
Sunday, March 31, 2019

Researching The Computer Forensics Investigation Plan

The purpose of this paper is to review the basic methodologies and the appropriate steps that a computer forensic investigator goes through in conducting an investigation. It will give the reader an idea about the training and preparation of an investigator who is involved in a computer related crime and the ways in which he will conduct the investigation, such as basic preparation, use of the required tools and techniques, acquisition and analysis of the data, his role in giving testimony, the use of forensic laboratories, the management of all the staff working under the chief investigator and even preparing for network forensics, all of which are related to his work.

The Computer Forensics Investigation Plan

A computer forensic investigator investigates information that can be retrieved from the storage media of a computer such as a hard disk; it is also considered that, to be a successful computer forensic investigator, knowledge of several different computing platforms is a must. For our case we will consider you as the chief forensic investigator in the state of Virginia; as part of a private enterprise you are assigned the role of planning the computer investigation of a suspected criminal activity. We will see from your perspective how you should conduct the necessary steps.

"We don't just need science, we need good science" (Evans, 2004). Always consider the major issues in preparing for an investigation.
The crime scene is considered to be a very sensitive place in terms of gathering proofs and conclusions, which are in many cases very vulnerable and can very easily be manipulated, so special attention is needed in every aspect of the recovery methods in order to gain as much as possible.

Before arriving at the scene of the crime, it is mandatory that you always take a systematic approach to problem solving: make an initial assessment of the case, then determine a preliminary approach to the case; after that, create a detailed checklist of the objectives of the case, analyze the resources needed, consider all the risks and try your very best to minimize them. Also outline, in a systematic manner, all the details known about the case until then, such as the situation in which you will be arriving, the nature and specifics of the case, the suite of computer forensic tools which will be needed at the scene, and check on the specific operating systems at your disposal which help in the forensic investigation process.

Once at the crime scene, try to gather evidence to prove that the suspect violated the company policy or committed a crime. Since this is a private sector investigation it involves corporate businesses; other agencies of government, such as law enforcement, are not involved. Law enforcement agencies act according to the federal Freedom of Information Act or laws of similar descent according to their territory throughout the process.
Investigating and taking control of a computer incident scene in the corporate environment is considered to be much easier than in the criminal environment, because the incident scene is often the workplace; these workplaces have inventories of computer hardware and software which can also be examined, and the right tools can be adopted to analyze a policy violation, if any.

Many companies either state their policy directly or display some warning, and some do both; the purpose is to tell employees that the company holds the full right to inspect its computing assets at will. In addition to that, every company must define when an investigation can be initiated and let the corporate investigators know under what circumstances they can examine the computer of an employee. If the investigator finds out about wrongdoing by the employee then the company can file a criminal complaint against him.

If any evidence of a crime is noticed during the investigation then management must be informed of the incident; check that the incident itself meets the elements of criminal law, work with the corporate attorney and also make sure that you do not violate any other constitutional law during the whole procedure.

Preparing for a computer seizure for a search operation is one of the most important points in conducting a computing investigation. In order to do this, some answers from the victim and an informant may be needed; the informant can be a detective for the case, a witness, a manager or any coworker of the specific person of interest. If you can identify the computing system, then estimate things such as how many computer systems to process and the size of the drive on the suspect's computer; also determine which operating systems and hardware are involved.
Determining the location of the evidence and the type of the case is very important; it allows you to determine whether computers can be removed. If the removal of the computers would cause damage to the company then it should not be done, in the interest of the company. Problems in the investigation may arise if the files are hidden, encrypted or stored at some offsite location. If the computers are not allowed to be taken for investigation then the investigator must determine the resources needed to acquire the digital evidence and the proper tools which will make data acquisition faster. Also determine who is in charge of the respective systems (in a corporate environment, usually one person's assistance from the company is required in this regard). Always keep some specialists who work on many different types of operating systems, servers or databases, and properly educate those specialists in investigative techniques.

Once arrived, securing the crime scene or the specific computer is the foremost priority of the investigation team; the purpose is to preserve the evidence and keep the acquired data confidential. The investigative team should define a secure perimeter using a special type of yellow barrier tape; it should also have the legal authority to keep unnecessary people out, but must not fail to comply with the other law enforcers or obstruct justice in any manner.

Only a professional task force should handle the crime scene for evidence, as any non-professional law enforcer can manipulate or even destroy a vital piece of evidence which may be very crucial in the overall scenario.
Remember that corporate investigators do not seize evidence very often. Further plan guidelines for processing an incident or crime scene go as follows: keep a journal to document the activities; secure the scene while being professional and courteous with onlookers; remove all personnel who are not associated with the investigation; take all the proper and necessary video recordings of the area surrounding the computer, at the same time paying attention to all the major and minor details; sketch the incident or crime scene and check the computers as soon as possible.

While at the crime scene, never cut the electrical power to a running system by pulling the plug unless it is an older Windows or DOS system (which these days are very rarely found anywhere); instead perform a live acquisition with the proper acquisition methods if possible. When shutting down computers with operating systems such as Windows XP or a later version, or Linux/Unix, always remember to perform a normal shutdown of the system; this helps to preserve the log files. Try your very best to save the data from the current applications as safely as possible, properly record all active windows or other shell sessions, and photograph the scene. Also make notes of everything that is done, even when copying the data from a suspect's live computer; save open files to an external storage medium such as a hard drive or to a network share (if saving somehow causes problems then save with new titles), then close the applications and shut down the computer.

Further guidelines cover bagging and tagging the evidence, which is done as follows: first assign a person to collect (and log) the evidence, then tag all the evidence which is collected with the current date/time, a sequential number or other features.
Always keep two separate and different logs of the evidence collected, and keep control of the evidence at the crime scene. Always look for data related to the investigation such as passwords, PINs, passphrases, bank accounts and so on. Look at papers in places such as drawers, or even try to check the garbage can. Collect all the related documents and media which are associated with the investigation, such as manuals or software/hardware.

Using a technical advisor of a high degree of experience and knowledge is a must; the technical advisor can help to list the tools which are required to make progress at the crime scene. It is the person who can guide the investigation team on where to locate data and help the team in extracting the log records or other evidence from large servers. The advisor can also create, or help to make, a search warrant by determining what is needed by the investigators for the warrant. Further responsibilities of the technical advisor include knowing the aspects of the seized systems, directing the main investigator on handling sensitive material, helping in securing the crime scene, helping to plan the strategy for search and seizure (and documenting it), documenting all the activities and helping in conducting the search and seizure.

Documenting all the evidence in the lab is also a necessary process, which involves recording the activities and findings as the investigators work; this can be done by maintaining a journal to record the steps taken as the investigator processes the evidence.
The main objective is to produce the same results when the main investigator or anyone else repeats the steps that were taken to collect the evidence; the journal serves as a reference that documents all the methods that have been used to process the evidence. For proper documentation of the evidence, always create and use an evidence custody form, which serves purposes such as identifying who has handled the evidence and identifying the evidence itself, properly listing every time and date at which the evidence was handled. Other information can also be added to the form, such as a specific section listing and the hash value; try to include any other detailed information that might be needed for reference. Forms or labels are present in the evidence bags that can be used to document the evidence.

Forensic Tools

Always select the tools using information from incidents and crime scenes; the initial response field kit should be light in weight and easy to transport from one place to another. An addition to the initial kit is the extensive response field kit, which must include all the necessary tools.

The items in an initial response field kit may include: one digital camera or 35mm camera with film and flash, one flashlight, one laptop computer, one large capacity drive, one IDE ribbon cable (ATA-33 or ATA-100), one SATA cable, one forensic boot media containing the preferred utility, one FireWire or USB triple write-protect external bay, ten evidence log forms, one notebook or dictation recorder, ten computer evidence bags (antistatic bags), two evidence labels, twenty tape and tags, one permanent ink marker, ten external USB devices such as a thumb drive or a larger portable hard drive. (cited in Nelson, Phillips & Stewart, 2004)

Tools in an extensive response field kit may include: a variety of technical manuals ranging from operating system references to forensic analysis guides, one initial response field kit, one portable PC with SCSI card for a DLT tape drive or the suspect's
SCSI drive, two electrical power strips, additional hand tools including bolt cutters, a pry bar and a hacksaw, one pair of leather gloves and disposable latex gloves (assorted sizes), one hand truck and luggage cart, ten large garbage bags and large cardboard boxes with packaging tape, rubber bands of assorted sizes, one magnifying glass, one ream of printer paper, one small brush for cleaning dust from the suspect's interior CPU cabinet, ten USB thumb drives of varying sizes, two external hard drives (200 GB or larger) with power cables, assorted converter cables and five additional assorted hard drives for data acquisition.

When choosing an appropriate tool, the investigator must be sure that the tool is functioning properly and that the right person handles it during the investigation. In order to prepare the investigation team, the investigator must review all the facts, plans and objectives with the entire team assembled; the main objectives of scene processing should be to collect the evidence and secure it. The speed of the team's response is very crucial, as delay can cause evidence such as digital evidence to be lost.

Laboratory

A computer forensics lab is a place where computer forensic investigators conduct investigations, store evidence and house the necessary equipment, hardware and software.
A typical lab manager's duties involve many tasks, such as proper management of case studies, helping to build reasonable consensus for effective decisions, keeping everyone up to date with proper ethics and any modifications if made, keeping a financial account and proper checks and balances for the entire facility, keeping it updated according to the latest trends in technology and promoting the required quality assurance, setting a schedule that suits everyone, estimating the capability of the investigators and assessing their requirements, proper estimation of results (preliminary or final) and when they are expected, strictly managing all lab policies and keeping an overall watch on the safety and security of the entire facility. The staff members have duties which include knowledge of, and training on, equipment relating to computer systems such as operating systems and their file types, software and hardware. Other staff duties include knowledge and training in technical skills, investigative skills and deductive reasoning.

Planning the lab budget involves properly dividing the costs on all bases from daily to annual expenses, gathering the available data on past expenses and using it to predict or prepare for any future costs. The main expense for a lab comes from the trained personnel and the equipment they use, such as the hardware or software at their disposal. Always estimate the number of computer cases the lab expects to cover, keep informed about developments in technology in the respective field, try to assess the kinds of computer related crimes, and use this information to plan ahead for lab requirements and costs.

"While making good computer technology available is important, the costs and benefits of upgrading all computers to state of the art must be weighed." (cited in Schwabe, 2001)

Check statistics from the Uniform Crime Report and identify the specific software used to commit crimes.
If you are setting up a lab for a private corporation, remember to check the inventory of computing equipment such as software or hardware, previously reported problems and the ongoing and future advancements in related computer technology. Managing time is also a major concern when choosing the computing equipment to purchase. Most of the investigation is conducted in the lab, so it should be secure, as the evidence is very crucial and cannot be allowed to be lost, manipulated, damaged, destroyed or corrupted. Always put emphasis on providing a secure and safe environment, and keep proper inventory control of the assets (inform in advance if more supplies are needed). A safe and secure facility should always preserve the evidence data and keep it as it is; the minimum requirements for a secure facility are a medium or small sized room with true walls from the floor to the ceiling, a proper locking mechanism on the entrance door, a secure container and a log for visitors. Almost all of the workers in the facility should be given the same level of access. Always brief the staff about the security policy; it is a must. The evidence lockers used in the lab must be kept secure enough that no unauthorized person can access them at all; some recommendations for securing storage containers include locating the containers in a properly defined restricted area, limiting the people who have access to the storage containers, keeping a record of the authority of everyone who has access to the containers and keeping the containers locked when not in use.

If a combination locking system is used, then provide an equal measure of security for both the contents of the container and the combination; always destroy previously held combinations when setting up new combinations; only those persons who have the proper authority should be allowed to change the lock combinations; try to change the combination every three or six months or whenever required.
When using a key padlock, authorize one person as the main key custodian, keep duplicate keys and print sequential numbers on all of them, keep a registry which records the keys assigned to the authorized personnel, conduct audits on a weekly or monthly basis, place the keys in a secure container after taking an inventory of the keys, keep the level of security the same for all the keys and evidence containers, replace the old locks and keys on an annual basis and do not use a master key for several locks.

Containers should be strong, safe and as indestructible as possible, with an external padlock system and a cabinet inside; try to get a media safe if possible (to protect the evidence from damage), keep an evidence storage room in the lab if possible and keep a well organized evidence log which records every occasion on which the evidence container is opened or closed. Always maintain a security policy and enforce it (have visitors sign in, treating as visitors all personnel who are not assigned to the lab; these visitors should be escorted at all times); indicators (visible and/or audible) are also a necessity inside the lab premises; install an intrusion alarm system and hire a guard force for your lab.

In civil litigation, the investigator may have to return the evidence after using it (when issued a discovery order). If the investigator cannot retain the evidence, then make sure to make the correct type of copy (for data from disks or other hard drives, logical or bit-stream); ask the supervisor or your client's attorney about the requirements; you will usually only have one chance; create a duplicate copy of the evidence file; make a minimum of two images of the digital evidence using separate methods; try to copy the host protected area of the disk; size is the biggest concern (such as in RAID (redundant array of independent disks) systems which have terabytes of data). Some investigations need to be conducted in
the laboratory because of the proper tools and technicians available there who know how to deal with the evidence correctly without tampering with it. The investigator might need the proper permission of the authority in charge if he wants the system moved to the laboratory; when permission is granted, the investigator has a given time frame in which he must perform his task and then deliver the system back to where it came from.

Log files

Log files are those which list all the actions that have happened; for example, Web servers maintain log files that list every request made to the Web server. Using log file analysis tools, the user can get a very good assessment of where the visitors came from, how often they return or even how they move through a site. In addition to log files there are cookies; when used, they enable Webmasters to log far more detailed information about a user and how he is accessing a site.

"Logs are also considered to be an independent, machine-generated record of what happened within a network for both system and user activity. When set up properly, and with the appropriate due care, logs can provide an unvarying fingerprint of system and user activity. In many cases, the logs tell a story as to what really happened in an incident. They can tell you what systems were involved, how the systems and people behaved, what information was accessed, who accessed it and precisely when these activities took place." (Cited in Musthaler, 2010)

Given this overview of what logs can provide, regulations such as the PCI DSS (Payment Card Industry Data Security Standard), the FRCP (Federal Rules of Civil Procedure), HIPAA (the Health Insurance Portability and Accountability Act) and many others all consider logs and log management to be a basic and essential necessity for proper and efficient data management.
Logs can be used to capture many vital sources of information which, besides protecting the core data, can also help in supporting forensic analysis and incident response if a data breach or another form of electronic crime, such as fraud, has occurred. Overall log monitoring can be hindered by the extremely large amount of data captured and by the unwillingness, lack of will or errors in properly managing, analyzing and correlating that data. Mismanagement can be hugely costly: if some suspicious activity or breach really happens, then a lot of time (possibly many months) may be required to detect the fault, and there is no guarantee that it will be detected at all. In order to have logs admissible in court as evidence of a crime, an organization must prepare and exercise due care with the log data.

"Log data must be viewed and treated like a primary evidence source. Here are some best practices that can help ensure log data and log management practices properly support forensic investigations. Have a clear corporate policy for managing logs across the entire organization. Document what is being logged and why, as well as how the log data is captured, stored and analyzed. Ensure that 100% of log-able devices and applications are captured and the data is unfiltered. Have centralized storage and retention of all logs, with everything in one place and in one format. Ensure the time synchronization of logs to facilitate correlating the data and retrieving data over specific timeframes. Ensure the separation of duties over logs and log management systems to protect from potential internal threats such as a super user or administrator turning off or modifying logs to conceal illicit activity. Always maintain backup copies of logs. Have a defined retention policy that specifies the retention period across the organization for all log data. Organizations should work with legal counsel to determine the best time frames and have log data incorporated into an overall data retention policy. Have a defined procedure to follow after an incident. Test the incident response plan, including the retrieval of backup log data from offsite storage." (Musthaler, 2010)

Further quotes from Brian Musthaler include: "If an incident or data breach is suspected, there are several steps to take right away. Increase the logging capability to the maximum and consider adding a network sniffer to capture additional detail from network traffic. In an incident, it's better to have more data rather than less. Suspend the rotation or destruction of existing logs to prevent the loss of potential evidence. Get backup copies of the logs and make sure they are secure. Deploy a qualified investigations team to determine the situation." (Musthaler, 2010)

With the appropriate care, logs can provide substantial forensic evidence when and if it is needed. As far as the job of a computer forensic investigator is concerned, his log begins when he starts an investigation; logs can be made of many things such as events, system security, firewall, audit, access and so on. (cited in PFI, 2010) Equipment can be recorded in the log in many ways: audio logs can be made which store audio files, and picture logs can be made which store digital pictures taken during an investigation. Equipment is recorded according to the type of its contents with the appropriate tools. The final log is stored at the very end, after possibly amending or revising previous logs.

Data acquisition

For the process of acquiring data in an investigation, we will consider the following techniques. There are two types of data acquisition, static acquisition and live acquisition, which basically involve the following four types of acquisition techniques: bit-stream disk-to-disk, bit-stream disk-to-image file, sparse and logical.
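As an added illustration of the log-handling practices in the Log files section above (guarding against a super user or administrator editing or deleting logs, and keeping a copy elsewhere), and not code from the paper or from any product it names: a hash-chained log whose final hash (the seal) is stored on a separate system, so that records edited, deleted or reordered after the fact are detected on verification. The sample records are constructed.

```python
"""Tamper-evident (hash-chained) log store.

Added example for the log-handling practices in the Log files section; not
code from the paper or from any product it mentions. Each stored record
carries SHA-256(previous hash + record text). The final hash is the "seal":
kept on a separate system (the off-box backup the text recommends), it lets
a verifier detect records that were edited, deleted, reordered or appended
after the fact, which is the administrator-tampering risk the text describes.
"""
import hashlib
from typing import List, Tuple

GENESIS = "0" * 64  # constructed starting value for an empty chain


def chain_hash(prev_hash: str, record: str) -> str:
    """Hash of one link: the previous hash followed by the record text."""
    data = (prev_hash + "\n" + record).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_chain(records: List[str]) -> List[Tuple[str, str]]:
    """Return (record, link_hash) pairs; the last hash is the seal."""
    chain: List[Tuple[str, str]] = []
    prev = GENESIS
    for rec in records:
        link = chain_hash(prev, rec)
        chain.append((rec, link))
        prev = link
    return chain


def verify_chain(chain: List[Tuple[str, str]], seal: str) -> Tuple[bool, int]:
    """Recompute every link and compare the tail against the seal.

    Returns (ok, index). ok is True only if every stored hash matches and the
    last hash equals the seal. index is the first inconsistent link, or
    len(chain) when the links agree among themselves but the seal does not
    (records removed from or added to the tail).
    """
    prev = GENESIS
    for i, (rec, stored) in enumerate(chain):
        if chain_hash(prev, rec) != stored:
            return False, i
        prev = stored
    return prev == seal, len(chain)


# Constructed sample records (syslog style, timestamps already in UTC so that
# the time-synchronization requirement in the text is met before sealing).
SAMPLE_LOG = [
    "2019-03-29T14:02:11Z host1 sshd: Accepted publickey for admin from 10.0.0.5",
    "2019-03-29T14:05:47Z host1 sudo: admin : COMMAND=/bin/rm /var/log/auth.log.1",
    "2019-03-29T14:06:02Z host1 sshd: Disconnected from 10.0.0.5",
]


def demo() -> dict:
    """Seal the sample log, then check three versions of it."""
    chain = build_chain(SAMPLE_LOG)
    seal = chain[-1][1]  # would be copied to the separate log-management host

    # 1. Untouched chain: every link and the seal agree.
    intact = verify_chain(chain, seal)

    # 2. The sudo line is edited in place to hide the deleted file name.
    edited = list(chain)
    rec, stored = edited[1]
    edited[1] = (rec.replace("/var/log/auth.log.1", "/tmp/scratch"), stored)
    after_edit = verify_chain(edited, seal)

    # 3. The last record is deleted: links still agree, the seal does not.
    after_delete = verify_chain(chain[:-1], seal)

    return {"intact": intact, "edited": after_edit, "deleted": after_delete}


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:8s} ok={ok} first_bad_or_len={idx}")
```

The chain only proves integrity relative to the seal, so the seal must live where the log administrator has no write access; that is the separation of duties the quoted practices call for.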
Bit-stream disk-to-image file is the most common method; it makes one or more copies, and every copy made is a bit-by-bit replication of the original drive. A similar process happens in the day-to-day use of a common personal computer: when we copy and paste files from one place to another or make multiple copies of a data file, an exact copy of the original data file is made available in many places. It is very simple and easy and with very little training can be performed on the target system; accordingly it is the most preferred method as well. The tools used for it are EnCase, ProDiscover, FTK and SMART.

The disk-to-disk (bit-stream) method is applied when a disk-to-image copy is unrealistic, mainly due to hardware or software errors or incompatibilities; this problem arises most of the time when dealing with very old drives. It adjusts the target disk's geometry to match the suspect's drive (the track configuration geometry); tools used in this form are SafeBack, EnCase and Snap Copy.

Logical acquisition and sparse acquisition are used when the investigator's total time is very short and the target disk is very large. Logical acquisition only searches for and retrieves the selected files which are of particular interest; sparse acquisition, by comparison, also collects data, but again the data collected is very limited.

Data analysis

Data analysis (for a computer forensic investigator) mostly consists of examining digital evidence, and depends on the following main factors: the nature of the case, the amount of data to process, the search warrants and court orders, and the company policies. Scope creep happens when the investigation expands beyond the original description; it should be avoided in all cases.
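The disk-to-image method above, together with the hash values the evidence custody form should carry, as an added example that is not from the paper or from EnCase, ProDiscover, FTK or SMART: a constructed byte buffer stands in for the suspect drive, the image is written chunk by chunk while MD5 and SHA-256 are computed, and the finished image is re-hashed to prove it is a bit-for-bit copy before the result goes into a custody record. The case number, examiner name and tool name are placeholders.

```python
"""Bit-stream disk-to-image acquisition with hash verification and a custody record.

Added example for the acquisition and evidence-documentation sections; it is
not code from the paper or from EnCase, ProDiscover, FTK or SMART. A
constructed byte buffer stands in for the suspect drive (a real acquisition
reads the block device through a hardware write blocker). The image is
written in fixed-size chunks while MD5 and SHA-256 are computed from the
same bytes, then the finished image is re-read and re-hashed so the custody
record can state that the copy is bit-for-bit identical to the source.
Case number, examiner and tool name below are placeholders.
"""
import hashlib
import io
from datetime import datetime, timezone
from typing import BinaryIO, Optional

CHUNK = 4096  # read size; a multiple of the 512-byte sector


def hash_stream(src: BinaryIO, dst: Optional[BinaryIO] = None) -> dict:
    """Read src to the end, hashing every block; copy blocks to dst if given."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    while True:
        block = src.read(CHUNK)
        if not block:
            break
        if dst is not None:
            dst.write(block)
        md5.update(block)
        sha.update(block)
        size += len(block)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire(drive: BinaryIO, image: BinaryIO) -> dict:
    """Bit-stream copy of drive into image; returns the source hashes."""
    drive.seek(0)
    image.seek(0)
    source = hash_stream(drive, image)
    image.flush()
    return source


def verify_image(image: BinaryIO, source: dict) -> bool:
    """Re-hash the written image independently and compare with the source."""
    image.seek(0)
    return hash_stream(image) == source


def custody_record(case_id: str, item: str, examiner: str,
                   source: dict, verified: bool) -> dict:
    """One entry for the evidence custody form described in the text."""
    return {
        "case_id": case_id,
        "item": item,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "method": "bit-stream disk-to-image",
        "tool": "example-acquire 0.1 (placeholder)",
        "bytes": source["bytes"],
        "md5": source["md5"],
        "sha256": source["sha256"],
        "verified": verified,
    }


def make_sample_drive() -> io.BytesIO:
    """Constructed 40 KiB stand-in for a suspect drive: boot-sector signature,
    a file-name fragment in the middle, zero-filled slack everywhere else."""
    data = bytearray(40 * 1024)
    data[0:2] = b"\xeb\x3c"
    data[510:512] = b"\x55\xaa"
    name = b"report_final_v2.docx\r\n"
    data[8192:8192 + len(name)] = name
    return io.BytesIO(bytes(data))


def demo() -> dict:
    drive = make_sample_drive()
    image = io.BytesIO()
    source = acquire(drive, image)
    good = verify_image(image, source)
    record = custody_record("CASE-0000 (placeholder)", "Item 1: suspect HDD",
                            "J. Examiner (placeholder)", source, good)

    # A copy of the same length with one bit-flipped byte (a silent read
    # error, say) must fail verification even though the size matches.
    damaged = bytearray(image.getvalue())
    damaged[511] ^= 0xFF
    bad = verify_image(io.BytesIO(bytes(damaged)), source)

    return {"source": source, "image_verified": good,
            "damaged_verified": bad, "record": record}


if __name__ == "__main__":
    result = demo()
    print(result["record"])
    print("damaged copy verified:", result["damaged_verified"])
```

Two independent digests are recorded because the text asks for a minimum of two images made by separate methods; the same idea applies to the hashes that accompany each image.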
A few basic principles apply to almost all computer forensics cases, such as that the approach taken depends largely on the specific type of case being investigated. Basic analysis steps for all computer forensics investigations include the following: for target drives, use only recently wiped media that have been reformatted and inspected for computer viruses; note the condition of the computer when seized; remove the original drive from the computer to check the date and time values in the system's CMOS; record how the data was acquired from the suspect's drive; process the data methodically and logically; list all folders and files on the image or drive. Also examine the contents of all data files in all folders, starting at the root directory of the volume partition; try to recover the contents of all password-protected files that may be related to the investigation; identify the function of every executable file that does not match known hash values; maintain control of all evidence and findings; and document everything as you progress through the examination.

Refining and modifying the investigation plan includes determining the scope of the investigation and what the case requires, determining whether all the information should be collected, and deciding what to do in case of scope creep. The main aim should be to start with a plan but remain flexible in the face of new evidence.

Data can be analyzed using many tools from the forensic toolkit, with supported file systems including FAT12/16/32, NTFS, Ext2fs and Ext3fs. FTK is a very powerful tool that can analyze data from several sources, including image files from other vendors; it produces a case log file. FTK also analyzes compressed files, and reports can be generated in it using bookmarks. Other analysis techniques include searching for keywords (indexed search, live search, or advanced searching techniques such as stemming).
In order to identify different types of data such as images, electronic mail and so on, the investigator should examine the data format and then, according to that format, deal with the file using the appropriate tool.

Working with law enforcement

"The status of individuals under law is no longer in doubt; individuals are subjects of law and as such are accorded rights. Yet rights are illusory without the procedural capability to enforce them. They are no more than high-minded principles if individuals whose rights have been violated have no avenue for complaint and relief." (Cited in Pasqualucci, 2003)

There are basically two types of computer investigations, public and private (corporate). Public investigations involve government agencies responsible for criminal investigation and prosecution; the organizations involved must follow the legal guidelines provided to them by the authority, and other legal rights such as the law of search and seizure help in protecting the rights of all people, including suspects.

"Of the quotidian problems of the criminal justice system itself, certainly the most delicate and probably the most difficult concern the proper ways of dealing one after another with individuals." (Cited in Winslow, 1968)

An investigator working with law enforcement must always abide by the federal and constitutional laws in conducting and performing the entire process of the investigation.
Criminal cases at law enforcement go through three main steps. First, the victim (any individual or company) contacts the law enforcement agency by making a complaint. Then, acting on that complaint, an investigator is assigned by the government authority to conduct a balanced and proper investigation and is asked to present all the findings directly to the law agency; the investigator interviews the complainant and writes a report about the crime, and the police blotter may provide a record of clues to crimes that have been committed previously (related to the ongoing investigation). The investigator collects, delegates and processes the information related to the complaint. As the investigator builds a case, the information is turned over to the prosecutor.

An affidavit is a sworn statement in support of facts about evidence of a crime, which is submitted to a judge to request a search warrant; the judge must approve and sign the search warrant before it can be used to collect evidence.
The chain of custody is the route the evidence takes from the time the investigator finds it until the case is closed or goes to court; throughout the case, the evidence is held by the investigator, who has the proper right under the law to maintain and keep the evidence unaltered. Other concerns which need to be addressed when bringing law enforcement to the scene are that the officers should follow proper procedure when acquiring the evidence, especially digital evidence, which can be easily altered by an overeager investigator; special care should be given to the information on storage media such as hard disks which are password protected.

Network forensics

Network forensics is the job of finding information about how a perpetrator or an attacker gained access to a network. It involves systematic tracking of incoming and outgoing traffic to find out how an attack was carried out or how an event occurred on a network. The forensic expert should be very well experienced and familiar with many previous network-related cases, because the intruders whom the network forensic investigator searches for always leave some sort of trail behind; this trail