15681 Forensic Examination

Transcript of 15681 Forensic Examination

  • 8/3/2019 15681 Forensic Examination

  • While all computer forensic cases are unique, examiners should develop their own documented standard operating procedures (SOPs) and follow them consistently. These SOPs help protect the integrity and authenticity of evidence by ensuring that all data is acquired, analyzed, and preserved in a systematic and consistent manner.

  • These vary according to the IT environment, the type of case, the status of the system, and the resources required to acquire and analyze evidence.

    A computer forensic examiner should seek to obtain the following information prior to conducting the analysis:

    1. What is suspected or needs to be proven;
    2. Any specific information about times and dates to support time-line analysis of activities;
    3. Any specific keywords and text strings;
    4. Access to any other supporting computer evidence already in the possession of the investigator to support evidence correlation, such as proxy logs (logs of Internet browser activity from firewalls and proxy servers);
    5. A description of the computer skill level of the suspect;
    6. If the system is used for business rather than as a personal computer, as detailed a description as is available of the network environment in which the system was located and what the system's primary function was.

  • Live System Processing: evidence is sometimes found on live systems as well as on shut-down systems. Every forensic examiner should therefore have an understanding of the protocols for safely acquiring volatile data from live systems, not just analyzing static file system structures from magnetic media.

  • The order of volatility for system events, and therefore the order in which they need to be acquired during forensic processing, is as follows:

    1. Registers, peripheral memory, caches;
    2. Memory (virtual, physical);
    3. Network state;
    4. Running processes, open files, media mount points;
    5. Logical file system;
    6. Physical hard drive, floppies and backup tapes;
    7. CD-ROMs and printouts.

  • Prior to carrying out forensic examinations, the following should be considered:

    1. On live systems avoid tools that use a graphical user interface: command line utilities, and in particular statically linked binaries, are best utilized as they are more likely to leave little or no footprint on the evidence system if they are properly utilized.
    2. Validate your tools: only utilize tools from trusted sources and personally verify their actions and that they work as advertised.
    3. Keep copies of the tools on removable media.
    4. Document, document, document: documentation of exactly what is done and when it is done during every facet of an investigation cannot be overemphasized.

  • These implement the three phases of the CFSAP model (secure, analyze, present), with each phase comprising several steps.

    1. Securing evidence:
      • Establishing forensically sterile conditions: the media utilized for data acquisition must be completely wiped of non-essential data.
      • Following a complete, documented, logical process in acquiring evidence from the system: use of SOPs, proper documentation.
      • Using a known trusted command shell and tools for acquiring data from a system: the computer forensic examiner should, if possible, carry out all actions using a known, trusted kernel and applications that he/she can be sure have not been compromised or modified.
      • Data acquisition: volatiles
      • Copying system files for analysis
      • Logical volume imaging on live systems
      • Shutting down the computer
      • Documenting the hardware configuration of the system
      • Documenting the system date and time
      • Continuity of evidence (chain of custody)
      • Data acquisition: magnetic media
      • Authentication of copied and imaged media
      • Malicious code protection
      • Archiving media images
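Hash verification underlies two of the steps above: validating tools before use (consideration 2 earlier) and authenticating copied and imaged media. The following Python is an added example, not code from the lecture; the tool names, manifest, disk contents and examiner placeholder are constructed so it runs offline.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large image needs little memory


def sha256_stream(stream):
    """Hex SHA-256 of a file-like object, read in chunks."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def verify_tools(tool_blobs, manifest):
    """Tool validation: names in the manifest that are missing from the
    response media or whose hash differs from the recorded known-good one."""
    bad = []
    for name, expected in manifest.items():
        blob = tool_blobs.get(name)
        if blob is None or sha256_stream(io.BytesIO(blob)) != expected:
            bad.append(name)
    return bad


def authenticate_image(source, image, examiner):
    """Hash source media and its image; return a record for the
    chain-of-custody notes (both digests, UTC time, examiner)."""
    src_hash = sha256_stream(io.BytesIO(source))
    img_hash = sha256_stream(io.BytesIO(image))
    return {
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "match": src_hash == img_hash,
        "verified_at_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
    }


# Constructed sample data: a tiny "disk" and two fake statically linked tools.
SAMPLE_DISK = bytes(range(256)) * 64
SAMPLE_TOOLS = {"ls-static": b"\x7fELF fake ls", "nc-static": b"\x7fELF fake nc"}
# Known-good manifest; in practice recorded once and kept on read-only media.
MANIFEST = {n: hashlib.sha256(b).hexdigest() for n, b in SAMPLE_TOOLS.items()}

if __name__ == "__main__":
    print("tampered or missing tools:", verify_tools(SAMPLE_TOOLS, MANIFEST))
    print(authenticate_image(SAMPLE_DISK, SAMPLE_DISK, "EXAMINER-PLACEHOLDER"))
```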

  • 2. Analyzing secured data:
      • Logical analysis of the media structure
      • Operating system configuration information
      • Document file names, dates, and times
      • File signature recognition
      • Identifying file content and type anomalies
      • Evaluating program functionality
      • Text string and key word searching
      • Evaluating virtual memory
      • Evaluating ambient data
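File signature recognition and content/type anomaly detection, as an added example that is not part of the lecture: each file's leading bytes are matched against a small table of real magic-byte signatures and any file whose extension disagrees with its content is flagged. The signature table covers only a handful of types and the sample file set is constructed.

```python
# Real magic-byte signatures for a handful of common types (first bytes of the file).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # also the container format of docx/xlsx/jar
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),          # DOS/PE executables, DLLs, drivers
]
# Extensions under which each signature is expected to appear ("" = no extension).
EXT_FOR_TYPE = {
    "png": {"png"}, "jpg": {"jpg", "jpeg"}, "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "elf": {"", "so", "bin"}, "exe": {"exe", "dll", "sys"},
}
KNOWN_EXTS = {e for s in EXT_FOR_TYPE.values() for e in s} - {""}

def identify(header):
    """Return the type name whose magic bytes open `header`, or None."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None

def extension(name):
    """Lower-cased extension of a path, "" if the file name has none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def find_anomalies(files):
    """files: {path: leading bytes} -> (path, detected, ext, reason) per mismatch."""
    findings = []
    for path, head in files.items():
        kind, ext = identify(head), extension(path)
        if kind is None:
            if ext in KNOWN_EXTS:
                findings.append((path, None, ext, "known extension, unrecognized content"))
        elif ext not in EXT_FOR_TYPE[kind]:
            findings.append((path, kind, ext, "signature does not match extension"))
    return findings

# Constructed sample: first bytes of six files as they might be read from an image.
SAMPLE_FILES = {
    "photos/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "docs/report.pdf": b"%PDF-1.7\n",
    "docs/notes.txt": b"just some text",
    "photos/vacation.jpg": b"PK\x03\x04\x14\x00",  # archive renamed to look like a photo
    "tmp/update.png": b"MZ\x90\x00\x03\x00",       # executable renamed to look like an image
    "tmp/archive.zip": b"\x00\x00\x00\x00",        # claims to be a zip, content is not
}
print(*find_anomalies(SAMPLE_FILES), sep="\n")
```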

  • 3. Presenting the results of analysis:
      • Document, document, document: as indicated previously, documentation should be contemporaneous, that is, notes should be taken at the time, not prepared from memory hours or days later.
      • Retaining copies of software used: as part of the documentation process, copies of the software used to carry out the imaging and analysis should be retained with the output of the forensic tool involved.

  • 4. Limited examinations: in some circumstances it may be legally or operationally impractical to carry out a complete forensic acquisition and examination. This may be due to:
      • Physical equipment limitations requiring examination of the original evidence on the premises, with appropriate precautions.
      • The sheer quantity of data to search due to the size of the media.
      • Considerations with respect to the business impact of shutting down the system.
      • Legal constraints that may be applied to the search and seizure process.
      • So much corroborative evidence having already been identified that further evidence is redundant and further search unnecessary.
      • Circumstances beyond the examiner's control that prevent the examination from being conducted fully.

  • Techniques used for analysis include:

    1. System Usage Analysis
    2. Internet Usage Analysis
    3. Time-line Analysis
    4. Link Analysis
    5. Password Recovery

  • General system analysis: this seeks to identify the user(s) of the system, the system name, its apparent primary function, and any other characteristics that can be determined from the operating system and application configurations. Usernames and passwords will be important, particularly if encrypted files are identified during the analysis.

  • Internet usage analysis: the following types of information should be sought:

    1. Network host and connectivity information
    2. Internet browser history
    3. E-mail use
    4. Other network applications

  • Time-line analysis: dates and times are critical in criminal investigations. Time lines of computer usage can provide valuable information about the computer user and the sequence of events affecting the computer.
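An added example of time-line construction (not from the lecture): file-system times, syslog lines and a browser history entry, each recorded in a different clock convention, are normalized to UTC and merged into one ordered timeline that can then be queried for a window of interest. The UTC-5 system clock, paths, log lines, IP and timestamps are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed: the examined system's clock was set to UTC-5 (as documented at seizure).
LOCAL = timezone(timedelta(hours=-5))

def file_events(entries):
    """(path, kind, 'YYYY-MM-DD HH:MM:SS' in system local time) -> UTC events."""
    out = []
    for path, kind, stamp in entries:
        dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL)
        out.append((dt.astimezone(timezone.utc), "file " + kind, path))
    return out

def syslog_events(lines, year):
    """Classic syslog lines carry neither year nor zone; both are supplied here."""
    out = []
    for line in lines:
        stamp, rest = line[:15], line[16:]
        dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL)
        out.append((dt.astimezone(timezone.utc), "syslog", rest))
    return out

def browser_events(rows):
    """(epoch seconds UTC, url), the form many browser history databases use."""
    return [(datetime.fromtimestamp(ts, timezone.utc), "browser", url) for ts, url in rows]

def build_timeline(*sources):
    """Merge every source into one list ordered by UTC time."""
    return sorted(ev for src in sources for ev in src)

def between(timeline, start, end):
    """Events in the closed window [start, end]; both bounds are aware datetimes."""
    return [ev for ev in timeline if start <= ev[0] <= end]

# Constructed sample artefacts from one fictional host.
FILES = [
    ("/home/bob/Downloads/invoice.zip", "created", "2019-08-03 09:15:02"),
    ("/home/bob/.bash_history", "modified", "2019-08-03 09:21:40"),
]
SYSLOG = [
    "Aug  3 09:14:30 host sshd[412]: Accepted password for bob from 10.0.0.5",
    "Aug  3 09:20:55 host sudo: bob : TTY=pts/0 ; COMMAND=/bin/tar",
]
BROWSER = [(1564841690, "http://example.com/invoice")]  # 2019-08-03 14:14:50 UTC

if __name__ == "__main__":
    tl = build_timeline(file_events(FILES), syslog_events(SYSLOG, 2019), browser_events(BROWSER))
    for when, source, detail in tl:
        print(when.isoformat(), source, detail)
```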

  • Link analysis: its utility in visualizing information obtained during analysis needs to be recognized and considered.

  • Password recovery and cryptanalysis: password protection and encryption pose unique problems for law enforcement. Password recovery is carried out by brute-force password attacks using specialized programs.

  • Information presented may include what is termed the real evidence, such as the following:

    1. The output from the forensic tools utilized;
    2. Printed command line histories and monitor snapshots;
    3. Handwritten notes and checklists;
    4. Audio and video recordings;
    5. Diagrams and manuals.

  • Supporting props: due to the complexities of a computer forensic examination, it may be necessary to attempt to simplify the information and present it in a format more readily understandable to a Court, in the form of demonstrative evidence.