STANDARDS FOR DIGITAL AND COMPUTER FORENSICS IN NIGERIA

DRAFT PREPARED BY: FIRST DIGITAL & TECHNO-LAW FORENSICS CO. LTD.
FOR NATIONAL TECHNICAL COMMITTEE (NTC) MEETING ON STANDARDS FOR DIGITAL AND COMPUTER FORENSICS
MARCH 2014

Standards for Digital and Computer Forensics in Nigeria – Draft v0.2

TABLE OF CONTENTS

1. Introduction
   1.1 Background
   1.2 Objectives
   1.3 Methodology
   1.4 Scope of Assignment
2. Digital and Computer Forensic Investigation
3. Data Recovery
4. Establishing a Digital and Computer Forensics Laboratory
   4.1 Needs Statement
   4.2 Scope of Work
   4.3 Design of a Laboratory (New Building)
   4.4 Starting a Laboratory in an Existing Building
   4.5 Suggested Digital and Mobile Forensics Equipment, Software, Tools and Supplies
5. Training and Professional Qualifications of Digital and Computer Forensics Examiners
   5.1 Training
   5.2 Profile/Qualifications of a Digital and Computer Forensics Examiner
   5.3 Profile/Qualifications of Digital and Computer Forensics Consultants for Laboratory Implementation
   5.4 Skill Sets Required by a Digital and Computer Forensics Examiner
   5.5 Job Description: Computer Forensics Examiner/Investigator
   5.6 Computer Forensics Examiner/Investigator Salary

APPENDICES
   A. Forensics Portals
   B. Glossary of Terms

FIGURES
   2.1 Sample of a Single-evidence Form
   2.2 Sample of a Multi-evidence Form

SELECTED REFERENCES

1. INTRODUCTION

1.1 BACKGROUND

Today, virtually every business and personal document is prepared on a computer or on mobile, hand-held devices. E-mail records and pages visited on the Internet yield even more critical information about our daily lives. More importantly, the information stored on a computer can make or break a business, a person, a group of people or a court case.

Computer and digital forensics is the science of retrieving and chronicling evidence located on a computer's hard drives and other sources of Electronically Stored Information (ESI) such as floppies, CDs and DVDs, external drives, thumb drives and voice mail servers, so that it can be presented as evidence in a court of law. It is the use of specialized techniques for the recovery, authentication and analysis of electronic data when a case involves issues relating to the reconstruction of computer usage, examination of residual data, and authentication of data by technical analysis or explanation of technical features of data and computer usage.

Computer and digital forensics is useful for the detection and investigation of crime committed on computers, computer networks, the Internet and other digital devices, with the intent of giving digital evidence in law courts and tribunals. It is also the professional extraction and handling of potential electronic evidence from any digital device or digital storage medium to assist investigators, prosecutors, and the trier of fact (judges, magistrates and members of tribunals) in a criminal justice system in arriving at the right judgment in litigation.

The practice of computer and digital forensics includes the use of formal, accepted techniques for collecting, analyzing, and presenting suspect data in court, concentrating on the rules of evidence, the legal processes, the integrity and perpetuity of evidence, the reporting of facts, and the preparation and presentation of expert testimony.
It requires the use of specialized techniques for the recovery, authentication, and analysis of computer data, typically data which may have been deleted or destroyed. Like all forms of forensic science, computer and digital forensics comprises the application of the law to computer technology. It deals with the preservation, identification, extraction, and documentation of computer evidence. Like many other forensic sciences, computer forensics involves the use of sophisticated technological tools and procedures that must be followed to guarantee the accuracy of the preservation of evidence and the accuracy of results concerning computer evidence processing.

Computer forensics requires specialized expertise that goes beyond the normal data collection and preservation techniques available to end-users or system support personnel. The applications of computer forensics require specialized training and techniques and state-of-the-art forensic tools and software to evaluate the potential usefulness of computer data, to retrieve and interpret "hidden" data from computer media, and to provide chain of custody and data accuracy with court-accepted techniques.

Law-enforcement agencies worldwide have for many years successfully used computer forensics experts to investigate crimes such as fraud, murder, terrorism, hacking, cyber-warfare, money laundering and other cases. But the advent of PCs (personal computers) used by businesses and individuals in recent years has dramatically increased the volume of criminal acts committed with the use of computers. Hence, digital and computer forensics can be used to investigate the following crimes, amongst others:

- Espionage, Terrorism and Treason;
- Attacks against National Critical Infrastructure;
- Cyber Terrorism, Cyber Warfare, Identity Theft, Hacking;
- Financial Fraud, e.g. e-Payment fraud, ATM fraud, etc.;
- Human Resource/Payroll Fraud;
- Fraudulent Websites and mails;
- Blackmail;
- Theft, Narcotics, Homicide, Forgery, Electoral Fraud;
- Kidnapping;
- Threats and malicious calls;
- Extortion;
- Recovering evidence after formatting of a hard drive or after deletion of evidence;
- Corporate or Governmental internal investigation;
- Law-enforcement investigation;
- Computer Security violations;
- Child Pornography;
- Corporate or Governmental Policy Violation;
- Perjury; etc.

Digital and computer forensics can also be used proactively as a preventive tool against cyber-attacks.

Forensic, digital or electronic evidence, therefore, is any data stored or transmitted using a computer or similar electronic device (including phones and hand-held devices) that supports or refutes a theory of how an offence occurred, or that addresses critical elements of the offence such as intent and alibi. It is estimated that over 85 percent of all criminal cases today involve one form of digital, electronic or forensic evidence or another.

In July 2011, Nigeria signed into law her Evidence Act, 2011, which recognizes electronic, digital and computer-generated evidence. No doubt this singular act has the capability to transform our legal and judicial systems. As electronic evidence grows in both volume and importance in criminal and civil courts, judges and magistrates need to fairly and justly evaluate the merits of the offered evidence. To do so, prosecutors, investigators, judges and magistrates need a general understanding of the underlying technologies and applications from which forensic evidence is derived, and of the appropriate standards that must be met.

Even though Nigeria now has a new Evidence Act, it should be noted that digital and computer forensics is a new field and profession in Nigeria. Furthermore, the area of standards for digital and computer forensics is a technical issue and not a legal issue.
Hence the need for the development of appropriate Standards for the implementation of the forensic platform in the new Evidence Act, 2011 in Nigeria. There is a need for standards to be set on how electronic evidence should be acquired, examined, analyzed and presented in a manner that will be admissible in the Nigerian Law Courts and Tribunals. Not only these: standards for the laboratories where admissible forensic evidence could be extracted, and for the quality of forensic laboratory staff, need to be set as well.

To demonstrate the need for the development of the Standards for Forensic Evidence, the Federal Ministry of Justice commenced the training and certification of its Prosecutors and Zonal Officers in Forensic Evidence in August 2012. The first batch of these prosecutors were inducted by the Computer Forensics Institute, Nigeria (CFIN) at a special induction ceremony on 29th November, 2012. The Nigeria Police Force also commenced the training and certification of its officers in Digital and Computer Forensics in August 2013. However, the lack of Standards for the implementation of digital, computer and electronic evidence in Nigeria has left a big vacuum in the entire process. The NITDA Act empowers NITDA to develop such Standards. Furthermore, this study is in line with the Scope, Goals and Objectives of ICT4D Governance and Legislature generally and the Law of Evidence in particular.

1.2 OBJECTIVES

The objectives of this Standards document are as follows:

1.2.1 To develop the Standards for the implementation of digital and computer forensics in Nigeria in terms of electronic evidence acquisition, examination, analysis and presentation in a manner that will be admissible in the law courts; and

1.2.2 To develop standards for: (a) forensic laboratories where admissible forensic evidence could be extracted; and (b) the quality of forensic laboratory staff.
1.3 METHODOLOGY

1.3.1 Prepare a Draft of the Standards for Forensic Evidence.
1.3.2 Make the Draft Standards available to Stakeholders.
1.3.3 Review the Draft with relevant Stakeholders at the National Technical Committee (NTC) Meeting on Standards for Digital and Computer Forensics in Nigeria.
1.3.4 Obtain comments from Stakeholders and take these into consideration in preparing a Final Draft of the Standards for Digital and Computer Forensics in Nigeria.

1.4 SCOPE OF THE STANDARDS

This standards document, in this version, covers all areas of digital and computer forensic evidence obtained from computers, laptops, servers and other digital or electronic storage devices, including phones and mobile devices, video, photo, digital fingerprints and other biometric data, etc. This document shall be subject to review and update from time to time in view of the dynamic nature of information technology. Appendix A lists the forensic portals. Appendix B contains the Glossary of digital forensics terms.

This Standards document is aimed principally at police officers, law-enforcement and security agents, military officers, prosecutors, anti-corruption agencies, regulatory agencies, other public sector investigators, and private sector investigators working for their organizations or in conjunction with law enforcement. It is meant for all those involved in the investigation and prosecution of incidents or offences which require the collection and examination of digital evidence in Nigeria.

This document is intended for use in the recovery of computer-based electronic evidence; it is not a comprehensive guide to the examination of that evidence. It is a standards document. It is, therefore, the responsibility of the users of this document to obtain the necessary training required for carrying out digital and computer forensic examination and analysis.
This document was developed to ensure that in a crime which involves a high-tech element, the digital forensics examiner collects all relevant evidence in a timely and appropriate manner.

2. DIGITAL AND COMPUTER FORENSIC INVESTIGATION

According to the Association of Chief Police Officers (ACPO), as information technology is ever developing and as each new development finds a greater role in our lives, the recovery of evidence from electronic devices has now become firmly part of investigative activity in both public and private sector domains. In its Good Practice Guide for Computer-Based Electronic Evidence (www.acpo.police.uk), the ACPO states: "electronic evidence is valuable evidence and it should be treated in the same manner as traditional forensic evidence - with respect and care. The methods of recovering electronic evidence, whilst maintaining evidential continuity and integrity may seem complex and costly, but experience has shown that, if dealt with correctly, it will produce evidence that is both compelling and cost effective."

The ACPO went further to give four Principles of Computer-Based Electronic Evidence. These are listed and explained below:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

The ACPO's explanation of the principles: Computer-based electronic evidence is subject to the same rules and laws that apply to documentary evidence. The doctrine of documentary evidence may be explained thus: the onus is on the prosecution to show to the court that the evidence produced is no more and no less now than when it was first taken into the possession of the police.

Operating systems and other programs frequently alter and add to the contents of electronic storage. This may happen automatically without the user necessarily being aware that the data has been changed. In order to comply with the principles of computer-based electronic evidence, wherever practicable, an image should be made of the entire target device. Partial or selective file copying may be considered as an alternative in certain circumstances, e.g. when the amount of data to be imaged makes this impracticable. However, investigators should be careful to ensure that all relevant evidence is captured if this approach is adopted.

In a minority of cases, it may not be possible to obtain an image using a recognized imaging device. In these circumstances, it may become necessary for the original machine to be accessed to recover the evidence. With this in mind, it is essential that any such access is made by a witness who is competent to give evidence to a court of law.

It is essential to display objectivity in court, as well as the continuity and integrity of evidence. It is also necessary to demonstrate how evidence has been recovered, showing each process through which the evidence was obtained. Evidence should be preserved to such an extent that a third party is able to repeat the same process and arrive at the same result as that presented to a court.
The Nature of Computer-Based Electronic Evidence

Digital and computer forensics is the application of science and technology to law in the search for truth in civil, criminal, and social behavioral matters, to the end that injustice shall not be done to any member of society. It can also be defined as the acquisition, preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis using well-defined and approved methodologies and procedures. It is also the study of network traffic to search for truth in civil, criminal, and administrative matters, to protect users and resources from exploitation, invasion of privacy, and any other crime fostered by the continual expansion of network connectivity.

Goal: To determine the evidential value of crime scene and related evidence.

Computer-based electronic evidence is information and data of investigative value that is stored on or transmitted by a computer. As such, this evidence is latent evidence in the same sense that fingerprints or DNA (deoxyribonucleic acid) evidence is latent. In its natural state, we cannot see what is contained in the physical object that holds our evidence. Equipment and software are required to make the evidence available. Testimony may be required to explain the examination and any process limitations.

Computer-based electronic evidence is, by its very nature, fragile. It can be altered, damaged, or destroyed by improper handling or improper examination. For this reason, special precautions should be taken to document, collect, preserve and examine this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion.
Functions of the Digital and Computer Forensic Examiner

The functions of the forensic examiner are:
(a) Analysis of physical/electronic evidence;
(b) Provision of expert opinion/testimony;
(c) Provision of training in the proper recognition, collection, analysis and preservation of physical/electronic evidence.

Methodology:
(a) Acquire the evidence without altering or damaging the original.
(b) Authenticate that the recovered evidence is the same as the original seized.
(c) Analyze the data without modifying it.
(The methodology is discussed in full later in this section.)

Categories of Digital Evidence:
- Hardware
- Software:
  o Data
  o Programs

Digital Evidence: Digital data that can establish that a crime has been committed, or can provide a link between a crime and its victim, or provide a link between a crime and its perpetrator.

Categories:
- Text
- Audio
- Image
- Video

Where Forensic Evidence Resides:
- Computer systems, laptops, phones and mobile devices, etc.:
  o Logical file system
  o File system
  o Files, directories and folders, FAT, clusters, partitions, sectors
  o Random Access Memory
  o Physical storage media: HDD, CD, flash drives, etc.
  o Slack space: space allocated to a file but not actually used, due to internal fragmentation
  o Unallocated space
- Computer networks:
  o Application Layer: web pages, online documents, e-mail messages, newsgroup archives, archive files, chat room archives
  o Transport Layer
  o Network Layer
  o Data Link Layer

TAKING A SYSTEMATIC APPROACH

Steps for problem solving:
- Make an initial assessment about the type of case you are investigating
- Determine a preliminary design or approach to the case
- Create a detailed design
- Determine the resources you need
- Obtain and copy an evidence disk drive
- Identify the risks
- Mitigate or minimize the risks
- Test the design
- Analyze and recover the digital evidence
- Investigate the data you recovered
- Complete the case report
- Critique the case

Systematically outline the case details:
- Situation
- Nature of the case
- Specifics about the case
- Type of evidence
- OS
- Known disk format
- Location of evidence

Based on the case details, you can determine the case requirements:
- Type of evidence
- Computer forensics tools
- Special OSs

A basic investigation plan should include the following activities:
- Acquire the evidence
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics laboratory
- Secure the evidence in an approved secure container
- Prepare a forensics workstation
- Obtain the evidence from the secure container
- Make a forensic copy (image copy) of the evidence
- Return the evidence to the secure container
- Process the copied evidence with computer forensics tools

An evidence custody form helps you document what has been done with the original evidence and its forensic copies. There are two types:
- Single-evidence form (see Figure 2-1)
- Multi-evidence form (see Figure 2-2)

Nigeria Yzx Dept. Forensics Investigations Unit
This form is to be used for only one piece of evidence. Fill out a separate form for each piece of evidence.

Case No:
Unit Number:
Investigator:
Nature of Case:
Location where evidence was found:

Item # | ID | Description of evidence | Vendor Name | Model No./Serial No.

Evidence recovered by: ____________  Date & Time: ____________
Evidence placed in locker by: ____________  Date & Time: ____________

Evidence processed by | Disposition of Evidence | Date & Time

Page ____ of ____

Figure 2-1: A single-evidence form

Nigeria Xyz Dept. Forensics Investigations Unit
This form is to be used for one to ten pieces of evidence.

Investigating Organization:
Case No:
Investigator:
Nature of Case:
Location where evidence was found:

Item # | Description of Evidence | Vendor Name | Model No./Serial No.
Item #1 | | |
Item #2 | | |
Item #3 | | |
Item #4 | | |
Item #5 | | |
Item #6 | | |
Item #7 | | |
Item #8 | | |
Item #9 | | |
Item #10 | | |

Evidence recovered by: ____________  Date & Time: ____________
Evidence placed in locker by: ____________  Date & Time: ____________

Item # | Evidence processed by | Disposition of Evidence | Date & Time

Page ____ of ____

Figure 2-2: A sample multi-evidence form

Securing your Evidence:
- Use evidence bags to secure and catalog the evidence
- Use computer-safe products:
  o Antistatic bags
  o Antistatic pads
- Use well-padded containers
- Use evidence tape to seal all openings:
  o Floppy disk or CD drives
  o Power supply electrical cord
- Write your initials on the tape to prove that the evidence has not been tampered with
- Consider computer-specific temperature and humidity ranges

Data-Recovery Workstations and Software:
- Investigations are conducted in a computer forensics lab (or data-recovery lab)
- Computer forensics and data recovery are related but different
- Computer forensics workstation: a specially configured personal computer
- To avoid altering the evidence, use write-blocker devices
Gathering the Evidence:
- Take all necessary measures to avoid damaging the evidence
- Place the evidence in a secure container
- Complete the evidence custody form
- Transport the evidence to the computer forensics lab
- Create forensic copies
- Secure the evidence by locking the container

Image Copy or Bit-Stream Copy:
- A bit-by-bit copy of the original storage medium; an exact copy of the original disk
- Different from a simple backup copy: backup software only copies known files; it cannot copy deleted files or e-mail messages, or recover file fragments
- A bit-stream image file contains the bit-stream copy of all data on a disk or partition
- If possible, copy the image file to a target disk that matches the original disk's manufacturer, size, and model
- Use a write-blocker to ensure that the Operating System (OS) does not write to the source and target disks
- Verify the integrity of the image copy, that is, that it is an exact replica of the source disk, by computing hash values of the source and of the image and confirming that they match. The three (3) most common types of hash values are:
  o MD5 hash
  o SHA-1 hash
  o SHA-256 hash

Analysing your Digital Evidence: Your job is to recover data (digital evidence) from:
- Deleted files
- File fragments
- Complete files
- Encrypted files
- Password-protected files

Completing the Case:
- Prepare a draft report
- State what you did and what you found
- Include logs from the forensic tools you used
- If required, use a report template
- The report should show conclusive evidence that the suspect did or did not commit a crime or violate a company/government policy
- Forward the draft report to a solicitor/prosecutor/investigator or the requesting party for review
- Produce a final report

Critiquing the Case: Ask yourself the following questions:
- How could you improve your participation in the case?
- Did you expect the results you found?
- Did the case develop in ways you did not expect?
- Was the documentation as thorough as it could have been?
- What feedback has been received from the requesting source?
- Did you discover any new problems? What are they?
- Did you use new techniques during the case or during research?

3. DATA RECOVERY

3.1 INTRODUCTION

Data recovery is the process of retrieving, recovering or salvaging deleted, damaged or inaccessible data from failed electronic media such as computer hard disk drives, RAIDs, removable media (flash drives, Zip drives, memory cards, etc.), optical devices (CDs, DVDs), tape cartridges, phones and mobile devices, and other storage media. One of the most important functions of a Digital and Computer Forensics Examiner is the recovery of data that has been deleted maliciously or intentionally for criminal purposes or to conceal evidence. Data recovery is also useful in discovering 'digital' action(s) of the suspect that could link him or her to a crime, e.g. homicide, where all physical evidence regarding a suspected murder has been neatly concealed but electronic evidence found on the suspect's laptop shows that the suspect ordered a substance used in poisoning the victim.

Therefore, in order to effectively handle this aspect of the job, the examiner must have at least an elementary technical knowledge of data recovery and of how data storage media work. The hard disk (HD) drive is used for this purpose in this document. This part is divided into five parts: data, the essence of data recovery, the scope of data recovery, elementary knowledge of the hard disk, and the steps in data recovery.

3.2 DATA

Data, as used here, includes not only multimedia files such as documents, images and voice recordings stored in a file system or database, but also hardware information, network addresses and network services, which are used to store and manage that information.
3.3 THE ESSENCE OF DATA RECOVERY

Data recovery means retrieving lost, deleted, unusable or inaccessible data that was lost for various reasons. Data recovery not only restores deleted or lost files but also recovers corrupted data and data maliciously deleted with criminal intent. On the basis of the different reasons for the loss, we can adopt different data recovery methods.

3.4 THE SCOPE OF DATA RECOVERY

There are two purposes of data recovery: forensic investigation and disaster recovery. We can also divide the scope of data recovery according to different symptoms, namely:

3.4.1 File loss: If files are lost because of deletion or formatting (malicious, intentional or unintentional, or with criminal intention), a format or Ghost clone error, file recovery tools such as FTK, EnCase, etc. can be used to recover the data.

3.4.2 System problem: The main symptom is that you cannot enter the system, the system is abnormal or the computer closes down. There are complex reasons for this, so different processing methods must be adopted. Reasons for this symptom may be that a key system file is lost or corrupted, that there are bad tracks on the hard disk, that the hard disk is damaged, that the MBR or DBR is lost, or that the CMOS setting is incorrect, and so on.

3.4.3 Bad tracks on the hard disk: There are logical and physical bad tracks. A logical bad track is mainly caused by incorrect operation, and it can be restored by software. A physical bad track is caused by physical damage, which is real damage; it can be dealt with by changing the partition or sector.

3.4.4 Partition problem: If a partition cannot be identified or accessed, or a partition is identified as unformatted, partition recovery tools such as partition table software can be used to recover the data.

3.4.5 Password loss: If a file, system, database or account password is lost, special decryption and password cracking tools can be used.
3.4.6 Files repair: For some reason, some files cannot be accessed or used, or their contents are full of corrupted characters; the contents have been changed and have thus become unreadable.

3.5 METHODOLOGY OF DATA RECOVERY

Taking a perfect image of a computer suspected of containing incriminating data is critical to all ensuing investigative work. Its significance must not be underestimated. When an imperfect image is used to gather suspect data, the resulting evidence will be found inadmissible in court.

In most cases, "hidden," "deleted," or "lost" data cannot be located with the limited software tools available to most users. However, sophisticated computer forensic tools allow specialists to find and restore missing data. Using specialized forensic tools and software, the technician will:

- Inspect all hard drives, floppy drives, and other available electronic media using methods that will allow the data to be preserved and exhibited in court.
- Explore and recover deleted files.
- Explore unallocated space and file slack for data, including hidden data.
- Explore areas of the media for fragmented data.
- Explore swap files.
- Locate and document current and deleted e-mail (sent and received).
- Extract e-mail and e-mail conversations, and identify all e-mail addresses and Web URLs.

Our focus in this document is on the approved methodology for recovering data as forensic evidence. Data recovery, in most cases, may require exhaustive, detailed work. However, any data recovery case for forensic purposes typically follows the same general process used to recover lost data for disaster recovery. The steps are stated below:

1. Make a Log Book Entry: Record the date and time, details of the suspect hard disk drive (HDD) or device to be recovered, the case number, the name of the suspect, etc.
2. Evaluate the media and provide an initial determination of the extent of the damage, the potential for recovery, and the work involved to recover the data.
3. Estimate how much work will be involved, how much data can be recovered, what steps will need to be taken, and what the cost will be to recover the data.
4. Mirror or Image the suspect HDD. In this step, the forensic examiner performs an image copy or bit-stream copy of the HDD, using write-blockers to protect the original HDD from being written to by the Operating System (OS). If possible, make two (2) copies for yourself as the Examiner and one (1) copy ready for the defense (or the prosecutor), depending on which side you are on. (If this step fails due to a hardware problem or physical damage to the HDD, perform step 5 before returning to step 4. If you can perform this step without any problem, skip step 5.)
5. Repair any electrical or physical damage that may be preventing the media from accessing the data. (A suspect may have deliberately smashed the HDD, the computer system or the device on the floor to prevent possible data recovery.) This step must be carried out in a "Clean Room" and with the appropriate tools, since hard drives are finely tuned and sealed tightly to protect them from dust.
6. Recover the data through "logical" (software) processes that work with the raw data or the image of the data on the disk or drive. World-class software such as AccessData FTK, EnCase and Belkasoft Evidence Centre are examples of software that can be used for this purpose. You must ensure that the software you are using is properly licensed to you or your organization, and that updates/upgrades are current.
7. Examine the recovered (imaged) data to be sure it is intact and usable, and extract a list of the results of the recovery (what data was recovered, etc.).
8. Return the original media (HDD, etc.) to the appropriate authority from which you collected it for data recovery.
9. Analysis: Conduct a detailed analysis of the recovered data based on the scope of your assignment (or the charges brought against the suspect): e.g. MS-Office document files, PDF files, photos (JPEG, etc.), videos, SMS, MMS, e-mails, contact book, databases, apps, call logs, GPS data, etc. Restrict yourself to the scope of your assignment.
10. Report Writing: Prepare a detailed report of your findings and the digital evidence found during your examination. Review the draft copy and submit a final draft.

3.6 COMPRESSED, ENCRYPTED OR PASSWORD-PROTECTED FILES

Compressed file archives such as zip, rar, tar, cab, 7z, etc. will be extracted and examined to determine whether they contain relevant file types. The processing must be able to recursively extract files from the archive, because a compressed archive can be included in another compressed archive.

Encrypted or password-protected files must be identified and a log generated. Once it is clear that this is the situation, attempts will be made to "crack" the password. Whatever actions are taken must be well documented in the report (including the name(s) of the tools used).

3.7 WHEN THERE IS SUSPICION OF POTENTIAL EVIDENCE TAMPERING

The following forensic questions must be answered and documented for each computer or electronic device:

3.7.1 Was a data destruction tool used on the hard disk drive?
3.7.2 Is there evidence that the user of the suspect computer copied files to a network drive or external drive and then deleted the files?
3.7.3 Is there evidence that someone may have tampered with the system clock?
3.7.4 Is there evidence that there was a massive destruction of files prior to imaging?
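Steps 1, 4 and 7 of the data recovery procedure in 3.5 (the log book entry, the bit-stream copy behind a write-blocker, and the check that the image is intact) are tied together in practice by hashing the original while it is read and the image after it is written. The Python script below is an added example written for this document; it is not code from the draft or from any of the tools it names. It assumes an in-memory, constructed stand-in for the seized drive (make_sample_media), a placeholder case number, and that the hardware write-blocker is already in place: opening the source read-only in software is a precaution, not a substitute for it.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # read, hash and write the media 1 MiB at a time


def _sha256_of_stream(stream):
    """Hash a binary stream from offset 0, chunk by chunk; return the hex digest."""
    digest = hashlib.sha256()
    stream.seek(0)
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        digest.update(chunk)
    return digest.hexdigest()


def image_media(source, image, case_number, examiner, device, log_book):
    """Bit-stream copy `source` into `image` and append a log-book entry.

    `source` is the seized media opened read-only (in the lab it also sits
    behind a hardware write-blocker; read-only access in software is not a
    substitute). The original is hashed as it is read and the image is hashed
    after it is written; the two digests must match, otherwise the image is
    imperfect and must not be used for the examination.
    """
    source_digest = hashlib.sha256()
    bytes_copied = 0
    source.seek(0)
    while True:
        chunk = source.read(CHUNK_SIZE)
        if not chunk:
            break
        source_digest.update(chunk)
        image.write(chunk)
        bytes_copied += len(chunk)
    image.flush()

    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "case_number": case_number,          # placeholder in the demo below
        "examiner": examiner,
        "device": device,
        "bytes_copied": bytes_copied,
        "source_sha256": source_digest.hexdigest(),
        "image_sha256": _sha256_of_stream(image),
    }
    entry["verified"] = entry["source_sha256"] == entry["image_sha256"]
    log_book.append(entry)
    return entry


def verify_image(image, expected_sha256):
    """Re-hash an image (a working copy, or the copy handed to the other side)
    and confirm it still matches the digest recorded at acquisition."""
    return _sha256_of_stream(image) == expected_sha256


def make_sample_media():
    """Constructed stand-in for a seized drive: about 3 MiB of a repeating
    pattern, so the copy loop runs over several chunks. Not real evidence."""
    pattern = b"CONSTRUCTED-SAMPLE-SECTOR-" + bytes(range(256))
    media = io.BytesIO()
    while media.tell() < 3 * CHUNK_SIZE:
        media.write(pattern)
    return media


def run_demo():
    """Acquire the constructed sample, then show that a working copy with one
    flipped byte fails re-verification. Returns (entry, good_ok, bad_ok)."""
    log_book = []
    image = io.BytesIO()
    entry = image_media(make_sample_media(), image, "CASE-PLACEHOLDER-001",
                        "Examiner A", "constructed sample drive", log_book)
    good_copy = io.BytesIO(image.getvalue())
    bad_copy = io.BytesIO(image.getvalue())
    bad_copy.seek(1000)
    original = bad_copy.read(1)
    bad_copy.seek(1000)
    bad_copy.write(bytes([original[0] ^ 0xFF]))  # flip a single byte
    return (entry,
            verify_image(good_copy, entry["image_sha256"]),
            verify_image(bad_copy, entry["image_sha256"]))


if __name__ == "__main__":
    entry, good, bad = run_demo()
    print(f"acquired {entry['bytes_copied']} bytes, verified={entry['verified']}")
    print(f"untouched copy verifies: {good}; tampered copy verifies: {bad}")
```

The recorded digests are what make the examiner's copies and the copy prepared for the other side (step 4) provably identical to the original; re-running verify_image before the report is written (step 10) shows whether a working copy is still the image that was acquired.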
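The two requirements of 3.6, recursive extraction and a log of every encrypted or password-protected member, can be checked against the archive's own metadata before anything is extracted. The Python example below is added for this document and is not the draft's own tooling. It handles zip archives only (the rar, 7z and cab formats named above need third-party libraries), uses bit 0 of the zip general-purpose flag as the encryption marker, caps the nesting depth, and builds its own nested sample archive in memory. Because the standard library cannot write password-protected archives, the constructed sample flips that flag on one member to simulate one; that member's data is not actually encrypted.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # bit 0 of the zip general-purpose flag field
MAX_DEPTH = 8            # stop recursing into pathologically deep archives


def walk_archive(zip_bytes, prefix="", depth=0, log=None):
    """Walk a zip archive held in memory, recursing into nested zips.

    Returns a list of (member_path, status) where status is one of
    'plain', 'nested', 'encrypted' or 'depth-limit'. Encrypted members are
    logged and skipped rather than extracted; the log is the examiner's cue
    to document, in the report, which tool was used on the password.
    """
    if log is None:
        log = []
    if depth > MAX_DEPTH:
        log.append((prefix, "depth-limit"))
        return log
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member = f"{prefix}/{info.filename}" if prefix else info.filename
            if info.flag_bits & ENCRYPTED_FLAG:
                log.append((member, "encrypted"))
                continue
            payload = archive.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                log.append((member, "nested"))
                walk_archive(payload, member, depth + 1, log)
            else:
                log.append((member, "plain"))
    return log


def build_zip(entries):
    """Create a zip archive in memory from {name: bytes}; returns the raw bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, payload in entries.items():
            archive.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes, name):
    """Set the encryption flag on one member, in both its central-directory
    record and its local file header. This only simulates a password-protected
    member for the constructed sample; the payload stays in clear."""
    data = bytearray(zip_bytes)
    wanted = name.encode("utf-8")
    pos = 0
    while True:
        pos = data.find(b"PK\x01\x02", pos)  # central directory record signature
        if pos < 0:
            raise KeyError(name)
        (name_len,) = struct.unpack_from("<H", data, pos + 28)
        if data[pos + 46:pos + 46 + name_len] == wanted:
            (local_offset,) = struct.unpack_from("<L", data, pos + 42)
            data[pos + 8] |= ENCRYPTED_FLAG           # flag field of the CD record
            data[local_offset + 6] |= ENCRYPTED_FLAG  # flag field of the local header
            return bytes(data)
        pos += 4


def build_sample_evidence():
    """Constructed sample: an outer archive holding a note and a nested archive,
    which in turn holds a spreadsheet and a 'password-protected' document."""
    inner = build_zip({
        "ledger.csv": b"date,amount\n2014-03-01,1500\n",
        "secret.docx": b"placeholder bytes, not a real document",
    })
    inner = mark_encrypted(inner, "secret.docx")
    return build_zip({
        "note.txt": b"constructed sample, not case data",
        "inner.zip": inner,
    })


if __name__ == "__main__":
    for member, status in walk_archive(build_sample_evidence()):
        print(f"{status:10s} {member}")
```

Nested archives are recognised by their content (is_zipfile on the extracted bytes) rather than by file extension, so a renamed archive is still descended into; the depth cap is the guard against an archive that contains itself or a very long chain of archives.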
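Questions 3.7.2 to 3.7.4 can be screened for in a file-system change journal before the examiner answers them by hand. The Python example below is an addition to this document, not a tool named in the draft. It assumes journal records of the form (sequence number, timestamp, reason, path), where the sequence number is assigned by the journal and always increases while the timestamp is whatever the system clock said at the time (the way the NTFS USN journal behaves), and it assumes the drive letters E: and F: belong to removable media. It builds a constructed extract with three indicators planted (copy to removable media followed by deletion of the original, a clock set backwards, and a burst of deletions before seizure) and flags each. Question 3.7.1, use of a data destruction tool, is not covered here.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Clock readings from a journal with a monotonic sequence number should never
# run backwards; allow a small tolerance for ordinary time synchronisation.
CLOCK_TOLERANCE = timedelta(minutes=1)
REMOVABLE_PREFIXES = ("E:\\", "F:\\")  # assumed drive letters for removable media
SAMPLE_ACQUISITION_TIME = datetime(2014, 3, 3, 13, 0, 0)  # when the sample was "seized"


def clock_regressions(records):
    """Return (seq, previous_timestamp, timestamp) for every record whose timestamp
    is earlier than its predecessor's despite a higher sequence number (3.7.3)."""
    hits, prev_ts = [], None
    for seq, ts, _reason, _path in sorted(records):
        if prev_ts is not None and ts < prev_ts - CLOCK_TOLERANCE:
            hits.append((seq, prev_ts, ts))
        prev_ts = ts
    return hits


def deletions_before_acquisition(records, acquisition_time,
                                 window=timedelta(hours=24), threshold=50):
    """Count DELETE records in the window before acquisition (3.7.4).
    Returns (count, flagged); the threshold is a constructed default."""
    start = acquisition_time - window
    count = sum(1 for _s, ts, reason, _p in records
                if reason == "DELETE" and start <= ts <= acquisition_time)
    return count, count >= threshold


def copy_then_delete(records, max_gap=timedelta(minutes=10)):
    """Pair a CREATE on removable media with a later DELETE of a same-named file
    on fixed media within `max_gap` (3.7.2). Returns [(deleted_path, copy_path)]."""
    copies = [(ts, path) for _s, ts, reason, path in records
              if reason == "CREATE" and path.upper().startswith(REMOVABLE_PREFIXES)]
    pairs = []
    for _s, ts, reason, path in records:
        if reason != "DELETE" or path.upper().startswith(REMOVABLE_PREFIXES):
            continue
        name = PureWindowsPath(path).name
        for copy_ts, copy_path in copies:
            if PureWindowsPath(copy_path).name == name and timedelta(0) <= ts - copy_ts <= max_gap:
                pairs.append((path, copy_path))
                break
    return pairs


def build_sample_records():
    """Constructed journal extract (not case data) with three indicators planted."""
    t0 = datetime(2014, 3, 3, 9, 0, 0)
    records, seq = [], 1

    def add(ts, reason, path):
        nonlocal seq
        records.append((seq, ts, reason, path))
        seq += 1

    for i in range(10):  # ordinary morning activity
        add(t0 + timedelta(minutes=5 * i), "MODIFY", f"C:\\Users\\u\\Documents\\report{i}.docx")
    for i in range(3):   # copies land on a removable drive, originals go 30 s later
        add(t0 + timedelta(hours=1, minutes=i), "CREATE", f"E:\\backup\\ledger{i}.xlsx")
        add(t0 + timedelta(hours=1, minutes=i, seconds=30), "DELETE",
            f"C:\\Users\\u\\Documents\\ledger{i}.xlsx")
    back = t0 - timedelta(days=2)  # clock set back two days, activity continues
    for i in range(5):
        add(back + timedelta(minutes=i), "MODIFY", f"C:\\Users\\u\\Documents\\memo{i}.docx")
    burst = t0 + timedelta(hours=3)  # mass deletion an hour before seizure
    for i in range(80):
        add(burst + timedelta(seconds=i), "DELETE", f"C:\\Users\\u\\Pictures\\img{i:03d}.jpg")
    return records


def screen(records, acquisition_time):
    """Run the three checks; the result feeds the written answers to 3.7.2 to 3.7.4."""
    count, flagged = deletions_before_acquisition(records, acquisition_time)
    return {
        "copy_then_delete": copy_then_delete(records),
        "clock_regressions": clock_regressions(records),
        "deletions_in_window": count,
        "mass_deletion_flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in screen(build_sample_records(), SAMPLE_ACQUISITION_TIME).items():
        print(key, value)
```

Each hit is a lead, not an answer: the examiner still has to confirm it against the file system, the event logs and the device's own records, and document both the indicator and the confirmation as 3.7 requires.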
4.0 ESTABLISHING A DIGITAL AND COMPUTER FORENSIC LABORATORY

4.1 Needs Statement

The emerging problem of terrorism, cybercrime, cyber-terrorism, cyber-warfare, kidnapping, financial fraud, money-laundering and other crimes in Nigeria places new responsibilities on law-enforcement agencies, regulatory agencies, financial institutions, corporate organizations, and governments at all levels. Furthermore, the passage of Nigeria's Evidence Act, 2011 requires law-enforcement, regulatory bodies and other organizations in the country to build capacity to address issues of digital forensics and electronic-based evidence.

4.2 Scope of Work

What is a "Computer Forensics Lab"? A Computer Forensics Lab or CFL is a designated location (permanent or mobile) for conducting computer-based investigations. The lab should be securable in order to prevent unauthorized access.

The scope of the work for a digital forensics laboratory is:

4.2.1 Planning and Design (including integration with existing systems);
4.2.2 Implementation: including supply and installation of computer/digital/mobile forensics laboratory equipment, software and tools, and moving into the laboratory, etc.;
4.2.3 Training and Capacity Building (including Certification);
4.2.4 Digital Forensics Best Practices Documentation; and
4.2.5 Post-Implementation Support.

4.3 Design of a Laboratory (New Building)

Although the laboratory building presents some very complex and challenging design issues, elements of the site design must also be addressed in order to ensure a successfully designed forensic laboratory facility. Issues such as site access, proximity of secured and unsecured parking areas, and even landscaping have implications for the efficiency and security of the overall site and building design.

Site Design

- Site access.
  o It is desirable that the site be designed with access from at least two directions to ensure access to the site despite traffic conditions, street maintenance work, acts of sabotage, or other unforeseen site disruptions.
- Emergency and service access.
  o Coordinate with laboratory staff and local authorities to ensure emergency access for fire department and other emergency vehicles. Access for shipping and receiving must comply with code requirements without compromising site security.
- Site lighting.
  o The site lighting should be designed to enhance security and discourage vandalism and unauthorized entry. Lighting comparable to that of a college campus offering night classes might serve as a guideline.
- Landscape design.
  o Landscaping should be designed to enhance site security by preventing potential vandals, burglars, and saboteurs from hiding in the landscaping until after dark. The following types of landscape design should be avoided:
    - Dense shrubbery within 3.048 m (10 ft) of the building or any security fence.
    - Large clusters of shrubbery, 0.61 m (2 ft) to 1.83 m (6 ft) high.
    - Tall evergreens with branches less than 1.52 m (5 ft) above grade.
- Parking design.
  o Like landscaping, the design of parking areas should consider site security requirements. The following are recommended levels of security for parking:
    - Level 1, unsecured. Visitor parking located near the visitors' entrance to the building, allowing entry and departure without security barriers.
    - Level 2, partially secured. Fenced area for use by persons having business at the facility, for example shipping and receiving, biological and toxic waste pickup, dumpster replacement, and evidence delivery. The area should be gated; the gate may be left open during business hours and locked after hours. Access might be through the level 1 parking area.
    - Level 3, secured. Staff parking area secured 24 hours, surrounded by a security fence, and accessible by use of a proximity or card key device. Depending on security policy, this level might be eliminated, and staff could park in the level 2 parking area.
    - Level 4, high security. Vehicle impound parking with limited personnel access and monitored security systems.

General Building Design

- Exterior walls.
  o Materials. Bullet-resistant, such as concrete.
  o Windows. Reflective and/or bullet-resistant glazing where exposed to public view.
  o Window sill design. Windows should be installed flush with the exterior surface of the wall or, if recessed, provided with a sloped exterior sill to prevent the placement of explosives at the window.
- HVAC intakes.
  o Locate in areas inaccessible to the public, such as in secured fenced areas. Design to prevent the possibility of someone introducing a tear gas canister into the intake.
  o If located in parking areas, design to prevent introduction of vehicle exhaust.
  o Locate away from and upwind of fume hood exhaust.
- Visitor access protection.
  o The administrative or security receptionist at the visitors' access should be protected behind bullet-resistant glazing with adjacent walls of similar bullet-resistive construction.
- Duress alarms.
  o "Call assistance" or duress/panic alarms should be installed in key areas throughout the facility and concealed as appropriate. Locations might include the visitor reception desk, bulk chemical storage spaces, weapons ranges, parking garages, and clandestine lab storage and exam spaces.
- Laboratory tours.
  o If the facility is to be designed to accommodate guided tours, tour groups should not be allowed into the laboratory spaces. Guided tours should be conducted through the main corridor system, with viewing into the laboratory spaces through strategically placed windows in the corridor walls.
- Interior glazing.
  o It is recommended that the use of windows between laboratory spaces be maximized.
  o This is a feature designed to enhance the safety of personnel by allowing those in one laboratory space to view the activities of those in other spaces that might be of a more hazardous nature.
- Equipment and systems service and maintenance.
  o Equipment and systems that are part of the building and might require periodic service and maintenance should be located outside of the laboratory spaces, and particularly outside of any space where evidence is stored. Such equipment and systems might include, but are not limited to, electrical panels, walk-in cooler compressors, and water purification filters.
- Corridors.
  o Primary circulation and exit corridors: 1.83 m (6 ft) wide, minimum.
  o Secondary circulation and non-exit corridors: 1.37 m (4 1/2 ft) wide, minimum.
- Doors.
  o Double doors to all laboratory sections and spaces that are expected to receive oversized evidence or equipment. Double doors shall consist of a 0.914 m (36 in) wide active leaf and a 0.457 m (18 in) wide inactive leaf.
  o Freight elevator doors minimum 1.22 m (48 in) wide.

Security Design

- Security Strategy Meeting.
  o Although this is not a design guideline, it is recommended that a security strategy meeting take place upon completion of an approved schematic design of the building and the site. This meeting should be attended by representatives of the building owner, building users, security staff, the architect, the electrical engineer, and a security design consultant.
  o The purpose of this meeting is to establish and document a comprehensive security strategy for the new facility. This security strategy will act as a guideline for the design of passive and electronic security systems.
    This strategy should include, but not be limited to, security policy and procedural issues, site and building access as related to security, types of security electronics systems, performance requirements for security access systems, and any other special security needs that might be identified by the users. Specific considerations regarding hardening the laboratory against terrorist attack may be important, depending on the location and function of the lab.
- Escort-only design.
  o The design of the building should incorporate a security perimeter within which unauthorized persons may enter only under an "escort only" policy. This security perimeter should be defined during the Security Strategy Meeting.
  o The sign-in and badging area should be located at the visitors' entrance.
- Door access systems.
  o Access to and circulation throughout the facility, as well as key zones of the building, should be provided with controlled access through the use of proximity or card-key access systems. The system should be capable of programming access devices for specific areas and times, and should fully document all access attempts.
  o The system must prevent unauthorized entry while maintaining safe and legal exiting. This security must be maintained in multistory buildings having shared elevator access.
- Door status monitoring.
  o Key doors throughout the building, particularly exterior doors and doors to evidence storage spaces, should be electronically monitored for open/closed status.
- Closed circuit television (CCTV) systems.
  o Key areas of the building, both interior and exterior, should be kept under video surveillance. Key areas might include, but are not limited to, exterior doors, lobby/reception areas, parking lots, and evidence delivery areas. Placement of CCTV cameras and their features (pan, zoom, tilt, constant sweep, time-lapse recording, etc.) should be defined during the Security Strategy Meeting.
- Special security design features.
  o The security design of the facility should include consideration of such special features as:
    - Motion detection in evidence storage spaces, circulation corridors, or other key areas.
    - Additional security protection for storage of high-value evidence items such as money and jewelry.

Electrical Systems Design Checklist

- Emergency generator. Emergency power and lighting are recommended for the following spaces:
  o Entire evidence section.
  o All refrigerators and freezers, including walk-in units.
  o Photography darkroom(s).
  o Entire security section, including electronic security systems and telephones.
  o All computer-driven systems and equipment including, but not limited to, laboratory instrumentation, Automated Fingerprint Identification System (AFIS), Combined DNA Identification System (CODIS), Laboratory Information Management System (LIMS), Integrated Ballistic Imaging System (IBIS), and LAB Network. A central UPS system is preferred, but local UPS units are acceptable.

General Laboratory Design

- Laboratory floors.
  o Chemical-resistant sheet vinyl or vinyl tiles with welded seams.
- Laboratory walls.
  o Epoxy in all spaces considered highly biologically or chemically hazardous, such as examination rooms, bulk drug analysis, and bulk chemical storage.
  o Semi-gloss latex enamel in all other spaces.
- Laboratory ceilings.
  o Epoxy in all spaces considered highly biologically or chemically hazardous, such as examination rooms, bulk drug analysis, and bulk chemical storage.
  o Suspended acoustical in all other spaces.
- Non-laboratory spaces.
  o Acceptable interior finish standards for offices and non-laboratory support spaces.
- Laboratory casework.
  o Standard laboratory casework with utility access space behind base cabinets.
  o Steel or wood preferred, plastic laminate acceptable.
  o Maximize use of flexible laboratory casework systems.
- Files.
  o Generally, one four-drawer filing cabinet, or the equivalent file storage space, should be provided for each forensics analyst at the area of the non-laboratory workstation.
- Special considerations.
  o Acoustics.
  o Reflective surfaces.
  o Vibration-proof flooring.
  o High-strength flooring.

Technical Laboratory Sections: General Design Comments

The forensic laboratory consists of various laboratories within the overall facility. These various laboratories are commonly referred to as laboratory sections or units. The recommended guidelines provided here are intended to serve as checklists for the design of laboratory space in the technical laboratory sections. Many of the items listed, such as laboratory workstations, are universal components of technical sections. Other items may or may not be necessities, depending upon the needs and size of individual laboratory sections. In some instances an area (m2, ft2) of floor space or a length (lin m, lin ft) of bench space has been assigned to represent minimum guidelines for space requirements. Items and areas that are not assigned measurements will vary as needed by individual laboratories and the sections within those laboratories.

For most laboratory sections the checklist below follows a common theme: a main laboratory space for each section, and supporting spaces that are enclosed rooms directly adjacent to the main laboratory. The main laboratory is where each analyst will have an individual laboratory workstation. The adjacent supporting spaces are devoted to specific procedures or equipment items that might be used by each analyst from time to time during the course of his or her examinations.

Administrative Work Spaces

Each laboratory section will identify various non-laboratory work spaces.
A significant amount of the forensic analyst's responsibilities include non-laboratory tasks such as data analysis, report writing, court testimony preparation, and other administrative responsibilities. The design should provide the analyst with an administrative work area, away from the hazards of the laboratory, where these tasks can be conducted in an efficient and safe environment. Supervisors' offices, case review areas, and space for files can also be included in this environment. With the exception of the supervisors' offices, which shall be private offices, all other spaces in the administrative work area can be designed as open office systems workstations. Some analysts, such as document and latent print examiners, require additional administrative work space since a significant amount of their technical examinations can occur outside of the laboratory environment.

Computer Evidence Section

May be designed as computer hardware space. Chemical and biological hazards will not be present.

- Main computer evidence laboratory space.
  o Individual analyst laboratory workstation: 7.62 lin m (25 lin ft) bench space per analyst.
  o Miscellaneous computer evidence bench: 7.62 lin m (25 lin ft) bench space per analyst.
  o Independent data line with two jacks.
  o Various types of telephone lines.
- Evidence room.
  o 9.29 m2 (100 ft2) per analyst.
- Equipment room.
  o 9.29 m2 (100 ft2) per analyst.
- Administrative work spaces.
  o May be included as part of the main computer evidence laboratory space.
  o Supervisor's office: 13.935 m2 (150 ft2).
  o Analyst's administrative workstation: 9.29 m2 (100 ft2) per analyst.
  o Independent data line with two jacks.
  o Various types of telephone lines.
- Dry fire-suppression system.

Universal Facility Design Components

Although no two forensic laboratories are alike, there are basic functional components and areas that are universal to most laboratory buildings.
For example, office space, training rooms, and technical support areas are standard necessities that must be considered for space during the design phase. The following set of checklists serves as recommended guidelines and requirements for universal laboratory building components, and has been divided into four categories: administrative, building, technical support, and general technical. Administrative areas are non-technical and primarily consist of office space used for evidence support. Building areas are not directly related to evidence analysis, and needs will vary for freestanding laboratories or laboratories occupying only part of a building. Technical support areas are directly related to, but are not used for, evidence analysis. General technical areas are shared by most laboratory sections within a building, and needs will vary depending upon laboratory size and functions.

Administrative

Design standards for these spaces should be based on acceptable office space design standards.

- Private offices.
  o Based on existing space standards, if any.
- Offices for support personnel.
  o Shared offices or open office systems furniture.
- Files for active cases.
- Clerical, administrative, and case support.
- Mail, photocopy, and facsimile.
- Conference room(s).
- Lobby/reception.
- Consultant offices.
- Library.
  o Book stacks.
  o Periodicals shelves.
  o Study carrel(s).
  o Study table(s).
  o Computer information terminal(s).

Building

- Mechanical.
  o Heating, ventilation, and air conditioning (HVAC) equipment rooms.
  o Air handling systems.
  o Fume and biological hood exhaust equipment.
  o Laboratory compressed air and vacuum systems.
  o Central plant water treatment systems.
  o Domestic hot and cold water systems.
  o Fire extinguishing systems and sprinkler control rooms.
  o Instrument gas manifold and distribution systems.
- Communications.
  o Computer rooms and/or closets.
  o Telephone equipment rooms and/or closets.
  o Premise wiring rooms and/or closets.
  o Data line provisions.
- Electrical.
  o Service entrance and main switch gear.
  o Emergency generator.
  o Uninterruptible power supply (UPS) equipment.
  o Electrical closets.
  o Electrical service panels.
- Staff use.
  o Lunch room.
  o Break room(s).
  o Locker rooms with showers.
  o Rest rooms.
- Other.
  o Janitorial closet(s).
  o Passenger and/or freight elevator(s).
  o Recycling.
  o Lab coat cleaning.
  o Shipping and receiving.
  o Hazardous waste disposal.
  o Compressed gas cylinder storage.
  o General waste disposal.

Technical Support

- Storage.
  o General laboratory storage.
  o General supplies storage.
  o Long-term files storage.
  o Chemical storage.
- Dry fire-suppression system.
- Evidence.
  o Evidence receiving and return counter from and to submitting agencies.
  o After-hours secure evidence lockers.
  o Evidence disbursal and return counter to and from laboratory sections.
  o Evidence custodian workstations: minimum 5.95 m2 (64 ft2).
  o Evidence supervisor office: minimum 11.48 m2 (120 ft2).
  o Evidence storage.
    - General evidence storage shelving.
    - Refrigerated and frozen evidence storage: refrigerators and freezers or walk-in units.
    - Secure narcotics storage.
    - Secure valuables storage.
    - Flammable evidence storage: fire-rated, ventilated storage room, or ventilated flammable storage cabinets.
    - Bio-hazardous evidence storage.
    - Gun storage.
    - Long-term evidence storage.
  o Evidence workroom.
    - Mail room features for packaging, sending, and receiving evidence.
    - Layout countertop space with sink.
    - Photocopy and facsimile.
  o Evidence case review/triage/conference room(s).
  o Evidence drying.

General Technical

- Vehicle processing.
  o Securable and air conditioned/heated forensic garage bay(s). At least one bay large enough to accommodate vans and motor homes.
  o Workbench space: 3.048 lin m (10 lin ft) per bay.
  o One shop sink per bay.
  o Laser or remote fiber light source.
  o Vehicle lift (fixed or portable).
  o High-intensity lighting.
  o Additional pull-down lighting.
  o Tools storage.
  o Evidence drying room(s).
  o Compressed air.
- Forensic photography.
  o Can be utilized for laboratory support only or offer full services, including public relations and graphic arts.
  o Film and print for black and white and color processing.
  o Chemical storage and mixing space.
  o Studio.
  o Finishing.
  o Computer-aided design and drafting (CADD) for graphic arts.
  o Photographic equipment and supplies storage.
  o Refrigerator.
- Computer imaging.
  o Video and photographic enhancement.
  o General enhancement of latent prints, footprints, etc.
  o Virtual reality crime scene recording.
- Training.
  o Classroom(s).
  o Audio/visual media room.
  o Exhibit storage.
  o Mock crime scene room(s).
  o Training laboratory.
  o Breath alcohol training.
  o Video conferencing.
  o Computer and television networking.
- Quality assurance.
  o Proficiency testing/sample preparation laboratory (might be shared with training laboratory).
  o Conference/office.
  o Record storage and archival facilities.
- Crime scene unit.
  o Equipment storage.
  o Staging area.

4.4 Starting a Laboratory in an Existing Building

4.4.1 Minimum Space Requirements

The minimum space requirements for a small laboratory (for a total of eight (8) forensics examiners) in an existing building, for organizations just starting a digital and computer forensics laboratory, are as follows:

- A Reception Room
- The Main Digital Forensics Lab Room

Optional (if additional space is available):

- A Data Recovery/Clean Room
- Office for the Head of Unit/Department

The above space is just adequate for a start and should be evaluated periodically as the activities increase.

4.4.2 FURNISHING

4.4.2.a The Reception:

- 1 No. Reception Table with two compartments
- 2 Nos. Swivel Chairs for two officers
- 1 No. Four-seater visitors' chair
- 1 No. Centre Table

4.4.2.b The Main Digital Forensics Laboratory Room (for six (6) Forensics Examiners):

The Main Laboratory will contain:

- 1 No. Custom-built (Wall) Workstation Table with six (6) compartments, each having a mobile, multi-coloured 3-drawer cabinet
- 6 Nos. Swivel Chairs for Forensics Examiners
- 6 Nos. Wall-Hanging Filing Drawers/Wooden Cabinets
- 2 Nos. Metal Office Filing Cabinets (with bar for padlocking)
- 1 No. Fire-proof Filing Cabinet

4.4.2.c Additional Items required for the two rooms (4.4.1 and 4.4.2):

- Split Unit Air-conditioners
- Office Fridge (for Main Lab)
- 2 Nos. Plasma TV, 24"
- Burglary-proof Window Protectors (quantity depends on the number of windows in the two rooms)
- Secured Metal Doors (if not in place)
- Curtains and accessories (quantity depends on the number of windows in the two rooms)
- 1 No. Signboard (to identify the laboratory)

4.5 SUGGESTED DIGITAL/MOBILE FORENSICS EQUIPMENT, SOFTWARE, TOOLS, AND SUPPLIES

4.5.1 Factors to consider

In determining the type of forensic computer equipment needed, you should consider the following:

- Type and volume of investigations being conducted.
- Is the organization law-enforcement or corporate? If corporate, are investigations internal only, or internal and external? Organizations conducting external investigations may require a broader range of capabilities than one that only does internal investigations.
- Intended use of the machine:
  o Will it be used only for imaging?
  o Will it be used only as an analysis platform, or will it be used for everything?

Relatively few labs have an unlimited budget, so there are a number of other things to consider:

- How many investigators/examiners are assigned to the lab?
- What equipment and software are already present?
- What is the expected or known volume of work?
- Purchasing from one source can often save you money, as the company may be able to give larger discounts on volume purchases.
Commercially Purchased Systems: Selecting a Vendor

Commercial companies like Dell, HP and IBM make good computers, but may have restrictions on customer repair and customization. Opening the case can void all warranties. These companies do not design their systems with forensics in mind. Dell recently started to partner with forensic software vendors.

Ask: has the company actually delivered forensic systems, or are they just a website wonder? A company which specializes in forensic workstations should have:

  o The forensic experience to know what components are required, what the methodologies are, and how to use them.
  o A warranty policy that is "no hassle" for the end user.
  o A policy that allows forensically qualified individuals to open the system without voiding any warranty.
  o Testing of its systems to ensure they are forensically sound; not all computers are created equal, and test results must be repeatable.
  o Responsiveness to customer needs, allowing configuration changes based on customer-specific needs.

At the end of the day you want systems that will do the job. How fast the job gets done will in part depend on your budget.

- Is the system configured to accept the media routinely received in an investigation?
- Is the hardware easy to use?
- Do you need portable forensic systems? Portables come in a variety of shapes and sizes. Some are built specifically for mobile forensics. Laptops can work well as long as you test before you buy, or buy from a forensics company that has tested them. The portable solution you choose should give you the same basic capabilities as your lab systems.

Why use hardware write protection? Do not assume that if you do not use Windows, you do not need a write-blocker device. You can never be too careful. Linux and Mac OS X can be configured so they do not auto-mount hard drives and other media.
Windows operating systems will mount devices you attach automatically.

4.5.2 Minimum Standards for Forensic Equipment, Software and Tools in a New Digital Forensics Laboratory

The following items and the stated minimum quantities are to be provided for the kick-off of an e-Crime and Digital Forensics Laboratory:

- 2 Nos. UFED Touch Ultimate Phone Forensics Solution, with Chinex and Link Analysis (plus 2 Nos. extra batteries), ruggedized
- 2 Nos. UFED 4PC Phone Forensics Solution, with Chinex and Link Analysis
- 2 Nos. Susteen's Secured View 3 svNUC Mobile Forensics Kit with the Intel® "Next Unit of Computing"
- 2 Nos. AccessData Mobile Phone Examiner MPE+
- 1 No. Belkasoft Evidence Center Enterprise (multi-user) 2014 or latest
- 2 Nos. Belkasoft Photo Forgery Detection Plugin
- Belkasoft Live RAM Capturer (free of charge)
- FTK Imager (free of charge)
- 2 Nos. FTK 5.0 Licenses (AccessData)
- 1 No. FTK Lab (10 user licenses)
- 1 No. FTK CIRT, 200 nodes
- 2 Nos. EnCase 7.09 or latest
- 1 No. Paraben Device Seizure
- 1 No. Paraben P2 Commander
- 4 Sets Write-Blockers
- 2 Nos. Image MASSter 4000PRO/WipePRO X2 IT & FORENSIC Extension Ready (Std i7)
- 2 Nos. Image MASSter RAPID IMAGE Complete Solutions, IT & FORENSIC, with SCSI cables, Image MASSter SATA adapters, IDE adapters, expansion boxes and accessories
- 2 Nos. Encryption Tools
- 8 Nos. Forensic Workstations with min. 1TB HDD, >2.5MHz speed
- 4 Nos. Forensic Laptops (for field work) with min. 1TB HDD, >2.5MHz speed, ruggedized, etc.
- 12 Nos. Microsoft Office Licenses
- 2 Nos. HP Deskjet 5500 or similar
- 2 Nos. LaserJet HP P2035 Printer or similar
- 8 Nos. UPS 650v
- 1 No. Scanner HP Scanjet G2710 or similar
- 12 Nos. Backup 2TB Hard Drives
- 12 Nos. Anti-Virus Software Licenses
- Electrical Cabling and Extension cords
- 4 Nos. Internet Routers (optional: for field use)
- 3 months Internet Subscription for 4 Nos. WIFI Routers (optional)
- 12 Nos. Packs of Latex Gloves
- Consultancy: Planning/Design, Implementation, Configuration and Setup, Support, etc.

Tool Sets: for the lab, a good starting list is:

- High quality screwdriver set (small ones also); I like Craftsman and Wiha
- Small wire cutters
- Small needle-nose pliers
- Assortment of Torx bits
- Assortment of hex head bits
- Small flashlight
- Technician's mirror (the kind with an adjustable mirror head)
- Hemostats (forceps; Radio Shack calls them solder helpers)
- Static wrist strap
- Small digital multimeter
- Container of computer screws
- Spare hard disk jumpers (large and small)
- Spare cables (Floppy, IDE, SATA, SCSI)
- Assortment of gender changers
- Assortment of Molex male and female cables
- Latex-type gloves

5.0 TRAINING AND PROFESSIONAL QUALIFICATIONS OF DIGITAL FORENSICS EXAMINERS

5.1 TRAINING

5.1.1 General Awareness Training in Digital/Mobile Forensics for staff in all key departments, such as Legal, ICT, Information Security, Accounting, Audit/Inspection, Forensics, Investigation, Prosecution, Judiciary, Admin/Human Resources, etc.;
5.1.2 Computer Forensics Certification Training for Digital and Computer Forensics Examiners and other officers working in the Lab who may testify as Expert Witnesses and present electronic evidence in courts and tribunals, such as:
  - MCFI: Member, Computer Forensics Institute
  - CCE: Certified Computer Examiner
  - CCFE: Certified Computer Forensics Examiner;
5.1.3 Application-specific Certification Training in digital/mobile forensics for officers (i.e. for each adopted/procured forensic hardware/software/tool, training must be provided), such as:
  - ACE Certification: AccessData Certified Examiner
  - EnCE Certification: EnCase Certified Examiner.
5.1.4 Attendance at local/national and international Digital and Computer Forensics Conferences.
5.1.5 Provision of a Digital and Computer Forensics Library, with books, journals, and other resources. 5.2 PROFILE/QUALIFICATIONS FORENSICS EXAMINERS OF DIGITAL AND COMPUTER (a) At inception, the Head of Unit/Department must have at least three (3) to five (5) years‟ practical experience in the field of computer and digital/mobile forensics and particularly, in setting up new digital forensics laboratories for the detection and investigation of electronic crime (e-Crime). Where this level of experience is not available in-house, an organization should either arrange with its digital forensics consultant/consulting firm to provide the necessary support, training and supervision until such a time that capable hands are available in the unit or department or recruit from outside your organization. (b) Must be: i. A Certified Forensics Examiner through any of: MCFI - Computer Forensics Institute, Nigeria (CFIN) which offers a digital and computer forensics program which include: Biometrics, Cryptology, Data Recovery, Questioned Documents Examination, Hand-writing Analysis, Standards for Digital and Computer Forensics in Nigeria – Draft v0.2 34 Nigeria‟s Evidence Act, 2011, Evidence Acquisition, Analysis, Reporting and Presentation. CFCE - The International Association of Computer Investigative Specialists offers the Certified Forensic Computer Examiner Program, which is open to active law enforcement personnel and others who qualify for membership in IACIS. CCE - Certified Computer Examiner certification through the International Society of Forensic Computer Examiners. and any other two of ii. to v: ii. A Certified Live Wire Examiner; iii. ACE or EnCase Certification; iv. Phone/Mobile Forensics Certification; v. 
v. Membership of High Technology Crime Investigation Association (HTCIA) (for Law Enforcement Officers);

(c) Working knowledge of operating systems, communication and application systems;

(d) A good knowledge of Nigeria's Evidence Act, 2011 as it relates to the Rules of Evidence, and Electronic Evidence in particular;

(e) Good experience of the Nigerian environment;

(f) Ability to image and use the recommended digital forensics hardware/software and tools, following sound, approved digital and computer forensics methodology;

(g) For those who will act as Expert Witnesses in the courts, a minimum of a Bachelor's degree or HND in any field and success in an aptitude test is mandatory. For Laboratory Assistants, a minimum of OND in any field plus (b)i. are the minimum requirements;

(h) Must have an analytical and investigative mind; and

(i) Must be ready to work long and odd hours.

5.3 PROFILE/QUALIFICATIONS OF DIGITAL AND COMPUTER FORENSICS CONSULTANT FOR LABORATORY IMPLEMENTATION

(a) The Consultant for the digital and computer forensics laboratory implementation assignment (individual or company) must have at least seven (7) years' experience in the field of computer/digital/mobile forensics;

(b) Must have previous experience in setting up new digital forensics laboratories for the detection and investigation of electronic crime (e-Crime);

(c) Experience in the management and implementation of large scale computerization and infrastructural development in the public sector;

(d) Ability and experience in providing training in computer/digital/mobile forensics;

(e) Must be:
i. A Certified Forensics Examiner through any of:
- MCFI – Computer Forensics Institute, Nigeria (CFIN), which offers a digital and computer forensics program that includes: Biometrics, Cryptology, Data Recovery, Questioned Documents Examination, Hand-writing Analysis, Nigeria's Evidence Act, 2011, Evidence Acquisition, Analysis, Reporting and Presentation.
- CFCE – The International Association of Computer Investigative Specialists offers the Certified Forensic Computer Examiner Program, which is open to active law enforcement personnel and others who qualify for membership in IACIS.
- CCE – Certified Computer Examiner certification through the International Society of Forensic Computer Examiners.
and any other two of ii. to v:
ii. A Certified Live Wire Examiner;
iii. ACE or EnCase Certification;
iv. Certification in Phone/Mobile Forensics;
v. Membership of High Technology Crime Investigation Association (HTCIA);

(f) Good knowledge of operating systems, communication and application systems;

(g) A good knowledge of Nigeria's Evidence Act, 2011 as it relates to the Rules of Evidence, and Electronic Evidence in particular;

(h) Good experience of the Nigerian environment;

(i) Ability to provide local support for the forensic hardware, software and tools proposed;

(j) Ability to manage a large-scale digital and computer forensics laboratory;

(k) A minimum of a Bachelor's degree, with post-graduate qualifications as an added advantage.

5.4 SKILL SETS REQUIRED BY DIGITAL AND COMPUTER FORENSICS EXAMINERS

Who is a Certified Computer/Digital Forensics Examiner?

Computer and digital forensics is still a relatively new field, so what a forensic examiner does can sometimes be difficult for newcomers to the field to understand.
Basically, the certified computer and digital forensics examiner applies reliable investigation and analysis techniques in order to discover potential electronic or digital evidence for legal purposes. Normally, the forensic examiner will inspect storage media such as hard drives, flash drives, CDs/DVDs, phones and mobile devices, and other electronic components.

The basic responsibilities are:
- Acquire the digital evidence by carefully extracting the data
- Preserve the data/evidence
- Analyze the data/evidence using proper protocol and specialized tools
- Present and report on the findings

Digital and computer forensic investigations involve three (3) distinct scenarios:
1. The computer was used to commit a crime or was involved in inappropriate use.
2. The computer was the target of a crime, such as being hacked for information, or used as a zombie in a botnet.
3. The computer was a container of electronic evidence required in a legal matter.

Forensic examiners are responsible for extracting and preserving three types of data from these computers:
1. Active data is the information clearly visible: files, folders, programs, etc.
2. Archival data is data that has been backed up and/or stored. This could consist of backup tapes, CDs/DVDs, floppies, or hard drives.
3. Latent data is data that has been deleted or formatted, usually requiring specialized software tools to recover.

Skills and Knowledge Required:

The key aspect of being a certified digital forensic examiner is being able to protect evidence from intentional or accidental modification. In the information technology world, this means protecting and preserving data. The forensics field has its own set of software and hardware tools for this specific purpose, and the digital forensics examiner will need to be familiar with these tools.
The following is not an exhaustive list, but it should cover the basic skills that a computer forensic examiner should acquire; these may also differ according to the type of employment situation and environment:
- Understanding of forensic methodologies
- Hardware imaging systems
- Computer skills (hardware and software)
- Legal concepts of criminology
- Familiarity with local, regional, domestic, and international laws on Rules of Evidence and procedure
- Advanced knowledge of the Windows registry
- Experience with computer forensics processes and tools
- Using the Forensic Toolkit by AccessData
- Using EnCase forensic software or any other top class forensic software
- Using Cellebrite's UFED or AccessData MPE+ or Paraben Solutions or other top class solutions
- Questioned Document Examination
- Hand-writing Analysis
- Biometrics, including fingerprinting, face-recognition systems, etc.
- Network forensics
- Incident response skills
- Investigative skills
- Ability to work long hours
- Knowledge of finance and accounts
- Malware Analysis expertise or Malicious Code Examination
- Experience in full life cycle investigations
- Strong communication and interpersonal skills
- Ability to establish positive relationships with law enforcement professionals
- Ability to document evidence and complete investigation reports
- Ability to handle live incidents with appropriate responses
- Forensic analysis skills including hardware, media storage, data storage, forensic imaging, and file system analysis
- Investigation skills
- Personal interviewing skills
- Familiarity with the use of rootkits, monitoring mechanisms, remote control services
- Experience with unauthorized access methods and exploitation of known vulnerabilities, such as SQL injection, Mobile Instant Messaging (MIM), buffer overflows, and others
- Excellent written and verbal skills
- Ability to communicate complex technical information to non-technical staff and clients
- Ability to lead presentations
- Investigative experience, e.g. military or law enforcement or private investigation

5.5 JOB DESCRIPTION: COMPUTER FORENSICS EXAMINER/INVESTIGATOR

Duties of Computer Forensics Examiners and Investigators:

Computer and Digital Forensics specializes in examining digital media to identify, recover, preserve, analyze, and present facts and opinions in a forensically sound manner. Such examination and analysis is needed not only for computer crime, but in other criminal and civil cases as well, and also where an electronic audit trail may be created from the information on the computer.

There are many duties a computer forensics examiner performs. Some of these are:
- Conduct forensic and security investigations related to:
  o financial crime
  o breach of policy
  o standards of conduct
  o hacks
  o leaks
  o information security
  o corporate compliance
  o terrorism
  o cyber warfare
  o homicide and other crimes
- Provide technical guidance to upper level management
- Provide policy recommendations
- Develop and implement security policies and procedures for information technology infrastructures
- Conduct witness interviews
- Perform forensic analysis on electronic storage media and mobile devices
- Document evidence findings and prepare briefings
- Communicate investigation findings to law enforcement personnel
- Testify in court (when applicable)
- Research new forensic technologies
- Stay up-to-date with the most recent malicious technologies and evolving technology platforms

5.6 COMPUTER FORENSICS EXAMINER/INVESTIGATOR SALARY

In 2014, the average annual salary of a Computer Forensics Examiner in the United States is between $50,000 and $70,000. There is a need to design and pay a special salary scale and allowances for digital and computer forensics specialists outside of the civil service salary scale.
In the private sector, it is recommended that the pay be negotiated appropriately.

APPENDIX A

FORENSIC PORTALS

Art forensics concerns art authentication cases, helping to research a work's authenticity. Art authentication methods are used to detect and identify forgery, faking and copying of art works, e.g. paintings.

Computational forensics concerns the development of algorithms and software to assist forensic examination.

Criminalistics is the application of various sciences to answer questions relating to examination and comparison of biological evidence, trace evidence, impression evidence (such as fingerprints, footwear impressions, and tire tracks), controlled substances, ballistics, firearm and toolmark examination, and other evidence in criminal investigations. In typical circumstances evidence is processed in a crime lab.

Digital forensics is the application of proven scientific methods and techniques in order to recover data from electronic/digital media. Digital forensic specialists work in the field as well as in the lab.

Forensic accounting is the study and interpretation of accounting evidence.

Forensic aerial photography is the study and interpretation of aerial photographic evidence.

Forensic anthropology is the application of physical anthropology in a legal setting, usually for the recovery and identification of skeletonized human remains.

Forensic archaeology is the application of a combination of archaeological techniques and forensic science, typically in law enforcement.

Forensic astronomy uses methods from astronomy to determine past celestial constellations for forensic purposes.

Forensic botany is the study of plant life in order to gain information regarding possible crimes.

Forensic chemistry is the study of detection and identification of illicit drugs, accelerants used in arson cases, explosive and gunshot residue.
Forensic dactyloscopy is the study of fingerprints.

Forensic document examination or questioned document examination answers questions about a disputed document using a variety of scientific processes and methods. Many examinations involve a comparison of the questioned document, or components of the document, with a set of known standards. The most common type of examination involves handwriting, whereby the examiner tries to address concerns about potential authorship.

Forensic DNA analysis takes advantage of the uniqueness of an individual's DNA to answer forensic questions such as paternity/maternity testing and placing a suspect at a crime scene, e.g. in a rape investigation.

Forensic engineering is the scientific examination and analysis of structures and products relating to their failure or cause of damage.

Forensic entomology deals with the examination of insects in, on and around human remains to assist in determination of time or location of death. It is also possible to determine if the body was moved after death using entomology.

Forensic geology deals with trace evidence in the form of soils, minerals and petroleum.

Forensic geophysics is the application of geophysical techniques such as radar for detecting objects hidden underground or underwater.

The forensic intelligence process starts with the collection of data and ends with the integration of results into the analysis of crimes under investigation.

Forensic interviews are conducted using professional expertise to conduct a variety of investigative interviews with victims, witnesses, suspects or other sources to determine the facts regarding suspicions, allegations or specific incidents in either public or private sector settings.

Forensic limnology is the analysis of evidence collected from crime scenes in or around fresh-water sources.
Examination of biological organisms, in particular diatoms, can be useful in connecting suspects with victims.

Forensic linguistics deals with issues in the legal system that require linguistic expertise.

Forensic meteorology is a site-specific analysis of past weather conditions for a point of loss.

Forensic odontology is the study of the uniqueness of dentition, better known as the study of teeth.

Forensic optometry is the study of glasses and other eye wear relating to crime scenes and criminal investigations.

Forensic pathology is a field in which the principles of medicine and pathology are applied to determine a cause of death or injury in the context of a legal inquiry.

Forensic podiatry is an application of the study of feet, footprints or footwear and their traces to analyze a scene of crime and to establish personal identity in forensic examinations.

Forensic psychiatry is a specialized branch of psychiatry as applied to and based on scientific criminology.

Forensic psychology is the study of the mind of an individual, using forensic methods. Usually it determines the circumstances behind a criminal's behavior.

Forensic seismology is the study of techniques to distinguish the seismic signals generated by underground nuclear explosions from those generated by earthquakes.

Forensic serology is the study of body fluids.

Forensic toxicology is the study of the effect of drugs and poisons on/in the human body.

Forensic video analysis is the scientific examination, comparison and evaluation of video in legal matters.

Mobile device forensics is the scientific examination and evaluation of evidence found in mobile phones, e.g. call history and deleted SMS, and includes SIM card forensics.

Trace evidence analysis is the analysis and comparison of trace evidence including glass, paint, fibres and hair.
Wildlife forensic science applies a range of scientific disciplines to legal cases involving non-human biological evidence, to solve crimes such as poaching, animal abuse, and trade in endangered species.

Blood spatter analysis is the scientific examination of blood spatter patterns found at a crime scene to reconstruct the events of the crime.

Source: http://en.wikipedia.org/wiki/Forensic_science

APPENDIX B

GLOSSARY OF TERMS

Acquisition: The process of creating a duplicate copy of digital media for the purposes of examining it.

Agent: A person who serves the interests of an agency that has jurisdiction over criminal or civil matters involving digital evidence. In many jurisdictions and circumstances, the agent will be a law-enforcement officer. However, an agent may also be a non-sworn individual of suitable qualification who is serving the interests of the parties involved in a criminal or civil investigation or dispute.

Buddy list: A collection of screen names, usually compiled by a user for instant messaging on his or her personal computer or cellular telephone.

Duplicate digital evidence: An accurate digital reproduction of all data objects contained on the original physical item.

Electronic device: A device that operates on principles governing the behavior of electrons.

Electronic evidence: Information and data of investigative value that are stored in or transmitted by an electronic device.

Copy (v.): Accurately reproduce information contained on an original physical item, independent of the electronic storage device (e.g., logical file copy). Maintains contents, but attributes may change during the reproduction. Deleted files are not copied; only the files which the operating system (OS) can recognize are copied.
Encryption: Any procedure used in cryptography to convert plain text into cipher-text so as to prevent anyone but the intended recipient from reading the data.

First responder: The initial responding law enforcement officer(s) and/or other public safety official(s) arriving at the scene.

Digital evidence: Information stored or transmitted in binary form that may be relied on in court.

Digital forensics: A branch of the forensic sciences related to the investigation of digital devices and media. Within the field a number of "normal" forensics words are re-purposed, and new specialist terms have evolved.

Digital media: Used within the field to refer to the physical medium (such as a hard drive) or data storage device.

Documentation: Written notes, audio-tapes, videotapes, discs, printed forms, sketches, and photographs that form a detailed record of the scene, evidence recovered, and actions taken during the search of the crime scene.

Duplicate: An accurate digital reproduction of all data contained on a digital storage device (e.g., hard drive, CD-ROM, flash memory, floppy disk, Zip®, Jaz®). Maintains contents and attributes (e.g., bit stream, bit copy, and sector dump).

EA2011: Nigeria's Evidence Act, 2011.

e-discovery or eDiscovery: A common acronym for electronic discovery.

Exhibit: Digital media seized for investigation is usually referred to as an "exhibit".

Hashing: Within the field, "hashing" refers to the use of hash functions (e.g. SHA1, SHA256 or MD5) to verify that an "image" is identical to the source media.

High-technology crime: Criminal offenses that involve computer technology, including computer crimes, computer-related crimes, and Internet-related crimes.

Image: A duplicate copy of some digital media created as part of the forensic process.

Imaging: Synonym of "acquisition".

ISP: Internet service provider.
ISPs are organizations that provide subscribers with access to the Internet. Small ISPs provide service via modem and ISDN (Integrated Services Digital Network), while the larger ones also offer private line hookups (e.g., T1, fractional T1).

Live Forensics or Live Analysis: Analysis of a piece of digital media from within itself; often used to acquire data from RAM where this would be lost upon shutting down the device.

Metadata: Data about data.

Network: A group of computers connected to one another to share information and resources.

Server: A computer that provides some service for other computers that are connected to it via a network.

Slack Space: The unused space at the end of a file in a file system that uses fixed size clusters (so if the file is smaller than the fixed block size then the unused space is simply left). Often contains deleted information from previous uses of the block.

Sniffer: Software that monitors network packets and can be used to intercept data including passwords, credit card numbers, etc.

Steganography: The word steganography comes from the Greek "steganos" (hidden or secret) and "graphy" (writing or drawing) and literally means hidden writing. Steganography uses techniques to communicate information in a way that is hidden.

Trier of fact: The person or persons who decide the facts in legal cases. In a jury trial the jury is the trier of fact. When there is no jury (sometimes called a "bench trial" or "trial to the court"), the judge is the trier of fact. With or without a jury, it is the judge who determines the law in a case.

Unallocated Space: Clusters of a media partition not in use for storing any active files. They may contain pieces of files that were deleted from the file partition but not removed from the physical disk.

URL: Universal Resource Locator.
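To make the glossary distinctions between a logical Copy and a bit-stream Duplicate, and between active data, Slack Space and Unallocated Space, concrete, the following is an added example (not part of this draft standard) that builds a constructed toy storage device with fixed 16-byte clusters, shows what each form of reproduction captures, and verifies the duplicate against the source by hashing both, as the Hashing entry describes. The cluster size, the file names and the contents are all constructed sample values.

```python
import hashlib

CLUSTER = 16  # constructed: toy file system with fixed 16-byte clusters


def build_toy_media():
    """Construct a toy 4-cluster storage device (constructed sample, not real media).

    Cluster 0: active file "notes.txt" (10 bytes) followed by 6 bytes of slack
               left over from an earlier, larger file that used this cluster.
    Cluster 1: unallocated, but still holding the remains of a deleted file.
    Clusters 2-3: unallocated and zero-filled.
    """
    active = b"meeting@9\n"                       # 10 bytes of active data
    slack = b"OLDREC"                             # residue in the slack space
    deleted = b"DELETED: acct 42".ljust(CLUSTER, b"\x00")
    media = active + slack + deleted + b"\x00" * (CLUSTER * 2)
    # Directory: file name -> (first cluster, logical size). Only files the
    # operating system still recognises are listed here.
    directory = {"notes.txt": (0, len(active))}
    return media, directory


def logical_copy(media, directory):
    """Copy (v.): reproduce only the files the OS recognises, up to their size."""
    out = {}
    for name, (cluster, size) in directory.items():
        start = cluster * CLUSTER
        out[name] = media[start:start + size]
    return out


def bit_stream_duplicate(media):
    """Duplicate: every byte of the device, including slack and unallocated space."""
    return bytes(media)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify(source, image):
    """Verification: hash source and image independently and compare the digests."""
    return sha256_hex(source) == sha256_hex(image)


def slack_space(media, directory, name):
    """Bytes between the logical end of a file and the end of its last cluster."""
    cluster, size = directory[name]
    end_of_file = cluster * CLUSTER + size
    end_of_cluster = (cluster + 1) * CLUSTER
    return media[end_of_file:end_of_cluster]


def unallocated_space(media, directory):
    """Concatenation of every cluster not assigned to an active file."""
    used = {cluster for cluster, _ in directory.values()}
    clusters = len(media) // CLUSTER
    return b"".join(media[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in range(clusters) if c not in used)


if __name__ == "__main__":
    media, directory = build_toy_media()
    print("logical copy   :", logical_copy(media, directory))
    print("slack space    :", slack_space(media, directory, "notes.txt"))
    print("unallocated    :", unallocated_space(media, directory))
    image = bit_stream_duplicate(media)
    print("source sha256  :", sha256_hex(media))
    print("image sha256   :", sha256_hex(image))
    print("verified       :", verify(media, image))
```

The logical copy yields only the ten active bytes, while the duplicate carries the slack residue and the deleted record as well, which is why the standard treats a verified bit-stream duplicate, not a file copy, as the evidential image.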
Verification: A term used to refer to the hashing of both source media and acquired image to verify the accuracy of the copy.

Write Blocker: The common name used for a forensic disk controller, hardware used to access digital media in a read-only fashion.

SELECTED REFERENCES

Association of Chief Police Officers (ACPO). Good Practice Guide for Computer-Based Electronic Evidence (Official release version). www.acpo.police.uk

Federal Republic of Nigeria. Evidence Act, 2011 (HB. 214).

Greg Dominguez. Equipping A Forensic Lab. Techno Forensics 2007.

National Institute of Standards and Technology (NIST). Guide to Integrating Forensic Techniques into Incident Response. Special Publication 800-86.

Olayiwola, Peter O. "Digital Forensics in the Investigation and Prosecution of Criminal Cases." A paper presented at the Commonwealth National Workshop for Prosecutors and Investigators on Money Laundering, Terrorism and the Financing and Recovery of Proceeds of Crime, Sheraton Hotel, Abuja, Nigeria, 15th-18th January, 2013.

Olayiwola, Peter O. "Evidence Collection and Crime Scene Documentation." A paper presented at the First West African Digital & Computer Forensics Conference (Theme: Digital Forensics: Antidote to High-Tech Crimes in West Africa), International Conference Centre, Abuja, Nigeria, 18th April 2012.

U.S. Department of Justice, Office of Justice Programs, National Institute of Justice. Forensic Laboratories: Handbook for Facility Planning, Design, Construction, and Moving.

U.S. Department of Justice, Office of Justice Programs, National Institute of Justice. Electronic Crime Scene Investigation: A Guide for First Responders. July, 2001.