Hello, and welcome back to Computer Forensics Bootcamp. In this module, we're going to talk about the forensic methodology and investigations: the investigative process. The first thing we want to do is some case preparation. What case preparation is, is we're going to gather information before we even start up our computer. Before the start of our forensic examination, the first thing we do is try to define what type of case we are looking at. To do that, we're going to need to answer some basic questions. First and foremost, what is this case about? Is this a larceny case? Is this a robbery case? Is this an intellectual property theft? What type of case are we looking at? The next thing we're going to talk about is, what evidence can we expect to recover? What crime or violation do we think was committed, and what type of evidence do we expect to find on this particular computer that we're examining? The next question we may want to answer is where this evidence will most likely be located on the computer itself, within the file system. To do that, we're going to have to know a little bit about where computers store certain data by default, and we're going to talk about that throughout this course. The next thing we have to think about is what our legal restrictions are. Is there a limitation on the scope of our search warrant or on the scope of our search authority? Or is this a special case where we may be dealing with something that is proprietary property or privileged information? The next question we're going to want to answer is, who is involved in this and what is their role? Are they a suspect? Are they a victim? Are they a witness? These will help us determine what we're going to do and how we're going to formulate our search strategies. Commonly, there are four phases in the investigative process. We have our collection and storage, our preservation, our analysis and testing, and our reporting and testifying.
Criminal investigations. If you're doing a criminal investigation, this deals with offenses against the state. Somebody broke some sort of law, whether it's state, federal, or local. In these cases, a court must authorize the search warrant, and we must abide by the rules of evidence. We have to keep these in mind. I'm going to talk about legal issues throughout this course. Each investigative model is going to have to follow the procedures of its particular jurisdiction, its particular court system. A civil investigation. This covers a lot of things that are not covered by criminal law. It could be a violation of contract, it could be a civil lawsuit, it could be a custody dispute, a divorce, or any other type of civil case. Usually, with civil cases, there is a financial aspect. Nobody's going to go to jail or lose their freedom, but there is some type of financial aspect. Usually, the equipment and the data that can be inspected are going to be negotiated, and a long time may pass before these devices are seized. Civil investigations tend to be data-driven, and the extracted data, like I said, must be filtered by the court's requirements. You may have limitations on what you can examine and what you can look at. You may only be able to look at photos, or you may only be able to look at messages or documents. It depends on the type of case and what the court decides. Administrative investigations are usually fact-finding inquiries. These are cases where somebody broke a rule or a policy or a protocol. It's some type of professional misconduct. A lot of times we're talking about fraud audits, or somebody looking at something they're not supposed to be looking at on their company computer, or using it for something they're not supposed to be using it for. This is a generic model of on-scene flow that we would use when we're collecting evidence on a scene.
The first concern is going to be scene safety, and that's going to apply no matter what type of investigation you are doing. The next thing we want to think about when we're collecting evidence is that we want to isolate the evidence. If the evidence is connected to a network, the evidence could be altered or remotely wiped, so we want to get the evidence off the network. The next thing we want to do is document the scene. You want to take photographs, draw a diagram, do a video. But you want to show that scene as it was when you first arrived, before anybody moved anything. The next thing we're going to do is scan the scene and identify what could be evidence to us. Once we've identified our possible sources of evidence, we're going to collect them, we're going to do so in a proper manner, and we're going to document that collection. What I mean by that is you're going to document who found it, where they found it, and at what time. All these things are very important when it comes to authenticating the evidence later on in any type of court action. Now, these next three boxes you see in that reddish color are only going to apply if you have a forensic expert on scene, because if you don't, after documenting the collection, what's going to happen is people are going to pull the plugs from the back of the computers and package the evidence. But if you have a forensic person on scene, a forensic examiner, and you come across a running computer, the first thing you want to do is look and see if there's any type of destructive process running. The three things we want to look for are RAM, encryption, and destruction. I like to use the acronym RED. The R stands for RAM, and that's random access memory. Once the computer is shut off, that random access memory is gone, so we're going to lose all that data. The E in RED is encryption.
If you have an encrypted volume that is up and open in RAM and you shut the computer off, you may never be able to examine that volume, because encryption is going to kick in, and if you can't get back in, you will not be able to see what is on that encrypted volume. Then the D, destruction: if a destructive process is running, you want to immediately pull the plug from the back of the computer to stop that destructive process from running. If it's a laptop, make sure you take the battery out. If we do have an up and running computer, the first thing we want to do is collect RAM. If we have an encrypted volume up, we want to take a logical image of that volume, so at least we have that in case we cannot get back into that encrypted volume. Maybe the suspect won't give up the password, or there could be other reasons why we can't get back in. Again, with destructive processes, pull the plug. If you come across a computer that is off, and you have a forensic expert on the scene, and you suspect that there might be evidence on that computer, and the case is urgent, it could be a missing kid, it could be that you want to get enough evidence to make an arrest because you're afraid your suspect will flee, you might want to do an on-scene preview of that computer. The other issue is triage. If you come upon a scene where you have multiple devices, you don't just want to collect everything. You don't want to take 10 or 20 computers when only one or two may have evidence that's going to be relevant to your case. You might want to do some triage, so you don't have to collect everything. Once that is done, you would properly package the evidence. Package computers in plastic unless there is some liquid on the computer. It could be a body fluid, or it could just be some type of liquid; in that case, package the computer in paper. Then you're going to properly transport the evidence.
You want to package it so that it's secure and not going to be damaged during transport, and when you get the evidence back to your location, you're going to want to put that evidence in a secure room where access is limited. Forensic analysis preparation. Now that we've got our evidence back to our lab, we're going to examine it. The first thing we're going to do is review all the paperwork. What I mean by that is you want to read all the reports that were written. If there is a search warrant involved or a court order, you want to read that too. You want to make sure you understand where the scope of your authority comes from and what your scope is. You may have a limited search, and you want to make sure you understand that before you begin your analysis. You want to make a plan to examine the computer. Again, we talked about understanding what type of case you're investigating, what type of evidence you want to find, and where you think that evidence might be located. Again, confirm your search authority and scope. That is so important, because you may have a limited scope, and that may be one sentence in an entire search warrant, but if you miss that one sentence, you're going to be violating your search authority. Be aware of and plan for conflicts. What I mean by that is you may have a computer that came from an attorney's office, and that's going to be privileged information. You could have medical information that would be limited by HIPAA. You could have somebody who's a writer and has their proprietary information on there. You want to make sure you're aware of all the conflicts. You also want to be aware of what tools you have, what tools are available, and what tools you might need for this investigation, in case you have to obtain another tool. You're going to have to go back and refine your plan as needed as you progress through the investigation. This is a generic model for what happens at the lab.
When a detective or somebody brings a computer to you to examine, there's going to be some form of intake where you document who brought it to you and what date and time you received it. Then you're going to photograph the evidence and document it, noting any damage to that evidence before it came into your custody. You want to photograph and document the evidence. You're going to document the make, model, serial number, and any type of damage, and you're going to take photographs. You're going to preserve the evidence, and this usually involves some type of write blocking. You're not writing to the original evidence. Then you're going to create a bit-stream copy. You're going to image that drive. Once you're done with that, you're going to validate the copy: you're going to take one last hash and validate that you haven't made any changes to the original evidence, and then you're going to secure the original evidence in a place where access is controlled. When you're done with that, you're going to examine the copy of the evidence. We never work on the original evidence; we always work off of a copy. You're going to report your findings. You're going to have your report peer reviewed, you're going to have it looked at by another professional, and then you're going to present your findings. We have some special types of cases that you'll probably come across in the corporate world, like an intellectual property theft investigation. In this case, you want to always consider the suspect's computer a crime scene. That device should be considered a crime scene. You want to immediately preserve it. Do not access that device, and do not allow anybody else to access that device. You're going to want to take a look and see how the suspect may have exfiltrated data. We're looking at how the suspect got the data off the computer. Did he use a DVD or CD or USB device? Did he use that computer to transfer data to a home network?
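The lab steps just described, intake, bit-stream copy, and the "one last hash" validation, as an added worked example that is not part of the course material: the source is hashed as it is imaged, the finished image is hashed, and the source is hashed again afterward, so a mismatch anywhere shows either a bad copy or a change to the original. The record fields, case and item identifiers, and the sample evidence bytes are constructed for this example.

```python
import hashlib
import io
from dataclasses import dataclass

CHUNK = 1 << 20  # read 1 MiB at a time so a full drive image never has to sit in RAM

@dataclass
class AcquisitionRecord:
    case_id: str
    item_id: str
    examiner: str
    received_from: str
    received_at: str        # who handed it over and when, as documented at intake
    source_hash: str = ""   # hash of the source as it was read during imaging
    image_hash: str = ""    # hash of the finished bit-stream copy
    post_hash: str = ""     # hash of the source re-read after imaging

def sha256_stream(stream):
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()

def acquire(source, image, rec):
    """Bit-stream copy source -> image, hashing the source bytes as they are read (write blocker assumed)."""
    h = hashlib.sha256()
    for chunk in iter(lambda: source.read(CHUNK), b""):
        h.update(chunk)
        image.write(chunk)
    rec.source_hash = h.hexdigest()
    return rec.source_hash

def validate(source, image, rec):
    """The 'one last hash': the image must match the acquisition hash and the source must be unchanged."""
    source.seek(0)
    image.seek(0)
    rec.image_hash = sha256_stream(image)
    rec.post_hash = sha256_stream(source)
    return rec.source_hash == rec.image_hash == rec.post_hash

def demo():
    # constructed sample evidence; returns (clean_result, tampered_result, record)
    evidence = b"constructed sample drive contents " * 1000
    rec = AcquisitionRecord("CASE-0001", "ITEM-01", "examiner A", "Det. B", "2024-01-01T09:00Z")
    src, img = io.BytesIO(evidence), io.BytesIO()
    acquire(src, img, rec)
    clean = validate(src, img, rec)
    img.seek(0); img.write(b"X")  # simulate one altered byte in the working copy; validation must now fail
    tampered = validate(src, img, rec)
    return clean, tampered, rec
```

On a real acquisition the source stream is the write-blocked device and the image is the output file; the three hashes go into the intake paperwork alongside the make, model, and serial number.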
What type of activities was he doing? Was he negotiating a salary with another company, with a competitor? Was he selling proprietary information? Were there any mass deletions, or drive wiping, or programs that are meant to hide or destroy data? You want to take a look at all of that when you're investigating an intellectual property theft case. E-discovery cases, which would be another type of case you would come across in a corporate environment, are not the same as your ordinary examination. What you're doing in an e-discovery case is collecting information, and this may be in response to a lawsuit, a freedom of information request, or some other type of investigation. The types of data that you're going to be looking to collect are going to be emails, documents, presentations, databases, perhaps voicemails or some other type of media file; you're going to look at social media remnants that may be left on the computer, and websites. In e-discovery, you're going to be looking at metadata. It's focused on the metadata as opposed to collecting the data. How, when, and where was this document created? These are going to be more of a focus than the actual content. Then you must know where the data is. Where are you going to locate this data? Is it archived? A lot of companies use email archival systems. So you're going to have to understand where this data is, and you're going to be thinking about the document's metadata: when, how, and where it was collected. When you're doing an e-discovery project, you're going to have to scope it, and this is going to begin with a data mapping exercise. You're also going to have to identify the physical location of the data. The data may be on a server off-site, or the data may be in the cloud. You're going to have to understand all of those aspects when you're doing an e-discovery case. In the next module, we're going to download software and get our systems ready to start examining digital evidence.