Examination of the Evidence


The acquisition of the media, although tedious, is generally clear-cut. A trained investigator, following a set of rules, can be reasonably certain that the data was acquired properly and is not tainted. Examining the evidence to find proof of wrongdoing, however, can be anything but straightforward.

Planning the Search

The most important step in the examination is to plan what items to search for. A poorly designed search will result in either no results at all or so many results that they are unusable. A well-designed search consists of unique items that are unlikely to occur outside the scope of the investigation but that are also likely to be present in any incriminating evidence. This might be a simple task, but it is often anything but. The examples in the sidebar are useful to illustrate this.

Search Examples

Misuse of company resources: The suspect is accused of using the company computer and Internet connection to visit adult web sites and download images. In this case, the search criterion is simple. The investigator needs only to demonstrate that the suspect did visit these sites. Any unique image or fragment of an image might be sufficient to establish this. One of the simplest things the investigator might search for is image files, including files in the browser cache (and deleted files). The investigator can also search the history and bookmark files for URLs, cookies from the sites, and the Windows Registry for connection data. Any items found are probably sufficient to demonstrate that the computer, at least, was used to visit those sites. Placing the person at the computer might involve several additional steps. For example, network logon records, physical security records, or eyewitness accounts can be correlated with the date stamps on the recovered files.

Harassing or inappropriate email: The suspect is accused of sending harassing emails to other persons. A search of the mail server logs might be inconclusive or inconvenient. A direct search of the user's computer is, in any event, valuable for corroborating evidence. The first place the investigator might choose to look is the actual mail client files. Many of these are encrypted or use some proprietary format that cannot be read without the proper software. The investigator might have to copy the mail files to the forensics machine and open them using the mail client to view old messages. If this is unsuccessful, a possible next step is to search the computer (first all the files, then all the deleted files and slack space) for text fragments that correspond to the offending emails. The keywords for the text search must be refined to provide a complete search without returning an overly large (and unmanageable) number of "hits." Each hit must then be manually examined, in the context of the surrounding file fragments, to determine whether it matches a pattern from the email or is simply a false positive.
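The text-fragment search described in the second example, as an added illustration that is not from the book: it scans a raw image for refined keyword phrases in both ASCII and UTF-16LE (the encoding many Windows programs write), and returns each hit with its byte offset and surrounding bytes so the examiner can judge it in context. The sample image, keywords and context width are constructed for the demonstration.

```python
import re

# Constructed sample "disk image" (not real evidence): an allocated notes file,
# filler, a UTF-16LE message fragment of the kind a Windows mail client leaves
# in slack space, NUL padding, and an innocent ASCII sentence that reuses a keyword.
SAMPLE_IMAGE = (
    b"Meeting notes for Tuesday. Budget review.\x00\x00\x00\x00"
    b"unrelated filler text that mentions nothing of interest\x00\x00"
    + "You will regret this, I know where you live".encode("utf-16-le")
    + b"\x00" * 16
    + b"where you live in the city matters for taxes\x00"
)

KEYWORDS = ["regret this", "where you live"]  # refined phrases, not single words
CONTEXT = 24                                  # bytes kept on each side of a hit

def build_pattern(keyword):
    """Match the phrase as plain ASCII or as UTF-16LE (each char followed by a
    NUL), case-insensitively, so text written by Windows programs is not missed."""
    ascii_form = re.escape(keyword.encode("ascii"))
    utf16_form = re.escape(keyword.encode("utf-16-le"))
    return re.compile(b"(?i)" + ascii_form + b"|" + utf16_form)

def _printable(raw):
    # Drop NULs so UTF-16 neighbours read as text; keep the rest as Latin-1.
    return raw.decode("latin-1").replace("\x00", "")

def keyword_hits(image, keywords, context=CONTEXT):
    """Return every hit with byte offset, detected encoding and surrounding bytes,
    so each can be judged in context as a true match or a false positive."""
    hits = []
    for kw in keywords:
        for m in build_pattern(kw).finditer(image):
            start, end = m.span()
            encoding = "utf-16-le" if b"\x00" in m.group(0) else "ascii"
            hits.append({
                "keyword": kw,
                "offset": start,
                "encoding": encoding,
                "before": _printable(image[max(0, start - context):start]),
                "after": _printable(image[end:end + context]),
            })
    return sorted(hits, key=lambda h: h["offset"])

if __name__ == "__main__":
    for h in keyword_hits(SAMPLE_IMAGE, KEYWORDS):
        print(f"{h['offset']:6d} {h['encoding']:9s} ...{h['before']}[{h['keyword']}]{h['after']}...")
```

The last hit is the kind of false positive the text warns about: the phrase is present, but its context shows it is unrelated to the complaint.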

File Recovery

As part of the examination, data might be found in file fragments or file slack. To examine this data in context, it is often necessary to recover the deleted files. Most of the forensics suites described in this chapter provide a recovery capability. File recovery is often a hit-or-miss proposition, however. File header information, which might contain vital data, might be missing. For example, the text of a word processing document could be recovered in its entirety, but the header information that contains data such as the name of the creator and "Undo" information might be unavailable.

Image files are especially difficult to reconstruct because they are often highly compressed. Fragments missing from image files might make it impossible to decode the compression and view the file.

In any case, viewing the recovered file can provide a clearer picture of the evidence, along with surrounding data. Some of the forensics tools can provide date and time information for deleted files, including a created, modified, and deleted date (which might be useful in establishing a pattern during the investigation).
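A small header/footer carver for JPEG images, as an added illustration of why image recovery is hit or miss; it is not from the book. It pairs each start-of-image marker with the next end-of-image marker and labels the candidate complete or truncated, so the examiner knows in advance which recovered fragments a viewer can be expected to open. The unallocated-space sample and the two JPEG-shaped byte strings are constructed for the demonstration.

```python
import struct

# Constructed unallocated-space sample (not real evidence): one complete JPEG-shaped
# file, unrelated bytes, and a second one whose tail (including the footer) was overwritten.
JPEG_SOI = b"\xff\xd8\xff"   # start of image, followed by the first marker byte
JPEG_EOI = b"\xff\xd9"       # end of image

def _fake_jpeg(payload):
    # SOI, a 16-byte JFIF APP0 segment, payload, EOI. Not a decodable picture;
    # it only has the marker structure that carving relies on.
    app0 = (b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00"
            + b"\x01\x01\x00" + b"\x00\x01\x00\x01\x00\x00")
    return b"\xff\xd8" + app0 + payload + JPEG_EOI

COMPLETE = _fake_jpeg(b"A" * 40)
TRUNCATED = _fake_jpeg(b"B" * 40)[:-12]        # footer and last 10 data bytes lost
SAMPLE_SPACE = b"\x00" * 7 + COMPLETE + b"junk bytes" + TRUNCATED + b"\x00" * 5

def carve_jpegs(data, max_len=10 * 1024 * 1024):
    """Find SOI markers and pair each with the next EOI. A candidate with no EOI
    before the next SOI (or the end of the data) is reported as truncated; its
    real end is unknown, so the bytes up to that boundary are kept for review."""
    results = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        # Caveat: FF D8 FF also occurs inside JPEGs with embedded thumbnails, so this
        # boundary heuristic can split real files; forensic suites validate markers.
        next_hdr = data.find(JPEG_SOI, start + 3)
        limit = len(data) if next_hdr == -1 else next_hdr
        end = data.find(JPEG_EOI, start + 3, min(limit, start + max_len))
        if end == -1:
            results.append({"offset": start, "length": limit - start,
                            "status": "truncated", "data": data[start:limit]})
            pos = limit
        else:
            results.append({"offset": start, "length": end + 2 - start,
                            "status": "complete", "data": data[start:end + 2]})
            pos = end + 2
    return results

if __name__ == "__main__":
    for r in carve_jpegs(SAMPLE_SPACE):
        print(f"offset {r['offset']:5d}  length {r['length']:5d}  {r['status']}")
```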

Operating System Files

Certain operating system files might contain crucial evidence. The Windows Registry, for example, might contain information such as recently accessed files, system usernames and passwords, and network connections. Some files can be viewed or examined on other systems. For example, Windows NT stores some logging information in event log files with an .evt extension. Any NT machine can open and examine those files.

Other information, however, is not so readily accessible. The Registry is the best example of this. Much of the information in the Windows Registry cannot be accessed unless the operating system is running. In this case, it is necessary to restore the entire evidence drive to a backup copy and then use this copy to boot up a machine for examination. This copy will be irreversibly altered by the boot process. However, the investigator should be able to demonstrate empirically that the copy produces the same Registry information every time and that the specific data recovered is not modified by the boot and examination process.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
