
Module 2

Preparation for Digital Investigations
Identify different types of hardware

Hardware
• Familiarity with all internal and external devices/components of a computer
• Thorough understanding of hard drives and settings
• Understanding motherboards and the various chipsets used
Hardware components

Main system devices
• Motherboard
• System Bus
• Read Only Memory (ROM)
• Random Access Memory (RAM)
• Central Processing Unit (CPU)
• Hard Disk Drive (HDD) / Solid State Drive (SSD)
• Power Supply

Input Devices
• Keyboard
• Mouse
• Joy Stick
• Scanner

Output Devices
• Monitor
• Printer
• Speakers
Identify various operating systems

An operating system (OS) is system software that manages computer hardware and software resources, and provides common services for computer programs.

Examples:
• Microsoft Windows and DOS
• Apple MacOS
• UNIX
• LINUX
• VAX/VMS
Identify different types of file systems

File systems differ between operating systems (OS), and some file systems are designed for specific applications.

Common types of file systems:
• Disk file systems
• Flash file systems
• Tape file systems
• Database file systems
• Transactional file systems
• Network file systems
• Shared disk file systems
• Special file systems
Identifying computer forensic tools

• Computer forensics tools are hardware and software tools that can be used to aid in the recovery and preservation of digital evidence.

• Law enforcement can use digital forensics tools to collect and preserve digital evidence and to support or refute hypotheses before courts.
Identifying computer forensic tools

There are many hardware tools out there designed and built specifically for digital forensics. Some of these tools include cloning devices, cell phone acquisition devices, write blockers, portable storage devices, adapters, cables, and more.

Computer forensics is heavily dependent on an assortment of hardware such as PCs, servers, write blockers, cell phone kits, cables, and so on.

The figure shown below is a well-equipped digital forensic workstation.
Types of Computer Forensics Tools

⚫ Hardware forensic tools
– Range from single-purpose components to complete computer systems and servers

⚫ Software forensic tools
– Types
⚫ Command-line applications
⚫ Graphical User Interface (GUI) applications
– Commonly used to copy data from a suspect’s disk drive to an image file
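The slide says software forensic tools are commonly used to copy a suspect's drive to an image file. The following added example (written for this module, not code from any forensic product) shows the two properties such a copy must have: every byte is copied in order, and a hash taken over the bytes written is recorded so the image can be verified later. It works on a constructed in-memory "drive" (`FaultyDevice`, an assumption of this example) that raises an I/O error for one block, the way a damaged sector would; the unreadable block is logged and zero-filled so the offsets in the image still line up with the original device.

```python
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024


class FaultyDevice(io.BytesIO):
    """Constructed stand-in for a suspect drive: behaves like a block
    device but raises an I/O error for a read that starts at bad_offset."""

    def __init__(self, data: bytes, bad_offset: int):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, size=-1):
        if self.tell() == self.bad_offset:
            raise OSError("simulated unreadable sector")
        return super().read(size)


def acquire_image(device, image_path: str, chunk_size: int = CHUNK_SIZE):
    """Copy the device bit-for-bit into image_path.

    Returns (bytes_written, sha256_hex, bad_block_offsets).  The hash is
    computed over exactly the bytes written, so it is the acquisition hash
    that any later verification must reproduce.  An unreadable block is
    recorded and written as zeros so every later offset in the image still
    matches the original device (the same idea as dd's conv=noerror,sync)."""
    digest = hashlib.sha256()
    bad_blocks = []
    offset = 0
    with open(image_path, "wb") as image:
        while True:
            try:
                block = device.read(chunk_size)
            except OSError:
                bad_blocks.append(offset)
                block = b"\x00" * chunk_size
                device.seek(offset + chunk_size)  # step past the bad block
            if not block:
                break
            image.write(block)
            digest.update(block)
            offset += len(block)
    return offset, digest.hexdigest(), bad_blocks


def verify_image(image_path: str, chunk_size: int = CHUNK_SIZE) -> str:
    """Re-hash the finished image file so it can be compared with the
    acquisition hash (and re-checked any time the image is handled)."""
    digest = hashlib.sha256()
    with open(image_path, "rb") as image:
        for block in iter(lambda: image.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def run_demo():
    """Acquire a constructed 4 KiB drive that has one bad block at offset 2048."""
    drive_bytes = bytes(range(256)) * 16  # 4096 bytes of constructed sample data
    device = FaultyDevice(drive_bytes, bad_offset=2048)
    image_path = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    written, acquisition_hash, bad_blocks = acquire_image(device, image_path)
    with open(image_path, "rb") as image:
        image_bytes = image.read()
    return {
        "written": written,
        "bad_blocks": bad_blocks,
        "acquisition_hash": acquisition_hash,
        "verification_hash": verify_image(image_path),
        "image_bytes": image_bytes,
        "source_bytes": drive_bytes,
    }


if __name__ == "__main__":
    result = run_demo()
    print("bytes written:", result["written"])
    print("unreadable blocks at offsets:", result["bad_blocks"])
    print("image hash verifies:",
          result["acquisition_hash"] == result["verification_hash"])
```

The acquisition hash and the list of unreadable offsets are exactly what an examiner writes into the acquisition notes; a write blocker between the drive and the workstation is still needed, because this code only guarantees the copy is faithful, not that the source was never written to.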
Use of Computer Forensics Tools

Forensic tools are valuable not only for acquiring disk images but also for automating much of the analysis process, such as:

• Identifying and recovering file fragments and hidden and deleted files and directories from any location (e.g., used space, free space, slack space)

• Examining file structures, headers, and other characteristics to determine what type of data each file contains, instead of relying on file extensions (e.g., .doc, .jpg, .mp3)

• Displaying the contents of all graphics files

• Performing complex searches

• Graphically displaying the acquired drive’s directory structure

• Generating reports
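The second bullet above, identifying a file's real type from its header rather than its extension, is the kind of check a forensic tool automates. The following added example (written for this module, not code from any forensic product) keeps a small table of well-known file signatures, identifies a file from its leading bytes, and flags files whose extension claims a type that contradicts the header, which is how renamed files are caught. The sample files in `SAMPLE_FILES` are constructed for the demonstration.

```python
import os

# Each entry: (type label, list of (offset, magic bytes) that must all match).
# The signatures are the standard published magic numbers for these formats.
SIGNATURES = [
    ("JPEG image", [(0, b"\xFF\xD8\xFF")]),
    ("PNG image", [(0, b"\x89PNG\r\n\x1a\n")]),
    ("GIF image", [(0, b"GIF87a")]),
    ("GIF image", [(0, b"GIF89a")]),
    ("PDF document", [(0, b"%PDF-")]),
    ("ZIP container", [(0, b"PK\x03\x04")]),            # also .docx/.xlsx/.jar/.apk
    ("OLE compound document", [(0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1")]),  # legacy .doc/.xls
    ("Windows PE executable", [(0, b"MZ")]),
    ("ELF executable", [(0, b"\x7fELF")]),
    ("MP3 audio", [(0, b"ID3")]),                       # MP3 carrying an ID3v2 tag
    ("WAV audio", [(0, b"RIFF"), (8, b"WAVE")]),         # two-part RIFF/WAVE signature
]

# What a given extension claims the file is; used to spot mismatches.
EXPECTED_BY_EXTENSION = {
    ".jpg": "JPEG image", ".jpeg": "JPEG image", ".png": "PNG image",
    ".gif": "GIF image", ".pdf": "PDF document", ".zip": "ZIP container",
    ".docx": "ZIP container", ".doc": "OLE compound document",
    ".exe": "Windows PE executable", ".mp3": "MP3 audio", ".wav": "WAV audio",
}


def identify(data: bytes) -> str:
    """Return the type label whose magic bytes all appear at their offsets."""
    for label, parts in SIGNATURES:
        if all(data[off:off + len(magic)] == magic for off, magic in parts):
            return label
    return "unknown"  # also covers empty or truncated data


def check_file(name: str, data: bytes):
    """Return (detected_type, mismatch): mismatch is True when the extension
    claims a known type and the header says something else."""
    ext = os.path.splitext(name)[1].lower()
    detected = identify(data)
    claimed = EXPECTED_BY_EXTENSION.get(ext)
    mismatch = claimed is not None and detected != claimed
    return detected, mismatch


def scan(files):
    """Run check_file over a {name: bytes} mapping; returns (name, type, mismatch)."""
    return [(name, *check_file(name, data)) for name, data in files.items()]


# Constructed sample files: only the first bytes matter for this check.
SAMPLE_FILES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 12,
    "invoice.doc": b"\xFF\xD8\xFF\xE0" + b"\x00" * 12,   # a JPEG renamed to .doc
    "report.docx": b"PK\x03\x04" + b"\x00" * 12,
    "tool.exe": b"\x7fELF" + b"\x00" * 12,               # an ELF binary renamed to .exe
    "notes.txt": b"just some text",
    "song.mp3": b"ID3\x03\x00" + b"\x00" * 11,
}

if __name__ == "__main__":
    for name, detected, mismatch in scan(SAMPLE_FILES):
        flag = "  <-- extension does not match header" if mismatch else ""
        print(f"{name:14} {detected}{flag}")
```

Real tools carry thousands of signatures and also look at trailers and internal structure; the point of the example is the rule itself: the header is evidence, the extension is only a label the user chose.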
Categories of investigations

Computer investigations and forensics fall into two categories:

• Public investigations

• Private or corporate investigations
Categories of investigations

Public investigations
• Involve government agencies responsible for criminal investigations and prosecution

• Organizations must observe legal guidelines

• Law of search and seizure - Protects rights of all people, including suspects
Categories of investigations

Private or corporate investigations

• Deal with private companies, non-law-enforcement government agencies, and lawyers

• Governed by internal policies that define expected employee behavior and conduct in the workplace

• Private corporate investigations also involve litigation disputes

• Investigations are usually conducted in civil cases
Understanding Law Enforcement Agency Investigations

• In a criminal case, a suspect is tried for a criminal offense such as burglary or murder

• Computers and networks are sometimes only tools that can be used to commit crimes

• Many states have added specific language to criminal codes to define crimes involving computers, such as theft of computer data

• Legal processes depend on local custom, legislative standards, and rules of evidence
Understanding Law Enforcement Agency Investigations

In the legal process, a criminal case follows three stages: the complaint, the investigation, and the prosecution.
Understanding Law Enforcement Agency Investigations

• Distinguishing personal and company property

• Many company policies distinguish between personal and company computer property

• One area that’s difficult to distinguish involves cell phones and personal notebook computers

• The safe policy is to not allow any personally owned devices to be connected to company-owned resources

• Limiting the possibility of commingling personal and company data
Forming Incident Response Team

• An incident response team analyzes information, discusses observations and activities, and shares important reports and communications across the organization.

• The amount of time spent on any one of these activities depends on one key question: Is this a time of calm or crisis? When not actively investigating or responding to a security incident, the team should meet at least quarterly to review current security trends and incident response procedures.
Forming Incident Response Team

ROLE: RESPONSIBILITY

Team Leader: Drives and coordinates all incident response team activity, and keeps the team focused on minimizing damage and recovering quickly.

Lead Investigator: Collects and analyzes all evidence, determines root cause, directs the other security analysts, and implements rapid system and service

Communications Lead: Leads the effort on messaging and communications for all audiences, inside and outside of the organization.

Documentation & Timeline Lead: Documents all team activities, especially investigation, discovery and recovery tasks, and develops a reliable timeline for each.

HR/Legal Representation: Since an incident may or may not develop into criminal charges, it’s essential to have legal and HR guidance and participation.
Incident Response Plan

• An incident response plan is a documented, written plan with 6 distinct phases that helps IT professionals and staff recognize and deal with a computer or cyber security incident like a data breach or cyber attack.

• Properly creating and managing an incident response plan involves regular updates and training.
Incident Response Phases

An incident response plan should be set up to address a suspected data breach in a series of phases. Within each phase, there are specific areas of need that should be considered.

The incident response phases are:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
Incident Response Phases

1. Preparation

This phase will be the workhorse of incident response planning and, in the end, the most crucial phase for protecting the organization’s operations and business. Part of this phase includes:

• Ensure employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach
• Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident response plan
• Ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance
Incident Response Phases

2. Identification

This is the process to determine whether any data has been breached. A breach, or incident, could originate from many different areas.

Questions to address:

• When did the event happen?
• How was it discovered?
• Who discovered it?
• Have any other areas been impacted?
• What is the scope of the compromise?
• Does it affect operations?
• Has the source (point of entry) of the event been discovered?
Incident Response Phases

3. Containment

Contain the breach so it doesn’t spread and cause further damage to the business.
Disconnect affected devices from the Internet. Have short-term and long-term containment strategies ready. It’s also good to have a redundant system back-up to help restore business operations.

Questions to address:

• What’s been done to contain the breach short and long term?
• Has any discovered malware been quarantined from the rest of the environment?
• What sort of backups are in place?
• Have all access credentials been reviewed for legitimacy and strengthened?
Incident Response Phases

4. Eradication

Find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.

If any trace of malware or security issues remains in your systems, the organization will still be losing valuable data, and liability could increase.

Questions to address:

• Has the attacker’s malware been securely removed?
• Has the system been hardened, patched, and had updates applied?
• Can the system be re-imaged?
Incident Response Phases

5. Recovery

This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get all the systems and business operations up and running again without the fear of another breach.

Questions to address:

• When can systems be returned to production?
• Have systems been patched, hardened and tested?
• Can the system be restored from a trusted back-up?
• How long will the affected systems be monitored, and what will be looked for when monitoring?
• What tools will ensure similar attacks will not reoccur?
Incident Response Phases

6. Lessons Learned

Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what has been learned from the data breach. Determine what worked well in the response plan, and where there were holes.
Lessons learned from real events will help strengthen any systems against future attacks.

Questions to address:

• What changes need to be made to the security?
• How should employees be trained differently?
• What weakness did the breach exploit?
• How can a similar breach be prevented from happening again?
