Page 1: Practical Application of Computer Forensics

Lisa Outlaw, CISA, CISSP, ITIL Certified

Page 2: Overview

• Definition of Computer Forensics
• Computer Forensics & IT Auditing
• Why We Need Computer Forensics
• The Process (Do's & Don'ts)
  – Identification
  – Collection of Evidence
  – Required Documentation
  – Imaging
  – Examination
  – Report Preparation
  – Returning of Evidence

Page 3: Definition of Computer Forensics

Computer forensics involves the:
• Identification
• Collection
• Preservation
• Examination, and
• Analysis of digital information

Digital information becomes digital evidence.

Page 4: What is Digital Evidence?

Digital evidence is any information of value that is either stored or transmitted in a binary form, including digital audio, image, and video.

Page 5: Computer Forensic Examination

The computer forensic examination is:
• Locating digital evidence
• Ensuring the evidence can withstand close scrutiny or a legal challenge.

Page 6: Computer Forensics & IT Audit

• Incorporate computer forensic services
• Cases are requiring computer forensics
• IT Auditors have:
  – authority
  – technical know-how

Page 7: Reasons for Computer Forensic Services

• Inappropriate Use of State Systems
• Determining a Security Breach
• Detection of Disloyal Employees
• Evidence for Disputed Dismissals
• Malicious File Identification
• Theft of Information Assets
• Forgeries of Documents

Page 8: The Process

(1) Identification
(2) Collection of Evidence
(3) Required Documentation
(4) Imaging
(5) Examination
(6) Report Preparation
(7) Returning of Evidence

Page 9: Identification

IT AUDITOR'S ROLE (Forensic Specialist)
1. Determine if the reason for computer forensics is appropriate.
2. Identify where additional digital evidence may reside.

CLIENT'S ROLE (ex. State University)
1. Determine when to use Computer Forensic Services.
2. Identify where digital evidence may reside.

Page 10: Collection of Evidence

• IT AUDITOR'S ROLE
  – Help Client Secure the computer to be examined
  – Require and Complete Necessary Forms
  – Securely Collect Computer from Client
• CLIENT'S ROLE
  – Ensure that the computer to be examined remains secure until collected
  – Notify Appropriate Personnel
  – Complete Chain of Custody Form

Page 11: Collection of Evidence – Do's & Don'ts

Do not disturb the computer in question.

Page 12: Collection of Evidence – Do's & Don'ts (con't)

If the computer is off, leave it off.

Page 13: Collection of Evidence – Do's & Don'ts (con't)

If the computer is on, leave it on.

Page 14: Collection of Evidence – Do's & Don'ts (con't)

Do not run any programs on the computer.

Page 15: Collection of Evidence – Do's & Don'ts (con't)

Do not make any changes.

Page 16: Collection of Evidence – Do's & Don'ts (con't)

Do not insert anything into the computer.

Page 17: Collection of Evidence – Do's & Don'ts (con't)

Secure the computer.

Page 18: Required Documentation

• Computer Forensic Request Form
• Chain of Custody Form
• Signatures
• Disclosures and Disclaimers

Page 19: Required Documentation

Page 20: Required Documentation

IT Auditor's Role
– Assign a Case Number
– Assign a Team
– Date & Time when the device was secured

Client's Role
– Document Date & Time of Request
– Name of Requestor
– Date & Time Client secured the device
– Agency Name
– Head of the Agency Name

Page 21: Required Documentation

IT Auditor's Role
– Document Hard Drive Serial Numbers

Client's Role
– Document computers: MAC Address, Static IP Address, Serial Number, Make & Model
– Reason for Request
– Desired Objectives

Page 22: Approval From OSA ISA Director & Legal Counsel

We also obtain approval from both the ISA director and legal counsel before commencing Computer Forensic services.

This approval will be documented on the requisition forms and filed with the case evidence as well.

Page 23: Required Documentation

IT Auditor's Role
– Sign and Date form
– Obtain Director and Legal Counsel approval

Client's Role
– Sign and Date form
– Obtain Agency Head Approval

Page 24: Additional Chain of Custody Form

Chain of Custody form continued on the reverse side of the computer forensic request form.

Device:  Serial# ______  FAS ______  Make ______  Model ______

                  Signature | Print Name | Reason | Date | Time
Relinquished By:            |            |        |      |
Received By:                |            |        |      |

Page 25: Why Are These Documents Necessary?

• Collect important information
• Legal Aspects
• "Get out of jail free card"

Page 26: Imaging

• IT AUDITOR'S ROLE
  – Determine where to perform the image:
    – Onsite
    – In the Lab
• CLIENT'S ROLE
  – Escort our staff to physically collect the computer from the computer's secure location.

Page 27: Hardware Imaging

Page 28: Imaging

Here are some of the procedures we use during imaging to ensure that evidence collected is clearly identified and preserved:

Page 29: Scan Hardcopies

We scan all hardcopy forms to PDF, and this electronic copy is kept with the images of the evidence.

Page 30: Tag Evidence

We manually tag all evidence items with an assigned case number using the following naming convention:

Case Number and Hard Drive Serial Number (Ex., 01-2008-04-Agency Name – HDD Serial#)

Page 31: Connect Suspect Drive to Write Blocker

Page 32: Connect Write Blocker to the suspect's hard drive

Page 33: Imaging Regular Hard Drive

To image a regular sized hard drive, implement the following procedures:
• Request the client to purchase a storage device.
  – Reduces cost
  – Ensure enough space is available to process the evidence.
  – Easy transfer of images to client

Page 34: Storage Device

Page 35: Organize Evidence Information

Create the following folders on the destination drive for every case:

Case Name-Evidence Item Number (Folder)
  1. Evidence (sub-folder)
     1. HDD1 (sub-folder)
     2. HDD2 (sub-folder)
  2. Export (sub-folder)
  3. Temp (sub-folder)
  4. Index (sub-folder)
  5. Drive Geometry (sub-folder)
  6. Report (sub-folder)
  7. Case Back-up (sub-folder)

Place all images produced in the Evidence folder.
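As an added example, not part of the original slides: a Python script that creates the case folder tree listed above and adds one check the slides do not list, a SHA-256 manifest of everything under Evidence written into the Report folder, so that an image that is altered or goes missing after imaging is detected. The case name, item number and image file are constructed sample values.

```python
import hashlib
import os
import tempfile

# Folder layout from the slides: "Case Name-Evidence Item Number", then these sub-folders.
SUBFOLDERS = ["Evidence", "Evidence/HDD1", "Evidence/HDD2", "Export", "Temp",
              "Index", "Drive Geometry", "Report", "Case Back-up"]

def create_case_tree(root, case_name, item_number):
    """Create the case folder and its sub-folders; return {sub-folder: absolute path}."""
    base = os.path.join(root, f"{case_name}-{item_number}")
    paths = {}
    for sub in SUBFOLDERS:
        paths[sub] = os.path.join(base, *sub.split("/"))
        os.makedirs(paths[sub], exist_ok=True)
    return paths

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def write_manifest(paths):
    """Hash every file under Evidence into Report/manifest.sha256 (a check the slides do not list)."""
    entries = sorted((os.path.relpath(os.path.join(d, name), paths["Evidence"]),
                      sha256_file(os.path.join(d, name)))
                     for d, _, files in os.walk(paths["Evidence"]) for name in files)
    with open(os.path.join(paths["Report"], "manifest.sha256"), "w") as f:
        f.writelines(f"{digest}  {rel}\n" for rel, digest in entries)
    return dict(entries)

def verify_manifest(paths):
    """Re-hash Evidence against the manifest; return relative paths that changed or vanished."""
    with open(os.path.join(paths["Report"], "manifest.sha256")) as f:
        recorded = dict(line.rstrip("\n").split("  ", 1)[::-1] for line in f)
    return [rel for rel, digest in recorded.items()
            if not os.path.isfile(os.path.join(paths["Evidence"], rel))
            or sha256_file(os.path.join(paths["Evidence"], rel)) != digest]

def demo():
    """Constructed walk-through: create a case tree, store a stand-in image, verify, then tamper."""
    paths = create_case_tree(tempfile.mkdtemp(), "01-2008-04-Agency Name", "001")
    image = os.path.join(paths["Evidence/HDD1"], "HDD1.E01")   # constructed stand-in, not a real image
    with open(image, "wb") as f:
        f.write(b"constructed image bytes")
    write_manifest(paths)
    clean = verify_manifest(paths)              # nothing changed yet, so this is []
    with open(image, "ab") as f:
        f.write(b"!")                           # simulate an altered image
    return {"clean": clean, "after_tamper": verify_manifest(paths)}
```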

Page 36: Use FTK Imager

Create the image using FTK Imager.

Through experience, we have found this to be one of the easiest and most portable software tools for creating images. Also, this image can be used in both FTK and EnCase.

Page 37: Image Physical Drive

Always image the physical drive.

Page 38: Imaging A RAID Server

Redundant Array of Inexpensive Disks

Have the systems administrator help you review the RAID information. You need to gather the following information:
• Stripe Size
• Element Order (Disk Order)
• Element Size, whether it is a RAID 1, 5, etc.
• Right hand, left hand, forward, back, or dynamic disk.

Page 39: Imaging A RAID Server (con't)

RAID Reconstructor
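As an added example, not RAID Reconstructor's own code and not from the slides: a Python rebuild of a RAID 5 logical volume from member images, given exactly the parameters page 38 lists, the stripe size, the element (disk) order and the parity layout. The four layout names follow the Linux md convention and are assumed here to be what the slide's right hand / left hand / forward / back choices refer to; the member images are constructed inside the block, and a single missing member is recovered from parity.

```python
from functools import reduce
from operator import xor

def raid5_map(row, chunk, n, layout):
    """(parity_disk, data_disk) holding data chunk `chunk` of stripe row `row`.
    Layouts follow Linux md: left/right = direction the parity disk rotates,
    symmetric/asymmetric = whether data wraps around after the parity disk."""
    pd = (n - 1) - (row % n) if layout.startswith("left") else row % n
    if layout.endswith("asymmetric"):      # data fills disks in order, skipping parity
        dd = chunk + 1 if chunk >= pd else chunk
    else:                                   # symmetric: data starts on the disk after parity
        dd = (pd + 1 + chunk) % n
    return pd, dd

def xor_bytes(blocks):
    """Bytewise XOR of equal-length byte strings (parity computation and recovery)."""
    return bytes(reduce(xor, col) for col in zip(*blocks))

def build_raid5(data, stripe_size, n, layout):
    """Constructed fixture: spread `data` over n member images with parity."""
    per_row = stripe_size * (n - 1)
    data += b"\0" * (-len(data) % per_row)          # pad to whole stripe rows
    disks = [bytearray() for _ in range(n)]
    for row in range(len(data) // per_row):
        chunks = [None] * n
        for k in range(n - 1):
            pd, dd = raid5_map(row, k, n, layout)
            start = row * per_row + k * stripe_size
            chunks[dd] = data[start:start + stripe_size]
        chunks[pd] = xor_bytes([c for c in chunks if c is not None])
        for disk, c in zip(disks, chunks):
            disk += c
    return [bytes(d) for d in disks]

def reassemble_raid5(disks, stripe_size, layout):
    """Rebuild the logical volume; a single missing member (None) is recovered by XOR."""
    n = len(disks)
    size = next(len(d) for d in disks if d is not None)
    out = bytearray()
    for row in range(size // stripe_size):
        off = row * stripe_size
        chunks = [None if d is None else d[off:off + stripe_size] for d in disks]
        missing = [i for i, c in enumerate(chunks) if c is None]
        if len(missing) > 1:
            raise ValueError("RAID 5 can recover at most one missing member")
        if missing:
            chunks[missing[0]] = xor_bytes([c for c in chunks if c is not None])
        out += b"".join(chunks[raid5_map(row, k, n, layout)[1]] for k in range(n - 1))
    return bytes(out)
```

Reassembling with the wrong disk order or layout still produces output, just the wrong bytes, which is why those parameters have to be confirmed with the administrator before the volume image is trusted.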

Page 40: Examination/Analysis

• Remove the hard drive from the Write Block device.
• Reassemble the computer.
• Ensure evidence remains tagged.

Page 41: Examination/Analysis (con't)

FTK

Page 42: Examination/Analysis (con't)

FTK can take a few days to process your image.

During this time, we return to our normal audit work.

Page 43: Examination/Analysis (con't)

• Run Keyword Searches
  – Obtain from Client
• Review Corroborating Evidence
  – Emails
  – Surveillance Video
  – DVD & CDs

Page 44: Examination/Analysis (con't)

EnCase

Page 45: Examination/Analysis (con't)

Do not answer or provide additional information to agency personnel. Agency personnel can accidentally leak information.

Page 46: Forensic Report

The IT Auditor will issue a report to appropriate personnel once the examination is completed.

Page 47:

If court action is anticipated, inform the Agency Head to preserve the original evidence if possible.

If the original evidence cannot be preserved, the NC Court Rules of Evidence allow for the image to be admitted as evidence.

Page 48: Questions?