Guide to Computer Forensics and Investigations, Fourth Edition
Chapter 1
Computer Forensics and Investigations as a Profession
At a Glance
Instructor’s Manual Table of Contents

Overview

Objectives

Teaching Tips

Quick Quizzes

Class Discussion Topics

Additional Projects

Additional Resources

Key Terms
1-1
Guide to Computer Forensics and Investigations, Fourth Edition
1-2
Lecture Notes
Overview
Chapter 1 defines computer forensics and describes how to prepare for computer
investigations. It also explains the difference between law enforcement agency and
corporate investigations. Finally, students will explore the importance of maintaining
professional conduct.
Chapter Objectives



Define computer forensics
Describe how to prepare for computer investigations and explain the difference between
law enforcement agency and corporate investigations
Explain the importance of maintaining professional conduct
Teaching Tips
Understanding Computer Forensics
1. Explain that computer forensics involves obtaining and analyzing digital information
for use as evidence in civil, criminal, or administrative cases.
2. Mention that the FBI Computer Analysis and Response Team (CART) was formed in
1984 to handle the increasing number of cases involving digital evidence. Use Figure 11 to illustrate your explanation.
Teaching
Tip
For more details about the FBI Computer Analysis and Response Team (CART),
visit: www.fbi.gov/hq/lab/org/cart.htm.
3. Explain that the Fourth Amendment to the U.S. Constitution protects everyone’s rights
to be secure in their person, residence, and property from search and seizure.
Computer Forensics Versus Other Related Disciplines
1. Explain that computer forensics investigates data that can be retrieved from a
computer’s hard disk or other storage media. Network forensics yields information
about how a perpetrator or an attacker gained access to a network.
Guide to Computer Forensics and Investigations, Fourth Edition
Teaching
Tip
1-3
Read more about computer forensics at:
http://en.wikipedia.org/wiki/Computer_forensics.
2. Mention that data recovery involves recovering information from a computer that was
deleted by mistake or lost during a power surge or server crash. Typically, you know
what you’re looking for. Computer forensics is the task of recovering data that users
have hidden or deleted and using it as evidence. This evidence can be inculpatory
(“incriminating”) or exculpatory.
Teaching
Tip
Read more about data recovery at: http://en.wikipedia.org/wiki/Data_recovery.
3. Explain that disaster recovery uses computer forensics techniques to retrieve
information their clients have lost.
4. Mention that investigators often work as a team to make computers and networks secure
in an organization. Use Figure 1-2 to illustrate your explanation.
5. Explain that enterprise network environment refers to large corporate computing
systems that might include disparate or formerly independent systems.
6. Explain that when you work in the vulnerability assessment and risk management
group, you test and verify the integrity of standalone workstations and network servers.
Professionals in this group have skills in network intrusion detection and incident
response.
7. Define litigation as the legal process of proving guilt or innocence in court.
8. Explain that the computer investigations group manages investigations and conducts
forensic analysis of systems suspected of containing evidence related to an incident or a
crime.
A Brief History of Computer Forensics
1. Explain that by the 1970s, electronic crimes were increasing, especially in the financial
sector. Most law enforcement officers didn’t know enough about computers to ask the
right questions or to preserve evidence for trial.
2. Mention that in the early 1980s, PCs gained popularity and different OSs emerged. Disk
Operating System (DOS) was available in many varieties. Forensics tools were simple,
and most were generated by government agencies. Use Figure 1-3 to illustrate your
explanation.
3. By the mid-1980s, Xtree Gold appeared on the market and recognized file types and
retrieved lost or deleted files. Norton DiskEdit soon followed and became the best tool
for finding deleted files.
Guide to Computer Forensics and Investigations, Fourth Edition
Teaching
Tip
1-4
Read more about Xtree Gold at: http://en.wikipedia.org/wiki/XTree.
4. Mention that in1987, Apple produced the Mac SE, a Macintosh with an external
EasyDrive hard disk with 60 MB of storage. Use Figure 1-4 to illustrate your
explanation.
5. Explain that by the early 1990s, specialized tools for computer forensics were available.
The International Association of Computer Investigative Specialists (IACIS) introduced
training on software for forensics investigations and the IRS created search-warrant
programs.
Teaching
Tip
Read more about IACIS at: www.iacis.com/iacisv2/pages/home.php.
6. Mention that ExpertWitness, created by ASR Data for the Macintosh, was the first
commercial GUI software for computer forensics. ExpertWitness could recover deleted
files and fragments of deleted files.
7. Mention that the introduction of large hard disks posed new problems for investigators.
Other software that was developed for computer forensics includes iLook and
AccessData Forensic Toolkit (FTK).
Understanding Case Law
1. Explain that since technology is evolving at an exponential pace, existing laws and
statutes can’t keep up with the rate of change.
2. Explain that when statutes or regulations don’t exist, case law is used. Case law allows
legal counsel to use previous cases similar to the current one because the laws don’t yet
exist. Each new case is evaluated on its own merit and issues.
Developing Computer Forensics Resources
1. Explain that you must be familiar with more than one computing platform, such as
DOS, Windows 9x, Linux, Macintosh, and current Windows platforms.
2. Mention that you should join as many computer user groups as you can. The Computer
Technology Investigators Network (CTIN) meets monthly to discuss problems that law
enforcement and corporations face. The High Technology Crime Investigation
Association (HTCIA) exchanges information about techniques related to computer
investigations and security.
3. Mention that user groups can be especially helpful when you need information about
obscure OSs.
Guide to Computer Forensics and Investigations, Fourth Edition
1-5
4. Explain that it is recommended that you build a network of computer forensics experts
and other professionals, and keep in touch through e-mail. Outside experts can provide
detailed information you need to retrieve digital evidence.
Quick Quiz 1
1. ____ involves obtaining and analyzing digital information for use as evidence in civil,
criminal, or administrative cases.
Answer: Computer forensics
2. The term ____ refers to large corporate computing systems that might include disparate
or formerly independent systems.
Answer: enterprise network environment
3. ____ is the legal process of proving guilt or innocence in court.
Answer: Litigation
4. ____ allows legal counsel to use previous cases similar to the current one because the
laws don’t yet exist.
Answer: Case law
Preparing for Computer Investigations
1. Explain that computer investigations and forensics falls into two distinct categories:
public investigations and private or corporate investigations. Use Figure 1-5 to illustrate
your explanation.
2. Explain that public investigations involve government agencies responsible for criminal
investigations and prosecution. These organizations must observe legal guidelines. For
example, the law of search and seizure protects the rights of all people, including people
suspected of crimes. Use Figure 1-6 to illustrate your explanation.
3. Explain that private or corporate investigations deal with private companies, non-lawenforcement government agencies, and lawyers. Private investigations aren’t governed
directly by criminal law or Fourth Amendment issues. They are governed by internal
policies that define expected employee behavior and conduct in the workplace.
4. Mention that private corporate investigations also involve litigation disputes.
Investigations are usually conducted in civil cases.
Understanding Law Enforcements Agency Investigations
1. Explain that in a criminal case, a suspect is tried for a criminal offense such as burglary,
murder, or molestation. Computers and networks are only tools that can be used to
commit crimes.
Guide to Computer Forensics and Investigations, Fourth Edition
1-6
2. Mention that many states have added specific language to criminal codes to define
crimes involving computers.
3. Explain that the legal processes depend on local custom, legislative standards, and rules
of evidence. Criminal case follows three stages: the complaint, the investigation, and
the prosecution. Use Figure 1-7 to illustrate your explanation.
4. Explain that a criminal case begins when someone finds evidence of an illegal act. The
complainant makes an allegation, an accusation or supposition of fact.
5. Next, a police officer interviews the complainant and writes a report about the crime.
The police blotter provides a record of clues to crimes that have been committed
previously. An investigator delegates, collects, and processes the information related to
the complaint.
6. Mention that after you build a case, the information is turned over to the prosecutor.
7. Define affidavit as a sworn statement of support of facts about or evidence of a crime
submitted to a judge to request a search warrant. Use Figure 1-8 to illustrate your
explanation. The affidavit must be notarized under sworn oath.
8. Mention that a judge must approve and sign a search warrant before you can use it to
collect evidence.
Teaching
Tip
Read more about affidavits at: http://en.wikipedia.org/wiki/Affidavit.
Understanding Corporate Investigations
1. Explain that private or corporate investigations involve private companies and lawyers
who address company policy violations and litigation disputes.
2. Mention that corporate computer crimes can involve:
a. E-mail harassment
b. Falsification of data
c. Gender and age discrimination
d. Embezzlement
e. Sabotage
f. Industrial espionage
3. Explain that one way to avoid litigation is to publish and maintain policies that
employees find easy to read and follow. Published company policies provide a line of
authority for a business to conduct internal investigations.
4. Mention that well-defined policies give computer investigators and forensic examiners
the authority to conduct an investigation.
Guide to Computer Forensics and Investigations, Fourth Edition
1-7
5. Explain that another way to avoid litigations is to display warning banners. A warning
banner usually appears when a computer starts or connects to the company intranet,
network, or virtual private network. It informs end users that the organization reserves
the right to inspect computer systems and network traffic at will. A warning banner
establishes the right to conduct an investigation. Use Figure 1-9 to illustrate your
explanation.
6. Mention that an authorized requester has the power to conduct investigations, and this
policy should be defined by executive management.
7. Describe the groups that should have direct authority to request computer
investigations, including:
a. Corporate Security Investigations
b. Corporate Ethics Office
c. Corporate Equal Employment Opportunity Office
d. Internal Auditing
e. The general counsel or Legal Department
8. Describe the most common type of situations that require conducting security
investigations in a corporate environment, including:
a. Abuse or misuse of corporate assets
b. E-mail abuse
c. Internet abuse
9. Mention that you should be sure to distinguish between a company’s abuse problems
and potential criminal problems.
10. Explain that corporations often follow the silver-platter doctrine, which is what happens
when a civilian or corporate investigative agent delivers evidence to a law enforcement
officer.
11. Explain that many company policies distinguish between personal and company
computer property. One area that’s difficult to distinguish involves PDAs, cell phones,
and personal notebook computers. The safe policy is to not allow any personally owned
devices to be connected to company-owned resources, thereby limiting the possibility of
commingling personal and company data.
Maintaining Professional Conduct
1. Explain that your professional conduct as a computer investigation and forensics analyst
is critical because it determines your credibility. It includes ethics, morals, and
standards of behavior.
2. Explain that maintaining objectivity means you must form and sustain unbiased
opinions of your cases. Maintain an investigation’s credibility by keeping the case
confidential. In the corporate environment, confidentiality is critical.
Guide to Computer Forensics and Investigations, Fourth Edition
1-8
3. Mention that in rare instances, your corporate case might become a criminal case as
serious as murder.
4. Explain that you can enhance your professional conduct by continuing your training,
attending workshops, conferences, and vendor courses. Also, membership in
professional organizations adds to your credentials.
5. Mention that you are expected to achieve a high public and private standing and
maintain honesty and integrity.
Quick Quiz 2
1. The ____ provides a record of clues to crimes that have been committed previously.
Answer: police blotter
2. In addition to warning banners that state a company’s rights of computer ownership,
businesses should specify a(n) ____ who has the power to conduct investigations.
Answer: authorized requester
3. Corporations often follow the ____ doctrine, which is what happens when a civilian or
corporate investigative agent delivers evidence to a law enforcement officer.
Answer: silver-platter
4. Your ____ as a computer investigation and forensics analyst is critical because it
determines your credibility.
Answer: professional conduct
Class Discussion Topics
1. Describe the three stages of a criminal case.
2. What is case law? How is it used in the American legal system?
Additional Projects
1. Ask your students to use the Internet to read more about the Fourth Amendment to the
US Constitution and write a report that includes the impact of this amendment when
conducting a security investigation.
2. Ask your students to use the Internet to read more about affidavits and write a report
with the most important points. In addition, the report should include a general example
of an affidavit.
Guide to Computer Forensics and Investigations, Fourth Edition
1-9
Additional Resources
1. Fourth Amendment to the United States Constitution:
http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution
2. Disaster Recovery:
http://en.wikipedia.org/wiki/Disaster_recovery
3. Macintosh SE:
http://en.wikipedia.org/wiki/Macintosh_SE
4. General Affidavits:
www.ilrg.com/forms/affidavt.html
Key Terms
 affidavit — The document, given under penalty of perjury, that investigators create
detailing their findings. This document is often used to justify issuing a warrant or to
deal with abuse in a corporation.
 allegation — A charge made against someone or something before proof has been
found.
 authorized requester — In a corporate environment, the person who has the right to
request an investigation, such as the chief security officer or chief intelligence officer.
 computer forensics — Applying scientific methods to collect and analyze data and
information that can be used as evidence.
 computer investigations — Conducting forensic analysis of systems suspected of
containing evidence related to an incident or a crime.
 Computer Technology Investigators Network (CTIN) — A nonprofit group based in
the Seattle–Tacoma, WA, area composed of law enforcement members, private
corporation security professionals, and other security professionals whose aim is to
improve the quality of high-technology investigations in the Pacific Northwest.
 criminal case — A case in which criminal law must be applied.
 criminal law — Statutes applicable to a jurisdiction that state offenses against the
peace and dignity of the jurisdiction and the elements that define those offenses.
 data recovery — A specialty field in which companies retrieve files that were deleted
accidentally or purposefully.
 disaster recovery — A specialty field in which companies perform real-time backups,
monitoring, data recovery, and hot site operations.
 end user — The person who uses a software product and generally has less expertise
than the software designer.
 enterprise network environment — A large corporate computing system that can
include formerly independent systems.
 exculpatory — Evidence that indicates the suspect is innocent of the crime.
 exhibits — Items used in court to prove a case.
 Fourth Amendment — The Fourth Amendment to the U.S. Constitution in the Bill of
Rights dictates that the government and its agents must have probable cause for search
and seizure.
Guide to Computer Forensics and Investigations, Fourth Edition
1-10
 High Technology Crime Investigation Association (HTCIA) — A nonprofit
association for solving international computer crimes.
 hostile work environment — An environment in which employees cannot perform
their assigned duties because of the actions of others. In the workplace, these actions
include sending threatening or demeaning e-mail or a co-worker viewing pornographic
or hate sites.
 inculpatory — Evidence that indicates a suspect is guilty of the crime with which he or
she is charged.
 industrial espionage — Selling sensitive or proprietary company information to a
competitor.
 International Association of Computer Investigative Specialists (IACIS) — An
organization created to provide training and software for law enforcement in the
computer forensics field.
 line of authority — The order in which people or positions are notified of a problem;
these people or positions have the legal right to initiate an investigation, take possession
of evidence, and have access to evidence.
 litigation — The legal process leading to a trial with the purpose of proving criminal or
civil liability.
 network intrusion detection and incident response — Detecting attacks from
intruders by using automated tools; also includes the manual process of monitoring
network firewall logs.
 notarized — Having a document witnessed and a person clearly identified as the signer
before a notary public.
 police blotter — A log of criminal activity that law enforcement personnel can use to
review the types of crimes currently being committed.
 professional conduct — Behavior expected of an employee in the workplace or other
professional setting.
 right of privacy — The belief employees have that their transmissions at work are
protected.
 search and seizure — The legal act of acquiring evidence for an investigation. See
Fourth Amendment.
 search warrants — Legal documents that allow law enforcement to search an office, a
place of business, or other locale for evidence related to an alleged crime.
 silver-platter doctrine — The policy requiring an investigator who is not an agent of
the court to submit evidence to law enforcement when a criminal act has been
uncovered.
 vulnerability assessment and risk management — The group that determines the
weakest points in a system. It covers physical security and the security of OSs and
applications.
 warning banner — Text displayed on computer screens when people log on to a
company computer; this text states the ownership of the computer and specifies
appropriate use of the machine or Internet access.