Module LXIII - Forensic Frameworks
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Forensics Framework
Provides Savings for Police
Source: http://www.npia.police.uk/
Module Objective
This module will familiarize you with:
• What is Forensics Framework?
• Fundamental Principles in Digital Forensics Investigation Procedures
• FORZA Framework
• FORZA Framework Layers
• An Event-Based Digital Forensic Investigation Framework
• Digital Analysis Types
• Enhanced Digital Investigation Process Model
• Phases of Enhanced Digital Investigation Process Model
• An Extended Model of Cybercrime Investigations
• Activities in Cybercrime Investigations
• Computer Forensics Field Triage Process Model
• Computer Forensics Field Triage Process Model Phases
• Objectives-Based Framework for the Digital Investigations Process
• Proposed Digital Investigation Process
• Objectives-Based Framework Phases
Module Flow
• What is Forensics Framework?
• Fundamental Principles in Digital Forensics Investigation Procedures
• FORZA Framework
• FORZA Framework Layers
• An Event-Based Digital Forensic Investigation Framework
• Digital Analysis Types
• Enhanced Digital Investigation Process Model
• Phases of Enhanced Digital Investigation Process Model
• An Extended Model of Cybercrime Investigations
• Activities in Cybercrime Investigations
• Computer Forensics Field Triage Process Model
• Computer Forensics Field Triage Process Model Phases
• Objectives-Based Framework for the Digital Investigations Process
• Proposed Digital Investigation Process
• Objectives-Based Framework Phases
FORZA Framework
What is Forensics Framework?
A forensics framework is a digital forensics investigation procedure developed by the investigating personnel or by a particular organization
Many organizations have developed their own frameworks; some focus on the technology aspects of data acquisition, and some focus on the data analysis portion of the investigation
Fundamental Principles in Digital
Forensics Investigation Procedures
Digital forensics investigation is a process to determine and relate the extracted information and digital evidence in order to establish factual information for judicial review
Digital forensics investigation has a core set of principles that enables practitioners to see the underlying concept shared across different digital forensics investigation procedures
Fundamental principles:
• Reconnaissance
• Reliability
• Relevancy
FORZA Framework
FORZA framework depends on the participants in the organization
In a typical digital forensics investigation process, system owners, digital forensics
investigators, and legal practitioners are expected to be involved
FORZA framework participants:
• Case leader
• System/business owner
• Legal advisor
• Security/system architect/auditor
• Digital forensics specialist
• Digital forensics investigator/system administrator/operator
• Digital forensics analyst
• Legal prosecutor
Source: http://www.dfrws.org/
Roles and Responsibilities of Participants in
Digital Forensics Investigation Procedures
Case leader:
• The case leader is the planner and orchestrator of the entire digital investigation process
System/business owner:
• The system/business owner is the owner of the system being inspected
• He/she is usually the victim and sponsor of the case
Legal advisor:
• The legal advisor is the first legal practitioner the case leader would seek for legal advice
• He/she would advise the case leader whether it is appropriate to proceed further with legal disputes
Security/system architect:
• The case leader explores and understands more about the system and security design of the system to be inspected from the security/system architect
Roles and Responsibilities of Participants in Digital
Forensics Investigation Procedures (cont’d)
Digital forensics specialist:
• Digital forensics specialists should reconsider all the inputs and requirements from the legal advice to plan the entire investigation strategy
Digital forensics investigator/system administrator/operator:
• The digital forensics investigator collects, extracts, preserves, and stores the digital evidence from the systems
Digital forensics analyst:
• The digital forensics analyst extracts relevant data and analyzes it against the hypothetical model proposed for the investigation
Legal prosecutor:
• The legal prosecutor advises the case leader whether the collected evidence is sufficient, relevant, admissible, and favorable, and to which party
Process Flow in FORZA
Framework
• Case Leader (Contextual Investigation Layer)
• System Owner (if any) (Contextual Layer)
• Legal Advisor (Legal Advisor Layer)
• Security/System Architect/Auditor (Conceptual Security Layer)
• Digital Forensics Specialists (Technical Preparation Layer)
• Forensics Investigators/System Administrator/Operator (Data Acquisition Layer)
• Forensics Investigators/Forensics Analysts (Data Analysis Layer)
• Legal Prosecutor (Legal Presentation Layer)
High-level View of FORZA
Framework
FORZA Framework Layers
FORZA Framework layers are interconnected to each other through sets of six categories of questions, namely:
• What (the data attributes)
• Why (the motivation)
• How (the procedures)
• Who (the people)
• Where (the location)
• When (the time)
FORZA Framework layers are:
• Contextual investigation layer
• Contextual layer
• Legal advisory layer
• Conceptual security layer
• Technical presentation layer
• Data acquisition layer
• Data analysis layer
• Legal presentation layer
Contextual Investigation Layer
Case leader (such as the law enforcement team for criminal investigation)
after receiving the report of the case would:
• Determine the motivation (Why) of the case
• Identify the involved parties (Who)
• Confirm the time of the incident (When)
• Verify the location of the case (Where)
• Determine the reported event nature (What)
• Plan the next step procedure (How)
Contextual Layer
The case leader seeks input from the system owner or his representative
He/she would have to interview the system owner and the person who reported the case to:
• Understand the business nature of the company and the business objectives (Why) of the affected system
• Determine the business and event nature (What)
• Confirm the business and system process model (How)
• Explore the business geography (Where)
• Determine the business and incident timeline (When)
• Understand the organization and the participants’ relationships (Who)
Legal Advisory Layer
After understanding the background of the case, the case leader should seek a legal adviser to determine:
• The legal objectives (Why) of the case
• Legal background and preliminary issues (What) of the case
• Legal geography and jurisdiction (Where)
• Legal entities and participants (Who) of the case
• Legal timeframe (When) of the case
• Legal procedures for further investigation (How) of the case
Conceptual Security Layer
After seeking legal advice, the case leader would explore and understand the design of the information system and the relevant security controls, with the technical staff recommended by the system owner
The case leader would:
• Explore the system/security control objectives (Why) that have been implemented to protect against external attacks
• Understand the system’s information and security control model (What)
• Collect details of the implemented security mechanisms (How)
• Explore the security domain and network infrastructure (Where)
• Determine the user and security entity model (Who)
• Determine the security timing and sequencing (When)
Technical Presentation Layer
The case leader could assign relevant digital forensics specialists to plan before the on-site investigation
The Digital Forensics Specialists should:
• Understand the objective and plan the relevant forensics investigation strategy
objectives (Why)
• Determine the forensics data model (What)
• Explore geography location within the forensics data model (Where)
• Draft the entity lists for the forensics entity model (Who)
• Propose a hypothetical forensics event timeline (When)
• Define the forensics strategy (How)
Data Acquisition Layer
Based on the strategies and tasks outlined by the digital forensics specialists, forensics investigators, system administrators, or operators follow the outlined procedures strictly
The investigators should:
• Understand the forensics acquisition objectives (Why) assigned by the forensics specialists
• Perform on-site forensics data observation (What)
• Interview the participants and witnesses identified (Who)
• Perform forensics acquisition and seizure procedures (How)
• Perform site network forensics data acquisition (Where)
• Keep the forensics acquisition timeline and chain of custody (When)
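The (How) and (When) items above, acquisition procedure and chain of custody, are where an investigator's record must later survive challenge in court. The following is an added example, not part of the EC-Council module or of any tool it cites: a minimal append-only chain-of-custody log that hashes the acquired image at seizure and re-hashes it at every hand-off, so that a single altered byte or a backdated entry is detected. The evidence bytes, item identifier, custodian names and timestamps are all constructed for the example.

```python
"""Chain-of-custody log with integrity verification.

Added example for the Data Acquisition Layer; it is not part of the EC-Council
module. It assumes the acquired evidence is available as bytes (a forensic
image) and that every hand-off re-hashes the image so that any alteration
between custodians is detected. The image below is constructed sample data.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an acquired disk image (not real evidence).
EVIDENCE_IMAGE = b"\x00" * 512 + b"NTFS    " + bytes(range(256)) * 16


def sha256_hex(data: bytes) -> str:
    """Hash the evidence; the hash taken at acquisition is the reference value."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only custody record for one evidence item.

    Each entry records when the evidence changed hands, who received it,
    the hash computed on receipt, and whether that hash still matches the
    hash taken at acquisition.
    """

    def __init__(self, item_id: str, acquired_by: str, image: bytes,
                 when: datetime) -> None:
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(image)
        self.entries = [{
            "when": when,
            "custodian": acquired_by,
            "action": "acquired",
            "sha256": self.acquisition_hash,
            "matches_acquisition": True,
        }]

    def transfer(self, to: str, image_as_received: bytes,
                 when: datetime) -> bool:
        """Record a hand-off. Returns True if the received image is unchanged."""
        # The custody timeline must be monotonic: a backdated entry would
        # make the record unreliable as a (When) account of the evidence.
        if when < self.entries[-1]["when"]:
            raise ValueError("custody event predates the previous entry")
        digest = sha256_hex(image_as_received)
        matches = digest == self.acquisition_hash
        self.entries.append({
            "when": when,
            "custodian": to,
            "action": "transferred",
            "sha256": digest,
            "matches_acquisition": matches,
        })
        return matches

    def is_intact(self) -> bool:
        """True only if every custodian received an unaltered image."""
        return all(e["matches_acquisition"] for e in self.entries)

    def report(self) -> list:
        """Human-readable custody timeline, one line per entry."""
        return [f'{e["when"].isoformat()} {e["action"]:<11} {e["custodian"]:<16} '
                f'{e["sha256"][:16]}... '
                f'{"OK" if e["matches_acquisition"] else "MISMATCH"}'
                for e in self.entries]


def run_demo() -> tuple:
    """Acquire, hand over intact, then hand over an altered copy."""
    t0 = datetime(2023, 3, 3, 10, 0, tzinfo=timezone.utc)  # constructed time
    coc = ChainOfCustody("EV-2023-001", "investigator A", EVIDENCE_IMAGE, t0)
    ok_first = coc.transfer("lab analyst B", EVIDENCE_IMAGE,
                            t0 + timedelta(hours=3))
    # Simulate a single flipped bit somewhere in transit.
    altered = EVIDENCE_IMAGE[:-1] + bytes([EVIDENCE_IMAGE[-1] ^ 0x01])
    ok_second = coc.transfer("lab analyst C", altered, t0 + timedelta(hours=5))
    return ok_first, ok_second, coc.is_intact(), len(coc.entries)


def backdated_transfer_is_rejected() -> bool:
    """A transfer timestamped before the last entry must be refused."""
    t0 = datetime(2023, 3, 3, 10, 0, tzinfo=timezone.utc)
    coc = ChainOfCustody("EV-2023-002", "investigator A", EVIDENCE_IMAGE, t0)
    try:
        coc.transfer("lab analyst B", EVIDENCE_IMAGE, t0 - timedelta(hours=1))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ok_first, ok_second, intact, _ = run_demo()
    print("first transfer ok:", ok_first, "| second transfer ok:", ok_second,
          "| chain intact:", intact)
```

In practice the hash is computed on the write-blocked source at seizure and again on every copy handed to the lab; the point of the example is that the acquisition hash, not the most recent one, is the reference, so a mismatch pins down the hand-off at which the evidence stopped being the thing that was seized.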
Data Analysis Layer
After the necessary data has been collected and transported to the digital forensics laboratory for further analysis and investigation, digital forensics analysts would have to extract the relevant information and review it according to the hypothetical model
Digital forensics analysts would have to:
• Extract information that is critical for proving the case and that matches the forensics examination objectives (Why)
• Reconstruct the event data based on the extracted data (What)
• Extract network information (Where)
• Extract entity and account information, and rebuild the relationship linkage (Who)
• Analyze the extracted data based on forensics analysis procedures (How)
• Reconstruct the event timeline (When) of the hacking activity
Legal Presentation Layer
After extracting and analyzing the information collected from the victim, together with the IP address information from the network service providers, the legal prosecutor has to discuss with the case leader and the system owner:
• Legal Presentation Objectives (Why)
• Legal Presentation Attributes (What)
• Legal Presentation Procedures (How)
• Legal Jurisdiction Location (Where)
• Entities in Litigation Procedures (Who)
• Timeline of entire event for Presentation (When)
An Event-Based Digital Forensic
Investigation Framework
Event-based Framework
Event-based framework is used to develop hypotheses and answer questions
about an incident or crime
Hypotheses are developed by collecting objects that may have played a role in
an event that was related to the incident
Once the objects are collected as evidence, the investigator can develop
hypotheses about previous events at the crime scene
Source: http://www.digital-evidence.org/
Digital Analysis Types
A digital investigation may encounter many formats of digital data and
therefore several types of analysis exist
Common digital analysis types include:
• Media Analysis
• Media Management Analysis
• File System Analysis
• Application Analysis
• Network Analysis
• Operating System Analysis
• Executable Analysis
• Image Analysis
• Video Analysis
Digital Investigation Process
Model
This model is based on the phases that are documented for investigating physical crime scenes:
• Readiness Phases
• Deployment Phases
• Physical Crime Scene Investigation Phases
• Digital Crime Scene Investigation Phases
• Presentation Phase
Digital Investigation Process
Model (cont’d)
Phase 1: Readiness Phases
• Readiness phase includes the operations readiness phase that trains the appropriate
people and tests the tools that will be used to investigate a system
Phase 2: Deployment Phases
• Deployment phase includes the detection and notification phase where the incident is
detected by the victim or another party and the investigators are alerted
• It also includes the confirmation and authorization phase where the investigators
receive authorization to conduct the investigation
Phase 3: Physical Crime Scene Investigation Phases
• Physical Crime Scene Investigation Phases include the search for physical evidence
and the reconstruction of physical events
Digital Investigation Process
Model (cont’d)
Phase 4: Digital Crime Scene Investigation Phases
• Digital Crime Scene Investigation Phases include three sub-phases:
• Digital crime scene preservation and documentation
• Digital Evidence searching and documentation phase
• Digital evidence reconstruction and documentation
Phase 5: Presentation Phase
• The result must be presented to either a corporate audience or a court of law
Digital Crime Scene Investigation
Phases
Sub phase 1: Digital crime scene preservation and documentation
• This phase occurs when the first responder arrives at the scene and assists the
wounded, detains suspects, and limits the amount of unofficial traffic in the area
• The crime scene is documented through video, photography, and sketches
Digital Crime Scene Investigation Phases:
• System Preservation and Documentation Phase
• Evidence Searching and Documentation Phase
• Event Reconstruction and Documentation Phase
Digital Crime Scene Investigation
Phases (cont’d)
Sub phase 2: Digital evidence searching and documentation
Digital Crime Scene Investigation
Phases (cont’d)
Sub phase 3: Digital Event Reconstruction and Documentation
An Event-Based Digital
Forensic Investigation
Framework
FORZA Framework
Enhanced Digital Investigation
Process Model
Objectives-Based Framework
for the Digital Investigations
Process
An Extended Model of
Cybercrime Investigations
Computer Forensics Field
Triage Process Model
Enhanced Digital Investigation
Process Model
Enhanced Digital Investigation Process Model is based on the Integrated Digital
Investigation Model
Phases of the Integrated Digital Investigation Model (IDIP):
• Readiness Phases
• Deployment Phases
• Physical Crime Scene Investigation Phases
• Digital Crime Scene Investigation Phases
• Review Phase
Source: http://www.dfrws.org/
Physical Crime Scene Investigation
Physical crime scene investigation includes five phases:
Preservation phase:
• Preserves the crime scene so that evidence can be later identified and collected by personnel trained in digital evidence identification
Survey phase:
• Identifies the pieces of physical evidence, determines the extent of the search, identifies potential evidence
Documentation phase:
• Takes photographs, sketches, and videos of the crime scene and the physical evidence
Search and collection phase:
• Performs in-depth search
Presentation phase:
• Transports identified electronic evidence to the digital investigation team
Digital Crime Scene Investigation
Digital crime scene investigation includes four phases:
Preservation phase:
• Preserves the digital crime scene so that evidence can be later synchronized and analyzed for further evidence
Survey phase:
• Identifies and separates potentially useful data from the imaged dataset
Search and collection phase:
• Performs in-depth analysis of the digital evidence
Documentation phase:
• Properly documents the digital evidence when it is found
Phases of Enhanced Digital
Investigation Process Model
• Readiness Phases
• Deployment Phases
• Traceback Phases
• Dynamite Phases
• Review Phase
Phases of Enhanced Digital
Investigation Process Model (cont’d)
Phase 1: Readiness phases:
• Readiness phases ensure that the operations and infrastructure are able to fully
support an investigation
• It includes two phases:
• Operations Readiness phase
• Infrastructure readiness phase
Phase 2: Deployment phases:
• The deployment phases provide a mechanism for an incident to be detected and
confirmed
• It consists of five phases:
• Detection and Notification phase
• Physical Crime Scene Investigation
• Digital crime scene investigation phase
• Confirmation phase
• Submission phase
Phases of Enhanced Digital
Investigation Process Model (cont’d)
Phase 3: Traceback phases:
• Within these phases, the perpetrator’s physical crime scene of operation is tracked
down leading to identification of the devices that were used to perform the act
Phase 4: Dynamite phases:
• In these phases, analysis is performed on the items found from the crime scene to
obtain further evidence
• It includes the following phases:
• Physical crime scene investigation phase
• Digital crime scene investigation phase
• Reconstruction phase
• Communication phase
Phase 5: Review phase:
• The whole investigation is reviewed and areas of improvement identified
Extended Model of
Cybercrime Investigations
An extended model of cybercrime investigations provides a common reference
framework for discussion and for the development of terminology
It provides a unified structure for case studies/lessons learned materials to be
shared among investigators, and for the development of standards,
conformance testing, and investigative best practices
Source: http://www.utica.edu/
Extended Model of Cybercrime
Investigations
Activities in Cybercrime
Investigations
Awareness:
• Awareness is typically created by events external to the organization which will carry out the investigation
• It allows the relationship with the events requiring investigation to be made clear
Authorization:
• Authorization is required to carry out the investigation
• It requires interaction with both external and internal entities to obtain the necessary authorization
Planning:
• The planning activity is strongly influenced by information from both inside and outside the investigating organization
Activities in Cybercrime
Investigations (cont’d)
Notification:
• Notification refers to informing the subject of an investigation or other concerned parties that the investigation is taking place
Search and identification of evidence:
• This activity deals with locating the evidence and identifying what should be the next activity
Collection of evidence:
• Collection is the activity in which the investigating organization takes possession of the evidence in a form which can be preserved and analyzed
Transport of evidence:
• Transport evidence to a suitable location for later examination
• Transmission of data through networks
Activities in Cybercrime
Investigations (cont’d)
Storage:
• The collected evidence needs to be stored because examination cannot take place immediately
Examination:
• Examination of the evidence will involve the use of a potentially large number of techniques to find and interpret significant data
Hypothesis:
• Based on the examination of the evidence, the investigators must construct a hypothesis of what occurred
• The degree of formality of this hypothesis depends on the type of investigation
Activities in Cybercrime
Investigations (cont’d)
Presentation:
• The hypothesis must be presented to persons other than the investigators
Proof/Defense:
• In general, the hypothesis will not go unchallenged; a contrary hypothesis and supporting evidence will be placed before a jury
Dissemination:
• The final activity in the model is the dissemination of information from the investigation
• Some information may be made available only within the investigating organization, while other information may be more widely disseminated
Computer Forensics Field
Triage Process Model
The traditional cyber forensics approach of seizing a system(s)/media, transporting it to
the lab, making a forensic image(s), and then searching the entire system for potential
evidence, is no longer appropriate in some circumstances
In cases such as child abductions, pedophiles, missing or exploited persons, time is of the
essence
The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field
approach for providing the identification, analysis, and interpretation of digital evidence in
a short time frame, without the requirement of having to take the system(s)/media back to
the lab for an in-depth examination or acquiring a complete forensic image(s)
Source: http://www.digitalforensics-conference.org/
Computer Forensics Field
Triage Process Model (cont’d)
The computer forensics field triage process model (CFFTPM) is defined as:
• Those investigative processes that are conducted within the first few hours of an
investigation and provide information used during the suspect interview and search
execution phase
The focus of the model is to:
• Find useable evidence immediately
• Identify victims at acute risk
• Guide the ongoing investigation
• Identify potential charges
• Accurately assess the offender’s danger to society
Computer Forensics Field Triage
Process Model
• Planning
• Triage
• At Scene:
  • User Usage Profiles: Home Directory, File Properties, Registry
  • Chronology Timeline
  • Internet: Browser Artifacts, Email, IM
  • Case Specific
Computer Forensics Field Triage
Process Model Phases
Planning:
• The lead investigator will have a matrix that quantifies the various possibilities of the crime scene, the suspect, and the digital evidence, and qualifies the expertise of the various investigators on the investigation team
• It is used to define what is known and what is not known, thus aiding in determining what is wanted to be known
Triage:
• A process in which things are ranked in terms of importance or priority
Computer Forensics Field Triage
Process Model Phases (cont’d)
Usage/User Profiles:
• When compelling evidence is found on the digital media, it is essential to
show a link between that evidence and a specific, identifiable suspect
• User profile is a collection of files, folders, registry keys, and file properties
that are exclusively associated with a unique user account
• Digital evidence is found by examining the:
• Home Directory
• File Properties (security)
• Registry
Computer Forensics Field Triage
Process Model Phases (cont’d)
Chronology/Timeline:
• The chronological scope of the investigation can be defined by the case
intelligence
• For the CFFTPM, several quantifications should be examined by sorting
the files on their various MAC times within the chronological scope of the
investigation such as:
• Time periods of normal use by the suspect and other known users of the computer
or device
• Identification and analysis of software applications and data files used or accessed
during qualified times of interest
• Identification and analysis of recent shortcuts and stored information
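The three chronology checks listed above (periods of normal use, files used during qualified times of interest, recent shortcuts) are all queries over one sorted MAC-time listing, which is also the basis of the Data Analysis Layer's "reconstruct the event timeline (When)" task. The following added example, written for this page and not taken from the EC-Council module or from any tool it names, builds that listing from constructed per-file records, restricts it to the chronological scope, and answers each of the three questions. The file paths, account names and timestamps are constructed sample data; the record layout (path, owner, mtime, atime, ctime) is an assumption chosen to resemble the body-file listings that timeline tools such as The Sleuth Kit's fls/mactime produce.

```python
"""MAC-time chronology for field triage.

Added example for the Chronology/Timeline phase (and the Data Analysis
Layer's timeline reconstruction); it is not part of the EC-Council module.
It assumes file metadata has already been collected into records of
(path, owner, mtime, atime, ctime) in UTC; the records below are constructed
sample data.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records: path, owning account, modified, accessed, changed.
RECORDS = [
    ("C:/Users/alice/Documents/report.docx", "alice",
     "2023-03-02T09:15:00Z", "2023-03-02T17:40:00Z", "2023-03-02T09:15:00Z"),
    ("C:/Users/alice/AppData/Roaming/Microsoft/Windows/Recent/report.lnk", "alice",
     "2023-03-02T17:40:00Z", "2023-03-02T17:40:00Z", "2023-03-02T17:40:00Z"),
    ("C:/Users/alice/Downloads/photos.zip", "alice",
     "2023-03-03T02:10:00Z", "2023-03-03T02:12:00Z", "2023-03-03T02:10:00Z"),
    ("C:/Users/bob/Desktop/notes.txt", "bob",
     "2023-03-01T13:00:00Z", "2023-03-01T13:05:00Z", "2023-03-01T13:00:00Z"),
    ("C:/Program Files/Tool/tool.exe", "SYSTEM",
     "2022-11-20T08:00:00Z", "2023-03-03T02:11:00Z", "2022-11-20T08:00:00Z"),
]


def parse_ts(text: str) -> datetime:
    """ISO 8601 'Z' timestamp -> timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(records) -> list:
    """One event per (file, timestamp kind), sorted chronologically.

    Each event is (time, kind, path, owner) with kind in {'m', 'a', 'c'}.
    """
    events = []
    for path, owner, mtime, atime, ctime in records:
        for kind, stamp in (("m", mtime), ("a", atime), ("c", ctime)):
            events.append((parse_ts(stamp), kind, path, owner))
    events.sort()
    return events


def within_scope(events, start: datetime, end: datetime) -> list:
    """Keep only events inside the chronological scope set by case intelligence."""
    return [e for e in events if start <= e[0] <= end]


def usage_hours(events, owner: str) -> Counter:
    """Hour-of-day histogram for one account: its periods of normal use."""
    return Counter(e[0].hour for e in events if e[3] == owner)


def files_touched(events, start: datetime, end: datetime) -> list:
    """Files with any MAC activity in a qualified time of interest, first-seen order."""
    seen = []
    for stamp, _kind, path, _owner in events:
        if start <= stamp <= end and path not in seen:
            seen.append(path)
    return seen


def recent_shortcuts(events) -> list:
    """Windows .lnk files (recent-items shortcuts) present in the scoped timeline."""
    return sorted({path for _s, _k, path, _o in events if path.lower().endswith(".lnk")})


def triage_report(records, scope_start: str, scope_end: str,
                  window_start: str, window_end: str) -> dict:
    """Run the three chronology checks the model lists and return their results."""
    scoped = within_scope(build_timeline(records),
                          parse_ts(scope_start), parse_ts(scope_end))
    owners = sorted({e[3] for e in scoped})
    return {
        "events_in_scope": len(scoped),
        "usage_hours": {o: dict(usage_hours(scoped, o)) for o in owners},
        "files_in_window": files_touched(scoped, parse_ts(window_start),
                                         parse_ts(window_end)),
        "recent_shortcuts": recent_shortcuts(scoped),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_report(RECORDS,
                                   "2023-03-01T00:00:00Z", "2023-03-04T00:00:00Z",
                                   "2023-03-03T02:00:00Z", "2023-03-03T03:00:00Z"),
                     indent=2))
```

On the constructed data the histogram shows alice's normal use clustered at 09:00 and 17:00, with an outlier cluster at 02:00; querying that 02:00 to 03:00 window returns the archive she downloaded and an executable under Program Files whose access time falls in the same window, which is exactly the kind of correlation the at-scene examiner wants before the suspect interview. Note that the scope filter drops tool.exe's 2022 modification and change times, so the report shows it only as accessed, not installed, inside the scope.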
Computer Forensics Field Triage
Process Model Phases (cont’d)
Internet:
• An effective practice is for the computer forensic examiner to evaluate
what type of Internet activities they believe the suspect (or victim) was
involved in, and to evaluate if and how each of those activities relate to
the case
• Types of activities include:
• Web browsing
• E-mail
• Instant messaging
• Reading or posting to USENET newsgroups
• Trading files
Computer Forensics Field Triage
Process Model Phases (cont’d)
Case Specific Evidence:
• It is important for the computer forensic examiner to adjust the focus of every examination to the specifics of that case
• A computer forensic examiner should be able to evaluate time resources, utilize pre-raid intelligence, customize search goals, and prioritize search goals
Objectives-based Framework
Objectives-based framework for the digital investigations
process is based on higher ordered (first tier) phases, more
definitive sub-phases (second tier), objectives, and framework
principles
The proposed phases and sub-phases are objectives-based; they are distinct, discrete steps in the process that are usually a function of time and suggest a necessarily sequential approach
Phases and sub-phases are applicable to various layers of
abstraction and are used to analyze and translate data into
more manageable formats
Source: http://faculty.business.utsa.edu/
Proposed Digital Investigation
Process
• Single Tier Digital Investigations Process Framework
• Two-Tier Digital Investigations Process Framework
Objectives-Based Framework
Phases
Preparation phase:
• The preparation phase maximizes the availability and quality of digital evidence when needed, while minimizing the associated organizational and financial burden
• Preparation activities include:
• Develop an information retention plan
• Develop evidence preservation and handling procedures
Incident response phase:
• The incident response phase consists of the detection and initial, pre-investigation response to a suspected security incident
• The purpose of this phase is to detect, validate, assess, and determine a response strategy for the suspected security incident
Objectives-Based Framework
Phases (cont’d)
Data collection phase:
• The purpose of the data collection phase is to collect digital evidence in support of the response strategy and investigative plan
• Data collection activities include:
• Complete live response data collection, which began during the Incident Response Phase
• Obtain network-based and host-based evidence from applicable sources
Data analysis phase:
• The purpose of the data analysis phase is confirmatory analysis (to confirm or refute allegations of suspicious activity) and/or event reconstruction (to answer “who, what, where, when, why, and how” type questions)
• Data analysis activities include:
• Conduct an initial data survey to recognize obvious pieces of digital evidence and assess the skill level of the suspect(s)
• Examine, analyze, and reconstruct events from the data to answer critical investigative questions
Objectives-Based Framework
Phases (cont’d)
Presentation of findings phase:
• The purpose of the presentation of findings phase is to communicate relevant findings to a variety of audiences, including management, technical personnel, legal personnel, and law enforcement
Incident closure phase:
• The incident closure phase includes the following steps:
• Conduct a critical review of the entire process and investigation to identify and apply lessons learned
• Make and act upon decision(s) that result from the findings presentation phase
• Collect and preserve all information related to the incident
Summary
A forensics framework is a digital forensics investigation procedure developed by the investigating personnel or by a particular organization
FORZA framework layers are interconnected to each other through sets of six categories of questions
The event-based framework is used to develop hypotheses and answer questions about an incident or crime
An extended model of cybercrime investigations provides a common reference framework for discussion and for the development of terminology
The Objectives-Based Framework for the Digital Investigations Process is based on higher ordered (first tier) phases, more definitive sub-phases (second tier), objectives, and framework principles
File000176

  • 1. Module LXIII - Forensic Frameworks
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Forensics Framework Provides Savings for Police Source: http://www.npia.police.uk/
  • 3. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • What is Forensics Framework? • Fundamental Principles in Digital Forensics Investigation Procedures • FORZA Framework • FORZA Framework Layers • An Event-Based Digital Forensic Investigation Framework • Digital Analysis Types • Enhanced Digital Investigation Process Model • Phases of Enhanced Digital Investigation Process Model • An Extended Model of Cybercrime Investigations • Activities in Cybercrime Investigations • Computer Forensics Field Triage Process Model • Computer Forensics Field Triage Process Model Phases • Objectives-Based Framework for the Digital Investigations Process • Proposed Digital Investigation Process • Objectives-Based Framework Phases This module will familiarize you with:
  • 4. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Phases of Enhanced Digital Investigation Process Model Computer Forensics Field Triage Process Model Activities in Cybercrime Investigations Proposed Digital Investigation Process Objectives-Based Framework for the Digital Investigations Process Computer Forensics Field Triage Process Model Phases An Extended Model of Cybercrime Investigations Objectives-Based Framework Phases Fundamental Principles in Digital Forensics Investigation Procedures What is Forensics Framework? Enhanced Digital Investigation Process Model FORZA Framework Digital Analysis Types FORZA Framework Layers An Event-Based Digital Forensic Investigation Framework
  • 5. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited FORZA Framework
  • 6. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited What is Forensics Framework? Forensics framework is a digital forensics investigation procedure developed by the personnel or by the particular organization Many organizations developed their own framework, some focused on the technology aspects in data acquisition and some focused on data analysis portion of the investigation
  • 7. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Fundamental Principle in Digital Forensics Investigation Procedures • Reconnaissance • Reliability • Relevancy Fundamental principles: Digital Forensics Investigation is a process to determine and relate the extracted information and digital evidence to establish factual information for judicial review Digital forensics investigation have a core principle that enables the practitioners to view the underlying concept across different digital forensics investigation procedures Digital Forensics Reconnaissance ReliabilityRelevancy
  • 8. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited FORZA Framework FORZA framework depends on the participants in the organization In a typical digital forensics investigation process, system owners, digital forensics investigators, and legal practitioners are expected to be involved FORZA framework participants: • Case leader • System/business owner • Legal advisor • Security/system architect/auditor • Digital forensics specialist • Digital forensics investigator/system administrator/operator • Digital forensics analyst • Legal prosecutor Source: http://www.dfrws.org/
  • 9. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Roles and Responsibilities of Participants in Digital Forensics Investigation Procedures • The case leader is the planner and orchestrator of the entire digital investigation process Case leader • The system/business owner is the owner of the system being inspected • He/she is usually the victim and sponsor of the case System/business owner • Legal advisor is the first legal practitioner the case leader would seek for legal advice • He/she would advise the case leader whether it is applicable to proceed forward for legal disputes Legal advisor • Case leader explores and understands more about the system and security design of the system to be inspected from security/system architect Security/system architect
  • 10. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Roles and Responsibilities of Participants in Digital Forensics Investigation Procedures (cont’d) • Digital forensics specialists should reconsider all the inputs and requirements from legal advice to plan the entire investigation strategy Digital forensics specialist • Digital forensics investigator collects, extracts, preserves and stores the digital evidence from the systems Digital forensics investigator/system administrator/operator • Digital forensics analyst extracts relevant data, analyze them against the hypothetical model proposed for investigation Digital forensics analyst • Legal prosecutor advise the case leader whether the collected evidence is sufficient, relevant, admissible and favorable to which party Legal prosecutor
  • 11. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Process Flow in FORZA Framework Digital Forensics Specialists (Technical Preparation Layer) Forensics Investigators/ System Administration/ Operator (Data Acquisition Layer) Forensics Investigators/ Forensics Analysis (Data Analysis Layer) Legal Prosecutor (Legal Presentation Layer) Case Leader (Contextual Investigation Layer) System Owner (if any) (Contextual Layer) Security/ System Architect/ Auditor (Conceptual Security Layer) Legal Advisor (Legal Advisor Layer)
  • 12. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited High-level View of FORZA Framework
  • 13. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited FORZA Framework Layers • What (the data attributes) • Why (the motivation) • How (the procedures) • Who (the people) • Where (the location) • When (the time) FORZA Framework layers are interconnected to each other through sets of six categories of questions namely: • Contextual investigation layer • Contextual layer • Legal advisory layer • Conceptual security layer • Technical presentation layer • Data acquisition layer • Data analysis layer • Legal presentation layer FORZA Framework Layers are:
  • 14. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Contextual Investigation Layer Case leader (such as the law enforcement team for criminal investigation) after receiving the report of the case would: • Determine the motivation (Why) of the case • Identify the involved parties (Who) • Confirm the time of the incident (When) • Verify the location of the case (Where) • Determine the reported event nature (What) • Plan the next step procedure (How)
  • 15. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Contextual Layer The case leader seek input from the system owner or his representative He/she would have to perform an interview with the system owner and person who report the case to: • Understand the business nature of the company and the business objectives (Why) of the affected system • Determine the business and event nature (What) • Confirm business and system process model (How) • Explore the business geography (Where) • Determine the business and incident timeline (When) • Understand organization and participants’ relationship (Who)
  • 16. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Legal Advisory Layer • The legal objectives (Why) of the case • Legal background and preliminary issues (What) of the case • Legal geography and jurisdiction (Where) • Legal entities and participants (Who) of the case • Legal timeframe (When) of the case • Legal procedures for further investigation (How) of the case After understanding the background case, the case leader should seek legal adviser to determine:
  • 17. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Conceptual Security Layer • Explore the system/security control objectives (Why) that has been implemented to protect against external attacks • Understand the system’s information and security control model (What) • Collect the implemented security mechanisms details (How) • Explore the security domain and network infrastructure (Where) • Determine the user and security entity model (Who) • Determine the security timing and sequencing (When) The case leader would: After seeking legal advice, the case leader would explore and understand the design of the information system and the relevant security controls, from the system owner recommended technical staff
  • 18. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Technical Presentation Layer Case leader could assign relevant digital forensics specialists to plan before on-site investigation The Digital Forensics Specialists should: • Understand the objective and plan the relevant forensics investigation strategy objectives (Why) • Determine the forensics data model (What) • Explore geography location within the forensics data model (Where) • Draft the entity lists for the forensics entity model (Who) • Propose a hypothetical forensics event timeline (When) • Define the forensics strategy (How)
  • 19. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Acquisition Layer • Understand the Forensics Acquisition Objectives (Why) assigned by the forensics specialists • Perform on-site Forensics Data Observation (What) • Interview participants and witnesses identified (Who) • Perform Forensics Acquisition and Seizure Procedures (How) • Perform site network forensics data acquisition (Where) • Keep the forensics acquisition timeline and chain of custody (When) The investigators should: Based on the strategies and tasks outlined by the digital forensics specialists, forensics investigators, system administrators, or operators could follow the outline procedures strictly
  • 20. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Analysis Layer • Extract information that is critical for proving the case which matches the forensics examination objectives (Why) • Reconstruct the event data based on the extracted data (What) • Extract network information (Where) • Extract entity, accounts information, and rebuilding the relationship linkage (Who) • Analyze the extracted data based on forensics analysis procedures (How) • Reconstruct the event timeline (When) of the hacking activity Digital forensics analysts would have to: After collecting the necessary data being and transporting to the digital forensics laboratory for further analysis and investigation, digital forensics analysts would have to extract the relevant information and review them according to the hypothetical model
  • 21. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Legal Presentation Layer After extracting and analyzing the information collected from the victim, together with the IP address information from the network service providers, legal prosecutor has to discuss with the case leader and the system owner on: • Legal Presentation Objectives (Why) • Legal Presentation Attributes (What) • Legal Presentation Procedures (How) • Legal Jurisdiction Location (Where) • Entities in Litigation Procedures (Who) • Timeline of entire event for Presentation (When)
  • 22. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited An Event-Based Digital Forensic Investigation Framework
  • 23. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Event-based Framework Event-based framework is used to develop hypotheses and answer questions about an incident or crime Hypotheses are developed by collecting objects that may have played a role in an event that was related to the incident Once the objects are collected as evidence, the investigator can develop hypotheses about previous events at the crime scene Source: http://www.digital-evidence.org/
• 24. Digital Analysis Types
A digital investigation may encounter many formats of digital data, and therefore several types of analysis exist. Common digital analysis types include:
• Media Analysis
• Media Management Analysis
• File System Analysis
• Application Analysis
• Network Analysis
• Operating System Analysis
• Executable Analysis
• Image Analysis
• Video Analysis
• 25. Digital Investigation Process Model
This model is based on the phases that are documented for investigating physical crime scenes. Its phases are:
• Readiness Phases
• Deployment Phases
• Physical Crime Scene Investigation Phases
• Digital Crime Scene Investigation Phases
• Presentation Phase
• 26. Digital Investigation Process Model (cont’d)
Phase 1: Readiness Phases
• The readiness phases include the operations readiness phase, which trains the appropriate people and tests the tools that will be used to investigate a system
Phase 2: Deployment Phases
• The deployment phases include the detection and notification phase, where the incident is detected by the victim or another party and the investigators are alerted
• They also include the confirmation and authorization phase, where the investigators receive authorization to conduct the investigation
Phase 3: Physical Crime Scene Investigation Phases
• The physical crime scene investigation phases include the search for physical evidence and the reconstruction of physical events
• 27. Digital Investigation Process Model (cont’d)
Phase 4: Digital Crime Scene Investigation Phases
• The digital crime scene investigation phases include three sub-phases:
• Digital crime scene preservation and documentation
• Digital evidence searching and documentation
• Digital evidence reconstruction and documentation
Phase 5: Presentation Phase
• The result must be presented to either a corporate audience or a court of law
• 28. Digital Crime Scene Investigation Phases
Sub-phase 1: Digital crime scene preservation and documentation
• This phase occurs when the first responder arrives at the scene and assists the wounded, detains suspects, and limits the amount of unofficial traffic in the area
• The crime scene is documented through video, photography, and sketches
[Diagram: Digital Crime Scene Investigation Phases: System Preservation and Documentation Phase; Evidence Searching and Documentation Phase; Event Reconstruction and Documentation Phase]
• 29. Digital Crime Scene Investigation Phases (cont’d)
Sub-phase 2: Digital evidence searching and documentation
• 30. Digital Crime Scene Investigation Phases (cont’d)
Sub-phase 3: Digital event reconstruction and documentation
• 31. Enhanced Digital Investigation Process Model
• 32. Enhanced Digital Investigation Process Model
The Enhanced Digital Investigation Process Model is based on the Integrated Digital Investigation Model. Phases of the Integrated Digital Investigation Model (IDIP):
• Readiness Phases
• Deployment Phases
• Physical Crime Scene Investigation Phases
• Digital Crime Scene Investigation Phases
• Review Phase
Source: http://www.dfrws.org/
• 33. Physical Crime Scene Investigation
Physical crime scene investigation includes five phases:
• Preservation phase: Preserves the crime scene so that evidence can later be identified and collected by personnel trained in digital evidence identification
• Survey phase: Identifies the pieces of physical evidence, determines the extent of the search, and identifies potential evidence
• Documentation phase: Takes photographs, sketches, and videos of the crime scene and the physical evidence
• Search and collection phase: Performs an in-depth search
• Presentation phase: Transports identified electronic evidence to the digital investigation team
• 34. Digital Crime Scene Investigation
Digital crime scene investigation includes four phases:
• Preservation phase: Preserves the digital crime scene so that evidence can later be synchronized and analyzed for further evidence
• Survey phase: Identifies and separates potentially useful data from the imaged dataset
• Search and collection phase: Performs in-depth analysis of the digital evidence
• Documentation phase: Properly documents the digital evidence when it is found
• 35. Phases of Enhanced Digital Investigation Process Model
• Readiness Phases
• Deployment Phases
• Traceback Phases
• Dynamite Phases
• Review Phase
• 36. Phases of Enhanced Digital Investigation Process Model (cont’d)
Phase 1: Readiness phases
• The readiness phases ensure that the operations and infrastructure are able to fully support an investigation
• They include two phases:
• Operations readiness phase
• Infrastructure readiness phase
Phase 2: Deployment phases
• The deployment phases provide a mechanism for an incident to be detected and confirmed
• They consist of five phases:
• Detection and notification phase
• Physical crime scene investigation phase
• Digital crime scene investigation phase
• Confirmation phase
• Submission phase
• 37. Phases of Enhanced Digital Investigation Process Model (cont’d)
Phase 3: Traceback phases
• Within these phases, the perpetrator’s physical crime scene of operation is tracked down, leading to identification of the devices that were used to perform the act
Phase 4: Dynamite phases
• In these phases, analysis is performed on the items found at the crime scene to obtain further evidence
• They include the following phases:
• Physical crime scene investigation phase
• Digital crime scene investigation phase
• Reconstruction phase
• Communication phase
Phase 5: Review phase
• The whole investigation is reviewed and areas of improvement are identified
• 38. An Extended Model of Cybercrime Investigations
• 39. Extended Model of Cybercrime Investigations
An extended model of cybercrime investigations provides a common reference framework for discussion and for the development of terminology.
It provides a unified structure for case studies and lessons-learned materials to be shared among investigators, and for the development of standards, conformance testing, and investigative best practices.
Source: http://www.utica.edu/
• 40. Extended Model of Cybercrime Investigations
• 41. Activities in Cybercrime Investigations
Awareness:
• Awareness is typically created by events external to the organization that will carry out the investigation
• It allows the relationship with the events requiring investigation to be made clear
Authorization:
• Authorization is required to carry out the investigation
• It requires interaction with both external and internal entities to obtain the necessary authorization
Planning:
• The planning activity is strongly influenced by information from both inside and outside the investigating organization
• 42. Activities in Cybercrime Investigations (cont’d)
Notification:
• Notification refers to informing the subject of an investigation or other concerned parties that the investigation is taking place
Search and identification of evidence:
• This activity deals with locating the evidence and identifying what the next activity should be
Collection of evidence:
• Collection is the activity in which the investigating organization takes possession of the evidence in a form that can be preserved and analyzed
Transport of evidence:
• Transport evidence to a suitable location for later examination
• Transmission of data through networks
• 43. Activities in Cybercrime Investigations (cont’d)
Storage:
• The collected evidence needs to be stored because examination cannot take place immediately
Examination:
• Examination of the evidence will involve the use of a potentially large number of techniques to find and interpret significant data
Hypothesis:
• Based on the examination of the evidence, the investigators must construct a hypothesis of what occurred
• The degree of formality of this hypothesis depends on the type of investigation
• 44. Activities in Cybercrime Investigations (cont’d)
Presentation:
• The hypothesis must be presented to persons other than the investigators
Proof/Defense:
• In general, the hypothesis will not go unchallenged; a contrary hypothesis and supporting evidence will be placed before a jury
Dissemination:
• The final activity in the model is the dissemination of information from the investigation
• Some information may be made available only within the investigating organization, while other information may be more widely disseminated
• 45. Computer Forensics Field Triage Process Model
• 46. Computer Forensics Field Triage Process Model
The traditional cyber forensics approach of seizing a system(s)/media, transporting it to the lab, making a forensic image(s), and then searching the entire system for potential evidence is no longer appropriate in some circumstances.
In cases such as child abductions, pedophiles, and missing or exploited persons, time is of the essence.
The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field approach for providing the identification, analysis, and interpretation of digital evidence in a short time frame, without the requirement of having to take the system(s)/media back to the lab for an in-depth examination or acquiring a complete forensic image(s).
Source: http://www.digitalforensics-conference.org/
• 47. Computer Forensics Field Triage Process Model (cont’d)
The computer forensics field triage process model (CFFTPM) is defined as:
• Those investigative processes that are conducted within the first few hours of an investigation and provide information used during the suspect interview and search execution phase
The focus of the model is to:
• Find useable evidence immediately
• Identify victims at acute risk
• Guide the ongoing investigation
• Identify potential charges
• Accurately assess the offender’s danger to society
• 48. Computer Forensics Field Triage Process Model
[Diagram: Planning; At Scene: Triage; Usage/User Profiles (Home Directory, File Properties, Registry); Chronology/Timeline; Internet (Browser Artifacts, Email, IM); Case Specific]
• 49. Computer Forensics Field Triage Process Model Phases
Planning:
• The lead investigator will have a matrix that quantifies the various possibilities of the crime scene, the suspect, and the digital evidence, and qualifies the expertise of the various investigators on the investigation team
• It is used to define what is known and what is not known, thus aiding in determining what needs to be known
Triage:
• A process in which things are ranked in terms of importance or priority
• 50. Computer Forensics Field Triage Process Model Phases (cont’d)
Usage/User Profiles:
• When compelling evidence is found on the digital media, it is essential to show a link between that evidence and a specific, identifiable suspect
• A user profile is a collection of files, folders, registry keys, and file properties that are exclusively associated with a unique user account
• Digital evidence is found by examining the:
• Home directory
• File properties (security)
• Registry
• 51. Computer Forensics Field Triage Process Model Phases (cont’d)
Chronology/Timeline:
• The chronological scope of the investigation can be defined by the case intelligence
• For the CFFTPM, several quantifications should be examined by sorting the files on their various MAC times within the chronological scope of the investigation, such as:
• Time periods of normal use by the suspect and other known users of the computer or device
• Identification and analysis of software applications and data files used or accessed during qualified times of interest
• Identification and analysis of recent shortcuts and stored information
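The MAC-time sorting described in this phase, and the "reconstruct the event timeline (When)" step of the FORZA data analysis layer earlier in this module, as an added Python example that is not part of the EC-Council material: it flattens constructed file records into one timeline, restricts it to the chronological scope set by case intelligence, and pulls out after-hours activity, executables touched in a qualified time of interest, and recent shortcuts. The file paths, timestamps, the 08:00 to 20:00 normal-use window and the night-time window of interest are all constructed assumptions, not data from any real case.

```python
"""Field-triage chronology from MAC times (constructed sample data).
Each record carries Modified / Accessed / Created timestamps; the examiner
sorts them into one timeline, keeps only the chronological scope, then
looks for activity outside normal use, apps used in a window, and shortcuts."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class FileRecord:
    path: str
    modified: datetime
    accessed: datetime
    created: datetime  # Windows-style creation time (assumed); Unix exposes ctime instead


# Constructed sample records; paths and times are illustrative, not from a real system.
SAMPLE_FILES = [
    FileRecord("C:/Users/jdoe/Documents/report.docx",
               datetime(2009, 3, 10, 14, 5), datetime(2009, 3, 10, 14, 5),
               datetime(2009, 3, 1, 9, 0)),          # created before the scope
    FileRecord("C:/Users/jdoe/AppData/Roaming/Microsoft/Windows/Recent/budget.lnk",
               datetime(2009, 3, 10, 14, 10), datetime(2009, 3, 10, 14, 10),
               datetime(2009, 3, 10, 14, 10)),
    FileRecord("C:/Program Files/Mozilla Firefox/firefox.exe",
               datetime(2008, 12, 1, 10, 0), datetime(2009, 3, 10, 2, 13),
               datetime(2008, 12, 1, 10, 0)),        # only the access time is in scope
    FileRecord("C:/Users/jdoe/Downloads/setup.exe",
               datetime(2009, 3, 10, 2, 10), datetime(2009, 3, 10, 2, 10),
               datetime(2009, 3, 10, 2, 10)),
]

# Chronological scope from case intelligence, and a qualified time of interest inside it (assumed).
SCOPE_START = datetime(2009, 3, 9)
SCOPE_END = datetime(2009, 3, 11)
NIGHT_WINDOW = (datetime(2009, 3, 10, 2, 0), datetime(2009, 3, 10, 3, 0))


def build_timeline(files, start, end):
    """Flatten each record into (timestamp, mac_type, path) events, keep those
    inside the chronological scope, and return them sorted by time."""
    events = []
    for f in files:
        for kind, ts in (("M", f.modified), ("A", f.accessed), ("C", f.created)):
            if start <= ts <= end:
                events.append((ts, kind, f.path))
    return sorted(events)


def outside_normal_use(events, day_start=time(8, 0), day_end=time(20, 0)):
    """Events whose clock time falls outside the suspect's normal-use hours."""
    return [e for e in events if not day_start <= e[0].time() <= day_end]


def applications_touched(events, window_start, window_end):
    """Executables with any MAC time inside a qualified time of interest."""
    return sorted({e[2] for e in events
                   if e[2].lower().endswith(".exe") and window_start <= e[0] <= window_end})


def recent_shortcuts(events):
    """Shortcut (.lnk) files seen in scope; the Recent folder records what the user opened."""
    return sorted({e[2] for e in events if e[2].lower().endswith(".lnk")})


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_FILES, SCOPE_START, SCOPE_END)
    for ts, kind, path in tl:
        print(ts, kind, path)
    print("outside normal use:", len(outside_normal_use(tl)))
    print("apps in night window:", applications_touched(tl, *NIGHT_WINDOW))
    print("recent shortcuts:", recent_shortcuts(tl))
```

On real media the records would come from a file system walk or a forensic tool's body file rather than a hard-coded list; the analysis functions are unchanged.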
• 52. Computer Forensics Field Triage Process Model Phases (cont’d)
Internet:
• An effective practice is for the computer forensic examiner to evaluate what type of Internet activities they believe the suspect (or victim) was involved in, and to evaluate if and how each of those activities relates to the case
• Types of activities include:
• Web browsing
• E-mail
• Instant messaging
• Reading or posting to USENET newsgroups
• Trading files
• 53. Computer Forensics Field Triage Process Model Phases (cont’d)
Case Specific Evidence:
• It is important for the computer forensic examiner to adjust the focus of every examination to the specifics of that case
• A computer forensic examiner should be able to evaluate time resources, utilize pre-raid intelligence, customize search goals, and prioritize search goals
• 54. Objectives-Based Framework for the Digital Investigations Process
• 55. Objectives-based Framework
The objectives-based framework for the digital investigations process is based on higher-ordered (first tier) phases, more definitive sub-phases (second tier), objectives, and framework principles.
The proposed phases and sub-phases are objectives-based: they are distinct, discrete steps in the process that are usually a function of time, and they suggest a necessarily sequential approach.
Phases and sub-phases are applicable to various layers of abstraction and are used to analyze and translate data into more manageable formats.
Source: http://faculty.business.utsa.edu/
• 56. Proposed Digital Investigation Process
[Diagram: Single-Tier Digital Investigations Process Framework; Two-Tier Digital Investigations Process Framework]
• 57. Objectives-Based Framework Phases
Preparation phase:
• The preparation phase maximizes the availability and quality of digital evidence when needed, while minimizing the associated organizational and financial burden
• Preparation activities include:
• Develop an information retention plan
• Develop evidence preservation and handling procedures
Incident response phase:
• The incident response phase consists of the detection and initial, pre-investigation response to a suspected security incident
• The purpose of this phase is to detect, validate, assess, and determine a response strategy for the suspected security incident
• 58. Objectives-Based Framework Phases (cont’d)
Data collection phase:
• The purpose of the data collection phase is to collect digital evidence in support of the response strategy and investigative plan
• Data collection activities include:
• Complete live response data collection, which began during the incident response phase
• Obtain network-based and host-based evidence from applicable sources
Data analysis phase:
• The purpose of the data analysis phase is confirmatory analysis (to confirm or refute allegations of suspicious activity) and/or event reconstruction (to answer “who, what, where, when, why, and how” type questions)
• Data analysis activities include:
• Conduct an initial data survey to recognize obvious pieces of digital evidence and assess the skill level of the suspect(s)
• Examine and analyze the data, and reconstruct events from it, to answer critical investigative questions
• 59. Objectives-Based Framework Phases (cont’d)
Presentation of findings phase:
• The purpose of the presentation of findings phase is to communicate relevant findings to a variety of audiences, including management, technical personnel, legal personnel, and law enforcement
Incident closure phase:
• The incident closure phase includes the following steps:
• Conduct a critical review of the entire process and investigation to identify and apply lessons learned
• Make and act upon decision(s) that result from the presentation of findings phase
• Collect and preserve all information related to the incident
• 60. Summary
A forensics framework is a set of digital forensics investigation procedures developed by personnel or by a particular organization.
FORZA framework layers are interconnected with each other through sets of six categories of questions.
The event-based framework is used to develop hypotheses and answer questions about an incident or crime.
An extended model of cybercrime investigations provides a common reference framework for discussion and for the development of terminology.
The Objectives-Based Framework for the Digital Investigations Process is based on higher-ordered (first tier) phases, more definitive sub-phases (second tier), objectives, and framework principles.