CSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak



Transcription:

CSN08101 Digital Forensics
Lecture 4A: Forensic Processes
Module Leader: Dr Gordon Russell
Lecturers: Robert Ludwiniak

Forensics Processes - objectives
- Investigation Process
- Forensic Ethics Issues
- Forensic Law Issues

Investigation Process
According to many professionals, Computer Forensics is a four (4) step process:
- Acquisition: Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
- Identification: This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites

Investigation Process
According to many professionals, Computer Forensics is a four (4) step process:
- Evaluation: Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court
- Presentation: This step involves the presentation of evidence discovered in a manner which is understood by lawyers, non-technical staff/management, and suitable as evidence as determined by United States and internal laws

Digital Investigation Process Model
Source: Brian Carrier, An Event-Based Digital Forensic Investigation Framework

Readiness Phases
- Computer forensics lab
  - Where you conduct your investigation
  - Store evidence
  - House your equipment, hardware, and software
- American Society of Crime Laboratory Directors (ASCLD) offers guidelines for:
  - Managing a lab
  - Acquiring an official certification
  - Auditing lab functions and procedures

Staff Readiness
- Lab manager duties:
  - Estimate when to expect preliminary and final results
  - Create and monitor lab policies for staff
  - Provide a safe and secure workplace for staff and evidence
- Staff member duties:
  - Knowledge and training:
    - Hardware and software
    - OS and file types
    - Deductive reasoning

Acquiring Certification and Training
- Update your skills through appropriate training
- International Association of Computer Investigative Specialists (IACIS)
  - Created by police officers who wanted to formalize credentials in computing investigations
  - Certified Electronic Evidence Collection Specialist (CEECS)
  - Certified Forensic Computer Examiners (CFCEs)

Acquiring Certification and Training (continued)
- High-Tech Crime Network (HTCN)
  - Certified Computer Crime Investigator, Basic and Advanced Level
  - Certified Computer Forensic Technician, Basic and Advanced Level
- EnCase Certified Examiner (EnCE) Certification
- AccessData Certified Examiner (ACE) Certification
- Other Training and Certifications
  - High Technology Crime Investigation Association (HTCIA)

Acquiring Certification and Training (continued)
- Other training and certifications
  - SysAdmin, Audit, Network, Security (SANS) Institute
  - Computer Technology Investigators Network (CTIN)
  - New Technologies, Inc. (NTI)
  - Southeast Cybercrime Institute at Kennesaw State University
  - Federal Law Enforcement Training Center (FLETC)
  - National White Collar Crime Center (NW3C)

Physical Requirements for a Computer Forensics Lab
- Most of your investigation is conducted in a lab
- Lab should be secure so evidence is not lost, corrupted, or destroyed
- Provide a safe and secure physical environment
- Keep inventory control of your assets
  - Know when to order more supplies

Digital Crime Scene Investigation Phases
Source: Brian Carrier, An Event-Based Digital Forensic Investigation Framework

Digital Evidence Searching Phase

Event Reconstruction Phase
Source: Brian Carrier, An Event-Based Digital Forensic Investigation Framework

Ethics and Codes
- Ethics
  - Rules you internalize and use to measure your performance
- Codes of professional conduct or responsibility
  - Standards that others apply to you or that you are compelled to adhere to by external forces
    - Such as licensing bodies
- People need ethics to help maintain their balance
  - And self-respect and the respect of their profession

Applying Ethics and Codes
- Laws governing codes of professional conduct or responsibility
  - Define the lowest level of action or performance required to avoid liability
- Expert witnesses should present unbiased, specialized, and technical evidence to a jury
- Expert witnesses testify in more than 80% of trials
  - And in many trials, multiple expert witnesses testify

Applying Ethics and Codes to Expert Witnesses
- The most important laws applying to attorneys and witnesses are the rules of evidence
- Experts are bound by their own personal ethics and the ethics of their professional organizations
- In the United States, there's no state or national licensing body for computer forensics examiners

Computer Forensics Examiners' Roles in Testifying
- Computer forensics examiners have two roles:
  - Scientific/technical witness and expert witness
- Scientific/technical witness
  - Person involved in a case, investigator that found and presented the evidence
- As expert witness
  - You can testify even if you weren't present when the event occurred
  - Or didn't handle the data storage device personally
- Criticism: it's possible to find and hire an expert to testify to almost any opinion on any topic

Organizations with Codes of Ethics
- No single source offers a definitive code of ethics for forensic investigators
- You must draw on standards from other organizations to form your own ethical standards

International Society of Forensic Computer Examiners
Includes guidelines such as the following:
- Maintain the utmost objectivity in all forensic examinations and present findings accurately
- Conduct examinations based on established, validated principles
- Testify truthfully in all matters before any board, court, or proceeding
- Avoid any action that would appear to be a conflict of interest

International Society of Forensic Computer Examiners (continued)
Includes guidelines such as the following: (continued)
- Never misrepresent training, credentials, or association membership
- Never reveal any confidential matters or knowledge learned in an examination without an order from a court of competent jurisdiction or the client's express permission

International High Technology Crime Investigation Association
HTCIA core values include the following requirements related to testifying:
- The HTCIA values the Truth uncovered within digital information and the effective techniques used to uncover that Truth, so that no one is wrongfully convicted
- The HTCIA values the Integrity of its members and the evidence they expose through common investigative and computer forensic best practices, including specialized techniques used to gather digital evidence

International Association of Computer Investigative Specialists
Standards for IACIS members include:
- Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved
- Thoroughly examine and analyze the evidence
- Conduct examinations based upon established, validated principles
- Render opinions having a basis that is demonstratively reasonable
- Not withhold any findings that would cause the facts of a case to be misrepresented or distorted

BCS CODE OF CONDUCT
- Public Interest
  - Legitimate rights of third parties include protecting personal identifiable data to prevent unlawful disclosure and identity theft, and also respect for copyright, patents and other intellectual property.
- Professional Competence and Integrity
  - You should only claim current competence where you can demonstrate you have the required expertise e.g. through recognised competencies, qualifications or experience.
- Duty to Relevant Authority
  - If any conflict is likely to occur or be seen by a third party as likely to occur you will make full and immediate disclosure to your Relevant Authority.
- Duty to the Profession
  - Share knowledge and understanding of IT and support inclusion of every sector of society.

Legal Issues
- In criminal investigation you ALWAYS have to have a warrant!!!
- Warrant can be issued for:
  - Entire company, floor, room, a device, car, house, any company/person owned property
- Mobile phone cases: issues with interception rules laid down in RIPSA [Regulations of Investigative Powers (Scotland) Act]

Ethics and Warrants
- A lot of the ethical issues are covered by the warrants system.
- Before a warrant can be issued, a judge is presented with the evidence that suggests a search will find something relating to the crime under investigation.
- He will then weigh this against the person's freedoms and decide whether the warrant should be granted.

Corporate Investigation Issues
- Non-criminal internal investigation can be restricted by the individual's right of privacy
  - Data Protection Act
  - Company Policies

Best Practice ACPO
- Principle 1: No action taken by law enforcement or their agents should change data held on an electronic device or media which may subsequently be relied upon in Court.
- Principle 2: In exceptional circumstances where a person finds it necessary to access original data held on an electronic device or media, that person must be competent to do so, and be able to give evidence explaining the relevance and the implications of their actions.

Best Practice ACPO
- Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Best Practice ACPO
- Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
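
One way to make ACPO Principles 1 and 3 checkable in practice, shown as an added example that is not part of the original lecture or the ACPO guide: every process applied to the evidence is logged with the evidence's SHA-256 and chained to the previous record, so a third party can re-run the check and get the same result. The function names, record fields and sample bytes are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first audit record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest(body: dict) -> str:
    # Canonical JSON so a third party recomputes the identical record hash.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_record(trail, examiner, action, evidence: bytes, timestamp):
    """Log one process applied to the evidence (Principle 3)."""
    body = {
        "seq": len(trail),
        "timestamp": timestamp,
        "examiner": examiner,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev": trail[-1]["record_hash"] if trail else GENESIS,
    }
    trail.append(dict(body, record_hash=digest(body)))
    return trail[-1]

def verify_trail(trail, evidence: bytes):
    """Independent re-check; returns a list of problems (empty = trail holds)."""
    problems, prev = [], GENESIS
    for rec in trail:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev"] != prev or digest(body) != rec["record_hash"]:
            problems.append(f"record {rec['seq']}: chain broken or record edited")
        prev = rec["record_hash"]
    if len({r["evidence_sha256"] for r in trail}) > 1:
        problems.append("evidence hash changed between steps (Principle 1)")
    if trail and trail[-1]["evidence_sha256"] != sha256_hex(evidence):
        problems.append("evidence in hand does not match last recorded hash")
    return problems

# Constructed sample: stand-in bytes for a disk image, not real evidence.
SAMPLE_IMAGE = b"constructed disk image bytes" * 64

def demo_trail():
    trail = []
    append_record(trail, "examiner-A", "imaged via write blocker", SAMPLE_IMAGE, "2024-01-01T10:00:00Z")
    append_record(trail, "examiner-A", "keyword search on copy", SAMPLE_IMAGE, "2024-01-01T11:30:00Z")
    return trail
```

The chain only exposes later edits if the final `record_hash` is also written somewhere the editor of the log cannot rewrite, such as the signed case notes.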

ANY QUESTIONS?

Assessment: Short-Answer Examples
Question: What are the requirements for the computer forensic lab?
Answer:

Assessment: Short-Answer Examples
Question: What is the difference between Ethics and Code of Practice?
Answer:

Assessment: Short-Answer Examples
Question: How can the Data Protection Act create problems in a corporate investigation?
Answer: