Module 13: Computer Investigations (Introduction, Digital Evidence, Preserving Evidence, Analysis of Digital Evidence, Writing Investigative Reports, Proven Security Protocols and Best Practices)

J. M. Kizza - Ethical And Social Issues



Introduction

Computer forensics (computer crime investigation) is the application of forensic science investigative techniques to computer-based material used as evidence.

The investigative technique helps to reconstruct the sequence of activities, that is, what happened.

The investigation process involves the extraction, documentation, examination, preservation, analysis, evaluation, and interpretation of computer-based material to provide relevant and valid information as evidence in civil, criminal, administrative, and other cases.


Digital Evidence

Evidence is something tangible needed to prove a fact. Tangible evidence to prove a claim or an assertion can come from one of the following sources:
◦ An eyewitness who provides testimony
◦ Physical evidence, as traces of the sequence of activities leading to the claim or assertion
◦ Digital evidence, as digital footprints of the digital sequence of activities leading to the claim or assertion

Digital evidence consists of the digital footprints left after every digital activity; together these form a cybertrail.


Looking for Digital Evidence

Looking for digital evidence is difficult and is comparable to searching for bits of evidence data in a haystack.

The evidence usually sought includes binary data fixed in any medium, such as CDs, memory, and floppies; residues of things used in the committing of a crime; and physical materials such as folders, letters, and scraps of paper.

At the start of the investigation, the examiner must decide what to work with, such as written and technical policies, permissions, billing statements, and system, application and device logs.

Also decide early on what to monitor, if this is needed. This may include employer and employee computing activities, Internet e-mail, and chat rooms.


Digital Evidence Previewing and Acquisition

Dealing with digital evidence requires a lot of care because it is very volatile.

The two processes, previewing and acquiring data, may disturb the evidence data to the point of changing its state, thus casting doubt on its credibility.

To make sure that this does not happen, a strict sequence of steps must be followed in handling the evidence.


Handling Evidence – trace the sequence of events by looking for answers to the following questions:
◦ Who extracted the evidence, how, and when?
◦ Who packaged it, and when?
◦ Who stored it, how, when, and where?
◦ Who transported it, where, and when?

Previewing Image Files – allows the investigator to view the evidence media in order to determine whether a full investigation is warranted.

Evidence Acquisition – the process of extracting the evidence.


Preserving Evidence

Given that digital evidence is very fluid, in that it can disappear or change very quickly, extra care must be taken in preserving it.

One way of preserving evidence is to strictly follow these procedures:
◦ Secure the evidence scene from all parties that have no relevance to it. This avoids contamination, usually from deposits of hairs, fibres or trace material from clothing, footwear or fingerprints.


◦ Securely catalog and package evidence in strong, anti-static, well-padded, and labelled evidence bags.
◦ Image all suspected media as evidence to create a backup. Try to make several copies of each evidence item.
◦ Compute a checksum of the original evidence disk before and after each copy. After imaging, the two checksums must agree.
◦ Institute a good security access control system to make sure that only those authorized to handle the evidence do so.
◦ Secure the evidence by encryption, where and if possible. Encryption ensures the confidentiality of the evidence.
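As an added illustration of the imaging and checksum steps above (not part of the original module), the following Python script hashes a source medium before and after making a bit-for-bit copy, compares the image against the same digest, and then shows how a single altered byte in the image is caught at a later check; the "media" file it uses is constructed in a temporary directory and the file names are placeholders.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat even for large media


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_and_verify(source, image_path):
    """Hash the source, copy it bit for bit, then hash the source again and the image.
    The before/after digests of the original must agree (the copy did not alter it);
    the image digest is kept so the copy can be re-verified at later custody steps."""
    before = sha256_of_file(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    after = sha256_of_file(source)
    image = sha256_of_file(image_path)
    return {
        "sha256_before": before,
        "sha256_after": after,
        "sha256_image": image,
        "verified": before == after == image,
    }


def run_demo():
    """Constructed sample: returns the acquisition record and whether the image
    still matches its recorded digest after one byte of it is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "suspect_media.bin")  # placeholder name
        image = os.path.join(tmp, "suspect_media.dd")   # placeholder name
        with open(media, "wb") as f:
            f.write(b"SAMPLE-MEDIA" * 4096)  # constructed content, not real evidence
        record = acquire_and_verify(media, image)
        with open(image, "r+b") as f:  # simulate an image altered after acquisition
            f.seek(100)
            f.write(b"X")
        still_matches = sha256_of_file(image) == record["sha256_image"]
    return record, still_matches


if __name__ == "__main__":
    rec, intact = run_demo()
    print("acquisition verified:", rec["verified"], "| image intact later:", intact)
```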


Two common network configuration models: the centralized and the distributed

Computer networks, centralized or distributed, come in different sizes depending on the number of computers and other devices the network has.

The number of devices, computers or otherwise, in a network and the geographical area covered by the network determine the network type:
◦ Local Area Network (LAN)
◦ Wide Area Network (WAN)
◦ Metropolitan Area Network (MAN)


Analysis of Digital Evidence

Evidence analysis is the most difficult and demanding task for investigators.

It involves:
◦ Analyzing data files: file directory structure, file patterns, metadata, content, application user configuration


◦ Analysis based on digital media: deleted files, hidden files, slack space, bad blocks, steganography utilities, compressed and coded files, encrypted files, password-protected files
◦ Analysis based on operating systems: Microsoft-based file systems, UNIX and Linux file systems, Macintosh file system


Relevance and Validity of Digital Evidence

There is a need to establish the relevancy of the evidence.

The relevancy of the digital evidence depends on:
◦ the requesting agency,
◦ the nature of the request,
◦ the type of the case in question.

The question of validity of data is tied up with the relevance of data.

It is also based on the process of authentication of that data.


Writing Investigative Reports

A report is a summary of all findings of the investigation, and it is drawn from all the documentation made throughout the investigation.

The report should include the following documents:
◦ All notes taken during meetings and contacts that led to the investigation
◦ All forms used in the investigation, including the chain of custody forms
◦ Copies of search warrants and legal authority notes granting permission to conduct searches
◦ Notes, video recordings, and pictures taken at the incident scene describing the scene
◦ Notes and any documentation made to describe the computer components, including descriptions of peripherals and all devices


◦ Documentation and notes describing the networking of the suspect’s devices
◦ Notes made on what was discovered, including passwords, pass phrases, encryption and any data hiding
◦ Any changes to the suspect’s scene configuration, authorized or not
◦ Names of everyone at the suspect’s scene
◦ Procedures used to deal with the scene, including acquisition, extraction, and analysis of evidence
◦ Any observed or suspected irregularities, including those outside the scope of the techniques in use