Guide to Computer Forensics and Investigations, Second Edition Chapter 5 Processing Crime and Incident Scenes.

Post on 04-Jan-2016


Guide to Computer Forensics and Investigations, Second Edition

Chapter 5: Processing Crime and Incident Scenes

Guide to Computer Forensics and Investigations, 2e 2

Objectives

• Collect evidence in private-sector incident scenes

• Process law enforcement crime scenes

• Prepare for a search

Objectives (continued)

• Secure a computer incident or crime scene
• Seize digital evidence at the scene
• Review a case using three different computer forensics tools

Collecting Evidence in Private-Sector Incident Scenes

• Freedom of Information Act (FOIA)
  – States that public records are open and available for inspection
  – Citizens can request public documents created by federal agencies

• Homeland Security Act

• Patriot Act

Collecting Evidence in Private-Sector Incident Scenes (continued)

• Corporate environment is much easier than criminal environment

• Employees’ expectation of privacy
  – Create and publish a privacy policy
  – Use warning banners
• State when an investigation can be initiated
  – Reasonable suspicion

Collecting Evidence in Private-Sector Incident Scenes (continued)

• Avoid becoming a law enforcement agent

• Check with your corporate attorney on how to proceed
  – Commingled data
  – Warrants
  – Subpoena
  – Civil liability

Guide to Computer Forensics and Investigations, 2e 8

Processing Law Enforcement Crime Processing Law Enforcement Crime ScenesScenes

• Criminal rules of search and seizure

• Probable cause
  – Specific crime was committed
  – Evidence exists
  – Place to be searched includes evidence
• Warrant
  – Probable cause
  – Witness

Guide to Computer Forensics and Investigations, 2e 9

Processing Law Enforcement Crime Processing Law Enforcement Crime Scenes (continued)Scenes (continued)

Guide to Computer Forensics and Investigations, 2e 10

Understanding Concepts and Terms Understanding Concepts and Terms Used in WarrantsUsed in Warrants

• Innocent information
  – Unrelated information
• Limiting phrase
  – Separates innocent information from evidence
• Plain view doctrine
  – Searched area can be extended

• Knock and announce

Guide to Computer Forensics and Investigations, 2e 11

Preparing for a SearchPreparing for a Search

• Most important step in computing investigations

• Steps:
  – Identifying the nature of the case
  – Identifying the type of computer system
  – Determining whether you can seize a computer
  – Obtaining a detailed description of the location

Guide to Computer Forensics and Investigations, 2e 12

Preparing for a Search (continued)Preparing for a Search (continued)

• Steps (continued):
  – Determining who is in charge
  – Using additional technical expertise
  – Determining the tools you need
  – Preparing the investigation team

Guide to Computer Forensics and Investigations, 2e 13

Identifying the Nature of the CaseIdentifying the Nature of the Case

• Private or public
• Dictates:
  – How you proceed
  – Resources needed during the investigation

Guide to Computer Forensics and Investigations, 2e 14

Identifying the Type of Computing Identifying the Type of Computing SystemSystem

• Identify:
  – Size of the disk drive
  – Number of computers at the crime scene
  – OSs
  – Specific details about the hardware

• Easier to do in a controlled environment, such as a corporation

Guide to Computer Forensics and Investigations, 2e 15

Determining Whether You Can Seize a Determining Whether You Can Seize a ComputerComputer

• Ideal situation
  – Seize computers and take them to your lab

• Not always possible

• Need a warrant

• Consider using portable resources

Guide to Computer Forensics and Investigations, 2e 16

Obtaining a Detailed Description of the Obtaining a Detailed Description of the LocationLocation

• Get as much information as you can

• Identify potential hazards
  – Interact with your HAZMAT team
• HAZMAT guidelines
  – Protect your target disk before using it
  – Check for high temperatures

Guide to Computer Forensics and Investigations, 2e 17

Determining Who Is in ChargeDetermining Who Is in Charge

• Corporate computing investigations require only one person to respond

• Law enforcement agencies:
  – Handle large-scale investigations
  – Designate lead investigators

Guide to Computer Forensics and Investigations, 2e 18

Using Additional Technical ExpertiseUsing Additional Technical Expertise

• Look for specialists
  – OSs
  – RAID servers
  – Databases
• Can be difficult to find
• Educate specialists who are not investigators in proper investigative techniques
  – Prevent evidence damage

Guide to Computer Forensics and Investigations, 2e 19

Determining the Tools You NeedDetermining the Tools You Need

• Prepare your tools using incident and crime scene information

• Initial-response field kit
  – Lightweight
  – Easy to transport
• Extensive-response field kit
  – Includes all tools you can afford

Guide to Computer Forensics and Investigations, 2e 20

Determining the Tools You Need Determining the Tools You Need (continued)(continued)

Guide to Computer Forensics and Investigations, 2e 21

Determining the Tools You Need Determining the Tools You Need (continued)(continued)

Guide to Computer Forensics and Investigations, 2e 22

Preparing the Investigation TeamPreparing the Investigation Team

• Review facts, plans, and objectives

• Coordinate an action plan with your team
  – Collect evidence
  – Secure evidence

• Slow response can cause digital evidence to be lost

Guide to Computer Forensics and Investigations, 2e 23

Securing a Computer Incident or Securing a Computer Incident or Crime SceneCrime Scene

• Preserve the evidence

• Keep information confidential

• Define a secure perimeter
  – Use yellow barrier tape
  – Legal authority
• Professional curiosity
  – Can destroy evidence

Guide to Computer Forensics and Investigations, 2e 24

Seizing Digital Evidence at the SceneSeizing Digital Evidence at the Scene

• Law enforcement can seize evidence with a proper warrant

• Corporate investigators rarely can seize evidence

• U.S. DoJ standards for seizing digital data

• Civil investigations follow the same rules
  – Require less documentation, though

• Consult with your attorney for extra guidelines

Guide to Computer Forensics and Investigations, 2e 25

Processing a Major Incident Processing a Major Incident or Crime Sceneor Crime Scene

• Guidelines
  – Keep a journal
  – Secure the scene
  – Be professional and courteous with onlookers
  – Remove people who are not part of the investigation
  – Video record the computer area

• Pay attention to details

• Look under desks, chairs

• Examine dropped ceilings

Guide to Computer Forensics and Investigations, 2e 26

Processing a Major Incident Processing a Major Incident or Crime Scene (continued)or Crime Scene (continued)

• Guidelines (continued)
  – Sketch the incident or crime scene
  – Check computers as soon as possible
  – Save data from current applications as safely as possible
  – Make notes of everything you do when copying data from a live suspect computer
  – Close applications and shut down the computer

Guide to Computer Forensics and Investigations, 2e 27

Processing a Major Incident Processing a Major Incident or Crime Scene (continued)or Crime Scene (continued)

• Guidelines (continued)
  – Look for information related to the investigation
    • Passwords, passphrases, PINs, bank accounts
  – Collect documentation and media related to the investigation
    • Hardware, software, backup media

Guide to Computer Forensics and Investigations, 2e 28

Processing Data Centers Processing Data Centers with an Array of RAIDswith an Array of RAIDs

• Sparse evidence file recovery
  – Extracts only data related to evidence for your case from allocated files
  – Minimizes how much data you need to analyze
  – Doesn’t recover residual data in free or slack space
  – If you have a computer forensics tool that accesses the unallocated space on a RAID system, work it on a test system first to make sure it doesn’t corrupt the RAID computer
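Added example, not from the textbook, illustrating the slack-space limitation stated above: a sparse recovery copies only the allocated bytes of a file, while a bit-stream image of the same clusters also captures residual data left after end-of-file. The cluster size, disk layout and file contents are all constructed for illustration.

```python
# Added example, not from the textbook: why a sparse (allocated-file-only)
# recovery misses residual data in file slack. Cluster size, layout and
# contents are all constructed for illustration.

CLUSTER = 512  # bytes per cluster (constructed; real sizes vary by filesystem)

def build_disk(num_clusters):
    """Constructed, zero-filled disk image."""
    return bytearray(CLUSTER * num_clusters)

def write_file(disk, first_cluster, data):
    """Store a file from the start of its first cluster. Bytes after end-of-
    file in the last allocated cluster are left as they were: the slack."""
    off = first_cluster * CLUSTER
    disk[off:off + len(data)] = data
    return len(data)

def logical_copy(disk, first_cluster, size):
    """What sparse evidence recovery sees: exactly the file's `size` bytes."""
    off = first_cluster * CLUSTER
    return bytes(disk[off:off + size])

def physical_copy(disk, first_cluster, size):
    """What a bit-stream image of the same clusters holds: whole clusters,
    slack included."""
    clusters = -(-size // CLUSTER)  # ceiling division
    off = first_cluster * CLUSTER
    return bytes(disk[off:off + clusters * CLUSTER])

def slack(disk, first_cluster, size):
    """Residual bytes between end-of-file and the end of the last cluster."""
    return physical_copy(disk, first_cluster, size)[size:]

def demo():
    disk = build_disk(8)
    # An older, since-deleted 1000-byte file left content in clusters 3-4
    # (constructed residue placed at the tail of cluster 4).
    write_file(disk, 3, b"X" * 965 + b"OLD-LEDGER: acct 0000 (constructed)")
    # A new 700-byte file is allocated over the same clusters; it overwrites
    # only its own 700 bytes, so the residue after offset 700 survives.
    size = write_file(disk, 3, b"Q3 report body line\n" * 35)
    return {
        "logical_len": len(logical_copy(disk, 3, size)),    # 700
        "physical_len": len(physical_copy(disk, 3, size)),  # 1024
        "residue_in_logical": b"OLD-LEDGER" in logical_copy(disk, 3, size),
        "residue_in_slack": b"OLD-LEDGER" in slack(disk, 3, size),
    }
```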

Guide to Computer Forensics and Investigations, 2e 29

Using a Technical Advisor at an Using a Technical Advisor at an Incident or Crime SceneIncident or Crime Scene

• Technical specialists

• Responsibilities:
  – Know all aspects of the seized system
  – Direct the investigator handling sensitive material
  – Help secure the scene
  – Help document the planning strategy
  – Conduct ad hoc trainings
  – Document activities

Guide to Computer Forensics and Investigations, 2e 30

Sample Civil InvestigationSample Civil Investigation

• Recover specific evidence
  – Suspect’s Outlook e-mail folder (PST file)
• Covert surveillance
  – Company policy
  – Risk of civil or criminal liability
• Sniffing tools
  – For data transmissions

Guide to Computer Forensics and Investigations, 2e 31

Sample Criminal InvestigationSample Criminal Investigation

• Computer crime examples
  – Fraud
  – Check fraud
  – Homicides
• Need a warrant to start seizing evidence
  – Limits the search area

Guide to Computer Forensics and Investigations, 2e 32

Sample Criminal Investigation Sample Criminal Investigation (continued)(continued)

Guide to Computer Forensics and Investigations, 2e 33

Reviewing a CaseReviewing a Case

• Tasks for planning your investigation
  – Identify the case requirements
  – Plan your investigation
  – Conduct the investigation
  – Complete the case report
  – Critique the case

Guide to Computer Forensics and Investigations, 2e 34

Identifying the Case RequirementsIdentifying the Case Requirements

• Identify requirements, such as:
  – Nature of the case
  – Suspect’s name
  – Suspect’s activity
  – Suspect’s hardware and software specifications

Guide to Computer Forensics and Investigations, 2e 35

Planning Your InvestigationPlanning Your Investigation

• List what you can assume or know
  – Several incidents may or may not be related
  – Suspect’s computer can contain information about the case
  – Whether someone else has used the suspect’s computer

• Make an image of suspect’s computer disk drive

• Analyze forensics copy

Guide to Computer Forensics and Investigations, 2e 36

DriveSpyDriveSpy

• Functions
  – Create an image
  – Verify validity of image
  – Analyze image
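Added example, not DriveSpy or any other tool from the textbook: the three functions listed above (create an image, verify its validity, analyze the image), together with the "make an image, then analyze the forensic copy" plan from Planning Your Investigation, carried out on a constructed "suspect drive" held in a temporary file. Each step is recorded in a journal list, as the scene guidelines require; the file names, chunk size and drive contents are assumptions for illustration.

```python
# Added example, not DriveSpy or any textbook tool: create an image, verify it,
# analyze the copy, logging each step. Drive contents are constructed.
import hashlib, os, tempfile, time

CHUNK = 64 * 1024  # read size per iteration (constructed choice)

def hash_file(path):
    """SHA-256 of a file, read in chunks so a real drive need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def create_image(source, image, journal):
    """Bit-stream copy of source to image; the source is hashed as it is read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    journal.append(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} imaged {source} -> "
                   f"{image} source_sha256={h.hexdigest()}")
    return h.hexdigest()

def verify_image(image, source_hash, journal):
    """Validity check: the image must hash identically to the source."""
    actual = hash_file(image)
    journal.append(f"verified {image} image_sha256={actual} match={actual == source_hash}")
    return actual == source_hash

def keyword_offsets(image, keywords):
    """Analysis on the copy, never the original: first offset of each keyword or -1."""
    with open(image, "rb") as f:
        data = f.read()  # fine for a constructed drive; stream real ones
    return {k: data.find(k) for k in keywords}

def demo():
    journal = []
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "suspect.dd"), os.path.join(d, "suspect.img")
        with open(src, "wb") as f:  # constructed drive contents
            f.write(b"\x00" * 1000 + b"acct=0000 (constructed)" + b"\xff" * 500)
        source_hash = create_image(src, img, journal)
        valid = verify_image(img, source_hash, journal)
        hits = keyword_offsets(img, [b"acct=", b"absent"])
        with open(img, "r+b") as f:  # simulate a corrupted or altered copy
            f.seek(1000); f.write(b"X")
        corrupted_valid = verify_image(img, source_hash, journal)
    return valid, corrupted_valid, hits, journal
```

The second verification fails after a single byte of the copy changes, which is why the hash of the source is recorded in the journal at acquisition time rather than recomputed later.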

Guide to Computer Forensics and Investigations, 2e 37

DriveSpy (continued)DriveSpy (continued)

Guide to Computer Forensics and Investigations, 2e 38

DriveSpy (continued)DriveSpy (continued)

Guide to Computer Forensics and Investigations, 2e 39

Access Data Forensic Toolkit (FTK)Access Data Forensic Toolkit (FTK)

• Functions
  – Extract the image from a bit-stream image file
  – Analyze the image

Guide to Computer Forensics and Investigations, 2e 40

Access Data Forensic Toolkit (FTK) Access Data Forensic Toolkit (FTK) (continued)(continued)

Guide to Computer Forensics and Investigations, 2e 41

Access Data Forensic Toolkit (FTK) Access Data Forensic Toolkit (FTK) (continued)(continued)

Guide to Computer Forensics and Investigations, 2e 42

X-Ways ForensicsX-Ways Forensics

• Functions
  – Extract forensic image
  – Analyze image

Guide to Computer Forensics and Investigations, 2e 43

X-Ways Forensics (continued)X-Ways Forensics (continued)

Guide to Computer Forensics and Investigations, 2e 44

X-Ways Forensics (continued)X-Ways Forensics (continued)

Guide to Computer Forensics and Investigations, 2e 45

X-Ways Forensics (continued)X-Ways Forensics (continued)

Guide to Computer Forensics and Investigations, 2e 46

SummarySummary

• Private sector
  – Contained and controlled area

• Publish right to inspect computer assets policy

• Private and public sectors follow same computing investigation rules

• Avoid becoming an agent of law enforcement

• Criminal cases require warrants

Guide to Computer Forensics and Investigations, 2e 47

Summary (continued)Summary (continued)

• Protect your safety and health as well as the integrity of the evidence from hazardous materials

• Follow guidelines when processing an incident or crime scene
  – Securing the perimeter
  – Video recording

Guide to Computer Forensics and Investigations, 2e 48

Summary (continued)Summary (continued)

• Become familiar with forensics tools
  – DriveSpy and Image
  – FTK
  – X-Ways Forensics

Guide to Computer Forensics and Investigations, 2e 49

Questions & DiscussionQuestions & Discussion
