Authors: Amelia Phillips, Bill Nelson, Christopher Steuart
Guide to Computer Forensics and Investigations, Fifth Edition 1-1
Chapter 1
Understanding the Digital Forensics Profession and
Investigations
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Teaching Tips
Quick Quizzes
Lecture Notes
Overview
Chapter 1 introduces you to digital forensics and explains computer investigation.
Students will learn how to prepare a computer investigation. Next, students will apply a
systematic approach to an investigation. This chapter also describes procedures for
Chapter Objectives
Describe the field of digital forensics
Explain how to prepare a computer investigation and summarize the difference between
public-sector and private-sector investigations
Explain the importance of maintaining professional conduct
Teaching Tips
An Overview of Digital Forensics
2. Point out that an International Organization for Standardization (ISO) standard for
digital forensics was ratified in October 2012.
3. Mention that the FBI Computer Analysis and Response Team (CART) was formed in
1984 to handle the increasing number of cases involving digital evidence. Use Figure 1-
1 to illustrate your explanation.
4. Explain that the Fourth Amendment to the U.S. Constitution protects everyone’s rights
Digital Forensics and Other Related Disciplines
1. Explain that digital forensics investigates data that can be retrieved from a computer’s
hard disk or other storage media. Network forensics yields information about how a
perpetrator or an attacker gained access to a network.
2. Mention that data recovery involves retrieving information from a computer that was
deleted by mistake or lost during a power surge or server crash. Typically, you know
what you’re looking for. Digital forensics is the task of recovering data that users have
hidden or deleted and using it as evidence. This evidence can be inculpatory
(“incriminating”) or exculpatory.
Tip
4. Mention that investigators often work as a team to make computers and networks secure
5. Explain that when you work in the vulnerability assessment and risk management
6. Explain that the network intrusion detection and incident response group detects
intruder attacks by using automated tools and monitoring firewall logs.
7. Define the digital investigations group as a team that manages investigations and
A Brief History of Digital Forensics
1. Explain that by the 1970s, electronic crimes were increasing, especially in the financial
2. Mention that in the early 1980s, PCs gained popularity and different OSs emerged. Disk
Operating System (DOS) was available in many varieties. Forensics tools were simple,
3. By the mid-1980s, Xtree Gold appeared on the market and recognized file types and
Tip
4. Mention that in 1987, Apple produced the Mac SE, a Macintosh with an external
5. Explain that by the early 1990s, specialized tools for computer forensics were available.
The International Association of Computer Investigative Specialists (IACIS) introduced
training on software for forensics investigations and the IRS created search-warrant
programs.
6. Mention that ExpertWitness, created by ASR Data for the Macintosh, was the first
7. Mention that the introduction of large hard disks posed new problems for investigators.
Understanding Case Law
2. Explain that when statutes or regulations don’t exist, case law is used. Case law allows
Developing Digital Forensics Resources
1. Explain that you must be familiar with more than one computing platform, such as
Tip
2. Mention that you should join as many computer user groups as you can. The Computer
3. Point out that the High Technology Crime Investigation Association (HTCIA),
4. Mention that user groups can be especially helpful when you need information about
obscure OSs.
5. Explain that it is recommended that you build a network of computer forensics experts
detailed information you need to retrieve digital evidence.
Preparing for Digital Investigations
1. Explain that digital investigations fall into two distinct categories: public-sector
2. Explain that public investigations involve government agencies responsible for criminal
3. Explain that private or corporate investigations deal with private companies, non-law-
4. Mention that private corporate investigations also involve litigation disputes.
Understanding Law Enforcement Agency Investigations
1. Explain that in a criminal case, a suspect is tried for a criminal offense such as burglary,
2. Mention that many states have added specific language to criminal codes to define
Following Legal Processes
1. Explain that the legal processes depend on local custom, legislative standards, and rules
3. Next, a police officer interviews the complainant and writes a report about the crime.
4. Discuss the difference between a Digital Evidence First Responder (DEFR) and a
5. Mention that after you build a case, the information is turned over to the prosecutor.
6. Define affidavit as a sworn statement of support of facts about or evidence of a crime
7. Mention that a judge must approve and sign a search warrant before you can use it to
collect evidence.
Understanding Private-Sector Investigations
1. Explain that private-sector investigations involve private companies and lawyers who
address company policy violations and litigation disputes.
2. Mention that corporate computer crimes can involve:
a. E-mail harassment
b. Falsification of data
3. Explain that one way to avoid litigation is to publish and maintain policies that
5. Explain that another way to avoid litigation is to display warning banners. A warning
banner usually appears when a computer starts or connects to the company intranet,
6. Mention that an authorized requester has the power to conduct investigations, and this
policy should be defined by executive management.
7. Describe the groups that should have direct authority to request computer
investigations, including:
a. Corporate security investigations
8. Describe the most common type of situations that require conducting security
investigations in a corporate environment, including:
10. Explain that the Federal Rules of Evidence are the same for civil and criminal matters.
11. Explain that many company policies distinguish between personal and company
computer property. One area that’s difficult to distinguish involves cell phones,
Maintaining Professional Conduct
1. Explain that your professional conduct as a digital investigation and forensics analyst is
2. Explain that maintaining objectivity means you must form and sustain unbiased
4. Explain that you can enhance your professional conduct by continuing your training,
5. Mention that you are expected to achieve a high public and private standing and
Quick Quiz 1
1. ____ involves obtaining and analyzing digital information for use as evidence in civil,
criminal, or administrative cases.
2. Evidence that is used to clear the suspect is known as ______.
3. A sworn statement of support of the facts about or evidence of a crime is known as a(n)
_____.
4. ____ allows legal counsel to use previous cases similar to the current one because the
laws don’t yet exist.
5. A(n) _____ usually appears when a computer starts and informs end users that the
organization reserves the right to inspect computer systems and network traffic at will.
Preparing a Digital Forensics Investigation
1. Explain the role of digital forensics professionals.
2. Explain that collecting evidence that can be offered in court or at a corporate inquiry
3. Define chain of custody as the route the evidence takes from the time you find it until
the case is closed or goes to court.
An Overview of a Computer Crime
1. Explain to your students that information contained on a computer can help solve a
case.
3. You may need to define the roles of acquisitions officers and investigating officers.
An Overview of a Company Policy Violation
1. Explain to your students that when employees misuse company resources, i.e., not
following company policies, it can cost companies millions of dollars. Misuse includes:
a. Surfing the Internet
Taking a Systematic Approach
1. Briefly explain each step to problem solving, including:
a. Make an initial assessment about the type of case you are investigating
b. Determine a preliminary design or approach to the case
c. Create a detailed checklist
2. Do not forget to mention that the amount of time and effort for each step varies
Assessing the Case
1. Recall that when assessing a case, you first need to outline the case before determining
2. Present a list of case details. The list should include:
a. Situation
Planning Your Investigation
1. Outline the basic steps when planning an investigation:
a. Acquire the evidence
b. Complete an evidence form and establish a chain of custody
2. Remind your students that a broken chain of custody can get your case thrown out.
Therefore, documenting evidence is very important during a forensics analysis.
3. Use Figures 1-10 and 1-11 to explain the use of evidence custody forms, either single-
evidence or multi-evidence, and the fields typically included in these forms:
a. Case number
b. Investigating organization
c. Investigator
d. Nature of the case
e. Location evidence was obtained
f. Description of evidence
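The evidence custody form and chain of custody described above, as an added example in Python (not code from the textbook or its authors). The form fields follow the list in this section; the checks that every release from the locker must be matched by a return, and that the image hash is re-verified at each hand-off, are this example's own assumptions about how a broken chain would be detected. All case values are constructed.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class CustodyEvent:
    when: str       # constructed ISO-8601 timestamp
    action: str     # "collected", "released" or "returned"
    person: str
    purpose: str
    sha256: str     # hash of the evidence image at the time of the event

@dataclass
class EvidenceCustodyForm:
    # Fields the chapter lists for single- and multi-evidence forms
    case_number: str
    investigating_organization: str
    investigator: str
    nature_of_case: str
    location_obtained: str
    description: str
    events: list = field(default_factory=list)

    def record(self, when, action, person, purpose, image: bytes) -> None:
        """Log one custody event, hashing the image as it exists at that moment."""
        digest = hashlib.sha256(image).hexdigest()
        self.events.append(CustodyEvent(when, action, person, purpose, digest))

    def chain_problems(self) -> list:
        """Return findings that would break the chain; an empty list means intact."""
        if not self.events or self.events[0].action != "collected":
            return ["chain does not start with collection"]
        problems, baseline, out_of_locker = [], self.events[0].sha256, False
        for ev in self.events:
            if ev.sha256 != baseline:
                problems.append(f"{ev.when}: hash changed while held by {ev.person}")
            if ev.action == "released":
                if out_of_locker:
                    problems.append(f"{ev.when}: released again without a return")
                out_of_locker = True
            elif ev.action == "returned":
                if not out_of_locker:
                    problems.append(f"{ev.when}: returned but never released")
                out_of_locker = False
        if out_of_locker:
            problems.append("evidence is still out of the secure locker")
        return problems

def sample_form(tamper: bool) -> EvidenceCustodyForm:
    """Constructed case: a USB image is released for analysis and returned.
    With tamper=True the image is altered while out and released again instead."""
    form = EvidenceCustodyForm("CASE-0001 (constructed)", "Example Corp Security",
                               "J. Investigator", "Internet abuse", "Desk 4B",
                               "8 GB USB drive, blue, serial unknown")
    image = b"constructed USB image bytes"
    form.record("2024-01-10T09:00", "collected", "J. Investigator", "seizure", image)
    form.record("2024-01-11T08:30", "released", "A. Analyst", "keyword search", image)
    if tamper:
        image += b"!"  # a byte changed while the drive was out of the locker
        form.record("2024-01-12T08:00", "released", "B. Contractor", "second look", image)
    else:
        form.record("2024-01-11T17:00", "returned", "A. Analyst", "analysis done", image)
    return form
```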
Securing Your Evidence
1. Point out some of the considerations to follow when handling computer evidence:
a. Static electricity
b. Padding to prevent damage during transportation
Procedures for Private-Sector High-Tech Investigations
1. This section explains how to develop formal procedures and informal checklists to
Employee Termination Cases
Internet Abuse Investigations
1. Describe what you need to conduct an Internet abuse investigation, including:
a. The organization’s Internet proxy server logs
2. Describe the steps to perform an Internet abuse investigation, including:
a. Use standard forensic analysis techniques and procedures
E-mail Abuse Investigations
1. Describe what you need to conduct an e-mail abuse investigation, including:
a. An electronic copy of the offending e-mail that contains message header data
2. Describe the steps to perform an e-mail abuse investigation, including:
a. Use the standard forensic analysis techniques and procedures
c. For Web-based e-mail investigations, use tools such as FTK’s Internet Keyword
Attorney-Client Privilege Investigations
1. Explain that when working under attorney-client privilege (ACP) rules for an attorney,
you must keep all findings confidential.
2. Mention that many attorneys want printouts of the data you have recovered. You need
3. Describe the steps for conducting an ACP case, including:
a. Request a memorandum from the attorney directing you to start the
investigation
b. Request a list of keywords of interest to the investigation
c. Initiate the investigation and analysis
d. For disk drive examinations, make two bit-stream images using different tools
4. Describe other guidelines for conducting ACP cases, including:
a. Minimize all written communications with the attorney
6. Always keep an open line of verbal communication.
Industrial Espionage Investigations
2. Describe the staff needed for an industrial espionage investigation, including:
a. Computing investigator who is responsible for disk forensic examinations
3. Describe some of the guidelines for industrial espionage investigations, including:
a. Determine whether this investigation involves a possible industrial espionage
incident
b. Consult with corporate attorneys and upper management
4. Describe some of the planning considerations for an industrial espionage investigation,
including:
a. Examine all e-mail of suspected employees
b. Search Internet newsgroups or message boards
c. Initiate physical surveillance
5. Describe the basic steps to perform industrial espionage investigations, including:
a. Gather all personnel assigned to the investigation and brief them on the plan
b. Gather the resources needed to conduct the investigation
Interviews and Interrogations in High-Tech Investigations
1. Mention that becoming a skilled interviewer and interrogator can take many years of
experience.
2. Explain that an interview is usually conducted to collect information from a witness or
4. Describe the ingredients for a successful interview or interrogation, including:
a. Being patient throughout the session
Understanding Data-Recovery Workstations and Software
1. Introduce your students to the concept of a digital forensics lab or data-recovery lab.
2. Compare digital forensics with data recovery.
3. Explain to the students the concept of a digital forensics workstation and its role in a
forensic analysis.
Setting Up Your Workstation for Digital Forensics
1. Describe the basic requirements for setting up a computer forensics workstation,
including:
a. A workstation running Windows XP or later
2. Mention some additional useful items, including:
a. Network interface card (NIC)
b. Extra USB ports
c. FireWire 400/800 ports
Conducting an Investigation
1. Explain that you should start by gathering the resources you identified in your
investigation plan.
2. Describe the items needed for this phase, including:
a. Original storage media
b. Evidence custody form
Gathering the Evidence
1. Explain that when you gather the evidence, you should avoid damaging the evidence.
2. Outline the steps involved in gathering the evidence, including:
a. Meet with the IT manager to interview him
b. Fill out the evidence form, have the IT manager sign it
Understanding Bit-stream Copies
1. Define a bit-stream copy as a bit-by-bit copy of the original drive or storage medium.
2. Compare a bit-stream copy against a simple backup copy.
4. Explain to the students why the target disk must match the original disk. Use Figure 1-
Acquiring an Image of Evidence Media
1. Mention that the first rule of digital forensics is to preserve the original evidence.
Conduct your analysis only on a copy of the data.
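The difference between a bit-stream copy and a simple backup copy, and why the target must match the original, as an added Python example (not code from the textbook or its authors). The "storage medium" is a constructed byte string with a tiny directory, a deleted file's residue and unallocated sectors; the SHA-256 comparison used to confirm the image matches the original is this example's assumption, since the chapter only states that the two must match.

```python
import hashlib

SECTOR = 16  # constructed sector size, kept small so the layout is readable

def build_medium() -> bytes:
    """Construct a 6-sector medium: sectors 0-2 hold two live files, sector 3
    holds the residue of a deleted file, sectors 4-5 are unallocated."""
    live = [b"memo: quarterly figures".ljust(2 * SECTOR, b"\x00"),
            b"report.txt ok".ljust(SECTOR, b"\x00")]
    deleted = b"DEL:payroll.xls".ljust(SECTOR, b"\x00")
    return b"".join(live) + deleted + b"\x00" * (2 * SECTOR)

# Directory entries (name, first sector, length in bytes). The deleted file's
# entry is gone, which is why a file-level backup never sees its data.
DIRECTORY = [("memo.txt", 0, 23), ("report.txt", 2, 13)]

def simple_backup(medium: bytes) -> dict:
    """Backup copy: only the bytes the directory still points at."""
    return {name: medium[start * SECTOR:start * SECTOR + length]
            for name, start, length in DIRECTORY}

def bit_stream_copy(medium: bytes) -> bytes:
    """Bit-by-bit copy of the whole medium, read sector by sector."""
    return b"".join(medium[i:i + SECTOR] for i in range(0, len(medium), SECTOR))

def verify_image(original: bytes, image: bytes) -> bool:
    """Target must match the original exactly: same size and same hash."""
    return (len(original) == len(image) and
            hashlib.sha256(original).digest() == hashlib.sha256(image).digest())

def contains_deleted_data(data: bytes) -> bool:
    """True if the remains of the deleted file survive in the copy."""
    return b"DEL:payroll.xls" in data

if __name__ == "__main__":
    medium = build_medium()
    backup_bytes = b"".join(simple_backup(medium).values())
    image = bit_stream_copy(medium)
    print("backup keeps deleted data:", contains_deleted_data(backup_bytes))  # False
    print("image keeps deleted data: ", contains_deleted_data(image))         # True
    print("image verifies against original:", verify_image(medium, image))    # True
```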
Using ProDiscover Basic to Acquire a USB Drive
2. Use Figures 1-13 through 1-15 to describe the steps to acquire a USB drive image
using ProDiscover Basic.
Analyzing Your Digital Evidence
1. Remind your students that the job of a digital forensics investigator is to recover data
from deleted files, file fragments, and complete files.
3. Use Figures 1-16 and 1-17 to show the steps to load and acquire an image into
ProDiscover Basic.
4. Use Figures 1-18 and 1-19 to show how to display the contents of the acquired data.
5. Mention that data analysis can be the most time-consuming task.
6. Use Figures 1-20 through 1-23 to explain how to perform the following tasks with
ProDiscover Basic:
a. Search for keywords of interest in the case
Completing the Case
1. Discuss the questions that need to be answered in order to write the final report.
2. Give your students guides on how to write an investigation final report:
a. State what you did and what you found
3. Stress that if by repeating the process described in a report you cannot achieve the same
4. Mention to your students that the final report should be prepared according to the
Critiquing the Case
1. Describe how to make a self-evaluation of your work by answering the following
questions:
a. How could you improve your performance in the case?
b. Did you expect the results you found? Did the case develop in ways you did not
expect?
Quick Quiz 2
1. During the _____________ step for problem solving you review the decisions you’ve
made and the steps you have already completed.
2. The secure evidence locker is located at the ____.
3. Of all the Microsoft operating systems, ____ is the least intrusive in terms of changing
data.
4. A(n) ____ is a bit-by-bit copy of the original storage medium.
5. In any computing investigation, you should be able to repeat the steps you took and
produce the same results. This capability is referred to as ____.
Class Discussion Topics
1. Discuss some of the various backup tools available in the market. What are the
differences among the computer forensic tools discussed within the chapter?
Additional Projects
2. Have students investigate several computer forensics tools for use on a UNIX/Linux
Additional Resources
1. How to Keep a Digital Chain of Custody:
2. What is attorney client privilege?:
3. Sniffers: What They Are and How to Protect Yourself:
4. Write-blockers:
Key Terms
affidavit A notarized document, given under penalty of perjury, that investigators
approved secure container A fireproof container locked by a key or combination.
attorney-client privilege (ACP) Communications between an attorney and client
about legal matters is protected as confidential communications. The purpose of having
confidential communications is to promote honest and open dialogue between an
attorney and client. This confidential information must not be shared with unauthorized
people.
authorized requester In a private-sector environment, the person who has the right
to request an investigation, such as the chief security officer or chief intelligence
quality of high-technology investigations in the Pacific Northwest.
data recovery Retrieving files that were deleted accidentally or purposefully.
Digital Evidence First Responder (DEFR) A professional who secures digital
evidence at the scene and ensures its viability while transporting it to the lab.
Digital Evidence Specialist (DES) An expert who analyzes digital evidence and
physical possession of evidence.
exculpatory evidence Evidence that indicates the suspect is innocent of the crime.
exhibits Evidence that indicates the suspect is innocent of the crime.
forensics workstation A workstation set up to allow copying forensic evidence,
whether on a hard drive, flash drive, or the cloud. It usually has software preloaded and
ready to use.
which he or she is charged.
industrial espionage Theft of sensitive or proprietary company information, often
to sell to a competitor.
International Association of Computer Investigative Specialists (IACIS) An
organization created to provide training and software for law enforcement in the digital
intruders by using automated tools; also includes the manual process of monitoring
network firewall logs.
professional conduct Behavior expected of an employee in the workplace or other
professional setting.
repeatable findings Being able to obtain the same results every time from a
computer forensics examination.
search and seizure The legal act of acquiring evidence for an investigation. See also
Fourth Amendment.
search warrants Legal documents that allow law enforcement to search an office, a
home, or other locale for evidence related to an alleged crime.
single-evidence form A form that dedicates a page for each item retrieved for a
case. It allows investigators to add more detail about exactly what was done to the
evidence each time it was taken from the storage locker. See also evidence custody
form.