1 CSN08101 Digital Forensics
  Lecture 4A: Forensic Processes
  Module Leader: Dr Gordon Russell
  Lecturers: Robert Ludwiniak

2 Forensics Processes - objectives
  Investigation Process
  Forensic Ethics Issues
  Forensic Law Issues

3 Investigation Process
  According to many professionals, Computer Forensics is a four (4) step process:
  Acquisition
    Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
  Identification
    This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites

4 Investigation Process
  According to many professionals, Computer Forensics is a four (4) step process:
  Evaluation
    Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court
  Presentation
    This step involves the presentation of evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and suitable as evidence as determined by United States and internal laws

5 Digital Investigation Process Model
  Source: Brian Carrier, An Event-Based Digital Forensic Investigation Framework

6 Readiness Phases
  Computer forensics lab
    Where you conduct your investigation
    Store evidence
    House your equipment, hardware, and software
  American Society of Crime Laboratory Directors (ASCLD) offers guidelines for:
    Managing a lab
    Acquiring an official certification
    Auditing lab functions and procedures

7 Staff Readiness
  Lab manager duties:
    Estimate when to expect preliminary and final results
    Create and monitor lab policies for staff
    Provide a safe and secure workplace for staff and evidence
  Staff member duties:
    Knowledge and training:
      Hardware and software
      OS and file types
      Deductive reasoning

8 Acquiring Certification and Training
  Update your skills through appropriate training
  International Association of Computer Investigative Specialists (IACIS)
    Created by police officers who wanted to formalize credentials in computing investigations
    Certified Electronic Evidence Collection Specialist (CEECS)
    Certified Forensic Computer Examiners (CFCEs)

9 Acquiring Certification and Training (continued)
  High-Tech Crime Network (HTCN)
    Certified Computer Crime Investigator, Basic and Advanced Level
    Certified Computer Forensic Technician, Basic and Advanced Level
  EnCase Certified Examiner (EnCE) Certification
  AccessData Certified Examiner (ACE) Certification
  Other Training and Certifications
    High Technology Crime Investigation Association (HTCIA)

10 Acquiring Certification and Training (continued)
  Other training and certifications
    SysAdmin, Audit, Network, Security (SANS) Institute
    Computer Technology Investigators Network (CTIN)
    NewTechnologies, Inc. (NTI)
    Southeast Cybercrime Institute at Kennesaw State University
    Federal Law Enforcement Training Center (FLETC)
    National White Collar Crime Center (NW3C)

11 Physical Requirements for a Computer Forensics Lab
  Most of your investigation is conducted in a lab
  Lab should be secure so evidence is not lost, corrupted, or destroyed
  Provide a safe and secure physical environment
  Keep inventory control of your assets
    Know when to order more supplies

12 Digital Crime Scene Investigation Phases
  Source: Brian Carrier, An Event-Based Digital Forensic Investigation Framework

13 Digital Evidence Searching Phase

14 Event Reconstruction Phase
  Source: Brian Carrier, An Event-Based Digital Forensic Investigation Framework

15 Ethics and Codes
  Ethics
    Rules you internalize and use to measure your performance
  Codes of professional conduct or responsibility
    Standards that others apply to you or that you are compelled to adhere to by external forces
      Such as licensing bodies
  People need ethics to help maintain their balance
    And self-respect and the respect of their profession

16 Applying Ethics and Codes
  Laws governing codes of professional conduct or responsibility
    Define the lowest level of action or performance required to avoid liability
  Expert witnesses should present unbiased, specialized, and technical evidence to a jury
  Expert witnesses testify in more than 80% of trials
    And in many trials, multiple expert witnesses testify

17 Applying Ethics and Codes to Expert Witnesses
  The most important laws applying to attorneys and witnesses are the rules of evidence
  Experts are bound by their own personal ethics and the ethics of their professional organizations
  In the United States, there's no state or national licensing body for computer forensics examiners

18 Computer Forensics Examiners' Roles in Testifying
  Computer forensics examiners have two roles:
    Scientific/technical witness and expert witness
  Scientific/technical witness
    Person involved in a case, the investigator that found and presented the evidence
  As expert witness
    You can testify even if you weren't present when the event occurred
    Or didn't handle the data storage device personally
  Criticism: it's possible to find and hire an expert to testify to almost any opinion on any topic

19 Organizations with Codes of Ethics
  No single source offers a definitive code of ethics for forensic investigators
  You must draw on standards from other organizations to form your own ethical standards

20 International Society of Forensic Computer Examiners
  Includes guidelines such as the following:
    Maintain the utmost objectivity in all forensic examinations and present findings accurately
    Conduct examinations based on established, validated principles
    Testify truthfully in all matters before any board, court, or proceeding
    Avoid any action that would appear to be a conflict of interest

21 International Society of Forensic Computer Examiners (continued)
  Includes guidelines such as the following: (continued)
    Never misrepresent training, credentials, or association membership
    Never reveal any confidential matters or knowledge learned in an examination without an order from a court of competent jurisdiction or the client's express permission

22 International High Technology Crime Investigation Association
  HTCIA core values include the following requirements related to testifying:
    The HTCIA values the Truth uncovered within digital information and the effective techniques used to uncover that Truth, so that no one is wrongfully convicted
    The HTCIA values the Integrity of its members and the evidence they expose through common investigative and computer forensic best practices, including specialized techniques used to gather digital evidence

23 International Association of Computer Investigative Specialists
  Standards for IACIS members include:
    Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved
    Thoroughly examine and analyze the evidence
    Conduct examinations based upon established, validated principles
    Render opinions having a basis that is demonstratively reasonable
    Not withhold any findings that would cause the facts of a case to be misrepresented or distorted

24 BCS CODE OF CONDUCT
  Public Interest
    Legitimate rights of third parties include protecting personal identifiable data to prevent unlawful disclosure and identity theft, and also respect for copyright, patents and other intellectual property.
  Professional Competence and Integrity
    You should only claim current competence where you can demonstrate you have the required expertise e.g. through recognised competencies, qualifications or experience.
  Duty to Relevant Authority
    If any conflict is likely to occur or be seen by a third party as likely to occur you will make full and immediate disclosure to your Relevant Authority.
  Duty to the Profession
    Share knowledge and understanding of IT and support inclusion of every sector of society.

25 Legal Issues
  In a criminal investigation you ALWAYS have to have a warrant!!!
  A warrant can be issued for:
    Entire company, floor, room, a device, car, house, any company/person owned property
  Mobile phone cases: issues with interception rules laid down in RIPSA [Regulations of Investigative Powers (Scotland) Act]

26 Ethics and Warrants
  A lot of the ethical issues are covered by the warrants system.
  Before a warrant can be issued, a judge is presented with the evidence that suggests a search will find something relating to the crime under investigation.
  He will then weigh this against the person's freedoms and decide whether the warrant should be granted.

27 Corporate Investigation Issues
  A non-criminal internal investigation can be restricted by the individual's right of privacy
    Data Protection Act
    Company Policies

28 Best Practice ACPO
  Principle 1 - No action taken by law enforcement or their agents should change data held on an electronic device or media which may subsequently be relied upon in Court.
  Principle 2 - In exceptional circumstances where a person finds it necessary to access original data held on an electronic device or media, that person must be competent to do so, and be able to give evidence explaining the relevance and the implications of their actions.

29 Best Practice ACPO
  Principle 3 - An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

30 Best Practice ACPO
  Principle 4 - The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

31 ANY QUESTIONS?

32 Assessment: Short-Answer Examples
  Question: What are the requirements for the computer forensic lab?
  Answer:

33 Assessment: Short-Answer Examples
  Question: What is the difference between Ethics and Code of Practice?
  Answer:

34 Assessment: Short-Answer Examples
  Question: How can the Data Protection Act create problems in a corporate investigation?
  Answer: