
Chapter 3

STW109SE
Digital Forensics Fundamentals

Chapter 3: The Investigation Process


Lesson Objectives
 Digital Media
 The Roles of Digital Evidence
 Systematic approach to an investigation
 Policies and Guidelines
 The Investigation process and procedure
 Incident Response
 Digital Forensic Investigation Methodology
Chapter 3: Handling Digital Evidence
a) Identification
 Identify all the digital media at the crime scene.
 Digital media holds the digital evidence.
 Digital media can be a computer, mobile phone, digital camera,
biometric device, printer, scanner, iPod, laptop, etc.
Chapter 3: Handling Digital Evidence
b) Preserving and Securing the Digital Evidence
 Protect it from any sort of manipulation or accident. The best ways to do this are:
 Disk Imaging
A bit stream image is a copy that records every data bit that was recorded to the
original storage device.
 Hash Value
 Digital signatures should be used to make sure no changes have been made to
the file or storage device.
 Preserving the authenticity and integrity of the documents.
 Altering even the smallest bit of data will generate a completely new hash value.
 Hash functions like SHA or MD5 can be used.
 Chain of Custody
 As investigators collect media from their client and transfer it when needed, they
should document all transfers of media and evidence on Chain of Custody (CoC)
forms and capture signatures and dates upon media handoff.
 Secure it from any kind of environmental harm: magnetic fields, temperature,
unauthorized access, etc.
Chapter 3: Handling Digital Evidence
c) Collecting and Discovering the Digital Evidence
 Information can be in the form of a transaction, a document, or
some type of media such as audio or video.
 Transactions include financial transactions created during the
process of making a purchase, paying a bill, withdrawing cash, and
even writing a check.
 Documents can be hidden files, temp files, corrupted files, file
fragments, erased files, logs, cache, history, the Registry, events, etc.
Chapter 3: Handling Digital Evidence
d) Storing the Digital Evidence
 When securing digital evidence, consider how and on what type of media to
save it and what type of storage device is recommended to secure it.
 The media you use to store digital evidence usually depends on how long you
need to keep the evidence.

e) Documenting the Digital Evidence


Documentation is critical as it:
 allows officers to revisit the scene as often as necessary
 makes a permanent record of all actions taken and all evidence uncovered
 provides a pictorial representation of the appearance and position of
objects at the scene and supports the testimony of investigating officers
 protects officers against accusations that the provisions of ECPA were
violated.
Chapter 3: Digital Devices as Digital Evidence
Devices = unsleeping witnesses
 Devices monitor a great deal of what we do.
 Strong records about interactions, schedules, hobbies, etc.
 Witnesses !!!

For example: a person is missing.

Mobile phone – what can we find out?
Computer – what can we find out?
Chapter 3: Analogy of the Crime Scene
Closed System Vs. Open System

 Closed System
 Any system that has not been connected to the Internet.
 Controlled and known environment.
 Closed room – evidence maintained.
 Ability to identify the perimeter and every item belonging to it.
 Open System
 Any system that has been connected, at any point, to the Internet.
 Outdoor environment – evidence could be contaminated.
 More complex investigation process: what external influences were
involved, etc.
Chapter 3: Analogy of the Crime Scene
Locality of Offence

 Where does the digital crime take place?
 If an open system is involved, then establishing this could be difficult.
 We have to determine the place so we know what law to apply.

Witness

 Passive observer.
 No contact, but may be able to provide some details related to the
participants and the activity involved.
 Examples: network management devices, log management, etc.
Chapter 3: Analogy of the Crime Scene
Victim

 Target of the attack.
 Usually the target is a human being or a company using the victim device.

Guardian

 Routine Activity Theory – a crime can only happen when a motivated attacker
and a suitable victim are brought together in the absence of an appropriate
guardian.
 Digital devices can perform some guardian-related functions.
Chapter 3: Analogy of the Crime Scene
Tools

 Something that makes the activity easier.
 Not essential.
 A piece of software, a network of devices, etc.

Accomplice

 Participant who plays an important role in the activity.
 Impossible to carry out the act without them.
 Direct contact with the criminal.
 Result of a flaw or weakness in design.
Chapter 3: Investigation Guidelines
a) Protect the subject computer system during the forensic
examination from any possible alteration, damage, data
corruption, or virus introduction.
b) Discover all files on the subject system.
c) Recover all (or as much as possible) of the discovered deleted
files.
d) Reveal the contents of hidden files as well as temporary or
swap files used by both the application programs and the
operating system.
e) Access (if possible and legally appropriate) the contents of
protected or encrypted files.
Chapter 3: Investigation Guidelines
f) Analyze all possibly relevant data found in special (and
typically inaccessible) areas of the disk.
g) Print out an overall analysis of the subject computer
system, as well as a listing of all possibly relevant files and
discovered file data.
h) Provide an opinion of the system layout; the file structures
discovered, as well as discovered data and authorship
information; and anything else that has been discovered
and appears to be relevant to the overall computer system
examination.
i) Documentation and reporting.
j) Provide expert consultation and/or testimony, as required.
Chapter 3: Planning your Investigation
A basic investigation plan should include the following activities:

 acquire the evidence


 establish a chain of custody
 transport the evidence to a computer forensics lab
 secure evidence in an approved secure container
 prepare a forensics workstation
 make a forensic copy of the evidence
 process the copied evidence with computer forensics tools
 prepare the reports
Chapter 3: Incident Response
What is an incident?
Any activity that materializes a risk and may interrupt the desired
outcome of business processes.

A few examples of incidents are:

 Malicious code attack
 Unauthorized access to IT/IS resources
 Unauthorized utilization of services
 Unauthorized changes to systems, network devices or information
 Denial of service
 Misuse
 Surveillance and espionage
 Hoaxes/social engineering
 Data loss
 etc.
Chapter 3: Incident Response
How to identify an incident?
 Determine whether any unusual activity has occurred
 Determine whether any system or service has malfunctioned
 Determine if a crime has occurred
 Review the complaint
 Inspect the damage
 Interview witnesses
 Examine logs
 Identify investigation requirements
Chapter 3: Incident Response
Procedure for Handling an Incident
 Detection and Reporting
The ability to receive and review event information, incident reports, and alerts.
 Triage
The action taken to categorize, prioritize and assign events and incidents.
 Analysis
The attempt to determine what has happened, what the impact and threat are,
what damage has resulted, and what recovery or mitigation steps should be
followed.
 Incident response
The action taken to resolve or mitigate an incident, coordinate and
disseminate information, and implement follow-up strategies to prevent recurring
incidents.
Chapter 3: Incident Response
Incident Management Processes
Incident management is a key process that performs risk assessments
to determine the most likely types of incidents, and also outlines the policies
and procedures for the response team to follow.

 Prepare/improve/sustain (prepare)
 Protect infrastructure (protect)
 Detect events (detect)
 Triage events (triage)
 Respond
Chapter 3: Incident Response
 Prepare/improve/sustain (prepare)
Sub-processes in this process include:
 Coordinate planning and design
 Identify incident management requirements
 Establish vision and mission
 Obtain funding and sponsorship
 Develop implementation plan
 Coordinate implementation
 Develop policies, processes and plans
 Establish incident handling criteria
 Implement defined resources
 Evaluate incident management capability
 Conduct post-mortem review
 Determine incident management process changes
 Implement incident management process changes
Chapter 3: Incident Response
 Protect infrastructure (protect)

Sub-processes in this process include:

 Implement changes to the computing infrastructure to mitigate
ongoing or potential incidents.
 Implement infrastructure protection improvements from
post-mortem reviews or other process improvement
mechanisms.
 Evaluate the computing infrastructure by performing proactive
security assessment and evaluation.
 Provide input to the detect process on incidents/potential
incidents.
Chapter 3: Incident Response
 Detect events (detect)
Sub-processes in this process include:

 Proactive detection
 The detect process is conducted regularly, before an incident occurs.
 The Incident Management Team (IMT) monitors various information sources:
online/periodic vulnerability scanning, network monitoring, antivirus and
personal firewall alerts, commercial vulnerability alert services, risk analysis,
and security audits/assessments.

 Reactive detection
 The detect process is conducted when there are reports from system users or
other organizations.
 Users may notice unusual or suspicious activity and report it to the IMT.
 It is also possible that another organization's IMT provides advisories when
their systems have received malicious activity from your organization.
Chapter 3: Incident Response
 Triage events (triage)

 Categorization
 Correlation
 Prioritization
 Assignment
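The detection and triage steps of the "Procedure for Handling an Incident" slide, together with the four triage sub-steps listed above (categorization, correlation, prioritization, assignment), as an added Python example that is not part of the course slides. The log lines are constructed for the example; the failure threshold, the severity weights, the incident categories and the handler names are assumptions chosen for illustration, not values from the slides.

```python
"""Added example (not from the course slides): the detection and triage steps of the
incident-handling procedure run over constructed log lines. detect() turns raw lines
into events; triage() categorizes them by severity, correlates them by originating
source, prioritizes the resulting incidents and assigns each to a handler. The log
lines, the failure threshold, the severity weights and the handler names are assumptions."""
import re
from collections import defaultdict

# Constructed syslog-style lines: a password-guessing run that finally succeeds,
# an antivirus hit on a workstation, and one ordinary login that should stay quiet.
SAMPLE_LOG = """\
Mar 10 09:01:02 srv1 sshd[911]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 10 09:01:04 srv1 sshd[911]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 10 09:01:06 srv1 sshd[911]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 09:01:08 srv1 sshd[911]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 10 09:01:09 srv1 sshd[911]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 09:01:11 srv1 sshd[912]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Mar 10 09:05:00 ws7 clamd[300]: Found Trojan.Generic in /home/user/invoice.exe
Mar 10 09:07:30 srv2 sshd[950]: Accepted password for alice from 198.51.100.4 port 40000 ssh2
"""

PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
FAILED = re.compile(PREFIX + r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(PREFIX + r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<src>\S+)")
MALWARE = re.compile(PREFIX + r"clamd\[\d+\]: Found (?P<sig>\S+) in (?P<path>\S+)")

FAIL_THRESHOLD = 4  # assumed: this many failures from one source on one host is an event
SEVERITY = {"unauthorized access attempt": 2, "malicious code": 3, "unauthorized access": 4}
HANDLERS = {"unauthorized access attempt": "intrusion-handler",
            "unauthorized access": "intrusion-handler", "malicious code": "malware-handler"}

def _event(category, m, detail):
    src = m.groupdict().get("src") or m["host"]  # local alerts are keyed on the host
    return {"ts": m["ts"], "host": m["host"], "src": src, "category": category, "detail": detail}

def detect(log_text):
    """Detection: parse the lines and report events worth a ticket, in log order."""
    events, failures = [], defaultdict(int)
    for line in log_text.splitlines():
        if m := FAILED.match(line):
            key = (m["src"], m["host"])
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:  # report once, when the threshold is hit
                events.append(_event("unauthorized access attempt", m,
                                     f"{FAIL_THRESHOLD} failed logins for {m['user']}"))
        elif m := ACCEPTED.match(line):
            if failures[(m["src"], m["host"])] >= FAIL_THRESHOLD:
                events.append(_event("unauthorized access", m,
                                     f"{m['user']} logged in after repeated failures"))
        elif m := MALWARE.match(line):
            events.append(_event("malicious code", m, f"{m['sig']} in {m['path']}"))
    return events

def triage(events):
    """Triage: categorize (severity), correlate (group by source), prioritize, assign."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["src"]].append(ev)  # correlation key: the originating source
    incidents = []
    for src, evs in groups.items():
        categories = {ev["category"] for ev in evs}
        lead = max(categories, key=SEVERITY.get)
        priority = min(5, SEVERITY[lead] + (1 if len(evs) > 1 else 0))  # escalate chains
        incidents.append({"source": src, "priority": priority, "lead_category": lead,
                          "hosts": sorted({ev["host"] for ev in evs}),
                          "event_count": len(evs), "assigned_to": HANDLERS[lead]})
    return sorted(incidents, key=lambda inc: inc["priority"], reverse=True)

if __name__ == "__main__":
    for inc in triage(detect(SAMPLE_LOG)):
        print(inc)
```

Run as-is, the five failures followed by a successful root login from the same address become two correlated events and one priority-5 incident for the intrusion handler; the antivirus hit becomes a separate priority-3 incident for the malware handler; alice's ordinary login produces nothing. Correlating by source is what turns a pile of alerts into a single incident for the analysis step that follows.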
Chapter 3: Incident Response
 Respond
 Technical Response
 Appropriate for technical IMT members such as incident handlers and IT
representatives to analyze and resolve an incident. Technical response forms
may include the following:
 Collecting data for further analysis
 Analyzing incident supporting information such as log files
 Researching corresponding technical mitigation strategies and recovery
options.
 Phone or e-mail technical assistance
 Onsite assistance
 Analysis of logs
 Development and deployment of patches and workarounds
Chapter 3: Incident Response
 Respond
 Management Response
 Management response includes activities that require
supervisory or management intervention, notification,
interaction, escalation or approval as part of response to be
undertaken.
 This response is normally executed by business managers and
senior management and spread across business units.
Chapter 3: Incident Response
 Respond
 Legal Response
 Legal response is associated with activities that relate to
investigation, prosecution, liability, copyright and privacy issues,
laws, regulation and nondisclosure agreements.
 As this response may require in-depth knowledge of legal
matters, it is best done by the legal team in consultation
with senior management.
Chapter 3: Incident Response
Computer Security Incident Response Team (CSIRT) Overview

 CSIRTs are complex groups that are the first line of response when an
event is detected.
 These teams need to have a wide range of skill sets and follow the
Incident Management Process.
 Nepal has also formed a response team under the name NP CERT
(Computer Emergency Response Team) through the Department of
Information Technology (DoIT), Training, Research and
Development Section.
 The NP CERT Committee is under the supervision of the Director General of
DoIT for the design and implementation of the Nepalese CERT.
Chapter 3: Incident Response
The NP CERT Committee has been formed as follows:
The CERT Committee is responsible for addressing the legal mandates in the upcoming IT
Umbrella Act of Nepal, and also for the identification of IT infrastructure,
hardware and software as well as the security tools for the NPCERT.

 Director General - Department of Information Technology --- Coordinator


 Office of Prime Minister and Council of Ministries --- Member
 Ministry of Home Affairs --- Member
 Ministry of Communication and Information Technology --- Member
 Ministry of Law Justice and Parliamentary Affairs --- Member
 Nepal Rastra Bank --- Member
 Nepal Telecommunication Authority --- Member
 Nepal Army --- Member
 Nepal Police, Central Investigation Bureau --- Member
 Office of Controller of Certification --- Member
 IT Officer, Department of Information Technology, T, R&D Section --- Member
 Director, Department of Information Technology, T, R&D Section --- Member Secretary
Chapter 3: Incident Response
CERT related services provided by DoIT in line with NPCERT are:

 IT System Audit
 Website and Web application Audit
 Vulnerability Assessment and Penetration Testing
 Cyber Security Awareness and Training
 IT System Security specific training for building the capacity of team members
 Publish security alerts
 Perform analysis and forensic investigation of cyber incidents
 Respond to cyber security incidents
 Coordinate with global and local agencies on cyber crime
Chapter 3: First Responder
 The first responder is the person or team or committee to whom suspicions and
fears or requirements to produce evidence are first reported.
 In an incident, this is the individual who will make the initial diagnosis.
 Every member of the organisation should be clear about to whom reports should
be made. Those who receive such reports should have, among other things,
excellent diagnostic skills.
Chapter 3: Systematic Approach to Investigation

 Make an initial assessment about the type of case you are investigating
 Determine a preliminary design or approach to the case
 Determine the resources you need
 Obtain and copy an evidence disk drive
 Identify the risks and mitigate or minimise them
 Test the design
 Analyse and recover the digital evidence
 Investigate the data you recover
 Complete the case report and critique the case
Chapter 3: Digital forensic investigation methodology

1)Verification
2)System Description
3)Evidence Acquisition
4)Timeline Analysis
5)Media Analysis
6)String or Byte search
7)Data Recovery
8)Reporting Results
Chapter 3: Digital forensic investigation methodology

1) Verification
 VERIFY that an incident has taken place.
 What is the situation?
 What is the nature of the case and its specifics?
 These help determine the characteristics of the incident and
define the best approach to identify, preserve and collect evidence.
Chapter 3: Digital forensic investigation methodology
2) System Description
 Gather data about the specific incident.
 Take notes and describe the system you are going
to analyze.
 Where is the system being acquired?
 What is the system's role in the organization and in the
network?
 Outline the operating system and its general
configuration such as disk format, amount of RAM
and the location of the evidence.
Chapter 3: Digital forensic investigation methodology
3) Evidence Acquisition
 Identify the possible sources of data and make a copy.
 A bit stream image of a disk drive is a clone of the disk drive which copies
virtually everything on the drive, including sectors and clusters, which makes
it possible to retrieve files that were deleted from the drive.
 Acquire volatile and non-volatile data
 Volatile data changes over time; hence it should be acquired first.
 network connections
 login sessions
 running processes
 open files
 the contents of RAM
 Non-volatile data
 hard drives,
 flash drives, etc.
Chapter 3: Digital forensic investigation methodology
3) Evidence Acquisition
 Verify and preserve the integrity of the data
 Accuracy and consistency of data
 Prevents data alteration and modification.
 Generation of hash values of the data.
 Use of common algorithms like MD5, SHA, etc.
 Ensure the chain of custody
 Clearly describe how the evidence was found,
 how it was handled,
 who handled it,
 everything that happened to it.
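The imaging, hashing and chain-of-custody steps of this slide and of the earlier "Preserving and Securing the Digital Evidence" slide, carried through as an added Python example that is not part of the course material. An in-memory byte string stands in for the device (the same chunked loop works unchanged over a raw block device or image file opened read-only); the chunk size, the evidence id EV-001 and the examiner names are assumptions. MD5 is computed alongside SHA-256 only because many older forms still ask for it: MD5 collisions are practical, so SHA-256 is the value to rely on for integrity.

```python
"""Added example (not from the course slides): acquire a bit-stream image of a
constructed "device", verify the image with SHA-256 and MD5, show that a one-bit
change produces a completely different hash, and keep a chain-of-custody log whose
every handoff re-verifies the hash. The device is an in-memory byte string; the same
chunked loop works unchanged over an image file or a raw block device opened 'rb'."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 4096  # assumed block size: read in chunks so large images never sit in RAM

def hash_stream(stream, algorithms=("sha256", "md5")):
    """Return {algorithm: hexdigest} computed over every byte of the stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while block := stream.read(CHUNK):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def bitstream_image(source, dest):
    """Copy every byte, allocated or not, from source to dest; return bytes copied."""
    source.seek(0)
    copied = 0
    while block := source.read(CHUNK):
        dest.write(block)
        copied += len(block)
    dest.flush()
    return copied

def hex_bit_difference(a, b):
    """Number of differing bits between two hex digests (the avalanche effect)."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")

class ChainOfCustody:
    """Append-only handoff log. The receiver re-hashes the evidence at every transfer
    and the entry records whether it still matches the acquisition hashes."""

    def __init__(self, evidence_id, acquisition_hashes, acquired_by):
        self.evidence_id = evidence_id
        self.reference = acquisition_hashes
        self.entries = [self._entry(acquired_by, acquired_by, "acquired", True)]

    @staticmethod
    def _entry(from_person, to_person, action, verified):
        return {"time": datetime.now(timezone.utc).isoformat(), "from": from_person,
                "to": to_person, "action": action, "hash_verified": verified}

    def handoff(self, from_person, to_person, evidence_stream):
        """Record a transfer; returns True only if the evidence still hashes as acquired."""
        current = hash_stream(evidence_stream, tuple(self.reference))
        ok = current == self.reference
        self.entries.append(self._entry(from_person, to_person, "transfer", ok))
        return ok

# Constructed sample "device": a fake partition header, one live file, and slack
# space still holding part of a deleted file, which only a bit-stream copy preserves.
DEVICE_BYTES = (b"FAKE-PARTITION-HEADER" + b"\x00" * 200
                + b"invoice.txt: pay 1000 to account 42\n" + b"\x00" * 100
                + b"DELETED: fragment of an erased memo" + b"\x00" * 5000)

def acquire_and_verify(device_bytes=DEVICE_BYTES):
    """Image the device, hash source and image independently, and compare."""
    source, image = io.BytesIO(device_bytes), io.BytesIO()
    copied = bitstream_image(source, image)
    verified = hash_stream(source) == hash_stream(image)
    return {"bytes": copied, "match": verified, "hashes": hash_stream(image), "image": image}

def tamper_distance(image_bytes):
    """Flip one bit of one byte (here in slack space) and count changed SHA-256 bits."""
    tampered = bytearray(image_bytes)
    tampered[300] ^= 0x01
    return hex_bit_difference(hashlib.sha256(image_bytes).hexdigest(),
                              hashlib.sha256(bytes(tampered)).hexdigest())

if __name__ == "__main__":
    result = acquire_and_verify()
    print("imaged", result["bytes"], "bytes; source and image hashes match:", result["match"])
    for name, digest in result["hashes"].items():
        print(f"  {name}: {digest}")
    print("SHA-256 bits changed by a single-bit edit:",
          tamper_distance(result["image"].getvalue()), "of 256")
    coc = ChainOfCustody("EV-001", result["hashes"], "examiner A")  # assumed id/names
    print("handoff A -> B, hash verified:", coc.handoff("examiner A", "examiner B", result["image"]))
    for entry in coc.entries:
        print(" ", entry)
```

The point of hashing source and image separately, rather than trusting the copy loop, is that the two digests are what goes on the acquisition form; re-hashing at each handoff is what lets a later examiner show the evidence they received is the evidence that was acquired, and a mismatched entry in the log is itself a record that must be explained.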
Chapter 3: Digital forensic investigation methodology
4) Timeline Analysis
 The end goal of timeline analysis is to generate a
snapshot of the activity on the system including its
date, the artifact involved, the action and the source.
 It includes information such as when files were
identified, modified, accessed, changed and created.
 Tools like "SIFT Workstation" can be used for timeline
analysis.
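A minimal file-system timeline built from the modified/accessed/changed/created timestamps the slide names, as an added Python example that is not part of the course material and is not the output format of SIFT Workstation or any other tool. The file metadata is constructed for the example, and the MACB flag string and the window() helper are this example's own conventions.

```python
"""Added example (not from the course slides): build a simple file-system timeline
from constructed MACB timestamps (Modified, Accessed, Changed, Born/created), the way a
super-timeline tool on the SIFT Workstation does at far larger scale and across many
artifact types. Every event carries the date, the artifact, the action and the source."""
from datetime import datetime, timezone

# Constructed file metadata as an examiner might export it from an image:
# (path, modified, accessed, changed, created) in ISO-8601 UTC.
SAMPLE_FILES = [
    ("/home/user/Downloads/invoice.exe", "2024-03-10T09:04:55Z", "2024-03-10T09:05:01Z",
     "2024-03-10T09:04:55Z", "2024-03-10T09:04:55Z"),
    ("/home/user/.bash_history", "2024-03-10T09:06:10Z", "2024-03-10T09:06:10Z",
     "2024-03-10T09:06:10Z", "2023-12-01T08:00:00Z"),
    ("/etc/passwd", "2024-03-10T09:05:40Z", "2024-03-10T09:05:41Z",
     "2024-03-10T09:05:40Z", "2023-01-15T12:00:00Z"),
]

def parse_ts(text):
    """Parse the ISO-8601 'Z' form used in the sample records into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_timeline(files):
    """Expand each file into one event per timestamp and sort chronologically.
    Identical timestamps on one file merge into a single MACB-flagged event, e.g.
    'M.CB' means modified, changed and created at that instant but not accessed."""
    by_key = {}
    for path, m, a, c, b in files:
        for flag, ts in zip("MACB", (m, a, c, b)):
            by_key.setdefault((parse_ts(ts), path), set()).add(flag)
    timeline = []
    for (ts, path), flags in sorted(by_key.items()):
        macb = "".join(f if f in flags else "." for f in "MACB")
        timeline.append({"time": ts, "macb": macb, "artifact": path, "source": "FILE"})
    return timeline

def window(timeline, start, end):
    """Return the events inside [start, end]: pivoting on a known time narrows the view."""
    s, e = parse_ts(start), parse_ts(end)
    return [ev for ev in timeline if s <= ev["time"] <= e]

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_FILES)
    for ev in window(tl, "2024-03-10T09:00:00Z", "2024-03-10T09:10:00Z"):
        print(ev["time"].isoformat(), ev["macb"], ev["source"], ev["artifact"])
```

Narrowing to the ten-minute window around the download shows the sequence the slide is after: a file created and modified, accessed six seconds later, /etc/passwd modified shortly after, then shell history written. The timestamps alone do not prove what happened, but they tell the examiner which artifacts to look at next during media analysis.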
Chapter 3: Digital forensic investigation methodology
5) Media Analysis
 Refers to examining the various types of media and evaluating them for digital
forensic value.
• What programs were executed?
• Which files were downloaded?
• Which files were clicked on?
• Which directories were opened?
• Which files were deleted?
• Where did the user browse to?
 Things the investigator will be looking for are:
• evidence of account usage
• browser usage
• file downloads
• file opening/creation
• program execution
• USB key usage.
Chapter 3: Things to Consider: Accessing the Case
Physical Location
Safety is the foremost consideration for all first responders. When assessing a physical location, first
consider its physical address, its description, and the type of structure it is. After determining
the type of location, consider its size, scope, and other special characteristics.
Case Details
Systematically outline the case details:
situation; nature of the case; specifics of the case; type of evidence; operating system;
known disk format; location of evidence.
Based on the case details, determine the case requirements:
type of evidence; digital forensics tools; special operating system.
Forensic Toolbox
 Digital camera to capture live data on screens and the state of the scene.
 Forensically sound bootable CDs.
 Storage hard drives on which to place images, wiped and formatted.
 Extension cords, surge protectors, and uninterruptible power supplies (UPSs).
 Hub or switch and network cables for setting up a small network in the field.
 Pack power supply, IDE 80 wire, SCSI, SATA, USB and FireWire cables.
 Field logbook or notebook, pens, and pencils.
Chapter 3: Things to Consider: Accessing the Case
Search Authority
 Regardless of your response capacity, your actions must be authorised.
 All responders are bound to certain limits imposed by the authorising process. All first responders
must be fully aware of the limits of that search authority.
 The limits may be specified computers, specified types of files, specified user files, or types of
evidence.
Handling Evidence in the Scene
 Securing the Scene
 Recording the Scene
 Documenting the Scene
 Identifying the evidence
 Seizing the evidence
 Contemporaneous note taking
An essential feature of the forensic analysis process – the way you demonstrate the care and
integrity with which you have worked, and it enables others to follow precisely in your path. The
notes explain what you did and why.
Safe Working Environment
 A common feature of forensic tools is their potential to do harm.
Chapter 3: Things to Consider: Accessing the Case
Contemporaneous Notes
 Contemporaneous Notes are notes made at the time or shortly after
an event occurs.
 Contemporaneous notes are documentary evidence of what you did,
said, observed, or where you were.
 They can be handwritten notes, a typed document, logs/screenshots from
tools, emails, photographs/videos.
 They also assist others working in your team to know what actions you
took. This will avoid errors, duplication of work, or (worse) missing
steps that need to be undertaken.
 Contemporaneous notes will provide evidence and accountability of
your actions in the weeks, months, or even years after the fact.
Chapter 3: Things to Consider: Accessing the Case
Contemporaneous Notes
 The notes should include at least:
 All entries, photos or logs should have a date and time.
 Date/time you became involved in an investigation/incident.
 Where you are located (on-site, over the phone, remote access etc.).
 When you receive information; who provided this information.
 When you provided advice or a status update; to whom; and what information was provided.
 Steps you took when dealing with an incident or handling evidence.
 Meetings held; who was present at those meetings; critical decisions made at that meeting.
 If you provided verbal options or recommendations to a client or management (e.g. the scale
of a breach, what sensitive data was potentially infiltrated, illicit data identified, possible
containment or remediation steps); what were those options? Who did you provide them to?
 Did the client understand those options? What did they choose (or not choose) to do?
 When you received data/evidence/information and from whom.
 When you passed data/evidence/information to someone, or placed it somewhere.
 Success of a tool (e.g. hard disk successfully imaged).
 Failure of a tool (e.g. memory capture failure, script breaking, hard drive not readable).
 When you stopped working or made a shift change. Who did you transfer ownership to?
What information did you provide them?
Chapter 3: Things to Consider: Accessing the Case
Contemporaneous Notes
 Avoid:
 If you are handwriting notes, avoid erasing. Cross out what you wrote with a
single line, so it is still readable, write what you meant, then sign and date the
crossed-out section.
 No leaves to be torn out.
 No blank spaces to be left.
 No overwriting.
 No writing between lines.
 No separate pieces of paper.
 No writing in the margins.
 Follow the ELBOWS principle:
E – No Erasures
L – No Leaves are torn out
B – No Blank spaces
O – No Overwriting
W – No Writing in margins
S – Statements to be written in direct speech
 Maintain:
 The integrity or originality of the notes.
 Timeline.
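The ELBOWS rules above are written for a paper notebook; the same discipline has to be enforced on the typed notes and tool logs the earlier slide allows. The following is an added Python example, not part of the course material, of an append-only notes log: each entry carries the UTC time, author, location and action the "Contemporaneous Notes" slides ask for; a mistake is never erased but amended by a later entry that points back at it (the electronic equivalent of a single readable line through the text); and every entry's hash covers the previous entry's hash, so a later edit, deletion or reordering is detectable. The examiner names, the location text and the serial-number placeholder are constructed.

```python
"""Added example (not from the course slides): a typed contemporaneous-notes log that
applies the ELBOWS rules to electronic notes. Entries are append-only and carry the
UTC time, author, location and action; a correction never edits an entry, it is a new
entry that references the one it amends; and each entry's hash covers the previous
entry's hash, so any later edit, deletion or insertion breaks the chain."""
import hashlib
import json
from datetime import datetime, timezone

class NotesLog:
    def __init__(self, author, location):
        self.author, self.location = author, location
        self.entries = []

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    @staticmethod
    def _digest(entry):
        """SHA-256 over every field except the hash itself, in a canonical encoding."""
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, action, amends=None, when=None):
        """Append an entry; 'amends' names an earlier entry number instead of changing it.
        'when' lets a caller record a time explicitly; by default the current UTC time."""
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"no": len(self.entries) + 1, "time": when or self._now(),
                 "author": self.author, "location": self.location,
                 "action": action, "amends": amends, "prev": prev_hash}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["no"]

    def verify(self):
        """Return (ok, first_bad_entry_no). ok is False if any entry was altered,
        removed or re-ordered after it was written; None means the chain is intact."""
        prev = "0" * 64
        for expected_no, entry in enumerate(self.entries, start=1):
            if (entry["no"] != expected_no or entry["prev"] != prev
                    or entry["hash"] != self._digest(entry)):
                return False, expected_no
            prev = entry["hash"]
        return True, None

def demo():
    """Constructed sequence of notes from one shift, including one correction."""
    log = NotesLog("examiner A", "on-site, server room")  # constructed author/location
    log.add("Arrived on site; briefed by IT manager")
    n = log.add("Imaged laptop HDD, serial LAPTOP-SN-PLACEHOLDER; sha256 recorded on CoC form")
    log.add("Correction: the disk imaged was the desktop, not the laptop", amends=n)
    log.add("Shift change: evidence and notes handed to examiner B")
    return log

if __name__ == "__main__":
    log = demo()
    print("chain intact:", log.verify())
    log.entries[1]["action"] = "Imaged desktop HDD"   # a later silent edit of entry 2...
    print("after editing entry 2:", log.verify())      # ...is reported as (False, 2)
```

The chain detects changes after the fact; it does not stop them, so the log should also live somewhere the examiner cannot quietly replace it (a write-once store or a copy handed over at shift change, as the slide on handoffs describes). The correction entry is what makes the earlier mistake still readable, which is the whole point of the "no erasures" rule.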
Chapter 3: Things to Consider: Accessing the Case
A lot of Questions
 What type of evidence is believed to be present? Are you searching for bootleg software? Are you looking for
child pornography? Or a set of data in an embezzlement case?
 What will be the limit or scope of your search? Are you only authorised to search certain computers? Are you
authorised for specific files?
 Is the storage volatile or non-volatile?
 How many computers will be at the location? Are those computers expected to be running, or does company
policy dictate that they be turned off at night?
 What kinds of computers are present? Are they all new with 250GB drives in each machine, or are they older
machines with 20GB drives? What kind of operating systems are in use?
 Is any form of encryption employed?
 Are network connections, running processes, or volatile data important to the investigation? How are they
going to be preserved and acquired?
 Where are the proxy server, router, firewall, web server, and other critical system logs stored?
 Is a map available showing the network topology?
 Is a wireless network present? What is its type, scope, and other particulars?
 Will the network or specific machines have to be shut down?
 Will the computers be shut down if they are running? If so, at what point, how, and by whom?
 Who has the root or administrator passwords?
Chapter 3: Investigators Ethics
Codes of ethics should be backed by professional bodies that are prepared to investigate
allegations of breach and then punish infractions.

The British Computer Society’s (BCS) Code is for computer professionals in general and is divided
into four concerns: the Public Interest, Duty to Relevant Authority, Duty to the Profession, and
Professional Competence and Integrity.
• www.bcs.org/upload/pdf/conduct.pdf

The Council for the Registration of Forensic Practitioners (CRFP) has a code directed towards
