Intro to Computer Forensics
CSC 485/585

Objectives
- Understand the roles and responsibilities of a computer forensic examiner.
- Understand the “Safety Net” concept.

What is a Computer Forensic Examiner?
- A CF examiner is not a computer expert, but rather a specialist in the preservation, recovery and authentication of evidence originating from electronic media.
- You are a critical member of an investigative team.
- Exact roles and responsibilities will depend on whether you work in a criminal law enforcement position or as a civil litigation/private examiner.
- Your roles and responsibilities affect all stages of an investigation or engagement.
- The sooner you become involved in the investigation/engagement, the better!

Roles & Responsibilities… in preparation for the seizure of electronic evidence
- Recommend and/or assist in securing information from witnesses, informants, complainants, or others, which will help determine the volume, complexity, and role of any computers and/or media you will be seizing.
- For law enforcement (LE), assist in the preparation of the Affidavit and Search Warrant.
  - Ensure there is a proper legal basis for the seizure.
- Acquire the resources (logistics) that may be necessary to handle the engagement or seizure and to secure the anticipated electronic evidence.

Roles & Responsibilities… in seizing electronic evidence
- Document all evidence seized.
- Document all relevant information, including what you did, where, how, and any deviation from standard procedures.
- Proper seizure and a continuing Chain of Custody:
  - Inventory and secure.
  - Arrange safe transportation and storage of media.
    - Avoid heat and moisture.
    - Avoid magnetic fields.
    - Physical care: handling, bumping, jiggling.
- Search for and secure items unique to electronic media:
  - Search for passwords.
  - Secure and seize manuals and original software for unique programs.
  - Printer, webcam, scanner, digital camera, iPod, cell phone, etc.
    (any of which may be relevant to your investigation/engagement)

Roles & Responsibilities… in seizing electronic evidence (cont.)
- Interview subjects, witnesses, system administrators, etc.
- Determine whether media/systems may be seized and taken back to your forensic lab, or whether analysis and/or backup must be done on-site.
- Proper accessing of original evidence.
- The creation of a “Safety Net” (more on this later).
- Use standard and tested procedures and tools, when possible and practical.

Roles & Responsibilities… in the analysis of media
- ALWAYS protect against changes to the original evidence media.
- Prepare investigative worksheets/documentation.
- Make bit-for-bit forensic images (copies) of all original evidence media.
- Analyze only a duplicate “working” copy of the original.
- In some cases, restoration of your bit-for-bit forensic image is necessary to perform analysis:
  - Restore images to VMware or another virtual machine.
  - Some proprietary computer systems (e.g. PlayStation 3) require restoration to a duplicate physical hard drive that is re-inserted into the computer in place of the original. Analysis is then performed by “running” the copy of the original in the original machine.
- Review for and recover hidden or deleted files, directories, and data.
- Review for and recover data from unallocated space or previous/lost file systems.
- Conduct searches by filename, by file type (using extension and/or file headers), by hash value, or by string of characters/bytes.
- Overcome encryption and password-protected files, directories, drives, etc.

Roles & Responsibilities… in the analysis of media (cont.)
- Prepare reports from accounting, database or other complex programs with proprietary file formats.
- Review the boot process for any deviations which may represent overt acts in attempting to destroy or conceal evidence.
- Reconstruct computer and user activity via “time line” analysis and/or recovery and analysis of Operating System artifacts left by a user’s computer usage.
- Identify malware/virus/trojan… or the lack thereof.
- Maintain investigative documentation and report findings to the investigative team.
- Authenticate any exhibited evidence items.

Roles & Responsibilities… in trial prep and testimony
- Review exhibits and documentation.
- Discuss testimony with attorneys.
- Prepare copies of physical exhibits and media for defense/opposing counsel: CD/DVD copies, image restoration, copies of images, etc.
- Testify.
  - Emphasize custody control and the actions you took to ensure the evidence was preserved in its original form.
  - Maintain your credibility.

Additional Responsibilities
- Cleaning media and systems.
- Calibrating your equipment.
- Wiping “target” media prior to use.
- Virus checking any media provided to investigators, prosecutors, defense, etc.
- Keeping your systems clean and up-to-date.
- Running validation checks to ensure equipment is in proper working order.
- Continued professional development to keep up-to-date on new technology, new potential computer forensic challenges, and legal developments.
- Education of peers and new computer forensic examiners.

The “Safety Net” Concept
- Procedures and actions taken to ensure that electronic evidence…
  - is not altered or destroyed.
  - is properly preserved and protected.
  - can be authenticated.
  - is maintained with a chain of custody.
- The “Safety Net” is a broad concept and not a specific list of “Thou shalt” and “Thou shalt not.”
- In computer forensics there are often exceptions to standard policy/procedure… be able to articulate any deviation from standard policies.

Why the “Safety Net”?
- So that judicial challenges to the authenticity of evidence may be met.
- So that the steps taken to recover evidence may be reproduced at a later date, for trial or by another examiner.
- To help protect against examiner liability issues: following proper procedures helps protect you from liability should something go wrong.
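The authenticity and reproducibility goals on this slide, together with the bit-for-bit imaging, hash authentication and header/byte-string searches from the analysis slides, are illustrated below in Python. This is an added example written for these notes, not code from the course or from any forensic tool: a regular file stands in for the subject device (the /dev/sdb in the comments is only assumed), the examiner name and case ID are constructed, and the sample “disk” contents are planted test data. Opening the source read-only does not replace a hardware or validated software write blocker; it only keeps this script’s own file handle from writing.

```python
"""Added example: acquire, authenticate and search a subject disk.  A plain
file stands in for the device (e.g. /dev/sdb, assumed); opening it read-only
is NOT a substitute for a tested write blocker."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB read size
STAMP = "%Y-%m-%dT%H:%M:%SZ"
# Leading bytes that identify common file types whatever the extension says.
SIGNATURES = {b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf",
              b"\xff\xd8\xff": "jpg", b"PK\x03\x04": "zip", b"MZ": "exe"}

def hash_stream(fh, sink=None):
    """MD5 and SHA-256 of everything readable from fh, copied to sink if given.
    Returns (md5_hex, sha256_hex, byte_count)."""
    md5, sha, total = hashlib.md5(), hashlib.sha256(), 0
    for block in iter(lambda: fh.read(CHUNK), b""):
        md5.update(block)
        sha.update(block)
        if sink is not None:
            sink.write(block)
        total += len(block)
    return md5.hexdigest(), sha.hexdigest(), total

def acquire(source, image, examiner, case_id):
    """Physical (bit-for-bit) copy of source to image.  The digests are taken from
    the stream as it leaves the original, so they authenticate the original itself;
    a JSON sidecar documents the acquisition."""
    record = {"case_id": case_id, "examiner": examiner, "source": source,
              "image": image, "started_utc": time.strftime(STAMP, time.gmtime())}
    with open(source, "rb") as src, open(image, "wb") as dst:
        md5, sha, size = hash_stream(src, sink=dst)
        dst.flush()
        os.fsync(dst.fileno())  # image is durable before its hashes are logged
    record.update(bytes=size, md5=md5, sha256=sha,
                  finished_utc=time.strftime(STAMP, time.gmtime()))
    with open(image + ".json", "w") as log:
        json.dump(record, log, indent=2)
    return record

def verify(record):
    """Re-hash the image (any examiner, any later date) against the record.
    One altered byte changes both digests."""
    with open(record["image"], "rb") as fh:
        md5, sha, size = hash_stream(fh)
    return {"bytes": size == record["bytes"], "md5": md5 == record["md5"],
            "sha256": sha == record["sha256"]}

def find_signatures(image, patterns=SIGNATURES):
    """Search the raw image for file headers (or any byte strings) at every offset,
    including ones straddling a read boundary.  Returns sorted (offset, label)."""
    overlap = max(len(p) for p in patterns) - 1
    hits, base, carry = set(), 0, b""
    with open(image, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            buf = carry + block  # buf[0] sits at file offset base - len(carry)
            for pat, label in patterns.items():
                i = buf.find(pat)
                while i >= 0:
                    hits.add((base - len(carry) + i, label))
                    i = buf.find(pat, i + 1)
            carry = buf[-overlap:] if overlap else b""
            base += len(block)
    return sorted(hits)

def demo():
    """Constructed subject 'disk' (sample data, not a case): repeating filler with
    a PDF header, a PNG header straddling the first read boundary and an EXE header."""
    work = tempfile.mkdtemp(prefix="csc585_")
    source = os.path.join(work, "subject_disk.bin")
    size = 2 * CHUNK + 4096
    disk = bytearray(bytes(range(256)) * (size // 256))
    for off, data in {4096: b"%PDF-1.4\n", CHUNK - 3: b"\x89PNG\r\n\x1a\n",
                      CHUNK + 777: b"MZ\x90\x00"}.items():
        disk[off:off + len(data)] = data
    with open(source, "wb") as fh:
        fh.write(disk)
    record = acquire(source, os.path.join(work, "subject_disk.dd"),
                     examiner="examiner (constructed)", case_id="CSC585-DEMO")
    clean = verify(record)                      # every check True
    headers = find_signatures(record["image"])  # analyse the copy, never the original
    with open(record["image"], "r+b") as fh:    # simulate one altered byte in the copy
        fh.seek(CHUNK + 7)
        byte = fh.read(1)[0]
        fh.seek(CHUNK + 7)
        fh.write(bytes([byte ^ 0x01]))
    tampered = verify(record)                   # md5 and sha256 now False
    return record, clean, headers, tampered

if __name__ == "__main__":
    rec, ok, found, bad = demo()
    print("acquired", rec["bytes"], "bytes, sha256", rec["sha256"])
    print("verify:", ok, "| headers:", found, "| after 1-byte change:", bad)
```

acquire() hashes the bytes as they are read from the original, so the recorded digests belong to the original and not merely to the copy; verify() can be repeated by anyone who holds the image and its sidecar, which is what lets a second examiner reproduce your authentication at trial. find_signatures() runs against the working copy and carries the last seven bytes of each read into the next so that a header split across a read boundary (the planted PNG) is still found; with short signatures such as MZ, expect false positives on real media, which is why a header hit is a lead to examine, not a conclusion.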
Safety Net Procedures
- Documentation: be able to recount what you did, how, when, where, with what tools, etc.
- System checking (BIOS date/time, boot order, attached hardware, configuration, etc.).
  - Take digital pictures and keep them in your case file.
- Controlled boot process.
  - If booting the subject’s computer, use a self-validated controlled boot disk and procedures… you will learn about this later.
- Hardware or software disk write protection.
  - If removing subject drive(s) from the subject computer, ensure the media is protected from your OS and from any inadvertent writes.
  - Test and self-validate your hardware or software write blockers before use on original evidence.

Safety Net Procedures (cont.)
- Bit-for-bit copy using tested and approved forensic imaging software or devices.
  - Physical image when possible… not a logical image or file copying unless there is a specific reason to do so.
- Data transfer and storage.
  - Protect seized equipment and data from bumping, dropping, extreme heat, moisture and unforeseen circumstances (leaking pipes or A/C dripping on equipment, flooding, etc.).
  - Do NOT leave seized evidence in your car (or elsewhere) unattended after you leave the seizure location… secure it!
- Be able to authenticate all evidence (via hash values, documentation, and your recollection).
- Maintain Chain-of-Custody!!!
- Virus checking: do not provide virus-infected evidence files to investigators, attorneys, or others. You do not want to be responsible for infecting their systems.

Summary
Your role is to:
1. Protect the integrity of the original evidence, and
2. Authenticate any evidence originating from an electronic source.
All of the methodologies, procedures and tools have been designed for the accomplishment of these two basic roles, both of which are the basis for the creation of the “Safety Net” concept.
It is the training in preservation and authentication of electronic evidence that makes you a unique member of the investigative team and teaches you to apply physical-world safeguards of evidence to a fragile, electronic environment.
Lastly, you must have the credibility necessary for the court to accept a printed document as evidence where no physical document was seized or received. Your testimony must convince the judge and the jury that the physical representation of this information is complete and accurate.
Your actions in EVERYTHING you do will affect the credibility of your testimony.

Questions ???
… as usual, use the discussion board!