
Introduction to Computer Forensics

Benjamin Stephan
CISSP EnCE QDSP CISA
BStephan@ChiefSecurityOfficers.com

Spectrum of Services

Internal Audit – Financial, Operational and Information Technology
Corporate and IT Governance
Risk Assessment
Internal Audit Transformation
Fraud/Forensic Investigations
Information Technology Audit
Change Management
Computer Forensics

Technology Risk & Security
Enterprise Security
System Controls and Effectiveness
Business Continuity Planning
Privacy & Data Protection
Vulnerability Analysis and Testing
Technology & Strategy Alignment

Business Process Improvement
Operational Performance Reviews
Business Process Integration
Financial Analysis & Modeling
System Implementation Support
Project Management Office (PMO)

Compliance Services
Sarbanes-Oxley Readiness Service
Corporate Governance Assessment
Regulatory Risks (PATRIOT, HIPAA, SAS 70, GLB)
Federal and State Regulations

Customer List

Meyer Hendricks PLLC

Why Chief Security Officers?

We are Information Security experts. Computer forensics is a natural extension of
what we do.
The principals bring over 75 years of IT experience with Fortune 500, small and
middle-market companies.
The average experience of our staff is over 17 years. They know where to look.
We have EnCase certified engineers trained to maintain the chain of custody.

CSO Team

Russell Rowe – CISSP, CISA, QDSP, PMP, MCSE, MBA

Russell Rowe is a Principal with Chief Security Officers, LLC (CSO). He has over 25
years of auditing, governance and security experience in companies ranging in size
from venture capital start-ups to Fortune 500 companies.

Mr. Rowe has held the titles of Chief Information Officer, Chief Technology Officer and
Chief Security Officer. Mr. Rowe holds a B.S. degree in Computer Information Systems
from Arizona State University and an M.B.A. degree from the University of Phoenix.

He is a Certified Information Systems Security Professional (CISSP), Certified
Information Systems Auditor (CISA) and Visa Qualified Data Security Professional
(QDSP). Mr. Rowe is also an accredited Project Management Professional (PMP) and a
Microsoft Certified Systems Engineer (MCSE).

Mr. Rowe lectures nationally on Sarbanes-Oxley and counsels companies on how to
reduce compliance costs.

CSO Team
Kenneth Rowe – CISSP, CISA, QDSP, PMP, MCSE, MBA

Kenneth R. Rowe is a principal with Chief Security Officers, LLC. Mr. Rowe has over 25 years
of experience in information technology in the healthcare, finance, education and supply chain
industries. He has worked for Scottsdale Healthcare, Good Samaritan Health Systems, United
Parcel Service, and was involved in the acquisition of Livingston Healthcare Services by
United Parcel Service.

Mr. Rowe has held the positions of CIO, CTO and CSO in his career. He received his Bachelor
of Science degree from Arizona State University. He also has a Master's degree in Technology
Management from the University of Phoenix. Mr. Rowe also holds a number of technical
certifications including: CISSP, CISA, PMP, MCSE, and Cisco CCNA.

Mr. Rowe is a member of the American Society for Quality, International Society of Six Sigma
Professionals, Project Management Institute, and the Information Systems Audit and Control
Association. Mr. Rowe is an expert in IT security issues and best practices for risk
management. He has worked on numerous technical projects that required compliance or
guidance under the following standards: Sarbanes-Oxley, Gramm Leach Bliley, HIPAA, CFR 21
Part 11, ISO 17799, and CobiT.

CSO Team
Benjamin Stephan – CISSP, EnCE, CISA, QDSP

Benjamin Stephan is an IT security, forensics, and audit professional for Chief
Security Officers, LLC (CSO). He has over seven years of experience in computer
security, IT governance, computer forensics, web publishing, network
administration and risk mitigation.

Mr. Stephan has a B.S.E. degree in Electrical Engineering from Arizona State
University. He is an EnCase Certified Examiner (EnCE) in computer forensics,
Certified Information Systems Security Professional (CISSP), Certified Information
Systems Auditor (CISA), and a Visa Qualified Data Security Professional (QDSP).

Mr. Stephan lectures nationally on computer forensics and helps to provide education
to attorneys and law firms on the importance of computer forensics.

Important Disclaimer

A speaker’s opinions are just that - opinions
Not offering legal advice – just discussing principles


Computer Forensics
What is Computer Forensics?
Computer Forensics is the acquisition, preservation
and analysis of digital information that meets the
requirements of evidence for court presentation.

E-Discovery

Electronic discovery (also called e-discovery or ediscovery) refers to any process in
which electronic data is sought, located, secured, and searched with the intent of
using it as evidence in a civil or criminal legal case.

http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1150017,00.html

E-Discovery vs. Computer Forensics

E-discovery is the process of analyzing data that is accessible without the need for
additional tools or applications, whereas computer forensics is the process of
analyzing data that can only be accessed with proper training and tools.


E-Discovery vs. Computer Forensics

E-Discovery involves indexing files, converting documents into “tiff” or similar
formats, integrating analysis with case management, etc.
Computer forensics involves recovering data, analyzing corrupted files, establishing
user profiles, in-depth metadata analysis, chain of custody preservation, fraud
analysis, etc.

Why Computer Forensics?

Discovering data that resides in a computer system and recovering deleted, encrypted
or damaged file information may help during discovery depositions or actual
litigation.
The new Federal Rules of Civil Procedure (FRCP) mandate how Electronically Stored
Information (ESI) must be addressed.


Digital Evidence

Electronically Stored Information (ESI, rule 26a) is all types of media where digital
evidence can be stored.
It is a type of physical evidence.
It is less tangible than other forms of physical evidence. However, courts have ruled
that such intangible property can be seized as evidence.
It consists of magnetic fields and electronic impulses.
It may be collected and analyzed using special tools and techniques.


Advantages of Digital Evidence

It can be duplicated exactly, and a copy can be examined as if it were the original,
posing no threat to the original.

It is easy to determine if digital evidence has been modified or tampered with by
comparing it to the original.
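The integrity check behind the two claims above, as an added example that is not part of the original presentation: a cryptographic hash is recorded when the working copy is made and recomputed at every later examination, so any change to the copy, down to a single bit, is detected without touching the original again. The sample bytes and the choice of SHA-256 are assumptions made for this example.

```python
import hashlib

# Constructed sample "original" evidence, standing in for bytes read from a seized drive.
ORIGINAL_EVIDENCE = b"Invoice 4471: wire 48,000 to the account ending 9921 by Friday.\n" * 64


def sha256_hex(data: bytes) -> str:
    """Hash recorded at acquisition time and re-checked at every later examination."""
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes):
    """Make a bit-for-bit working copy and record the acquisition hash of the source.
    Examination then happens on the copy; the source is not handled again."""
    working_copy = bytes(source)  # exact duplicate
    return working_copy, sha256_hex(source)


def verify(copy: bytes, acquisition_hash: str) -> bool:
    """True if the copy still matches what was acquired. The comparison is against
    the recorded hash, not the original media, so the original stays untouched."""
    return sha256_hex(copy) == acquisition_hash


def tamper(copy: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset, simulating an edit to the working copy."""
    edited = bytearray(copy)
    edited[offset] ^= 0x01
    return bytes(edited)


if __name__ == "__main__":
    copy, acquisition_hash = acquire(ORIGINAL_EVIDENCE)
    print("acquisition hash:", acquisition_hash)
    print("copy verifies:   ", verify(copy, acquisition_hash))              # True
    print("edited verifies: ", verify(tamper(copy, 10), acquisition_hash))  # False
```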

Advantages of Digital Evidence

Although extremely volatile, it is relatively difficult to completely destroy digital
evidence. If a suspect deletes a file, it can still be recovered from a storage device
on the computer.

Even when intentional efforts are made to destroy evidence, latent copies may remain
in the computer’s storage devices.


Cyber Evidence

Partition Recovery
File Signature Analysis
Hash Sets
Recovering Deleted Files
OS Artifacts
Images
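Two items from this list, file signature analysis and hash sets, as an added illustration that is not drawn from the presentation: a file's leading bytes are checked against the type its extension claims, and each file's hash is looked up in a set of already-known files so those can be set aside. The signature table, the alias list, the "known" template and the sample files are all constructed for this example.

```python
import hashlib
from typing import Dict, Optional

# Leading-byte signatures ("magic numbers") for a few common types: a constructed
# subset of the tables forensic tools carry.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",  # also the container format of docx/xlsx
    b"%PDF-": "pdf",
}
# Extensions that legitimately carry another type's signature.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip"}

# Constructed hash set of files already known and not worth examiner time (the idea
# behind reference sets such as NIST's NSRL); here it holds one sample template.
KNOWN_TEMPLATE = b"%PDF-1.4\n%standard corporate template\n"
KNOWN_FILES = {hashlib.sha256(KNOWN_TEMPLATE).hexdigest()}


def detect_type(data: bytes) -> Optional[str]:
    """Type implied by the file header, or None when no known signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def signature_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one type but the header shows another,
    e.g. a ZIP archive renamed to .jpg. Unknown headers are not flagged."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(data)
    return detected is not None and detected != EXTENSION_ALIASES.get(ext, ext)


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Label each file 'known' (in the hash set), 'mismatch' (header disagrees
    with extension) or 'review' (needs a human look)."""
    labels = {}
    for name, data in files.items():
        if hashlib.sha256(data).hexdigest() in KNOWN_FILES:
            labels[name] = "known"
        elif signature_mismatch(name, data):
            labels[name] = "mismatch"
        else:
            labels[name] = "review"
    return labels


SAMPLE_FILES = {  # constructed sample files for a run
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "vacation2.jpg": b"PK\x03\x04" + b"\x00" * 16,  # archive behind a .jpg name
    "template.pdf": KNOWN_TEMPLATE,
    "notes.txt": b"meeting moved to 3pm",
}
```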


Internet Evidence

Email
Outlook PST Files
Webmail
Base64
History
Cookies
Temporary Internet Files
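Why Base64 belongs on this list, as an added example that is not from the presentation: mail attachments are transferred Base64-encoded, so a plain keyword search over a raw mailbox or PST export misses what is inside them until each part is decoded. The message and attachment below are constructed sample data; parsing uses Python's standard email package.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed sample attachment; the CSV text is what an examiner would search for.
SAMPLE_ATTACHMENT = b"acct,amount\n9921,48000\n"


def build_sample_message() -> bytes:
    """Build a constructed message with a base64 attachment, standing in for one
    exported from a PST file or a webmail store (sample data, not real evidence)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 numbers"
    msg.set_content("See attached.")
    # Bytes content is base64-encoded by the email package, as a mail client would do.
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="text", subtype="csv", filename="q3.csv")
    return msg.as_bytes()


def raw_contains(raw: bytes, keyword: bytes) -> bool:
    """Naive keyword search over the undecoded message, as a plain text search does."""
    return keyword in raw


def extract_attachments(raw: bytes) -> list:
    """Parse a raw message and return each attachment decoded from its transfer
    encoding, with the hash an examiner would record for it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # reverses base64 / quoted-printable
        found.append({
            "filename": part.get_filename(),
            "encoding": str(part.get("Content-Transfer-Encoding", "")),
            "data": data,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


if __name__ == "__main__":
    raw = build_sample_message()
    print("keyword visible in raw message:", raw_contains(raw, b"9921,48000"))  # False
    for att in extract_attachments(raw):
        print(att["filename"], att["encoding"], att["sha256"])
```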

Computer Forensics and the Law

Courts mandate that computer evidence be collected in a forensically sound manner.
Proper preservation and chain of custody of computer evidence must be established.


Collecting Computer Evidence

1. Find the evidence and determine where it is stored.
2. Find the relevant data and determine what part of the evidence is relevant to the
case. Within reason, one should err on the side of over-collection, but do not collect
information that is obviously useless.
3. Create an order of volatility to determine the best order to collect the evidence
and minimize data corruption.


Collecting Computer Evidence (continued)

4. Remove external avenues of exchange; it is essential that you avoid alterations to
the original data. This includes preventing anyone from tampering with the evidence,
either remotely or at the suspect system.
5. Collect the evidence using appropriate and industry-accepted techniques and
procedures.
6. Document everything - collection procedures may be called into question at a later
time.
7. Rule 16(b) mandates that ESI must be identified within the first 120 days.
User Profiling

Putting the pieces together
Rebuilding the user


Gaining Access to E-Evidence

By agreement
Request for Production of Documents
Motion to Compel
  - Identify what is to be accessed
  - Narrowness and relevance of search
  - Not unduly burdensome

Subpoena to Internet Service Provider


Preservation of Evidence Letter (‘Lit’ Hold)

No overwrite of backup media
Disable system utilities that can alter evidence
No disposal of machines or media
Override corporate destruction policies
Obtain protective order if necessary
Scope ‘Lit Hold’ during initial sit down (rule 26f)

Discovery – What to ask…

How does backup work?
When is media overwritten?
System administration?
PDA? Laptops? Home machines?
Cell phones? Digital copiers? Thumb drives?
Remote access? How?
E-mail package?
E-mail server?
Where is e-mail stored?


Checklist: Working with Your Experts

Get them the pleadings
Involve them in drafting pleadings, sitting in on relevant depositions
Give them adequate notice of deadlines and court dates


Checklist: Working with Your Experts

Accept “the truth” as they report it
Respond promptly to their messages/queries
Do not discuss substantive matters via e-mail

What a Forensic Engineer Brings

Knowledge of multiple operating systems and procedures
Hardware and software tools to recreate environment
Lots of drive space
Maximize evidence retrieval
Case roadmap/next steps
Expert witness credentials
Proof of chain of custody/authentication


Choosing a Forensic Technologist

Technical certifications
Forensic certifications
Professional experience
Referrals from clients


4 Key Factors of E-Discovery and Forensics

1. Establish a litigation hold or preservation of evidence request.
2. Identify all possible sources where evidence can be stored.
3. Establish a “scope” of the acquisition and analysis.
4. Work quickly and involve forensic professionals.
