forensics tries to reconstruct and explain activities and events - - PowerPoint PPT Presentation



SLIDE 2

  • forensics tries to reconstruct and explain activities and events
    ▪ their actors and participants
    ▪ causes
    ▪ consequences
  • individual forensic procedures
    ▪ in the best case can only provide parts of the puzzle
  • for the whole picture/story
    ▪ they need to be put in the right sequence
    ▪ and interpreted in a broader context
  • because of the legal ramifications of a forensic investigation, it is important to
    ▪ make sure that forensic material cannot be changed (tampered with) after being acquired
    ▪ and that this can be proved
  • therefore we need well-defined procedure(s)

2015-2017 (c) P.Pale: Računalna forenzika - Procedures 21.12.2018.

SLIDE 3

  • police (court) forensics
    ▪ have their required, mandatory procedures
    ▪ scope defined by law
  • this course teaches generic/general forensics
    ▪ applicable in industry
  • therefore it is not based on procedures defined by any law(s)


SLIDE 4

  • reconnaissance of the target system
  • planning the evidence acquisition
  • acquisition of evidence material
  • storing and guarding the material
  • analysis of the material
  • reporting
  • But!
    ▪ before the beginning
    ▪ acquire/define the questions you need to answer
    ▪ in written form


SLIDE 5

  • what is it all about – what are we investigating
    ▪ disaster, attack, problems, suspicion…
  • define the scope of the system – what are we going to observe/analyse
    ▪ computer/device, cluster, system, data, organization, public…
  • enumerate/list components
    ▪ servers, workstations, portable devices, phones, other equipment connected with IT components
  • interview actors and stakeholders
    ▪ operators, managers, management, users, partners…
  • gather the documentation
    ▪ communication system’s blueprints
    ▪ logic blueprints of the information system


SLIDE 6

  • gather as much information as possible
    ▪ about the subject of the investigation
  • passive gathering
  • interviews
    ▪ users
    ▪ operators
    ▪ authorized persons
    ▪ everybody involved
  • find out
    ▪ which network resources are used
    ▪ which communication systems
      • mail servers
      • social networks


SLIDE 7

  • identify the target device/program/data
  • if this is not possible, then enumerate/list:
    ▪ computers: servers, users’
    ▪ handheld devices
    ▪ communication equipment
    ▪ other
  • identify other target devices
  • identify other target data
  • determine which devices can be turned off
  • define the sequence of acquisition
  • ensure the legitimacy of the procedure, authority, support


SLIDE 8

  • remove all persons from the physical space except forensics staff
  • do not touch anything
  • take photos of the scene
    ▪ record (in writing) everything that seems important
  • take photos and document how things were connected
  • seize devices
  • take cables too, if they are special
    ▪ power supplies
  • take media
  • do not forget printed documents
    ▪ hand-written notes, reminders etc.
  • physically protect the objects
    ▪ for transport
    ▪ for storage
    ▪ prepare instructions for transport
  • label every object uniquely
    ▪ the very object
    ▪ and its packaging
  • prepare all necessary documentation for the takeover of evidence
    ▪ and acquire all signatures

SLIDE 9

  • do not turn off devices which are turned on
    ▪ do not turn on those which are turned off
  • put communication devices which have wireless communication in Faraday bags
  • look around the devices
    ▪ take all gadgets which could be part of the device
  • if you have to turn the device off
    ▪ first take a photo of the screen
    ▪ make a list of active applications, visited web sites, …
  • if it can be done safely!!!
    ▪ capture the RAM
    ▪ take the battery out of portable devices
  • when detaching cables
    ▪ label them, make sketches
    ▪ and take photos


SLIDE 10

  • storage and protection must be according to law
  • keep a separate inventory of stored materials
  • copy everything that can be copied
    ▪ analysis should not be done on original evidence material
  • access to stored evidence material must be under strict surveillance
    ▪ this pertains to the investigator’s notes and reports too
    ▪ keep an access log for the stored material
  • take special care about parts of devices that can be detached
    ▪ each part should be separately labeled and logged

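The two requirements above ("copy everything, analyse only copies" here, and "material cannot be changed after acquisition, and this can be proved" on slide 2) are usually met by hashing. The following is an added example, not code from the lecture: it hashes the original before and after the copy, hashes the working copy, makes the copy read-only, and records everything in a manifest whose own hash goes into the chain-of-custody record. The file names, the evidence label `EV-001`, the `operator` field and the sample disk image are constructed for the example; a real acquisition would image through a write blocker with a forensic imaging tool, and this script only shows the verification bookkeeping around it.

```python
"""Added example: hash-verified working copies plus an evidence manifest.
Not from the lecture slides; file names and the sample evidence are constructed."""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so multi-GB images are never loaded into RAM at once


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def make_working_copy(original, copy_path, label, operator):
    """Copy `original` to `copy_path` and return one manifest entry.

    The original is hashed before and after the copy (proves the acquisition
    did not alter it) and the copy is hashed after writing (proves the copy is
    bit-identical). Any mismatch aborts instead of producing an untrusted copy.
    """
    before = sha256_file(original)
    shutil.copyfile(original, copy_path)
    os.chmod(copy_path, 0o444)  # analysis tools must not be able to modify the copy by accident
    if sha256_file(original) != before:
        raise RuntimeError(f"{original}: original changed during acquisition")
    if sha256_file(copy_path) != before:
        raise RuntimeError(f"{copy_path}: copy does not match original")
    return {
        "label": label,  # unique evidence label, the same one written on the physical tag
        "original": os.path.abspath(original),
        "copy": os.path.abspath(copy_path),
        "size_bytes": os.path.getsize(original),
        "sha256": before,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
    }


def write_manifest(entries, manifest_path):
    """Write the manifest and return its own SHA-256, which is recorded in the
    (paper or separately stored) chain-of-custody log."""
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)
    return sha256_file(manifest_path)


def verify_manifest(manifest_path, expected_manifest_hash=None):
    """Re-hash every copy listed in the manifest; return {label: True/False}.

    A missing or altered copy is False. If the recorded manifest hash is given
    and does not match, every entry is False: the manifest itself is not trusted.
    """
    with open(manifest_path, encoding="utf-8") as fh:
        entries = json.load(fh)
    manifest_ok = (expected_manifest_hash is None
                   or sha256_file(manifest_path) == expected_manifest_hash)
    status = {}
    for entry in entries:
        copy_ok = os.path.exists(entry["copy"]) and sha256_file(entry["copy"]) == entry["sha256"]
        status[entry["label"]] = manifest_ok and copy_ok
    return status


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()
    original = os.path.join(work, "laptop-disk.img")
    with open(original, "wb") as fh:  # constructed stand-in for an acquired disk image
        fh.write(b"NTFS    " + b"\x00" * 4096)
    entry = make_working_copy(original, os.path.join(work, "laptop-disk.copy.img"),
                              "EV-001", "analyst A")
    manifest = os.path.join(work, "manifest.json")
    manifest_hash = write_manifest([entry], manifest)
    print(manifest_hash, verify_manifest(manifest, manifest_hash))
```

Record the manifest hash somewhere the manifest cannot alter (the paper custody form, or a separately access-controlled log); a manifest stored beside the copies it describes proves nothing on its own.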

SLIDE 11

  • acquire the order for analysis
    ▪ what are we looking for?
    ▪ which questions do we need to answer?
  • perform the forensic analysis
    ▪ but on copies of the data
  • keep a precise log
    ▪ what was investigated
    ▪ why
    ▪ who performed the investigation
    ▪ how, with what
    ▪ what did they find
      • data
      • conclusions
  • prepare data for the report


SLIDE 12

  • Investigation
  • Expert
  • Date
  • Place
  • ID of analysis
  • ….
  • question or hypothesis
  • the object (which material) will be analyzed
  • which method
  • which tools
  • when (from – to)
  • results
  • conclusion/finding
  • next step - proposal
SLIDE 13

  • who (all) will receive reports & what are their questions
  • separate reports for different recipients
    ▪ based on the gathered documentation and
    ▪ the results of the analyses
  • Important! The forensic expert is not the judge and does not define responsibility.
    ▪ but merely states facts & offers expert interpretation
    ▪ in the ideal case, the forensic expert merely answers the questions
  • take care about the level of confidentiality
    ▪ mark confidentiality in an appropriate manner
  • get ready for oral presentation of findings and/or
    ▪ questions
    ▪ counter-arguments
  • keep a detailed log of the answers given

SLIDE 14

  • Case description
  • Broader assignment
    ▪ order/warrant
  • Expert opinion
    ▪ answer to question #1
    ▪ answer to question #2
    ▪ …
    ▪ answer to question #N
  • Argumentation
    ▪ by each question
    ▪ short
  • Findings of analyses
    ▪ results
    ▪ by each question/analysis
  • Forensic team
    ▪ their competences
  • Methods of work
  • Addenda
  • the report is the result of your entire work
    ▪ others do not see the rest
    ▪ any other expert should understand it
    ▪ and reach the same conclusions
SLIDE 15

  • when you are sure there will be no more investigation
    ▪ return all evidence material
    ▪ archive all documentation
      • lists
      • minutes
      • logs
      • reports
    ▪ in special cases – destroy all work materials
      • and have the proof that you did it
