INTRODUCTION TO COMPUTER FORENSICS

Introduction to Traditional Computer Crime, traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.

Computer Forensics and Investigation

Introduction to Computer Forensics and Investigations (Based on Chapter 1)

Objectives

• Define computer forensics and identify related fields

• Define fundamental concepts of computer forensics

• Identify computer forensics methodologies

• Differentiate between public and private cases

• Discuss the role of a forensic investigator

• Practical: Set up a forensic workstation

What is Forensic Science?

• Forensic Science is a scientific method of collecting and analyzing information about events that took place in the past, so that they can be used in a court of law.

• Forensic basically means legal, or related to law.

• Forensic science has many disciplines, including:

  • Jurisprudence (the theory of law)

  • Forensic Pathology (injury and disease)

  • Forensic Biology (genetics, microbiology – e.g. blood)

  • Computer Forensics (our course)

  • And more…

What is Computer Forensics?

• Computer Forensics is a science that involves obtaining and analyzing digital information for use as evidence in civil, criminal, or corporate cases.

Why Computer Forensics?

• It involves scientifically examining and analyzing digital data—from computer storage media.

• Documents maintained on a computer are covered by different rules depending on the nature of the documents (i.e. different from physical evidence).

Related Fields

• In general, computer forensics investigates data that can be retrieved from a computer’s hard drive or other storage media.

• Other related fields include:

  • Network Forensics

    • Attempts to get information about how someone gained access to a network.

    • Uses log files to determine when users logged on, which URLs they accessed, how they logged on, and from what location.

    • Determines what tracks or new files were left on a victim’s computer and what changes were made.

  • Data Recovery

    • Computer forensics is different from data recovery.

    • Involves recovering digital data that was deleted or lost during events such as power surges or server crashes.

    • Typically, you know what you’re looking for.

The Investigation Triad

The computer investigations function is one of three in a triad that makes up computing security in an enterprise network environment. The triad consists of the following parts:

• Vulnerability Assessment and Risk Management (CSF4003)

• Network Intrusion Detection and Incident Response (CSF3203)

• Computer Investigations (CSF3403)

1) Vulnerability Assessment & Risk Management

• Goal: Test the integrity of valuable resources (computer systems and networks)

• Discover vulnerabilities and identify threats

• Test for known vulnerabilities of operating systems and applications used in the network

• Launch attacks on the network, workstations, and servers to assess vulnerabilities

• Typically, personnel have several years of experience in UNIX and Windows administration

2) Network Intrusion Detection & Incident Response

• Goal: Detect intruder attacks and respond to security incidents

• When an external attack is detected, the response team tracks, locates, identifies the intrusion method, and denies further access

• If an internal user is engaged in illegal acts, the team locates and blocks the user’s access (e.g. community college incident with inflammatory emails)

• Vulnerability assessment staff often contribute significantly to computing investigations

3) Computer Investigations

• Focus on events that have already happened

• Process: Identify → Analyze → Present

• Conduct forensic analysis of systems suspected of containing evidence related to an incident or crime

• Analyze evidence to resolve or terminate case investigations

Challenges of Computer Forensics

• Digital information is not always easy to find

• Information may be encrypted and/or cleverly hidden

• Information may reside on various media (HDD, SSD, CD, Floppies, VMs, etc.)

• Computer technology continues to evolve, adding new challenges

• Computer criminals continuously develop new methods

Computer Forensics Terminology

• Litigation: The legal process of establishing criminal or civil liability in court. Evidence collected can be used in lawsuits.

• Evidence: Collection of facts or information indicating whether a belief or proposition is true. It can be inculpatory (incriminating) or exculpatory.

• Exculpatory Evidence: Evidence that could prove the innocence of the suspect (e.g., an email sent by another user).

• Affidavit: A sworn statement of support of facts or evidence of a crime, submitted to a judge with a request for a search warrant.

• Case Law: Law based on outcomes of previous cases; used when regulations are insufficient due to rapid technological evolution.

• Chain of Custody (CoC): The documented route that evidence takes from the crime scene to the lab, ensuring its integrity.

• Evidence Integrity: The quality of being free from unauthorized or unwanted change; crucial for evidence admissibility in court.

• Investigation: A formal and systematic inquiry where an investigator identifies and studies facts to prove guilt or innocence.

Computer Forensics Methodology

• A methodology is a systematic, standardized way of performing tasks.

• In computer forensics, consistent investigations ensure nothing is missed and the integrity of evidence is maintained.

Computer Forensics Methodologies

• U.S. Department of Justice (DOJ)

• Digital Forensics Research Workshop (DFRW)

• Abstract Digital Forensics Model (ADFM)

• Integrated Digital Investigation Process (IDIP)

• Enhanced Digital Investigation Process (EDIP)

• Forensic Methodology will be covered in more detail.

Types of Computer Investigations

• Public Investigations

  • Involve government agencies responsible for criminal investigations and prosecutions

  • Governed by local and national laws

  • Example: A hacker compromises a bank and steals money

• Private or Corporate Investigations

  • Deal with incidents within private companies (does not involve government agencies)

  • Based on policy violations rather than laws

  • Example: An employee harasses a colleague via email

Public – Legal Case Flow

• Complaint: A case begins when a complainant makes an allegation about an illegal event or policy violation.

• Investigation: Investigators collect and process information related to the complaint and report their findings.

• Prosecution: Prosecutors use the investigation report (and the investigator's expertise in an affidavit) to build a case. In private incidents, the investigation might escalate to legal action.

The Forensic Investigator

• The forensic investigator conducts the investigation by processing digital evidence.

• They summarize their findings in a report and, when required, present these findings to prosecutors, in court, or to company executives.

Computer Forensics Expertise

• Law enforcement expertise is divided into three levels:

• Level 1:

  • A trained police officer acquires and seizes digital evidence at the crime scene.

• Level 2:

  • The assigned detective handles and manages the case, including suspect interrogation.

• Level 3:

  • A computer forensics expert (investigator) identifies, retrieves, and processes digital evidence.

Computer Forensics Investigator

• An investigator must be a computer expert familiar with multiple computing platforms, including current systems (Windows, Mac, Linux), older platforms (DOS and Windows 9x), as well as mobile and emerging platforms.

• They should also build and maintain contacts with computing, network, and forensics professionals.

• Key steps include assessing the case scope (OS, hardware, peripherals), ensuring available resources to process evidence, determining the right tools for collection and analysis, and possibly collaborating with other specialists.

Professional Conduct

• Professional conduct includes ethics, morals, and standards of behavior.

• Exhibit the highest level of ethical behavior at all times by:

• • Maintaining objectivity (don’t take sides)

  • Maintaining credibility (unbiased and trustworthy)

  • Keeping case information confidential

  • Continuously expanding technical knowledge

  • Conducting oneself with integrity (honesty)

Computer Forensics Certifications

• SANS – Global Information Assurance Certification Forensic Examiner (GCFE) and Analyst (GCFA)

• The International Society of Forensic Computer Examiners (ISFCE) – Certified Computer Examiner (CCE)

• EC-Council – Computer Hacking Forensic Investigator (CHFI)

• Access Data Certified Examiner (ACE)

• Encase Certified Examiner (EnCE)

• And more…

Laws of the Land

• Laws are written to protect society.

• Governments are becoming more serious about cybercrime punishment.

• Laws differ from one country to another and continue to evolve and change.

• Cyber law in the UAE:

• • http://www.aecert.ae

  • http://www.tra.gov.ae

Related Resources

• UAE Cyber Laws:

  • http://aecert.ae/en

  • http://www.tra.gov.ae/en

  • http://www.elaws.gov.ae/DefaultEn.aspx

• FTK Forensic Toolkit:

  • FTK

• SANS - Integrating Forensic Investigation Methodology into eDiscovery:

  • SANS Forensic Investigation Methodology

• NIST - General Test Methodology for Computer Forensic Tools:

  • NIST Test Methodology