Computer Data Forensics Principle and Procedure - PowerPoint PPT Presentation

1
Computer Data Forensics Principle and Procedure
Lab 1 Concept
  • Joe Cleetus
  • Concurrent Engineering Research Center,
  • Lane Dept of Computer Science and Engineering, WVU

2
Computer Forensics Defined
  • Computer Forensics deals with the preservation,
    identification, extraction and documentation of
    computer evidence. (1991 IACIS)
  • application of law to a science
  • autopsy of a computer hard disk drive
  • specialized software tools and techniques are
    required to analyze
  • Stipulates procedures which must be followed

3
Computer Forensics Procedures
  • The procedures:
  • Guarantee the preservation of evidence (no
    contamination)
  • Ensure the accuracy of the results found from
    computer evidence processing
  • Chosen to be reliable, time-tested and approved
  • Cross-validated by using multiple tools (flaws in
    one tool may be overcome)

4
What investigators need to do
  • Determine whether certain computers are suspect
  • Seize legally
  • Preserve the evidence
  • Perform detective analysis of the data using
    contextual knowledge of possible criminal
    activity
  • Exploit tools available
  • Find evidence and journal it, writing up the
    procedures used
  • Present it convincingly in court

5
Seizing legally
  • If you are performing work for a company on the
    company's premises, you need the company's
    authorization only
  • Company's duty to advise employees that they
    cannot claim privacy to any files on their
    computers at work
  • If universities have a different policy, they
    should state it clearly to the employees when
    they join
  • Company bears the onus of seizing.

6
Seizing legally
  • If you are working for law enforcement, then they
    must have the necessary warrants issued by a
    judge
  • As an investigator, you need not even be present
    when the computers are seized.
  • Good to have procedures though
  • Powering off: I advise a normal power down.
  • It is vain to think you need to see what the employee was
    doing at the moment. The evidence will be on disk.

7
How to preserve computer evidence
  • Obtain the disks and do a bitstream copy and
    generate a hash.
  • Then you can return the computer and disks to law
    enforcement; if they want to dust for
    fingerprints, let them. The digital fingerprints
    are on the disk copy.
  • Keep the disks carefully, indeed make another
    copy and keep them in a distant place under lock
    and key, with control.
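The bitstream copy and hash step above, as an added worked example that is not part of the slides: the script images a source disk into an image file chunk by chunk, hashes the source bytes as they are read, re-reads the finished image and hashes it independently, and appends a timestamped acquisition record to a log. Two hash algorithms are computed so the image can be cross-checked with a second tool later, as slide 3 recommends. The source here is a constructed random file standing in for a block device such as /dev/sdX; the function names, the examiner name and the log format are hypothetical.

```python
"""Bitstream (bit-for-bit) imaging with hash verification (added example).

The source is a constructed file standing in for a raw block device; on a
real acquisition it would be a write-blocked device node such as /dev/sdX.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size; the loop works for any device size


def image_and_hash(source_path, image_path, algorithms=("md5", "sha256")):
    """Copy source_path to image_path byte for byte.

    Returns ({algorithm: hexdigest} over the source bytes as they were read,
    number of bytes copied).
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            dst.write(block)
            total += len(block)
    return {name: h.hexdigest() for name, h in hashers.items()}, total


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash an existing file in a separate pass (used to re-verify the image)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source_path, image_path, log_path, examiner):
    """Image, verify, and append an acquisition record.

    Returns (verified, record). 'verified' is True only if the hashes of the
    source bytes and of the written image agree for every algorithm.
    """
    started = datetime.now(timezone.utc).isoformat()
    source_hashes, size = image_and_hash(source_path, image_path)
    image_hashes = hash_file(image_path)  # independent second read of the copy
    verified = source_hashes == image_hashes
    record = {
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": verified,
        "examiner": examiner,  # hypothetical field; fill from the case file
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a") as log:  # append-only acquisition log (JSON lines)
        log.write(json.dumps(record) + "\n")
    return verified, record


def demo():
    """Run the procedure on a constructed 'disk' of 3 MiB + 123 bytes."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_disk.raw")  # constructed stand-in for /dev/sdX
    image = os.path.join(workdir, "suspect_disk.dd")
    log = os.path.join(workdir, "acquisition.jsonl")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # odd size: final chunk is partial
    return acquire(source, image, log, examiner="J. Doe (example)")


if __name__ == "__main__":
    ok, rec = demo()
    print("verified:", ok, "sha256:", rec["source_hashes"]["sha256"])
```

Hashing the source while it is read, rather than hashing the image alone, is what lets the log show that the copy matches what was on the original media at acquisition time; the second pass over the image catches write errors on the destination.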

8
Forensic Process 4 Phases
  • 1. Collection phase
  • Search, recognition, collection, and
    documentation of electronic evidence
  • Real-time and stored information may be lost
    without precautions
  • 2. Examination phase
  • Makes the evidence visible and explains its origin
    and significance
  • Document the content, and state of the evidence
    in its totality
  • Separate the significant stuff from the mass of
    data
  • 3. Analysis
  • Takes the results of the examination and
    considers what it can prove or disprove

9
Forensic Process 4 Phases
  • 4. Reporting phase
  • Step by step outline of Collection and
    Examination
  • Seizure, examination, storage, and transfer of
    electronic evidence
  • Notes preserved
  • Validity of procedure carefully argued
  • Qualifications of examiner stated

10
Reference
  • http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm
  • http://www.ustreas.gov/usss/electronic_evidence.shtml