Digital Forensics Lecture 1 Notes

Introduction to Digital Investigations and Forensics

• Objectives of Lecture

  • Explain how to prepare computer investigations and summarize the difference between public-sector and private-sector investigations

  • Explain the importance of maintaining professional conduct

  • Describe how to prepare a digital forensics investigation by taking a systematic approach

  • Describe procedures for private-sector digital investigations

  • Explain requirements for data recovery workstations and software

  • Summarize how to conduct an investigation, including critiquing a case

Overview of Digital Forensics

• Digital Forensics:

  • Branch of forensic science that involves recovery and investigation of material from digital devices, mainly in relation to computer crimes.

  • Evolution:

    • Originated in the 1970s with the Federal Rules of Evidence (FRE) to standardize federal procedures, signed into law in 1973.

    • FBI established the Computer Analysis and Response Team (CAAT) in 1984 for handling digital evidence.

    • Collaboration between CAAT and the Department of Defense Computer Forensics Laboratory in late 1990s.

    • In October 2012, the ISO 27037 standard was introduced to ensure best practices for digital evidence.

  • Modern Context:

    • Increasing importance of digital forensics due to rise in cybercrimes and threats.

    • Evolved definition to include cybersecurity incident response, maintaining data integrity and a strict chain of custody.

Scope of Digital Forensics Investigations

• Investigation Digital Devices Include:

  • Collecting data securely

  • Examining suspect data to determine details such as origin and content

  • presenting digital information to courts

  • applying laws to digital device practices and ensuring compliance with regulations regarding data protection and privacy.

• Types of Investigations:

  • Digital Forensics:

    • retrieves data from computers for legal evidence.

  • Network Forensics:

    • Analyzes logs to trace attack methods and user interactions.

    • Important for understanding breaches and securing networks.

• Difference between Digital Forensics and Data Recovery:

  • Digital forensics focuses on recovering hidden or deleted evidence for legal purposes, while data recovery deals with retrieving lost files without specific evidential concerns.

  • Forensic tasks involve piecing together ambiguous data in unknown contexts.

Investigation Triads in Digital Forensics

• Three Investigative Triads:

  1. Vulnerability Assessment and Risk Management

     • test and verifies the integrity of standalone workstations and network servers

  2. Network Intrusion Detection and Incident Response

     • detects intruders attacks by using automated tools and monitoring for eg. network file logs, firewall logs

  3. Digital Investigations

     • manages investigations and conducts forensic analysis of systems suspected of containing evidence related to the incident or crime. (resolves or terminates investigations)

     

  Roles & Responsibilities:

  • Detect and mitigate network threats.

  • Conduct forensic analysis of systems.

• Collaboration: All triads must work together for effective cybersecurity and evidence gathering.

Preparing Investigations: Public vs Private Sector

• Public Sector Investigations:

  • Conducted by government agencies (e.g., police, FBI) focused on criminal prosecution.

  • Must follow strict legal processes for evidence handling.

  • How to build a criminal case

• Private Sector Investigations: (eg. wrongful terminations)

  • Focus on company policy violations, minimizing corporate risks, and maintaining operations while investigating.

  • Businesses strive to minimize or eliminate litigation

  • Examples include employee misconduct, fraud cases, and insider threats

• Eg. Internet Abuse Investigation

  to conduct an investigation for this case you need:

  • organizations internet proxy and server logs

  • suspect computers IP address

  • Suspects computers disk drive

  • your preferred computer forensics analysis tool

Professional Conduct in Digital Investigation

• Importance of Professionalism: - (ethics, morals and standards of behavior)

  • Credibility depends on maintaining high ethical standards.

  • Must maintain objectivity and confidentiality.

  • conduct investigation with integrity

• Ethical Responsibilities:

  • Avoid bias, thoroughly investigate all leads, and only divulge information to authorized parties.

  • investigators should also attend training to stay current with the latest technical changes in computer hardware and software, networking and forensic tools.

Systematic Approach to Digital Forensics Investigation

• Role of an DF Professional:

  • gather evidence to prove that a suspect commuted a crime or violated a company policy

  • collect evidence that can be offered in court or at a cooperate inquiry

    • investigate the suspects computer

    • preserve the evidence on a different computer

  • Chain of custody

    • route the evidence takes from the time you find it until the case is closed or goes to court

• Preparation Steps:

  1. Initial assessment of the case you are investigating.

  2. determine a preliminary design or approach to the case

  3. Create a detailed checklist of investigative steps.

  4. Determine necessary resources, software, and personnel for analysis.

  5. Maintain a complete chain of custody for evidential integrity e.g. evidence drive. (from the time you find it until the case is closed)

• Further steps

  • identify the risks

  • mitigate or minimize the risks

  • test the design

  • analyze and recover the digital evidence

  • investigate the data you recover

  • complete the case report

  • critique the case

• Risk Assessment: (Identify potential risks and mitigation strategies during evidence collection.)

  • identify the risks

  • mitigate or minimize the risks

  • test the design

  • analyze and recover the digital evidence

  • investigate the data you recover

  • complete the case report

  • critique the case

Steps in Digital Evidence Gathering

• Assessing the Case - Systemically outline the case details:

  • situation

  • nature of the case

  • specifics of the case

  • type of evidence

  • known disk format

  • location of evidence

• Planning the investigation - Investigation plan includes the following activities:

  • acquire the evidence

  • complete an evidence form and establish a chain of custody

  • transport the evidence to a computer forensics lab

  • secure the evidence in an approved secure container

  • prepare your forensics workstation

  • retrieve the evidence from the secure container

  • make a forensic copy of the evidence

  • return the evidence to the secure container

  • process the copied evidence with computer forensic tools

• Securing your Evidence:

  • use evidence bags to secure the evidence

  • Use computer safe products when collecting computer evidence (antistatic bags or pads)

  • use well padded containers

  • use evidence tape to seal all openings — cd drive bays, insertion slots.

• Investigative Procedures:

  • Assess and document the evidence.

  • Utilize forensic acquisition tools.

  • Perform thorough analysis on secured copy of evidence.

  • Respond to unexpected challenges that arise during investigation.

Reporting and Evaluating Cases

• Final Steps in Investigation:

  • Create comprehensive case reports documenting findings.

  • Critique case outcomes to improve future investigations.

• Documentation:

  • Maintain a detailed journal of all actions taken and their outcomes.

Conclusion

• Summary of Best Practices:

  • Always ensure maintaining evidence integrity through rigorous procedures.

  • Recognize the differences and roles within public and private sectors.

  • Critique and reflect on personal practices to enhance digital forensic skills.