Intro to Computer Forensics
CSC 485/585
Objectives
Understand the roles and responsibilities of a computer forensic examiner.
Understand the “Safety Net” concept.
What is a Computer Forensic Examiner?
A CF examiner is not simply a computer expert, but rather a specialist in the preservation, recovery and authentication of evidence originating from electronic media.
You are a critical member of an investigative team. Exact roles and responsibilities will depend on whether you work in a criminal law enforcement position or as a civil litigation/private examiner.
Your roles and responsibilities affect all stages of an investigation or engagement. The sooner you become involved in the investigation/engagement, the better!
Roles & Responsibilities… in preparation for the seizure of electronic evidence
Recommend and/or assist in securing information from witnesses, informants, complainants, or others, which will help determine the volume, complexity, and role of any computers and/or media you will be seizing.
For LE, assist in the preparation of the Affidavit and Search Warrant.
  Ensure a proper legal basis for the seizure.
Acquire the resources (logistics) which may be necessary to handle the engagement or seizure and to secure the anticipated electronic evidence.
Roles & Responsibilities… in seizing electronic evidence
Document all evidence seized.
Document all relevant information, including what you did, where, how, and any deviation from standard procedures.
Proper seizure and a continuing Chain of Custody:
  Inventory and secure.
  Arrange safe transportation and storage of media:
    Avoid heat and moisture.
    Avoid magnetic fields.
    Physical care: handling, bumping, jiggling.
Search for and secure items unique to electronic media:
  Search for passwords.
  Secure and seize manuals and original software for unique programs.
  Printer, webcam, scanner, digital camera, iPod, cell phone, etc. (any of which may be relevant to your investigation/engagement).
Roles & Responsibilities… in seizing electronic evidence (cont.)
Interview subjects, witnesses, system administrators, etc.
Determine whether media/systems may be seized and taken back to your forensic lab, or whether analysis and/or backup is to be done on-site.
Proper accessing of original evidence:
  The creation of a “Safety Net” (more on this later).
  Use standard and tested procedures and tools, when possible and practical.
Roles & Responsibilities… in the analysis of media
ALWAYS protect against changes to the original evidence media.
  Make bit-for-bit forensic images (copies) of all original evidence media.
  Analyze only a duplicate “working” copy of the original.
Prepare investigative worksheets/documentation.
In some cases, restoration of your bit-for-bit forensic image is necessary to perform analysis.
  Restore images to VMware or another virtual machine.
  Some proprietary computer systems (e.g. PlayStation 3) require restoration to a duplicate physical hard drive that is re-inserted into the computer in place of the original. Analysis is then performed by “running” the copy of the original in the original machine.
Review for and recover hidden or deleted files, directories, and data.
Review for and recover data from unallocated space or previous/lost file systems.
Conduct searches by filename, by file type (using extension and/or file headers), by hash value, or by string of characters/bytes.
Overcome encryption and password-protected files, directories, drives, etc.
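The searches listed above (by file header, by hash value, by byte string), as an added example that is not part of the lecture: a small Python carver that scans a constructed in-memory buffer standing in for a run of unallocated space, finds objects by header signature, carves each to its trailer (or to a size cap when the format has none), hashes the carved bytes against a hash set, and searches for a string in both ASCII and UTF-16LE. The signature table, the hash set, the sample buffer and all function names are assumptions made for this example, not a real tool's.

```python
import hashlib
import re
from dataclasses import dataclass

# Header/trailer signatures for a few common types (an assumed, partial table;
# a real carver carries hundreds of entries and per-format length parsing).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),            # SOI ... EOI
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # PNG header ... IEND chunk + CRC
    "pdf":  (b"%PDF-", b"%%EOF"),
    "zip":  (b"PK\x03\x04", None),                       # no fixed trailer: cap the carve
}
MAX_CARVE = 1024 * 1024  # upper bound on a carve when no trailer is found


@dataclass
class Hit:
    kind: str
    offset: int   # byte offset in the buffer (sector number = offset // 512)
    size: int
    sha256: str
    known: bool   # True if the hash is in the investigator's hash set


def carve(blob: bytes, known_hashes: set) -> list:
    """Find every header in SIGNATURES, carve to its trailer (or MAX_CARVE),
    hash the carved bytes and flag those present in known_hashes."""
    hits = []
    for kind, (header, trailer) in SIGNATURES.items():
        pos = blob.find(header)
        while pos != -1:
            if trailer is None:
                end = min(pos + MAX_CARVE, len(blob))
            else:
                t = blob.find(trailer, pos + len(header))
                end = t + len(trailer) if t != -1 else min(pos + MAX_CARVE, len(blob))
            data = blob[pos:end]
            digest = hashlib.sha256(data).hexdigest()
            hits.append(Hit(kind, pos, len(data), digest, digest in known_hashes))
            pos = blob.find(header, pos + len(header))  # keep scanning; carves may overlap
    return sorted(hits, key=lambda h: h.offset)


def search_string(blob: bytes, text: str) -> dict:
    """Offsets of `text` as ASCII and as UTF-16LE. Windows registry hives, LNK
    files and many application artifacts store strings as UTF-16LE, so an
    ASCII-only search misses them."""
    return {
        enc: [m.start() for m in re.finditer(re.escape(text.encode(enc)), blob)]
        for enc in ("ascii", "utf-16-le")
    }


def build_sample_blob():
    """Constructed stand-in for a run of unallocated space (not real evidence)."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    note = "meet at dock 9".encode("utf-16-le")
    blob = b"\x00" * 512 + jpeg + b"\x00" * 300 + pdf + b"\x00" * 100 + note + b"\x00" * 200
    return blob, {"jpeg": jpeg, "pdf": pdf, "note": note}


def demo():
    blob, parts = build_sample_blob()
    # Hash set as it would be loaded from a prior case or a known-file list.
    known = {hashlib.sha256(parts["jpeg"]).hexdigest()}
    return carve(blob, known), search_string(blob, "dock 9")


if __name__ == "__main__":
    hits, strings = demo()
    for h in hits:
        print(f"{h.kind:5} @ {h.offset:8d} size={h.size:6d} known={h.known} {h.sha256[:16]}")
    print(strings)
```

A header match is only a lead: the carved size comes from a trailer search, so a fragmented file or a stray trailer byte sequence in the filler gives the wrong length, which is why each hit is hashed and reported with its offset rather than treated as a recovered file outright.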
Roles & Responsibilities… in the analysis of media (cont.)
Prepare reports from accounting, database or other complex programs with proprietary file formats.
Review the boot process for any deviations which may represent overt acts in attempting to destroy or conceal evidence.
Reconstruct computer and user activity via “time line” analysis and/or recovery and analysis of operating system artifacts left by a user’s computer usage.
Identify malware/virus/trojan… or the lack thereof.
Maintain investigative documentation and report findings to the investigative team.
Authenticate any exhibited evidence items.
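The “time line” reconstruction mentioned above, as an added example that is not part of the lecture: a Python function that turns per-file timestamps into rows in the style of The Sleuth Kit’s mactime output (one row per distinct timestamp per file, with the M/A/C/B flags that share that timestamp merged into one string), plus one sanity check on the relationship between the timestamps. The records are constructed for this example; in practice they come from a file-system parser run against the forensic image. Function names and the sample paths are assumptions.

```python
from datetime import datetime, timezone

# Flag letters and the record keys they come from, in mactime column order:
# M(odified) A(ccessed) C(hanged, i.e. metadata) B(irth/creation).
FLAGS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def build_timeline(records):
    """records: dicts with 'name' and Unix timestamps under the FLAGS keys (None = unknown).
    Returns rows sorted by time: (UTC time string, 'macb' flag string, name)."""
    by_key = {}
    for rec in records:
        for i, (letter, key) in enumerate(FLAGS):
            ts = rec.get(key)
            if ts is None:
                continue
            # Same file, same second: merge into one row so "m.c." reads as one event.
            flags = by_key.setdefault((ts, rec["name"]), ["."] * len(FLAGS))
            flags[i] = letter
    rows = []
    for (ts, name), flags in sorted(by_key.items()):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((when, "".join(flags), name))
    return rows


def modified_before_created(records):
    """Files whose content-modified time predates their creation time.
    On NTFS this is normal for a file copied in from elsewhere (the copy gets
    a new creation time but keeps the source's mtime), so it is a lead that
    the report must explain, not by itself proof of timestamp tampering."""
    return [
        r["name"] for r in records
        if r.get("mtime") is not None and r.get("crtime") is not None
        and r["mtime"] < r["crtime"]
    ]


def sample_records():
    """Constructed metadata for three files (not taken from a real image)."""
    return [
        {"name": "Users/joe/Documents/plan.docx",
         "mtime": 1700000000, "atime": 1700003600, "ctime": 1700000000, "crtime": 1699990000},
        {"name": "Users/joe/Downloads/tool.exe",
         "mtime": 1690000000, "atime": 1700001000, "ctime": 1700001000, "crtime": 1700001000},
        {"name": "Windows/Prefetch/TOOL.EXE-1A2B3C4D.pf",
         "mtime": 1700001100, "atime": None, "ctime": 1700001100, "crtime": 1700001100},
    ]


if __name__ == "__main__":
    for when, flags, name in build_timeline(sample_records()):
        print(when, flags, name)
    print("mtime < crtime:", modified_before_created(sample_records()))
```

Reading the output top to bottom gives the story the slide asks for: the executable arrives in Downloads (.acb), a Prefetch entry appears about 100 seconds later (m.cb, consistent with it being run), and the document is read afterwards (.a..). All times are emitted in UTC; convert to local time only at reporting, after the system’s BIOS clock and time zone have been recorded.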
Roles & Responsibilities… in trial prep and testimony
Review exhibits and documentation.
Discuss testimony with attorneys.
Prepare copies of physical exhibits and media for defense/opposing counsel.
  CD/DVD copies, image restoration, copies of images, etc.
Testify.
  Emphasize custody control and the actions you took to ensure the evidence was preserved in its original form.
  Maintain your credibility.
Additional Responsibilities
Cleaning media and systems:
  Wipe “target” media prior to use.
  Virus-check any media provided to investigators, prosecutors, defense, etc.
  Keep your systems clean and up-to-date.
Calibrating your equipment:
  Run validation checks to ensure equipment is in proper working order.
Continued professional development to keep up-to-date on new technology, new potential computer forensic challenges, and legal developments.
Education of peers and new computer forensic examiners.
The “Safety Net” Concept
Procedures and actions taken to ensure that electronic evidence…
  is not altered or destroyed.
  is properly preserved and protected.
  can be authenticated.
  is maintained with a chain of custody.
The “Safety Net” is a broad concept and not a specific list of “Thou shall” and “Thou shall not.”
In computer forensics there are often exceptions to standard policy/procedure… be able to articulate any deviation from standard policies.
Why the “Safety Net”?
So judicial challenges to the authenticity of evidence may be met.
So that steps taken to recover evidence may be reproduced at a later date, for trial or by another examiner.
To help protect against examiner liability issues: following proper procedures helps protect you from liability should something go wrong.
Safety Net Procedures
Documentation: be able to recount what you did, how, when, where, with what tools, etc.
System checking (BIOS date/time, boot order, attached hardware, configuration, etc.):
  Take digital pictures and keep them in your case file.
Controlled boot process:
  If booting the subject’s computer, use a self-validated controlled boot disk and procedures… you will learn about this later.
Hardware or software disk write protection:
  If removing subject drive(s) from the subject computer, ensure the media is protected from your OS and from any inadvertent writes.
  Test and self-validate your hardware or software write blockers before use on original evidence.
Safety Net Procedures (cont.)
Bit-for-bit copy using tested and approved forensic imaging software or devices:
  Physical image when possible… not a logical image or file copying unless there is a specific reason to do so.
  Be able to authenticate all evidence (via hash values, documentation, and your recollection).
Data transfer and storage:
  Protect seized equipment and data from bumping, dropping, extreme heat, moisture and unforeseen circumstances (leaking pipes or A/C dripping on equipment, flooding, etc.).
  Maintain Chain-of-Custody!!!
  Do NOT leave seized evidence in your car (or elsewhere) unattended after you leave the seizure location… secure it!
Virus checking:
  Do not provide virus-infected evidence files to investigators, attorneys, or others. You do not want to be responsible for infecting their systems.
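The bit-for-bit copy and hash authentication steps above, as an added example that is not part of the lecture and not any vendor’s imaging tool: a Python function that copies a source in fixed-size blocks, zero-fills any block that fails to read while recording its offset (the behaviour of `dd conv=noerror,sync`, which keeps the image the same size as the source so offsets still line up), hashes the bytes as they are read, then re-reads the finished image from disk to verify it and returns a record for the case file. It runs against a constructed source file in a temporary directory; on a real acquisition the source would be a write-blocked block device and the block size a multiple of the sector size. Function names are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def image_device(src, dst, block_size=64 * 1024, algo="sha256"):
    """Copy src to dst block by block and return an acquisition record.
    A block that raises on read is replaced by zeros in the image and its
    offset logged. If bad_blocks is non-empty, read_hash is the hash of the
    zero-filled stream, not of the drive itself, and the report must say so."""
    started = datetime.now(timezone.utc).isoformat()
    h_read = hashlib.new(algo)
    bad_blocks = []
    offset = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while True:
            try:
                block = fin.read(block_size)
            except OSError:
                bad_blocks.append(offset)
                block = b"\x00" * block_size
                fin.seek(offset + block_size)  # step past the unreadable region
            if not block:
                break
            fout.write(block)
            h_read.update(block)
            offset += len(block)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image is on disk before hashing it
    return {
        "source": src, "image": dst, "algorithm": algo,
        "bytes": offset, "bad_blocks": bad_blocks,
        "read_hash": h_read.hexdigest(),
        "image_hash": hash_file(dst, algo, block_size),  # re-read from disk, not memory
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }


def hash_file(path, algo="sha256", block_size=64 * 1024):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hash, algo="sha256"):
    """Re-run before each analysis session and before handing copies to
    opposing counsel: shows the working copy is still the acquired image."""
    return hash_file(path, algo) == expected_hash


def demo():
    """Constructed 1 MiB + 777 byte source (a partial final block), not evidence."""
    data = bytes((i * 31 + 7) & 0xFF for i in range(1024 * 1024 + 777))
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "evidence.raw"), os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(data)
        rec = image_device(src, dst)
        rec["verified"] = rec["read_hash"] == rec["image_hash"]
        # Stands in for hashing the original drive in a separate pass.
        rec["independent_hash"] = hashlib.sha256(data).hexdigest()
        rec["reverified"] = verify_image(dst, rec["image_hash"])
        return rec


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:17} {value}")
```

The record is what goes into the worksheet: tool, algorithm, start and finish times, byte count, bad-block offsets and both hashes. Two hashes that match prove only that the image equals what was read; a separate hash of the source drive (where it can be read without errors) is what ties the image to the original.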
Summary
Your role is to:
1. Protect the integrity of the original evidence, and
2. Authenticate any evidence originating from an electronic source.
All of the methodologies, procedures and tools have been designed to accomplish these two basic roles, both of which are the basis for the creation of the “Safety Net” concept.
It is the training in preservation and authentication of electronic evidence that makes you a unique member of the investigative team and teaches you to apply physical-world safeguards of evidence to a fragile, electronic environment.
Lastly, you must have the credibility necessary for the court to accept a printed document as evidence where no physical document was seized or received. Testimony must convince the judge and the jury that the physical representation of this information is complete and accurate. Your actions in EVERYTHING you do will affect the credibility of your testimony.
Questions ???
…as usual, use the discussion board!