384 ◾ Official (ISC)²® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
Digital Forensics
Digital forensics, also known as computer forensics or cyberforensics, is a discipline
that incorporates the collection and processing of digital data as evidence. This
occurs through the systematic investigation and analysis of a computer system or
other digital device. This process needs to follow an accepted set of standards that
have been instituted for the collection of evidence in a manner that maintains its
admissibility. Sensitivity analysis can also point to areas needing sound evidence.
For example, if an important calculation, such as one dealing with improvement in
employee turnover, is highly sensitive to variations in its value, take the extra time
to find support concerning why the specific quantity selected is trustworthy.
Digital forensics can be used to find the supporting evidence. A digital forensics
professional needs to effectively and efficiently identify relevant electronic evidence
associated with violations of specific laws as a part of a discovery order and per
instructions.
◾ Identify and articulate probable cause necessary to obtain a search warrant
  and recognize the limits of warrants.
◾ Locate and recover relevant electronic evidence from computer systems using
  a variety of tools.
◾ Recognize and maintain a chain of custody.
◾ Follow a documented forensics investigation process.
The seven most crucial Do’s and Don’ts that will apply to any forensic investiga-
tion are as follows:
1. Ask questions: Inquire as to the nature of the request. The more knowledge
   you have regarding the investigation, the more effective you can be.
2. Document methodically: No matter how simple the demand, write it
   down—even if you do not feel that you will perform that portion of work.
3. Operate in good faith: Generally, you should follow instructions from your
   superior or legal counsel in the course of an investigation. It may be pos-
   sible that some investigative actions could be illegal. Bring this to the other
   parties’ attention.
4. Don’t get in too deep: If any of the following conditions are true, you may
   need to make an important determination as to whether to continue yourself
   or call in other parties, such as law enforcement:
   a. The investigation involves a crime.
   b. The investigation is expected to result in serious discipline or termina-
      tion of an employee.
   c. The investigation requires that documents are prepared and maintained
      for court or a government investigative body and follow legal discov-
      ery rules.
   d. Large-scale investigations over multiple jurisdictions should be conducted
      by experienced investigators.
Law Investigation, Forensics, and Ethics ◾  385
5. Decide to investigate: Involve people who are necessary to the investigation
   and don’t make all the decisions yourself.
6. Treat everything as confidential: Regardless of who knows—or the rumors
   that surface—keep all information confidential and only disclose the infor-
   mation to those who need to know.
7. File it: Keep your documentation and store it safely. Always file it in a con-
   trolled manner, regardless.
Processes
The term “evidence location” refers to the process of investigating and gathering
information of a forensic nature and particularly of legal importance. This evidence
aids both criminal investigations and civil suits.
For instance, the Microsoft Windows operating system contains a number of
locations that can act as a rich source of evidence. Information gathering through
investigating hidden files can be extremely helpful to any investigation.
Even file attributes and time stamps are valuable. Often, perpetrators may
attempt to change a file’s attributes in order to either cover their tracks or hide
important data that may be present in the system. Collating time stamps, for
instance, can aid in reconstructing the actions taken by the suspect.
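As an added illustration of collating time stamps (example code written for this edit, not from the guide), the following Python builds a timeline from constructed NTFS-style records and flags three common indicators that a file's attributes were altered: a $STANDARD_INFORMATION creation time earlier than the kernel-maintained $FILE_NAME creation time, a modification time earlier than the creation time (which a plain file copy also produces, so it is a lead rather than proof), and time stamps with zeroed sub-second precision. The record fields, paths and values are assumptions.

```python
"""Collate file time stamps into a timeline and flag tamper indicators.

Added example, not from the ISSMP guide. SAMPLE_RECORDS is constructed data
standing in for MAC time stamps parsed from an NTFS volume; the field names
are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime     # $STANDARD_INFORMATION creation time (user-settable)
    modified: datetime    # $STANDARD_INFORMATION last-written time
    accessed: datetime    # $STANDARD_INFORMATION last-access time
    fn_created: datetime  # $FILE_NAME creation time (maintained by the kernel)


def _ts(text):
    """Parse a constructed ISO-8601 stamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed sample: one ordinary file, one file whose $SI times were set back,
# and one file that was copied in (modified time predates creation time).
SAMPLE_RECORDS = [
    FileRecord(r"C:\Windows\System32\drivers\etc\hosts",
               _ts("2011-03-01T10:00:00.123456"), _ts("2011-03-05T12:30:00.654321"),
               _ts("2011-03-05T12:30:00.654321"), _ts("2011-03-01T10:00:00.123456")),
    FileRecord(r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
               _ts("2009-07-14T00:00:00.000000"), _ts("2009-07-14T00:00:00.000000"),
               _ts("2011-03-05T13:00:00.111111"), _ts("2011-03-05T12:55:00.777777")),
    FileRecord(r"C:\Users\jdoe\Documents\report.docx",
               _ts("2011-03-04T09:00:00.500000"), _ts("2011-03-02T08:00:00.250000"),
               _ts("2011-03-04T09:00:00.500000"), _ts("2011-03-04T09:00:00.500000")),
]


def build_timeline(records):
    """Flatten every $SI time stamp into (time, path, event) tuples, oldest first."""
    events = [(getattr(r, name), r.path, name)
              for r in records for name in ("created", "modified", "accessed")]
    events.sort()
    return events


def find_anomalies(records):
    """Return (path, indicator) pairs worth a closer look; none of them is proof."""
    findings = []
    for r in records:
        # Tools that rewrite $SI usually cannot touch $FN, so $SI older than $FN
        # means the creation time was set backwards after the file appeared.
        if r.created < r.fn_created:
            findings.append((r.path, "si-created-before-fn-created"))
        # Modified before created: a copy/move keeps the content time but gets
        # a fresh creation time, or the creation time was altered.
        if r.modified < r.created:
            findings.append((r.path, "modified-before-created"))
        # Whole-second stamps on NTFS (100 ns native resolution) are a classic
        # sign of a tool that writes 32-bit DOS-style times.
        if r.created.microsecond == 0 and r.modified.microsecond == 0:
            findings.append((r.path, "zeroed-subsecond-precision"))
    return findings


if __name__ == "__main__":
    for when, path, event in build_timeline(SAMPLE_RECORDS):
        print(when.isoformat(), event.ljust(8), path)
    for path, why in find_anomalies(SAMPLE_RECORDS):
        print("INDICATOR", why, path)
```

Each indicator is a reason to pull the $MFT entry, the USN journal and surrounding events for that file, not a conclusion on its own; the timeline output is what lets the investigator place those events next to logon, process and network records from the same host.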
Some of the more important sources of electronic evidence on a Windows host
include the following:
◾ Files
◾ Slack space
◾ Swap file
◾ Unallocated clusters
◾ Unused partitions
◾ Hidden partitions
Some of the most crucial areas to check for evidence within volatile data include
registers, cache, physical and virtual memory, network connections, running processes,
and disk, for instance, the page file (Figure 5.4). Any external device associated with the
system should also be considered and checked for evidence: floppy, tape, CD-ROM,
USB thumb drives, and printers. Captured data must then be gathered and saved on
external devices so that it may be safely removed and kept offline at another location.
RFC 3227 (Guidelines for Evidence Collection and Archiving) lists the order of
volatility in a Microsoft Windows-based system as follows:
◾ Registers, cache
◾ Routing table, ARP cache, process table, kernel statistics
◾ Memory
◾ Temporary file systems
◾ Disk
◾ Remote logging and monitoring data that is relevant to the system in question
◾ Physical configuration, network topology
◾ Archival media
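To show how the RFC 3227 ordering and the chain-of-custody requirement listed earlier in the section fit together in practice, here is an added Python example (not code from the guide or from RFC 3227). It sorts constructed collection tasks most-volatile-first and writes each acquisition into a hash-chained custody log, so that a later alteration, removal or reordering of an entry is detectable. The artifact names, the `collect` callables, the bytes they return and the examiner id are assumptions standing in for real acquisition tools.

```python
"""Plan a live collection in RFC 3227 volatility order and keep a custody log.

Added example, not code from the ISSMP guide or RFC 3227. The tasks, the bytes
their collectors return and the examiner id are constructed placeholders; on a
real host each `collect` callable would invoke the acquisition tool.
"""
import hashlib
import json
from datetime import datetime, timezone

# RFC 3227 order of volatility, most volatile first.
ORDER_OF_VOLATILITY = (
    "registers, cache",
    "routing table, arp cache, process table, kernel statistics",
    "memory",
    "temporary file systems",
    "disk",
    "remote logging and monitoring data",
    "physical configuration, network topology",
    "archival media",
)


def volatility_rank(source):
    """Lower rank = more volatile = collect first. Unknown classes are refused."""
    if source not in ORDER_OF_VOLATILITY:
        raise ValueError(f"unknown volatility class: {source!r}")
    return ORDER_OF_VOLATILITY.index(source)


def plan_collection(tasks):
    """Sort tasks most-volatile-first; stable, so same-class tasks keep their order."""
    return sorted(tasks, key=lambda t: volatility_rank(t["source"]))


def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only log; every entry commits to the hash of the one before it."""

    GENESIS = "0" * 64

    def __init__(self, examiner):
        self.examiner = examiner
        self.entries = []

    def record(self, task, data, when):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "artifact": task["artifact"],
            "source": task["source"],
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "collected_at": when.isoformat(),
            "examiner": self.examiner,
            "prev_hash": prev,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if no entry was altered, removed or reordered."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# Constructed tasks, deliberately listed out of volatility order.
SAMPLE_TASKS = [
    {"artifact": "pagefile.sys", "source": "disk",
     "collect": lambda: b"<constructed pagefile image>"},
    {"artifact": "arp cache listing",
     "source": "routing table, arp cache, process table, kernel statistics",
     "collect": lambda: b"192.0.2.1  00-00-5e-00-53-01  dynamic\n"},
    {"artifact": "physical memory image", "source": "memory",
     "collect": lambda: b"<constructed RAM image>"},
    {"artifact": "syslog export from central collector",
     "source": "remote logging and monitoring data",
     "collect": lambda: b"Mar  5 12:00:01 host sshd[412]: Accepted publickey\n"},
]


def run_collection(tasks, examiner="examiner-01", when=None):
    """Collect in volatility order, logging each artifact's hash as it is taken."""
    log = CustodyLog(examiner)
    for task in plan_collection(tasks):
        log.record(task, task["collect"](), when or datetime.now(timezone.utc))
    return log


if __name__ == "__main__":
    log = run_collection(SAMPLE_TASKS)
    for e in log.entries:
        print(e["seq"], e["source"], "->", e["artifact"], e["sha256"][:12])
    print("chain intact:", log.verify())
```

The artifact hash ties the log entry to the bytes later presented in court, and the per-entry hash chain turns the documentation requirement in the Do's and Don'ts above into something that can be checked rather than asserted: re-running `verify()` on the stored log, ideally against a copy kept by a second person, catches a changed digest, a dropped entry or a re-sequenced one.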
Documents—whether completed or still in draft—and working notes or scrap
paper may be used as evidence in court. If working notes, etc., exist at the time of
discovery, they are required to be included as sources of evidence and are subject
to discovery.
◾ Computer-based information
◾ Photographs, maps, and charts
◾ Internal correspondence and email
◾ Legal and regulatory filings
◾ Company intranet access and publications
◾ Formal meeting minutes or transcripts
[Figure 5.4 (diagram): Locate Evidence on Windows Systems. The figure lists, in order: Gather Volatile Evidence; Investigate Windows File Slack; Examine the File System; Check the Windows Registry; Memory Dumps are Important!; Check System State Backup; Investigate Internet Traces.]
Figure 5.4 Digital evidence volatility requires that evidence is processed in order.
◾ Casual conversations
◾ Conversations at trade shows and events
A competitive organization may also be able to make use of and gain an advan-
tage using the following:
◾ Marketing and product plans, especially prior to release
◾ Source code
◾ Corporate strategies and plans
◾ Marketing, advertising, and packaging expenditures
◾ Pricing issues, strategies, lists
◾ R&D, manufacturing processes, and technological operations
◾ Target markets and prospect information
◾ Plant closures and development
◾ Product designs, development, and costs
◾ Staffing, operations, organization charts, wage/salary
◾ Partner and contract arrangements including delivery, pricing, and terms
◾ Customer and supplier information
◾ Merger and acquisition plans
◾ Financials, revenues, P&L, R&D budgets
With the rise of identity fraud and other related offenses, the theft of propri-
etary company information and private personnel records is also increasing. The
records sought include the following:
◾ Home addresses
◾ Home phone number
◾ Names of spouse and children
◾ Employee’s salary
◾ Social security number
◾ Medical records
◾ Credit records or credit union account information
◾ Performance reviews
Rather than shutting the system down, there is a large amount of volatile evidence
that may be collected on a live system. The section objectives include the following:
◾ Locating and gathering volatile evidence on a Windows host
◾ Investigating Windows file slack for evidence
◾ Interpreting the Windows registry and memory dump information
◾ Investigating the system state backups
◾ Analyzing Internet trace data and events
Documentation
A well-written investigative report tells a story in which one has to answer various
questions such as who, when, where, why, and how. While answering these ques-
tions, supporting materials such as figures, tables, data, and equations are required
if they help the story unfold in an effective form.
The supporting material can be referred to directly in the text and integrated
in the writing to enhance the impact. It is advisable to number figures and tables
in the same order as they are introduced in the report. For example, tables can be
numbered as Table 1, Table 2, and so on. In the same way, figures can be labeled as
Figure 1, Figure 2, and so on. Numbering the material avoids confusion and makes
it easier to understand. To reduce narration and emphasize important facts, put
tables and schedules in appendices.
Captions are preferred over simple titles, as the complete information adds
to the conciseness of the presentation. If charts are used, they should be labeled,
including axes and units. In a paragraph, if any table or figure is mentioned, then
that figure or table should be inserted after the paragraph. One could also gather
all supporting material after the reference section.
The following presents a possible layout of an investigative report. The presen-
tation of accurate text is equivalent to being able to speak clearly. As such, always
give your full attention to the layout and presentation of information in a report
when you are writing. It is further advisable to adhere to a single format
throughout the report; this creates consistency. There are two main methodologies
for creating a layout structure: decimal numbering and legal-sequential
numbering. Decimal numbering is as follows:
1.0 Introduction
  1.1 The Nature of the Incident
    1.1.1 The Details of the Victim
2.0 First Incident
  2.1 The First Witness
    2.1.1 Witness Testimony—Witness No. 1
3.0 Location of Evidence
  3.1 Seizure of Evidence
    3.1.1 Transportation of Evidence
4.0 Analysis of Evidence
  4.1 Chain of Evidence
    4.1.1 Extraction of Data
5.0 Conclusion
  5.1 Results
    5.1.1 Expert Opinion