Computer Forensics Phases and Common Tasks


Module 3

Computer Forensics Phases and common tasks

Objective
• Computer or digital forensics is a branch of forensic science that focuses on devices and cybercrime. Through a process of identifying, preserving, analyzing and documenting digital evidence, forensic investigators recover and investigate information to aid in the conviction of criminals.

• The digital forensic process is extensive, and a secure environment is necessary to retrieve and preserve digital evidence.
Overview
• Purpose of investigation process
• Computer Forensics Investigation common steps

The Nine Phases of Computer Forensics
There are nine phases that digital forensic specialists usually take while investigating digital evidence:

1. First Response
2. Search and Seizure
3. Evidence Collection
4. Securing of the Evidence
5. Data Acquisition
6. Data Analysis
7. Evidence Assessment
8. Documentation and Reporting
9. Expert Witness Testimony
Identification
The first step is identifying evidence and potential containers of evidence.

• Identification, in which profile detection, system monitoring and audit analysis are performed.

• More difficult than it sounds: small-scale devices, non-traditional storage media, multiple possible crime scenes.

• Do not overlook non-electronic sources of evidence such as manuals, papers, printouts, etc.

Devices Identification
Collection
Collection, in which relevant data are collected based on the approved methods, utilizing various recovery techniques.

• Care must be taken to minimize contamination
• Collect or seize the system(s)
• Create forensic image
• Take detailed photos and notes of the computer / monitor
• If the computer is “on”, take photos of what is displayed on the monitor – Do Not Alter The Scene
• Make sure to take photos and notes of all connections to the computer/other devices
Collection: Imaging
• Rule of Thumb: make 2 copies and don’t work from the original (if possible)
• A file copy does not recover all data areas of the device for examination
• Working from a duplicate image
  ➢ Preserves the original evidence
  ➢ Prevents inadvertent alteration of original evidence during examination
  ➢ Allows recreation of the duplicate image if necessary
• Digital evidence can be duplicated with no degradation from copy to copy
• This is not the case with most other forms of evidence
Securing of the evidence: Preservation
Preservation, involving tasks such as setting up proper case management and ensuring an acceptable chain of custody.

• This phase is crucial so as to ensure that the data collected is free from contamination.
• Write-blocking software: To prevent any change to the data on the device or media, the analyst will install a block on the working copy so that data may be viewed but nothing can be changed or added.
• Hardware write blockers are becoming the industry standard, e.g. USB, SATA, IDE, SCSI, SIM, Memory Cards
Securing of the evidence: Imaging
• Forensic Copies (Bitstream)
  ➢ Bit-for-bit copying captures all the data on the copied media including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files etc.)
• Imaging from a disk (drive) to a file is becoming the norm
  ➢ Multiple cases stored on same media
  ➢ No risk of data leakage from underlying media
• Remember: avoid working from the original
• Use a write blocker even when examining a copy!
Data Acquisition: Authenticity & Integrity
• How do we demonstrate that the image is a true, unaltered copy of the original?
  - using hashing techniques (MD5, SHA 256)
• A mathematical algorithm that produces a unique value (128 Bit, 512 Bit)
• Can be performed on various types of data (files, partitions, physical drive)
• The value can be used to demonstrate the integrity of the data. Changes made to data will result in a different value
• The same process can be used to demonstrate the image has not changed from time-1 to time-n
Examination & Data Analysis
Examination and Analysis phase. In these phases, tasks such as evidence tracing, evidence validation, recovery of hidden/encrypted data, data mining and timeline construction are performed.

• Higher-level look at the file system representation of the data on the media
• Verify integrity of image - MD5, SHA1 etc.
• Recover deleted files & folders
• Determine keyword list - What are you searching for?
• Determine time lines - What is the time zone setting of the suspect system? What time frame is of importance?
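As an added example (not from the original slides) that serves both the hashing points under Data Acquisition: Authenticity & Integrity and the "Verify integrity of image" step here: a Python routine that hashes an image in one sequential pass with MD5 and SHA-256, records the acquisition-time (time-1) digests as the baseline, and re-verifies at time-n so that any altered byte is detected. The file name evidence.dd and the image contents are constructed for the demonstration.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-terabyte image never sits in RAM

def hash_stream(fh, algorithms=("md5", "sha256")):
    """One sequential pass over the stream, feeding every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, algorithms=("md5", "sha256")):
    """Hash an in-memory buffer (handy for checking against known test vectors)."""
    return hash_stream(io.BytesIO(data), algorithms)

def hash_image(path, algorithms=("md5", "sha256")):
    """Hash an image file (or a raw device node opened read-only) from disk."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)

def verify_image(path, baseline):
    """Time-n check: re-hash and compare every algorithm to the time-1 baseline.
    Returns (all_match, current_hashes) so the result can be written to the case log."""
    current = hash_image(path, tuple(baseline))
    return all(current[alg] == baseline[alg] for alg in baseline), current

def demo():
    """Constructed sample image: verification passes at time-1, fails once a byte changes."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")  # hypothetical image file name
        with open(image, "wb") as fh:
            # constructed content: fake boot sector, residue of a 'deleted' file, free space
            fh.write(b"MBR\x00" * 64 + b"deleted-file-residue" + b"\x00" * 2048)
        baseline = hash_image(image)            # digests recorded at acquisition (time-1)
        before, _ = verify_image(image, baseline)
        with open(image, "r+b") as fh:          # simulate an accidental write to the working copy
            fh.seek(300)
            fh.write(b"X")
        after, _ = verify_image(image, baseline)
    return before, after

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Recording both digests at acquisition and again at every later verification gives the time-1 to time-n chain the slides describe; the hardware write blocker is what keeps the second outcome from happening on a real working copy.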
Presentation
In this last phase or step, the process of summarization and explanation of conclusions is done.

• This is the process of presenting the evidence in a legally acceptable and understandable manner. If the matter is presented in court, the jury, who may have little or no computer experience, must all be able to understand what is presented and how it relates to the original; otherwise all efforts could be futile.
• Should be written in layperson’s terms using abstracted terminologies. All abstracted terminologies should reference the specific details.