chapter 1 computer forensics and investigations as a profession

CHAPTER 1 

COMPUTER FORENSICS AND 

INVESTIGATIONS AS A PROFESSION 

Modified from the slides accompanying Nelson et al “Computer 

Forensics and Investigations”. (4ed) Original content © Richard 

Austin 

Instructor Bio 

30+ Year IT Career 

Resumed 26+ year HP career as a Cyber Security Engineer in Global Cyber Security 

MS in IS (concentration in INFOSEC) from KSU (a NCAE/IAE) 

CNSS Certificate in Information Security and Assurance (IATS 4011, 4012, 4013, 4014) 

Senior Member, IEEE 

Senior Member, ACM 

IEEE Computer Society, CTIN, ISC(2) 

Book review editor for IEEE Cipher Postcard 

SNIA Security Technical Working Group 

INCITS/CS1 

Storage and Evidence Working Group 

Incident Management Working Group 

NIST Cloud Forensics Working Group 

Cloud Security Alliance 

Trusted Cloud Reference Architecture Working Group 

Cloud Incident Response and Forensics Working Group 

Atlanta Chapter of Infragard 

Chapter 01 1 

Chapter 1 

2

Mr. Manners Says 

My name is not Dr. Austin (I don’t have a 

doctoral degree) 

You will treat your fellow students with the 

professional courtesy deserving of a 

colleague 

There are no “dumb” questions – only silly 

answers and I’ll provide most of those. 

Academic Honesty 

Trust is the 

foundational 

requirement for an 

information security 

professional 

Chapter 01 2 

Chapter 1 

NO!!! 

Chapter 1 4 

3

What will you learn? 

Not a certification prep 

Understand the legal and policy environment 

Similarities and differences between digital forensics and e-discovery 

Understand the place of forensics in the incident response 

process 

Processes for identifying, collecting, documenting and 

safeguarding evidence 

Analysis of evidence using EnCase Forensic Edition, FTK, The 

Sleuth Kit and the Volatility framework 

Build familiarity with the capabilities and use of forensic tools 

Documenting and reporting the analysis of evidence 

In both oral and written form 

Purpose and place of anti-forensics 

Chapter 01 3 

Chapter 1 

International Standards 

ISO 27041CD, p. vi 

Chapter 1 6 

5

Lecture Outline 

Introduce the Course 

Chapter 1 Lecture 

Define computer and network forensics 

Process for computer investigations 

Professional Guidelines and Ethics 

Class Logistics 

Chapter 01 4 

Chapter 1 

Lab/Lecture 

Notebook for class notes 

must be SEWN binding 

in your handwriting 

only thing you’re allowed to use for exams 

Laboratory Notebook (or equiv) 

Must have by first lab 

Chapter 1 

7 

8

Course Format 

We will cover entire text supplemented with 

selected outside readings 

There will be at least 8 lab activities 

You will perform one complete case 

investigation from the complaint through 

evidence collection and analysis, reporting and 

presentation to the company CEO and/or CFO 

with your assessment and recommendations for 

further action 

Chapter 01 5 

Chapter 1 

Additional Materials 

A sewn-bound notebook for your class notes 

Laboratory notebook – see specific 

requirement in the syllabus 

Chapter 1 

9 

10

Labs 

Lab assignments will be provided on the day 

of the lab 

There will be an answer/sheet report that 

must be turned in at the beginning of the 

next class meeting 

Duplicate record from your laboratory 

notebook must accompany answer sheet 

Must follow record keeping standard 

Grading 

Chapter 01 6 

Chapter 1 

Labs/Other Assignments 20% 

Exam I 20% 

Exam 2 20% 

Project 40% 

Chapter 1 12 

11

Late Work 

Late work will not be accepted except 

If you are absent on the date a deliverable is due, 

you may note that on the deliverable with the 

reason for your absence and turn it in at the next 

class. At my discretion, I may accept it for credit. 

DO NOT: 

EMAIL it 

Slide it under my office door 

Chapter 1 13 

Office Hours/Contact Info 

See me after class 

Other arrangements can be made via EMAIL 

It is very unlikely that you will reach me at my 

office phone and I do not use voicemail 

EMAIL is the most reliable method for contacting 

me and I will typically respond within 24 hours 

Chapter 1 14 

Chapter 01 7

WARNING 

Your text does contain errors which I will call 

attention to in class 

The “text book” answer may not be correct 

Lecture notes and classroom presentation 

overrule the text 

It is the best currently available forensics textbook 

Forensics is a fast-evolving profession and a text 

is, in some ways, already out-of-date by the time 

it is published 

What is “forensics” 

Chapter 01 8 

Chapter 1 

Webster – from L forensis fr forum. Belonging to, 

used in or suitable to courts of judicature or to 

public discussion and debate 

Saferstein – Forensic science in its broadest 

definition is the application of science to law 

Computer forensics – using accepted methods 

and procedures to properly seize, safeguard and 

analyze data. (Kroll Ontrack) 

Chapter 1 

15 

16

“Evidence” 

An item does not become officially a piece of 

evidence until a court admits it as such 

Opposing counsel can (and will) challenge this 

admission 

Incidentally, attorneys do argue with me about which 

comes first – the evidence or its admission 

Typically where we use the word “evidence,” 

we’re using it as a shortcut for “item of potential 

evidentiary value” 

Much of forensics practice concerns how to 

collect, preserve and analyze these items 

without compromising their potential to be 

admitted as evidence in a court of law 

Chapter 01 9 

Chapter 1 

So what is “digital evidence”? 

ISO 27037 – “information or data, stored or 

transmitted in binary form that may be relied 

on as evidence” 

Eoghan Casey – “any data stored or 

transmitted using a computer that support or 

refute a theory of the offense such as intent 

or alibi” (Dig. Evid. & Comp. Crime, p. 7) 

Brian Carrier – “digital data that support or 

refute a hypothesis about digital events or 

the state of digital data” (CERIAS TR 2006-6) 

Chapter 1 18 

17

Evidence 

Chapter 1 19 

Evidentiary Requirements 

(requirements for admissibility) 

Relevant 

Has an important role in deciding a question of 

fact 

Authentic 

The “real” thing 

Integrity preserved 

Really a component of authenticity but important 

enough to mention separately 

Has not been modified in any way 

Chapter 01 10 

Chapter 1 

20

It Matters In the Private 

Sector 

The legal 

profession is 

becoming 

increasingly 

savvy regarding 

digital evidence 

including its 

recovery 

through forensic 

processes 

Chapter 01 11 

Chapter 1 

Forensics | e-discovery 

The concepts are similar but different 

E-discovery formalized in the new FRCP 

Focused on indentifying and preserving all relevant 

digital information not protected by privilege in the 

digital corpus of an organization 

Forensics 

Similar goal but more attuned to indentifying and 

recovering digital artifacts relevant to the matter 

Explicitly interface in the “image-and-hold” 

preservation technique 

Chapter 1 22 

21

E-discovery 

Objectives 

Define computer forensics 

Chapter 1 23 

Describe how to prepare for digital investigations 

and explain the difference between law 

enforcement agency and corporate 

investigations 

Explain the importance of maintaining 

professional conduct 

Chapter 1 24 

Chapter 01 12

Understanding Digital 

Forensics 

Digital forensics 

Involves obtaining and analyzing digital information 

as well as communicating the results of analysis 

As evidence in civil, criminal, or administrative cases 

Understanding Digital 

Forensics 

Chapter 1 25 

Fourth Amendment to the U.S. Constitution 

Esablishes right to be secure in their person, 

residence, and property 

From search and seizure 

Search warrants are generally required for most LE 


Gray area around warrantless searches 

Chapter 1 26 

Chapter 01 13

Digital Forensics and Related 

Fields 

Computer forensics 

Investigates data that can be retrieved from a computer’s 

hard disk or other digital devices/media 

Network forensics 

Yields information about how a perpetrator or an attacker 

gained access to a network and how intrusion/extrusion 

unfolded over time 

Data recovery 

Recovering information that was deleted by mistake 

Or lost during a power surge or server crash 

Typically you know what you’re looking for 

Chapter 1 27 

Digital Forensics and Related 

Fields 

Digital forensics 

Overall umbrella term that includes computer, 

network, memory, etc., forensics 

Evidence can be inculpatory (“incriminating”) or 

exculpatory 

Disaster recovery 

Uses computer forensics techniques to retrieve 

information their clients have lost 

Investigators often work as a team to help secure 

computers and networks in an organization 

Chapter 1 28 

Chapter 01 14

Digital Forensics 

Digital Forensics in the 

Enterprise 

Enterprise network environment 

Chapter 1 29 

Large corporate computing systems that might 

include disparate or formerly independent systems 

Vulnerability assessment and risk 

management group 

Tests and verifies the integrity of standalone 

workstations and network servers 

Professionals in this group have skills in network 

intrusion detection and incident response 

Chapter 1 30 

Chapter 01 15

Digital Forensics in the 

Enterprise 

Litigation 

Legal process of deciding a question of fact and its 

consequences 

Computer investigations group 

Manages investigations and conducts forensic 

analysis of systems suspected of containing evidence 

related to an incident or a crime 

Chapter 1 31 

A Brief History of Computer 

Forensics 

By the 1970s, electronic crimes were increasing, 

especially in the financial sector 

Most law enforcement officers didn’t know enough 

about computers to ask the right questions 

Or to preserve evidence for trial 

1980s 

PCs gained popularity and different OSs emerged 

Disk Operating System (DOS) was available 

Forensics tools were simple, and most were generated 

by government agencies 

Chapter 1 32 

Chapter 01 16


Forensics 

Mid-1980s 

Xtree Gold appeared on the market 

Recognized file types and retrieved lost or deleted files 

Norton DiskEdit soon followed 

And became the best tool for finding deleted files 

1987 

Apple produced the Mac SE 

A Macintosh with an external EasyDrive hard disk with 

60 MB of storage 

Chapter 1 33 


Forensics 

Chapter 1 34 

Chapter 01 17


Forensics 

Chapter 1 35 


Forensics 

Early 1990s 

Tools for computer forensics were available 

International Association of Computer Investigative 

Specialists (IACIS) 

Training on software for forensics investigations 

IRS created search-warrant programs 

ExpertWitness for the Macintosh 

First commercial GUI software for computer forensics 

Created by ASR Data 

Chapter 1 36 

Chapter 01 18


Forensics 

Early 1990s 

ExpertWitness for the Macintosh 

Recovers deleted files and fragments of deleted files 

Large hard disks posed problems for investigators 

Other software 

iLook 

AccessData Forensic Toolkit (FTK) 

Understanding Case Law 

Technology is evolving at a rapid pace 

Chapter 1 37 

Existing laws and statutes are lagging the technology 

Case (or judge-made) law used when specific 

statutes or regulations don’t exist 

Case law allows courts to use previous cases 

similar to the current one 

Because the laws don’t yet exist 

Each case is evaluated on its own merit and 

issues 

Chapter 1 38 

Chapter 01 19

Developing Computer 

Forensics Resources 

You must know more than one computing 

platform 

Be familiar with the platforms used in your 

organization as well as other common ones 

Join applicable professional associations 

Computer Technology Investigators Network 

(CTIN) 

Meets monthly to discuss problems that law 

enforcement and corporations face 

Chapter 1 39 

Developing Computer Forensics 

Resources 

High Technology Crime Investigation Association 

(HTCIA) 

Exchanges information about techniques related to computer 

investigations and security 

Restrictions on members working on criminal defense cases 

User groups can be helpful 

Build a network of computer forensics experts and other 

professionals 

And keep in touch through e-mail, listservs, social networks, etc 

Outside experts can provide detailed information you 

need to retrieve digital evidence 

Chapter 1 40 

Chapter 01 20

Preparing for Computer 

Investigations 

Computer investigations and forensics falls into 

two distinct (but non-exclusive) categories 

Public investigations 

Private or corporate investigations 

Public investigations 

Involve government agencies responsible for criminal 

investigations and prosecution 

Stringent set of legal requirements 

Law of search and seizure 

Protects rights of all people, including suspects 



Chapter 1 41 

Chapter 1 42 

Chapter 01 21






Chapter 1 43 

Deal with private companies, non-law-enforcement 

government agencies, and lawyers 

Aren’t directly governed directly by criminal law or 

Fourth Amendment issues 

Governed by internal policies that define expected 

employee behavior and conduct in the workplace 

Private corporate investigations also involve 

litigation disputes 

Investigations are usually conducted in civil cases 

Chapter 1 44 

Chapter 01 22

Flow of Investigation 

Chapter 01 23 

Chapter 1 

Understanding Law 

Enforcements Agency 


In a criminal case, a suspect is tried for a criminal 

offense 

Such as burglary, murder, or molestation 

Computers and networks might be the only tools 

that can be used to commit certain crimes 

Many states have added specific language to criminal 

codes to define crimes involving computers 

Following the legal process 

Legal processes depend on local custom, legislative 

standards, and rules of evidence 

Chapter 1 46 

45

Understanding Law Enforcements 

Agency Investigations 


Criminal case follows three stages 

The complaint, the investigation, and the 

prosecution 

Chapter 1 47 




A criminal case begins when someone believes an 

illegal act has occurred 

Complainant makes an allegation 

A police officer interviews the complainant and 

writes a report about the crime 

Investigators delegate, collect, and process the 

information related to the complaint 

Chapter 1 48 

Chapter 01 24




After building the case, the information is turned 

over to the prosecutor 

Affidavit 

Sworn statement of support of facts about or 

evidence of a crime 

Example: Probable-cause affidavit submitted to a 

judge in requesting a search warrant 

Judge must approve and sign a search warrant 

Before authorized to collect evidence 

Chapter 1 49 

Requirements for Warrant 

Probable cause to believe: 

A crime is being/has been committed 

Relevant evidence exists at a particular place 

Must identify specifically what is to be 

searched for which 

“Fishing expeditions” are prohibited 

Challenge is to be general enough to include all 

relevant items while specific enough to pass the 

test 

Chapter 1 50 

Chapter 01 25

Example of Comprehensive 

Language 

1. Computer hardware to include any and all computer equipment used to collect, analyze, create, display, convert, store, 

conceal, or transmit electronic, magnetic, optical, or similar computer impulses or data. Hardware includes (but is not 

limited to) any data-processing devices (such as central processing units, personal computers to include "laptop" or 

"notebook" computers); internal and peripheral storage devices (such as fixed disks, external hard disks, floppy disk drives 

and diskettes, tape drives and tapes, optical storage devices, and other electronic media devices); peripheral input/output 

devices (such as keyboards, printers, scanners, plotters, video display monitors, and optical readers); and related 

communications devices (such as modems, cables and connections, and recording equipment,); as well as any devices, 

mechanisms, or parts that can be used to restrict access to computer hardware (such as physical keys and locks). 

2. Computer software required to run the above hardware and/or access data from the hardware, e.g., software required to run 

operating systems, applications (like word-processing, graphics, or spreadsheet programs), utilities, compilers, 

interpreters, and communications programs. 

3. Computer-related documentation such as written, recorded, printed, or electronically stored material which explains or 

illustrates how to configure or use computer hardware, software, or other related items. 

4. Data maintained on the computer, or computer related storage devices such as floppy diskettes, tape backups, computer 

printouts, and “zip” drive diskettes. In particular, data in the form of images, and/or log files recording the transmission of 

images as they relate to violations of Florida law. 

5. Documents, notes, or equipment relating to passwords and data security devices which may restrict access to the hardware, 

software or data. 

6. All computer files associated with the accounts listed above, including password protected files, both text and image types 

that may include, but are not limited to: “.doc, .txt, .gif, .bmp, .tif, .pcs, .pic, .png, .dcs, .art or .jpeg.”, that can be stored or 

saved by these suffixes or they can be renamed and saved under different titles 

Graciously provided courtesy of Dennis Nicewander, Assistant State Attorney, 

State of Florida 

Chapter 01 26 

Chapter 1 

Following the Legal Process 

The Search Warrant 

UNITED STATES DISTRICT COURT 

District of Arizona 

In the matter of the Search of 

(Name, address or brief description of person or property to be searched) 

SEARCH WARRANT 12345 East Hacker Street Apt. 866 Case Number:#### 98-5887MB Phoenix, Arizona TO: Bill 

F. Scrotum, III and any Authorized Officer of the United States Affidavit(s) having been made before me by affiant, 

Bill F. Scrotum, III, who has reason to believe that /_/ on the person of or /X/ on the premises known as (name, 

description and/or location) 

SEE ATTACHMENT A. 

in the District of Arizona there is now concealed a certain person or property namely (describe the person or 

property) 

SEE ATTACHMENT C. 

I am satisfied that the affidavit(s) and any recorded testimony establish probably cause to believe that the person 

or property so described is now concealed on the person or premises above-described and establish grounds for 

the issuance of this warrant. 

YOU ARE HEREBY COMMANDED to search on or before _______12-20-98__at__11:15a.m.________ Date 

http://all.net/books/forensics/warrant.html 

Chapter 1 

51 

52

Understanding Corporate 



Involve organizations and attorneys handling policy 

violations and litigation 

Corporate computer crimes can involve: 

E-mail harassment 

Falsification of data 

Gender and age discrimination 

Embezzlement 

Sabotage 

Industrial espionage 

Establishing Company 

Policies 

Policies minimize risk of litigation 

Policies provide: 

Chapter 1 53 

Defines how company computers and networks 

should be used 

Line of authority for internal investigations 

Who has the authority to initiate an investigation 

Who can take possession of evidence 

Who can have access to evidence 

Chapter 01 27 

Chapter 1 

54

Know Where the Line Is 

Criminal matters MUST be reported to law 

enforcement 

Accessory after the fact 

Conspiracy to conceal the commission of a crime 

Child pornography is the text-book case 

Chapter 01 28 

Chapter 1 

Silver Platter Doctrine 

Originally, state agencies could illegally obtain evidence 

and have it admitted in Federal court since Federal 

officials had not participated in the violation of the 

defendant’s rights . Since repudiated in Elkins v U.S. 

(Black’s, 5ed, p.1240) 

Text (wrongly) uses it in the sense of evidence presented 

to LE “on a silver platter” by a civilian 

Typically immune to challenge on constitutional grounds 

regarding search and seizure IF done independent of and 

not at the request of law enforcement 

Can be challenged on authenticity and integrity 

May be challenged based on policy support for its original 

collection 

Evolving area of law – stay current!!! 

Chapter 1 

55 

56

How We See Each Other 

Keystone Kops 

Scenario 

Detective “Wanna-be’s” 

Buster Keaton, Sherlock Jr., 1924 

Chapter 01 29 

Chapter 1 

You are a forensics consultant retained to 

investigate Joe’s computer for evidence of 

theft of trade secrets 

In the course of your examination, you 

discover over 100 photographs of prepubescent 

males in lewd sexual situations 

What actions do you take? 

Chapter 1 

57 

58



Displaying Warning Banners 

Deals with the expectation of privacy 

Helps avoid litigation over whether or not the 

evidence was legally acquired 



Displaying Warning Banners 

Warning banner 

Chapter 1 59 

Usually appears when a computer starts or connects to the 

company intranet, network, or virtual private network 

Informs end users that the organization reserves the right 

to inspect computer systems and network traffic at will 

Establishes the right to conduct an investigation 

As a corporate computer investigator 

Make sure company displays well-defined warning 

banners 

Chapter 1 60 

Chapter 01 30



A sample banner from a US Government-owned system 

Chapter 1 61 



Designating an authorized requester 

Authorized requester has the power to request 


Policy should be defined by executive management 

Groups that commonly have direct authority to request 

computer investigations 

Corporate Security Investigations 

Corporate Ethics Office 

Corporate Equal Employment Opportunity Office 

Internal Auditing 

The general counsel or Legal Department 

Chapter 1 62 

Chapter 01 31



Conducting security investigations 

Types of situations 

Abuse or misuse of corporate assets 

E-mail abuse 

Internet abuse 

Be sure to distinguish between a company’s policy 

violations and potential criminal issues 

Corporations may provide evidence to LE if a crime is 

involved 

What happens when a civilian or corporate investigative 

agent delivers evidence to a law enforcement officer? 

Chapter 1 63 



Distinguishing personal and company property 

Many company policies distinguish between personal and 

company digital property 

One area that’s difficult to distinguish involves 

PDAs/smartphones, cell phones, and personal 

notebook/tablet computers 

The safe policy is to not allow any personally owned devices 

to be connected to company-owned resources 

Limiting the possibility of commingling personal and company 

data 

This is increasingly a counsel of perfection so don’t bet the 

farm on it 

Chapter 1 64 

Chapter 01 32

Maintaining Professional 

Standards 

Professional conduct 

Determines your credibility 

Includes ethics, morals, and standards of behavior 

Maintaining objectivity means you must form and 

sustain unbiased opinions of your cases 

Maintain an investigation’s credibility by keeping 

the case confidential 

In the corporate environment, confidentiality is critical 

In rare instances, your corporate case might 

become a criminal case as serious as murder 

Objectivity 

Chapter 1 65 

If the law has made you a witness, remain a 

man of science, you have no victim to 

avenge, no guilty or innocent person to 

convict or save – you must bear testimony 

within the limits of science. 

-- Dr. P. C. Brouardel, 19 th century French forensic scientist 

Chapter 1 66 

Chapter 01 33



Maintaining objectivity 

Sustain unbiased opinions of your cases 

You are an INVESTIGATOR not the JUDGE or JURY 

Brady doctrine requires discovery and disclosure of evidence that may 

disprove an allegation 

Avoid making conclusions about the findings until all 

relevant information has been examined 

Consider ALL the available facts – not just those that 

support the prevailing theory 

Ignore external biases to maintain the integrity of the 

fact-finding in all investigations 

Keep the case confidential 

Why does this matter? 

Scenario 

Chapter 01 34 

Chapter 1 

Investigator Smith approached a colleague of 

Jane 

I’m investigating Jane for sexual harassment … 

Smith is at a cocktail party “You’ll never 

believe what I found on Joe’s computer …” 

What are the consequences of such 

unprofessional behavior? 

Chapter 1 

67 

68



Enhance your professional skills through 

continuing education 

Record your fact-finding methods in a journal 

Attend workshops, conferences, and vendor 

courses 

Membership in professional organizations adds to 

your credentials 

Achieve a high public and private standing and 

maintain honesty and integrity 

Summary 

Chapter 1 69 

Computer forensics applies forensics procedures 

to digital evidence 

Laws about digital evidence established in the 

1970s 

To be a successful computer forensics 

investigator, you must know more than one 

computing platform 

Public and private computer investigations are 

different in some ways but alike in others 

Chapter 1 70 

Chapter 01 35

Summary 

Use warning banners to remind employees and 

visitors of policy on computer and Internet use 

Companies should define and limit the number of 

authorized requesters who can start an 

investigation 

Digital forensics investigators must maintain 

professional conduct to protect their credibility 

Chapter 1 71 

Chapter 01 36

chapter 1 computer forensics and investigations as a profession

Create successful ePaper yourself

Delete template?

Save as template?