Book One-Chapter Three Flashcards
Explain the 13 basic steps in computer investigation:
- Initially assess the case: The investigator should ask related questions and document people’s responses. Company security professionals can relate questions to the seizure of computer equipment and components. Investigators should check the role of the computer in question and look for evidence related to the case.
- Determine a preliminary design or approach to the case: During this step, the investigator prepares a general outline for investigating the case. In the case of an employee violation of company policy, this phase deals with determining whether the employee’s computer can be seized during working hours or whether an investigator has to wait until after office hours or the weekend.
- Prepare a detailed design: The investigator refines the general outline that was prepared during the previous step. The investigator plans detailed steps, taking into account the estimated time, resources, and money required to complete each step. This helps the forensic professional track the progress of an investigation and ensures that appropriate controls are in place in case there is deviation from the plan.
- Determine what resources are required: The kind of software used for investigation varies with the OS used by the suspect.
- Obtain an evidence disk drive: The investigator seizes the different kinds of equipment used by any suspects in the case.
- Copy an evidence disk drive: The investigator images the evidence obtained during the previous step onto a different disk and then prepares a forensic copy of the disk.
- Identify the risks involved: An investigator can face a lot of problems while handling a case, so investigators are required to document any problems they expect or constraints they think may occur during the investigation. This documentation of problems is called “standard risk assessment”. Ex: a suspect might have set a logon scheme that shuts down the computer or erases the hard disk if someone wants to change the password.
- Minimize the risks: A forensic professional should look for different ways to minimize the risks identified during the previous step. Ex: if the suspect had password-protected the hard drive, the investigator should make multiple copies of the media before starting the investigation. This step will help the investigator achieve the goal of retrieving the information.
- Test the design: The investigator needs to review the decisions made and the steps taken so far. During the review, the investigator can determine whether the steps that have been taken are correct and can be justified.
- Analyze and recover the digital evidence: The investigator can analyze and recover the digital evidence using the software tools and other resources that were determined in the previous steps.
- Investigate the recovered data: Once the data is recovered and analyzed, the investigator can view and organize the data to help prove the guilt or innocence of the suspect.
- Complete the case report: The investigator prepares a complete report containing information about what he/she did and found.
- Critique the case: This step deals with a self-evaluation by the investigator. After the investigation related to the case is completed and the report is prepared, the investigator should review the case to identify successful decisions and actions, and work upon any shortcomings. This will help the investigator deal with future cases.
Discuss the policy and procedure development stage of computer investigation:
Developing policies and procedures is an important phase in creating a computer forensic unit. The following are the types of policies and procedures that need to be established:
- Mission statement: Incorporates the core functions of the unit, which includes high-technology crime investigations, evidence collection, and forensic analysis.
- The personnel requirements for the computer forensic unit: Includes job descriptions, minimum qualifications, hours of operation, on-call duty status, command structure, and team configuration.
- Administrative considerations: Includes the following:
- Software licensing: Makes sure that the software tools the unit uses are properly licensed.
- Resource commitment: Includes resources such as equipment used by the examiners, ongoing professional development, and software and hardware requirements.
- Training: Produces skilled and competent examiners.
- Submission and retrieval of computer forensic service requests: Develops the guidelines to set up the process for the submission of computer forensic service requests and the acceptance of these requests for the examination of digital evidence.
- Implementation of case-management procedures: Includes the nature of the crime, court dates, deadlines, possible victims, lawful considerations, and the volatile nature of the evidence.
- Handling of evidence: Gives the guidelines for receiving, processing, documenting, and preserving the evidence at the time of examination.
- Development of case-processing procedures: Helps in preserving and processing digital evidence.
- Development of technical procedures: The following must be documented at the time of the development and validation of procedures:
- identifying the task or problem
- proposing possible solutions
- testing each solution on a known control sample
- evaluating the results of the test
- finalizing the procedure
Does an investigator need a search warrant to carry out an investigation?
- Prior to the search warrant, the investigator needs to determine the computer’s significance in the offense. The role of a computer in an offense could be:
1. A tool of the offense, ex: a counterfeiter might use his scanner and printer to scan and print currency. The computer is actively involved in performing illicit activity.
2. A repository of the offense, ex: an identity thief might store credit card details of customers.
- A computer can be both a tool and a repository. Warrants should be issued with consideration to the role of the computer in the crime.
- An investigator must seek permission to conduct a search at the site of a crime from the judiciary branch of that particular location. The investigator needs to obtain a search warrant from a court.
Search warrant: This is a written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location.
Successful warrants include the particular object the investigator wants to seize and the search strategy used in the investigation.
Can be issued for: an entire company floor or room in a company building, a device, a car, a house, or any other company property.
Searches Without a Warrant:
In certain situations, searches performed without a warrant may be allowed:
- When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity.
- Agents may search a place or object without a warrant or probable cause, if a person with authority has consented.
What do warning banners help a user understand?
Should inform an authentic user when monitoring is being used to identify or watch an intruder. Should also indicate when system administrators are monitoring authentic users during regular system maintenance.
The following are examples of common phrases on warning banners:
- Access to this system and network is restricted
- Use of this system and network is for official business only
- Systems and networks are subject to monitoring at any time by the owner
- Using this system implies consent to monitoring by the owner
- Unauthorized or illegal users of this system or network will be subject to discipline or prosecution
How do you collect evidence (3 step process) ?
1. Find the evidence: During the gathering process, the investigator should look for the place where the evidence is stored. The investigator needs to prepare a checklist to cross-check the findings and list all items that can be used for committing a crime.
Evidence is collected from a live computer by searching the following:
- Process register: includes services like calibration inspection and testing, construction management, hardware, and software.
- Virtual and physical memory: these provide a complete address space for every process and protect each process from other processes.
- Network state: shows the state of the network and includes the IP address and URL.
- Running processes: all of the processes currently running on the computer.
- Disks, tapes, and CD-ROMs: physical media used for data storage.
- Paper printouts: show data that have been printed out from a live computer.
2. Discover the relevant data: It should be clear to the investigator which data should be taken. It is inadvisable to seize an entire system if it can be avoided. The investigator must first identify the relevant data and then gather it; otherwise, over-collection can result.
3. Prepare an order of volatility: Some evidence does not last long, as it needs a consistent power supply for storage or it contains information that is constantly changing. The investigator should prepare an order of volatility to ensure that all relevant data is collected. The order of volatility can be:
- Registers and cache
- Routing tables
- ARP cache
- Process table
- Kernel statistics and modules
The following are the volatile sources and commands used to capture the evidence on live computers:
- ps or the /proc file system: used to list the running processes
- netstat: displays active TCP connections, Ethernet statistics, and the IP routing table
- arp (ARP cache): displays the mappings between different layers of the network architecture
- lsof (list of open files): shows all of the files that are currently open
- /dev/mem and /dev/kmem: examines each and every patch in the computer
The following are computer forensic tools used for data collection:
- Guidance Software’s EnCase: forensic data and analysis program for various OSes that is used to perform computer-related investigations. An investigator can quickly find files that have been misplaced or deleted. It also allows an investigator to understand and define the information present in a system.
- AccessData’s Forensic Toolkit (FTK): contains a full suite of password recovery tools, drive and media wipers, and a registry viewer. The password recovery tools also unlock locked files, enable password management (which manages and analyzes multiple files), and enable the recovery of multilingual passwords, thus allowing the investigator to bypass the security that protects these files against unauthorized access.
Explain the various methods of examining digital evidence:
Forensic principles instituted by the National Institute of Justice are enforced.
For conducting examinations, examiners must:
- Use accepted forensic procedures
- Avoid using the original evidence
Analysis of recovered data involves interpreting the data and putting it into a logical and useful format. Analysis is the phase in which acquired data turns into evidence. When conducting the evidence examination, use these steps:
- Preparation: allows the investigator to prepare the working directory on separate media so that evidentiary files and data can be recovered or extracted.
- Extraction: 2 types, physical and logical.
Physical: identifies and recovers the data across the entire physical drive without regard to the file system.
- keyword searching, file carving, and extraction of the partition table and unused space on the physical drive.
- performing a keyword search across the physical drive; this allows the examiner to extract data that may not be accounted for by the OS and file system.
- file-carving utilities processed across the physical drive; this will assist in recovering and extracting usable files and data that may not be accounted for by the OS and file system.
Logical: identifies and recovers files and data based on installed operating systems, file systems, and applications. May include data from active files, deleted files, file slack, and unallocated file space.
File slack: the space that exists between the end of the file and the end of the last cluster used by that file.
- Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file location.
- Data reduction to identify and eliminate known files through the comparison of calculated hash values to authenticated hash values.
- Extraction of files pertinent to the examination; methods to accomplish this may be based on file name and extension, file header, file content, and location on the drive.
- Recovery of deleted files
- Extraction of password-protected, encrypted, and compressed data, file slack, and unallocated file space
The investigator should perform the examination process on a bit-stream copy rather than the original computer.
Bit-stream copy: a bit-by-bit copy of the original storage medium. An exact duplicate of the original disk, while a backup copy is nothing but a compressed file stored in a folder. Bit-streaming can create an exact image of a disk, as it is copied bit by bit.
How do you evaluate a case on the basis of evidence (13 steps)?
- Initially examine the investigator’s service request
- Find the legal authority for the forensic examination request
- Ensure that the request for assistance is assigned
- Provide the complete chain of custody
- Check if forensic processes such as analysis of DNA, fingerprints, tool marks, traces, and questioned documents need to be performed on the evidence
- Check if there is the possibility to follow investigative methods such as sending a preservation order to an ISP, identifying remote storage locations, and obtaining e-mail.
- Identify the relevance of various peripheral components, such as credit cards, check paper, scanners, and cameras, to the crime scene.
- Establish the potential evidence being sought
- Obtain additional details such as e-mail addresses, the ISP used, and user names
- Evaluate the skill levels of the users to identify their expertise in destroying or concealing the evidence
- Set the order of evidence examination
- Identify whether additional personnel are required
- Identify whether additional equipment is required
Write in detail about evidence assessment
- Prioritizing the evidence:
a. Location of evidence at the crime scene
b. Stability of media to be examined
- Establishing how to document the evidence (photographs, sketches, or notes)
- Evaluating storage locations for electromagnetic interference
- Determining the state of the evidence after packaging, transport, or storage
- Evaluating the necessity to provide a continuous power supply to battery-operated devices
Write in detail about what is involved in a company policy violation
An investigator has to gather the evidence from the suspect’s computer and determine whether a crime or violation of the company policy has occurred.
The motive behind company policy violation investigation is not always punitive. Sometimes, employees just need to be educated, as they might not be aware of the fact that they are violating company policy. If the problem persists, the company can take strict action against those employees who continue to violate policy.
In a policy violation case example, describe the:
- Situation
- Nature of the case
- Specifics about the case
- Type of evidence
- OS
- Known disk format
- Location of evidence
Bit-stream copy
A bit-by-bit copy of the original storage medium. An exact duplicate of the original disk, while a backup copy is nothing but a compressed file stored in a folder. Bit-streaming can create an exact image of a disk, as it is copied bit by bit.
Drive-Spy
A disk-forensic DOS tool designed to emulate and extend the capabilities of DOS to meet forensic needs. Compact enough to fit on a floppy disk. It creates direct disk-to-disk forensic duplicates and can copy a range of sectors within or between drives and process duplicate drives regardless of physical drive geometry or sector translation differences. Uses DOS commands (cd, dir, and others) to navigate the system under investigation and extends the capabilities of the associated DOS commands or adds new commands. Searches for, analyzes, and extracts data from floppy disks or hard disks.
Operates in one of the following modes:
System mode: operates at the BIOS level and permits the navigation and viewing of all disk drives connected to the computer.
Drive mode: used while examining an unformatted disk; accesses the physical level, which allows viewing the raw data on a disk.
Part mode: aka Partition mode, refers to the logical structure of the disk and can show the directory and files for the file allocation table (FAT).
File slack, AKA slack space
The space that exists between the end of the file and the end of the last cluster used by that file
Host protected area (HPA)
An area of the drive where a certain portion of the drive’s contents is hidden from the OS and file system.
Incident
An event that threatens the security of a computer system or network in an organization.
Steganography
The art and science of hiding information by embedding messages in other, seemingly harmless messages.