ch01

Understanding The Digital Forensics Profession

  • Digital Forensics: Scientific examination & analysis of data from computers/storage media, usable as court evidence.

    • Cyber Forensics: Possible more appropriate terminology.

Objectives of Digital Forensics

  • Describe the field.

  • Prepare for investigations in public vs. private sectors.

  • Importance of professional conduct.

  • Systematic approach in preparing digital forensics investigations.

  • Procedures for private sector investigations.

  • Requirements for data recovery workstations/software.

  • Summary of investigation processes and case critiques.

Digital Evidence Collection

  • Digital Evidence Sources:

    • Networks (Network Forensics)

    • Small-scale digital devices

    • Storage media (Computer Forensics)

    • Code analysis

    • Message forensics

Key Computer Forensic Activities

  • Secure collection of computer data.

  • Identify suspect data.

  • Imaging/acquisition of data.

  • Examine suspect data: origin & content.

  • Present information in court.

  • Apply laws relevant to computer practices.

Investigating Digital Devices

  • Securely collect data.

  • Examine suspect data (origin & content).

  • Present digital information to courts.

  • Apply laws to digital device practices.

  • Distinction from data recovery: retrieving lost/deleted information.

  • Teamwork in investigations: investigations triad.

Methodology: The 3 As

  • Acquire: Evidence must be collected without alteration.

  • Authenticate: Validate the image of the collected evidence.

  • Analyze: Analyze data without modifications.

Legal Context in Digital Forensics

  • Technology evolves faster than laws.

  • Case law is used when statutes are lacking.

  • Familiarity with recent court rulings is essential for examiners.

    • Specific example: UAE cyber crime laws (2006, 2009, 2012, 2016, Jan 2022).

Criminal Investigation Process

  • Begins with evidence of a crime or witness reports.

  • Police interviews and report generation.

  • Decision-making based on management regarding logging or investigation.

  • Importance of affidavits & supporting evidence.

Public vs. Private-Sector Investigations

  • Public Sector: Investigate crimes like harassment, murder, etc., by law enforcement.

  • Private Sector: Address company policy violations; reduce litigation risk.

    • Examples include email harassment, falsification of data, etc.

  • Use of warning banners in organizations to inform of monitoring policies.

Authority and Conduct in Investigations

  • Line of Authority: Defines who can initiate and possess evidence, and access it.

  • Clear specifications for authorized requesters within companies.

  • Professional Conduct: Ethics and standards vital for integrity in investigations.

    • Maintain objectivity, credibility, and confidentiality.

Preparing a Digital Forensics Investigation

  • Collect evidence proving crime/company policy violations.

  • Importance of chain of custody in evidence handling.

  • Digital forensics requires a structured approach in planning and execution.

Computer Evidence Acquisition and Preservation

  • Requires original storage media & evidence custody forms.

  • Use of write-blockers to prevent altering evidence.

Analyzing Digital Evidence

  • Focus on recovering data: deleted files, file fragments, complete files.

  • Tools such as Autopsy for evidence retrieval.

  • Keeping comprehensive notes/documentation for court use.

Investigation Checklist

  • Initial case assessment, resources determination, detailed checklists.

  • Evidence acquisition processes such as evidence forms and chain of custody.

Securing Evidence

  • Use evidence bags, antistatic products, and proper sealing techniques.

    • Importance of physical integrity of evidence collected.

Employee Misconduct Investigations

  • Investigate employee misuse of corporate resources.

  • Termination cases commonly relate to creating a hostile work environment.

Internet Abuse Investigations

  • Necessary resources: proxy server logs, suspect's computer, forensics tools.

  • Recommended analysis techniques and comparison with logs.

E-mail Abuse Investigations

  • Use of electronic copies of e-mails and server logs for evidence.

  • Analysis of header data and associated messages.

Industrial Espionage

  • Guidelines for investigations include the scope, approvals, and gathering evidence.

    • Might include physical surveillance and accessing sensitive logs.

Interviews and Interrogations

  • Distinction between interviews (information gathering) and interrogations (obtaining confessions).

Data Recovery Labs

  • Concept of distinguishing between data recovery and forensics.

  • Specialized workstations configured for forensic investigations & tools.

Workstation Setup for Digital Forensics

  • Basic requirements include Windows system, write-blockers, and forensics tools.

  • Additional hardware and software to enhance capabilities.

Conducting Investigations

  • Require gathering and appropriate tools for analysis of evidence.

Data Analysis and Reports

  • Maintain logs, answering key investigative questions.

  • Use of tools for report generation in various formats.