2012-09-09

For those interested in computer forensics, each week this blog will supply some content related to the topic. We will start with the basics and continue to delve into more technical detail in the weeks to come, as well as probe into the area of mobile forensics.

1. By the 1970s, electronic crimes were increasing, especially in the financial sector.

2. To be a successful computer forensics investigator, you must be familiar with more than one computing
platform.

3. Computer investigations and forensics fall into both private and public investigations.

4. The law of search and seizure protects the rights of all people, including people suspected of crimes.

5.  After a judge approves and signs a search warrant, it’s ready to be executed, meaning you can collect evidence as defined by the warrant.

6. The FBI Computer Analysis and Response Team (CART) was formed in 1984 to handle the increasing number of cases involving digital evidence.

7. Data recovery involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

8. Disaster recovery involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring.

9. The computer investigations group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.

10. By the early 1990s, the IACS introduced training on software for forensics investigations.

11. In the Pacific Northwest, CTIN meets monthly to discuss problems that law enforcement and corporations face.

12. In a criminal case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation.

13. In general, a criminal case follows three stages: the complaint, the investigation, and the prosecution.

14. Based on the incident or crime, the complainant makes an allegation, an accusation or supposition of fact that a crime has been committed.

15. In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit an affidavit.

16. It’s the investigator’s responsibility to write the affidavit, which must include exhibits (evidence) that support the allegation to justify the warrant.

17. The affidavit must be notarized under sworn oath to verify that the information in the affidavit is true.

18. Published company policies provide a line of authority for a business to conduct internal investigations.

19. A warning banner usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.

20. An end user is a person using a computer to perform routine tasks other than systems administration.

21. Without a warning banner, employees might assume they have a right of privacy in their computer use and network access.

22. In addition to warning banners that state a company's rights of computer ownership, businesses should specify an authorized requester who has the power to conduct investigations.

23. Most computer investigations in the private sector involve misuse of computing assets.

24. Corporations often follow the Silver Platter doctrine, which applies when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.

25. Your professional conduct as a computer investigation and forensics analyst is critical because it determines your credibility.

26. Maintaining objectivity means you must form and sustain unbiased opinions of your cases.

27. Computer forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.

28. The 4th Amendment to the U.S. Constitution (and each state's constitution) protects everyone's right to be secure in their person, residence, and property from search and seizure.

29. The term enterprise network environment refers to large corporate computing systems that might include disparate or formerly independent systems.

30. When you work in the vulnerability assessment and risk management group, you test and verify the integrity of standalone workstations and network servers.

31. The police blotter provides a record of clues to crimes that have been committed previously.

32. Litigation is the legal process of proving guilt or innocence in court.

33. XTREE Gold recognizes file types and retrieves lost or deleted files.

34. Computer forensics investigates data that can be retrieved from a computer's hard disk or other storage media.

35. An affidavit is a sworn statement of support of facts about, or evidence of, a crime that is submitted to a judge to request a search warrant.

36. Case law allows legal counsel to use previous cases similar to the current one when laws covering the situation don't yet exist.

37. Line of authority specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.

38. The HTCIA organization exchanges information about techniques related to computer investigations and security.

39. Network forensics yields information about how a perpetrator or an attacker gained access to a network.

40. Industrial espionage involves selling sensitive or confidential company information to a competitor.

41. Computer security has a triad of confidentiality, integrity, and availability, but the forensics triad is a bit different. It consists of:

Vulnerability assessment and risk management: the group that determines the weakest points in the system, covering physical security as well as OSs and applications.

Network intrusion detection and incident response: detecting attacks by intruders using automated tools and the manual process of monitoring network firewall logs.

Computer investigations: conducting forensic analysis of systems suspected of containing evidence related to an incident or evidence of a crime.

42. The main characteristics of public investigations involve government agencies responsible for criminal investigations and prosecutions. These investigations must follow Article 8 of the Canadian Charter of Rights and Freedoms or the U.S. 4th Amendment search and seizure rules.

43. The main characteristics of private investigations include dealing with private companies, non-law-enforcement government agencies, and lawyers. They are not governed by 4th Amendment or criminal law but by internal policies that define expected employee behavior and conduct in the workplace. Private corporations can also become involved in litigation, whether civil or criminal.

44. Some questions an investigator should ask to determine whether a computer crime was committed: What was the tool used to commit the crime? Was it a simple trespass? Was it theft, burglary, or vandalism? Did the perpetrator infringe on someone else's rights by cyberstalking or email harassment?

45. The three levels of law enforcement expertise established by CTIN:

Level 1- Acquiring and seizing digital evidence, normally performed by a police officer on the scene.

Level 2- Managing high-tech investigations, teaching investigators what to ask for, and understanding computer terminology and what can and can't be retrieved from digital evidence. The detectives assigned to the case usually handle this level.

Level 3- Specialist training in retrieving digital evidence, normally conducted by a data recovery or computer forensics expert, network forensics expert, or Internet fraud investigator. This person may also be qualified to manage a case, depending on his or her background.

46. The most common types of corporate computer crimes are email harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage.

47. An example of embezzlement: typically an owner trusts a person who takes advantage of that trust, and if that person leaves, the owner can find that customers were overbilled, some were not billed at all, or false accounts exist.

48. An example of corporate sabotage: often committed by a disgruntled worker who takes a job at a competitor's firm and collects confidential files on a USB flash drive or disk before leaving.

49. As described in a previous blog, but repeated here for additional review, text that could be used in internal warning banners includes: access to this system and network is restricted; use of this system and network is for official business use only; systems and networks are subject to monitoring at any time by the owner; using this system implies consent to monitoring by the owner; and unauthorized or illegal users of the system or network will be subject to discipline or prosecution.

50. Groups that should have direct authority to request computer investigations in the corporate environment include corporate security investigations, the corporate ethics office, the corporate equal employment opportunity office, internal auditing, and the general counsel or legal department.

Again, this is pretty simple stuff, but for those interested, we will probe deeper into this area, and the material will get a bit more difficult as time goes on.
