Module 13: Computer Investigations

About This Presentation
Title:

Module 13: Computer Investigations

Description:

Tangible evidence to prove a claim or an assertion can be from one of following sources: ... All forms used in the investigation including the chain of custody forms ...

Slides: 14
Provided by: utcEdu
Learn more at: https://www.utc.edu

Transcript and Presenter's Notes


1
Module 13 Computer Investigations
  • Introduction
  • Digital Evidence
  • Preserving Evidence
  • Analysis of Digital Evidence
  • Writing Investigative Reports
  • Proven Security Protocols and Best Practices

2
Introduction
  • Computer forensics (computer crime
    investigation) is the application of forensic
    science investigative techniques to
    computer-based material used as evidence.
  • The search technique helps to reconstruct the
    sequence of activities that took place.
  • The investigation process involves the
    extraction, documentation, examination,
    preservation, analysis, evaluation, and
    interpretation of computer-based material to
    provide relevant and valid information as
    evidence in civil, criminal, administrative, and
    other cases.

3
Digital Evidence
  • Evidence is something tangible needed to prove
    a fact.
  • Tangible evidence to prove a claim or an
    assertion can come from one of the following
    sources:
    • An eyewitness who provides testimony.
    • Physical evidence, as traces of the sequence
      of activities leading to the claim or
      assertion.
    • Digital evidence, as digital footprints of the
      digital sequence of activities leading to the
      claim or assertion.
  • Digital evidence consists of the digital
    footprints left after every digital activity;
    together they form a cybertrail.

4
Looking for Digital Evidence
  • Looking for digital evidence is difficult and
    is comparable to searching for bits of evidence
    data in a haystack.
  • The evidence usually sought includes binary data
    fixed in any medium such as CDs, memory, and
    floppies; residues of things used in the
    commission of a crime; and physical materials
    such as folders, letters, and scraps of paper.
  • At the start of the investigation, the examiner
    must decide on the things to work with, such as
    written and technical policies, permissions,
    billing statements, and system, application, and
    device logs.
  • Also decide early on what to monitor, if this
    is needed. This may include employer and
    employee computing activities, Internet e-mail,
    and chat rooms.

5
Digital Evidence Previewing and Acquisition
  • Dealing with digital evidence requires a lot of
    care because it is very volatile. The two
    processes of previewing and acquiring data may
    disturb the evidence to the point of changing
    its status, casting doubt on its credibility.
  • To make sure that this does not happen, a strict
    sequence of steps must be followed in handling
    the evidence.

6
  • Handle evidence by tracing the sequence of
    events, looking for answers to the following
    questions:
    • Who extracted the evidence, how, and when?
    • Who packaged it, and when?
    • Who stored it, how, when, and where?
    • Who transported it, where, and when?
  • Previewing image files allows the investigator
    to view the evidence media in order to determine
    if a full investigation is warranted.
  • Evidence acquisition is the process of evidence
    extraction.

7
Preserving Evidence
  • Given that digital evidence is very fluid, in
    that it can disappear or change so fast, extra
    care must be taken in preserving it.
  • One way of preserving evidence is to strictly
    follow these procedures:
    • Secure the evidence scene from all parties
      that have no relevance to it. This is to avoid
      contamination, usually from deposits of hairs,
      fibers, or trace material from clothing,
      footwear, or fingerprints.
    • Securely catalog and package evidence in
      strong, anti-static, well-padded, and labelled
      evidence bags.
    • Image all suspected media as evidence to create
      a backup. Try to make several copies of each
      evidence item.
    • Compute a checksum of the original evidence
      disk before and after each copy. After imaging,
      the two checksums must agree.
    • Institute a good security access control
      system so that only those authorized to handle
      the evidence can do so.
    • Secure the evidence by encryption, where and
      if possible. Encryption ensures the
      confidentiality of the evidence.
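The custody questions on slide 6 (who extracted, packaged, stored, or transported the evidence, how, when, and where) and the before-and-after checksum step on slide 7 can be carried out together, as in the following added example. It is not code from the slides or from the presenter; the examiner names, locations, timestamps, and the sample "drive" bytes are constructed, and the `bytes(source)` copy stands in for whatever imaging tool produces the bit-for-bit image. Each custody entry carries the hash of the previous entry, so altering or removing an earlier entry breaks the verification of every later one.

```python
# Added example, not from the slides: a bit-for-bit acquisition checked with
# SHA-256 digests before and after copying, plus a chain-of-custody log that
# records who extracted, packaged, stored or transported the evidence, how,
# when and where. Names, timestamps and the sample "drive" are constructed.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample media: stands in for a seized disk or memory dump.
EVIDENCE_DRIVE = bytes(range(256)) * 4 + b"deleted_memo.txt\x00" + b"\x00" * 64

GENESIS = "0" * 64  # prev_hash of the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One handling step; prev_hash links it to the previous entry so that
    editing or dropping an earlier entry breaks every later link."""
    action: str        # extracted / packaged / stored / transported
    who: str
    how: str
    where: str
    when: str          # ISO 8601 UTC timestamp
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        fields = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(fields, sort_keys=True).encode())


class CustodyLog:
    def __init__(self) -> None:
        self.entries: list[CustodyEntry] = []

    def record(self, action: str, who: str, how: str, where: str,
               when: str | None = None) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        stamp = when or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(action, who, how, where, stamp, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry still hashes to its recorded digest and
        the prev_hash links form an unbroken chain from GENESIS."""
        prev = GENESIS
        for entry in self.entries:
            if entry.prev_hash != prev or entry.compute_hash() != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True


def acquire_image(source: bytes, log: CustodyLog, examiner: str,
                  when: str | None = None) -> tuple[bytes, dict]:
    """Hash the source, copy it, then hash both the source and the copy.
    All three digests must agree: a changed source means the acquisition
    altered the original, a differing image means the copy is not faithful."""
    before = sha256_hex(source)
    image = bytes(source)  # stands in for the imaging tool's bit-for-bit copy
    after = sha256_hex(source)
    image_hash = sha256_hex(image)
    verified = before == after == image_hash
    log.record("extracted", examiner,
               "bit-for-bit image, SHA-256 verified" if verified
               else "imaging FAILED digest verification",
               "lab bench 3", when)
    report = {"before": before, "after": after, "image": image_hash,
              "verified": verified}
    return image, report


def verify_image(image: bytes, expected_hash: str) -> bool:
    """Re-check a working copy against the digest recorded at acquisition."""
    return sha256_hex(image) == expected_hash


if __name__ == "__main__":
    log = CustodyLog()
    image, report = acquire_image(EVIDENCE_DRIVE, log, "Examiner A")
    log.record("packaged", "Examiner A", "anti-static bag, label EV-001", "scene")
    log.record("stored", "Evidence clerk", "locked locker 12", "evidence room")
    print(json.dumps(report, indent=2))
    print("custody log intact:", log.verify())
```

Run `verify_image` on every working copy before analysis and on the original at the end of the investigation; a mismatch at either point is a finding in its own right and belongs in the report.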

8
  • Two common network configuration models: the
    centralized and the distributed.
  • Computer networks, centralized or distributed,
    come in different sizes depending on the number
    of computers and other devices the network has.
  • The number of devices, computers or otherwise,
    in a network and the geographical area covered
    by the network determine the network type:
    • Local Area Networks (LANs)
    • Wide Area Networks (WANs)
    • Metropolitan Area Networks (MANs)

9
Analysis of Digital Evidence
  • Evidence analysis is the most difficult and
    demanding task for investigators.
  • It involves:
    • Analyzing Data Files
      • File Directory Structure
      • File Patterns
      • Metadata
      • Content
      • Application
      • User Configuration

10
  • Analysis Based on Digital Media
    • Deleted Files
    • Hidden Files
    • Slack Space
    • Bad Blocks
    • Steganography Utilities
    • Compressed and Coded Files
    • Encrypted Files
    • Password-Protected Files
  • Analysis Based on Operating Systems
    • Microsoft-Based File Systems
    • UNIX and Linux File Systems
    • Macintosh File System
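One concrete form of the "file patterns" and "hidden files" analysis listed above is file signature analysis: comparing the leading bytes of a file's content with the type its extension claims. The following is an added example, not code from the slides or the presenter; the magic-byte table holds real signatures for a handful of common formats, while the sample "directory" of file headers is constructed. It also marks zip and gzip containers, which correspond to the "compressed and coded files" item and must be unpacked before their contents can be examined.

```python
# Added example, not from the slides: file signature analysis. It compares
# the content signature (leading magic bytes) of each file with the type its
# extension claims, flagging files hidden by renaming and containers that
# need unpacking. The sample files below are constructed.
from __future__ import annotations

from typing import Optional

# Leading byte signatures for a few common formats (real values, trimmed).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gz"),
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),
]

# Extensions whose on-disk container is one of the signatures above.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
           "jar": "zip", "apk": "zip", "dll": "exe", "tgz": "gz"}

CONTAINERS = {"zip", "gz"}


def sniff(data: bytes) -> Optional[str]:
    """Type implied by the first bytes of the content, or None if unknown."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def declared_type(name: str) -> Optional[str]:
    """Type implied by the file name's extension, normalised through ALIASES."""
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return ALIASES.get(ext, ext)


def classify(name: str, data: bytes) -> dict:
    actual = sniff(data)
    declared = declared_type(name)
    if actual is None:
        status = "unknown-signature"   # may be text, or encrypted/encoded data
    elif declared is None:
        status = "no-extension"
    elif actual == declared:
        status = "match"
    else:
        status = "mismatch"            # the extension misrepresents the content
    return {"name": name, "declared": declared, "actual": actual,
            "status": status, "needs_unpacking": actual in CONTAINERS}


def triage(files: dict[str, bytes]) -> list[str]:
    """Names that merit a closer look: mismatched types or unlabelled binaries."""
    flagged = []
    for name, data in files.items():
        result = classify(name, data)
        if result["status"] in ("mismatch", "no-extension"):
            flagged.append(name)
    return flagged


# Constructed sample "directory": a few header bytes per file.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "report.docx": b"PK\x03\x04\x14\x00",
    "notes.txt": b"PK\x03\x04\x14\x00",        # a zip renamed to look like text
    "readme": b"MZ\x90\x00\x03\x00",            # a Windows executable with no extension
    "photo.png": b"%PDF-1.7\n",                 # a PDF renamed as an image
    "journal.txt": b"Dear diary, today ...",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(classify(name, data))
    print("flagged:", triage(SAMPLE_FILES))
```

Files reported as `unknown-signature` are not cleared by this check: high-entropy content with no recognisable header is exactly what the "encrypted files" and "steganography" items on the slide are about, and those need a separate pass.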

11
Relevance and Validity of Digital Evidence
  • There is a need to establish the relevancy of
    the evidence.
  • The relevancy of the digital evidence depends on:
    • the requesting agency,
    • the nature of the request,
    • the type of the case in question.
  • The question of the validity of data is tied up
    with the relevance of data.
  • It is also based on the process of
    authentication of that data.

12
Writing Investigative Reports
  • A report is a summary of all findings of the
    investigation, and it comes from all the
    documentation that has been made throughout the
    investigation.
  • The report should include the following
    documents:
    • All notes taken during meetings and contacts
      that led to the investigation
    • All forms used in the investigation, including
      the chain of custody forms
    • Copies of search warrants and legal authority
      notes granting permission to conduct searches
    • Notes, video recordings, and pictures taken at
      the incident scene describing the scene
    • Notes and any documentation made to describe
      the computer components, including descriptions
      of peripherals and all devices

13
    • Documentation and notes describing the
      networking of the suspect's devices
    • Notes made on what was discovered, including
      passwords, pass phrases, encryption, and any
      data hiding
    • Any changes to the suspect's scene
      configuration, authorized or not
    • Names of everyone at the suspect's scene
    • Procedures used to deal with the scene,
      including acquisition, extraction, and
      analysis of evidence
    • Any observed or suspected irregularities,
      including those outside the scope of the
      techniques in use