

Part A
Computer technology is an integral part of everyday human life, and it is growing rapidly, as are
computer crimes such as financial fraud, unauthorized intrusion, identity theft and intellectual property theft.
To counteract those computer-related crimes, computer forensics plays a very important role. Computer
forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal or
administrative cases (Nelson, B., et al., 2008).
Digital evidence can be any information stored or transmitted in digital form. Our team at XYZ Inc
will identify and track the computer systems involved, starting with the Human Resource Manager's computer,
which is a Microsoft Windows XP workstation. Our team has also been tasked with analyzing the HCC network,
the database server, and any workstations we suspect, to determine whether there was a breach and any
potential patient data leakage. The database server is a Microsoft Windows 2003 Server running Microsoft
SQL Server 2008.
The team will collect information from hard disk images of all the systems involved: the Human
Resource Manager's computer, the database server, and the workstations we suspect.
These disk images help us to determine which data was accessed, on which date and at what time.
Generally, computer records are considered admissible if they qualify as a business record. Computer
records are usually divided into computer-generated records and computer-stored records. Computer-
generated records are data the system maintains, such as system log files and proxy server logs. They are
output generated from a computer process or algorithm, not usually data a person creates. Computer-stored
records, however, are electronic data that a person creates and saves on a computer, such as a spreadsheet or
word processing document. Some records combine computer-generated and computer-stored evidence, such
as a spreadsheet containing mathematical operations (computer-generated records) generated from a
person's input (computer-stored records). Computer records must also be shown to be authentic and
trustworthy to be admitted into evidence. Computer-generated records are considered authentic if the
program that created the output is functioning correctly. These records are usually considered exceptions to
the hearsay rule. For computer-stored records to be admitted into court, they must also satisfy an exception
to the hearsay rule, usually the business-record exception, so they must be authentic records of regularly
conducted business activity. To show that computer-stored records are authentic, the person offering the
records (the offeror: the plaintiff or the defense) must demonstrate that a person created the data and that
the data is reliable and trustworthy; in other words, that it wasn't altered when it was acquired or afterward.
Before starting the investigation, we need to prepare in order to conduct the investigation
efficiently. This is considered a proactive measure of investigation (Murray, 2012). The following steps need
to be taken in the preparation stage:
1. Gathering all available information from assessing the incident, such as the severity of the incident.
2. Identifying the impact of the investigation on the business, such as network downtime, duration of
recovery from the incident, and loss of confidential information.
3. Obtaining information on the network: network devices such as routers, switches and hubs, network
topology documentation, computers, servers, firewalls and the network diagram.
4. Identifying external storage devices such as pen drives, flash drives, external hard disks, CDs, DVDs,
memory cards and remote computers.
5. Identifying the forensic tools which can be used in this investigation.
6. Capturing live network traffic in case the suspicious activities are still running.
7. Documenting all the activities during the investigation, which may be used in court to verify the
course of action that was followed in the investigation.
8. Imaging the target devices' hard drives and hashing them with MD5 for data integrity.
As stated in the case, there was an email containing a benefits attachment. When she opened the
attachment, the document was blank, and she noticed that her system had been acting strangely after
opening the attachment. This means:
There is a document in the system carrying a virus/worm or illegal content that disturbed the
working of the system.
FTK is a forensic software application used to track what the computer has done, so we will work
with dd or FTK to establish the processing done by the computer.
Preparing for the computer search is the most important step in the investigation. Better planning
makes the investigation smoother. To perform an effective search we have to plan in the following way:
1. Identifying the nature of the case
2. Identifying the type of computing systems
3. Determining whether we can seize the computer or not
4. Obtaining a detailed description of the location
5. Identifying who is in charge of each activity
6. Determining the tools we need
7. Preparing the team for the investigation according to what we have to collect and how we can
The nature of the case indicates whether it is a private, public or government organization, and the actual
nature of the case, that is, whether it is related to computer science or to a civil or criminal investigation, so
that the team can plan accordingly. It also determines how we proceed and what type of assets or resources
we need to use in the investigation.
The type of computer system tells us the operating systems, hardware used, etc., so that our
investigation plan includes items compatible with the computer systems that HCC Security Operations have.
The ideal solution for any incident is to seize the computers and take them to the forensic lab for further
investigation. However, the team has to identify whether it is feasible to seize the computer from the
workplace. Seizure is possible if no problems arise, such as warrant issues, and the other functions of HCC
continue working without that computer. In this case we have to seize the HR manager's computer but not the
server. The team of XYZ Inc then has to take other necessary steps to acquire the digital evidence from
computers that cannot be moved. The tools needed are large hard drives to take images of those computers.
The team has to obtain a detailed description of the location in terms of safety issues, hidden
cameras, the persons authorized to be at that place, etc. This is a case of computer malfunction, so it is
necessary to identify the persons using the computer and who was looking after the firewall / virus protection, etc.
Next comes who is in charge of the computer systems involved in the crime. Prepare a list of
authorized persons of concern, another list of persons who have ever used those systems, and also a list of
the authorized managers responsible for transferring the data, etc.
Now we have to consider the tools needed to investigate the crime. Below is the list of tools required to
investigate the scene:
Tools in an initial-response field kit
Number needed (approx.)  Tool
1 Small computer toolkit
1 Large-capacity drive
1 IDE ribbon cable (ATA-33 or ATA-100)
1 SATA cable
1 Forensic boot media containing our preferred acquisition utility
1 Laptop IDE 40- to 44-pin adapter, other adapter cables
1 Laptop computer
1 FireWire or USB dual write-protect external bay
1 Flashlight
1 Digital or 35mm camera with film and flash
10 Evidence log forms
1 Notebook or dictation recorder
10 Computer evidence bags (antistatic bags)
20 Evidence labels, tape, and tags
1 Permanent ink marker
10 External USB devices or a portable hard drive
1 Initial-response field kit
1 Portable PC with SCSI card for tape drive or suspect's drive
1 Additional hand tools, bolt cutters, pry bar, and hacksaw
1 Leather gloves and disposable latex gloves (assorted sizes)
1 Hand truck and luggage cart
10 Large garbage bags, large cardboard boxes with packaging tape
1 Magnifying glass
1 Ream of printer paper
10 USB drives of varying sizes
2 External hard drives (200 GB or larger) with power cables
5 Additional assorted hard drives for data acquisition

Before starting to search and seize the computers, the team has to review all the available facts, plans, and
objectives for collecting the evidence from the crime scene.
Yes, of course XYZ Inc has to seize the HR manager's computer. The following basic steps are required to
seize the computer:
a. Plan to seize the entire computer and all peripherals, with the media used for transferring
the data.
b. Note whether the computer is switched on when our team collects the equipment.
c. Prepare a list of the persons present when we seize the computer.
d. Record all the events of seizing the computer from the organization.
e. Computer data is volatile, so keep in mind to check the state of the computer as soon as
f. Collect all the documentary evidence available at that place.
To document evidence, XYZ Inc has to create or use an evidence custody form. Because of constant
changes in technologies and methods for acquiring data, create an electronic evidence custody form that we
can modify as needed. An evidence custody form serves the following functions:
a. Identifies the evidence
b. Identifies who has handled the evidence
c. Lists dates and times the evidence was handled
After we have established these pieces of information, we can add others to our form, such as a
section listing MD5 and SHA-1 hash values. Include any detailed information we might need to reference.
Evidence bags also include labels or evidence forms we can use to document our evidence. Commercial
companies offer a variety of sizes and styles of paper and plastic evidence bags. Be sure to write on the bag
when it's empty, not when it contains digital evidence, to make sure our writing is legible and to avoid
possibly damaging the evidence. We should use antistatic bags for electronic components.
With digital evidence, we need to consider how and on what type of media to save it and what type of
storage device is recommended to secure it. The media we use to store digital evidence usually depends on
how long we need to keep it. If we investigate criminal matters, store the evidence as long as we can. We can
also use magnetic tape to preserve evidence data. The 4-mm DAT magnetic tapes store between 40 and 72 GB
or more of data, but like CD-Rs, they are slow at reading and writing data. If we're using these tapes, test our
data by copying the contents from the tape back to a disk drive. Then verify that the data is good by
examining it with our computer forensics tools or doing an MD5 hash comparison of the original data set and
the newly restored data set.
However, don't rely on one media storage method to preserve evidence; be sure to make two copies
of every image to prevent data loss. Also, if practical, use different tools to create the two images. For
example, we can use the Linux dd command to create the first image and ProDiscover to create the second
image. As a good security practice, our lab should have a sign-in roster for all visitors. Most labs use a manual
log system that an authorized technician maintains when an evidence storage container is opened and closed.
These logs should be maintained for a period based on legal requirements, including the statute of limitations,
the maximum sentence, and expiration of appeal periods. Make the logs available for management to inspect.
The evidence custody form should contain an entry for every person who handles the evidence.

Part B
Steps for taking the image of the hard disk of the HR Manager's computer and the other computers:
1. Get an external hard drive and hook it up via USB to your computer. Right click on "My Computer" on
your desktop and choose "Open." Verify that the external hard drive is connected and shows up as a
second drive on your computer.
2. Install the latest version of Norton Ghost.
3. Close all applications and programs that are running on your computer, including Internet
browsers. Be sure to also look in your system tray in the lower right corner of the screen and close
any anti-virus or other programs that are running.
4. Open Norton Ghost and follow the instructions on the installer wizard.
5. Launch your Norton Ghost program and click on "Ghost Advanced" on the left sidebar. Then select
"Clone." Wait as the Clone Wizard window appears. Click "Next" to begin the wizard (On newer
version of Ghost, choose "Copy hard drive" option under tools or task menu).
6. Select the source drive you want to ghost. Under the heading "Source," highlight "Disk 1"
to select your hard drive and all of its partitions, if you have them. If you have partitions and want to
ghost one or some of them, click on the partition. Hold down "Ctrl" and click to select multiple
7. Look under the "Destination" heading and choose "Disk 2." Read the information under both the
"Source" and "Destination" headings and make sure the source disk is smaller in size than the
destination disk. Click "Next." Click "Cancel" if a screen with the heading "Device Information"
appears as you will not need to use an external device to transfer your data to the ghost drive. Click
"Next" again.
8. Review the information on the screen with the heading "Important/Advanced information." This
screen informs you what the wizard is going to do next. Click the "Next" button. Then review the
information on the Norton Ghost task summary page. This reminds you what you have told the
Norton Ghost program to do. Click "Next."
9. Click "OK" or "Finish" to finish the wizard and start the ghosting process. Wait as Norton Ghost
completes the process. Your computer will automatically restart.
The following areas on her system will be analyzed for potential evidence of infection and/or modification.
MBR infection
The MBR or Master Boot Record is the portion of the hard drive that tells the BIOS (Basic Input
Output System) where to find the OS (Operating System). This is a critical handoff of responsibility between
the BIOS which does the initial boot sequence when the computer is started and the OS which takes over.
Hypervisor
A hypervisor is a virtual machine manager, which when used for legitimate purposes allows a single
physical computer to host and run more than one OS simultaneously by creating multiple virtual machines,
each of which appears to the OS to be a physical computer. It simulates hardware and intercepts attempts by
the OS to access the hardware, then translates the request and passes it to the actual hardware.
Alternate Data Streams
Alternate Data Streams or ADS are a little-known feature of NTFS, a popular file system used by
Microsoft Windows products. ADS allow the OS to store metadata about a file without changing the file
itself. ADS are not viewable in Windows Explorer or other common file viewers.
Slack space
Every file on a hard drive is allocated a certain amount of space. Because space is allocated in fixed
size "chunks" or disk clusters, most often the file that has been allocated the space doesn't use all of its
allocated space and there is a little bit left over. This is known as slack space.
Bad Sectors
Over time a hard drive may develop sectors (storage units) which can no longer be reliably read from
or written to; these are called bad sectors or bad blocks. The OS keeps a record of these bad sectors in the
MFT in Windows and the bad blocks inode in Linux so it will not try to write to them in the future. Sectors
marked as bad are generally not readable because in most modern drives they are transparently mapped to a
pool of spare sectors either by the drive controller hardware or in some cases the OS.
Hidden Partition
A partition is a logical division of the physical hard drive used for data access. Some rootkits create a
hidden partition within an existing disk partition.
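To make the MBR infection and hidden partition checks above concrete, here is an added example (not code from the original report) that parses an MBR sector, verifies the 0x55AA boot signature, compares the hash of the 446 bytes of boot code with a baseline recorded at acquisition, and lists the unallocated sector ranges where a hidden partition could sit. The sample sector, the disk size DISK_SECTORS and the baseline hash are constructed for the demonstration; the 16-byte partition entry layout is the standard MBR format.

```python
# Added example, not code from the original report: parse an MBR sector, check
# the 0x55AA signature, compare the boot-code hash with a baseline recorded at
# acquisition (MBR modification), and list unallocated sector ranges where a
# hidden partition could sit. The sector, disk size and baseline are constructed.
import hashlib
import struct

SECTOR = 512
SIGNATURE = b"\x55\xaa"
TABLE_OFFSET = 446   # boot code occupies bytes 0-445, then four 16-byte entries
ENTRY = "<B3xB3xII"  # status, (CHS start), type, (CHS end), LBA start, sector count


def parse_mbr(sector):
    """Return (boot_code, [partition dicts]); raise if this is not an MBR."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, TABLE_OFFSET + 16 * i)
        parts.append({"index": i, "bootable": status == 0x80,
                      "type": ptype, "start": lba, "sectors": count})
    return sector[:TABLE_OFFSET], parts


def boot_code_matches(boot_code, baseline_sha1):
    """True when the 446 bytes of boot code still hash to the acquisition-time value."""
    return hashlib.sha1(boot_code).hexdigest() == baseline_sha1


def unallocated_gaps(parts, disk_sectors):
    """Sector ranges (inclusive) that no partition entry claims; a hidden
    partition created inside free space shows up here. Sector 0 is the MBR."""
    used = sorted((p["start"], p["start"] + p["sectors"])
                  for p in parts if p["type"] != 0 and p["sectors"] > 0)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def anomalies(parts, disk_sectors):
    """Entry-level oddities worth a closer look: an 'empty' entry that still
    carries a start or size, or an entry that runs past the end of the disk."""
    notes = []
    for p in parts:
        if p["type"] == 0 and (p["start"] or p["sectors"]):
            notes.append(f"entry {p['index']}: type 0x00 but non-zero start/size")
        elif p["type"] != 0 and p["start"] + p["sectors"] > disk_sectors:
            notes.append(f"entry {p['index']}: extends past the end of the disk")
    return notes


def build_sample_mbr(boot_code, entries):
    """Constructed MBR for the demo: boot code, partition entries, signature."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY, sector, TABLE_OFFSET + 16 * i, *entry)
    sector[510:512] = SIGNATURE
    return bytes(sector)


DISK_SECTORS = 40_000                                    # constructed 20 MB disk
BASELINE_BOOT = b"\xeb\x3c\x90" + bytes(443)             # constructed boot code
BASELINE_SHA1 = hashlib.sha1(BASELINE_BOOT).hexdigest()  # recorded at acquisition
TABLE = [(0x80, 0x07, 63, 20_000), (0x00, 0x07, 20_063, 10_000)]  # two NTFS partitions
CLEAN_MBR = build_sample_mbr(BASELINE_BOOT, TABLE)
PATCHED_MBR = build_sample_mbr(b"\xe9" + BASELINE_BOOT[1:], TABLE)  # first opcode replaced


def examine(sector, disk_sectors=DISK_SECTORS, baseline=BASELINE_SHA1):
    """Run the checks and return a summary for the examiner's notes."""
    boot_code, parts = parse_mbr(sector)
    return {"boot_code_intact": boot_code_matches(boot_code, baseline),
            "partitions": [(p["type"], p["start"], p["sectors"]) for p in parts if p["type"]],
            "gaps": unallocated_gaps(parts, disk_sectors),
            "anomalies": anomalies(parts, disk_sectors)}


if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        print(label, examine(mbr))
```

On a real acquisition, read sector 0 of the image with `open(path, "rb").read(512)` and record BASELINE_SHA1 on the custody form at acquisition time, so a later mismatch can be attributed.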
Interrupt Hooks
The OS uses a set of basic commands to interface with the computer hardware, as mediated by the
BIOS. These commands are known as interrupt calls and are given numbers in hexadecimal.
Message Hooks
Programs running in memory use messages to communicate changes and user input to other
programs and the OS. A message hook is used to either monitor or intercept messages before they reach the
intended system process. For Windows OS they are created by calling the SetWindowsHook function with
appropriate parameters.
SSDT Hooks
The System Service Descriptor Table or SSDT is used by Windows OS to locate system services which
are crucial to the functioning of the OS. In Linux OS this function is held by the System Call Table.
IRP Hooks
Any time a program needs to send or receive data from the computer hardware an I/O Request
Packet (IRP) is used as an intermediary between hardware and software. This includes reading and writing
data from the hard drive, RAM, video, audio, and network. Hooking IRP generally involves modifying or
replacing hardware drivers.
Kernel Objects
A kernel object is a virtual placeholder for a resource that contains information about it. Everything
on a computer has an associated kernel object: every file, every process, every port, etc. When a kernel
object is created, it is given an index number called a handle, through which it is accessed. When a program
wants to make a change (e.g. create or destroy a process), it makes a request to change the kernel object, and
the kernel itself (Object Handler) decides whether to grant or deny the request.
Our team will approach and process the database server (the location of the patient medical records) in
the following way.
Examine the whole system, with permission from the authority responsible for access to the database server.
There can be volatile and non-volatile data; therefore the team has to collect all of it.
The following figure shows how to capture the volatile data. The forensic workstation must be
installed on the same LAN where the target machine/database server holding the medical records, in this case
the Windows 2003 Server running SQL Server 2008, is located. The Cryptcat tool can be used on the forensic
workstation to listen on a port for the Windows 2003 server. Create the trusted-toolset optical disc for the
Windows 2003 server and open the trusted console:

Figure 1: Volatile data collection setup [Reino, A., (2012)]
The following table shows the graphical user interface tools, their usage, and the outcome each
provides, all of which can be used in the computer forensic investigation.
Tools | Usage | Outcome
Rootkit Revealer | Detects user-mode and kernel-mode rootkits | System date and time; information stored in memory
Process Explorer | Useful information about running processes, loaded libraries and used resources | Running date and time; stored on users
TCP View | Displays network connections and associated applications | Network connections, open ports

Table 1: Volatile Data Forensic Tools and their usage and outcome [Reino, A., (2012)]
We also use various Windows-based tools to capture the volatile data, as follows:
HBGary's FastDump: local physical memory acquisition.
HBGary's F-Response: remote physical memory acquisition.
ipconfig: collecting subject system details.
netusers and qusers: identifying logged-in users.
doskey/history: collecting command history.
netfile: identifying the services and drivers.
Finally, collecting the clipboard content is also very important in a computer forensic investigation.
More evidence can be found on a machine which is still running, so if the anomalies are still present in the
SME, then we can retrieve a lot of important evidence from the running processes, network connections and
the data stored in memory. There is a lot of evidence while the machine is in the volatile state, so it must be
ensured that the affected computers are not shut down, in order to collect such evidence.
Once the volatile data have been captured, we will look into the non-volatile data. The first step
in non-volatile data collection is to copy the contents of the entire target system. This is also called forensic
imaging. Imaging helps to preserve the original data as evidence without any malfunction or changes in the
data, which can occur during the forensic investigation. Forensic images will be created with forensic tools such as
EnCase, ProDiscover and FTK. A forensic investigator uses a write blocker to connect to the target system and
copies the entire contents of the target drive to another storage device using any of those forensic tools.
Hard drive cloning is simply making a duplicate of the entire system. The difference between forensic
imaging and hard drive cloning is that a forensic image can't be accessed without forensic tools, but a hard
drive clone can easily be accessed by mounting the drive. A hard drive clone contains only a raw image:
every bit is copied, and no other content is added. A forensic image contains metadata, i.e.,
hashes and timestamps, and it compresses all the empty blocks. Forensic imaging will hash with MD5 or
SHA-2 to ensure the integrity of the digital evidence (Nelson, B., et al., 2008).
Data collection can be done as an offline investigation or an online investigation. Forensic imaging is
done in the offline investigation. Live network traffic capture is done in the online investigation, using the
Ethereal or Wireshark tools. Firewall logs, antivirus logs, and domain controller logs will be collected for the
investigation under non-volatile data collection. We will also collect the web server logs, Windows event
logs, database logs, IDS logs and application logs. Once we collect all the digital evidence, it must be
documented in the chain of custody log. The chain of custody log maintains the integrity of the evidence
from the start to the end of the investigation, until this investigation report is presented (Nelson, B., et al.,
2008).
Before carrying out any further processes, we need to image the disk bit by bit, which will access the
entire volume and copy the original media, including the deleted files. After the disk is imaged, we should
hash everything which will make sure that the data is authentic and the integrity of the data will be
maintained throughout the investigation. The hash values must be recorded in multiple locations and we
must ensure that we do not make any changes to the data from the time of collection of the data till the end of
the investigation. Most tools help in achieving this by accessing the media in a read-only state (SANS, 2010).
Target System Hard drives, External Storage devices, and the Windows 2003 Server Hard drive must be
acquired for the digital forensic investigation in this case.
The Documentation Phase of the physical crime scene involves taking photographs, sketches and
videos of the crime scene and the physical evidence. The goal is to capture as much information as possible so
that the layout and important details of the crime scene are preserved and recorded. For a digital incident, it
is important to document and photograph the connections on the computer and document the state of the
computer. It could also be important to document the number and size of the hard drives and the amount of
memory. In some cases, the hardware MAC address of the network cards should also be recorded so that
DHCP logs can be used to identify the system activity. Serial numbers and asset tags are useful to record in this
phase. To identify what should be recorded, consider that the analysis lab may only get a copy of the hard disk
and no original physical hardware. Anything that could be of use to the analysis lab and later reconstruction
should be recorded. Note that the Documentation Phase is not the phase where a final incident report is
A forensic report highlights the evidence in court; it also helps in gathering more evidence
and can be used in court hearings. The report must state the investigation's scope. A computer forensic
investigator must be aware of the types of computer forensic reporting, such as formal report, written report,
verbal report and examination plan. A formal report contains the facts from the investigation findings. A
written report is like a declaration or an affidavit which can be sworn to under oath, so it must be clear,
precise and detailed. A verbal report is less structured and is a preliminary report that addresses the areas of
investigation not yet covered. An examination plan is a structured document that helps the investigator to
understand the questions to be expected when he/she is justifying the evidence. An examination plan also
helps the attorney to understand the terms and functions which were used in the computer forensic investigation
(Nelson, B., et al., 2008). Generally, a computer forensic report contains the following sections:
Purpose of the Report
Author of the Report
Incident Summary
Supporting Documents
There are many forensic tools to generate the forensic investigation report such as ProDiscover, FTK
and EnCase (Nelson, B., et al., 2008).
The Documentation Phase of the digital crime scene involves properly documenting the digital
evidence when it is found. The exact copy of the system that was acquired during the Preservation Phase has
the same role as the sketches and video of a physical crime scene. Each piece of digital evidence that is found
during the analysis of the image must be clearly documented. This phase documents individual pieces of
evidence and does not create the final incident report. The final report of the digital analysis will be generated
in the Presentation Phase. Digital evidence can exist in many abstraction layers [Brian Carrier, 2003] and
must be documented accordingly. For example, a file can be documented using its full file name path, the
clusters in the file system that it uses, and the sectors on the disk that it uses. Network data can be
documented with the source and target addresses at various network layers. As digital evidence can be
changed and leave little trace, additional steps should be taken to later verify the integrity. A cryptographic
hash value, such as MD5 or SHA-1, should be calculated for the evidence when it is collected so that its
integrity can be proven to the courts. Chain of Custody forms should be created in this phase if the evidence
could be used in court. In practice, the Documentation Phase is not a specific phase in a digital investigation
because the digital evidence is documented as it is found.

Part C
To better prepare our team for court testimony, the investigator specifies that all authorized personnel
of the HCC network should present the most professional demeanor from the moment they arrive in court. Dress
professionally and conservatively. Be cordial but serious. Don't allow the opposing attorney to provoke you
into making angry or emotional statements or blurting out answers without thinking about them.
When testifying, don't use technical jargon or try to "sound smart." Explain things in simple language
that's understandable to the average non-technical person. Juries and judges are often not technically savvy
at all. Don't talk down to them, but use plain words and analogies to explain difficult concepts. Here are some
tips for testifying effectively:
In direct testimony (when being questioned by the attorney that called you to testify), answer only
the question that is asked. Don't expound on the matter until or unless you're asked to do so. If you're
asked a yes or no question, answer yes or no without explanation. If the attorney wants you to say
more, you'll be asked to elaborate.
If you don't know the answer to a question, say so. Don't make something up or evade the question.
Don't offer opinions that are not in your area of expertise.
If you don't understand the question, ask for clarification and don't answer it until you're sure you
understand it.
Pick your words carefully. Be sure to say exactly what you mean.
In both direct and cross examination, if an attorney objects to a question you're asked, don't answer
the question until the judge rules on the objection.
Use visual aids (white board, video, photographs, slides, computer demonstration, etc.) to help
explain difficult concepts, demonstrate how a particular task is accomplished, or show relationships
of items to one another.
Be able to back up your opinions and conclusions with hard data.

Computer forensics involves collecting, analyzing, preserving and presenting digital evidence in a
legally acceptable manner. It is a complex procedure, therefore it requires due diligence at every stage of the
process, and this is where the role of the investigator comes in. Any carelessness, intended or not, can adversely
affect the outcome. To counter this problem, our forensic investigator XYZ Inc must follow basic and specific
guidelines and rules. There are collections of these guidelines, starting with the United Kingdom Association
of Chief Police Officers (ACPO)'s Good Practice Guide for Computer-Based Electronic Evidence below:
1. No action taken by a law enforcement agency or its agents should change the data held on a
computer or storage media which may subsequently be relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer that
person must be competent to do so and be able to give evidence explaining the relevance and the
implication of their actions.
3. An audit trail or another record of all processes applied to computer based electronic evidence
should be created and preserved. An independent third party should be able to examine those
processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and
these principles are adhered to.
The following are areas of ethical concern in digital forensic investigation and prosecution:
1. Ethical rules governing digital forensic investigation
2. The lawyer's ethical obligations while working with digital forensics.
3. Attorney-Client Privilege and confidentiality
4. Legality of digital forensic investigation techniques
5. Civil Liability arising from digital forensic investigation

References and Bibliography
[1] 7safe, (2013) Good Practice Guide for Computer-Based Electronic Evidence, Available at:, Accessed
on 12th January 2014.
[2] ACPO (2013), Good Practice Guide for Computer-Based Electronic Evidence, V4.0
[3] Adams, R., (2012), Evidence and Digital Forensics, Australian Security Magazine, Available at, accessed on 31st December 2013.
[4] Aquilina, M.J., (2003), Malware Forensics, Investigating and Analyzing Malicious Code,
[5] Carvey, H., (2005), Windows Forensics and Incident Recovery, Boston: Pearson Education Inc.
[6] Case studies, PwC CybercrimeUS Center of Excellence, PricewaterhouseCoopers LLP, 2010,
[7] Dave, P., (2013), SQL A Career in Database Forensics!, Available at, accessed on 2nd
January 2014.
[8] Fowler, K., (2007), Forensic Analysis of a SQL Server 2005 Database Server, Available at
2005-database-server-1906, accessed on 2nd January 2014.
[9] ISO/IEC 17799:2005, (2005), Information technology Security techniques Code of practice
for information security management,
[10] Kent, K, and Grance, T., (2006), Guide to Integrating Forensic Techniques into Incident
Response, Available at:
[11] Kruse II, W.G., and Heiser, J.G. (2010), Computer Forensics: Incident Response Essentials, 14th
edn, Indianapolis: Pearson Education
[12] Nelson, B., et al., (2008), Guide to Computer Forensics and Investigations, 3
Massachusetts: Course Technology.
[13] Nolan, Richard, et al., Forensics Guide to Incident Response for Technical
[14] SANS, (2010), Integrating Forensic Investigation Methodology into eDiscovery, Available at:
[15] Venter, J. P., (2006), Process Flows for Cyber Forensics Training and Operations, Available at
[16] Wong, L.W.,(2006) Forensic Analysis of the Windows Registry Available at