Q1: Describe the environments where cyber forensics examinations are carried out and the range of offences and issues examined. The environments where cyber forensics examinations are carried out:
Public investigations: involve government agencies responsible for investigations and prosecutions.
Private investigations: corporate and individual. Private investigations are not conducted within the framework of criminal law; they usually involve litigation and disputes. Private investigations seek evidence to support allegations of abuse of an organisation's assets. On occasion the information gleaned may be used for intelligence, review or disciplinary purposes.
1- Public investigations: These organisations work within the framework of criminal law. Public investigations seek evidence to support allegations of criminal activity. They are granted search and seizure powers under the relevant criminal laws, which enable them to locate and capture devices suspected of being used in crimes, or used to facilitate crimes.
2- Private investigations: Most cyber forensic investigations in the corporate sector involve misuse of computing assets, often referred to as employee violation of company rules. They usually centre on email and Internet misuse by employees, and may also include: using company resources to produce a product for personal profit; excessive use of assets for personal use; posting malicious, threatening or disruptive emails; viewing, downloading and sending adult content; web-surfing, etc.
Q2:
Explain why chain of custody of the evidence plays a critical part in cyber forensic investigations.
To ensure that the extracted evidence was not contaminated: not altered during the process of its extraction, and not altered between the time of its extraction and its presentation in proceedings.
When identifying and capturing digital evidence there are some common pitfalls.
It is easy for an over-zealous investigator to unintentionally alter evidence when attending the scene. For example, the last accessed date/time may be unintentionally deleted or overwritten.
How would you preserve the digital evidence you have identified at the suspect's home you investigated in Assignment 1, to the highest professional standards?
Photograph the seized equipment (computer). Photograph the computer's serial number. Lift fingerprints. Keep sticky notes in a safe place.
Collect the volatile data: record the system date and time. Check for suspicious processes on the system and record them if any exist.
Unplug the network cable; best practice is to connect it to an empty hub or switch to prevent log messages about a down link. Keep a timeline recording all the steps. Record network connection details. Create a forensic image of the computer with a write blocker.
Keeping the evidence in a safe location.
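The recording steps above (system date/time, running processes, network connection details, each entered in a timeline), as an added example that is not part of the original assignment: a small Python live-response harness that runs each step, timestamps it, and hashes what it captured so any later alteration is detectable. The tool names (`date`, `ps`, `ss`) and the step list are assumptions; a missing tool is logged rather than skipped so the timeline stays complete.

```python
"""Volatile-data collection with a timestamped timeline and SHA-256 of each capture.
Added example; tool names and argument lists are assumptions."""
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone

# Assumed steps, in the order the answer lists them. A real kit would run
# trusted static binaries brought by the examiner, not the suspect host's own.
STEPS = [
    ("system_datetime", ["date", "-u"]),
    ("running_processes", ["ps", "-ef"]),
    ("network_connections", ["ss", "-tunap"]),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_step(name, argv):
    """Run one step; return a timeline entry carrying the hash of its output."""
    entry = {"step": name, "argv": argv,
             "started": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "status": None, "sha256": None, "output": b""}
    if shutil.which(argv[0]) is None:
        entry["status"] = "tool-missing"   # recorded, never silently skipped
        return entry
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=30)
        entry["status"] = f"exit={proc.returncode}"
        entry["output"] = proc.stdout
        entry["sha256"] = sha256_hex(proc.stdout)   # hash taken at acquisition time
    except (OSError, subprocess.SubprocessError) as exc:
        entry["status"] = f"error={type(exc).__name__}"
    return entry


def collect(steps=STEPS):
    """Run every step in order; the timeline is the record of what was done when."""
    return [run_step(name, argv) for name, argv in steps]


def verify(timeline):
    """Re-hash each captured output: any change since acquisition breaks custody."""
    return all(e["sha256"] is None or sha256_hex(e["output"]) == e["sha256"]
               for e in timeline)


def custody_record(timeline):
    """JSON lines for the case file: timeline and hashes without the raw output."""
    return "\n".join(json.dumps({k: v for k, v in e.items() if k != "output"})
                     for e in timeline)
```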
Q3:
Describe and explain live analysis and dead analysis of digital evidence. Discuss advantages and disadvantages of using each process to acquire AND preserve digital evidence located in your suspect's home. Live analysis:
A live analysis is one where the suspect operating system is still running and is being used to copy the data.
Advantages:
The goal of any live analysis is to extract and preserve the volatile data on a system while it is running, preserving the state of the system to the best extent possible.
Some disk editing programmes such as Norton Diskedit are able to capture the entire contents of RAM. Something else to consider is disk encryption software: if a live analysis is available, useful information may allow potential access to the encryption key/password.
Disadvantages:
With a live analysis there is a distinct risk of obtaining false and incomplete evidence because of software that may be untrustworthy and may hide or falsify data. Also, an attacker may have modified the operating system.
Dead analysis:
Dead analysis requires termination of all processes by turning the system off. Dead acquisition analysis is undertaken by running trusted applications in a trusted operating environment to find evidence. Following that, duplicate copies of the data may be made; write blockers may be used to prevent evidence from being overwritten.
Advantages:
Avoids any modification that could occur during a live acquisition, i.e. an attacker may have modified the operating system or other software to provide false data during the acquisition. Write blockers may be used to prevent evidence from being overwritten. Least chance of modifying data on disk.
Disadvantages:
Although there is less chance of modifying data on disk, live data is lost forever. Much data may be lost when this occurs, for example data that was stored on the clipboard, or malware that only exists in memory.
In many cases it may not be desirable or necessary to shut a system down as the first step. Volatile data may need to be collected before a suspect system is shut down, because once the system is shut down the volatile data is lost forever.
Q4: Define the terms inculpatory evidence AND exculpatory evidence as they relate to cyber forensic investigations.
- Inculpatory evidence: a legal term used to describe evidence that shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt.
- Exculpatory evidence: evidence favourable to the defendant in a criminal trial, which clears the accused of guilt.
The objectives, importance and benefits of developing alternative hypotheses when reconstructing a cyber crime. Alternative hypotheses help the investigator to see whether the investigation is being led correctly. The suspect may have been framed by someone, or the investigator may be on the wrong track. Thus having an alternative hypothesis will clear all doubts. The investigator may also find new suspects.
Provide examples of exculpatory evidence you found in the investigation you undertook of the crime scenes in completion of Assignment 1. The cyber forensic investigation was poorly conducted. A Trojan was planted. The OS differs from the OS at seizure. Pictures were edited using photo editing tools. Remote control software was installed on the suspect's PC. GPS files were modified.
Q5:
Describe the processes you used to validate evidence metadata in the crime scene you examined in Assignment 1.
By using ProDiscover software, which provides metadata information such as the creation, modification and accessed dates of a file.
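An added example that is not the original answer and is not ProDiscover: snapshotting a file's timestamps, size and hash at seizure so that a later snapshot can validate whether the metadata is still intact, and which fields moved if it is not. The evidence file is constructed in a temporary location; backdating it with `os.utime` is an assumption that makes the later change unambiguous, and the read the snapshot performs to hash the file is itself the kind of action that can move the last-accessed time (mount-option dependent), the pitfall noted under Q2.

```python
"""Validate file metadata: snapshot MAC times, size and SHA-256, then diff snapshots.
Added example on a constructed temporary file; not the assignment's own method."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def _iso(ns):
    return datetime.fromtimestamp(ns / 1e9, timezone.utc).isoformat(timespec="microseconds")


def snapshot(path):
    """Record what an examiner validates: timestamps, size and content hash.
    stat() is taken before the read so the hashing read cannot contaminate
    this snapshot's own atime; a following snapshot may still see it moved."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "atime": _iso(st.st_atime_ns),   # last access; mount options decide if it moves
        "mtime": _iso(st.st_mtime_ns),   # last content modification
        "ctime": _iso(st.st_ctime_ns),   # inode change on Unix, creation on Windows
        "size": st.st_size,
        "sha256": digest,
    }


def changed_fields(before, after):
    """Names of the fields that differ between two snapshots (empty = validated)."""
    return sorted(k for k in before if before[k] != after[k])


def demo():
    """Constructed evidence file: backdated, snapshotted, then altered."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"constructed evidence item\n")
        os.utime(path, ns=(0, 0))        # assumed known-old timestamps (1970) for clarity
        before = snapshot(path)          # the reference recorded at seizure
        with open(path, "ab") as fh:     # the kind of alteration validation must catch
            fh.write(b"appended after seizure\n")
        return changed_fields(before, snapshot(path))
    finally:
        os.unlink(path)
```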