Investigative Process

The document outlines the process for investigating cybercrimes, which includes 6 stages: 1. Identification of relevant digital evidence; 2. Preservation of evidence to prevent corruption; 3. Collection of evidence following strict methodology; 4. Extraction of artifacts from evidence for analysis; 5. Analysis and interpretation of recovered data to draw conclusions; 6. Presentation of discoveries in a documented report.

Uploaded by Janeth Lwena

Cybercrime

INVESTIGATIVE PROCESS
The Digital Forensics Process
• The Digital Forensics Research Workshop (DFRWS) divides the digital forensics process into the following stages.
• Identification: assessment of the digital evidence that is useful to the case. This step includes the preliminary analysis of the technical instrumentation and procedures needed for the acquisition phase.
• Preservation: the main focus of this stage is to freeze the crime scene, preventing the source data from being altered or corrupted by physical or software means.
• Collection: every device or item of digital evidence identified must be collected following a strict methodology to avoid any possible alteration of the original evidence.
• Extraction: an examination process is carried out on the collected evidence to identify the artifacts for the analysis phase.
• Analysis: the recovered data are interpreted and organized in a logical and structured form, and conclusions are drawn from them.
• Presentation: all discoveries from the analysis are documented and summarized in a report.
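As an added illustration of the Preservation and Collection stages (this is example code, not material from the slides), the following Python script acquires a source into a raw image, hashes the source before copying and the image after writing, marks the image read-only, and appends a chain-of-custody record. The file names, the examiner identifier and the sample "device" (a temporary file of random bytes) are constructed for the example; on real media the source would be read through a hardware write blocker so that the pre-acquisition hash cannot change the evidence.

```python
"""Acquire a source into a raw image, verify it, and log chain of custody.
Added example; not code from the slides."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: large devices stream through without filling memory


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source: str, image: str, custody_log: str, examiner: str) -> dict:
    """Bit-for-bit copy of `source` to `image`; three hashes must agree before analysis."""
    pre_hash = sha256_of(source)        # the original, before anything is written
    written = hashlib.sha256()          # the bytes actually streamed into the image
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            written.update(block)
    os.chmod(image, 0o444)              # image becomes read-only; examiners work on copies
    post_hash = sha256_of(image)        # re-read from disk to catch write errors
    verified = pre_hash == written.hexdigest() == post_hash
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": "acquire",
        "source": source,
        "image": image,
        "size_bytes": os.path.getsize(image),
        "sha256": pre_hash,
        "verified": verified,
    }
    with open(custody_log, "a", encoding="utf-8") as log:   # append-only record
        log.write(json.dumps(record) + "\n")
    if not verified:
        raise RuntimeError("hash mismatch: image is not a faithful copy, do not analyse it")
    return record


def verify_image(image: str, expected_sha256: str) -> bool:
    """Run before every analysis session; a changed hash means the image was altered."""
    return sha256_of(image) == expected_sha256


def demo() -> dict:
    """Exercise the procedure on a constructed 'device' (a temp file of random bytes)."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "device.bin")        # stands in for e.g. /dev/sdb
    image = os.path.join(workdir, "evidence001.dd")
    custody = os.path.join(workdir, "custody.jsonl")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))          # constructed, not a real evidence item
    record = acquire(source, image, custody, examiner="examiner-1")
    # Simulate post-acquisition tampering on a copy: flip one bit, then re-verify.
    tampered = os.path.join(workdir, "evidence001-tampered.dd")
    with open(image, "rb") as f:
        data = bytearray(f.read())
    data[4096] ^= 0x01
    with open(tampered, "wb") as f:
        f.write(data)
    return {
        "record": record,
        "reverify": verify_image(image, record["sha256"]),
        "tamper_detected": not verify_image(tampered, record["sha256"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody log is append-only JSON lines so that every later action (re-verification, export, hand-over) can be added as another record against the same hash; the hash recorded at acquisition is the value that every subsequent verification is checked against.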
Cybercrime Execution Stack (Technology Examination)
[Figure: four layers of the cybercrime execution stack, shown on the slide as column pairs]
• Objective: Data
• Tactics: Exploitative
• Methods: Attack
• Technology: Networked

[Figure: Law Enforcement Investigative Process, from Investigation Initiation to Outcome]
• Main flow: Investigation Initiation → Modeling → Impact / Assessment → Planning → Tools → Action → Outcome
• Victim side: Risk; Cybercrime Readiness; Damaged (Victim); Consulting with Crime Profiler; Classification and Priority decision; Cybercrime Scene Investigation
• Suspect side: Injurer; Suspect summon; Suspect cybercrime scene investigation; Tracking; Analysis by Profiler
The Investigation Procedure


Preparedness for Digital Evidence Handling
1. Policy and Procedure Development
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documenting and Reporting
DIGITAL FORENSIC ANALYSIS METHODOLOGY
Source of the flowchart: Department of Justice (DOJ), Computer Crime and Intellectual Property Section (CCIPS), Cybercrime Lab, http://www.cybercrime.gov, (202) 514-1026. The binary strip printed across the original flowchart decodes to "DOJ CCIPS Ovie Carroll and Thomas Song".

[Figure: the CCIPS flowchart, reconstructed from the text recoverable on the slide]

PROCESS OVERVIEW
Forensic Request → 1 OBTAINING & IMAGING FORENSIC DATA → 2 PREPARATION / EXTRACTION → IDENTIFICATION → 3 ANALYSIS → FORENSIC REPORTING → CASE-LEVEL ANALYSIS
Return On Investment: determine when to stop this process. Typically, after enough evidence is obtained for prosecution, the value of additional forensic analysis diminishes.

PREPARATION / EXTRACTION
• Start. Does the request contain sufficient information to start this process? If no, coordinate with the requester to determine the next step.
• If yes, set up and validate forensic hardware and software; create a system configuration package as needed.
• Duplicate and verify the integrity of the "Forensic Data". Integrity not OK: Stop! Notify appropriate personnel; wait for instruction.
• Integrity OK: organize / refine the forensic request and select forensic tools.
• Is there more "Data Search Lead" for processing? If yes: extract the data requested; add the extracted data to the "Prepared / Extracted Data List"; mark the "Data Search Lead" processed on the "Data Search Lead List"; repeat.
• If no: if there is data for analysis, start IDENTIFICATION.

IDENTIFICATION
• Start. Is there data in the "Prepared / Extracted Data List"? If no: if new "Data Search Leads" were generated, start PREPARATION / EXTRACTION; otherwise wait for resolution.
• If yes, take the next item. What type of item is it?
  – Data NOT relevant to the forensic request: mark the item processed on the "Prepared / Extracted Data List".
  – Incriminating information outside the scope of the warrant: Stop! Notify appropriate personnel; wait for instruction.
  – Relevant Data: document this item and all relevant metadata and attributes on the "Relevant Data List".
• If the item or discovered information can generate new "Data Search Leads", document the new leads on the "Data Search Lead List".
• If the item or discovered information can generate a "New Source of Data", document the new lead on the "New Source of Data Lead List".
• Mark the item processed on the "Prepared / Extracted Data List". Consider advising the requester of initial findings.
• If a new "Data Search Lead" is generated, start PREPARATION / EXTRACTION. If a "New Source of Data Lead" is generated, start OBTAINING & IMAGING FORENSIC DATA.

ANALYSIS
• Start. Is there more "Relevant Data" for analysis? If no, start FORENSIC REPORTING. If yes, answer the following for the item:
  – Who / What: who or what application created, edited, modified, sent, received, or caused the file to be? Who is this item linked to and identified with?
  – Where: where was it found? Where did it come from? Does it show where relevant events took place?
  – When: when was it created, accessed, modified, received, sent, viewed, deleted, and launched? Does it show when relevant events took place? Time analysis: what else happened on the system at the same time? Were registry keys modified?
  – How: how did it originate on the media? How was it created, transmitted, modified and used? Does it show how relevant events occurred?
  – Associated artifacts and metadata: registry entries, application/system logs, and similar.
  – Other connections: do the above artifacts and metadata suggest links to any other items or events? What other correlating or corroborating information is there about the item? What did the user do with the item? Identify any other information that is relevant to the forensic request.
• Use a timeline and/or other methods to document findings on the "Analysis Results List". Mark the "Relevant Data" item processed on the "Relevant Data List".

LISTS

Data Search Lead List
Generally this involves opening a case file in the tool of choice and importing the forensic image file. This could also include recreating a network environment or database to mimic the original environment.
Sample Data Search Leads:
• Identify and extract all email and deleted items.
• Search media for evidence of child pornography.
• Configure and load seized database for data mining.
• Recover all deleted files and index drive for review by case agent/forensic examiner.
Comments/Notes/Messages (use this section as needed). Sample Note: Please notify case agent when forensic data preparation is completed.

Prepared / Extracted Data List
A list of items that are prepared or extracted to allow identification of data pertaining to the forensic request.
Sample Prepared / Extracted Data items:
• Processed hard drive image using Encase or FTK to allow a case agent to triage the contents.
• Exported registry files and installed registry viewer to allow a forensic examiner to examine registry entries.
• A seized database is loaded on a database server ready for data mining.
Comments/Notes/Messages (use this section as needed). Sample Message: Numerous files located in c:\movies directory have .avi extensions but are actually Excel spreadsheets.

Relevant Data List
A list of data that is relevant to the forensic request. For example, if the forensic request is finding information relating to credit card fraud, any credit card number, image of a credit card, emails discussing making credit cards, web cache that shows the date, time and search term used to find a credit card number program, etc. are Relevant Data as evidence. In addition, victim information retrieved is also Relevant Data for the purpose of victim notification.
Comments/Notes/Messages (use this section as needed). Sample Notes:
• Attachment in Outlook.pst>message05 has a virus in it. Make sure an anti-virus software is installed before exporting and opening it.
• Identified and recovered 12 emails detailing plan to commit crime.

New Source of Data Lead List
A list of data that should be obtained to corroborate or further investigative efforts.
Sample New Source of Data Leads:
• Email address: [email protected].
• Server logs from FTP server.
• Registry entries.
• Application/system logs.
• Subscriber information for an IP address.
• Transaction logs from server.
Comments/Notes/Messages (this is self explanatory; use this section as needed). Sample Note: During forensic analysis of subject John Doe's hard drive image on credit card fraud, an email message revealed that Jane Doe asks John Doe for payment on a credit card printing machine.

Analysis Results List
A list of meaningful data that answers the who, what, when, where and how questions in satisfying the forensic request.
Sample Analysis Results (timeline 1/4/03 to 1/5/03):
• \Windows\$NtUninstallKB887472$\10.dat, modified 11:03 PM 01/05/03
• \data\sentbox.dbx\message5.eml, emailed 11:10 PM 01/05/03
• \Special Tools\stegano.exe
• Modified and emailed img to ...
Comments/Notes/Messages (use this section as needed). Sample Note: 10.dat, message5.eml and stegano.exe show that John Doe used a steganography tool to hide a ten dollar image in 10.dat at 11:03 PM 01/05/03 and emailed it to Jane Doe at 11:10 PM 01/05/03.
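Two of the checks behind the flowchart's sample entries, as an added Python example (not code from the slides or from CCIPS): the Preparation/Extraction "Sample Message" (files with .avi extensions that are really Excel spreadsheets) is the classic extension-versus-file-signature mismatch, and the Analysis "When / Time analysis" question is answered by pulling every other event within a window around an item of Relevant Data. The file headers and timeline are constructed to mirror the slide's samples; only the 10.dat and message5.eml times come from the slide, the rest are invented for the example.

```python
"""Two checks the examiner performs in the DOJ methodology, on constructed data.
Added example; none of this is code from the slides or from CCIPS."""
from datetime import datetime, timedelta

# Leading bytes compared against the claimed extension (small subset of common signatures).
SIGNATURES = [
    (b"PK\x03\x04", "zip-based (xlsx/docx/pptx/zip)", {"xlsx", "docx", "pptx", "zip"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 (xls/doc/ppt/msg)", {"xls", "doc", "ppt", "msg"}),
    (b"RIFF", "RIFF (avi/wav)", {"avi", "wav"}),
    (b"\xff\xd8\xff", "JPEG", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG", {"png"}),
    (b"%PDF", "PDF", {"pdf"}),
]


def claimed_extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def signature_mismatches(files: dict) -> list:
    """files maps path -> first bytes. Returns (path, claimed_ext, actual_family)
    for every file whose header contradicts its extension (the 'Sample Message' case)."""
    findings = []
    for path, head in files.items():
        ext = claimed_extension(path)
        for magic, family, exts in SIGNATURES:
            if head.startswith(magic):
                if ext not in exts:
                    findings.append((path, ext, family))
                break  # first matching signature decides
    return findings


def events_near(timeline: list, anchor_path: str, window_minutes: int = 10) -> list:
    """Time analysis: everything else that happened within +/- window of the anchor item.
    timeline entries are (datetime, path, event)."""
    anchors = [t for t, p, _ in timeline if p == anchor_path]
    window = timedelta(minutes=window_minutes)
    return [
        (t, p, e)
        for t, p, e in sorted(timeline)
        if p != anchor_path and any(abs(t - a) <= window for a in anchors)
    ]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample: two .avi files, one of which is really a zip-based Office document,
# plus a genuine .xls and a PDF renamed to .jpg.
SAMPLE_FILES = {
    r"c:\movies\trip01.avi": b"PK\x03\x04\x14\x00\x06\x00",
    r"c:\movies\trip02.avi": b"RIFF\x10\x27\x00\x00AVI LIST",
    r"c:\data\report.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00",
    r"c:\data\photo.jpg": b"%PDF-1.4\n",
}

# Constructed timeline around the slide's sample analysis result (times are invented
# except the two the slide states: 10.dat 23:03 and message5.eml 23:10 on 2003-01-05).
SAMPLE_TIMELINE = [
    (_ts("2003-01-04 09:15"), r"\Windows\notepad.exe", "executed (prefetch)"),
    (_ts("2003-01-05 23:01"), r"\Special Tools\stegano.exe", "executed (prefetch)"),
    (_ts("2003-01-05 23:03"), r"\Windows\$NtUninstallKB887472$\10.dat", "modified"),
    (_ts("2003-01-05 23:10"), r"\data\sentbox.dbx\message5.eml", "sent"),
]

if __name__ == "__main__":
    for path, ext, family in signature_mismatches(SAMPLE_FILES):
        print(f"Note: {path} claims .{ext} but header is {family}")
    for t, p, e in events_near(SAMPLE_TIMELINE, r"\Windows\$NtUninstallKB887472$\10.dat"):
        print(f"{t:%Y-%m-%d %H:%M}  {e:<20}  {p}")
```

A mismatch finding is exactly the kind of observation that goes into the Comments/Notes column of the Prepared / Extracted Data List, and the time-window result is the raw material for the timeline documented on the Analysis Results List; in practice the signature table would be a full library (for example the one a carving tool ships with) and the timeline would be built from every timestamp source on the image, not only the ones shown here.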
Protocols and Procedures
Policy and Procedure Development
• Mission statement
• Personnel
• Administrative considerations
• Service request and intake
• Case management
• Evidence handling and retention
• Case processing
Developing technical procedures
• Established procedures should guide the technical process of the examination
of evidence. Procedures should be tested prior to their implementation to
ensure that the results obtained are valid and independently reproducible.
• The steps in the development and validation of the procedures should be documented and include:
  – Identifying the task or problem.
  – Proposing possible solutions.
  – Testing each solution on a known control sample.
  – Evaluating the results of the test.
  – Finalizing the procedure.
• Original evidence should never be used to develop procedures.
Case assessment
Evidence Assessment
• Review the case investigator's request for service.
• Consult with the case investigator about the case and let him or her know what the forensic examination may or may not discover.
• Onsite considerations
• Processing location assessment
• Legal considerations
• Evidence assessment
Digital Forensics of Windows Artifacts
– Root user folder artifacts
– Desktop artifacts
– Pinned files artifacts
– Recycle Bin artifacts
– HKEY_CLASSES_ROOT artifacts
– Registry artifacts
– AppData artifacts
– Cookies artifacts
– Favorites artifacts
– Program Files artifacts
– Metadata artifacts
– Jump lists
– Send To artifacts
– Swap file artifacts
– Thumbcache artifacts
– Restore Points artifacts
– Print Spooler artifacts
– Logo artifacts
– Start menu artifacts
– My Documents artifacts
– Recent folder artifacts
Evidence categories and the Windows artifacts that record them
• File Download: Save/Open MRU (most recently used files); Email attachment files; Places.sqlite / Index.dat; Downloads.sqlite; File History
• Program Execution: UserAssist; Most Recently Visited programs (RunMRU); Application Compatibility Cache; Prefetch
• File Open / Create: Save/Open MRU; Recently Opened Files / MS Office MRU files; Lnk / shortcut files and jump lists; Prefetch; Index.dat file://; Shell Bags
• Physical Location: Time Zone; Network History; Cookies; Search terms used on the browser
• USB Usage: Key identification; First and last time of usage; Volume serial number of the USB device; User history; Lnk shortcut files
• Account Usage: Last login details; Successful / failed attempts; Password change; Recent RDP usage
• Deleted Files: ACMRU search assistant; Recently Visited (MRU); Index.dat file://; Thumbs.db; Recycle Bin
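Program-execution artifacts such as UserAssist are only useful once decoded. As an added example (not part of the slides), the following Python decodes a Windows 7-and-later UserAssist value: the value name under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count is the ROT13-encoded path of the executed program, and the 72-byte binary data carries the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-run FILETIME at offset 60. The sample value is constructed in the code (the program name, folder GUID and timestamps are assumptions for illustration); `live_userassist()` reads the current user's hive on Windows with the standard-library winreg module and is skipped elsewhere.

```python
"""Decode Windows 7+ UserAssist values (Program Execution evidence).
Added example with a constructed value; it is not code from the slides."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USERASSIST_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"


def filetime_to_datetime(ft: int):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; zero means 'never run'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Integer arithmetic on purpose: the tick count exceeds float precision."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def decode_userassist(name: str, data: bytes) -> dict:
    """Value name is ROT13 of the executed path; data layout (72 bytes on Win7+):
    0x00 version, 0x04 run count, 0x08 focus count, 0x0C focus time in ms,
    0x10-0x37 ten floats (session history, ignored here), 0x3C last-run FILETIME."""
    if len(data) < 68:
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    version, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(name, "rot_13"),
        "version": version,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run_utc": filetime_to_datetime(last_run),
    }


def make_sample_value(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Build a constructed 72-byte value so the decoder can be exercised offline."""
    buf = bytearray(72)
    struct.pack_into("<IIII", buf, 0, 5, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)


def live_userassist() -> list:
    """Read every UserAssist entry from the current user's live hive (Windows only)."""
    import winreg  # standard library, present only on Windows
    results = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, USERASSIST_KEY) as ua:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(ua, i)
            except OSError:
                break
            i += 1
            try:
                count = winreg.OpenKey(ua, guid + r"\Count")
            except OSError:
                continue
            with count:
                j = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(count, j)
                    except OSError:
                        break
                    j += 1
                    if isinstance(data, bytes) and len(data) >= 68:
                        results.append(decode_userassist(name, data))
    return results


def demo() -> dict:
    """Constructed entry: the tool from the DOJ sample, run 7 times, last at 23:01 on 2003-01-05."""
    # Hypothetical path; the leading GUID is how Win7+ abbreviates known folders in these names.
    path = r"{6D809377-6AF0-444B-8957-A3773F02200E}\Special Tools\stegano.exe"
    name = codecs.encode(path, "rot_13")  # the name exactly as it would sit in the registry
    data = make_sample_value(7, 3, 90_000, datetime(2003, 1, 5, 23, 1, tzinfo=timezone.utc))
    return decode_userassist(name, data)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>14}: {value}")
```

When the value is shorter than 68 bytes it is the older Windows XP layout (16 bytes: session, run count, FILETIME at offset 8, with the run count biased by 5), which this decoder deliberately refuses rather than misreading; on a live system the same ROT13 names also appear under several GUID subkeys, so `live_userassist()` walks all of them instead of assuming one.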

You might also like