Powerpoint template - PowerPoint by gg2zRNML

VIEWS: 101 PAGES: 34

									CSN08101
Digital Forensics
Lecture 4A: Forensic Processes
   Module Leader: Dr Gordon Russell
   Lecturers: Robert Ludwiniak
Forensics Processes - objectives


  – Investigation Process
  – Forensic Ethics Issues
  – Forensic Law Issues
Investigation Process
According to many professionals, Computer Forensics is a
four (4) step process:

   Acquisition
       Physically or remotely obtaining possession of the computer, all network
       mappings from the system, and external physical storage devices

   Identification
       This step involves identifying what data could be recovered and
       electronically retrieving it by running various Computer Forensic tools
       and software suites
Investigation Process
According to many professionals, Computer Forensics is a
four (4) step process:

   Evaluation
      Evaluating the information/data recovered to determine if and how it
      could be used again the suspect for employment termination or
      prosecution in court

   Presentation
      This step involves the presentation of evidence discovered in a manner
      which is understood by lawyers, non-technically staff/management, and
      suitable as evidence as determined by United States and internal laws
Digital Investigation Process Model




    Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”
Readiness Phases

Computer forensics lab
  • Where you conduct your investigation
  • Store evidence
  • House your equipment, hardware, and
    software

American Society of Crime Laboratory Directors
(ASCLD) offers guidelines for:
  • Managing a lab
  • Acquiring an official certification
  • Auditing lab functions and procedures
Staff Readiness

Lab manager duties :
   • Estimate when to expect preliminary and final results
   • Create and monitor lab policies for staff
   • Provide a safe and secure workplace for staff and
     evidence

Staff member duties:
   • Knowledge and training:
       • Hardware and software
       • OS and file types
       • Deductive reasoning
Acquiring Certification and Training
• Update your skills through appropriate
  training
• International Association of Computer
  Investigative Specialists (IACIS)
   – Created by police officers who wanted to formalize
     credentials in computing investigations
   – Certified Electronic Evidence Collection Specialist
     (CEECS)
   – Certified Forensic Computer Examiners (CFCEs)
Acquiring Certification and Training
(continued)
• High-Tech Crime Network (HTCN)
  – Certified Computer Crime Investigator, Basic and Advanced Level
  – Certified Computer Forensic Technician, Basic and Advanced
    Level
• EnCase Certified Examiner (EnCE) Certification
• AccessData Certified Examiner (ACE)
  Certification
• Other Training and Certifications
  – High Technology Crime Investigation Association (HTCIA)
Acquiring Certification and Training
(continued)
• Other training and certifications
  – SysAdmin, Audit, Network, Security (SANS) Institute
  – Computer Technology Investigators Network (CTIN)
  – NewTechnologies, Inc. (NTI)
  – Southeast Cybercrime Institute at Kennesaw State
    University
  – Federal Law Enforcement Training Center (FLETC)
  – National White Collar Crime Center (NW3C)
Physical Requirements for a Computer
Forensics Lab

• Most of your investigation is conducted in a lab
• Lab should be secure so evidence is not lost,
  corrupted, or destroyed
• Provide a safe and secure physical
  environment
• Keep inventory control of your assets
  – Know when to order more supplies
Digital Crime Scene Investigation Phases




    Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”
Digital Evidence Searching Phase
Event Reconstruction Phase




    Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”
Ethics and Codes

 • Ethics
   – Rules you internalize and use to measure your performance
 • Codes of professional conduct or
   responsibility
   – Standards that others apply to you or that you are compelled to
     adhere to by external forces
       • Such as licensing bodies

 • People need ethics to help maintain their
   balance
   – And self-respect and the respect of their profession
Applying Ethics and Codes

• Laws governing codes of professional conduct or
  responsibility
  – Define the lowest level of action or performance required to avoid
    liability
• Expert witnesses should present unbiased,
  specialized, and technical evidence to a jury
• Expert witnesses testify in more than 80% of trials
  – And in many trials, multiple expert witnesses testify
Applying Ethics and Codes to Expert
Witnesses
• The most important laws applying to attorneys
  and witnesses are the rules of evidence

• Experts are bound by their own personal ethics
  and the ethics of their professional organizations



  – In the United States, there’s no state or national
    licensing body for computer forensics examiners
Computer Forensics Examiners’ Roles in
Testifying
• Computer forensics examiners have two roles:
   – Scientific/technical witness and expert witness
• Scientific/technical witness
  •   Person involved in a case, investigator that found and presented the
      evidence

• As expert witness
   – You can testify even if you weren’t present when the event
     occurred
       • Or didn’t handle the data storage device personally
   – Criticism: it’s possible to find and hire an expert to
     testify to almost any opinion on any topic
Organizations with Codes of Ethics

• No single source offers a definitive code of
  ethics for forensic investigator
• You must draw on standards from other
  organizations to form your own ethical
  standards
International Society of Forensic
Computer Examiners

• Includes guidelines such as the following:
  – Maintain the utmost objectivity in all forensic
    examinations and present findings accurately
  – Conduct examinations based on established, validated
    principles
  – Testify truthfully in all matters before any board, court,
    or proceeding
  – Avoid any action that would appear to be a conflict of
    interest
International Society of Forensic
Computer Examiners (continued)

• Includes guidelines such as the following:
  (continued)
  – Never misrepresent training, credentials, or association
    membership
  – Never reveal any confidential matters or knowledge
    learned in an examination without an order from a court
    of competent jurisdiction or the client’s express
    permission
International High Technology Crime
Investigation Association
• HTCIA core values include the following
  requirements related to testifying:
  – The HTCIA values the Truth uncovered within digital
    information and the effective techniques used to
    uncover that Truth, so that no one is wrongfully
    convicted
  – The HTCIA values the Integrity of its members and
    the evidence they expose through common
    investigative and computer forensic best practices,
    including specialized techniques used to gather
    digital evidence
International Association of Computer
Investigative Specialists
• Standards for IACIS members include:
   – Maintain the highest level of objectivity in all forensic
     examinations and accurately present the facts
     involved
   – Thoroughly examine and analyze the evidence
   – Conduct examinations based upon established,
     validated principles
   – Render opinions having a basis that is
     demonstratively reasonable
   – Not withhold any findings that would cause the facts
     of a case to be misrepresented or distorted
BCS CODE OF CONDUCT
• Public Interest
   •   Legitimate rights of third parties include protecting personal identifiable
       data to prevent unlawful disclosure and identity theft, and also respect for
       copyright, patents and other intellectual property.
• Professional Competence and Integrity
   •   You should only claim current competence where you can demonstrate
       you have the required expertise e.g. through recognised competencies,
       qualifications or experience.
• Duty to Relevant Authority
   •   If any conflict is likely to occur or be seen by a third party as likely to occur
       you will make full and immediate disclosure to your Relevant Authority.
• Duty to the Profession
   •   Share knowledge and understanding of IT and support inclusion of every
       sector of society.
Legal Issues

In criminal investigation you ALWAYS have to have
warrant!!!

Warrant can be issued for:
Entire company, floor, room, a device, car, house, any
company/person owned property

Mobile phone cases – issues with interception rules laid
down in RIPSA [Regulations of Investigative Powers
(Scotland) Act]
Ethics and Warrants

 A lot of the ethical issues are covered by the
warrants system. Before a warrant can be issues
a judge is presented with the evidence that
suggests a search will find something relating to
the crime under investigation. He will then way
this against the person's freedoms and decide
whether the warrant should be granted.
Corporate Investigation Issues

Non-criminal internal investigation can be
restricted by the individual’s right of privacy

Data Protection Act

Company Polices
Best Practice
• ACPO
  – Principle 1 - No action taken by law enforcement or
    their agents should change data held on an electronic
    device or media which may subsequently be relied
    upon in Court.
  – Principle 2 - In exceptional circumstances where a
    person finds it necessary to access original data held
    on an electronic device or media, that person must be
    competent to do so, and be able to give evidence
    explaining the relevance and the implications of their
    actions.
Best Practice
• ACPO
  – Principle 3: An audit trail or other record of all
    processes applied to computer based
    electronic evidence should be created and
    preserved. An independent third party should
    be able to examine those processes and
    achieve the same result.
Best Practice
• ACPO
  – Principle 4: The person in charge of the
    investigation (the case officer) has overall
    responsibility for ensuring that the law and
    these principles are adhered to.
ANY QUESTIONS?
Assessment: Short-Answer Examples
Question:
What are the requirements for the computer forensic lab?


  Answer:
Assessment: Short-Answer Examples
Question:
What is a difference between Ethics and Code of Practice?


 Answer:
Assessment: Short-Answer Examples
Question:
How Data Protection Act can create problems in a corporate investigation?


 Answer:

								
To top