Page 1

Phases of Computer Forensics¹

Computer Forensics, BACS 371

¹ Management Information Systems for the Information Age 5e, Haag, Cummings, McCubbrey, 2005, McGraw Hill

Page 2

Phases of Computer Forensics

Collection Phase
- Get physical access to the computer and related items
- Make a forensic image copy of all information
- Authentication and preservation

Examination Phase
- Makes evidence visible
- Explains origin and significance
- Should document the content and state of the evidence
- Technical review: forensic examiner

Analysis Phase
- Follow the trail of clues
- Build evidence
- Looks for probative value: investigation team

Reporting Phase
- Outline the examination process
- Pertinent data recovered
- Validity of the procedure
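The collection phase's "forensic image copy" plus "authentication and preservation" is, in practice, a bit-for-bit copy whose hash is recorded at acquisition and re-checked before every examination. The following is an added example written for this page, not code from the slides or from any named tool: a minimal Python imager that hashes the source while copying it, re-hashes the finished image independently, refuses to overwrite an existing image, and records what an acquisition note must carry. The device path, the examiner name and the sample "device" contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB reads: a real device never has to fit in memory


def sha256_of(path):
    """Stream a file or block device through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, image_path):
    """Bit-for-bit copy of `source` to `image_path`; returns (source_hash, image_hash).

    The source is hashed as it is read, then the finished image is re-read from
    disk and hashed independently, so a short write or a bad sector shows up as
    a mismatch. O_EXCL refuses to overwrite an existing image, and the image is
    created read-only so a later tool cannot change it by accident.
    """
    src_hash = hashlib.sha256()
    fd = os.open(image_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with open(source, "rb") as src, os.fdopen(fd, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    return src_hash.hexdigest(), sha256_of(image_path)


def verify_image(image_path, recorded_hash):
    """Re-hash the image (before examination, or years later) against the record."""
    return sha256_of(image_path) == recorded_hash


def acquisition_record(source, image_path, src_hash, img_hash, examiner):
    """The minimum an acquisition note needs so the image can be authenticated later."""
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": src_hash == img_hash,
    }


def image_demo():
    """Constructed sample: a fake ~1 MiB 'device' file stands in for a real disk."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "sdb")      # hypothetical source device
    image = os.path.join(work, "sdb.dd")    # raw image, dd-style
    with open(device, "wb") as f:
        f.write(b"BACS371 sample sector\n" * 47662)  # constructed content
    src_hash, img_hash = image_device(device, image)
    record = acquisition_record(device, image, src_hash, img_hash, "examiner-01")

    # Preservation check: flip one byte in the image and confirm it is caught.
    os.chmod(image, 0o600)
    with open(image, "r+b") as f:
        f.seek(4096)
        f.write(b"X")
    record["tamper_detected"] = not verify_image(image, img_hash)
    return record


if __name__ == "__main__":
    for key, value in image_demo().items():
        print(f"{key}: {value}")
```

On a real acquisition the source is opened through a hardware or software write blocker; the read-only open here protects the image, not the source.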

Page 3

Collection

- Search for...
- Recognition of...
- Documentation of...
- Collection and preservation of...
- Packaging and transportation of...
...electronic evidence

Page 4

Digital Evidence Collection Toolkit¹

Documentation tools
- Cable tags
- Indelible felt-tip markers
- Stick-on labels

Disassembly and removal tools
- Flat-blade and Phillips-type screwdrivers
- Hex-nut drivers
- Needle-nose pliers
- Secure-bit drivers
- Small tweezers
- Specialized screwdrivers
- Standard pliers
- Star-type nut drivers
- Wire cutters

Package and transport supplies
- Antistatic bags
- Antistatic bubble wrap
- Cable ties
- Evidence bags
- Evidence tape
- Packing materials
- Packing tape
- Sturdy boxes of various sizes

Other items
- Gloves
- Hand truck
- Large rubber bands
- List of contact telephone numbers for assistance
- Magnifying glass
- Printer paper
- Seizure disk
- Small flashlight
- Unused floppy diskettes (3½" and 5¼")

¹ Electronic Crime Scene Investigation: A Guide for First Responders, NIJ Guide, DOJ

Page 5

Preliminary Interviews¹

Separate and identify all persons (witnesses, subjects, others).

Obtain information on:
- Owners/users of the devices
- Passwords
- Purpose of the system
- Unique security schemes
- Offsite data storage
- Documentation

¹ Electronic Crime Scene Investigation: A Guide for First Responders, NIJ Guide, DOJ

Page 6

Document the Scene¹

- Observe and document the scene: photos and sketches
- Document the condition of the computers
- Identify related, but not collected, electronics
- Photograph the scene
- Photograph the computer

¹ Electronic Crime Scene Investigation: A Guide for First Responders, NIJ Guide, DOJ

Page 7

Evidence Collection

- Non-electronic evidence
- Stand-alone/laptop computers
- Network-attached computers
- Network servers
- Other electronic devices

Page 8

Places to Look for Information

- Deleted files and slack space
- Recycle Bin
- System and Registry files
- Unallocated (free) disk space
- Unused disk space
- Erased information

Page 9

Ways of Hiding Information

- Rename the file
- Make the information invisible
- Use Windows to hide files
- Protect the file with a password
- Encrypt the file
- Use steganography
- Compress the file
- Hide the hardware

Page 10

Methodology for Investigating Computer Crime¹

Search and Seizure
- Formulate a plan
- Approach and secure the crime scene
- Document the crime scene layout
- Search for evidence
- Retrieve evidence
- Process evidence

Information Discovery
- Formulate a plan
- Search for evidence
- Process evidence

All of the above while maintaining chain of custody.

¹ Field Guide for Investigating Computer Crime, Timothy E. Wright, http://www.securityfocus.com/print/infocus/1244
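"Maintaining chain of custody" means every hand-over of an item is recorded in a way that cannot be quietly rewritten, and the item's hash is re-attested at each step so a change to the evidence is caught as well. The following is an added example written for this page, not code from the slides or from the cited field guide: a hash-chained custody log in which each entry commits to the previous entry, plus a verifier that reports the first entry where either the history or the item hash no longer checks out. Item identifiers, custodian names and the placeholder image hashes are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # the 'previous hash' of the first entry


def _digest(fields):
    """Canonical JSON of an entry (without its own hash), then SHA-256."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Hash-chained chain-of-custody record for one evidence item.

    Each entry commits to the previous entry's hash, so an edit anywhere in the
    history breaks every link after it. Each entry also records the item's own
    hash at hand-over, so a change to the evidence itself is caught too.
    """

    def __init__(self, item_id, item_sha256, custodian, when=None):
        self.entries = []
        self._append({"event": "acquired", "item": item_id, "item_sha256": item_sha256,
                      "from": None, "to": custodian}, when)

    def transfer(self, item_sha256, from_, to, purpose, when=None):
        self._append({"event": "transfer", "item": self.entries[0]["item"],
                      "item_sha256": item_sha256, "from": from_, "to": to,
                      "purpose": purpose}, when)

    def _append(self, fields, when):
        entry = dict(fields)
        entry["time"] = when or datetime.now(timezone.utc).isoformat()
        entry["prev"] = self.entries[-1]["hash"] if self.entries else GENESIS
        entry["hash"] = _digest(entry)          # hashes every field set so far
        self.entries.append(entry)

    def verify(self):
        """Return (True, None) if intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        original = self.entries[0]["item_sha256"] if self.entries else None
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"] or e["item_sha256"] != original:
                return False, i
            prev = e["hash"]
        return True, None


def custody_demo():
    """Constructed sample: one image hash, three hand-overs, then two tamper attempts."""
    img = "a" * 64                       # placeholder for a real image SHA-256
    log = CustodyLog("sdb.dd", img, "first-responder-02")
    log.transfer(img, "first-responder-02", "evidence-locker", "storage")
    log.transfer(img, "evidence-locker", "examiner-01", "examination")
    intact = log.verify()

    # 1) Someone rewrites history: the locker entry now names a different recipient.
    log.entries[1]["to"] = "contractor"
    history_edited = log.verify()
    log.entries[1]["to"] = "evidence-locker"     # restore the original record

    # 2) The evidence itself changed between hand-overs: a different item hash.
    log.transfer("b" * 64, "examiner-01", "evidence-locker", "return")
    item_changed = log.verify()
    return {"intact": intact, "history_edited": history_edited, "item_changed": item_changed}


if __name__ == "__main__":
    print(custody_demo())
```

The chain only proves that the log has not been edited after the fact; it does not prove who wrote each entry. In practice each hand-over is also signed, or the log is kept on write-once media, so that an entry cannot simply be regenerated end to end.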

Page 11

Brief Outline of the Scientific Method

1. Identify and research a problem
2. Formulate a hypothesis
3. Conceptually and empirically test the hypothesis
4. Evaluate the hypothesis with regard to the test results
5. If the hypothesis is acceptable, evaluate its impact