D431 Coursebook Resource[30].docx
School: Western Governors University
Course: D431
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 24
Uploaded by LieutenantFire12897
Helpful Information from the textbook for C840 OA
Digital Forensics, Investigation, and Response by Chuck Easttom
Types of Digital System Forensics Analysis
Disk forensics is the process of acquiring and analyzing information stored on physical storage media, such as computer hard drives, smartphones, GPS systems, and removable media. Disk forensics includes both the recovery of hidden and deleted information and the process of identifying who created a file or message.
Email forensics is the study of the source and content of email as evidence. Email forensics includes the process of identifying the sender, recipient, date, time, and origination location of an email message. You can use email forensics to identify harassment, discrimination, or unauthorized activities. There is also a body of laws that deal with retention and storage of emails that are specific to certain fields, such as financial and medical.
Network forensics is the process of examining network traffic, including transaction logs and real-time monitoring using sniffers and tracing.
Internet forensics is the process of piecing together where and when a user has been on the internet. For example, you can use internet forensics to determine whether inappropriate internet content access and downloading were accidental.
Software forensics, also known as malware forensics, is the process of examining malicious computer code.
Live system forensics is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse. Each of these types of forensic analysis requires specialized skills and training.
Cell-phone forensics is the process of searching the contents of cell phones. A few years ago, this was just not a big issue, but with the ubiquitous nature of cell phones today, cell-phone forensics is a very important topic. A cell phone can be a treasure trove of evidence. Modern cell phones are essentially computers with processors, memory, even hard drives and operating systems, and they operate on networks. Phone forensics also includes VoIP and traditional phones and may overlap the Foreign Intelligence Surveillance Act of 1978 (FISA), the USA PATRIOT Act, and the Communications Assistance for Law Enforcement Act (CALEA) in the United States.
General Guidelines
Later in this chapter, you will read about specific federal guidelines, but you should keep a few general principles in mind when doing any forensic work, as discussed in the following sections.
Chain of Custody
This is the most important principle in any forensic effort, digital or nondigital. The chain of physical custody must be maintained. From the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court, the whereabouts and custody of the evidence, and how it was handled and stored and by whom, must be able to be shown at all times. Failure to maintain the proper chain of custody can lead to evidence being excluded from trial.
Don’t Touch the Suspect Drive
One very important principle is to touch the system as little as possible. It is possible to make changes to the system in the process of examining it, which is very undesirable. Obviously, you have to interact with the system to investigate it. The answer is to make a forensic copy and work with that copy. You can make a forensic copy with most major forensic tools such as AccessData’s Forensic Toolkit, Guidance Software’s EnCase, or PassMark’s OSForensics. There are also open source software products that allow copying of original source information. To be specific, make a copy and analyze the copy.
There are times when you will need to interact directly with live evidence. For example, when a computer is first discovered, you will want to do an initial analysis to determine running processes and connections before you make an image. You may also need to perform live forensics in certain situations such as some cloud computing environments. We will discuss these as we encounter them in this book.
Document Trail
The next issue is documentation. The rule is that you document everything. Who was present when the device was seized? What was connected to the device or showing on the screen when you seized it? What specific tools and techniques did you use? Who had access to the evidence from the time of seizure until the time of trial? All of this must be documented. And when in doubt, err on the side of over-documentation. It really is not possible to document too much information about an investigation.
Secure the Evidence
It is absolutely critical to the integrity of your investigation as well as to maintaining the chain of custody that you secure the evidence. It is common to have the forensic lab be a locked room with access given only to those who must enter. Then, evidence is usually secured in a safe, with access given out only on a need-to-know basis. You have to take every reasonable precaution to ensure that no one can tamper with the evidence.
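The three guidelines above (work on a copy, document everything, keep the chain of custody provable) are usually tied together by hashing: the original is hashed once at seizure, the working copy is hashed to show it is identical, and every handling step is logged with the hash at that moment. The following is an added illustration of that record-keeping, not code from the textbook or the course; the evidence bytes, examiner names and evidence ID are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash of the evidence bytes; equal hashes show a copy is identical to the original."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str   # UTC, ISO 8601: when the evidence was handled
    handler: str     # who handled it
    action: str      # what was done (seized, copied, examined, ...)
    sha256: str      # hash of the evidence as it was at that moment


@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    original_sha256: str                     # taken once, before any examination
    custody_log: list = field(default_factory=list)

    def log(self, handler: str, action: str, data: bytes) -> CustodyEntry:
        """Append one chain-of-custody entry, recording the hash at handling time."""
        entry = CustodyEntry(datetime.now(timezone.utc).isoformat(), handler, action, sha256_hex(data))
        self.custody_log.append(entry)
        return entry

    def matches_original(self, data: bytes) -> bool:
        """True if these bytes are still identical to what was seized."""
        return sha256_hex(data) == self.original_sha256

    def first_break(self):
        """Index of the first log entry whose hash differs from the seizure hash, or None."""
        for i, entry in enumerate(self.custody_log):
            if entry.sha256 != self.original_sha256:
                return i
        return None


def acquire(evidence_id: str, description: str, original: bytes, handler: str):
    """Seize the original, hash it once, and hand back a verified working copy for analysis."""
    record = EvidenceRecord(evidence_id, description, sha256_hex(original))
    record.log(handler, "seized; hash taken before any examination", original)
    working_copy = bytes(original)  # analysis is done on this copy, never on the original
    record.log(handler, "forensic copy created and hash verified against original", working_copy)
    return record, working_copy


# Constructed sample "drive" contents for the example; not real evidence.
SAMPLE_DRIVE = b"MBR\x00" + b"user@example.invalid: meeting notes 2023-12-06" * 4


def demo():
    """Walk the record through a clean examination and then a modified copy."""
    record, copy = acquire("EX-001", "constructed sample drive image", SAMPLE_DRIVE, "Examiner A")
    record.log("Examiner B", "examined working copy", copy)
    tampered = copy[:10] + bytes([copy[10] ^ 0xFF]) + copy[11:]   # one byte changed
    record.log("Examiner B", "copy re-hashed after suspected modification", tampered)
    return record.matches_original(copy), record.matches_original(tampered), record.first_break()
```

Any entry whose hash no longer matches the seizure hash marks the point in the log where the copy stopped being a faithful image, which is exactly the gap a court will ask about.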
Daubert standard:
Standard used by a trial judge to make a preliminary assessment of whether an expert’s scientific testimony is based on reasoning or methodology that is scientifically valid and can properly be applied to the facts at issue. Under this standard, the factors that may be considered in determining whether the methodology is valid are: (1) whether the theory or technique in question can be and has been tested; (2) whether it has been subjected to peer review and publication; (3) its known or potential error rate; (4) the existence and maintenance of standards controlling its operation; and (5) whether it has attracted widespread acceptance within a relevant scientific community.
What this means, in layman’s terms, is that any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community. For a computer forensics investigator, that means that any tools, techniques, or processes you utilize in your investigation should be ones that are widely accepted in the computer forensics community.
U.S. Laws Affecting Digital Forensics
There are many laws that affect digital forensics investigation. For example, some jurisdictions have passed laws that require the investigator to be either a law enforcement officer or a licensed private investigator to extract the evidence. Of course, that does not prevent a forensic investigator from working with information someone else extracted or extracting evidence if the information owner gave his or her permission. It is important to be aware of the legal requirements in the jurisdiction in which you work.
The Federal Privacy Act of 1974
The Privacy Act of 1974 establishes a code of information-handling practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.
The Privacy Protection Act of 1980
The Privacy Protection Act (PPA) of 1980 protects journalists from being required to turn over to law enforcement any work product and documentary materials, including sources, before it is disseminated to the public. Journalists who most need the protection of the PPA are those who are working on stories that are highly controversial or that describe criminal acts, because the information gathered may also be useful to law enforcement.
The Communications Assistance to Law Enforcement Act of 1994 (CALEA)
The Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded in 2004 to include wireless, voice over packets, and other forms of electronic communications, including signaling traffic and metadata.
Unlawful Access to Stored Communications: 18 U.S.C. § 2701
This act covers access to a facility through which electronic communication is provided or exceeding the access that was authorized. It is broadly written to apply to a range of offenses. Punishment can be up to 5 years in prison and fines for the first offense.
The actual wording of the statute is as follows:
Offense. —Except as provided in subsection (c) of this section whoever—intentionally accesses without authorization a facility through which an electronic communication service is provided; or intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.
This law is used less frequently than the Computer Fraud and Abuse Act. However, it is written broadly enough to cover a number of acts. Primarily, the focus is on any facility, server, or device used to store electronic communications. It is sometimes the case that when employees leave a company, they seek to take information that they can use in competition with the company. This can include emails or other stored communications.
The Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy Act of 1986 governs the privacy and disclosure, access, and interception of content and traffic data related to electronic communications.
The Computer Security Act of 1987 (CSA)
The Computer Security Act of 1987 was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.
The Foreign Intelligence Surveillance Act of 1978
The Foreign Intelligence Surveillance Act of 1978 (FISA) is a law that allows for collection of “foreign intelligence information” between foreign powers and agents of foreign powers using physical and electronic surveillance. A warrant is issued by the FISA court for actions under FISA.
The Child Protection and Sexual Predator Punishment Act of 1998
The Child Protection and Sexual Predator Punishment Act of 1998 requires service providers that become aware of the storage or transmission of child pornography to report it to law enforcement.
The Children’s Online Privacy Protection Act of 1998
The Children’s Online Privacy Protection Act of 1998 (COPPA) protects children 13 years of age and under from the collection and use of their personal information by websites. It is noteworthy that COPPA replaces the Child Online Protection Act of 1988 (COPA), which was determined to be unconstitutional.
The Communications Decency Act of 1996
The Communications Decency Act of 1996 was designed to protect persons 18 years of age and under from downloading or viewing material considered indecent. This act has been subject to court cases that subsequently changed some definitions and penalties.
The Telecommunications Act of 1996
The Telecommunications Act of 1996 includes many provisions relative to the privacy and disclosure of information in motion through and across telephony and computer networks.
The Wireless Communications and Public Safety Act of 1999
The Wireless Communications and Public Safety Act of 1999 allows for collection and use of “empty” communications, which means nonverbal and nontext communications, such as GPS information.
The USA PATRIOT Act
The USA PATRIOT Act is the primary law under which a wide variety of internet and communications information content and metadata is currently collected. Provisions exist within the PATRIOT Act to protect the identity and privacy of U.S. citizens.
The Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.
18 USC 1030 Fraud and Related Activity in Connection with Computers
This is one of the most widely used laws in hacking cases. It covers a wide range of crimes involving illicit access of any computer.
18 USC 1020 Fraud and Related Activity in Connection with Access Devices
This is closely related to 1030 but covers access devices (such as routers).
The Digital Millennium Copyright Act (DMCA)
This controversial law was enacted in 1998. It makes it a crime to publish methods or techniques to circumvent copyright protection. It is controversial because it has been used against legitimate researchers publishing research papers.
18 USC § 1028A Identity Theft and Aggravated Identity Theft
As the name suggests, this law targets any crime related to identity theft. It is often applied in stolen credit card cases.
18 USC § 2251 Sexual Exploitation of Children
This law covers a range of child exploitation crimes and is often seen in child pornography cases. Related to this rather broad law are several others, such as:
18 U.S.C. § 2260: Production of sexually explicit depictions of a minor for importation into the United States
18 U.S.C. § 2252: Certain activities relating to material involving the sexual exploitation of minors (possession, distribution, and receipt of child pornography)
18 U.S.C. § 2252A: Certain activities relating to material constituting or containing child pornography
Warrants
According to the Supreme Court, a “seizure of property occurs when there is some meaningful interference with an individual’s possessory interests in that property” (United States v. Jacobsen, 466 U.S. 109, 113 [1984]). The Court also characterized the interception of intangible communications as a seizure, in the case of Berger v. New York (388 U.S. 41, 59–60 [1967]). That means that law enforcement need not take property in order for it to be considered seizure; merely interfering with an individual’s access to his or her own property constitutes seizure. Berger v. New York extends that to communications. If law enforcement’s conduct does not violate a person’s “reasonable expectation of privacy,” then formally it does not constitute a Fourth Amendment “search” and no warrant is required. There have been many cases where the issue of reasonable expectation of privacy has been argued. To use an example that is quite clear, if you save a message in an electronic diary, you clearly have a reasonable expectation of privacy; however, if you post such a message on a public bulletin board, you can have no expectation of privacy. In less clear cases, a general rule is that courts have held that law enforcement officers are prohibited from accessing and viewing information stored in a computer if they would be prohibited from opening a closed container and examining its contents in the same situation.
Warrants are not needed when evidence is in plain sight. For example, if a detective is talking to someone about a string of burglaries in the neighborhood and can clearly see child pornography on that person’s computer screen, no warrant is needed. Another exception to the need for a warrant is consent. If someone who is authorized to provide consent (for example, the owner of a phone or computer) gives law enforcement that consent to a search, then no warrant is needed.
In computer crime cases, two consent issues arise particularly often. First, when does a search exceed the scope of consent? For example, when a person agrees to the search of a location, such as his or her apartment, does that consent authorize the retrieval of information stored in computers at the location? Second, who is the proper party to consent to a search? Can roommates, friends, and parents legally grant consent to a search of another person’s computer files? These are all critical questions that must be considered when searching a computer. In general, courts have held that only the actual owner of a property can grant consent, or someone who has legal guardianship of the owner. For example, a parent of a minor child can grant consent to search the child’s living quarters and computers. However, a roommate who shares rent can grant consent to search only shared living quarters and computers co-owned by both parties. A roommate cannot grant consent to search the private property of the other person.
There are other cases where investigators don’t need a warrant. One such circumstance is border crossing. Anyone going through customs in any country may have their belongings searched. This can include a complete forensic examination of laptops, cell phones, and other