Computer and Hacking Forensics
CHFI Module 02 Part 2 Investigative Process md5calc Lab ..
Welcome to Cybrary IT. Most of the investigative process in computer forensics is already dictated to us by the current laws and legislation. So let’s go ahead and take a closer look. You have 18 US Code 1361 – and I encourage everyone to look these up for yourself, okay? I’m not giving, um, legal advice here. I’m just simply illustrating the current laws that are in place so do your due diligence and practice due care. You have 18 US Code 1361 which is malicious mischief. You have 18 US Code 1029; this is fraud and related to computers and access devices. You have 18 US Code 1030; this is fraud and related to computer systems. You have a bunch of different rules that are applied, ah, and you should be familiar with these. You have Rule 402; this is the admissibility of evidence, 901 which is the identification and authentication of evidence. Rule 608 the conduct of a witness and expected behavior of a witness. Rule 609 the impeachment of evidence. You have Rule 502 which is your attorney client privileges. You have Rule 614, interrogation of a witness. You have 701, opinion testimony. Rule 705, disclosure of facts. Rule 10, um, 02, um, the re, re, re requirement of the original evidence. You have Rule 1003 which is the admissibility of duplicates of evidence. And a couple of other variety of laws as well which you should be familiar about – with. You have, uh, ECPA which is Electronic Communications Privacy Act. You have US Patriot Act of 2001. You have the Privacy Protection Act in 1980 and the Cable Communications Policy Act, okay? And remember that all of these fit in to the larger scheme of things. Remember the big picture process here. We’re going to assess evidence, acquire it, and take it to our labs so we can analyze it. All of that needs to go through a management process; ultimately, write a report and eventually get to court. But before we do that, we have to do a little bit of ground work first. We have to actually do our homework and prepare. We’re going to need a workstation which we can analyze the evidence and we’re going to need a team of people other than ourselves, alright? Because we’re not the only ones in the process here, okay? So when it comes to building a workstation there is a variety of forensics-specific hardware. Sometimes you can just do this, as simple on a, uh, Windows Workstation. Other cases we have specific hardware requirements, uh, that we have to pay close attention to. Ultimately, we’re going to need to take an integrity snapshot of our evidence. This is where things like MD5 and SHA are going to come in to play. We’re going to need to do a whole bunch of recording – dates and times and fill out our forms. We’re going to be looking for deleted files. We’re going to be looking at removable media and analyzing hard drives. Um, and as far as the team goes, okay, we have a variety of roles and responsibilities that are going to be in play. So let’s look at a few of the players. You – good idea to have an attorney since we’re going to be going to court. More than likely you’re going to need a top-notch attorney and you’re probably going to need a photographer, an incident responder or an incident handler, or a first responder, someone to analyze the evidence, someone to document the evidence.
Some of these may or may not be the same people. Um, and ultimately, expert witnesses because they’re going to provide the testimony in court. Okay? So let’s take a closer look at the big picture process here, okay? Ultimately, for us to get in to court, we’re going to need a search warrant. This is normally done by the actual warrant itself. And they can be as generic as a whole company or as specific as one particular device. So, I normally chalk that up to scoping. Alright? What’s the scope? And once you supply the information to a judge to actually get your warrant we’re going to need to secure the scene. This is going to be everything from photographing the scene to labeling it to filling out our forms all the way in, in a complete manner – like dates and times and is the evidence volatile verses non-volatile? Or, generally these address the five Ws; the who, the what, the when, the where, the why, and the how of the evidence throughout the whole complete life-cycle. We need to collect evidence. Ah, this is everything from media, and cables, and hard drives, and memories, and trash, and peripherals, and – to removal of USB drives to DVD’s – whatever it is, you’re going to need to collect that evidence. You’re going to need to secure it to make sure that, ultimately, it can get in to court and be presented at, pre-presented. This is where chain of custody comes in and the management of evidence. You’re going to need to acquire the data so you can analyze it, right? And this is where we talk about image integrity and, um, our message digest or bit-by-bit copy so that when we take it in to our lab we can look at everything from slack space to unallocated space and things of the like. Alright? So then we’ll go in to the actual analysis. We’ll look at our file systems.
Some of the tools that we’ll discuss, um, will be open-source like FTK and then some of them will be just the run-of-the-mill software that I would chalk up to just you finding something available on the Internet. Nonetheless, whatever software you’re going to be using you need to make sure that it adheres to industry best practices because in the forensics process we don’t make stuff up. Alright? So you need an approved software, and then, of course, documentation and report. Alright? So, the investigative process in itself isn’t too bad, okay? There’s a couple different ways that you can approach this. Inside of accompanying, in terms of an investigative process, uh, you can kind of bundle this with the incident response and incident handling teams. Um, you can also reach out to a consultant or a third-party or you can get law enforcement involved, okay? Now, the difference here is that if you’re doing it internally, inside of a company, or if you’re reaching out to a consultant, information dissemination is controlled.
However, if you reach out to law enforcement, they start running the show so information dissemination is not necessarily controlled. Uh, law enforcement is going to have their own policies, standards, procedures, and guidelines, oh my. Alright? So that’s the big picture of the investigative process. So, let’s go ahead and take a look at a few of the labs, get familiar with some of the software that we’re going to use here. And let’s take – go ahead and take a closer look.