Week 1: Computer Forensics and Investigations As A Profession


WEEK 1

Computer Forensics and Investigations as a Profession

Understanding Computer Forensics

Defining Computer Forensics

The New Shorter Oxford English Dictionary defines computer forensics as the application of forensic science techniques to computer-based material.

Definition

Computer forensics is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is acceptable in a legal proceeding.

cont.

At times, it is more science than art; other times, it is more art than science. Computer forensics is similar to other forms of legal forensics. But computer forensics requires in-depth knowledge of computer hardware and software in order to prevent the unintended invalidation or destruction of evidence and to preserve the evidence for future analysis.

cont.

Computer forensic review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence; therefore, a professional within this field needs to have a detailed understanding of the local, regional, national, and sometimes even international laws affecting the process of evidence collection and retention.

cont.

Computer forensics can also be described as the critical analysis of a computer hard disk after an intrusion or crime. This is mainly because specialized software tools and procedures are required to analyze, after the fact, the various areas where computer data is stored.

Real-life Examples of Computer Crimes

Hacker pleads guilty to illegally accessing New York Times computer network

Adrian Lamo illegally accessed a database containing confidential information such as home telephone numbers and Social Security numbers for over 3,000 contributors. The records he accessed included entries for some famous people in the USA.

cont.

Man pleads guilty to hacking intrusion and theft of data costing company $5.8 million

Daniel Jeremy was charged with illegally accessing a protected computer and stealing customer databases from Acxiom, which maintains customer information for automotive manufacturers, banks, credit card issuers, and retailers, among others. Daniel worked as a computer system administrator.

Preparing for Computer Investigations

A computer forensic investigator should know:
- how the network under investigation is laid out
- what devices are in use
- what types of operating systems are installed
- what types of filesystems are being used

Know Your Hardware

What I/O devices are used? One of the first items on your planning agenda should be to list all of the types of input/output (I/O) devices used in the organization. This list will provide information on what tools will be needed to analyze information and what areas may be susceptible to intrusion and need more monitoring.

cont.
- Servers
- Workstations
- Personal Digital Assistants (PDAs)
- Other devices (removable media, printers, webcams, faxes, and copiers)

Check Computers for Unauthorized Hardware

- Modems
- Key loggers: record everything typed
- I/O devices (Syquest SyJet drive, JumpDrive, Pockey drive, microdrive, portable laptop)

Keep Up to Date with New I/O Trends

- USB devices
- FireWire
- Bluetooth
- Other technologies (Blackberry, Infrared (IR))

Know Your Operating System

- Windows
- Unix/Linux
- Macintosh
- Sun Solaris
- Other operating systems

Know What Filesystems are in Use

- FAT/VFAT/NTFS
- Unix/Linux filesystems (HPFS, VFS, ext2/ext3, NFS, BFS, FAT16, FAT32)

Maintain Tools and Procedures for Each Operating System and Filesystem

You need to have tools and procedures in place so that you can more easily collect the evidence you need.
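As an added example (not part of the lecture), a small Python routine that tells which of the filesystems listed above a raw volume uses, by checking the documented signatures in the boot sector (NTFS, FAT12/16, FAT32) and in the ext superblock; the sample volumes are constructed inside the script rather than read from real disk images.

```python
import struct
# Signature offsets from the published on-disk layouts of each filesystem.
NTFS_OEM_OFFSET = 3            # 8-byte OEM ID "NTFS    " in the boot sector
FAT16_TYPE_OFFSET = 0x36       # 8-byte type string "FAT12   " or "FAT16   "
FAT32_TYPE_OFFSET = 0x52       # 8-byte type string "FAT32   "
EXT_SUPERBLOCK_OFFSET = 1024   # ext2/3/4 superblock begins 1 KiB into the volume
EXT_MAGIC_OFFSET = 0x38        # little-endian uint16 0xEF53 inside the superblock
MIN_BYTES = EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET + 2

def identify_filesystem(image: bytes) -> str:
    """Classify a volume from the first 2 KiB of its raw bytes."""
    if len(image) < MIN_BYTES:
        return "unknown (need at least %d bytes)" % MIN_BYTES
    # Boot-sector filesystems end sector 0 with the 0x55AA signature.
    if image[510:512] == b"\x55\xaa":
        if image[NTFS_OEM_OFFSET:NTFS_OEM_OFFSET + 8] == b"NTFS    ":
            return "NTFS"
        if image[FAT32_TYPE_OFFSET:FAT32_TYPE_OFFSET + 8] == b"FAT32   ":
            return "FAT32"
        fat = image[FAT16_TYPE_OFFSET:FAT16_TYPE_OFFSET + 8]
        if fat in (b"FAT12   ", b"FAT16   "):   # informational field only
            return fat.decode("ascii").strip()
    # ext volumes leave sector 0 to the boot loader; check the superblock magic.
    magic = struct.unpack_from("<H", image, EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET)[0]
    if magic == 0xEF53:
        return "ext2/ext3/ext4"
    return "unknown"

def _make_volume(oem=b"", type_str=b"", type_off=0, ext=False) -> bytes:
    """Build a constructed 2 KiB sample volume (not a real disk image)."""
    buf = bytearray(2048)
    if oem:
        buf[NTFS_OEM_OFFSET:NTFS_OEM_OFFSET + len(oem)] = oem
        buf[type_off:type_off + len(type_str)] = type_str
        buf[510:512] = b"\x55\xaa"
    if ext:
        struct.pack_into("<H", buf, EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET, 0xEF53)
    return bytes(buf)

SAMPLES = {   # constructed samples, one per filesystem family
    "ntfs": _make_volume(oem=b"NTFS    "),
    "fat16": _make_volume(b"MSDOS5.0", b"FAT16   ", FAT16_TYPE_OFFSET),
    "fat32": _make_volume(b"MSWIN4.1", b"FAT32   ", FAT32_TYPE_OFFSET),
    "ext3": _make_volume(ext=True),
    "blank": bytes(2048),
}

if __name__ == "__main__":
    for name, volume in SAMPLES.items():
        print(f"{name:6s} -> {identify_filesystem(volume)}")
```

On a real acquisition you would pass the first 2 KiB of the image (or of a write-blocked device) to identify_filesystem; because the FAT type string is informational, production tools also validate the BIOS Parameter Block fields before trusting it.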

Preinstalled Tools Make Forensics Easier

- There are tools already installed on most operating systems.
- All operating systems come with the ability to log events.
- Event Viewer allows you to audit certain events.
- Event Viewer maintains log files.

Event Viewer for Windows 7

Auditing

Auditing is the process of tracking users and their actions on a network. You should audit access, use, and rights changes to prevent unauthorized or unintentional access by a guest or restricted user account. This will prevent access to sensitive or protected resources.

cont.
- Auditing should be a clear-cut plan built around goals and policies.
- When deciding what to audit, first identify potential resources at risk within your network environment.
- These resources might be sensitive files, financial applications, and personnel files.

cont
- Set up the audit policy through the operating
system tools
- It is useful to monitor successful as well as
failed access attempts
- Auditing is resource intensive and can easily
add additional load to your server
- Make time to view the logs
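As an added example (not part of the lecture), a short Python review of a Security log export that does what the slides ask: it counts successful as well as failed access attempts per account and flags an account whose run of failed logons is immediately followed by a success from the same source. The log lines are constructed for the example; the event IDs 4624 (successful logon) and 4625 (failed logon) are the ones Windows itself writes to the Security log, and the tab-separated export format is an assumption.

```python
from collections import defaultdict
from datetime import datetime
# Windows Security log event IDs for logon auditing.
LOGON_SUCCESS = 4624   # An account was successfully logged on
LOGON_FAILURE = 4625   # An account failed to log on
# Constructed sample export (not real data): time, event id, account, source host
SAMPLE_LOG = """\
2024-03-04 08:01:12\t4624\talice\tWS-01
2024-03-04 08:02:40\t4625\tguest\tWS-07
2024-03-04 08:02:43\t4625\tguest\tWS-07
2024-03-04 08:02:47\t4625\tguest\tWS-07
2024-03-04 08:02:51\t4625\tguest\tWS-07
2024-03-04 08:03:05\t4624\tguest\tWS-07
2024-03-04 08:10:00\t4625\tbob\tWS-02
2024-03-04 08:10:30\t4624\tbob\tWS-02
"""

def parse_events(text):
    """Parse tab-separated lines into (time, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, account, source = line.split("\t")
            events.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return events

def summarize(events):
    """Count successful and failed logons per account (both matter, per the slide)."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for _, event_id, account, _ in events:
        if event_id == LOGON_SUCCESS:
            counts[account]["success"] += 1
        elif event_id == LOGON_FAILURE:
            counts[account]["failure"] += 1
    return dict(counts)

def find_suspicious_logons(events, max_failures=3):
    """Return {account: run_length} where a run of >= max_failures failures
    from one source was followed by a success from that same source."""
    streak = defaultdict(int)
    flagged = {}
    for _, event_id, account, source in sorted(events):   # chronological order
        key = (account, source)
        if event_id == LOGON_FAILURE:
            streak[key] += 1
        elif event_id == LOGON_SUCCESS:
            if streak[key] >= max_failures:
                flagged[account] = streak[key]
            streak[key] = 0   # a success ends the run either way
    return flagged
```

Run over the constructed log, summarize() shows guest with 1 success and 4 failures, and find_suspicious_logons() returns {'guest': 4} while bob's single failure before a success is not flagged.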

Know Your Limits

- You must know what lengths you must go to in order to minimize the damage.
- Know the legal and organizational rights and limits.
- Know the search and seizure guidelines.
- Know Zanzibar's Computer Act of 2006.
- Know Zanzibar's Criminal Code.

Will This End Up in Court?

- In the case that an incident is of enormous proportion and the organizational policy is to prosecute, an investigation could end up in court.

cont.
- Courts require that information, rather than equipment, be seized, and the information must be ample and unaltered.
- Computer forensic examiners can help prosecute a case with advice about how to present computer-related evidence in court.

Develop Your Incident Response Team

- Proper preservation of evidence must be done by an incident response team (IRT) developed by an organization.
- The team must know how to handle situations.
- The team must have clear incident response plans.

cont.
- Team members should include the following personnel:
  - Security and IT personnel
  - Someone to deal with communication with management and employees
  - Someone to deal with communication with vendors, business partners and the press
  - Developers of in-house applications and interfaces
  - Database managers

State Clear Processes

- The basic premise of incident handling and response is that an organization needs to have a clear action plan on what procedures should be in place when an incident happens.
- The procedures should be:
  - Identifying the initially infected resources
  - Notifying key personnel

cont.
  - Assembling the response team
  - Diagnosing the problem, identifying possible solutions and setting priorities
  - Gathering all the information learned about the incident
  - Communicating the incident (to other people, such as the press and clients)

Coordinate with Local Law Enforcement

- It is good to report incidents to law enforcement.
- Law enforcement agencies are familiar with computer crime investigation, view intrusion as important, and will respond appropriately.
