1. You have been assigned to investigate whether or not an employee at a local hospital has been accessing patient records and setting information to online pharmacies. It is your first day of the investigation. Put together a list of data sources that must be examined during the investigation. (Chapter 6 PPT attached) https://www.youtube.com/watch?v=ZUqzcQc_syE&t=1s (400 words)
2. Go online and research some tools that would be valuable in collecting both live memory images and images of various forms of media. Put together a shopping list for your manager that includes the tools that need to be purchased. Include a price if applicable. (Chapter 7 PPT attached) https://www.youtube.com/watch?v=ehRCA8eYJzk (400 words)
3. When we talk about promotional mix, what exactly do we mean and how does this help us in our marketing process? After reviewing this week’s resources and your research, in your own words how would you explain promotional mix and how it helps in the marketing process? Share one of the elements and apply it to a product you personally use. How would you use the element to promote the product for a new market segment, and why? (400 words)

Chapter 6

First Response and The Digital Investigator

Forensics and Computer Science
Just what does “forensics” mean?
Suitable for presentation in court
Digital forensics combines legal process with technology
The job of the digital forensic investigator
NEVER do harm to the investigation
Acquire evidence from computer devices that can be used as evidence

Locard’s Principle
If you touch it, you change it
Whatever a criminal touches, there is evidence to be found
Whatever an investigator touches, there is evidence to be destroyed
BUT… changing the evidence does not necessarily render it unusable

Characteristics of Evidence
Class characteristics
A large group can share the same characteristic
Used to narrow the search pattern
Individual characteristics
A descriptive element that is unique to a sample
Colors are not unique—but serial numbers are

Digital Versus Physical Evidence
A paper document is physical
May carry fingerprints or chemical elements to analyze
Will not prove who created it
Will not carry metadata for further analysis
A digital document has the metadata and can be traced to the owner
They are not the same piece of evidence

Digital Media
A paper document that is burned is gone for good
A digital document that is deleted can be restored
Digital sources carry evidence of the document other than the document itself
File system metadata
Registry entries
Temporary files

First on the Scene
Always find out who is in charge before you begin
It will never be you
There might be multiple “owners” of the scene
Secure the scene
People’s safety first
Integrity of the evidence next
Identify potential sources of evidence

Document the Scene
Take a LOT of photographs
Always carry a digital camera
Try to make it a point to also carry a video camera
Make an inventory of all potential devices that might contain evidence (start a chain of custody)
Make notes on your observations (and remember that they can be subpoenaed)

Identifying Data Sources
Obvious sources
Computers
PDAs
Cell phones
External drives
CDs
Other media
Less obvious sources

Less Obvious Sources
Digital cameras and video recorders
Game machines
Digital audio recorders
Printer/Fax machines
Answering machines
Owner’s manuals may point to sources not present

Handling Evidence
Identify and photograph the evidence
Document the evidence (make, model, S/N, etc.)
Package the evidence for transport
Should you block signals?
Should power be maintained?
Transport the evidence safely and securely
Store the evidence safely and securely

Chain of Custody
Must identify the material in a way unique to that individual item
One of the most critical pieces of documentation
Follows each piece of evidence around everywhere it goes
Must be updated each time it moves or changes hands

Documenting Evidence
Where was it found?
What state was it in?
What time and on what date was it collected?
Give a physical description of the evidence
Type of device
Capacity, condition, etc.
Identify make, model, S/N if applicable

Packaging Evidence
Protect from impact
Protect from electro-magnetic radiation
Protect from extreme temperature and moisture
Protect from tampering
Make sure it is clearly labeled

Transporting Evidence
Never assume that a computer is stand-alone
Determine if it should remain powered up
If it must be shut down, document the state of the computer before breaking it down
What application was active?
Running processes (if possible)
Network connections (if possible)
Protect portable devices and media from external corruption

Storing Evidence
Chain of custody rules apply to storage
Log in/log out must include who, what, when, where, and why
Rules of protection during transport apply equally to storage
Access to storage must be limited and monitored

Disposition of Evidence
When the job is done, evidence must be destroyed or returned
All contraband must be destroyed, regardless of provenance
Private or intellectual property may be either returned or destroyed, depending on the courts
If destroyed, the material must be rendered completely unrecoverable

Chapter 7

Data Acquisition

Never Work on the Original
Make forensically sound copies
Keep a master copy and make several working copies
Calculate a hash value of each copy and make sure they match
Each copy must have a unique identifier
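
Added example (not from the slides or the textbook): one way to check that every working copy hashes to the same value as the master and to give each copy a unique identifier. SHA-256, UUIDs as identifiers, the file names and the function names are assumptions made for this illustration; the "image" is a small constructed file.

```python
import hashlib
import os
import tempfile
import uuid

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images never sit in RAM


def sha256_file(path):
    """Stream a file through SHA-256 (assumed algorithm) and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_copies(master, working_copies):
    """Return one record per image: unique id, digest, and match against the master."""
    master_digest = sha256_file(master)
    records = [{"id": str(uuid.uuid4()), "role": "master", "path": master,
                "sha256": master_digest, "match": True}]
    for path in working_copies:
        digest = sha256_file(path)
        records.append({"id": str(uuid.uuid4()), "role": "working", "path": path,
                        "sha256": digest, "match": digest == master_digest})
    return records


def demo():
    """Constructed sample: a fake image, one faithful copy, one copy with a flipped bit."""
    with tempfile.TemporaryDirectory() as d:
        master = os.path.join(d, "master.dd")
        good = os.path.join(d, "work1.dd")
        bad = os.path.join(d, "work2.dd")
        data = os.urandom(3 * CHUNK + 17)  # constructed stand-in for a disk image
        for p in (master, good):
            with open(p, "wb") as f:
                f.write(data)
        with open(bad, "wb") as f:
            f.write(data[:-1] + bytes([data[-1] ^ 0x01]))  # single-bit change
        return verify_copies(master, [good, bad])


if __name__ == "__main__":
    for r in demo():
        print(r["id"], r["role"], r["sha256"][:16], "OK" if r["match"] else "MISMATCH")
```

A copy reported as MISMATCH is not a forensically sound copy of the master; the records can be kept alongside the chain of custody documentation.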

Order of Volatility
RAM
Temporary files
Local disks
External storage media
Network attached storage (NAS or SAN)
Archival backups

Memory and Running Processes
Memory can hold passwords
Can be difficult to extract, but in a pinch may be all you have
Running processes can identify malware running on the system
Routing tables can be extracted from memory
Network connections reside in RAM

Capturing Memory
Memory is a device
Memory can be dumped into a file
The amount of memory captured may be different from the amount of installed RAM
Some utilities capture device cache memory
Some utilities don’t capture installed RAM devoted as a device cache

Memory Capture Utilities
Most commercial forensic suites offer memory capture capability
DD utility (both Windows and Linux)
Dumpit
Memoryze

Memory Capture Tips
Keep your memory footprint to a minimum
Run from a flash drive if possible
Copy memory image to an external device
Make sure device capturing image can handle large files
Computers today have large amounts of RAM
Many USB drives continue to be formatted to FAT32 (4GB maximum file size)

Memory Capture Procedures
Start the documentation process
Run a batch file that collects user information, network connections, time/date, and open files
Collect a memory dump
Copy the paging file
Copy any hibernation files

Media Capture
Document everything
Use a forensic write-blocker when copying any data
Do NOT use standard copy utilities to make copies
Store all images on forensically sound media

Disk Image File Formats
DD Images (bit-for-bit)
Expert Witness Format (EWF)
Advanced Forensic Format (AFF)
Safeback (by NTI)
ILook Imager
ProDiscover File Format
