Submitted by
Fahad Niazi
(T0074639) 2
2. Digital Investigations in Law Enforcement and within an Organisation
Law enforcement agencies work under the government of a particular country, engage in criminal investigations and prosecutions, and must operate under legal instructions. For example, a search and seizure order protects people's rights, including the rights of the person suspected of a crime. Therefore, a digital investigator must follow the rules and the law. On the other hand, organisations do not fall under criminal legislation; they follow organisational policies that determine the actions of workers, users and staff members within the organisation. Organisations generally deal with civil proceedings, although a civil case can turn into a criminal case or vice versa. As such, organisations do not have any framework or model to follow (Haggerty, 2016).
Law enforcement agencies follow the ACPO (Association of Chief Police Officers) Good Practice Guide for investigation, which helps an examiner carry out an investigation while following all the rules and principles. According to the ACPO (2012) guidelines there are four principles:
Principle 1: Data should not be changed or altered by law enforcement or their agents while conducting the investigation, as the data may later be presented in court.
Principle 2: A competent investigator should handle situations where it is necessary to access original data, and in doing so must provide evidence describing the relevance and the implications of their actions.
Principle 3: All processes and procedures used to collect or applied to digital evidence should be created and preserved, so that a third party can follow the same processes and procedures and achieve the same results.
Principle 4: The investigator in charge of an investigation holds full responsibility for making sure that all processes and procedures, laws and ACPO principles are followed.
As a forensic investigator in law enforcement, one needs to understand the urban area and its surroundings, the country, and the legislation on offences in which the computer is directly the target of the crime (Cengage, 2011). A computer forensic investigator needs to follow the approved legal processes and procedures, which might help form a criminal case. A suspect is often questioned in connection with murder, robbery and similar crimes. In a criminal investigation, an investigator needs a search warrant in order to seize the media that might have been used in committing a crime. "When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity" (D. Nev. 1991). In contrast, a forensic investigator working on behalf of an organisation can obtain the search and seizure authorisation from top management or the head of the department. According to Cengage (2011), in law enforcement criminal investigations pass through three phases.
Figure 1: Law enforcement phases: Complaint, Investigation, Prosecution.
Figure 2: Organisational phases: Complaint, Investigation; prosecution depends on situation and circumstances.
Figure 1 and Figure 2 show that a law enforcement agency passes through three phases and ends up in prosecution, whereas in an organisation prosecution depends on top management or the department, and also on the sensitivity of the case and its cost. Furthermore, in law enforcement every investigation is carried out on the basis of an allegation, looking for evidence that might support the criminal allegation. In comparison, an organisational investigation is carried out on the basis of an allegation of misuse of the company's assets, a breach of policy or of the company's privacy, or a case that leads towards criminal activity.
2.2 Complaint
When an individual experiences an unlawful act or witnesses any misconduct, the response leads to a criminal case. From the law enforcement perspective, if an individual, whether a witness or a victim, complains to the police that some misconduct has happened, this leads to an allegation that a crime took place. In this regard, a police officer fills in a report and starts planning the investigation. In an organisation, a security incident is reported to the computer forensic investigator by the head of the department, the system administrator or the person responsible for the activity. The computer forensic investigator then starts an investigation with the help of the system administrator.
2.3 Investigation
Organisation-related offences usually involve email harassment, corruption of data, gender and race equity issues, fraud, damage to the organisation's assets, and passing confidential company secrets or information to a competitor. An organisational investigation follows the internal policies that define employee behaviour in the workplace and also address violations of company policy. On the other hand, the common problems that law enforcement faces include identity theft, drug trafficking, cyber stalking, hacking, credit card fraud, financial fraud, and so on. According to the EC-Council (2010), both within law enforcement and within an organisation the computer forensic investigator follows the same digital forensic investigation process:-
Initial assessment
Outline for investigation
Methodology
Resources
Collecting evidence
Make sure to work on a copy of the disk evidence
Identification of risk involvement
Reduce the risks
Reviewing the whole process
Analysing collected evidence data
Data recovery
Reporting
Opinion based on experience (if needed)
(T0074639) 5
2.4 Prosecution
When the evidence data has been collected and analysed, the computer forensic investigator needs to write a report. In this report the investigator has to describe the whole investigation process and which standard procedures were followed. The findings can then be presented in a court of law. In an organisational context, it is up to senior management or the department what steps need to be taken to address the incident. According to the EC-Council (2010), organisations tend not to report computer-related crime, so in turn many criminal cases go unreported, most likely because of:-
4. Proposed Model
Figure 3: Proposed model for the digital investigation process to be used within Nottingham Trent University Department of Science and Technology.
4.1 Authorisation
The best practice for an investigator is to obtain written authorisation and instructions from the head of the department before conducting any investigation or gathering any digital evidence relating to it. In cases where it is necessary to search a user's personal computer and related data without the user's consent, it might be permissible to do so (Cengage, 2011).
4.3 Identification
According to Reith, Carr and Gunsch (2002), identification is the process of recognising unusual circumstances based on indicators and understanding the kind of incident. The investigator must identify the security incident, and it is important to identify each source of digital evidence, including the contents of hard drives, storage devices and log files, in order to search for pieces of hidden information relevant to the inspection. It is also important for an investigator to review all the available media and identify which items hold the relevant evidence.
According to the EC-Council (2010), an investigator should make a bit-stream image file that is an exact copy of the original evidence. First, an image file called evidence.img should be created using FTK Imager; this image file is stored in work folder\folder\subfolder and is copied to an external device for forensic analysis.
Go to My Computer and look for the evidence.img file in the folder\subfolder data files.
Copy the evidence.img file from the data files to the folder\subfolder on the disk.
Using the command prompt, enter cd\work folder\folder\subfolder and press Enter.
Put the copy disk in the disk drive.
Type image evidence.img a: and press Enter.
On the copy disk write "Testing Copy".
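As an added example (not code from the original report, FTK Imager or the EC-Council material), the check that makes an image an "exact copy" in practice: the Python below copies a source block by block into evidence.img, hashes both sides with SHA-256, records the result for the custody notes, and re-verifies the image before examination. The sample evidence file is constructed inline.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # copy in 1 MiB blocks so large media never need to fit in memory

def hash_file(path):
    """SHA-256 of a file, streamed block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def create_image(source, image, label):
    """Bit-for-bit copy of `source` into `image`, hashed before and after; returns a custody record."""
    source_hash = hash_file(source)  # baseline hash of the original before anything is copied
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    image_hash = hash_file(image)
    return {
        "label": label,
        "source": source,
        "image": image,
        "size": os.path.getsize(image),
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash
        and os.path.getsize(source) == os.path.getsize(image),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }

def verify_image(record):
    """Re-hash the image before every examination; any change since acquisition shows up here."""
    return hash_file(record["image"]) == record["sha256_image"]

def demo():
    """Constructed sample: a small file of bytes stands in for the original evidence disk."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "original_disk.bin")
    with open(source, "wb") as f:
        f.write(b"MBR" + os.urandom(2 * CHUNK + 123) + b"TRAILER")
    return create_image(source, os.path.join(workdir, "evidence.img"), "Testing Copy")
```

The two hashes in the record are what goes into the investigation notes; a later mismatch from verify_image means the image is no longer the copy that was acquired.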
During the collection process an investigator needs to know where the data is stored and what type of relevant data is needed. Therefore, it is important to identify the relevant data; otherwise time is wasted. In the collection phase an investigator should follow an order of volatility to make sure that the relevant data is gathered. The investigator needs to mark the evidence so it can be identified later. There are two kinds of data to collect:
Volatile
Non-Volatile
4.4.1 Volatile Data
The investigator should focus on the collection of volatile data, which contains useful information, and while doing so should not shut down the system until the volatile data has been recorded. Volatile memory is dynamic and should be recorded in real time. It can include:
Running processes
System time
Command history
Network connection
Event logs
Registry
Cookies
Boot sectors
Browser cache
Firewall logs
Antivirus logs
Domain controller logs
Web server logs
Database logs
IDS logs
Application logs
Preparation
Extraction
4.5.1 Preparation
This step allows an investigator to prepare the working directories, using tools such as a write blocker and FTK, and helps to recover or extract data and files.
4.5.2 Extraction
During the extraction process the investigator should keep in mind the following types of extraction:
Keyword searching
Empty space on the physical disk
File carving
Extraction of the partition table
Deleted files
Active files
Extraction of file slack
Extraction of unallocated file space
Recovery of deleted files
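An added example of the file carving listed above (not the report's own code; the signature table and the sample bytes are constructed here): it scans a raw buffer standing in for unallocated space, carves each PNG and JPEG header/footer pair, and skips an orphan header whose footer has been overwritten.

```python
# Header/footer signature table (constructed and deliberately small; real carvers use far more).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer this far past a header

def carve(data, signatures=SIGNATURES):
    """Scan a raw byte buffer (unallocated space, slack, or a whole image) for known file
    headers and return a list of (offset, type, carved_bytes) for each header/footer pair.
    A footer sequence can also occur inside real data (e.g. embedded JPEG thumbnails),
    so carved output still needs validating before it is relied on."""
    found = []
    pos = 0
    while pos < len(data):
        nearest = None  # the header closest to `pos`, whichever type it is
        for kind, (head, tail) in signatures.items():
            i = data.find(head, pos)
            if i != -1 and (nearest is None or i < nearest[0]):
                nearest = (i, kind, head, tail)
        if nearest is None:
            break
        start, kind, head, tail = nearest
        end = data.find(tail, start + len(head), start + MAX_CARVE)
        if end == -1:
            pos = start + 1  # orphan header with no footer: skip it and keep scanning
            continue
        end += len(tail)
        found.append((start, kind, data[start:end]))
        pos = end  # resume after the carved file so its bytes are not scanned again
    return found

def demo():
    """Constructed 'unallocated space': filler bytes with a PNG and a JPEG embedded,
    followed by a JPEG header whose footer was overwritten (must not be carved)."""
    png = SIGNATURES["png"][0] + b"\x00" * 40 + SIGNATURES["png"][1]
    jpeg = SIGNATURES["jpeg"][0] + b"\xe0" + b"\x11" * 60 + SIGNATURES["jpeg"][1]
    orphan = SIGNATURES["jpeg"][0] + b"\x22" * 20
    space = b"\x00" * 512 + png + b"\xaa" * 100 + jpeg + b"\xaa" * 50 + orphan
    return carve(space)
```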
4.5.3 File System Examination
In the New Technology File System (NTFS), everything on the disk is a file. The Master File Table (MFT) holds information about all the files on the disk, and the file records in the MFT also contain metadata. Metadata is data about data (Nelson, B., et al., 2008). NTFS can attach an additional data stream to an existing file. According to the InfoSec Institute (2014), an investigator can store data stream files as follows:
As an investigator one must have in-depth knowledge of the Windows file systems FAT and NTFS (Nelson, B., et al., 2008).
An investigator must look deeper into the autostart locations to find out whether the Luton SME issue was caused by the user, an intrusion or malware. According to Carvey, H. (2005), the best method of accessing the autostart locations is to use autorun tools.
4.6 Recovery
This is the process of explaining how deleted files and file fragments are recovered (Mohay, G., et al., 2003). The investigator must extract data from accessible sources, including deleted items, hidden files, or data that cannot be examined using the original operating system. The main purpose is to obtain all the data, whether or not it is needed for the investigation (EC-Council, 2010). In some cases it is possible to reconstruct data fragments to restore information. As a result, it may also provide a full data timeline and information that can be helpful in conducting the investigation.
4.7 Analysis
The investigator must interpret the recovered data and put it into logical order. At this phase of the investigation the collected data turns into evidence. Data extracted from the disk depending on the file system (unallocated file space, deleted files, active files, file slack) should be used to find the following information or metadata:
File size
File location
Date and time stamps
Directory structure
File names and attributes
File
Application
Time Frame
Data Hiding
Ownership
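An added example of the metadata collection this phase describes (not part of the original report): it walks a directory tree, captures each file's size, location, attributes and timestamps into a timeline, and flags files whose content signature does not match their extension, one common data-hiding indicator. The sample tree, its contents and its timestamps are constructed inline.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

# Content signatures used to check that a file is what its extension claims (constructed table).
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf", b"PK\x03\x04": "zip"}

def content_type(path):
    """Type implied by the first bytes of the file, or None if no signature matches."""
    with open(path, "rb") as f:
        head = f.read(8)
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), None)

def collect_metadata(root):
    """Walk `root` and record each file's location, size, attributes, timestamps and whether
    its content signature disagrees with its extension; rows come back sorted as a timeline."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks, which could point outside the tree
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            kind = content_type(path) if stat.S_ISREG(st.st_mode) else None
            rows.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mode": stat.filemode(st.st_mode),
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "hidden": name.startswith("."),
                # e.g. a PNG renamed to .txt: signature says png, extension says txt
                "type_mismatch": kind is not None and kind != {"jpeg": "jpg"}.get(ext, ext),
            })
    rows.sort(key=lambda r: r["modified"])
    return rows

def demo():
    """Constructed sample tree with fixed timestamps so the timeline order is deterministic."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "docs"))
    samples = [("old.txt", b"plain text", 1_600_000_000),
               ("docs/notes.txt", b"meeting notes", 1_600_000_100),
               ("photo.txt", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, 1_600_000_200)]
    for rel, content, ts in samples:
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (ts, ts))  # set access and modification times to the sample value
    return collect_metadata(root)
```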
taken place during the investigation, and make sure that it is accurate and reliable. The document should explain the entire process of collection and examination. According to the EC-Council (2010), the report must include:
Deleted and hidden files that helped the investigator support the findings
String and text string searches
Keyword searches
Cache files
E-mail
Chat logs
Data Analysis
Graphic image analysis
Conclusion
In conclusion, law enforcement has a model and the ACPO guide to follow, with consideration of all standard procedures and principles, whereas organisations are more security-focused and have no such framework or model for conducting forensic investigations. The CFA must follow the processes and procedures to fulfil the responsibilities of the CFA role within the NTU Department of Science and Technology. Furthermore, the model can help the CFA investigator to conduct an investigation and follow all the phases, which include authorisation, capture and handling, identification, imaging and collection, examination, recovery, analysis, documenting and reporting.
References
Ademu, I. (2013). A Comprehensive Digital Forensic Investigation Model and Guidelines for Establishing Admissible Digital Evidence. Master's thesis. University of East London.
Casey, E. and Schatz, B. (2011). Digital Evidence and Computer Crime. 3rd ed. Elsevier Inc., pp.187-224.
Carvey, H. (2005). Windows Forensics and Incident Recovery. Boston: Pearson Education.
Computer Forensics and Investigations as a Profession. (2011). Cengage, 4th ed., pp.1-28.
Jafri, F. and Satti, R. (2015). Comparative Analysis of Digital Forensics Models. Journal of Advances in Computer Networks, [online] 3(1), pp.1-5. Available at: http://www.jacn.net/vol3/146-C121.pdf [Accessed 7 Nov. 2017].
Mohay, G., Anderson, A., Collie, B., De Vel, O. and McKemmish, R. (2003). Computer and Intrusion Forensics. Boston-London: Artech House, pp.1-417.
Nelson, B., Phillips, A. and Steuart, C. (2004). Guide to Computer Forensics and Investigations. 3rd ed. Boston: Thomson Course Technology, pp.1-715.
Pladna, B. (2008). Computer Forensics Procedures, Tools and Digital Evidence Bags: What They Are and Who Should Use Them. East Carolina University, pp.1-15.
Reith, M., Carr, C. and Gunsch, G. (2002). An Examination of Digital Forensics Models. International Journal of Digital Evidence, [online] 1(3), pp.1-12. Available at: http://www.just.edu.jo/~Tawalbeh/nyit/incs712/digital_forensic.pdf [Accessed 25 Nov. 2017].
Rowlingson, R. (2014). A Ten Step Process for Forensic Readiness. International Journal of Digital Evidence, [online] 2(3), pp.1-28. Available at: http://file:///A:/Computer%20Forensics/10.1.1.65.6706.pdf [Accessed 31 Oct. 2017].