Discussion page:

  • 1. Do some online research and come up with a “Day in the life of a computer forensic investigator”.

The day in the life of a computer forensics investigator can vary drastically from day to day, and the work depends heavily on the type of cases the investigator is involved in. Generally, the goal of a computer forensics investigator is to gather data or evidence from electronic devices: computers, phones, removable media, servers, and whatever else the case turns up. The investigator uses a range of forensic hardware and software tools (write blockers, imaging tools, analysis suites) to acquire data from those devices without altering them, and documents every step so the evidence can be used in court to support the prosecution or defense of a subject. Investigators also use their technical background to explain their findings to people who are not versed in technology, such as attorneys, juries, and managers. The exact role depends on the employer: a corporate investigator may be tasked with working out how a cyber attack was carried out so the organization can prevent it from happening again, while a law enforcement examiner spends more time on criminal cases and chain-of-custody paperwork.

  • 2. What are some of the “gotchas” when attempting to acquire evidence? (What could hamper evidence collection). How can we get evidence from damaged systems/media?

There are many things that can hamper the collection of digital evidence. Some are technical problems with the equipment or the device the data must be collected from; others come from outside the lab. A common technical issue is that the information has been encrypted or deleted, which makes it harder to access and means more effort and resources must be put into the case to recover it. Legal constraints can also slow the process: the way evidence is gathered has to be authorized (a warrant, consent, or company policy that permits it) and has to follow ethical guidelines, so that nothing is thrown out of court later for having been gathered without proper authority. Lastly, time works against the investigator: volatile data such as memory contents disappears when a system is powered off, log files roll over, and deleted files get overwritten as the system keeps running.

Evidence can often still be recovered from damaged systems or media. The first step is to image whatever can still be read, sector by sector through a write blocker, recording which sectors could not be read rather than giving up on the whole drive; a partial image with a bad-sector map is far better than nothing. If the drive itself is the problem (failed controller board, stuck heads), hardware repair or a clean-room recovery service may get the platters readable again. Data recovery and file-carving tools can then reconstruct files from the image even when the file system structures are gone. If repairs are not possible, look for recent backups, synced copies, or the same data on other devices.
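The sector-by-sector approach described above, as an added example that is not code from the original page: it retries failing reads, zero-fills sectors that never come back so later offsets stay aligned, and records them in a bad-sector map. The "device" is a constructed in-memory stand-in for a damaged drive that would really be opened read-only behind a write blocker; the retry count is an assumption.

```python
"""Sector-by-sector acquisition from failing media with a bad-sector map.

Added example, not code from the original page. FlakyDevice is a
constructed stand-in for a damaged drive.
"""
import hashlib

SECTOR = 512


class FlakyDevice:
    """Constructed device: sectors in `flaky` fail on the first
    `fail_count` reads and then succeed; sectors in `dead` always fail."""

    def __init__(self, data: bytes, flaky: set, dead: set, fail_count: int = 2):
        self.data = data
        self.flaky = flaky
        self.dead = dead
        self.fail_count = fail_count
        self.attempts: dict = {}

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        self.attempts[n] = self.attempts.get(n, 0) + 1
        if n in self.dead or (n in self.flaky and self.attempts[n] <= self.fail_count):
            raise OSError(f"I/O error on sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(dev, retries: int = 3):
    """Image the device one sector at a time. A sector that still fails
    after `retries` attempts is zero-filled in the image (so every later
    offset stays aligned) and recorded in the bad-sector map. The hash is
    taken over the image actually produced, and the report must say so:
    it is not a hash of the original, partly unreadable media."""
    image = bytearray()
    bad_map = []
    for n in range(dev.sectors):
        chunk = None
        for _ in range(retries):
            try:
                chunk = dev.read_sector(n)
                break
            except OSError:
                continue
        if chunk is None:
            bad_map.append(n)
            chunk = bytes(SECTOR)
        image.extend(chunk)
    return bytes(image), bad_map, hashlib.sha256(image).hexdigest()


def demo() -> dict:
    """Constructed 4-sector drive: sector 1 needs three reads, sector 3 is dead."""
    original = bytes(range(256)) * 8          # 2048 bytes = 4 sectors
    dev = FlakyDevice(original, flaky={1}, dead={3})
    image, bad_map, digest = acquire(dev)
    return {
        "original": original,
        "image": image,
        "bad_map": bad_map,
        "sha256": digest,
        "reads_on_sector_1": dev.attempts[1],
    }


if __name__ == "__main__":
    r = demo()
    print("unreadable sectors:", r["bad_map"], "image sha256:", r["sha256"])
```

Real tools such as ddrescue work the same way but also keep the map on disk so an interrupted acquisition can resume and skip the sectors already known to be dead.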

  • 3. What rules and regulations do we have to follow for getting, analyzing, and storing evidence? Do the same rules apply to government investigations as for private organizations?

Any analysis in digital forensics should be done on a copy of the original data, never on the original itself. The original is acquired through a write blocker, hashed (for example with SHA-256) before and after imaging, and then stored; the working copy is verified against that hash before analysis starts. This maintains the integrity of the original, prevents it from being accidentally altered or deleted, and lets the examiner prove in court that what was analyzed is what was seized. A second rule is that the person gathering the original data must do so in an ethical and proper manner: having a trained digital forensics professional perform the acquisition means it is done in the safest way and that the process (who handled the evidence, when, and what was done to it) is documented in a chain of custody. Regulations set by each state and country must be followed so that the evidence collected is admissible in court. Infringing on citizens’ rights by not following the proper procedures could lead to the evidence being ruled invalid.
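The copy-and-verify rule in practice, as an added example and not code from the original page: the original is hashed, copied byte for byte, the copy is hashed and made read-only, a custody record is appended, and a verification step re-hashes the copy before any analysis. The file contents, the examiner name and the JSON-lines log format are constructed assumptions for the demo.

```python
"""Working copy with hash verification and a custody log.

Added example, not from the original page. Paths, the examiner name and
the log format are assumptions; the 'original' is a constructed file
standing in for a write-blocked source image.
"""
import datetime
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_working_copy(original: str, copy_path: str, examiner: str, log_path: str) -> dict:
    """Hash the original, copy it byte for byte, hash the copy, refuse to
    proceed unless both hashes match, make the copy read-only and append
    a custody record. All later analysis runs against `copy_path`."""
    before = sha256_file(original)
    with open(original, "rb") as src, open(copy_path, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    after = sha256_file(copy_path)
    if before != after:
        raise RuntimeError(f"working copy does not match original: {before} != {after}")
    os.chmod(copy_path, 0o444)
    record = {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "examiner": examiner,
        "original": original,
        "copy": copy_path,
        "sha256": before,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_before_analysis(copy_path: str, log_path: str) -> bool:
    """Re-hash the working copy and compare with the most recent logged
    value for it. A tool should refuse to open the copy if this is False."""
    with open(log_path, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    expected = next((r["sha256"] for r in reversed(records) if r["copy"] == copy_path), None)
    return expected is not None and sha256_file(copy_path) == expected


def demo() -> dict:
    """Constructed source file: copy it, verify, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.img")
        copy_path = os.path.join(d, "evidence-working.img")
        log_path = os.path.join(d, "custody.jsonl")
        with open(original, "wb") as f:
            f.write(b"MBR\x55\xaa" + bytes(range(256)) * 64)
        record = make_working_copy(original, copy_path, "examiner-1", log_path)
        clean = verify_before_analysis(copy_path, log_path)
        os.chmod(copy_path, 0o644)
        with open(copy_path, "ab") as f:      # simulate an accidental modification
            f.write(b"\x00")
        tampered = verify_before_analysis(copy_path, log_path)
        return {
            "sha256": record["sha256"],
            "verified_clean": clean,
            "verified_after_tamper": tampered,
            "original_unchanged": sha256_file(original) == record["sha256"],
        }


if __name__ == "__main__":
    print(demo())
```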

For the most part, yes: the same evidence-handling rules (working from verified copies, documenting chain of custody, following applicable privacy and computer-crime laws) apply to both government and private investigations, because both need the evidence to hold up in court. The differences are in authority. Government investigators are bound by constitutional limits on search and seizure and usually need a warrant or consent, but they can also compel evidence through legal process such as subpoenas. Private organizations generally cannot compel anything and are limited to systems they own or have permission to examine, relying on employment agreements and acceptable-use policies for that permission. Overall, both should adhere to the same handling rules in order to maintain the integrity of the evidence.

  • 4. What hives and entries are forensically interesting when doing an investigation? What forensic tools are available?

Registry hives are the files in which Windows stores its configuration and user information. There are separate hives for different kinds of data, and each user also has their own hives (NTUSER.DAT and UsrClass.dat in the user’s profile). One important hive is the Security Account Manager or “SAM” hive, which stores local users’ passwords in hashed form along with other account settings. The hashes are additionally encrypted with a key derived from the SYSTEM hive, so an examiner needs both hives to recover them; once recovered, the hashes can be cracked or used to show which accounts existed and when they last logged on. The other main hives are SECURITY, SOFTWARE and SYSTEM, all stored under Windows\System32\config. Entries that are frequently useful in an investigation include the Run keys (programs started at login, a common persistence spot), USBSTOR under SYSTEM (which USB devices were connected), and in NTUSER.DAT the RecentDocs, UserAssist and ShellBags keys (which documents, programs and folders the user opened). Each hive gives the examiner a different piece of what happened on the machine.
There is a wide range of tools that digital forensics examiners can use to gather and analyze data. EnCase and AccessData FTK are commercial suites that both acquire images and analyze them; FTK Imager is the free acquisition tool from the same vendor. Autopsy, built on The Sleuth Kit, is an open-source analysis platform, and ProDiscover is another commercial acquisition and analysis product. Registry-specific tools such as RegRipper and Registry Explorer parse the hives directly from an image.
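Before trusting any values pulled from a hive, an examiner checks that the hive file itself is intact, and that is what this added example shows; it is not code from the original page or from any of the tools named above. It parses the 4096-byte REGF base block at the start of every hive: the signature, the two sequence numbers (when they differ the hive was not flushed cleanly and the .LOG1/.LOG2 transaction logs hold newer data), the last-written FILETIME, the embedded file name, and the header checksum, which is the XOR of the 32-bit words preceding it. The hive bytes are constructed here so the example runs offline; real hives would be read from the image.

```python
"""Parse and sanity-check a Windows registry hive base block (REGF header).

Added example, not code from the original page. build_hive() constructs
a header-only hive for the demo; parse_regf() works on real hive files.
"""
import datetime
import struct

BASE_BLOCK = 4096
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def regf_checksum(block: bytes) -> int:
    """XOR of the little-endian dwords preceding the checksum field at 0x1FC."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= dword
    return x


def filetime_to_datetime(ft: int) -> datetime.datetime:
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ft // 10)


def parse_regf(block: bytes) -> dict:
    if len(block) < BASE_BLOCK or block[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    primary, secondary, last_written, major, minor = struct.unpack_from("<IIQII", block, 4)
    root_cell, hbins_size = struct.unpack_from("<II", block, 0x24)
    name = block[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": 0x1000 + root_cell,  # cell offsets are relative to the first hive bin
        "hbins_size": hbins_size,
        "checksum_ok": stored == regf_checksum(block),
        # Sequence numbers differ when the hive was not flushed cleanly;
        # the transaction logs then contain data newer than this file.
        "dirty": primary != secondary,
    }


def build_hive(name: str, primary: int, secondary: int, last_written: datetime.datetime) -> bytes:
    """Constructed base block for the demo (header only, no hive bins)."""
    block = bytearray(BASE_BLOCK)
    block[0:4] = b"regf"
    ft = ((last_written - FILETIME_EPOCH) // datetime.timedelta(microseconds=1)) * 10
    # primary, secondary, timestamp, major 1, minor 5, type 0 (primary file),
    # format 1, root cell 0x20, hbins size 0x1000, clustering factor 1
    struct.pack_into("<IIQIIIIIII", block, 4, primary, secondary, ft, 1, 5, 0, 1, 0x20, 0x1000, 1)
    block[0x30:0x70] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", block, 0x1FC, regf_checksum(block))
    return bytes(block)


def demo() -> dict:
    when = datetime.datetime(2023, 1, 1, tzinfo=datetime.timezone.utc)
    clean = build_hive("CONFIG\\SAM", 7, 7, when)           # constructed name
    dirty = build_hive("CONFIG\\SYSTEM", 8, 7, when)        # sequence numbers differ
    corrupt = bytearray(clean)
    corrupt[0x100] ^= 0xFF                                   # one flipped header byte
    return {"clean": parse_regf(clean), "dirty": parse_regf(dirty), "corrupt": parse_regf(bytes(corrupt))}


if __name__ == "__main__":
    for label, info in demo().items():
        print(label, info)
```

A dirty hive is not a reason to stop, but it is a reason to replay the transaction logs (or use a tool that does) before drawing conclusions from values that may be stale.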

  • 5. Windows, Apple and Linux all have different file systems. How does each of them work? What files and logs are forensically interesting when doing an investigation?

Each of the operating systems uses a different type of file system. Windows uses the New Technology File System, or “NTFS”, developed by Microsoft. A file system is what organizes and stores files on a storage device and makes it possible to find them again. NTFS keeps a record for every file and directory in the Master File Table ($MFT), which holds the file’s names, timestamps, permissions and either the data itself (for small files) or the location of the data on disk; this table is one of the most valuable artifacts on a Windows image because entries for deleted files often remain until they are reused. NTFS supports per-file permissions through access control lists and per-file encryption through EFS. It is also a journaling file system: $LogFile records metadata changes so the volume can be repaired after a crash, and the change journal $UsnJrnl records which files were created, modified or deleted, which gives an investigator a timeline of file activity. Because NTFS is a Microsoft format, macOS can read it but does not write to it by default. NTFS replaced FAT32 and was designed as an improvement over it.

Apple traditionally used the HFS+ file system, developed by Apple for Mac devices; since 2017 macOS and iOS use its successor, APFS, but HFS+ volumes are still common on older media. Both have similar features to NTFS, including per-file permissions and extended attributes. HFS+ is also a journaling file system that keeps a log of metadata changes. The main benefit of journaling is that the file system can be brought back to a consistent state after a crash or power loss; it is not a general undo for deleted files, although the journal can preserve fragments of metadata for recently changed files that an investigator can recover.

Linux’s most common file system is ext4, which followed ext3 and ext2. Ext4 makes use of delayed allocation when writing data, which means recently written data may still be in memory rather than on disk when a system is powered off. Like the other two, ext4 is a journaling file system with the same recovery benefits. File metadata (timestamps, permissions, owner, block locations) lives in inodes rather than in a central table like the MFT, and a file name is just a directory entry pointing at an inode, so an investigator has to examine both to reconstruct deleted files. All three operating systems organize files in a hierarchical tree of directories; the visible difference is that Linux has a single root (/) with other devices mounted inside it, whereas Windows presents each volume under its own drive letter.

Files that are forensically interesting in an investigation include network logs, application logs, and system logs. On Windows these are the Event Logs (.evtx files under System32\winevt\Logs, such as Security, System and Application); on Linux they are the files under /var/log (auth.log or secure, syslog or messages, and the journald journal); on macOS the unified log and the files under /var/log. Each provides a different type of information: system logs show logons, service starts and shutdowns; application logs show what programs were used and what they did; and network logs (firewall, proxy, DNS and web server logs) help determine whether a network-based attack occurred and from where. Beyond logs, the $MFT, prefetch files, browser history and shell history files are all useful. Putting these sources together on one timeline lets an investigator piece together what took place on a system.
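The kind of question a system log answers, as an added example that is not from the original page: a small detector run over constructed sshd lines in the auth.log format finds a source address that failed repeatedly within a short window and then logged in successfully. The log lines, the threshold, the window and the year used to complete the timestamps are all assumptions; the addresses are from the documentation ranges.

```python
"""Flag SSH brute-force attempts in auth-log lines.

Added example, not from the original page. The log lines are constructed;
threshold, window and year are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar 13 10:01:02 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 13 10:01:05 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar 13 10:01:09 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 13 10:01:12 web1 sshd[2218]: Failed password for root from 203.0.113.7 port 51055 ssh2
Mar 13 10:01:15 web1 sshd[2221]: Failed password for root from 203.0.113.7 port 51060 ssh2
Mar 13 10:01:20 web1 sshd[2224]: Accepted password for root from 203.0.113.7 port 51072 ssh2
Mar 13 10:30:44 web1 sshd[2301]: Failed password for alice from 198.51.100.9 port 40110 ssh2
Mar 13 10:30:51 web1 sshd[2303]: Accepted publickey for alice from 198.51.100.9 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text: str, year: int = 2024):
    """Yield (timestamp, result, user, ip); syslog lines carry no year, so
    it is supplied. Lines that do not match are skipped, not guessed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def find_bruteforce(text: str, threshold: int = 4, window_s: int = 120) -> dict:
    """Per source IP: flag a burst when `threshold` failures fall inside
    `window_s` seconds, and record which user (if any) then logged in."""
    failures = defaultdict(list)
    users = defaultdict(set)
    success_after = {}
    for ts, result, user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip].append(ts)
            users[ip].add(user)
        elif ip in failures:
            success_after[ip] = user
    report = {}
    for ip, times in failures.items():
        times.sort()
        burst = any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
                    for i in range(len(times) - threshold + 1))
        report[ip] = {
            "failures": len(times),
            "users": sorted(users[ip]),
            "burst": burst,
            "success_after_failures": success_after.get(ip),
        }
    return report


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

The single failed password followed by a key-based login from 198.51.100.9 looks like a user mistyping, which is why the rule keys on a burst rather than on any failure at all.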

  • 6. What metadata can we get from various files? How can it help in an investigation?

Metadata is essentially data about other data. It is useful because it describes a file without requiring the examiner to read the file’s contents. Metadata includes the file’s size and type, its attributes, and its timestamps: when it was created, last modified and last accessed (the “MAC” times). Many file formats also embed their own metadata, such as the author and edit history in Office documents, or the camera model, capture time and sometimes GPS coordinates in a photo’s EXIF data. This information can support a case or show that someone accessed a file at a particular time, although an examiner has to remember that timestamps depend on the system clock and time zone and can be deliberately altered, so they are corroborated against logs and other sources rather than taken on their own.
Metadata also makes a digital forensic professional’s work more efficient, because it lets them sort through large amounts of data quickly. For instance, an investigator looking for a certain type of file, or a file of roughly a certain size, can filter on the metadata to show only files of approximately that size or type, or only those modified within the time window of the incident. Checking the type recorded in the file’s contents against its extension also turns up files that have been renamed to disguise them. Overall, this increases the efficiency of analyzing data.
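The filtering described above, as an added example and not code from the original page: it collects size, modification and access times and the file type detected from the first bytes of content, flags extension mismatches, and then filters by size range and modification window. The files, their contents and timestamps are constructed in a temporary directory so the example runs offline; the magic-byte table covers only a few common formats.

```python
"""Metadata triage: timestamps, size, and content type versus extension.

Added example, not from the original page. Sample files are constructed.
"""
import os
import tempfile
from datetime import datetime, timezone

# Leading bytes of a few common formats (constructed subset, not exhaustive)
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
}
EXT_ALIASES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf", "zip": "zip"}


def sniff_type(path: str) -> str:
    with open(path, "rb") as f:
        head = f.read(8)
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def file_metadata(path: str) -> dict:
    st = os.stat(path)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    kind = sniff_type(path)
    return {
        "name": os.path.basename(path),
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
        "accessed": datetime.fromtimestamp(st.st_atime, timezone.utc),
        "content_type": kind,
        # a recognised format whose extension says otherwise (e.g. a ZIP named .txt)
        "extension_mismatch": kind != "unknown" and EXT_ALIASES.get(ext) != kind,
    }


def triage(directory: str, min_size: int = 0, max_size=None, modified_after=None) -> list:
    """Metadata rows for every file in `directory`, filtered by size and mtime."""
    rows = []
    for name in sorted(os.listdir(directory)):
        r = file_metadata(os.path.join(directory, name))
        if r["size"] < min_size or (max_size is not None and r["size"] > max_size):
            continue
        if modified_after is not None and r["modified"] < modified_after:
            continue
        rows.append(r)
    return rows


def demo() -> dict:
    """Constructed files with constructed timestamps."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(3000),
            "report.pdf": b"%PDF-1.7\n" + bytes(500),
            "notes.txt": b"PK\x03\x04" + bytes(1200),   # a ZIP archive renamed to look like text
            "readme.txt": b"plain text\n",
        }
        old = datetime(2023, 1, 1, tzinfo=timezone.utc).timestamp()
        new = datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp()
        for name, content in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            os.utime(p, (new, new) if name == "notes.txt" else (old, old))
        return {
            "all": triage(d),
            "between_1k_and_2k": [r["name"] for r in triage(d, 1000, 2000)],
            "recent": [r["name"] for r in triage(d, modified_after=datetime(2024, 1, 1, tzinfo=timezone.utc))],
            "mismatched": [r["name"] for r in triage(d) if r["extension_mismatch"]],
        }


if __name__ == "__main__":
    print(demo())
```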

  • 7. What techniques might criminals use to hide data or activities?

Criminals have many ways to hide data or their activities on electronic devices. One common way to mask a user’s IP address or identity is a VPN or a proxy chain such as Tor, which prevents the user’s location from being obtained directly from connection logs. Encryption is also widely used: full-disk encryption, encrypted containers and encrypted messaging make the data unreadable without the key, and prolong an investigation because recovering the key or the plaintext can take a long time or be impossible. Criminals may also physically destroy devices or securely wipe storage, resulting in the loss of information that could have been useful, and use anti-forensic techniques such as altering file timestamps or clearing logs. Steganography is a more advanced technique in which data is hidden inside another file, for instance in the low-order bits of an image, so that the carrier file looks ordinary. Overall, criminals have a lot of techniques for hiding what they are doing, and it is common for them to layer several so that they remain protected if one of them fails.
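Least-significant-bit steganography, mentioned above, as an added example that is not code from the original page: a message with a length prefix is written into the lowest bit of each byte of a carrier, so no byte changes by more than one, and the extractor reads it back. The carrier here is a constructed byte buffer standing in for raw pixel data; the four-byte length header is a design choice of this example, not a standard.

```python
"""LSB steganography: embed and extract a payload in a byte carrier.

Added example, not from the original page. The carrier is constructed
bytes standing in for raw pixel data; the length-prefix format is ours.
"""


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length then the payload, one bit per
    carrier byte, into the least significant bit. Raises if it won't fit."""
    data = len(payload).to_bytes(4, "big") + payload
    nbits = len(data) * 8
    if nbits > len(cover):
        raise ValueError(f"payload needs {nbits} carrier bytes, cover has {len(cover)}")
    out = bytearray(cover)
    for i in range(nbits):
        bit = (data[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length header from the first 32 LSBs, then the payload."""
    def read(start_bit: int, nbytes: int) -> bytes:
        buf = bytearray()
        for b in range(nbytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + k] & 1)
            buf.append(value)
        return bytes(buf)

    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header points past the end of the carrier: not our format or damaged")
    return read(32, length)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """How much any single carrier byte moved; for LSB embedding this is at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def demo() -> dict:
    cover = bytes((i * 7) % 256 for i in range(4096))      # constructed "pixel" buffer
    payload = b"meet at dock 9, 02:00"
    stego = embed_lsb(cover, payload)
    return {
        "recovered": extract_lsb(stego),
        "max_change": max_byte_change(cover, stego),
        "bytes_touched": sum(1 for a, b in zip(cover, stego) if a != b),
        "cover_len": len(cover),
    }


if __name__ == "__main__":
    print(demo())
```

Because every byte moves by at most one, the carrier looks unchanged to the eye; detection relies on statistics of the LSB plane (or on comparing against the original file if it can be found), and the first 32 bytes of a suspect carrier are a natural place to try known header formats.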

  • 8. What is special/different about forensic analysis of virtual machines? (NOT WHAT IS A VIRTUAL MACHINE)

The major difference when analyzing a virtual machine is where the evidence lives and what tools and knowledge are needed to get at it. A VM’s disk is just a file on the host (a VMDK, VHDX or qcow2, for example), so the whole machine can often be acquired by copying that file through the host without ever booting the guest, and tools such as The Sleuth Kit and Autopsy can open those disk formats, though sometimes they first need to be converted to a raw image. Snapshots and suspended-state files also preserve the guest’s memory on disk, which gives an examiner RAM contents without a live acquisition; on the other hand, a snapshot can be reverted and a VM with a non-persistent disk discards every change at shutdown, so a user can easily destroy evidence or present a clean machine. All of this requires someone who understands the hypervisor and its file formats, because the approach differs from a physical device. Additionally, a VM can be moved or migrated between host computers, which introduces another level of complexity: the examiner has to collect hypervisor logs and host artifacts to establish where the VM ran and who was using it.

  • 9. What is special/different about forensic analysis of cloud based machines? (NOT WHAT IS A CLOUD MACHINE/SYSTEM)

Cloud-based machines present some major differences in how a digital forensics investigation is approached. One issue is the lack of physical access to hardware or storage: the disks belong to the provider, are shared with other tenants, and the data is virtualized in a way that makes it hard to point to one physical place where it is kept. The information may be spread across multiple storage devices and multiple geographical regions, and data residing in different jurisdictions brings legal issues, because the laws differ depending on where the data is kept and the evidence usually has to be obtained through the provider by legal process, which can prolong collection. Cloud machines are also ephemeral: when an instance is terminated its local storage is typically discarded, and autoscaling creates and destroys machines constantly, so evidence can disappear before anyone asks for it. In practice the examiner relies on snapshots of the instance’s volumes and memory, and on the provider’s own logs (API audit logs, storage access logs, network flow logs), and has to document the provider’s role in the chain of custody.

  • 10. What qualifies a person to be an expert witness?

An expert witness is someone with extensive education, training, or experience in a particular field. Expert witnesses are needed in many cases to help make sense of complex evidence that most people in the courtroom would not otherwise understand. The witness usually has to show credentials or other qualifications (degrees, professional certifications, publications, years of casework) that demonstrate expertise in the field, and the judge decides whether they qualify; in United States federal courts this is governed by Federal Rule of Evidence 702 and the Daubert standard, which also looks at whether the methods used are reliable and generally accepted. This is what makes the expert’s testimony credible and trustworthy. Additionally, an expert witness has to be able to explain and present evidence clearly to people who are not educated in the field, and to stay within what the evidence actually supports under cross-examination.