ch01

Understanding The Digital Forensics Profession

  • Digital Forensics: Scientific examination & analysis of data from computers/storage media, usable as court evidence.

    • Cyber Forensics: arguably the more appropriate term.

Objectives of Digital Forensics

  • Describe the field.

  • Prepare for investigations in public vs. private sectors.

  • Importance of professional conduct.

  • Systematic approach in preparing digital forensics investigations.

  • Procedures for private sector investigations.

  • Requirements for data recovery workstations/software.

  • Summary of investigation processes and case critiques.

Digital Evidence Collection

  • Digital Evidence Sources:

    • Networks (Network Forensics)

    • Small-scale digital devices

    • Storage media (Computer Forensics)

    • Code analysis

    • Message forensics

Key Computer Forensic Activities

  • Secure collection of computer data.

  • Identify suspect data.

  • Imaging/acquisition of data.

  • Examine suspect data: origin & content.

  • Present information in court.

  • Apply laws relevant to computer practices.

Investigating Digital Devices

  • Securely collect data.

  • Examine suspect data (origin & content).

  • Present digital information to courts.

  • Apply laws to digital device practices.

  • Distinct from data recovery, which only retrieves lost or deleted information.

  • Investigations are teamwork: the investigations triad.

Methodology: The 3 As

  • Acquire: Evidence must be collected without alteration.

  • Authenticate: Validate the image of the collected evidence.

  • Analyze: Analyze data without modifications.

Legal Context in Digital Forensics

  • Technology evolves faster than laws.

  • Case law is used when statutes are lacking.

  • Familiarity with recent court rulings is essential for examiners.

    • Specific example: UAE cyber crime laws (2006, 2009, 2012, 2016, Jan 2022).

Criminal Investigation Process

  • Begins with evidence of a crime or witness reports.

  • Police interviews and report generation.

  • Management decides whether an incident is only logged or formally investigated.

  • Importance of affidavits & supporting evidence.

Public vs. Private-Sector Investigations

  • Public Sector: Investigate crimes like harassment, murder, etc., by law enforcement.

  • Private Sector: Address company policy violations; reduce litigation risk.

    • Examples include email harassment, falsification of data, etc.

  • Use of warning banners in organizations to inform of monitoring policies.

Authority and Conduct in Investigations

  • Line of Authority: defines who may initiate an investigation and who may possess and access evidence.

  • Clear specifications for authorized requesters within companies.

  • Professional Conduct: Ethics and standards vital for integrity in investigations.

    • Maintain objectivity, credibility, and confidentiality.

Preparing a Digital Forensics Investigation

  • Collect evidence proving crime/company policy violations.

  • Importance of chain of custody in evidence handling.

  • Digital forensics requires a structured approach in planning and execution.

Computer Evidence Acquisition and Preservation

  • Requires original storage media & evidence custody forms.

  • Use of write-blockers to prevent altering evidence.

Analyzing Digital Evidence

  • Focus on recovering data: deleted files, file fragments, complete files.

  • Tools such as Autopsy for evidence retrieval.

  • Keeping comprehensive notes/documentation for court use.

Investigation Checklist

  • Initial case assessment, resources determination, detailed checklists.

  • Evidence acquisition processes such as evidence forms and chain of custody.

Securing Evidence

  • Use evidence bags, antistatic products, and proper sealing techniques.

    • Importance of physical integrity of evidence collected.

Employee Misconduct Investigations

  • Investigate employee misuse of corporate resources.

  • Termination cases commonly relate to creating a hostile work environment.

Internet Abuse Investigations

  • Necessary resources: proxy server logs, suspect's computer, forensics tools.

  • Recommended technique: compare browsing artifacts from the suspect's computer against the proxy server logs.

E-mail Abuse Investigations

  • Use of electronic copies of e-mails and server logs for evidence.

  • Analysis of header data and associated messages.
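Header analysis of an e-mail abuse case, as an added example that is not part of these notes: the Received chain of a constructed message is walked oldest-first to find the workstation that actually submitted it, the claimed From address is extracted, and the originating host is correlated with constructed mail server log lines to recover the authenticated login. Hostnames, addresses, ids and log lines are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed electronic copy of the abusive message as preserved from the mailbox.
RAW_MESSAGE = """\
Received: from mail.corp.example (mail.corp.example [10.0.0.25])
\tby mx.corp.example with ESMTP id abc123; Mon, 4 Mar 2024 09:15:02 +0400
Received: from ws-0417.corp.example (ws-0417.corp.example [10.0.4.17])
\tby mail.corp.example with ESMTPA id xyz789; Mon, 4 Mar 2024 09:15:01 +0400
Message-ID: <20240304091501.1234@corp.example>
From: "HR Department" <hr@corp.example>
To: victim@corp.example
Subject: Final warning

You know what you did.
"""

# Constructed mail server log lines for the same delivery.
SERVER_LOG = [
    "Mar  4 09:15:01 mail postfix/smtpd[411]: client=ws-0417.corp.example[10.0.4.17], sasl_username=j.doe",
    "Mar  4 09:15:01 mail postfix/cleanup[412]: xyz789: message-id=<20240304091501.1234@corp.example>",
]

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")

def received_chain(raw):
    """Relay hops oldest-first: each server prepends its Received header, so reverse."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        if m:
            hops.append({"from": m.group(1), "info": m.group(2), "by": m.group(3)})
    return hops

def originating_host(raw):
    """The first hop is the machine that submitted the message."""
    return received_chain(raw)[0]["from"]

def sender_address(raw):
    return parseaddr(message_from_string(raw)["From"])[1]

def authenticated_user(raw, log_lines):
    """Correlate the originating host with the server log's SASL login name."""
    host = originating_host(raw)
    for line in log_lines:
        m = re.search(r"sasl_username=(\S+)", line)
        if f"client={host}[" in line and m:
            return m.group(1)
    return None
```

A From header claiming hr@corp.example while the log shows the message was submitted by j.doe from a user workstation is the kind of discrepancy the header data and server logs together establish.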

Industrial Espionage

  • Guidelines for investigations include the scope, approvals, and gathering evidence.

    • Might include physical surveillance and accessing sensitive logs.

Interviews and Interrogations

  • Distinction between interviews (information gathering) and interrogations (obtaining confessions).

Data Recovery Labs

  • Distinguish data recovery from forensics.

  • Specialized workstations configured for forensic investigations & tools.

Workstation Setup for Digital Forensics

  • Basic requirements include a Windows workstation, write-blockers, and forensics tools.

  • Additional hardware and software to enhance capabilities.

Conducting Investigations

  • Requires gathering evidence and the appropriate tools to analyze it.

Data Analysis and Reports

  • Maintain logs that answer the key investigative questions.

  • Use of tools for report generation in various formats.
