...Evidence Collection Cases 1. In this case the first thing that first responders need to recognize is that the computer was on when the suspect was arrested, and there may be evidence that they need to collect right away. If data of apparent evidentiary value is in plain view onscreen, the first responder should seek out personnel who have experience and training in capturing and preserving volatile data before proceeding. First responders should also be alert to the crime scene environment. They should look out for pieces of paper with handwritten notes, passwords, usernames, and software and hardware manuals. These forms of evidence should also be documented and preserved in compliance with departmental policies. In this case the computer should also be checked for DNA so investigators can match the suspect's DNA to the arson crime scenes. Timeframe analysis can also be used to link any files of interest to the timeframes of the investigation. All these things can help link the suspect to the crimes, and in doing so can help tell the insurance company whether the claims are valid. 2. Case 4-4 (bomb threat) A list of what items should be included in an initial response field kit to ensure preservation of digital evidence. The initial response field kit should be lightweight and easy to transport. With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. * Small computer toolkit * Large-capacity drive *...
Words: 1243 - Pages: 5
...computer forensics Background of computer forensics: What is most worth remembering is that computer forensics is only one of many forensic subdivisions. It is not new and it is not a revolution. Computer forensics uses the same scientific methods as the other forensic subdivisions. So computer forensics is not a revolution in forensic science; it is simply an evolution of crime techniques and ideas. Forensic origins: The word forensic derives from a Latin word that generally means forum or discussion. In the reign of the Romans, anyone charged with a crime was presented before a public assembly. Both the complainant and the defendant presented their sides through their own speeches. The one who was able to explain his side with fervent delivery and argumentation typically won the case. It is important to realize that computer forensics is only one subdivision of forensic science. It is digital and it draws on advanced computer science, but it is still only a branch of forensic science, and its main goal is the application of proven scientific methods and strategies to recover any significant digital traces. Computer forensic timeline: 1970s • First crime cases involving computers, mainly financial fraud. 1980s • Financial investigators and courts realize that in some cases all the records and evidence exist only on computers. • Norton Utilities "Un-erase" tool created. • Association of Certified Fraud...
Words: 4790 - Pages: 20
...SCHOOL OF COMPUTING Bachelor of Computer Science / Bachelor of Software Engineering Forensic Computing Practice Assignment 2 Student declaration: I declare that: I understand what is meant by plagiarism; the implications of plagiarism have been explained to me by our lecturer; this assignment is my own work. Name ID 1) Nicholas Tan Tian Shen 0307878 Forensic Computing Practice Assignment 2 Due Date: Soft-copy submission on 10/11/14. Individual Assignment Question 1 a. What can a cloud provider do in terms of providing digital forensics data in the event of any legal dispute, civil or criminal case, cyber-attack, or data breach? A cloud provider needs to be able to provide the evidence by being forensically ready. To...
Words: 3104 - Pages: 13
...Architectures and Their Applications (IJNCAA) 2(1): 127-137 The Society of Digital Information and Wireless Communications, 2012 (ISSN: 2220-9085) Cyber Forensics: Computer Security and Incident Response Virginiah Sekgwathe (1), Mohammad Talib (2) (1) Directorate on Corruption and Economic Crime, Gaborone, BOTSWANA veesek@gmail.com (2) Department of Computer Science, University of Botswana, BOTSWANA talib@mopipi.ub.bw ABSTRACT The intensification of Information and Communications Technology usage in all facets of life greatly amplifies the incidence of information security policy breaches, cyber crimes, fraud, commercial crimes, cyber laundering, etc., and hence requires a well-developed approach to tackling these incidents in order to obtain legally defensible digital evidence. Since electronic evidence is fragile and can easily be modified, finding this data and collecting, preserving, and presenting it properly in a court of law is the real challenge. There is a need for semantic analysis to discover underlying security policy requirements and internal power structures, and for the institutionalization of anti-cyber-attack, anti-money-laundering and regulatory schemes. The first responders to cyber security incidents are more often than not an organization's ICT personnel, who are technically sound but may be deficient in investigative skill. The scientific standards of cyber forensics dictate the procedure, as they promote objectivity and a precise and well-documented...
Words: 5129 - Pages: 21
...SEC 402 WK 7 CASE STUDY 2 DEVELOPING THE FORENSICS http://www.activitymode.com/product/sec-402-wk-7-case-study-2-developing-the-forensics/ SEC 402 WK 7 Case Study 2 - Developing the Forensics, Continuity, Incident Management, and Security Training Write a five to seven (5-7) page paper in which you: 1. Consider that data security and policy assurance methods are important to the overall success of IT and corporate data security. a. Determine how defined roles of technology, people, and processes are necessary to ensure resource allocation for business continuity. b. Explain how computer security policies and data retention policies help maintain user expectations of the levels of business continuity that can be achieved. c. Determine how acceptable use policies, remote access policies, and email policies could help minimize any anti-forensics efforts. Give an example with your response. 2. Suggest at least two (2) models that could be used to ensure business continuity and ensure the integrity of corporate forensic efforts. Describe how these could be implemented. 3. Explain the essentials of defining a digital forensics process and provide two (2) examples of how a forensic recovery and analysis plan could assist in improving the Recovery Time Objective (RTO) as described in the first article. 4. Provide a step-by-step process that could...
Words: 1406 - Pages: 6
...U.S. Department of Justice Office of Justice Programs National Institute of Justice APR. 04 Special REPORT Forensic Examination of Digital Evidence: A Guide for Law Enforcement U.S. Department of Justice Office of Justice Programs 810 Seventh Street N.W. Washington, DC 20531 John Ashcroft Attorney General Deborah J. Daniels Assistant Attorney General Sarah V. Hart Director, National Institute of Justice This and other publications and products of the U.S. Department of Justice, Office of Justice Programs, National Institute of Justice can be found on the World Wide Web at the following site: Office of Justice Programs National Institute of Justice http://www.ojp.usdoj.gov/nij APR. 04 Forensic Examination of Digital Evidence: A Guide for Law Enforcement NCJ 199408 Sarah V. Hart Director This document is not intended to create, does not create, and may not be relied upon to create any rights, substantive or procedural, enforceable at law by any party in any matter civil or criminal. Opinions or points of view expressed in this document represent a consensus of the authors and do not represent the official position or policies of the U.S. Department of Justice. The products, manufacturers, and organizations discussed in this document are presented for informational purposes only and do not constitute product approval or endorsement by the U.S. Department of Justice. This document was prepared under Interagency Agreement #1999–IJ–R–094 between...
Words: 22743 - Pages: 91
...Case Study 3: Casey Anthony Trial In June of 2008, Cynthia Anthony reported her two-year-old granddaughter, Caylee Anthony, missing to the authorities of Orange County in Orlando, Florida. During questioning, Casey Anthony, the mother of Caylee Anthony, informed the authorities that her child had been abducted by her nanny and that she had been searching for her unsuccessfully for a month (Alvarez, 2011). Throughout the initial investigation, detectives found a number of inconsistencies in Casey Anthony's story which led them to suspect she had a role in Caylee's disappearance; this ultimately led to charges being brought against her (Alvarez, 2011). This report will give a brief description of the background, charges and trial of Casey Anthony in the death of her daughter. It will also analyze the digital forensic evidence associated with the prosecution's case. Investigation Details Casey Anthony stated to authorities that on the evening of June 9, 2008, after leaving work at Universal Studios, she arrived at her nanny Zenaida Fernandez's residence to find that both she and her daughter were gone. Casey Anthony informed detectives that she began a search of her own but was unable to locate her daughter (Alvarez, 2011). Upon further investigation, the detectives found that Casey Anthony's statements were false. There was no record of a Zenaida Fernandez occupying an apartment at the complex Anthony listed. Additionally, she was unemployed...
Words: 772 - Pages: 4
...value. One of the problems that will occur is a collision: two or more input texts that produce the same hash value. MD5 accepts input of any length and always produces a 128-bit hash value. That means the number of possible inputs is effectively infinite, while there are only 2^128 possible hash values, so there will be two or more input texts that share the same hash value. It turns out that MD5 has weaknesses that allow two files with the same hash value to be found in a short time. As for how SHA-1 works: the message is padded to make its length a multiple of 512 bits. If the original message is k bits long, just enough bits are added to bring the length to 64 bits short of a multiple of 512 (512-64=448), which is also described as congruent to 448 (mod 512). Then a 64-bit field stating the original message length is appended. Five 32-bit message-digest variables, namely a, b, c, d, e, are initialized. The message is divided into blocks of 512 bits, and each block is processed. The output of each block is then combined with the output of the next block, and from this the final output (digest) is obtained. 7....
Words: 811 - Pages: 4
...Computer Forensic Investigator's Role in Cases Abstract Today, more and more people are using their computers for everything, from communication, to online banking and investing, to shopping. As we do these things on a more regular basis, we open ourselves up to potential hackers and attackers. While some may be looking to phish your personal or proprietary information and identity for resale, others simply want to use your computer as a platform from which to attack other unknowing targets. The people responsible for computer security and digital forensic examination need to continually update their skills, tools and knowledge to stay abreast of today's fast-growing technology. In this day and age you can no longer just unplug a computer and leave it to be evaluated later at the lab. Information that is on computers is critical to the investigation of a case. Systems today can easily lose data just by being unplugged and turned off, making it hard to recover any evidence needed. Without policies and procedures, investigators would, first, not know this and, second, potentially destroy and corrupt any evidence admissible in court, and the whole unit would be lost and a total failure. That is why it is important that management establish guidelines and procedures. With technology continuing to change, constant revisions will be made to these documents, but ensuring they stay updated is most crucial of all. Computer forensic examiners and investigators have...
Words: 1408 - Pages: 6
...this research paper was to analyze three anti-forensic techniques for potential methods of mitigating their impact on a forensic investigation. Existing research in digital forensics and anti-forensics was used to determine how altered metadata, encryption, and deletion impact the three most prominent operating systems. The common file systems for these operating systems were analyzed to determine if file system analysis could be used to mitigate the impact of the associated anti-forensic technique. The countermeasures identified in this research can be used by investigators to reduce the impact of anti-forensic techniques on an investigation. Also, the results could be used as a basis for additional research. Under the right circumstances, file system analysis can be used to detect and mitigate the impact of the three methods of anti-forensics researched. Some areas of anti-forensics and file systems have been relatively well researched. However, continued research is necessary to keep pace with changes in file systems as well as anti-forensic techniques. Keywords: Cybersecurity, Albert Orbinati, Windows, Linux, Macintosh, file table. MITIGATING THE IMPACT OF ANTI-FORENSIC TECHNIQUES THROUGH FILE SYSTEM ANALYSIS by Gabriel A. Flynn A Capstone Project Submitted to the Faculty of Utica College August 2012 in Partial Fulfillment of the Requirements for the Degree of Master of Science Cybersecurity – Intelligence & Forensics © Copyright 2012 by Gabriel Flynn All Rights...
Words: 11835 - Pages: 48
...A digital forensics investigation is conducted after a significant security incident has been identified. The goal of a forensic investigation is to answer why, when, where, what and who through a meticulous scientific process of identifying, preserving, documenting and analyzing information extracted from digital evidence (Marcella & Menendez, 2008, Chapter 1). The following are examples of activities which may warrant a forensic investigation (Marcella & Menendez, 2008, Chapter 1):
* Fraud
* Hacking
* Embezzlement
* Compromise of a customer's electronic privacy data
* Peer-to-peer file sharing
* Leak or unauthorized disclosure of confidential information
* Theft of trade secrets or intellectual property
* Unlawful access to a computer
* Use of a company's information technology resources for personal gain
* Violation of acceptable use policies
* Launching denial of service attacks against a competitor
The Federal Rules of Civil Procedure (FRCP) e-discovery...
Words: 531 - Pages: 3
...International Journal of Digital Evidence Fall 2007, Volume 6, Issue 2 Computer Forensic Analysis in a Virtual Environment Derek Bem, Ewa Huebner, University of Western Sydney, Australia Abstract In this paper we discuss the potential role of virtual environments in the analysis phase of computer forensics investigations. General concepts of virtual environments and software tools are presented and discussed. Further, we identify the limitations of virtual environments, leading to the conclusion that this method cannot be considered a replacement for conventional techniques of computer evidence collection and analysis. We propose a new approach where two environments, conventional and virtual, are used independently. Further, we demonstrate that this approach can considerably shorten the time of the analysis phase of a computer forensics investigation and also allows for better utilisation of less qualified personnel. Keywords: Computer Forensics, Virtual Machine, computer evidence. Introduction In this paper we examine the application of the VMWare (VMWare, 2007) virtual environment in the analysis phase of a computer forensics investigation. We show that the environment created by VMWare differs considerably from the original computer system, and because of that VMWare by itself is very unlikely to produce court-admissible evidence. We propose a new approach where two environments, conventional and virtual, are used concurrently and independently. After the images...
Words: 3983 - Pages: 16
...COMPUTER FORENSICS OPERATIONAL MANUAL 1. Policy Name: Imaging Removable Hard Drives 2. Policy Number/Version: 1.0 3. Subject: Imaging and analysis of removable evidence hard drives. 4. Purpose: Document the procedure for imaging and analyzing different types of evidence hard drives removed from desktop or laptop computers. 5. Document Control: Approved By/Date: Revised Date/Revision Number: 6. Responsible Authority: The Quality Manager (or designee). 7. Related Standards/Statutes/References: A) ASCLD/LAB Legacy standards 1.4.2.5, 1.4.2.6, 1.4.2.7, 1.4.2.8, 1.4.2.11, and 1.4.2.12. B) ASCLD/LAB International Supplemental requirements: 3 (Terms and Definitions), 4.13.2.4, 5.4.1.1, 5.4.1.2, 5.4.2.1. C) ISO/IEC 17025:2005 clauses: 4.1.5 (a, f, g, h, and i), 4.2.1, 4.2.2 (d), 4.2.5, 4.3.1, 4.15.1, 5.3.2, 5.4.1, 5.4.4, 5.4.5.2, 5.4.7.2 (a - c), all of 5.5, all of 5.8, and 5.9.1 (a). 8. Scope: Imaging and examining different types of hard drives (SATA, SCSI, and IDE) removed from desktops and laptops. 9. Policy Statement: A) No analysis will be performed without legal authority (search warrant or consent form). If none is submitted, the examiner must contact the investigator to obtain the necessary legal authority. B) Forensic computers are not connected to the Internet. C) All forensic archives created and data recovered during examinations are considered evidence. D) Changes to this procedure can be made if approved by the Quality Manager, who will document the changes...
Words: 731 - Pages: 3
...Computer Forensics Investigator/Specialist Entry Level Position & pay: Forensic specialists work in a variety of places such as police departments, government agencies, prosecutors' offices, law firms, insurance companies, hospitals, and consulting firms. Starting salaries in the field can range as high as $100,000, but wages vary greatly by employer and specialty. Some entry level positions are evidence custodians, who acquire digital media, and forensic investigators or forensic consultants, who usually work on everyday investigations. Starting pay is around $45,000 a year on average and increases with experience. Working with law enforcement as a computer forensic investigator: Usually your education is paid for and you get immediate experience. The average salary is $58,000 a year. Working in the military has government benefits, but the salary is often less. Job Description: Computer forensic investigators assist individuals, businesses, and attorneys by finding and analyzing information. They connect clues to uncover facts about legal, financial, or personal matters. They investigate computer crimes such as identity theft, harassing e-mails, and illegal downloading of copyrighted material. They also recover deleted e-mails and documents. Computer forensic investigators can also be hired by individuals to prove or disprove infidelity. Example: At an insurance company, a new investigator will learn to recognize insurance fraud. At a firm that specializes...
Words: 607 - Pages: 3
...HOW DIGITAL FORENSICS WAS USED TO IDENTIFY RADER (Student's Name) (Professor's Name) (Course Title) (Date of Submission) Introduction Dennis Lynn Rader's case remains the longest-running case ever handled, taking almost 30 years. His case was opened when he handed in a computer floppy disk to the police. Careful forensics carried out on the floppy revealed a document that had been edited by someone by the name of Dennis on computers at the Christ Lutheran Church. This led to the physical location of the suspect. To nail down the suspect as the BTN killer, DNA tests were carried out on Rader's daughter, Kerri Rader, and they were found to match. Comparing this to the DNA tests from the murder cases, the BTN killer emerged to be Rader. This was enough evidence to convict Rader of 10 murders. Digital evidence uncovered from the floppy disk As soon as Rader sent the police a floppy containing a Microsoft Word document, the floppy was handed over to the computer forensic experts at the FBI for examination. Inside the floppy was a file called "Test A.RTF." The contents of the file read "This is a test. See 3x5 Card for details on communication with me in the newspaper." The message referred to the card that was inside the same box that held the floppy. The officers further recovered a Word document that had been deleted from the drive. Careful examination of the properties of the retrieved document showed that the document had been modified on February 10th 2005 and had...
Words: 724 - Pages: 3