Lect 3 Computer Forensics
Page 1: Lect 3 Computer Forensics

Intro to Computer Forensics

Mr. Islahuddin Jalal, MS (Cyber Security) – UKM Malaysia

Research Title – 3C-CSIRT Model for Afghanistan

BAKHTAR UNIVERSITY – د باختر پوهنتون

Page 2: Lect 3 Computer Forensics

Outline
• CF Investigation Process
• Investigating Computer Crime
• Before the Investigation
• Computer Forensic Investigation Methodology
• Evaluate and Secure the Scene
• Electronic Evidence
• Collect the Evidence
• Principles of Electronic Evidence

Page 3: Lect 3 Computer Forensics

Investigating Computer Crime
• Determine if an incident has occurred
• Find and interpret the clues left behind
• Conduct a preliminary assessment to search for the evidence
• Search and seize the computer equipment
• Collect evidence that can be presented in a court of law or at a corporate inquiry

Page 4: Lect 3 Computer Forensics

Before the Investigation
• Have a workstation and data recovery lab
• Build the investigating team
• Enter into an alliance with a local district attorney
• Review policies and laws
• Notify decision makers and acquire authorization
• Assess risks
• Build a computer investigation toolkit
• Define the methodology

Page 5: Lect 3 Computer Forensics

Computer Forensics Methodology – Identification

Phases: Identification → Collection → Analysis → Presentation

Objective: To manage information and to ensure that, prior to setting off to the crime scene, all resources are in place.

1. Gather as much information as one can, in hardcopy or recorded form, about the crime committed
2. Get first-hand information on these:
   1. Types of crime
   2. Location
   3. People involved with the crime
   4. If possible, get advice on what to expect at the crime scene
3. These facts need to be collected (where applicable):
   1. The web page
   2. IP and MAC address
   3. The location of the crime scene
   4. Identify the resources you may need at the crime scene

Page 6: Lect 3 Computer Forensics

Computer Forensics Methodology – Collection

Objective: To make a justifiable decision whether to collect, acquire, or both collect and acquire the digital evidence, and to ensure that all steps taken towards the digital evidence follow the right process.

1. Prepare the needed resources
2. Secure the crime scene
3. Identify potential exhibits
4. Document the crime scene
5. Conduct a preliminary interview at the scene
6. Document and photograph all information about the exhibits
7. Label the devices and cables
8. Pack/seal all the exhibits in proper packaging or an antistatic plastic bag

Page 7: Lect 3 Computer Forensics

Computer Forensics Methodology – Analysis

Objective: To extract, analyze and reconstruct potential evidence from digital media.

1. Discuss the case objective between the IO (investigating officer) and the analyst before analyzing the exhibit
2. Analysis will be done according to the case objectives
3. Analysis must be done on an image copy of the exhibit and in a controlled environment
4. Data from file slack and unallocated space must be analyzed as well
5. The hash value of the image copy must be the same as that of the original exhibit
6. All steps taken must be written in the diary
7. Construct the user profile of the case
8. The IO is to get a statement from the analyst.
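The following is an added example and not part of the lecture: it shows steps 4 and 5 in code, first checking that an image copy hashes identically to the original exhibit (so analysis may proceed on the copy), then pulling file slack and unallocated space out of a small constructed image. The exhibit bytes, the 512-byte cluster size and the one-file allocation layout are all assumptions constructed for the example.

```python
"""Added example (not from the lecture): verify that the image copy of an
exhibit hashes the same as the original (step 5), then pull file slack and
unallocated space out of a small constructed image (step 4).

Everything here is constructed for illustration: the 'exhibit' bytes, the
512-byte cluster size and the one-file allocation layout are assumptions.
"""
import hashlib
import os
import tempfile

CLUSTER_SIZE = 512  # assumed cluster size of the constructed image


def hash_file(path, algorithm="sha256", chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(original_path, image_path):
    """Step 5: the image copy must hash identically to the original exhibit.
    Returns (match, original_hash, image_hash) so both values go in the diary."""
    original_hash = hash_file(original_path)
    image_hash = hash_file(image_path)
    return original_hash == image_hash, original_hash, image_hash


def file_slack(image, start_cluster, logical_size):
    """Step 4: bytes between the logical end of a file and the end of its last
    allocated cluster. Remnants of earlier, overwritten files survive here."""
    start = start_cluster * CLUSTER_SIZE
    clusters_used = -(-logical_size // CLUSTER_SIZE)  # ceiling division
    return image[start + logical_size:start + clusters_used * CLUSTER_SIZE]


def unallocated_space(image, allocated_clusters):
    """Step 4: every cluster the allocation table does not reference. Deleted
    files usually stay readable here until the space is reused."""
    total = len(image) // CLUSTER_SIZE
    return b"".join(image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
                    for c in range(total) if c not in allocated_clusters)


def build_constructed_image():
    """Four-cluster toy image: cluster 1 holds a 100-byte live file whose slack
    still contains an old memo; cluster 2 holds a deleted file's remnant."""
    img = bytearray(4 * CLUSTER_SIZE)
    live = b"A" * 100
    img[CLUSTER_SIZE:CLUSTER_SIZE + len(live)] = live
    slack_note = b"deleted memo fragment"
    img[CLUSTER_SIZE + 100:CLUSTER_SIZE + 100 + len(slack_note)] = slack_note
    remnant = b"remnant of a deleted file"
    img[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + len(remnant)] = remnant
    return bytes(img)


def demo():
    """Run the verification and the slack/unallocated extraction end to end."""
    image = build_constructed_image()
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "exhibit.bin")      # constructed 'original'
        copy = os.path.join(d, "exhibit_copy.raw")     # constructed image copy
        tampered = os.path.join(d, "exhibit_bad.raw")  # copy with one byte flipped
        bad = bytearray(image)
        bad[0] ^= 0xFF
        for path, data in ((original, image), (copy, image), (tampered, bad)):
            with open(path, "wb") as f:
                f.write(data)
        ok, orig_hash, _ = verify_image(original, copy)
        bad_ok, _, _ = verify_image(original, tampered)
    return {
        "hash_match": ok,            # True: analysis may proceed on the copy
        "tampered_match": bad_ok,    # False: copy does not match, re-acquire
        "sha256": orig_hash,
        "slack_text": file_slack(image, 1, 100).strip(b"\x00"),
        "unalloc_text": unallocated_space(image, {1}).strip(b"\x00"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both hash values returned by `verify_image` belong in the diary (step 6), since a later reviewer must be able to repeat the comparison. Real file systems record cluster size and allocation in their own metadata; the toy layout here only stands in for that lookup.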

Page 8: Lect 3 Computer Forensics

Computer Forensics Methodology – Presentation

Objective: To put together the findings in a presentable and understandable manner.

1. Several ways of presenting the findings:
   1. Written report
   2. Demonstration
   3. Animation
   4. Slide presentation
2. All forensic results must be Accurate, Repeatable, Impartial and Verifiable

Page 9: Lect 3 Computer Forensics

Computer Forensics Methodology – Preservation

Phases: Identification → Collection → Analysis → Presentation → Preservation

Objective: To track the digital evidence chain of custody, and to ensure the chain is not broken.

1. Preserve the exhibits from the point they are taken until they are returned to the IO
2. Maintain the chain of custody at all times
3. Digital evidence not in the process of analysis must be sealed and stored in a highly secured room
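As an added example (not from the lecture), the chain-of-custody record can be kept as a hash-linked log: every hand-over entry names who gave the exhibit to whom, carries the exhibit's hash, and links to the previous entry by hash. Verifying the log then exposes an altered entry, a hand-over that does not start where the last one ended (a gap in custody), or an exhibit whose hash changed while in custody. The exhibit id, handler names, timestamps, seal number and exhibit hash below are constructed.

```python
"""Added example (not from the lecture): a tamper-evident chain-of-custody log.
Each entry records who handed an exhibit to whom and the exhibit's hash, and is
linked to the previous entry by hash, so an altered entry, a hand-over that does
not start where the last one ended, or a changed exhibit hash all show up when
the chain is verified.

The exhibit id, handlers, timestamps and exhibit hash below are constructed.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev link of the first entry


def _entry_hash(body):
    """SHA-256 over a canonical JSON encoding so field order cannot matter."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_entry(log, exhibit_id, action, from_holder, to_holder,
                 exhibit_sha256, when=None, note=""):
    """Append one custody event, linking it to the previous entry's hash."""
    body = {
        "exhibit_id": exhibit_id,
        "action": action,
        "from_holder": from_holder,
        "to_holder": to_holder,
        "exhibit_sha256": exhibit_sha256,
        "when": when or datetime.now(timezone.utc).isoformat(),
        "note": note,
        "prev_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry = dict(body, entry_sha256=_entry_hash(body))
    log.append(entry)
    return entry


def verify_custody(log):
    """Walk the log and return (ok, problems); problems are (index, reason)."""
    problems = []
    prev, holder, exhibit_hash = GENESIS, None, None
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        if _entry_hash(body) != e["entry_sha256"]:
            problems.append((i, "entry modified"))
        if e["prev_sha256"] != prev:
            problems.append((i, "link to previous entry broken"))
        if holder is not None and e["from_holder"] != holder:
            problems.append((i, "custody gap"))
        if exhibit_hash is not None and e["exhibit_sha256"] != exhibit_hash:
            problems.append((i, "exhibit hash changed"))
        prev, holder = e["entry_sha256"], e["to_holder"]
        exhibit_hash = e["exhibit_sha256"]
    return not problems, problems


def build_demo_log():
    """Constructed custody history for one exhibit, from scene to IO."""
    h = hashlib.sha256(b"constructed exhibit image").hexdigest()
    log = []
    steps = [  # (action, from, to, when, note) -- all constructed values
        ("seized", "crime scene", "Officer A",
         "2024-01-10T09:15:00+00:00", "laptop HDD, bagged"),
        ("sealed and stored", "Officer A", "Evidence Room",
         "2024-01-10T14:00:00+00:00", "antistatic bag, seal S-001"),
        ("checked out for analysis", "Evidence Room", "Analyst B",
         "2024-01-12T08:30:00+00:00", ""),
        ("returned to IO", "Analyst B", "IO C",
         "2024-01-15T16:45:00+00:00", "analysis complete"),
    ]
    for action, frm, to, when, note in steps:
        append_entry(log, "EXH-001", action, frm, to, h, when=when, note=note)
    return log


def demo():
    """Verify an intact log, an edited log, and a log with a custody gap."""
    intact = build_demo_log()
    ok_intact, _ = verify_custody(intact)

    edited = copy.deepcopy(intact)
    edited[1]["to_holder"] = "Unknown"  # a past entry is rewritten
    ok_edited, problems_edited = verify_custody(edited)

    gap = build_demo_log()  # exhibit re-examined without the IO handing it back
    append_entry(gap, "EXH-001", "re-examined", "Evidence Room", "Analyst D",
                 gap[0]["exhibit_sha256"], when="2024-01-20T10:00:00+00:00")
    ok_gap, problems_gap = verify_custody(gap)
    return {"intact": ok_intact,
            "edited": (ok_edited, problems_edited),
            "gap": (ok_gap, problems_gap)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log only detects tampering; it does not prevent it, so it still has to be stored where the handlers cannot rewrite it, and the exhibit hash recorded at seizure is the value every later analysis step compares against.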

Page 10: Lect 3 Computer Forensics

CFI Methodology [CHFI]

Page 11: Lect 3 Computer Forensics

Evaluate and Secure the Scene
• Forensics photography
• Gather preliminary information at the crime scene
  • Date and time
  • Place and location of the incident
  • Evidence from volatile and non-volatile systems
    • Volatile data: data that would be lost if the computer is turned off
    • Non-volatile data: data that remains unaffected when the computer is turned off, e.g. hard drives and storage media; deleted files, computer history, the computer's registry, temporary files and web browsing history
  • Details of the person(s) at the crime scene
  • Name and identification of the people or person who can serve as a potential witness

Page 12: Lect 3 Computer Forensics

Electronic Evidence
• What data can you retrieve?
• Any data that is recorded or preserved on any medium in or by a computer system or other similar device, and that can be read or understood by a person or by a computer system or other similar device
• Evidence is everything
• Evidence is used to establish facts

Page 13: Lect 3 Computer Forensics

Where to Find Evidence?
• Find the evidence: where is it stored?
• Find relevant data – recovery
• Create an order of volatility
• Collect evidence – use tools
• Good documentation of all the actions

Page 14: Lect 3 Computer Forensics

Where to Find Evidence?
• Text documents
• Graphical images
• Calendar files
• Databases
• Audio and video files
• Websites and application programs
• Even viruses, Trojan horses and spyware
• Email records
• Instant messaging logs
• etc.

Page 15: Lect 3 Computer Forensics

Collect the Evidence [CHFI]

Page 16: Lect 3 Computer Forensics

Evidence Collection Form [CHFI]

Page 17: Lect 3 Computer Forensics

Collect Electronic Evidence [CHFI]

Page 18: Lect 3 Computer Forensics

Principles of Electronic Evidence
• Relevance
  • Able to demonstrate that the material acquired is relevant to the investigation
• Reliability
  • All processes used in handling evidence are auditable and repeatable
• Sufficient
  • Enough material has been gathered to allow a proper investigation
• Admissible
  • It must be usable in court

Page 19: Lect 3 Computer Forensics

Thank You For Your Patience