![Page 1: Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified](https://reader035.vdocuments.us/reader035/viewer/2022081518/5514dade550346b0478b545f/html5/thumbnails/1.jpg)
Practical Application of Computer Forensics
Lisa Outlaw, CISA, CISSP, ITIL Certified

Overview
• Definition of Computer Forensics
• Computer Forensics & IT Auditing
• Why We Need Computer Forensics
• The Process (Do’s & Don’ts)
  – Identification
  – Collection of Evidence
  – Required Documentation
  – Imaging
  – Examination
  – Report Preparation
  – Returning of Evidence

Definition of Computer Forensics
Computer forensics involves the:
• Identification
• Collection
• Preservation
• Examination, and
• Analysis of digital information
Digital Information becomes Digital Evidence

What is Digital Evidence?
Digital evidence is any information of value that is either stored or transmitted in a binary form, including digital audio, image, and video.

Computer Forensic Examination
The computer forensic examination is:
• Locating digital evidence
• Ensuring the evidence can withstand close scrutiny or a legal challenge.

Computer Forensics & IT Audit
• Incorporate computer forensic services
• Cases require computer forensics
• IT Auditors have:
  – authority
  – technical know-how

Reasons for Computer Forensic Services
• Inappropriate Use of State Systems
• Determining a Security Breach
• Detection of Disloyal Employees
• Evidence for Disputed Dismissals
• Malicious File Identification
• Theft of Information Assets
• Forgeries of Documents

The Process
(1) Identification
(2) Collection of Evidence
(3) Required Documentation
(4) Imaging
(5) Examination
(6) Report Preparation
(7) Returning of Evidence

Identification
IT AUDITOR’S ROLE (Forensic Specialist)
1. Determine if the reason for computer forensics is appropriate.
2. Identify where additional digital evidence may reside.
CLIENT’S ROLE (ex. State University)
1. Determine when to use Computer Forensic Services.
2. Identify where digital evidence may reside.

Collection of Evidence
• IT AUDITOR’S ROLE
  – Help the client secure the computer to be examined
  – Require and complete necessary forms
  – Securely collect the computer from the client
• CLIENT’S ROLE
  – Ensure that the computer to be examined remains secure until collected
  – Notify appropriate personnel
  – Complete the chain of custody form

Collection of Evidence – Do's & Don'ts
Do not disturb the computer in question.

Collection of Evidence – Do's & Don'ts (con’t)
If the computer is off, leave it off.

Collection of Evidence – Do's & Don'ts (con’t)
If the computer is on, leave it on.

Collection of Evidence – Do's & Don'ts (con’t)
Do not run any programs on the computer.

Collection of Evidence – Do's & Don'ts (con’t)
Do not make any changes.

Collection of Evidence – Do's & Don'ts (con’t)
Do not insert anything into the computer.

Collection of Evidence – Do's & Don'ts (con’t)
Secure the computer.

Required Documentation
• Computer Forensic Request Form
• Chain of Custody Form
• Signatures
• Disclosures and Disclaimers

Required Documentation

Required Documentation
IT Auditor’s Role:
• Assign a case number
• Assign a team
• Date & time when the device was secured
Client’s Role:
• Document date & time of request
• Name of requestor
• Date & time the client secured the device
• Agency name
• Name of the head of the agency

Required Documentation
IT Auditor’s Role:
• Document hard drive serial numbers
Client’s Role:
• Document the computer’s:
  – MAC address
  – Static IP address
  – Serial number
  – Make & model
• Reason for request
• Desired objectives

Approval From OSA ISA Director & Legal Counsel
We also obtain approval from both the ISA director and legal counsel before commencing computer forensic services.
This approval will be documented on the requisition forms and filed with the case evidence as well.

Required Documentation
IT Auditor’s Role:
• Sign and date the form
• Obtain Director and Legal Counsel approval
Client’s Role:
• Sign and date the form
• Obtain Agency Head approval

Additional Chain of Custody Form
Chain of Custody form continued on the reverse side of the computer forensic request form.
Device fields: Serial#, FAS, Make, Model
Transfer fields (for each "Relinquished By:" and "Received By:" entry): Signature, Print Name, Reason, Date, Time

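The chain of custody form only proves continuity if someone actually checks it. The script below is an added example, not part of the presentation and not the OSA's own form or tooling; it models one log record per hand-off with the fields the form lists (Serial#, FAS, Make, Model, and a Signature / Print Name / Reason / Date / Time pair for the relinquishing and receiving parties) and applies the checks a reviewer would make before relying on the log: the device identifiers never change, whoever received the device is the one who relinquishes it next, and hand-offs are in chronological order. All names and identifiers in the sample chain are constructed.

```python
"""Validate a chain-of-custody log built from the form's fields.

Added example; the record layout and the check rules are assumptions
modelled on the form fields listed in the presentation, not an official
OSA procedure. The "FAS" field is carried through exactly as the form
labels it.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Party:
    signature: str   # on the paper form this is the handwritten signature
    print_name: str
    reason: str
    date: str        # MM/DD/YYYY as written on the form
    time: str        # HH:MM, 24-hour

    def when(self):
        return datetime.strptime(f"{self.date} {self.time}", "%m/%d/%Y %H:%M")


@dataclass(frozen=True)
class Transfer:
    device_serial: str
    fas: str
    make: str
    model: str
    relinquished_by: Party
    received_by: Party


def check_chain(transfers):
    """Return the problems found; an empty list means the chain is intact."""
    problems = []
    if not transfers:
        return ["chain of custody is empty"]
    first = transfers[0]
    for i, t in enumerate(transfers, start=1):
        # the device identifiers must be identical on every line of the form
        if (t.device_serial, t.fas, t.make, t.model) != (
                first.device_serial, first.fas, first.make, first.model):
            problems.append(f"entry {i}: device identifiers differ from entry 1")
        for role, p in (("relinquished_by", t.relinquished_by),
                        ("received_by", t.received_by)):
            if not p.signature.strip() or not p.print_name.strip():
                problems.append(f"entry {i}: {role} is missing a signature or printed name")
        # receipt cannot precede the hand-over it belongs to
        if t.received_by.when() < t.relinquished_by.when():
            problems.append(f"entry {i}: received before relinquished")
        if i > 1:
            prev = transfers[i - 2]
            # the custodian who received the device must be the one handing it on
            if prev.received_by.print_name != t.relinquished_by.print_name:
                problems.append(f"entry {i}: relinquished by {t.relinquished_by.print_name!r} "
                                f"but entry {i - 1} was received by {prev.received_by.print_name!r}")
            if t.relinquished_by.when() < prev.received_by.when():
                problems.append(f"entry {i}: hand-off dated before the previous receipt")
    return problems


def sample_chain(tamper=False):
    """Constructed log for a fictional case; every value is made up."""
    dev = dict(device_serial="EXAMPLE-SERIAL-0001", fas="EXAMPLE-FAS-0001",
               make="Example Make", model="Example Model")
    t1 = Transfer(**dev,
                  relinquished_by=Party("(signed)", "Client IT Contact",
                                        "Released for forensic imaging", "04/01/2008", "09:15"),
                  received_by=Party("(signed)", "IT Auditor A",
                                    "Collected for imaging", "04/01/2008", "09:20"))
    # with tamper=True a different person hands the device on than received it
    t2 = Transfer(**dev,
                  relinquished_by=Party("(signed)", "IT Auditor B" if tamper else "IT Auditor A",
                                        "Transferred to lab", "04/01/2008", "13:00"),
                  received_by=Party("(signed)", "Lab Custodian",
                                    "Stored in evidence locker", "04/01/2008", "13:05"))
    return [t1, t2]


if __name__ == "__main__":
    for label, chain in (("intact", sample_chain()), ("broken", sample_chain(tamper=True))):
        print(label, check_chain(chain) or "no problems")
```

The continuity check on printed names is deliberately strict: a gap where the receiver of one entry is not the relinquisher of the next is exactly what opposing counsel looks for, so the script reports it rather than trying to guess who held the device in between.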
Why Are These Documents Necessary?
• Collect important information
• Legal aspects
• "Get out of jail free" card

Imaging
• IT AUDITOR’S ROLE
  – Determine where to perform the image:
    – Onsite
    – In the lab
• CLIENT’S ROLE
  – Escort our staff to physically collect the computer from the computer’s secure location.

Hardware Imaging
Imaging
Here are some of the procedures we use during imaging to ensure that evidence collected is clearly identified and preserved:

Scan Hardcopies
We scan all hardcopy forms to PDF, and this electronic copy is kept with the images of the evidence.

Tag Evidence
We manually tag all evidence items with an assigned case number using the following naming convention:
Case Number and Hard Drive Serial Number (Ex., 01-2008-04-Agency Name – HDD Serial#)

Connect Suspect Drive to Write Blocker

Connect Write Blocker to the suspect’s hard drive

Imaging Regular Hard Drive
To image a regular sized hard drive, implement the following procedures:
• Request the client to purchase a storage device.
  – Reduces cost
  – Ensure enough space is available to process the evidence.
  – Easy transfer of images to client

Storage Device

Organize Evidence Information
Create the following folders on the destination drive for every case:
Case Name-Evidence Item Number (Folder)
1. Evidence (sub-folder)
   1. HDD1 (sub-folder)
   2. HDD2 (sub-folder)
2. Export (sub-folder)
3. Temp (sub-folder)
4. Index (sub-folder)
5. Drive Geometry (sub-folder)
6. Report (sub-folder)
7. Case Back-up (sub-folder)
Place all images produced in the Evidence folder.

Use FTK Imager
Create the image using FTK Imager.
Through experience, we have found this to be one of the easiest and most portable software tools for creating images. Also, this image can be used in both FTK and EnCase.

Image Physical Drive
Always image the physical drive.

Imaging A RAID Server
Redundant Array of Inexpensive Disks
Have the systems administrator help you review the RAID information. You need to gather the following information:
• Stripe size
• Element order (disk order)
• Element size, and whether it is a RAID 1, 5, etc.
• Right hand, left hand, forward, back, or dynamic disk.

Imaging A RAID Server (con’t)
RAID Reconstructor

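The two RAID slides above ask for stripe size, disk order, RAID level and the parity rotation because each one changes where a logical block physically lives. The script below is an added example, not part of the presentation and not RAID Reconstructor's code: it reassembles a RAID 0 or RAID 5 volume from per-member images and shows that a wrong stripe size or rotation yields garbage, while a single missing RAID 5 member can be rebuilt from parity. Mapping the slide's "right hand / left hand / forward / back" wording onto the left/right parity rotation and symmetric/asymmetric data-order names used here is an assumption; the member images are constructed byte strings, not real disk images.

```python
"""Reassemble a RAID 0 / RAID 5 volume from per-member disk images.

Added example. Layout terminology (left/right rotation, symmetric/asymmetric
data order) is assumed to correspond to the slide's right hand / left hand /
forward / back wording; member images here are constructed test data.
"""
from functools import reduce


def parity_disk(row, n, rotation):
    """Member holding parity for stripe row `row` of an n-member RAID 5.
    'left': parity starts on the last member and moves toward member 0;
    'right': parity starts on member 0 and moves toward the last member."""
    return (n - 1 - row) % n if rotation == "left" else row % n


def row_layout(row, n, level, rotation, symmetric):
    """Return (member order holding data chunks 0..k, parity member) for one row."""
    if level == 0:
        return list(range(n)), None
    p = parity_disk(row, n, rotation)
    if symmetric:
        # data begins on the member after the parity member and wraps around
        return [(p + 1 + k) % n for k in range(n - 1)], p
    # asymmetric: data fills members in array order, skipping the parity member
    return [d for d in range(n) if d != p], p


def xor_chunks(chunks):
    """XOR equal-length byte strings together (RAID 5 parity)."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), chunks)


def reassemble(members, stripe_size, level=5, rotation="left", symmetric=True):
    """Rebuild the logical volume. `members` lists the member images in array
    (element) order; for RAID 5 at most one entry may be None (a lost member)."""
    n = len(members)
    size = next(len(m) for m in members if m is not None)
    out = bytearray()
    for row in range(size // stripe_size):
        lo, hi = row * stripe_size, (row + 1) * stripe_size
        order, _parity = row_layout(row, n, level, rotation, symmetric)
        chunk = [m[lo:hi] if m is not None else None for m in members]
        missing = [d for d in range(n) if chunk[d] is None]
        if missing:
            if level != 5 or len(missing) > 1:
                raise ValueError("cannot rebuild: too many missing members")
            # XOR of every surviving chunk (data and parity) restores the lost one
            chunk[missing[0]] = xor_chunks([c for c in chunk if c is not None])
        for d in order:
            out += chunk[d]
    return bytes(out)


def stripe(volume, n, stripe_size, level=5, rotation="left", symmetric=True):
    """Inverse of reassemble(); used here only to construct member images."""
    per_row = n if level == 0 else n - 1
    row_bytes = per_row * stripe_size
    if len(volume) % row_bytes:
        raise ValueError("volume must be a whole number of stripe rows")
    members = [bytearray() for _ in range(n)]
    for row in range(len(volume) // row_bytes):
        base = row * row_bytes
        chunks = [volume[base + k * stripe_size: base + (k + 1) * stripe_size]
                  for k in range(per_row)]
        order, p = row_layout(row, n, level, rotation, symmetric)
        for k, d in enumerate(order):
            members[d] += chunks[k]
        if p is not None:
            members[p] += xor_chunks(chunks)
    return [bytes(m) for m in members]


def demo():
    """Constructed 1536-byte volume on four members with 64-byte stripes."""
    volume = bytes(range(256)) * 6
    members = stripe(volume, 4, 64, 5, "left", True)
    intact = reassemble(members, 64, 5, "left", True) == volume
    degraded = reassemble([members[0], None, members[2], members[3]], 64, 5, "left", True) == volume
    wrong_rotation = reassemble(members, 64, 5, "right", True) == volume
    wrong_stripe = reassemble(members, 32, 5, "left", True) == volume
    return intact, degraded, wrong_rotation, wrong_stripe


if __name__ == "__main__":
    print("intact, degraded, wrong rotation, wrong stripe size:", demo())
```

The degraded case is the practical reason to image every member physically rather than only the ones that still mount: with the parameters recorded correctly, one failed disk does not cost the evidence. RAID 1 needs no destriping, since each member is a full copy.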
Examination/Analysis
• Remove the hard drive from the write block device.
• Reassemble the computer.
• Ensure evidence remains tagged.

Examination/Analysis (con’t)
FTK

Examination/Analysis (con’t)
FTK can take a few days to process your image.
During this time, we return to our normal audit work.

Examination/Analysis (con’t)
• Run keyword searches
  – Obtain from client
• Review corroborating evidence
  – Emails
  – Surveillance video
  – DVDs & CDs

Examination/Analysis (con’t)
EnCase

Examination/Analysis (con’t)
Do not answer or provide additional information to agency personnel.
Agency personnel can accidentally leak information.

Forensic Report
The IT Auditor will issue a report to appropriate personnel once the examination is completed.

If court action is anticipated, inform the Agency Head to preserve the original evidence if possible.
If the original evidence cannot be preserved, the NC Court Rules of Evidence allow for the image to be admitted as evidence.

Questions?