Computer Investigations

• Introduction
• Digital Evidence
• Preserving Evidence
• Analysis of Digital Evidence
• Writing Investigative Reports

Mary Komunte 1
Computer Investigations
Introduction
• The computer advent - revolutionized the way people live,
work and play; allowing our businesses to run more effectively.
• However, some individuals use them to lash out malicious
assaults including fraud, identity theft, hacking, embezzlement
and a wide array of other activities.
• To avert these crimes; specialists known as computer
investigators are called in to seize and gather information from
these computers.
• Computer investigation is the science of locating; extracting,
analyzing and protecting specific data from computers and
digital storage media, which can be interpreted to serve as legal
evidence in courts of law.
Introduction (cont.)

• The search technique helps to reconstruct a sequence of activities of
what happened.
• The investigation process involves the extraction, documentation,
examination, preservation, analysis, evaluation, and interpretation of
computer-based material to provide relevant and valid information as
evidence in civil, criminal, administrative, and other cases.
Digital Evidence
• Evidence is something tangible needed to prove a
fact.
• Tangible evidence to prove a claim or an assertion
can be from one of following sources:
– From an eye witness who provides a testimony
– From physical evidence as traces of the sequence of
activities leading to the claim or assertion.
– Digital evidence as digital footprints of the digital
sequence of activities leading to the claim or assertion.
• Digital evidence consists of the digital footprints left after every
digital activity; together these footprints form a cybertrail.

Looking for Digital Evidence
• Looking for digital evidence is difficult and is comparable to
searching for bits of evidence data in a haystack.
• The evidence usually sought includes binary data fixed in any
medium such as on CDs, memory, and floppies, residues of
things used in the committing of a crime and physical
materials such as folders, letters, and scraps of paper.
• At the start of the investigation, the examiner must decide on
things to work with, such as written and technical policies,
permissions, billing statements, and system, application and
device logs.
• Also decide early on what to monitor, if this is needed. This
may include employer and employee computing activities,
Internet e-mail, and chat rooms.

Digital Evidence Previewing and Acquisition

• Dealing with digital evidence requires a lot of care because it is
very volatile. The two processes, previewing and acquiring data,
may disturb the evidence to the point of changing its status, thus
casting doubt on its credibility.
• To make sure that this does not happen, a strict sequence of steps
must be followed in handling the evidence.
• Handling Evidence – through tracing the
sequence of events by looking for answers the
following questions:
– Who extracted the evidence, how, and when?
– Who packaged it and when?
– Who stored it, how, when and where?
– Who transported it, where and when?
• Previewing Image Files - allows the
investigator to view the evidence media in
order to determine if a full investigation is
warranted.
• Evidence Acquisition is the process of
evidence extraction
Preserving Evidence
• Given that digital evidence is very fluid in that it can disappear or change
so fast, extra care must be taken in preserving digital evidence.
• One way of preserving evidence is to strictly follow the following
procedures:
– secure the evidence scene from all parties that have no relevancy to it.
This is to avoid contamination usually from deposit of hairs, fibers or
trace material from clothing, footwear or fingerprints.
– Securely catalog and package evidence in strong anti-static, well-
padded, and labelled evidence bags.
– Image all suspected media as evidence to create a back up. Try to make
several copies of each evidence item.
– Make a checksum of the original evidence disk before and after
each copy. After imaging, the two checksums must agree.
– Institute a good security access control system to make sure that those
handling the evidence are the only ones authorized to handle the
evidence.
– Secure the evidence by encryption, where and if possible. Encryption
ensures the confidentiality of the evidence.
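The checksum step above and the "who extracted, packaged, stored, transported it, how and when" questions from the handling slide can be carried out together. The following script is an added example (not part of these slides): it hashes a constructed sample "evidence disk" before imaging, copies it byte-for-byte, hashes both the image and the original again, requires all three digests to agree, and writes each action into a chain-of-custody log. The item id, examiner name and location strings are placeholders chosen for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in memory


def sha256_of(path: str) -> str:
    """Checksum a file on disk; the same routine is used before and after imaging."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Records who did what to the item, how, when (UTC) and where."""

    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries = []

    def add(self, action: str, who: str, **details):
        self.entries.append({"item": self.item_id, "action": action, "who": who,
                             "when": datetime.now(timezone.utc).isoformat(),
                             **details})


def image_and_verify(source: str, dest: str, log: CustodyLog, examiner: str) -> bool:
    """Copy source to dest; original-before, image and original-after hashes must all match."""
    before = sha256_of(source)
    log.add("hash_before", examiner, path=source, sha256=before)

    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    log.add("imaged", examiner, path=dest, how="byte-for-byte copy")

    image_hash = sha256_of(dest)
    after = sha256_of(source)  # re-hash the original: imaging must not have altered it
    log.add("hash_after", examiner, path=source, sha256=after, image_sha256=image_hash)

    ok = before == after == image_hash
    log.add("verified", examiner, result="match" if ok else "MISMATCH")
    return ok


def demo() -> dict:
    """Image a constructed 'evidence disk' twice, then show a single flipped byte is caught."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "suspect_disk.bin")
        with open(original, "wb") as fh:  # constructed sample media: 3 MiB of patterned bytes
            fh.write(bytes(range(256)) * (3 * 4096))

        log = CustodyLog("ITEM-0001")  # placeholder item id
        log.add("seized", "examiner A", where="workstation 3, room 12")  # placeholders

        first = image_and_verify(original, os.path.join(work, "copy1.dd"), log, "examiner A")
        second = image_and_verify(original, os.path.join(work, "copy2.dd"), log, "examiner A")

        # Simulate a disturbed image: one byte altered after the copy was verified.
        tampered = os.path.join(work, "copy2.dd")
        with open(tampered, "r+b") as fh:
            fh.seek(1024)
            fh.write(b"\xff")
        recorded = next(e["image_sha256"] for e in reversed(log.entries) if "image_sha256" in e)
        tamper_detected = sha256_of(tampered) != recorded

        return {"verified": first and second,
                "tamper_detected": tamper_detected,
                "entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

Hashing in fixed-size chunks keeps the procedure usable on full-disk images; re-hashing the original after the copy is what proves the acquisition itself did not write to the evidence, and the log answers the custody questions without relying on memory.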

Analysis of Digital Evidence
• Evidence analysis is the most difficult and
demanding task for investigators
• It involves:
– Analyzing Data Files
• File Directory Structure
• File Patterns
• Metadata
• Content
• Application
• User Configuration
– Analysis Based on Digital Media
• Deleted Files
• Hidden Files
• Slack Space
• Bad Blocks
• Steganography Utilities
• Compressed and Coded Files
• Encrypted Files
• Password-Protected Files
– Analysis Based on Operating Systems
• Microsoft–Based File Systems
• UNIX and LINUX File Systems
• Macintosh File System
When can Computer Forensics be useful?

When a computer crime has been committed, criminal prosecutors use
computer evidence in a variety of ways for crimes where incriminating
documents or files can be found, e.g.:

a) In instances of homicide,
b) Financial fraud,
c) Drug and embezzlement record keeping,
d) Child pornography,
e) Mitigation of costs by insurance agencies,
f) Civil litigation on discrimination and harassment cases,
g) Armed robberies (Westgate scandal),
h) International counter-terrorism (Osama bin Laden),
i) Unlawful access to company information,
j) Employees' wrongful termination, etc.
Investigation Reports:
• The Computer Forensic Investigation Report for any
cross-examination has to be perfectly documented.
• It should contain details of the investigating team, the
requester, the suspect, the nature of the offence, the findings,
the evidence found and a conclusion on whether or not the
offence was committed.
• If the evidence is sufficient, it should be possible to interpret it
and use it in legal proceedings (e.g. for conviction in courts of
law).
Writing Investigative Reports
• A report is a summary of all findings of the investigation and it
comes from all the documentation that has been made throughout
the investigation.
• Report should include the following documents[4]:
– All notes taken during meetings and contacts that led to the investigation
– All forms used in the investigation including the chain of custody forms
– Copies of search warrants and legal authority notes granting permission to
conduct searches
– Notes, video recordings, and pictures taken at the incident scene describing
the scene
– Notes and any documentation made to describe the computer components
including description of peripherals and all devices.
– Documentation and notes describing the
networking of suspect’s devices
– Notes made on what was discovered including
passwords, pass phrases, encryption and any data
hiding.
– Any changes to the suspect’s scene configuration
authorized or not.
– Names of everyone at the suspect’s scene
– Procedures used to deal with the scene including
acquisition, extraction, and analysis of evidence.
– Any observed or suspected irregularities including
those outside the scope of the techniques in use.
Challenges of Computer Forensics

Technical Issues:
• Encryption – Encrypted data can be impossible to view without
the correct key or password.
• Increasing storage space – Storage media hold ever greater
amounts of data, so there is more to acquire and examine.
• New technologies – Computing is a continually evolving field,
with new hardware, software and operating systems emerging
constantly.
• Anti-forensics – Anti-forensics is the practice of attempting to
thwart computer forensic analysis. This may include encryption,
the over-writing of data to make it unrecoverable, the
modification of files’ metadata and file obfuscation (disguising
files).
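One form of anti-forensics named above is modification of file metadata, typically pushing timestamps back so a file looks older than it is. The script below is an added example, not part of these slides, showing two widely used consistency checks an examiner can run over extracted metadata: a modification time earlier than the creation time, and all sub-second fields being exactly zero (tools that rewrite timestamps often write whole seconds). The sample records are constructed for the example, and the checks are heuristics rather than proof of tampering.

```python
from datetime import datetime

# Constructed sample metadata: one benign file and two whose timestamps
# show patterns associated with metadata tampering.
SAMPLE_FILES = [
    {"name": "report.docx",
     "created":  datetime(2023, 5, 1, 9, 15, 2, 418233),
     "modified": datetime(2023, 5, 3, 16, 42, 11, 90712),
     "changed":  datetime(2023, 5, 3, 16, 42, 11, 90712)},
    {"name": "ledger.xls",   # modification time pushed back before creation
     "created":  datetime(2023, 5, 1, 9, 15, 2, 418233),
     "modified": datetime(2001, 1, 1, 0, 0, 0, 0),
     "changed":  datetime(2023, 5, 9, 22, 3, 40, 553100)},
    {"name": "notes.txt",    # every sub-second field is exactly zero
     "created":  datetime(2022, 11, 20, 8, 0, 0, 0),
     "modified": datetime(2022, 11, 20, 8, 0, 0, 0),
     "changed":  datetime(2022, 11, 20, 8, 0, 0, 0)},
]


def timestamp_anomalies(entry: dict) -> list:
    """Return the list of heuristic flags raised by one file's timestamps."""
    flags = []
    created, modified, changed = entry["created"], entry["modified"], entry["changed"]
    if modified < created:
        flags.append("modified before created")
    # Setting a file's modification time itself updates the metadata-change time,
    # so a change time earlier than the modification time is out of order.
    if changed < modified:
        flags.append("metadata-change time earlier than content modification")
    if all(t.microsecond == 0 for t in (created, modified, changed)):
        flags.append("all sub-second fields zero")
    return flags


def scan(entries: list) -> dict:
    """Map each file name to its flags, omitting files that raise none."""
    result = {}
    for entry in entries:
        flags = timestamp_anomalies(entry)
        if flags:
            result[entry["name"]] = flags
    return result


if __name__ == "__main__":
    for name, flags in scan(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(flags)}")
```

Flags are leads to corroborate against other sources (file-system journal, application logs, backups), not conclusions: copying a file with preserved timestamps, or a file system that only stores whole seconds (FAT keeps modification times at two-second resolution), produces the same patterns legitimately.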
Challenges continued
• Legal Issues
Trojans have many uses, including key-logging, uploading and
downloading of files and installation of viruses. A lawyer may be able
to argue that actions on a computer were not carried out by a user but
were automated by a Trojan without the user's knowledge.

• Administrative Issues
– Accepted standards – There are multiple standards and guidelines
in computer forensics, few of which appear to be universally accepted.
– Fit to practice – In many jurisdictions there is no qualifying body to
check the competence and integrity of computer forensics
professionals.
Challenges continued:
• Another major challenge is maintaining credible certifications and
industry standards in the field.
• Cost of Hiring Computer Forensics Specialists – The price of hiring
an analyst or a team of analysts is usually high.
• Demand for Computer Forensic Services is growing exponentially.
Conclusion:
- For computer forensics to progress, the law must keep pace with
technological advancements.
- Clear and consistent legal procedures regarding computer system
searches must be developed so that police and investigators can be
properly trained.
- An International Code of Ethics for Cyber Crime and Cyber Terrorism
should also be established to develop protocols for “obtaining and
preserving evidence, maintaining the chain of custody of that evidence
across borders.”
- Global use of Interpol’s Computer Crime Manual with “training
courses” and “a rapid information exchange system” that serves as a
foundation for international cooperation.
- Equip the police department with state-of-the-art training and
equipment for forensic analysis. Only then is the world safely prepared
to face the future of technology.
(Extracted from Barry Chen, Barry.Y.Chen.16@dartmouth.edu)