Computer forensics is a fast-growing field that involves carefully collecting, identifying and analyzing evidence, not only to measure the damage done to a computer as a result of an electronic attack but also to recover lost information from such a system so that a criminal can be prosecuted. As computers grow more powerful, the field of computer forensics must keep pace. In the early days of computing, a single detective could sort through every file on a system because storage capacity was so low. Today that would be an overwhelming task, with hard drives holding gigabytes and even terabytes of data. It is therefore vital to follow an investigation plan that covers legal documentation, preservation, collection, examination, analysis, and reporting of the evidence found.
This investigation plan covers how to properly conduct a computer forensics investigation.
Before an investigation can begin, the necessary legal documents should be obtained; the next recommended step is to conduct interview questions. The interview is crucial because it helps determine what is needed in the case and whether there is enough information to pursue the investigation. Asking the who, what, when, where, why and how of the incident sets the foundation for the investigation and shows whether enough information has been collected to proceed to the next step. Below are the questions that were asked during the meeting.
Name, title, and role in the investigation
What organization started the investigation?
Who is involved in the investigation?
Who is the lead investigator?
Who will be assisting with the digital forensics?
What was the crime committed?
When did the crime occur?
Please give a detailed summary of the incident.
How many people are involved in the crime?
What are the names of the people connected to the crime?
Are any of those involved under the age of 18?
Have the suspects been located, or are they still wanted?
Are the charges being filed in a county or federal court?
Does the District Attorney have guidelines on filing the case in court?
Are there any legal restrictions?
Where is the crime scene located? Are there other crime scene locations?
Is there a related crime or investigation?
What evidence was retrieved?
Was a search warrant present?
What does the search warrant authorize to be collected? What evidence was actually collected?
What type of evidence is being looked at? (pictures, videos, etc.)
Have all legal documents and procedures been completed?
Police reports state the findings of incidents. Below is the document that will need to be kept on record. The police report is an example that can be used to document evidence as soon as a crime has been discovered (“Sample Police Report”). For example:
Figure 1, Example of Police Report
Chain of Custody
A chain of custody is the chronological documentation, or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, whether physical or electronic. Because this evidence may be used in court to convict persons of crimes, it must be handled carefully to avoid later allegations of tampering or misconduct. A typical chain of custody document may include:
Date and time
Name of investigator(s)
Name of the owner of the media or computer
Lab or case number
Type of media
Serial number of the media, if available
Make and model of hard drive or other media
Storage capacity of the device or hard drive
Method of capture (tools used)
Physical description of the computer and whether it was on or off
Name of the image file or resulting files that were collected
Hash value of the source hard drive or files
Hash value of the resulting image files, for verification
Comments or issues encountered
Signatures of the persons giving and taking possession of the evidence (“How to Document Your Chain of Custody and Why It’s Important.”)
Figure 2, Example of Chain of Custody
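The fields listed above can be kept as a working record rather than a paper form. The following is an added example, not code from the original page or from the cited article: it builds a chain-of-custody record around a forensic image, stores the source and image hashes, and re-hashes the image at every transfer of possession so that later alteration shows up in the log. The case number, investigator name, media details and file names are constructed for the demonstration.

```python
"""Chain-of-custody record for a forensic image, with hash verification.

Added example (not from the original page or any cited source). The record
fields follow the chain-of-custody list above: case number, investigator,
media description, capture tool, image file name, source and image hashes,
transfers of possession, and issues encountered. All names are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Hex digest of a file, read in chunks so multi-gigabyte images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class ChainOfCustody:
    """Append-only record of who held the evidence and whether it stayed intact."""

    def __init__(self, case_number, investigator, media, image_path, tool, source_hash):
        self._image_path = image_path
        self.record = {
            "case_number": case_number,
            "investigator": investigator,
            "media": media,  # make, model, serial, capacity, owner
            "capture_tool": tool,
            "image_file": os.path.basename(image_path),
            "source_hash_sha256": source_hash,
            "image_hash_sha256": hash_file(image_path),
            "transfers": [],
            "issues": [],
        }
        # A verified acquisition: the image must hash the same as the source medium.
        if self.record["image_hash_sha256"] != source_hash:
            self.record["issues"].append("image hash does not match source hash at acquisition")

    def transfer(self, from_person, to_person, purpose, when=None):
        """Log a hand-off and re-verify the image; returns True if the hash still matches."""
        when = when or datetime.now(timezone.utc)
        current = hash_file(self._image_path)
        intact = current == self.record["image_hash_sha256"]
        self.record["transfers"].append({
            "timestamp": when.isoformat(),
            "from": from_person,
            "to": to_person,
            "purpose": purpose,
            "hash_verified": intact,
        })
        if not intact:
            self.record["issues"].append(f"hash mismatch on transfer to {to_person}: {current}")
        return intact

    def intact(self):
        """True only if no acquisition or transfer ever produced a mismatch."""
        return not self.record["issues"]

    def to_json(self):
        return json.dumps(self.record, indent=2)


def demo():
    """Constructed scenario: acquire, hand off twice, then detect a modified image."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "suspect_drive.dd")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sector data" * 100)
        source_hash = hash_file(image)  # in practice: the hash taken of the original drive
        media = {"make": "ExampleDisk", "serial": "SN-0001", "capacity": "500 GB"}
        coc = ChainOfCustody("2018-124567", "Det. Example", media, image,
                             "dd via hardware write blocker", source_hash)
        ok1 = coc.transfer("Det. Example", "Evidence locker", "storage")
        ok2 = coc.transfer("Evidence locker", "Lab analyst", "examination")
        with open(image, "ab") as f:
            f.write(b"tampered")  # simulated alteration while in the analyst's custody
        ok3 = coc.transfer("Lab analyst", "Evidence locker", "return")
        return ok1, ok2, ok3, coc.intact()
```

In the constructed run the first two transfers verify, the third fails because the image was altered, and the record as a whole reports that it is no longer intact; `to_json()` yields the document that would be filed with the case.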
Search Warrants and Subpoenas
An affidavit and application for a
warrant to search a computer are in most respects the same as any other search
warrant affidavit and application: the affiant swears to facts that establish
that there is probable cause to believe that evidence of crime (such as
records), contraband, fruits of crime, or instrumentalities of crime is present
in a private space (such as a computer’s hard drive, or other media, which in
turn may be in another private space, such as a home or office), and the
warrant describes with particularity the things (records and other data, or
perhaps the computer itself) to be searched and seized. The process of drafting
an affidavit and application, then, falls into two general steps: establishing
probable cause to search the computer, and describing with particularity the
data to be taken from the computer or the computer hardware itself (Pollitt,
M., Noblett, M., Strang, R., Kerr, O., & Presley, L., 2002).
Figure 3, Example of United States District Court Search and Seizure Warrant
A subpoena to the ISP (Internet Service Provider) can be drafted to obtain records of the alleged internet activity. Below is an example of a subpoena.
Collection – search and seizure of digital evidence, and acquisition of data
Examination – applying techniques to identify and extract data
Analysis – using data and resources to prove a case
Reporting – presenting the information gathered (e.g., a written case report)
Forensic readiness means that the whole incident response procedure is ready to go, with designated, trained personnel to handle the investigation. It includes the collection and preservation of digital evidence in a quick, well-organized manner with minimal investigation costs. Readiness covers people, tools, and budget.
The number of people involved in the digital forensic investigation, and what needs to be examined, depends on how many people are involved in the case. A small investigation could probably be conducted by two investigators: if there is only one computer and a thumb drive to examine, one or two investigators would be enough. People included in the investigation may include district attorneys, investigators, agency managers, police officers and others involved in the case.
Tools, toolkits, and imaging
Comprehensive forensic software tools (such as EnCase Forensic Edition, X-Ways Forensics, Paraben, Forensic Toolkit (FTK), Linux dd, etc.) will be used for the investigation to provide collection, indexing, and detailed analysis.
The forensic investigation consists of gathering computer forensic information; the process can begin by analyzing network traffic with a packet analyzer or sniffer such as Wireshark, which captures traffic and logs it for further analysis. NetworkMiner, a Network Forensic Analysis Tool (NFAT), is an alternative to Wireshark for extracting or recovering files from captured traffic. Snort, by contrast, is a valuable tool for tracking down network intruders in real time.
NFAT software also provides forensic capabilities by performing analysis on stored network traffic, as its name suggests. For incident response and identification, the Forensic Toolkit (FTK) can be used to identify deleted files and recover them, whereas EnCase is suited to forensic, cyber-security and e-discovery use (“Computer Crime Investigation Using Forensic Tools and Technology.”).
The following are the computer forensic tools used for data collection. Guidance Software’s EnCase (www.guidancesoftware.com): EnCase is a forensic imaging and analysis program for various operating systems that is used to perform computer-related investigations. EnCase can quickly find files that have been misplaced or deleted. It also allows an investigator to understand and define the information present on a system.
AccessData’s Forensic Toolkit (www.accessdata.com): AccessData’s Forensic Toolkit, referred to by forensic analysts simply as FTK, contains a full suite of password recovery tools, drive and media wipers, a registry viewer, and other useful products. The password recovery tools also unlock locked files. Most people reuse passwords, so one recovered password often opens other files and systems as well, which helps the investigator just as it would help an attacker. The software also provides password management, which organizes and analyzes multiple files. The Forensic Toolkit also recovers multilingual passwords, allowing the investigator to open files protected against unauthorized access.
In addition to the toolkit and imaging programs, some of the other tools that are needed are as follows: screwdrivers, sockets, hex keys, grounding devices, suction cups, a flashlight, tape, zip ties, string, scissors, pliers, wire cutters, razor blades, labels, a camera, a blanket, a Faraday bag, storage bags/cases, a magnifying glass, an extension cord, various cables and connectors, pencil, paper/log book, permanent marker, air sickness bags, latex gloves, and a black light (Gogolin, G, 2013).
After the evidence has been collected, the examination and analysis of the case begin in the forensics lab. First, a timeline analysis is created. This is a crucial and very useful step because it presents, in a human-readable format, when files were modified, accessed, changed and created, known as MAC time evidence. The data is gathered using a variety of tools and is extracted from the metadata layer of the file system (inodes on Linux ext file systems, or MFT records on Windows NTFS), then examined and sorted so that it can be analyzed. Timelines of memory artifacts can also be very useful in reconstructing what happened. The end goal is to generate a snapshot of the activity on the system, including its date, the artifact involved, the action and the source. Creating the timeline is easy, but interpreting it is hard. Interpretation calls for being meticulous and patient, and it is easier with comprehensive knowledge of file system and operating system artifacts. Several commercial and open source tools exist for this step, such as the SIFT Workstation, which is freely available and frequently updated.
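The following is an added example of the timeline step, not code from the original page or from the SIFT Workstation or The Sleuth Kit. It reads each file's modified, accessed and changed (ctime) timestamps from the file system metadata with os.stat(), records every timestamp as its own event, and sorts the events into one chronological timeline in the style of a bodyfile/mactime listing. The sample directory, file names and back-dated timestamps are constructed so that the example runs offline; a real timeline would be built from a mounted image or from file system metadata parsed out of the image.

```python
"""Build a MAC-time timeline from file system metadata.

Added example, not from the original page or from any forensic suite. Walks a
directory tree with os.stat(), emits one event per (file, timestamp type) and
sorts them chronologically. The demo directory and timestamps are constructed.
"""
import os
import tempfile
from datetime import datetime, timezone


def collect_mac_events(root):
    """One event per file per timestamp type; times are timezone-aware UTC datetimes."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            times = {"m": st.st_mtime, "a": st.st_atime, "c": st.st_ctime}
            # Creation ("birth") time is only exposed on some platforms (macOS, BSD,
            # and Windows through st_birthtime on newer Pythons); include it when present.
            birth = getattr(st, "st_birthtime", None)
            if birth is not None:
                times["b"] = birth
            for kind, ts in times.items():
                events.append({
                    "time": datetime.fromtimestamp(ts, tz=timezone.utc),
                    "macb": kind,
                    "path": os.path.relpath(path, root),
                    "size": st.st_size,
                })
    return events


def build_timeline(events):
    """Sort chronologically; ties break on path then timestamp type for stable output."""
    return sorted(events, key=lambda e: (e["time"], e["path"], e["macb"]))


def format_timeline(timeline):
    """Render mactime-style lines: time, size, which timestamp, path."""
    labels = {"m": "modified", "a": "accessed", "c": "changed", "b": "created"}
    return [f"{e['time'].isoformat()}  {e['size']:>8}  {labels[e['macb']]:<8}  {e['path']}"
            for e in timeline]


def demo():
    """Constructed case: three files with back-dated mtime/atime, deliberately out of
    creation order. Returns the ordered (path, type) pairs for the m and a events."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # relative path: (mtime, atime) as epoch seconds in January 2018
            "docs/report.docx": (1515500000, 1515600000),
            "tmp/wipe.exe": (1515400000, 1515700000),
            "pics/img001.jpg": (1515450000, 1515450000),
        }
        for rel, (mtime, atime) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"constructed content")
            os.utime(path, (atime, mtime))  # os.utime takes (atime, mtime)
        timeline = build_timeline(collect_mac_events(root))
        for line in format_timeline(timeline):
            print(line)
        # ctime cannot be back-dated from user space, so those events carry the
        # current time and sort last; they are left out of the returned summary.
        return [(e["path"], e["macb"]) for e in timeline if e["macb"] in ("m", "a")]
```

Note what the constructed output shows: the executable in tmp/ was modified before any of the documents but accessed last, which is exactly the kind of ordering an examiner would want to notice, and it only appears when all the timestamps of all files are merged into one sorted list.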
The budget will depend on several aspects of the investigation, which are detailed in the investigation plan below.
The acquisition process includes making copies of the digital evidence. It is best practice for an investigator to work on a copy of the electronic evidence so that accessing or reading the files does not accidentally modify or damage the original. A write blocker is a device that lets a drive be read and copied while preventing any writes to it, removing the possibility of accidentally altering the drive contents. The following gives a guideline for the acquisition:
Secure the digital evidence.
Document the hardware and software configuration of the examiner’s system.
Verify operation of the examiner’s computer system, including hardware and software.
Disassemble the case of the computer to be examined to permit physical access to the storage devices.
Ensure equipment is protected from static electricity and magnetic fields.
Identify storage devices that need to be acquired. These devices can be internal, external, or both.
Document internal storage devices and hardware configuration.
-Drive condition (e.g., make, model, geometry, size, jumper settings, location, drive interface).
-Internal components (e.g., sound card; video card; network card, including media access control (MAC) address; personal computer memory card international association (PCMCIA) cards).
Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data.
Retrieve configuration information from the suspect’s system through controlled boots.
Perform a controlled boot to capture CMOS/BIOS information and test functionality.
•Boot sequence (this may mean changing the BIOS to ensure the system boots from the floppy or CD-ROM drive).
•Time and date.
•Power on passwords.
Perform a second controlled boot to test the computer’s functionality and the forensic boot disk.
•Ensure the power and data cables are properly connected to the floppy or CD-ROM drive, and ensure the power and data cables to the storage devices are still disconnected.
•Place the forensic boot disk into the floppy or CD-ROM drive. Boot the computer and ensure the computer will boot from the forensic boot disk.
Reconnect the storage devices and perform a third controlled boot to capture the drive configuration information from the CMOS/BIOS.
•Ensure there is a forensic boot disk in the floppy or CD-ROM drive to prevent the computer from accidentally booting from the storage devices.
•Drive configuration information includes logical block addressing (LBA); large disk; cylinders, heads, and sectors (CHS); or auto-detect.
Power the system down.
Whenever possible, remove the subject storage device and perform the acquisition using the examiner’s system. When attaching the subject device to the examiner’s system, configure the storage device so that it will be recognized.
Exceptional circumstances, including the following, may result in a decision not to remove the storage devices from the subject system:
•RAID (redundant array of inexpensive disks). Removing the disks and acquiring them individually may not yield usable results.
•Laptop systems. The system drive may be difficult to access or may be unusable when detached from the original system.
•Hardware dependency (legacy equipment). Older drives may not be readable in newer systems.
•Equipment availability. The examiner does not have access to the necessary equipment.
•Network storage. It may be necessary to use the network equipment to acquire the data.
When using the subject computer to acquire digital evidence, reattach the subject storage device and attach the examiner’s evidence storage device (e.g., hard drive, tape drive, CD-RW, MO).
Ensure that the examiner’s storage device is forensically clean when acquiring the evidence.
Write protection should be initiated, if available, to preserve and protect the original evidence.
If hardware write protection is used:
•Install a write protection device.
•Boot the system with the examiner-controlled operating system.
If software write protection is used:
•Boot the system with the examiner-controlled operating system.
•Activate write protection.
Investigate the geometry of any storage devices to ensure that all space is accounted for, including host-protected data areas (e.g., nonhost specific data such as the partition table matches the physical geometry of the drive).
Capture the electronic serial number of the drive and other user-accessible, host-specific data.
Acquire the subject evidence to the examiner’s storage device using the appropriate software and hardware tools, such as:
•Stand-alone duplication software.
•Forensic analysis software suite.
•Dedicated hardware devices.
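The acquisition steps above end with copying the subject device to the examiner's storage. The following is an added example, not code from the original page or from the guide the steps follow, of what a stand-alone duplication tool has to get right: it reads the source block by block, zero-fills any block that fails to read so that the offsets in the image still line up with the device (the behaviour of `dd conv=noerror,sync`), records which blocks were bad, hashes the data as it is read, and then re-hashes the finished image to verify it. The "device" is a constructed file and the FlakyDevice class simulates an unreadable sector; a real acquisition would open the block device behind a write blocker instead.

```python
"""Bit-for-bit acquisition with read-error handling and hash verification.

Added example; it is not from the original page or from any forensic tool.
The source "device" is a constructed file, and FlakyDevice simulates a bad
sector. A real run would read the block device (for instance /dev/sdb)
through a hardware or software write blocker.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # assumed sector size for the constructed device


class FlakyDevice:
    """Block reader over a file that raises OSError for chosen block numbers."""

    def __init__(self, path, bad_blocks=()):
        self.path = path
        self.bad_blocks = set(bad_blocks)

    def read_block(self, index):
        if index in self.bad_blocks:
            raise OSError(f"I/O error reading block {index}")  # simulated bad sector
        with open(self.path, "rb") as f:
            f.seek(index * BLOCK_SIZE)
            return f.read(BLOCK_SIZE)

    def size(self):
        return os.path.getsize(self.path)


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(device, image_path):
    """Image `device` to `image_path`; returns a report with hashes and bad blocks."""
    running = hashlib.sha256()  # hash of exactly the bytes written, taken during the read
    bad_blocks = []
    total_blocks = -(-device.size() // BLOCK_SIZE)  # ceiling division
    with open(image_path, "wb") as out:
        for index in range(total_blocks):
            try:
                data = device.read_block(index)
            except OSError:
                bad_blocks.append(index)
                data = b"\x00" * BLOCK_SIZE  # conv=sync behaviour: pad the unreadable block
            running.update(data)
            out.write(data)
    image_hash = sha256_file(image_path)
    return {
        "blocks": total_blocks,
        "bad_blocks": bad_blocks,
        "acquired_sha256": running.hexdigest(),
        "image_sha256": image_hash,
        # "verified" means the image on disk matches what was read from the device.
        # With bad blocks it cannot equal a hash of the original medium, which is
        # why the bad block numbers belong in the chain-of-custody notes.
        "verified": image_hash == running.hexdigest(),
    }


def demo():
    """Constructed run: a clean acquisition and one with a bad sector at block 5."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect.img")
        content = bytes(range(256)) * 20  # 5120 bytes = 10 blocks, deterministic
        with open(src, "wb") as f:
            f.write(content)
        clean = acquire(FlakyDevice(src), os.path.join(d, "clean.dd"))
        flaky = acquire(FlakyDevice(src, bad_blocks=[5]), os.path.join(d, "flaky.dd"))
        # What a correctly zero-filled image of the flaky device must hash to:
        expected = content[:5 * BLOCK_SIZE] + b"\x00" * BLOCK_SIZE + content[6 * BLOCK_SIZE:]
        return {
            "clean": clean,
            "flaky": flaky,
            "source_sha256": hashlib.sha256(content).hexdigest(),
            "expected_flaky_sha256": hashlib.sha256(expected).hexdigest(),
        }
```

The clean run produces an image whose hash equals the hash of the source, which is the value that goes on the chain-of-custody form. The run with a bad sector still verifies, because the image matches what was actually read, but its hash differs from the source hash and the report lists block 5 as unreadable; both facts have to be written down, or the mismatch will look like tampering later.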
Case No: 2018-124567
Date: January 11, 2018
Prepared By: Sheriff
Description of Incident
On Tuesday, January 9, 2018, I was dispatched to 12345 Butter Cream Drive regarding a cyber-related call. When I arrived, Jamie Butler was trying to destroy computer components on his neighbor’s property. There were reports from an anonymous caller stating that Jamie Butler was involved in downloading mass data illegally and possibly child pornography. Mr. Butler was arrested for trespassing onto his neighbor’s property, which led to confiscating his computer equipment for evidence of