Back to Subject
Practice MCQ

Unit 1 - Notes

INT250

Unit 1: Computer Forensics and Investigation Process

1. Fundamentals of Computer Forensics

Computer Forensics (also known as Cyber Forensics or Digital Forensics) is the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence.

Core Objectives

  1. Identification: Locating the evidence and determining its significance.
  2. Preservation: Ensuring the data is kept safe and unaltered from the moment of discovery.
  3. Extraction/Collection: Recovering data from the digital media (including deleted or hidden files).
  4. Documentation: Creating a detailed record of every step taken (Chain of Custody).
  5. Interpretation/Analysis: Converting bits and bytes into information meaningful to the investigation.

Scope of Computer Forensics

  • Criminal Prosecution: Law enforcement uses forensics to solve crimes like homicide, fraud, and child pornography.
  • Civil Litigation: Used in disputes regarding intellectual property theft, harassment, or discrimination.
  • Administrative/Corporate Matters: Internal investigations regarding policy violations or insider threats.

Locard’s Exchange Principle (Digital Context)

"Anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind."

  • In the digital world, this means every interaction with a computer system leaves traces (logs, registry keys, cache files, metadata).

2. Cybercrimes and Investigation Procedures

Cybercrime refers to illegal acts where a computer or a network is the source, tool, target, or place of a crime.

Categories of Cybercrime

  1. Computer as a Target: Attacks specifically targeting the system (e.g., DoS attacks, Virus/Malware injection).
  2. Computer as a Tool: Using the computer to commit traditional crimes (e.g., Cyberstalking, Phishing, Credit Card Fraud).

Common Types

  • Hacking: Unauthorized access to a system.
  • Identity Theft: Stealing PII (Personally Identifiable Information).
  • Ransomware: Encrypting user data and demanding payment.
  • Espionage: Theft of trade secrets or classified information.

General Investigation Procedure

  1. Assessment: Determine the scope and nature of the crime.
  2. Acquisition: Secure the evidence (imaging drives, capturing traffic).
  3. Examination: Use forensic tools to extract data.
  4. Analysis: Correlate data to reconstruct the crime.
  5. Reporting: Present findings to the court or management.

3. Digital Evidence

Digital Evidence is any information of probative value that is either stored or transmitted in a digital form.

Characteristics of Digital Evidence

To be useful in court, evidence must be:

  • Admissible: Must conform to legal rules of evidence.
  • Authentic: It must be proven that the evidence is what it claims to be and links to the incident.
  • Complete: It must not be a partial view that changes the context.
  • Reliable: The tools and methodology used to collect it must be standard and validated.
  • Believable: It must be understandable to a jury.

Types of Digital Evidence

  1. Volatile Data: Data lost when power is cut (RAM, Cache, Network state).
  2. Non-Volatile Data: Data persistent after shutdown (Hard Drives, USBs, ROM).
  3. Transient Data: Data in transit over a network.

The Best Evidence Rule

In legal terms, the court prefers the original evidence. However, in digital forensics, using the original drive risks altering it. Therefore, a bit-stream image (forensic copy) is accepted as "best evidence" provided it is authenticated via hashing (MD5/SHA).

4. Forensic Readiness

Forensic Readiness refers to an organization’s ability to maximize its potential to use digital evidence while minimizing the costs of an investigation. It is a proactive approach.

Benefits

  • Faster incident response.
  • Lower cost of regulatory or legal compliance.
  • Evidence is less likely to be corrupted or lost.
  • Deterrence of insider threats due to known monitoring.

Components of Forensic Readiness

  1. Policy Definition: Clear rules on how data is handled and who is authorized to handle it.
  2. Evidence Retention: Configuring logs (Firewall, Server, AD) to be retained for a specific period.
  3. Training: Staff must know not to touch a compromised computer.
  4. Tools: Having forensic software and hardware write-blockers on standby.

5. Incident Response (IR)

Incident Response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack.

The NIST Incident Response Lifecycle

  1. Preparation: Planning, tooling, and training before an incident.
  2. Detection and Analysis: Identifying that an incident has occurred.
  3. Containment, Eradication, and Recovery: Stopping the spread, removing the threat, and restoring systems.
  4. Post-Incident Activity: Lessons learned and documentation.

IR vs. Forensics

  • IR Goal: Business continuity, stopping the attack, and recovering operations.
  • Forensics Goal: Preserving evidence, identifying the root cause, and supporting legal action.
  • Note: These often overlap; IR teams must preserve evidence for the Forensic teams.

6. Role of SOC (Security Operations Center) in Computer Forensics

The SOC is a centralized unit that deals with security issues on an organizational and technical level.

Key Functions

  1. First Line of Defense: SOC analysts monitor SIEM (Security Information and Event Management) systems for alerts.
  2. Triage: They determine if an alert is a false positive or a true incident.
  3. Log Preservation: The SOC ensures logs required for forensic analysis are captured and not overwritten.
  4. Handover: When a deep-dive investigation is needed, the SOC packages the initial data (alerts, affected IP addresses, timestamps) and hands it to the Forensic Investigators.

7. Roles and Responsibilities of a Forensic Investigator

A Computer Hacking Forensic Investigator (CHFI) or Digital Forensic Analyst has specific duties to ensure the integrity of the case.

Key Roles

  • Investigator: Gathers facts and evidence.
  • Evidence Custodian: Manages the secure storage and Chain of Custody.
  • Analyst: Interprets the data.
  • Expert Witness: Testifies in court regarding the findings.

Responsibilities

  1. Integrity: Never altering the original evidence.
  2. Chain of Custody: Maintaining a chronological documentation of the handling of evidence (Who collected it? When? Where was it stored?).
  3. Confidentiality: Protecting the privacy of the client or organization.
  4. Objectivity: Reporting facts, not opinions (unless asking for an expert opinion).
  5. Compliance: Adhering to local laws (e.g., obtaining search warrants).

8. The Forensic Investigation Process and Its Importance

A standardized process is vital to ensure that evidence is not dismissed in court due to procedural errors.

The Three Broad Phases

  1. Pre-Investigation Phase: Preparation and Authorization.
  2. Investigation Phase: Acquisition and Analysis.
  3. Post-Investigation Phase: Reporting and Archiving.

Importance

  • Ensures repeatability (another investigator should get the same results).
  • Protects the rights of the suspect.
  • Maintains the chain of custody.

9. The Pre-investigation Phase

This phase occurs before the actual handling of evidence at the crime scene.

Key Activities

  1. Building the Forensic Lab:
    • Physical Security: Access control, lockable cages.
    • Hardware: Write-blockers (bridges), forensic workstations, Faraday bags (to block signals).
    • Software: Tools like EnCase, FTK, Autopsy, Volatility.
  2. Team Assembly: Designating the Lead Investigator, photographer, and technical specialists.
  3. Legal Authorization:
    • Obtaining Search Warrants.
    • Defining the scope of the warrant (what can be seized).
  4. Risk Assessment: Analyzing potential hazards at the scene.

10. First Response

First Response is the immediate action taken when an incident is identified. The First Responder is usually the first person at the scene (could be a SysAdmin or Law Enforcement).

Critical Rules for First Responders

  1. Safety First: Ensure physical safety.
  2. Do Not Reboot/Shutdown: If the computer is ON, shutting it down destroys RAM (volatile) evidence.
  3. Do Not Touch: Do not explore files or run programs.
  4. Secure the Scene: Isolate the area to prevent tampering.
  5. Documentation: Photograph the screen, the connections, and the physical layout.

Order of Volatility (RFC 3227)

When collecting evidence, capture the most volatile data first:

  1. Registers, Cache.
  2. Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory (RAM).
  3. Temporary File Systems.
  4. Disk (Hard Drive).
  5. Remote Logging and Monitoring Data.
  6. Archival Media (DVDs, Tape).

11. The Investigation Phase

This phase involves the actual execution of the search warrant and the analysis of the data.

Step 1: Search and Seizure

  • Securing the physical evidence (laptops, phones, drives).
  • Tagging and bagging evidence (using anti-static bags).
  • Initiating the Chain of Custody log.

Step 2: Data Acquisition

  • Static Acquisition: Creating an image of a turned-off drive using a hardware write-blocker to prevent modification.
  • Live Acquisition: capturing RAM and running processes while the system is powered on (crucial if encryption is used).
  • Hashing: Generating a hash value (MD5/SHA1/SHA256) of the original drive immediately. This "digital fingerprint" proves later that the evidence was not altered.

Step 3: Analysis

  • Timeline Analysis: Reconstructing events chronologically.
  • Data Recovery: Recovering deleted files (File Carving).
  • Artifact Analysis: Examining:
    • Windows Registry (User activity, USB history).
    • Web Browser History/Cache.
    • Email headers.
    • Metadata (EXIF data in photos).

Step 4: Finding the "Smoking Gun"

  • Locating the specific file, log, or communication that proves the offense.