Executive Summary

• Computer Forensics Basics:

  • Defined as using scientific methods to collect, analyze, and present digital evidence.
  • Key objectives include understanding the evolution of investigation models and following a systematic procedure.

• Investigation Process:

  • Traditional Phases: Acquisition, Identification, Evaluation, Admission.
  • Modern Models: DFRWS and GCFIM emphasize stages like preservation (maintaining the Chain of Custody), collection, examination, analysis, and presentation.

• Chain of Custody (CoC):

  • A documented record that shows who handled the evidence and when, ensuring its integrity.

• Systematic Investigation Approach:

  • Start with initial assessment, planning, risk management, and clearly document every step.
  • Separate steps for "dead box" (machine off) vs. "live box" (machine on) scenarios.

• Handling Specific Cases:

  • High-tech cases like employee termination, internet abuse, email abuse, media leaks, and industrial espionage each have unique considerations and logs to examine.

• Key Concepts:

  • Forensic imaging (bit-stream copy) is critical—it’s a complete copy of a drive, unlike a simple backup.

1. Introduction

What is Computer Forensics?

• Definition: It is the science of finding, preserving, collecting, analyzing, and presenting digital evidence using proven scientific methods.
• Goal: To use this evidence in investigations and in court.

2. Computer Crime and How Evidence is Handled

Overview of a Computer Crime:

• Crime Scene Example: When the police raid a crime scene (say, a suspected drug dealer’s home), they may find computers, USB drives, and cell phones.
• Evidence Handling:
  • Bagging and Tagging: Items are placed in evidence bags, tagged, and documented for future reference.
  • Why It Matters: Digital evidence is delicate—it must be secured properly because even small changes can affect its integrity.

3. The Forensic Investigation Process

Traditional 4 Phases

1. Acquisition:
   • Collecting digital evidence (e.g., hard disks, USB drives).
2. Identification:
   • Finding and recognizing which parts (files, photos) are useful as evidence.
3. Evaluation:
   • Deciding if the evidence you found is relevant to the crime.
4. Admission:
   • Presenting the evidence in court.

Evolved Methodologies

There are several models, such as:

• DFRWS (Digital Forensic Research Workshop) Model (2001):

1. Identification: Recognize the incident (like hacking).
2. Preservation: Secure and protect the evidence (while keeping a record called the Chain of Custody).
3. Collection: Methodically collect the evidence using standard procedures.
4. Examination: Deeply search and review the evidence (a technical phase).
5. Analysis: Decide what the evidence tells you and draw conclusions (a non-technical phase).
6. Presentation: Document and report the findings (and sometimes testify in court).

• Generic Computer Forensic Investigation Model (GCFIM, 2011):

1. Pre-Process: Get approvals, set up your investigation space (lab preparation).
2. Acquisition & Preservation: Find, collect, and secure the digital evidence carefully.
3. Analysis: Examine the evidence thoroughly to find who is responsible.
4. Presentation: Write and present your report of the findings.
5. Post-Process: Wrap up the investigation by returning or archiving evidence and reflecting on the process.

4. The Importance of Procedure and the Chain of Custody (CoC)

Following Procedure:

• Always follow a proven and accepted procedure to ensure that your investigation is accepted in court.
• Document every action you take because any mistake might lead to the evidence being disallowed.

Chain of Custody (CoC):

• What is it? A documented record that tracks who handled the evidence, when, and how from the moment it is found until the case is closed.
• Tools for CoC:
  • Single-Evidence Form: Each piece of evidence gets its own page.
  • Multi-Evidence Form: A form used to document multiple items at once.
• Why it’s Crucial: Maintaining the Chain of Custody proves that the evidence has not been tampered with and is in the same condition as when it was collected.

5. A Systematic Approach to Investigations

When handling a case, follow these step-by-step actions:

1. Initial Assessment:
   • Quickly decide what type of case you’re dealing with.
2. Plan Your Approach:
   • Develop a preliminary design for the investigation.
   • Create a detailed checklist of tasks.
3. Resources and Risk Management:
   • Identify all the resources you will need.
   • Determine what risks could affect your investigation and plan to reduce them.
4. Evidence Handling:
   • Obtain a copy of the evidence drive.
   • Analyze and recover the digital evidence.
5. Reporting and Review:
   • Investigate the recovered data.
   • Complete a detailed report.
   • Critique what worked and what could be improved in your process.

6. Handling a Case with Objectivity

Keeping it Unbiased:

• Always remain neutral. The evidence might clear a suspect, so be prepared to report all facts without letting personal opinions interfere.

Planning and Preparation:

• Plan your investigation in advance, outlining details like:
  • The nature of the case (e.g., employee misconduct, internet abuse).
  • The location and type of digital evidence (which computer, which operating system, disk format, etc.).

7. Planning Your Investigation in Practice

Example Process Steps:

• Evidence Collection:

1. Acquire the hard drive or storage media.
2. Fill in an evidence form and document the Chain of Custody.
3. Transport the evidence to your secured forensic lab.
4. Place the evidence in secure, approved containers (like a locked, fireproof cabinet).

• Processing Evidence:

1. Prepare your forensic workstation.
2. Retrieve evidence from secure storage.
3. Make an exact copy (forensic image) of the evidence.
4. Return the original evidence to secure storage.
5. Process the copied evidence using forensic analysis tools.

8. Preserving and Securing Digital Evidence

Preservation:

• Main Rule: The evidence must not be altered or contaminated.
• How to Preserve:
  • Document details such as who recovered the evidence, where it was stored, and when it was handled.
  • Use an evidence custody form to track the evidence throughout its lifecycle.

Securing Evidence:

• Practical Tips:
  • Use well-padded containers and evidence bags to protect physical items.
  • Photograph the evidence at the scene (e.g., taking pictures of computer desktops or open windows).
• Live vs. Dead Machines:
  • Dead Box (Machine is Off):
    • Easier to handle. You simply confiscate and later copy the disk without altering evidence.
  • Live Box (Machine is On):
    • More complex because volatile memory (RAM) contains important temporary data (like passwords).
    • Use special tools to capture the live data before shutting the machine down.

9. High-Tech Investigations and Specific Case Types

Types of High-Tech Cases:

• Employee Termination Cases:
  • Investigate misuse of company assets or unauthorized activities.
• Internet Abuse Cases:
  • Look at internet usage logs, proxy server logs, and compare them with evidence found on the computer.
• Email Abuse Cases:
  • Examine offending emails, check the email headers, and use server logs or client files (like Outlook’s .pst or .ost files).
• Media Leak Investigations:
  • Investigate how sensitive information left the company.
  • Look at e-mails, internet message boards, proxy logs, and telephone records.
• Industrial Espionage Cases:
  • These involve theft of company information and require a tight chain-of-custody and thorough analysis.

Key Points to Remember:

• Each investigation type might use different tools and procedures.
• Always follow standard forensic techniques and check if the evidence supports the claim.
• Collaborate with legal and HR teams when investigating internal abuses.

10. Interviews vs. Interrogations

Interviews:

• Conducted with witnesses or suspects.
• They focus on collecting factual information regarding the investigation.

Interrogations:

• These are aimed at getting a confession.
• They require a different approach and are often more intense.

11. Other Key Concepts

Bit-Stream Copy (Imaging):

• Definition: An exact, bit-by-bit copy of a disk or partition.
• Why It’s Important:
  • It is more complete than a simple backup because it copies all data on a drive (including deleted files or hidden fragments), which can be vital to the investigation.
• Difference from Backups:
  • Traditional backup software usually copies files based on known file structures and may miss deleted data or fragmented files.

12. Final Thoughts and Exam Tips

• Follow Procedures: Make sure you always document every step of the investigation process. In court or in your exam answers, showing that you understand the chain-of-custody and systematic methods is key.
• Know Your Models: Familiarize yourself with both the DFRWS model and the GCFIM model. Be ready to explain how each phase fits into the overall investigative process.
• Practical Examples: Remember the real-life examples of “dead box” vs. “live box” scenarios—they highlight why different techniques are used in different situations.
• Detail Orientation: Be prepared to outline steps not just in theory but also in practical planning. For example, know how to secure evidence, perform a forensic imaging, and document your process.
• High-Tech & Abuse Cases: Understand how investigations differ depending on the type—whether it’s internet abuse, email abuse, or media leaks. Each requires looking at different logs and data sources.