CSN08101
Digital Forensics
Lecture 4A: Forensic Processes
Module Leader: Dr Gordon Russell
Lecturers: Robert Ludwiniak
Forensics Processes - objectives
– Investigation Process
– Forensic Ethics Issues
– Forensic Law Issues
Investigation Process
According to many professionals, Computer Forensics is a
four (4) step process:
Acquisition
Physically or remotely obtaining possession of the computer, all network
mappings from the system, and external physical storage devices
Identification
This step involves identifying what data could be recovered and
electronically retrieving it by running various Computer Forensic tools
and software suites
Investigation Process
According to many professionals, Computer Forensics is a
four (4) step process:
Evaluation
Evaluating the information/data recovered to determine if and how it
could be used again the suspect for employment termination or
prosecution in court
Presentation
This step involves the presentation of evidence discovered in a manner
which is understood by lawyers, non-technically staff/management, and
suitable as evidence as determined by United States and internal laws
Digital Investigation Process Model
Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”
Readiness Phases
Computer forensics lab
• Where you conduct your investigation
• Store evidence
• House your equipment, hardware, and
software
American Society of Crime Laboratory Directors
(ASCLD) offers guidelines for:
• Managing a lab
• Acquiring an official certification
• Auditing lab functions and procedures
Staff Readiness
Lab manager duties :
• Estimate when to expect preliminary and final results
• Create and monitor lab policies for staff
• Provide a safe and secure workplace for staff and
evidence
Staff member duties:
• Knowledge and training:
• Hardware and software
• OS and file types
• Deductive reasoning
Acquiring Certification and Training
• Update your skills through appropriate
training
• International Association of Computer
Investigative Specialists (IACIS)
– Created by police officers who wanted to formalize
credentials in computing investigations
– Certified Electronic Evidence Collection Specialist
(CEECS)
– Certified Forensic Computer Examiners (CFCEs)
Acquiring Certification and Training
(continued)
• High-Tech Crime Network (HTCN)
– Certified Computer Crime Investigator, Basic and Advanced Level
– Certified Computer Forensic Technician, Basic and Advanced
Level
• EnCase Certified Examiner (EnCE) Certification
• AccessData Certified Examiner (ACE)
Certification
• Other Training and Certifications
– High Technology Crime Investigation Association (HTCIA)
Acquiring Certification and Training
(continued)
• Other training and certifications
–
–
–
–
SysAdmin, Audit, Network, Security (SANS) Institute
Computer Technology Investigators Network (CTIN)
NewTechnologies, Inc. (NTI)
Southeast Cybercrime Institute at Kennesaw State
University
– Federal Law Enforcement Training Center (FLETC)
– National White Collar Crime Center (NW3C)
Physical Requirements for a Computer
Forensics Lab
• Most of your investigation is conducted in a lab
• Lab should be secure so evidence is not lost,
corrupted, or destroyed
• Provide a safe and secure physical
environment
• Keep inventory control of your assets
– Know when to order more supplies
Digital Crime Scene Investigation Phases
Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”
Digital Evidence Searching Phase
Event Reconstruction Phase
Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”
Ethics and Codes
• Ethics
– Rules you internalize and use to measure your performance
• Codes of professional conduct or
responsibility
– Standards that others apply to you or that you are compelled to
adhere to by external forces
• Such as licensing bodies
• People need ethics to help maintain their
balance
– And self-respect and the respect of their profession
Applying Ethics and Codes
• Laws governing codes of professional conduct or
responsibility
– Define the lowest level of action or performance required to avoid
liability
• Expert witnesses should present unbiased,
specialized, and technical evidence to a jury
• Expert witnesses testify in more than 80% of trials
– And in many trials, multiple expert witnesses testify
Applying Ethics and Codes to Expert
Witnesses
• The most important laws applying to attorneys
and witnesses are the rules of evidence
• Experts are bound by their own personal ethics
and the ethics of their professional organizations
– In the United States, there’s no state or national
licensing body for computer forensics examiners
Computer Forensics Examiners’ Roles in
Testifying
• Computer forensics examiners have two roles:
– Scientific/technical witness and expert witness
• Scientific/technical witness
•
Person involved in a case, investigator that found and presented the
evidence
• As expert witness
– You can testify even if you weren’t present when the event
occurred
• Or didn’t handle the data storage device personally
– Criticism: it’s possible to find and hire an expert to
testify to almost any opinion on any topic
Organizations with Codes of Ethics
• No single source offers a definitive code of
ethics for forensic investigator
• You must draw on standards from other
organizations to form your own ethical
standards
International Society of Forensic
Computer Examiners
• Includes guidelines such as the following:
– Maintain the utmost objectivity in all forensic
examinations and present findings accurately
– Conduct examinations based on established, validated
principles
– Testify truthfully in all matters before any board, court,
or proceeding
– Avoid any action that would appear to be a conflict of
interest
International Society of Forensic
Computer Examiners (continued)
• Includes guidelines such as the following:
(continued)
– Never misrepresent training, credentials, or association
membership
– Never reveal any confidential matters or knowledge
learned in an examination without an order from a court
of competent jurisdiction or the client’s express
permission
International High Technology Crime
Investigation Association
• HTCIA core values include the following
requirements related to testifying:
– The HTCIA values the Truth uncovered within digital
information and the effective techniques used to
uncover that Truth, so that no one is wrongfully
convicted
– The HTCIA values the Integrity of its members and
the evidence they expose through common
investigative and computer forensic best practices,
including specialized techniques used to gather
digital evidence
International Association of Computer
Investigative Specialists
• Standards for IACIS members include:
– Maintain the highest level of objectivity in all forensic
examinations and accurately present the facts
involved
– Thoroughly examine and analyze the evidence
– Conduct examinations based upon established,
validated principles
– Render opinions having a basis that is
demonstratively reasonable
– Not withhold any findings that would cause the facts
of a case to be misrepresented or distorted
BCS CODE OF CONDUCT
• Public Interest
•
Legitimate rights of third parties include protecting personal identifiable
data to prevent unlawful disclosure and identity theft, and also respect for
copyright, patents and other intellectual property.
• Professional Competence and Integrity
•
You should only claim current competence where you can demonstrate
you have the required expertise e.g. through recognised competencies,
qualifications or experience.
• Duty to Relevant Authority
•
If any conflict is likely to occur or be seen by a third party as likely to occur
you will make full and immediate disclosure to your Relevant Authority.
• Duty to the Profession
•
Share knowledge and understanding of IT and support inclusion of every
sector of society.
Legal Issues
In criminal investigation you ALWAYS have to have
warrant!!!
Warrant can be issued for:
Entire company, floor, room, a device, car, house, any
company/person owned property
Mobile phone cases – issues with interception rules laid
down in RIPSA [Regulations of Investigative Powers
(Scotland) Act]
Ethics and Warrants
A lot of the ethical issues are covered by the
warrants system. Before a warrant can be issues
a judge is presented with the evidence that
suggests a search will find something relating to
the crime under investigation. He will then way
this against the person's freedoms and decide
whether the warrant should be granted.
Corporate Investigation Issues
Non-criminal internal investigation can be
restricted by the individual’s right of privacy
Data Protection Act
Company Polices
Best Practice
• ACPO
– Principle 1 - No action taken by law enforcement or
their agents should change data held on an electronic
device or media which may subsequently be relied
upon in Court.
– Principle 2 - In exceptional circumstances where a
person finds it necessary to access original data held
on an electronic device or media, that person must be
competent to do so, and be able to give evidence
explaining the relevance and the implications of their
actions.
Best Practice
• ACPO
– Principle 3: An audit trail or other record of all
processes applied to computer based
electronic evidence should be created and
preserved. An independent third party should
be able to examine those processes and
achieve the same result.
Best Practice
• ACPO
– Principle 4: The person in charge of the
investigation (the case officer) has overall
responsibility for ensuring that the law and
these principles are adhered to.
ANY QUESTIONS?
Assessment: Short-Answer Examples
Question:
What are the requirements for the computer forensic lab?
Answer:
Assessment: Short-Answer Examples
Question:
What is a difference between Ethics and Code of Practice?
Answer:
Assessment: Short-Answer Examples
Question:
How Data Protection Act can create problems in a corporate investigation?
Answer: