
Module Code: Comp40571

Module Title: Computer Forensics


Module Leader: Dr John Haggerty

Computer Forensics Process for an Organisation

Submitted by

Fahad Niazi

Submission date: 8th of December 2017


1. Introduction
Computer forensics is the process of retrieving and examining digital information that can be
used as evidence in criminal, civil and organisational cases (Nelson, B., et al., 2008). Advances
in computer technology have led criminals to target computers for activities such as data theft,
pornography and the destruction of individuals' property. An understanding of the digital
forensic process and its procedures helps to gather information that may support a prosecution
of a criminal who has misused a computer or network. Identifying and using the right set of
tools and equipment is an essential part of a computer investigation. The evidence gathered,
referred to as "digital evidence", is "any form of data that supports a remarkable connection
between the criminal and victim" (Wang, 2007). Data can be obtained from a computer hard
disk or other storage media, and it is important to understand that there is a distinct difference
between computer forensics and data recovery. Data recovery is the process of recovering data
or information that was lost due to an unforeseen incident, where it is known what type of data
needs to be recovered. Computer forensics, on the other hand, is the process of recovering data
or information that has been intentionally hidden or deleted by a user and that might place that
user in a difficult situation. This report discusses digital investigations from an organisational
perspective and how they differ from digital investigations conducted by law enforcement. It
also highlights the role and expectations of the CFA (Computer Forensic Analyst) at the NTU
(Nottingham Trent University) department of science and technology. Finally, a detailed model
is presented for the digital investigation process to be used at the NTU department of science
and technology, which may help in conducting an investigation.

2. Digital Investigations in Law Enforcement and within an Organisation
Law enforcement agencies work under the government of a particular country, engage in
criminal investigations and prosecutions, and must operate within the law. For example, search
and seizure rules protect people's rights, including the rights of a person suspected of a crime,
so a digital investigator must follow the rules and the law. Organisations, on the other hand, do
not fall under criminal legislation; they follow organisational policies that govern the actions of
workers, users and staff members within the organisation. Organisations mainly deal with civil
proceedings, although a civil matter can turn into a criminal case, or vice versa. As such,
organisations do not have a framework or model to follow (Haggerty, 2016).
Law enforcement agencies follow the ACPO (Association of Chief Police Officers) good
practice guide for investigations, which helps an examiner to carry out an investigation in
accordance with all the rules and principles. The ACPO (2012) guidelines set out four
principles:
Principle 1: Data should not be changed or altered by law enforcement or their agents while
conducting the investigation, as the data may later be presented in court.
Principle 2: Where it is necessary for an investigator to access original data, a competent
investigator should handle the situation and must be able to give evidence explaining the
relevance and the implications of their actions.
Principle 3: A record of all the processes and procedures applied to the digital evidence should
be created and preserved, so that a third party is able to follow the same processes and
procedures and achieve the same results.
Principle 4: The investigator in charge of an investigation holds full responsibility for making
sure that all processes and procedures, the law and the ACPO principles are followed.

As a forensic investigator in law enforcement, one needs to understand the urban area, its
surroundings, the country and its legislation on offences in which the computer is directly the
target of the crime (Cengage, 2011). A computer forensic investigator needs to follow the
approved legal processes and procedures that may help to form a criminal case. A suspect is
often questioned about murder, robbery, etc. In a criminal investigation, an investigator needs a
search warrant in order to seize the media that might have been used in committing a crime.
"When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if
there is probable cause to believe that the item seized constitutes evidence of criminal activity"
(D. Nev. 1991). In contrast, a forensic investigator working on behalf of an organisation can
obtain search and seizure authorisation from top management or the head of the department.
According to Cengage (2011), in law enforcement a criminal investigation passes through three
phases.

Figure 1: Law enforcement mode of digital investigation (Complaint -> Investigation -> Prosecution).

In an organisation the investigation passes through the first two phases, and prosecution depends
on the situation and circumstances.

Figure 2: Organisational mode of digital investigation (Complaint -> Investigation -> Prosecution
depends on situation and circumstances).

Figure 1 and Figure 2 show that a law enforcement agency passes through three phases and ends
with prosecution, whereas in an organisation prosecution depends on top management or the
department, on the sensitivity of the case and on the cost. Furthermore, in law enforcement every
investigation is carried out on the basis of an allegation, looking for evidence that might support
the criminal allegation. In comparison, an organisational investigation is carried out on the basis
of an allegation of misuse of the company's assets, a breach of policy or of the company's
privacy, or a case that leads towards criminal activity.

2.2 Complaint
When an individual experiences an unlawful act or witnesses misconduct, the response leads to
a criminal case. From the law enforcement perspective, if an individual, whether a witness or a
victim, complains to the police that some misconduct has happened, this leads to an allegation
that a crime took place. A police officer then fills in a report and starts planning the
investigation. In an organisation, a security incident is reported to the computer forensic
investigator by the head of department, the system administrator or the person responsible for
the activity. The computer forensic investigator, with the help of the system administrator, then
starts an investigation.

2.3 Investigation
Organisational crimes are usually based on email harassment, corruption of data, gender equity,
race equity, fraud, damage to the organisation's assets, or passing confidential company secrets
or information to a competitor. An organisational investigation follows internal policies that
describe employee behaviour in the workplace and also address violations of company policy.
On the other hand, the common problems that law enforcement faces include identity theft,
drug trafficking, cyber stalking, hacking, credit card fraud, financial fraud, etc. According to
the EC-Council (2010), both within law enforcement and within an organisation the computer
forensic investigator follows the same digital forensic investigation process:

- Initial assessment
- Outline for the investigation
- Methodology
- Resources
- Collecting evidence
- Making sure to work on a copy of the disk evidence
- Identification of the risks involved
- Reducing the risks
- Reviewing the whole process
- Analysing the collected evidence data
- Data recovery
- Reporting
- Opinion based on experience (if needed)

2.4 Prosecution
Once the evidence data has been collected and analysed, the computer forensic investigator
needs to write a report. In this report the investigator has to describe the whole investigation
process and which standard procedures were followed. The findings can then be presented in a
court of law. In an organisational context, it is up to senior management or the department to
decide what steps need to be taken to address the incident. According to the EC-Council (2010),
organisations tend not to report computer related crime, with the result that criminal cases go
unreported. The reasons include:

- Underestimating the threat
- Fear of a bad reputation
- The probability of losing customers
- An attempt to resolve issues internally
- Unawareness of possible attacks and lack of knowledge
- Cost

3. Computer Forensic Analyst Responsibilities

- Ask for signed, authorised permission or a warrant from the relevant department in order to
conduct the investigation.
- Make proper use of processes and procedures.
- Know the limits within which the process of an investigation may be conducted.
- Use the relevant forensic tools.
- Apply appropriate, productive methodologies to achieve a productive outcome.
- Document evidence so that it can be used further in criminal trials if needed.
- Write and review the digital investigation reports.
- Inform the department about the techniques used in recovering data.
- Analyse the relevant evidence data.
- Give a presentation (if needed).

4. Proposed Model

Figure 3: Proposed model for the digital investigation process to be used within Nottingham Trent
University department of Science and Technology (Authorisation -> Capturing and Handling ->
Identification -> Imaging and Collection -> Examination -> Recovery -> Analysis -> Document and
Reporting).

4.1 Authorisation
Best practice for an investigator is to obtain written authorisation and instructions from the head
of department before conducting any investigation or gathering any digital evidence relating to
it. In cases where it is necessary to search a user's personal computer and related data without
the user's consent, it may be permissible to do so (Cengage, 2011).

4.2 Capturing and handling

According to the EC-Council (2010), at this point of the investigation the investigator should
not try to change the state of the computer or any equipment if the computer is switched off. All
equipment and the computer should be left exactly as found so that the investigator can
document and capture the evidence. If the computer is switched on, the investigator must think
before taking any action and must not switch the computer off, as doing so would lose the data
held in RAM (Random Access Memory). The investigator should photograph the visible screen
and document the running programs and applications. The investigator should also handle
storage devices, such as portable devices, as evidence.

4.3 Identification
According to Reith, Carr and Gunsch (2002), identification is the process of recognising unusual
circumstances from their signs and understanding the kind of incident. The investigator must
identify the security incident, and it is important to identify each source of digital evidence,
including the contents of hard drives, storage devices and log files, in order to search for pieces
of hidden information relevant to the inspection. It is also important for the investigator to
review all the available media and identify which items hold the relevant evidence.

4.4 Imaging and Collection

The investigator needs to make sure that the bit-stream image written to the copy disk is exactly
the same as the original hard disk. The investigator should therefore verify the copy of the
evidence to make sure that the data has not changed and retains its integrity; this is done by
hashing.

Creating a bit-stream image copy of the evidence and utilising the image

According to the EC-Council (2010), the investigator should make a bit-stream image file that
is an exact copy of the original evidence. First, an image file called evidence.img is created
using FTK Imager; this image file is stored in work folder\folder\subfolder and is copied to an
external device for forensic analysis.

- Go to My Computer and look for the evidence.img file in the folder\subfolder data files.
- Copy the evidence.img file from the data files to folder\subfolder on the disk.
- At the command prompt, enter cd \work folder\folder\subfolder and press Enter.
- Put the copy disk in the disk drive.
- Type image evidence.img a: and press Enter.
- Label the copy disk "Testing Copy".
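The hashing step described above, as an added example written for this report (it is not code from the report or from FTK Imager): a constructed byte string stands in for the original drive, it is imaged sector by sector to evidence.img in a temporary work folder, and the acquisition hashes of the original are compared with the verification hashes of the image so that even a single-byte change to the copy is detected.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512

# Constructed stand-in for the raw sectors of the original evidence drive.
# In a real acquisition this would be the block device behind a write blocker.
ORIGINAL_DISK = (b"NTFS    " + b"\x00" * 504
                 + b"Confidential: project plan" + b"\x00" * 200
                 + bytes(range(256)) * 4)


def bit_stream_image(source: bytes, dest_path: str) -> int:
    """Write an exact sector-by-sector copy of `source` to dest_path
    and return the number of bytes written (must equal len(source))."""
    written = 0
    with open(dest_path, "wb") as img:
        for offset in range(0, len(source), SECTOR_SIZE):
            chunk = source[offset:offset + SECTOR_SIZE]
            img.write(chunk)
            written += len(chunk)
    return written


def hash_bytes(data: bytes) -> dict:
    """Acquisition hashes of the original medium (MD5 and SHA-256)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path: str) -> dict:
    """Verification hashes of the image file, computed sector by sector so
    that a large image is never read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as img:
        for chunk in iter(lambda: img.read(SECTOR_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(original: bytes, image_path: str) -> bool:
    """True only if every hash of the image matches the acquisition hash.
    Any mismatch means the copy is not forensically sound and must be redone."""
    return hash_bytes(original) == hash_file(image_path)


def acquire_and_verify(tamper: bool = False) -> bool:
    """Image ORIGINAL_DISK to evidence.img in a temporary work folder and
    verify it. With tamper=True a single byte of the image is overwritten
    afterwards, simulating an accidental write to the copy."""
    work_folder = tempfile.mkdtemp()
    image_path = os.path.join(work_folder, "evidence.img")
    bit_stream_image(ORIGINAL_DISK, image_path)
    if tamper:
        with open(image_path, "r+b") as img:
            img.seek(600)
            img.write(b"X")
    return verify_image(ORIGINAL_DISK, image_path)


if __name__ == "__main__":
    print("clean image verified:", acquire_and_verify())         # True
    print("tampered image verified:", acquire_and_verify(True))  # False
```

Both hashes are recorded with the image so that anyone repeating the verification later (ACPO Principle 3) obtains the same result.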

During the collection process the investigator needs to know where the data is stored and what
type of relevant data is needed. It is therefore important to identify the relevant data first,
otherwise time is wasted. In the collection phase the investigator should follow an order of
volatility to make sure that the relevant data is gathered before it is lost. The investigator needs
to mark each item of evidence so that it can be identified later. There are two kinds of data to
collect:

- Volatile
- Non-volatile

4.4.1 Volatile Data
The investigator should focus on the collection of volatile data that contains useful information,
and while doing so should not shut down the system until the volatile data has been recorded.
Volatile memory is dynamic and must be recorded in real time. It can include:

- Running processes
- System time
- Command history
- Network connections

4.4.2 Non-volatile Data

According to the InfoSec Institute (2014), the investigator should also be attentive when
recovering non-volatile data, which includes:

- Event logs
- Registries
- Cookies
- Boot sectors
- Browser cache
- Firewall logs
- Antivirus logs
- Domain controller logs
- Web server logs
- Database logs
- IDS logs
- Application logs

4.5 Examining Evidence

In this phase the investigator must extract the data, then look into the information and make
sure it is available for the analysis process (Reith, Carr & Gunsch, 2002). The investigator
should consider these steps while examining the evidence:

- Preparation
- Extraction

4.5.1 Preparation
This step allows the investigator to prepare the working directories, using tools such as a write
blocker and FTK, and helps to recover or extract data and files.

4.5.2 Extraction
During the extraction process the investigator should keep in mind these two types of extraction:

4.5.2.1 Physical Extraction

The identification and recovery of data takes place across the whole physical hard disk, without
regard to the file system. It may also include:

- Keyword searching
- Empty space on the physical disk
- File carving
- Extraction of the partition table
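Two of the physical extraction techniques listed above, file carving and keyword searching, as an added example written for this report (not code from the report or from any of the cited sources): the raw image, the signature table and the embedded "files" are all constructed here, and the carver works purely on header and footer byte patterns, so it needs no file system and reports a header whose footer has been overwritten as truncated instead of carving garbage.

```python
import re

# File signatures (header, footer) used to carve files from raw sectors.
# Constructed, minimal table; a real carver carries many more signatures.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def build_sample_image() -> bytes:
    """Constructed raw image with no file system: two complete files and
    one truncated JPEG header sitting in otherwise empty space."""
    filler = b"\x00" * 300
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF payload: invoice scan" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR fake chunk" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"header only, footer overwritten"
    return (filler + jpg + filler + b"CONFIDENTIAL tender figures"
            + filler + png + filler + truncated + filler)


def carve(image: bytes, max_size: int = 1_000_000) -> list:
    """Recover files purely from header/footer signatures, ignoring any
    file system. A header with no footer within max_size bytes is
    reported as truncated rather than carved."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append({"type": kind, "offset": start, "size": None,
                              "truncated": True})
                start = image.find(header, start + len(header))
                continue
            end += len(footer)
            found.append({"type": kind, "offset": start, "size": end - start,
                          "truncated": False, "data": image[start:end]})
            start = image.find(header, end)
    return sorted(found, key=lambda f: f["offset"])


def keyword_search(image: bytes, keywords) -> dict:
    """Case-insensitive search over the whole physical image, so hits in
    unallocated space or slack are found as well as hits in live files."""
    hits = {}
    for kw in keywords:
        pattern = re.compile(re.escape(kw.encode()), re.IGNORECASE)
        hits[kw] = [m.start() for m in pattern.finditer(image)]
    return hits


if __name__ == "__main__":
    img = build_sample_image()
    for f in carve(img):
        print(f["type"], "at offset", f["offset"],
              "truncated" if f["truncated"] else f"{f['size']} bytes")
    print(keyword_search(img, ["confidential", "tender"]))
```

Every hit is reported by byte offset into the image, which is what the investigator records so that the finding can be located again and independently reproduced.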

4.5.2.2 Logical Extraction

Logical extraction helps to recover data and files located on the operating system, file system
and applications. According to the EC-Council (2010), based on the file system it may include
data from areas such as:

- Deleted files
- Active files
- Extraction of file slack
- Extraction of unallocated file space
- Recovery of deleted files

4.5.3 File Systems Examination
In the New Technology File System (NTFS), everything on the disk is treated as a file. The
Master File Table (MFT) holds information about all the files on the disk, and the MFT entries
also contain metadata. Metadata is data about data (Nelson, B., et al., 2008). NTFS allows an
alternate data stream to be attached to an existing file. According to the InfoSec Institute (2014),
data can be stored in an alternate data stream as follows:

    C:\>echo text_mess > file1.txt:file2.txt

To retrieve the hidden data, use the command:

    C:\>more < file1.txt:file2.txt

As an investigator, one must have in-depth knowledge of the Windows file systems FAT and
NTFS (Nelson, B., et al., 2008).

4.5.4 Windows Registry

The registry can be considered a log file because it holds data that can be recovered (Carvey, H.,
2005). The Windows registry is divided into "hives" such as:

- HKEY_CLASSES_ROOT: ensures that the required programs are executed.
- HKEY_CURRENT_USER: holds information about the currently logged-in user.
- HKEY_LOCAL_MACHINE: holds information about the system.
- HKEY_USERS: contains all the information about the users on a particular system.
- HKEY_CURRENT_CONFIG: shows and stores the current configuration of the system.

4.5.5 Autostart Locations

The investigator must look more deeply into the autostart locations to find out whether the
Luton SME issue was caused by the user, an intrusion or malware. According to Carvey, H.
(2005), the best way to access the autostart locations is to use the autorun tools.

4.6 Recovery
Recovery is the process of explaining how deleted files and file fragments are recovered
(Mohay, G., et al., 2003). The investigator must extract data from accessible sources, including
deleted items, hidden files or data that cannot be examined using the original operating system.
The main purpose is to obtain all the data, whether it is needed for the investigation or not (EC-
Council, 2010). In some cases it is possible to reconstruct data fragments to restore information.
As a result, recovery may also provide a full data timeline and information that can be helpful in
conducting the investigation.

4.7 Analysis
The investigator must interpret the recovered data and put it into a logical order. At this phase of
the investigation the collected data turns into evidence. Data extracted from the disk depending
on the file system (unallocated file space, deleted files, active files, file slack) should be used to
find the following information or metadata:

- File size
- File location
- Date and time stamps
- Directory structure
- File names and attributes

Some of the features of the data that can be analysed further are:

- File
- Application
- Time frame
- Data hiding
- Ownership

4.8 Documenting and Reporting

The vital responsibility of the investigator is to report the outcome of the analysis and the steps
taken in analysing the digital evidence. The investigator needs to document every step taken
during the investigation and make sure that the record is accurate and reliable. The document
should explain the entire process of collection and examination. According to the EC-Council
(2010), the report must include:

- Deleted and hidden files that helped the investigator to support the findings
- String and text string searches
- Keyword searches
- Cache files
- E-mail
- Chat logs
- Data analysis
- Graphic image analysis

Conclusion
In conclusion, law enforcement has a model and the ACPO guide to follow, with all standard
procedures and principles taken into account, whereas organisations are more security focused
and have no such framework or model for conducting a forensic investigation. The CFA must
follow the processes and procedures in order to fulfil the responsibilities of the CFA role within
the NTU department of science and technology. Furthermore, the proposed model can help the
CFA investigator to conduct an investigation and follow all of its phases: authorisation, capture
and handling, identification, imaging and collection, examination, recovery, analysis, and
documenting and reporting.

References
Ademu, I. (2013). A Comprehensive Digital Forensic Investigation Model and Guidelines for
Establishing Admissible Digital Evidence. Master's thesis. University of East London.

Casey, E. and Schatz, B. (2011). Digital Evidence and Computer Crime. 3rd ed. Elsevier Inc.,
pp. 187-224.

Carvey, H. (2005). Windows Forensics and Incident Recovery. Boston: Pearson Education.

Computer Forensics and Investigations as a Profession. (2011). Cengage, 4th ed., pp. 1-28.

Haggerty, J. (2016). Digital Forensics in the Organisation.

InfoSec Resources. (2013). Forensic Investigation on Windows Machines. [online] Available
at: http://resources.infosecinstitute.com/forensic-investigation-windows-machines/#gref
[Accessed 6 Nov. 2017].

InfoSec Resources. (2014). Computer Forensics Investigation – A Case Study. [online]
Available at: http://resources.infosecinstitute.com/computer-forensics-investigation-case-study/#gref
[Accessed 23 Nov. 2017].

InfoSec Resources. (2014). Computer Forensics Investigations. [online] Available at:
http://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/computer-forensics-investigations/#gref
[Accessed 6 Nov. 2017].

Investigation Procedures and Response. (n.d.). USA: EC-Council Press, pp. 1-171.

Jafri, F. and Satti, R. (2015). Comparative Analysis of Digital Forensics Models. Journal of
Advances in Computer Networks, [online] 3(1), pp. 1-5. Available at:
http://www.jacn.net/vol3/146-C121.pdf [Accessed 7 Nov. 2017].

Mohay, G., Anderson, A., Collie, B., De Vel, O. and McKemmish, R. (2003). Computer and
Intrusion Forensics. Boston-London: Artech House, pp. 1-417.

Nelson, B., Phillips, A. and Steuart, C. (2004). Guide to Computer Forensics and Investigations.
3rd ed. Boston: Thomson Course Technology, pp. 1-715.

Pladna, B. (2008). Computer Forensics Procedures, Tools and Digital Evidence Bags: What
They Are and Who Should Use Them. East Carolina University, pp. 1-15.

Reith, M., Carr, C. and Gunsch, G. (2002). An Examination of Digital Forensics Models.
International Journal of Digital Evidence, [online] 1(3), pp. 1-12. Available at:
http://www.just.edu.jo/~Tawalbeh/nyit/incs712/digital_forensic.pdf [Accessed 25 Nov. 2017].

Rowlingson, R. (2014). A Ten Step Process for Forensic Readiness. International Journal of
Digital Evidence, [online] 2(3), pp. 1-28. Available at:
http://file:///A:/Computer%20Forensics/10.1.1.65.6706.pdf [Accessed 31 Oct. 2017].

V, D. (2016). Collecting Volatile and Non-Volatile Data. [online] Available at:
https://www.linkedin.com/pulse/collecting-volatile-non-volatile-data-vuppala-dhanunjaya
[Accessed 5 Nov. 2017].

Wang, S. (2007). Measures of Retaining Digital Evidence to Prosecute Computer-Based
Cyber-Crimes. Computer Standards and Interfaces, pp. 216-223.
