In this paper, I am going to show the basic procedures that ought to be undertaken while performing a digital forensic examination. These procedures are evaluated in form of answers to some pre written questions. From what equipments to pack to what to do first after arriving at the scene to evidence collection and finally analysis, this procedure of events could be followed step by step or some could be skipped depending on the urgency with which analysis is required.
Type of Equipment to Pack
The equipment to carry on a raid would include a laptop computer installed with various digital forensic tools. The laptop ought to have the best resources in terms of the number and Speed of CPU. The laptop ought to be at least a core 2 duo with a speed of 2.4 GHZ or more. It should have adequate RAM preferable 4 GB and above and a large storage capacity preferably more than 1 TB. Additionally, it ought to have a DVD-ROM drive that would enable booting from a CD/DVD or any form of software installation from a CD media or DVD storage media. These tools should allow for smooth analyse of any type of operating system files. I would also carry both the IDE and SATA hard drive hardware interface tools that would enable me to connect to any external storage device with minimal hustlers. I would also carry bootable forensics software tools on flash drives, CD and DVD for example the Mac-Forensic-Lab Software. These software forensics tools should comfortably be able to analyze any type of operating system files from Linux to windows to Mac and any other and should comfortably be operated from USB ports for example the COFEE (Computer Online Forensic Evidence Extractor) tool from Microsoft.
Also included would be network analysis tools which could promptly carry out a network monitoring operation and give a summary of any gadget attached to the intranet network for example wireshark. I would include an Ethernet cable to help connect my computer to their network as a back up just in case the wireless won’t work. I would also ensure that I have an external drive. I would carry a digital camera to enable me carry out documentation process. Lastly, I would be sure to carry enough storage space for any image copies that I may need to make of the storage devices that I might encounter during the raid. Lastly I would ensure that I have with me password cracking tools that are fast and can work either on an already booted computer or is bootable (Silverman, 1994).
Additional questions to the supervisor
The first question to the supervisor would be to inquire on the type of evidence that the informant gave to the federal agency that made them believe that the manager was indeed a suspect. I would also ask him to enlighten me on the type evidence she thinks might be in the suspect’s digital media. This will enable me to look for specific type of information i.e. whether it is a word document or an email message. I would also inquire on how well the suspect can use computer technology i.e. his level of education in the computer world as well as how proficient he has been analysed to be with computers. This is essential because as I would later try to recover any incriminating evidence against him I would be able to know specifically what he might have done to conceal the evidence as per his computer user level.
10 minutes briefing to the team of police officers
I would use this time to tell the police not to tamper with any hardware or software that they may encounter. I would ask them to especially be careful and properly frisk the suspect on arrest to ensure that he is not hiding any flash drives in his pockets. I would ask them to take note of any device that the suspect might try to conceal and let me know as soon as possible since most likely, that device might be containing a lot of incriminating evidence. I would also ask them not to tamper in any way with the power supply since if any computer was on and there was suddenly a loss of electrical power to the system, all information that might have been important in the RAM (Random Access Memory ) might be lost (Rogers, 2006).
Pieces of evidence in the scene
The immediate piece of evidence that I will take not of is the hard drive on top of the desk. This clearly not being an external hard drive, then it is probable that it was removed from one of the computer systems for a reason. Therefore, it is also probable that it contains some information that the suspect did not want found on the computer. Another piece of evidence is a flash drive on the desk. Due to its portability nature, it might be used to send information from any location where there i9s internet connectivity. The other pieces of evident that are in plain site include the 3 system units. This being the office of the suspect, then it is probable that these 3 systems contain the right incriminating evidence. The other pieces of evidence include some compact discs on the desk. These could also contain some information which might just be incriminating. Additionally, the phone on the desk could be analyzed to find out the last calls that were made from it. The call history could contain the numbers of the other suspect. In fact, a redial of the last number might do wonders.
Capturing the scene in situ
The best tool to archive this would be a digital camera. Several snaps could be taken of the scene and preserved as such to ensure that the scene can be reconstructed from the pictures. Use of various tools to enable the estimation of length and sizes of various gadgets on the scene could be applied. This could be achieved through placing items of known length to various other objects on the scene. A tape recorder could further be used to describe those things on the scene which needs further explanation.
Next action and why
The first action that I would do is to click on cancel. C Cleaner is a tool that allows for cleaning of files that are potentially unwanted including temporary files that might have been left by various programs including browsers like Internet Explorer, Firefox Opera, Google Chrome, Safari and many other programs. It also ensures the removal of browsing history as well as dumps of memory, cookies, logs that might have been stored in files, caches that might have been made by the system in addition to other many functions that removes any data that might be unwanted. I would therefore immediately try and stop the running of this program as soon as possible to ensure that no more data is lost. From the look of it, this person had decide to get rid of any internet files that had been temporarily been saved on the computer as well as all the cookies. He was going to get rid of all of the cookies, his browsing history and the recently typed URLs. The last download location would also been lost including the Index.dat files which contains the stamps as per the date for each request over the internet that was sent to the server. He would therefore in effect conceal any request for web pages that he would have made recently. Additionally, recent documents that he might have been working on might have been permanently deleted as well as those in the start menu i.e. those that automatically start after the computer has undergone the booting process. Other Explorer MRUs would not have been spared either including the cache of the thumbnail. Documents that the user might have recently sent to the recycle bin would also be lost including any files that had been temporarily been saved by the computer system.
Collection of evidence
The very first piece of evidence that I would collect would be all the information residing in the RAM (Random Access Memory) of the very computer on which C Cleaner was running. I would also move on to collect any evidence on any other computer that might still be on. This especially being a windows machine, COFEE tool could be applied to ensure that data that is currently residing in RAM is extracted to ensure that it is not lost should the computer be powered down due to its volatile nature. This tool could be launched on the very computer that analysis is to be done via a USB connection. After this, the computer can be powered down. A short live analysis could also be done on any powered up computer. This is especially so as to ensure that if there is any kind of systems that perform file encryption, the respective encryption keys can be collected.
The next piece of evidence to be collected will be the visible hard drive and flash disks. I would quickly bag these as evidence in a cushioned carriage so as to prevent any form of damage to the drives which might cause the data to be unusable. I would bag the three system units and leave the monitors as they are since they are not of any importance. I would bag these systems units so that later on I will be able to analyse both the hard drives within theme as well as any data that might be stored on the RAM. This is especially so from knowledge that as much as data that is stored on RAM is volatile, it not always lost immediately a computer is shut down. I would also bag what appears to be a small router on the table so that later on I would be able to analyze the routing tables that had been recorded.
Importance of custody documentation of seized evidence
From obvious knowledge that it is rear to find that all evidence will be located just in one place. Most of the time, a certain piece of evidence might be transferred from party to party. First of all, the evidence has to be transferred from the scene it was first seized to the lab for analysis. Evidence might also as well be transferred from one department of law enforcement to another department. This therefore necessitates that proper documentation with regard to all these forms of transfer be kept. This is usually with the major aim of ensuring that the so called “chain of evidence” remains intact without any form of breakages in between. Therefore, in the long run, any person who will at any point handles evidence is clearly identified and this action becomes properly documented. This is especially essential so as to ensure that the evidence which has been collected when later on is presented to the court of law, there will be minimal or no speculations with regards to its authenticity.
Other potential digital evidence
Yes, there might be other potential pieces of digital evidence not present in the raided office. This might include various types of servers especially the web server and the mail server which server the suspects computer. There might also be a router holding information concerning the routing tables. The information in the routing tables might just tell us to who certain messages were going to. If this manager had been issued with a laptop, then that laptop would also go into evidence. Alternatively, if he had access to another computer in any other room, then that very computer system would also have to go into evidence.
Interviews with the system administrator
The first question that I would ask the system administrator is for a detailed overview of the network infrastructure of the company along with any authentication that might be necessary to gain access to the various systems as an administrator. This information is generally important with regard to knowing if any essential gadget has been left out and yet might provide highly essential evidence for this case (NIST, 2011). Secondly, I would inquire on whether the computer system that had been taken as part of evidence were running as part of a domain controlled system. This would form a basis of whether I should concentrate my search for evidence more on the domain name server or the hard drive of the impounded computer systems additionally if they were running under the control of a domain name server, and then it becomes easier to immediately know the number of users that might have been using the system. Secondly, I would make an enquiry about the level of computer user that the manager might have been i.e. whether expert or novice user. With such knowledge, I would be able to estimate the extent to which he might have gone to hide evidence or alternatively to try and get rid of the incriminating evidence.
Questions for the suspect
Yes I would take this chance to test him and see why he was really deleting some files, his browsing history etc, on his computer just before the raid. I would sarcastically ask him why he was desperately deleting those documents and yet there existed excellent technology to easily recover everything that he had deleted. I would then ask him to let us know how many people were having access to his machines and how many accounts were running on his computer systems. If he confirms that only he himself was having access to the confiscated computers, then he would have tied any evidence that would be collected squarely on him. Just as to know the type of computer user that I was dealing with I would ask him to let me know how good he was at using computers and his level of knowledge regarding the use of computers.
On one of the computers, the suspect was clearing some unwanted files, folders programs, etc. I would therefore run recovery software on his computers data and recover any information that might have been deleted. I would additionally run a social agent tool like Mac-Forensic-Lab Social Agent on any computer that might still be on so as to recover all the chart logs on various social networking sites that he might have visited.
Initial Examination
I should initially find out how many users there are in the system and their various access levels. I should also have been able to identify the type of operating system that is in use that very computer and hence get to know where various types of files are stored. The various pieces of data residing in the ever so volatile RAM should also be recovered including. The recycle bin should be checked for any file and data that might prove relevant to the current case and restored. If certain items that are considered to be highly valuable have already been found, then it is advisable to check for both the security and ownership of such items.
MD5
MD5 (Message-Digest Algorithm) is a term that refers to a hash cryptographic function that is nowadays widely used. It has a hash value of 128 bits. In this context, this functions is applied to check whether a certain file’s integrity is good. Having been designed in the year 1991 by Rivest Ron, it was solely designed to replace the earlier version MD4. In simpler terms, MD5 is mostly used for verification purposes. This is so as to ensure that after making a mirror image of a suspect’s hard disk drive together with any other files that seem relevant, the made copy would contain same data as the original drive (Rodgers, M at el, 2006).
The report concerning a forensic copy of the hard drive is problematic for one reason. The reason is that the original hard drive as compared to the made forensic copy do not seem to contain similar data. This could offer a possible loop hole for litigations to be raised by the suspect’s law team concerning how accurate restored mirror image really is. They could even claim that information that was analysed was not the original information in the hard drive just because of a MD5 returning a report that the two data locations have changed.
- Importance of “C:$Recycle.Bin” directory: This directory or location contains any files or folders that had been deleted from the system using just the delete button or by right clicking on a respective file or folder then selecting delete or just by sending to the recycle bin. If this is a novice computer user, chances are that he could have just deleted all the incriminating evidence. Therefore, one look at the recycle bin and restoring the deleted files or folders would ensure the collection of all needed evidence.
- Importance of “C:Program Files” directory: This is the directory containing all the programs that any user of the computer might be using. Therefore if any program is suspected to have been used during the crime and is found loaded on the hard drive, then this would form part of the incriminating evidence.
- Importance of “C:UsersRobertsDesktop” directory: This being a windows machine, this location forms part of the logged in artifacts that belong to this user. Therefore, this location is only accessible when this user has logged in. therefore, if any incriminating evidence3 is found in this location, and then it will be proof beyond any reasonable doubt that the crime was committed by Roberts or another person who had logged in using this users login name and password.
- Importance of “C:UsersRobertsDocuments” directory: By default, all documents that Roberts may want to save would be directed to this folder unless if the destination location is changed. Therefore, this folder would again only contain files and folders that are accessible to Roberts’s account. Therefore it would only imply that it was saved by Robert or someone else who had access to the computer that had this hard drive using Roberts’ user name and password.
Determining the owner of a spreadsheet
This could be easily done through a number of steps. It however requires that the files security description is obtained. A security descriptor is later on applied to acquire an SID (Owner Security Identifier). This will later be placed into use to acquire the file’s domain name. It could also easily be done through analyzing the metadata since it will clearly show you who the creator of the file is.
Metadata
Metadata could be used as a term to describe data or information that is stored about data. Its plays quite a significant role in computer forensics. Among its uses includes providing information that could be termed as corroborative on data. In addition, it provides for a very nice analysis on the data. The analysis includes information on whether obscuration had been tried on the piece of data. Should one also have tried deletion or just simply have tried to hide a file or folder, this too will be shown by the metadata. Further still, it could be used as an important tool to carry out correlation between any two pieces of files or folders. Metadata will also give you information about the creator of the file (NISO, 2004).
Report Findings
In the report about the findings of the forensic investigation, I would put in my report details about when the Excel file was created and under whose account it was created. I would additionally include information concerning under which location the file was found i.e. if it were under Roberts’ documents or in another location. I would also include information as to how many people can access Robert’s machine and have access to that particular file.
Difference between expert and fact witness
A fact witness is a person who is usually involved in the ongoing trials due to direct knowledge that the person might have with regards to an ongoing case. On the other hand, an expert witness is usually called to give his/her testimony in court due to the profession that that person has which in this case is computer forensics. While an expert witness is free to give his/her own views, the same holds false for a fact witness. In fact, fact witnesses usually have to ensure that their testimonies are limited to the prevailing facts only.
Looking at the jury while answering questions
It is usually important to look at the jury while answering questions. This is because you will appear to be presenting credible information if while providing the information you are constantly looking at them. This is especially from a well founded tradition that most individuals have. In this tradition, they tend to believe that the more a person initiates eye contact, the more credible their information is.
Challenges of testifying as an expert
The major challenge of testifying as an expert is the possibility of the testimony becoming admissible. This could be due to factors like the testimony not having reasoning that is underlined, methodical and as well as relevant and valid. If the procedures applied by the expert has not yet been tested nor been subjected to publication and various peer reviews. Admissibility could also occur if proper controlling standards of operation do not exist and many other reasons.
How I would answer to the question
I would answer no to accusation of only helping the police as their hack. I would explain that as much as my blog post might prove otherwise, nowhere in it is it written to be truly reflects my opinions. I would also explain that the outcomes of my forensics undertaking were scientific and had followed all the initially laid down procedure while conducting my investigations. Therefore, it would not come as a surprise if any other forensic expert was to anise the same data that I had analysed and come up with the same findings as I did.
References
NISO(National Institute of Standards Oeganisation). (2004). Understanding Metadata. Bethseda:USA. NISO Press.
NIST (National Institute of Standards and Technology). (2011). Computer Forensic Tool Testing.
Rodgers, M at el. (2006). Computer Forensics Field Triage Process Model.Southern Indiana:USA.
Rogers, M. (2006). DCSA: Applied digital crime scene analysis. In Tipton & Krause. (Eds.). Information Security Management Handbook. (pp. 601-614) New York: Auerbach.
Silverman, B. (1994). So You’ve Been Asked to Be an Expert Witness.