
Module 15: Computer Investigations

Introduction
Digital Evidence
Preserving Evidence
Analysis of Digital Evidence
Writing Investigative Reports
Proven Security Protocols and Best Practices

J. M. Kizza - Ethical And Social Issues 1


Introduction
Computer forensics (computer crime investigation) is the application of forensic science investigative techniques to computer-based material used as evidence.
The search technique helps to reconstruct the sequence of activities, that is, what happened.
The investigation process involves the extraction, documentation, examination, preservation, analysis, evaluation, and interpretation of computer-based material to provide relevant and valid information as evidence in civil, criminal, administrative, and other cases.



Digital Evidence
Evidence is something tangible needed to prove a fact.
Tangible evidence to prove a claim or an assertion can come from one of the following sources:
An eyewitness who provides testimony
Physical evidence, as traces of the sequence of activities leading to the claim or assertion
Digital evidence, as digital footprints of the digital sequence of activities leading to the claim or assertion
Digital evidence consists of the digital footprints left after every digital activity; together these form a cybertrail.



Looking for Digital Evidence
Looking for digital evidence is difficult and is comparable to searching for bits of evidence data in a haystack.
The evidence usually sought includes binary data fixed in any medium such as CDs, memory, and floppies; residues of things used in committing a crime; and physical materials such as folders, letters, and scraps of paper.

At the start of the investigation, the examiner must decide on the things to work with, such as written and technical policies, permissions, billing statements, and system, application, and device logs.
Also decide early on what to monitor, if this is needed. This may include employer and employee computing activities, Internet e-mail, and chat rooms.



Digital Evidence Previewing and Acquisition
Dealing with digital evidence requires a lot of care because it is very volatile. The two processes, previewing and acquiring data, may disturb the evidence data to the point of changing its status, thus casting doubt on its credibility.
To make sure that this does not happen, a strict sequence of steps must be followed in handling the evidence.



Handling Evidence involves tracing the sequence of events by looking for answers to the following questions:
Who extracted the evidence, how, and when?
Who packaged it and when?
Who stored it, how, when, and where?
Who transported it, where, and when?

Previewing Image Files allows the investigator to view the evidence media in order to determine if a full investigation is warranted.
Evidence Acquisition is the process of evidence extraction.



Preserving Evidence
Given that digital evidence is very fluid, in that it can disappear or change so fast, extra care must be taken in preserving it.
One way of preserving evidence is to strictly follow these procedures:
Secure the evidence scene from all parties that have no relevance to it. This is to avoid contamination, usually from the deposit of hairs, fibers, or trace material from clothing or footwear, or of fingerprints.
Securely catalog and package evidence in strong, anti-static, well-padded, and labelled evidence bags.
Image all suspected media as evidence to create a backup. Try to make several copies of each evidence item.
Make a checksum of the original evidence disk before and after each copy. After imaging, the two checksums must agree.
Institute a good security access control system to make sure that only those authorized to handle the evidence do so.
Secure the evidence by encryption, where and if possible. Encryption ensures the confidentiality of the evidence.
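The checksum-before-and-after rule above and the custody questions from the previous slide (who extracted, packaged, stored, and transported the item, how, when, and where) can be carried out together in one script. The following Python example is added here and is not part of Kizza's slides; the item label ITEM-001, the examiner names, and the locations are constructed, the sample media is a constructed byte string, and shutil.copyfile stands in for a real forensic imager. It hashes the original before imaging, hashes original and copy afterwards, accepts the image only if all three digests agree, records each handling step in a chain-of-custody log, and shows that a later single-byte change to the stored image is caught by re-verification against the recorded digest.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record: who did what to an item, how, when, and where."""

    def __init__(self, item_id):
        self.item_id = item_id
        self.entries = []

    def record(self, action, who, where, how="", **details):
        entry = {
            "item": self.item_id,
            "action": action,
            "who": who,
            "where": where,
            "how": how,
            "when": datetime.now(timezone.utc).isoformat(),
        }
        entry.update(details)
        self.entries.append(entry)
        return entry

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def image_and_verify(source, dest, log, examiner, location):
    """Hash the original before imaging, image it, then hash original and copy again.

    The image is accepted only if all three digests agree: the original was not
    altered by the acquisition, and the copy is bit-for-bit identical to it.
    """
    before = sha256_file(source)
    log.record("hash_before_imaging", examiner, location, how="sha256", digest=before)
    # shutil.copyfile stands in for a forensic imager; the verification logic is the same.
    shutil.copyfile(source, dest)
    after = sha256_file(source)
    copy_digest = sha256_file(dest)
    verified = before == after == copy_digest
    log.record("image_created", examiner, location, how="copyfile",
               original_after=after, copy=copy_digest, verified=verified)
    return {"before": before, "after": after, "copy": copy_digest, "verified": verified}


def reverify_copy(expected_digest, copy_path):
    """Re-check a stored image against the digest recorded at acquisition time."""
    return sha256_file(copy_path) == expected_digest


def demo():
    """Run the whole sequence on constructed sample media; returns (imaging result, tamper check, log)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_media.bin")
    image = os.path.join(workdir, "suspect_media.img")
    with open(source, "wb") as fh:
        fh.write(b"constructed sample media contents\x00" * 4096)  # constructed, not real evidence

    log = CustodyLog("ITEM-001")  # hypothetical item label
    log.record("extracted", "Examiner A", "Lab bench 3", how="write-blocked USB bridge")
    result = image_and_verify(source, image, log, "Examiner A", "Lab bench 3")
    log.record("packaged", "Examiner A", "Lab bench 3", how="anti-static bag, labelled ITEM-001")
    log.record("stored", "Custodian B", "Evidence locker 7")

    # Simulate later tampering with the stored image: a single changed byte must be caught.
    with open(image, "r+b") as fh:
        fh.seek(10)
        fh.write(b"X")
    tamper_detected = not reverify_copy(result["copy"], image)

    shutil.rmtree(workdir)
    return result, tamper_detected, log


if __name__ == "__main__":
    result, tamper_detected, log = demo()
    print(log.to_json())
    print("image verified:", result["verified"], "| later tampering detected:", tamper_detected)
```

Hashing in fixed-size chunks matters in practice because evidence images are often far larger than available memory; the log is kept as plain JSON so it can be printed and attached to the report described later in this module.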



Two common network configuration models: the centralized and the distributed
Computer networks, centralized or distributed, come in different sizes depending on the number of computers and other devices the network has.
The number of devices, computers or otherwise, in a network and the geographical area covered by the network determine the network type:
Local Area Network (LAN)
Wide Area Network (WAN)
Metropolitan Area Network (MAN)



Analysis of Digital Evidence
Evidence analysis is the most difficult and demanding task for investigators.
It involves:
Analyzing Data Files:
File Directory Structure
File Patterns
Metadata
Content
Application
User Configuration



Analysis Based on Digital Media
Deleted Files
Hidden Files
Slack Space
Bad Blocks
Steganography Utilities
Compressed and Coded Files
Encrypted Files
Password-Protected Files

Analysis Based on Operating Systems
Microsoft-Based File Systems
UNIX and Linux File Systems
Macintosh File System
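Several items in the analysis lists above (file patterns, metadata, hidden files, and compressed or coded content stored under a misleading name) come down to comparing what a file claims to be with what its bytes actually say. The following Python example is added here and is not from the slides; the signature table, the extension alias table, and the sample files are constructed assumptions chosen to illustrate the technique, and a real toolkit carries hundreds of signatures rather than five. It walks a directory, reads each file's leading bytes, compares the implied type with the extension, records size and modification time, and flags files whose signature contradicts their name or whose name is hidden by a leading dot.

```python
import os
import tempfile
from datetime import datetime, timezone

# Well-known file signatures (magic bytes). Assumption: only a handful of types, enough
# to illustrate the technique; a real toolkit carries hundreds.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpg",
    b"MZ": "exe",
}
# Extensions that legitimately share a container format with another type.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "dll": "exe"}


def identify_by_signature(header):
    """Return the type implied by the leading bytes, or None if no known signature matches."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def examine_file(path):
    """Collect the metadata an analyst compares: name, claimed type, actual type, size, timestamp."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    st = os.stat(path)
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    kind = identify_by_signature(header)
    return {
        "name": name,
        "path": path,
        "extension": ext or None,
        "signature": kind,
        # Only a recognised signature can contradict the extension; unknown content is not flagged.
        "mismatch": kind is not None and kind != ext,
        "hidden_name": name.startswith("."),
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
    }


def walk_and_flag(root):
    """Walk a directory tree and return the files whose content or name warrants a closer look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            info = examine_file(os.path.join(dirpath, name))
            if info["mismatch"] or info["hidden_name"]:
                findings.append(info)
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree():
    """Create a constructed directory of sample files (not real evidence) and return its path."""
    root = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.4 constructed sample",
        "holiday.jpg": b"\xff\xd8\xff\xe0 constructed sample",
        "notes.txt": b"plain text with no signature",
        "photo.jpg": b"PK\x03\x04 constructed zip archive renamed to look like a photo",
        ".cache.dat": b"MZ constructed executable header under a dot-file name",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for finding in walk_and_flag(tree):
        reason = "signature mismatch" if finding["mismatch"] else "hidden name"
        print(f"{finding['name']}: {reason} (claims {finding['extension']}, looks like {finding['signature']})")
```

Files with no recognised signature are deliberately not flagged: plain text, encrypted, or compressed-and-coded content has no reliable header, so its absence is a reason for further analysis rather than a finding on its own. Extensions that share a container (docx is a zip archive, dll is a PE executable) are mapped to the container type so that legitimate files are not reported as mismatches.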


Relevance and Validity of Digital Evidence
There is a need to establish the relevancy of the evidence.
The relevancy of the digital evidence depends on:
the requesting agency,
the nature of the request,
the type of the case in question.
The question of the validity of data is tied up with the relevance of data.
It is also based on the process of authentication of that data.



Writing Investigative Reports
A report is a summary of all findings of the investigation, and it comes from all the documentation that has been made throughout the investigation.
The report should include the following documents [4]:
All notes taken during meetings and contacts that led to the investigation
All forms used in the investigation, including the chain of custody forms
Copies of search warrants and legal authority notes granting permission to conduct searches
Notes, video recordings, and pictures taken at the incident scene describing the scene
Notes and any documentation made to describe the computer components, including descriptions of peripherals and all devices



Documentation and notes describing the networking of the suspect's devices
Notes made on what was discovered, including passwords, passphrases, encryption, and any data hiding
Any changes to the suspect's scene configuration, authorized or not
Names of everyone at the suspect's scene
Procedures used to deal with the scene, including acquisition, extraction, and analysis of evidence
Any observed or suspected irregularities, including those outside the scope of the techniques in use

