Powerpoint template - PowerPoint by gg2zRNML

VIEWS: 101 PAGES: 34

Digital Forensics
Lecture 4A: Forensic Processes
   Module Leader: Dr Gordon Russell
   Lecturers: Robert Ludwiniak
Forensics Processes - objectives

  – Investigation Process
  – Forensic Ethics Issues
  – Forensic Law Issues
Investigation Process
According to many professionals, Computer Forensics is a
four (4) step process:

       Physically or remotely obtaining possession of the computer, all network
       mappings from the system, and external physical storage devices

       This step involves identifying what data could be recovered and
       electronically retrieving it by running various Computer Forensic tools
       and software suites
Investigation Process
According to many professionals, Computer Forensics is a
four (4) step process:

      Evaluating the information/data recovered to determine if and how it
      could be used again the suspect for employment termination or
      prosecution in court

      This step involves the presentation of evidence discovered in a manner
      which is understood by lawyers, non-technically staff/management, and
      suitable as evidence as determined by United States and internal laws
Digital Investigation Process Model

    Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”
Readiness Phases

Computer forensics lab
  • Where you conduct your investigation
  • Store evidence
  • House your equipment, hardware, and

American Society of Crime Laboratory Directors
(ASCLD) offers guidelines for:
  • Managing a lab
  • Acquiring an official certification
  • Auditing lab functions and procedures
Staff Readiness

Lab manager duties :
   • Estimate when to expect preliminary and final results
   • Create and monitor lab policies for staff
   • Provide a safe and secure workplace for staff and

Staff member duties:
   • Knowledge and training:
       • Hardware and software
       • OS and file types
       • Deductive reasoning
Acquiring Certification and Training
• Update your skills through appropriate
• International Association of Computer
  Investigative Specialists (IACIS)
   – Created by police officers who wanted to formalize
     credentials in computing investigations
   – Certified Electronic Evidence Collection Specialist
   – Certified Forensic Computer Examiners (CFCEs)
Acquiring Certification and Training
• High-Tech Crime Network (HTCN)
  – Certified Computer Crime Investigator, Basic and Advanced Level
  – Certified Computer Forensic Technician, Basic and Advanced
• EnCase Certified Examiner (EnCE) Certification
• AccessData Certified Examiner (ACE)
• Other Training and Certifications
  – High Technology Crime Investigation Association (HTCIA)
Acquiring Certification and Training
• Other training and certifications
  – SysAdmin, Audit, Network, Security (SANS) Institute
  – Computer Technology Investigators Network (CTIN)
  – NewTechnologies, Inc. (NTI)
  – Southeast Cybercrime Institute at Kennesaw State
  – Federal Law Enforcement Training Center (FLETC)
  – National White Collar Crime Center (NW3C)
Physical Requirements for a Computer
Forensics Lab

• Most of your investigation is conducted in a lab
• Lab should be secure so evidence is not lost,
  corrupted, or destroyed
• Provide a safe and secure physical
• Keep inventory control of your assets
  – Know when to order more supplies
Digital Crime Scene Investigation Phases

    Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”
Digital Evidence Searching Phase
Event Reconstruction Phase

    Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”
Ethics and Codes

 • Ethics
   – Rules you internalize and use to measure your performance
 • Codes of professional conduct or
   – Standards that others apply to you or that you are compelled to
     adhere to by external forces
       • Such as licensing bodies

 • People need ethics to help maintain their
   – And self-respect and the respect of their profession
Applying Ethics and Codes

• Laws governing codes of professional conduct or
  – Define the lowest level of action or performance required to avoid
• Expert witnesses should present unbiased,
  specialized, and technical evidence to a jury
• Expert witnesses testify in more than 80% of trials
  – And in many trials, multiple expert witnesses testify
Applying Ethics and Codes to Expert
• The most important laws applying to attorneys
  and witnesses are the rules of evidence

• Experts are bound by their own personal ethics
  and the ethics of their professional organizations

  – In the United States, there’s no state or national
    licensing body for computer forensics examiners
Computer Forensics Examiners’ Roles in
• Computer forensics examiners have two roles:
   – Scientific/technical witness and expert witness
• Scientific/technical witness
  •   Person involved in a case, investigator that found and presented the

• As expert witness
   – You can testify even if you weren’t present when the event
       • Or didn’t handle the data storage device personally
   – Criticism: it’s possible to find and hire an expert to
     testify to almost any opinion on any topic
Organizations with Codes of Ethics

• No single source offers a definitive code of
  ethics for forensic investigator
• You must draw on standards from other
  organizations to form your own ethical
International Society of Forensic
Computer Examiners

• Includes guidelines such as the following:
  – Maintain the utmost objectivity in all forensic
    examinations and present findings accurately
  – Conduct examinations based on established, validated
  – Testify truthfully in all matters before any board, court,
    or proceeding
  – Avoid any action that would appear to be a conflict of
International Society of Forensic
Computer Examiners (continued)

• Includes guidelines such as the following:
  – Never misrepresent training, credentials, or association
  – Never reveal any confidential matters or knowledge
    learned in an examination without an order from a court
    of competent jurisdiction or the client’s express
International High Technology Crime
Investigation Association
• HTCIA core values include the following
  requirements related to testifying:
  – The HTCIA values the Truth uncovered within digital
    information and the effective techniques used to
    uncover that Truth, so that no one is wrongfully
  – The HTCIA values the Integrity of its members and
    the evidence they expose through common
    investigative and computer forensic best practices,
    including specialized techniques used to gather
    digital evidence
International Association of Computer
Investigative Specialists
• Standards for IACIS members include:
   – Maintain the highest level of objectivity in all forensic
     examinations and accurately present the facts
   – Thoroughly examine and analyze the evidence
   – Conduct examinations based upon established,
     validated principles
   – Render opinions having a basis that is
     demonstratively reasonable
   – Not withhold any findings that would cause the facts
     of a case to be misrepresented or distorted
• Public Interest
   •   Legitimate rights of third parties include protecting personal identifiable
       data to prevent unlawful disclosure and identity theft, and also respect for
       copyright, patents and other intellectual property.
• Professional Competence and Integrity
   •   You should only claim current competence where you can demonstrate
       you have the required expertise e.g. through recognised competencies,
       qualifications or experience.
• Duty to Relevant Authority
   •   If any conflict is likely to occur or be seen by a third party as likely to occur
       you will make full and immediate disclosure to your Relevant Authority.
• Duty to the Profession
   •   Share knowledge and understanding of IT and support inclusion of every
       sector of society.
Legal Issues

In criminal investigation you ALWAYS have to have

Warrant can be issued for:
Entire company, floor, room, a device, car, house, any
company/person owned property

Mobile phone cases – issues with interception rules laid
down in RIPSA [Regulations of Investigative Powers
(Scotland) Act]
Ethics and Warrants

 A lot of the ethical issues are covered by the
warrants system. Before a warrant can be issues
a judge is presented with the evidence that
suggests a search will find something relating to
the crime under investigation. He will then way
this against the person's freedoms and decide
whether the warrant should be granted.
Corporate Investigation Issues

Non-criminal internal investigation can be
restricted by the individual’s right of privacy

Data Protection Act

Company Polices
Best Practice
  – Principle 1 - No action taken by law enforcement or
    their agents should change data held on an electronic
    device or media which may subsequently be relied
    upon in Court.
  – Principle 2 - In exceptional circumstances where a
    person finds it necessary to access original data held
    on an electronic device or media, that person must be
    competent to do so, and be able to give evidence
    explaining the relevance and the implications of their
Best Practice
  – Principle 3: An audit trail or other record of all
    processes applied to computer based
    electronic evidence should be created and
    preserved. An independent third party should
    be able to examine those processes and
    achieve the same result.
Best Practice
  – Principle 4: The person in charge of the
    investigation (the case officer) has overall
    responsibility for ensuring that the law and
    these principles are adhered to.
Assessment: Short-Answer Examples
What are the requirements for the computer forensic lab?

Assessment: Short-Answer Examples
What is a difference between Ethics and Code of Practice?

Assessment: Short-Answer Examples
How Data Protection Act can create problems in a corporate investigation?


To top