
Chapter 2
Understanding Computer Investigations
Guide to Computer Forensics and Investigations, Fourth Edition

Objectives
• Explain how to prepare a computer investigation
• Apply a systematic approach to an investigation
• Describe procedures for corporate high-tech investigations
• Explain requirements for data recovery workstations and software
• Describe how to conduct an investigation
• Explain how to complete and critique a case

Preparing a Computer Investigation
• Role of computer forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy
• Collect evidence that can be offered in court or at a corporate inquiry
  – Investigate the suspect’s computer
  – Preserve the evidence on a different computer
• Follow an accepted procedure to prepare a case
• Chain of custody
  – Route the evidence takes from the time you find it until the case is closed or goes to court

An Overview of a Computer Crime
• Computers can contain information that helps law enforcement determine:
  – Chain of events leading to a crime
  – Evidence that can lead to a conviction
• Law enforcement officers should follow proper procedure when acquiring the evidence
  – Digital evidence can be easily altered by an overeager investigator
• Information on hard disks might be password protected

An Overview of a Company Policy Violation
• Employees misusing resources can cost companies millions of dollars
• Misuse includes:
  – Surfing the Internet
  – Sending personal e-mails
  – Using company computers for personal tasks

Taking a Systematic Approach
• Steps for problem solving
  – Make an initial assessment about the type of case you are investigating
  – Determine a preliminary design or approach to the case
  – Create a detailed checklist
  – Determine the resources you need
  – Obtain and copy an evidence disk drive

Taking a Systematic Approach (continued)
• Steps for problem solving (continued)
  – Analyze and recover the digital evidence
  – Investigate the data you recover
  – Complete the case report
  – Critique the case

Assessing the Case
• Systematically outline the case details
  – Situation
  – Nature of the case
  – Specifics of the case
  – Type of evidence
  – Operating system
  – Known disk format
  – Location of evidence

Assessing the Case (continued)
• Based on case details, you can determine the case requirements
  – Type of evidence
  – Computer forensics tools
  – Special operating systems

Planning Your Investigation
• A basic investigation plan should include the following activities:
  – Acquire the evidence
  – Complete an evidence form and establish a chain of custody
  – Transport the evidence to a computer forensics lab
  – Secure evidence in an approved secure container

Planning Your Investigation (continued)
• A basic investigation plan (continued):
  – Prepare a forensics workstation
  – Obtain the evidence from the secure container
  – Make a forensic copy of the evidence
  – Return the evidence to the secure container
  – Process the copied evidence with computer forensics tools

Planning Your Investigation (continued)
• An evidence custody form helps you document what has been done with the original evidence and its forensics copies
• Two types
  – Single-evidence form
    • Lists each piece of evidence on a separate page
  – Multi-evidence form

Securing Your Evidence
• Use evidence bags to secure and catalog the evidence
• Use computer safe products
  – Antistatic bags
  – Antistatic pads
• Use well padded containers
• Use evidence tape to seal all openings
  – Floppy disk or CD drives
  – Power supply electrical cord
• Write your initials on tape to prove that evidence has not been tampered with
• Consider computer specific temperature and humidity ranges

Procedures for Corporate High-Tech Investigations
• Develop formal procedures and informal checklists
  – To cover all issues important to high-tech investigations

Employee Termination Cases
• Majority of investigative work for termination cases involves employee abuse of corporate assets
• Internet abuse investigations
  – To conduct an investigation you need:
    • Organization’s Internet proxy server logs
    • Suspect computer’s IP address
    • Suspect computer’s disk drive
    • Your preferred computer forensics analysis tool
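
How the first two items on that list fit together, as an added example (not from the slides or the textbook): the proxy server logs are filtered by the suspect computer's IP address to build an activity summary. The log layout (Squid's native access.log format), the addresses, the host names and the function names are all assumptions made for this sketch.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample; assumed layout (Squid native access.log):
# epoch.ms elapsed client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1700000000.120 85 10.0.0.23 TCP_MISS/200 5120 GET http://intranet.example.test/home - DIRECT/10.0.0.5 text/html
1700000030.500 140 10.0.0.42 TCP_MISS/200 20480 GET http://videos.example.test/watch?v=1 - DIRECT/203.0.113.9 text/html
1700000065.010 12 10.0.0.42 TCP_DENIED/403 900 CONNECT games.example.test:443 - NONE/- text/html
this line is truncated
1700003700.900 300 10.0.0.42 TCP_MISS/200 40960 GET http://videos.example.test/watch?v=2 - DIRECT/203.0.113.9 video/mp4
"""

def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        when = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
        size = int(parts[4])
    except ValueError:
        return None
    result = parts[3].partition("/")[0]
    url = parts[6]
    # CONNECT requests are logged as "host:port" rather than a full URL.
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return {"time": when, "client": parts[2], "result": result,
            "bytes": size, "method": parts[5], "host": host}

def activity_for(log_text, suspect_ip):
    """Return (records for suspect_ip, number of unparseable lines)."""
    hits, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # report these; never drop them silently
        elif rec["client"] == suspect_ip:
            hits.append(rec)
    return hits, skipped

def summarize(hits):
    """Totals an examiner would carry into the case report."""
    times = [h["time"] for h in hits]
    return {"requests": len(hits),
            "bytes": sum(h["bytes"] for h in hits),
            "denied": sum(h["result"] == "TCP_DENIED" for h in hits),
            "hosts": dict(Counter(h["host"] for h in hits)),
            "first": min(times).isoformat() if times else None,
            "last": max(times).isoformat() if times else None}

if __name__ == "__main__":
    records, bad = activity_for(SAMPLE_LOG, "10.0.0.42")
    print(summarize(records), "unparseable lines:", bad)
```

Run it against a working copy of the log, never the original, and record the count of unparseable lines alongside the summary.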


UB MGS 610 - Chapter 2 Understanding Computer Investigations
