Computer Forensics is the Collection


  • 8/9/2019 Computer Forensics is the Collection

    1/8

    Introduction

    Computer forensics is the collection, preservation, analysis and court presentation of computer-related evidence. In addition to civil and criminal jury trials, computer evidence often is presented in arbitration, administrative and mediation proceedings, congressional/government hearings and presentations to corporate management. Accordingly, the proper collection and analysis of computer evidence through accepted computer forensic protocols is a critical component to any internal investigation or audit where the results have at least the potential to be presented in legal proceedings. Improperly handled computer evidence is likely to be excluded or limited by the trial court.

    Choosing an Expert

    Computer Forensics requires specialized expertise that generally goes beyond normal data collection and preservation techniques available to end-users or system support personnel. As with choosing any other expert, it is crucial that Mega-Corp scrutinizes the computer forensic expert's qualifications and experiences. The expert must have the proper experience and training to successfully identify and attempt to retrieve possible evidence that may exist on a computer system.

    The Problem

    In the field of digital forensics, there is no governing body at the national or state level that accredits examiners as being competent in their field. The industry does not have a bar exam or other accreditation system to ensure that experts have even the minimum qualifications necessary to practice in this field. This means that anyone can call themselves a digital forensics examiner regardless of their capabilities, experience, or competence. This is why the selection process of a digital forensics expert is so critical.

    Some guidelines

    Investigation firms that truly specialize in computer forensic investigations are few and far between. Most private investigators don't have the experience or understand the sensitive legal issues involved in dealing with situations that could result in costly litigation. Here are some crucial guidelines for finding a qualified investigation firm to perform computer forensic investigations:

    Agreements and Fees: Experienced and reputable firms provide proposals and contracts prior to accepting cases. If one is not provided, request a projected budget estimate at the very least. It's common to pay a retainer at the start of the case. However, it's perfectly okay to ask the firm for references before making a payment.

    Attorney and Law Enforcement Involvement: Experienced investigators understand the relevance of involving qualified counsel in the investigation. Firms that do not seek to involve your legal counsel should not be retained to conduct your investigation. The decision to prosecute the illegal acts of your current or past employees lies between you and your legal counsel and, ultimately, the District Attorney's or United States Attorney's office. Prosecution can be quick and easy or time consuming, complicated and expensive, depending on certain variables. A competent Private Investigation firm can let you know in advance the probable amount of time your case would require if prosecuted. Generally, the better job your investigator does, the faster your case will go through the court system. In fact, less than 34 of people prosecuted as a result of our investigations actually go to trial. Instead, they opt to "cop a plea" in the face of a bewildering amount of solid evidence.

    Experience: Ensure the firm, as well as the employees assigned to your case, have the experience and qualifications necessary to conduct the investigation. Very few investigation firms specialize in workplace-related investigations. Choose a firm that is familiar with employment law-related investigations, who knows criminal law and is familiar with civil torts and union environments. The firm must know how to navigate areas that present a legal minefield--one wrong move can lead to unwanted litigation.

    Insurance: All reputable private investigation firms carry general liability insurance. Some states require insurance prior to issuing a license. Ask for a Certificate of insurance and ensure the coverage is "per occurrence," not "claims-made."

    Proof of License: Private investigators are required to be licensed in all but eight states (Alabama, Alaska, Colorado, Idaho, Mississippi, Missouri, South Dakota, Wyoming). Florida, Georgia, Louisiana and Oregon have limited reciprocity agreements with California. When going to another state for investigative services, request a copy of their license, or their required permits or business licenses. Perform your own due diligence to avoid vulnerability to litigation.

    References and Reputation: Reputations vary widely in our industry.


    Solomon, Michael G., Rudolph, K., and Tittel, Ed. Computer Forensics JumpStart (2nd Edition). Hoboken, NJ, USA: John Wiley & Sons, ?>>. Pro February ?>3. Copyright © ?>>. John Wiley & Sons. All rights reserved.

    Tools of the Trade: Determine whether your potential investigators really have a full-scale computer forensics laboratory. Some purported experts simply "make do" with whatever equipment they have. As new technology is always emerging, state of the art labs include frequent software and equipment updates.

    The primary federal law enforcement agencies that investigate domestic crime on the Internet include: the Federal Bureau of Investigation (FBI), the United States Secret Service, the United States Immigration and Customs Enforcement (ICE), the United States Postal Inspection Service, and the Bureau of Alcohol, Tobacco and Firearms (ATF). Each of these agencies has offices conveniently located in every state to which crimes may be reported. Contact information regarding these local offices may be found in local telephone directories. In general, federal crime may be reported to the local office of an appropriate law enforcement agency by a telephone call and by requesting the "Duty Complaint Agent."

    Each law enforcement agency also has a headquarters (H


    Internet bomb threats: FBI local office; ATF local office

    Copyright piracy (e.g., software, movie, sound recordings): FBI local office; U.S. Immigration and Customs Enforcement (ICE); Internet Crime Complaint Center

    Trademark counterfeiting: FBI local office; U.S. Immigration and Customs Enforcement (ICE); Internet Crime Complaint Center

    Theft of trade secrets/Economic Espionage: FBI local office


    Other Cybercrime Reporting Resources

    The Internet Crime Complaint Center (IC3)

    The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). IC3's mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cybercrime. The IC3 gives the victims of cybercrime a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations. For law enforcement and regulatory agencies at the federal, state, and local level, IC3 provides a central referral mechanism for complaints involving Internet related crimes.

    Department of Homeland Security's National Infrastructure Coordinating Center: 7?9 -J?> (report incidents relating to national security and infrastructure issues)

    U.S. Computer Emergency Readiness Team (U.S. CERT) (online reporting for technicians)

    Other Government Initiatives to Combat Cybercrime

    National Intellectual Property Rights Coordination Center

    The IPR Coordination Center's responsibilities include:

    Coordinating U.S. government domestic and international law enforcement activities involving IPR issues.

    Serving as a collection point for intelligence provided by private industry, as well as a channel for law enforcement to obtain cooperation from private industry (in specific law enforcement situations).

    Integrating domestic and international law enforcement intelligence with private industry information relating to IPR crime, and disseminating IPR intelligence for appropriate investigative and tactical use.

    Developing enhanced investigative, intelligence and interdiction capabilities.

    Serving as a point of contact regarding IPR law enforcement related issues.

    The STOP Initiative (www.stopfakes.gov)

    The stopfakes.gov website provides information to consumers and businesses on intellectual property, including information on how to report trade in fake goods.

    Those with specific information regarding intellectual property crime can submit an IPR Coordination Center Complaint Referral Form.


    Information

    CERT Coordination Center http://www.cert.org/tech_tips/[email protected]
    Forensics, Cybercrime and Steganography Resources http://www.forensix.org/links
    Department of Defense Cyber Crime Center http://www.dc3.mil/home.php
    Department of Defense, National Industrial Security Program Operating Manual (clearing and sanitizing standard) DoD 5220.22-M http://www.dtic.mil/whs/directives/corres/pdf/3?m.pdf
    Department of Justice Computer Crime and Intellectual Property Section http://www.cybercrime.gov/
    FBI National Computer Crime Squad http://www.tscm.com/compcrim.html
    Federal Guidelines for Searching and Seizing Computers http://www.knock-knock.com/[email protected]
    National Institute of Justice Forensic Sciences http://www.ojp.usdoj.gov/nij/topics/forensics/welcome.htm
    National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC). (CSRC is maintained by the Computer Security Division of the NIST.) http://csrc.nist.gov/groups/SMA/ate/
    National White Collar Crime Center http://www.nw3c.org/
    National Institute of Standards Technology (NIST) Computer Forensic Tool Testing Program http://www.cftt.nist.gov/
    SANS Information Security Reading Room http://www.sans.org/reading_room/
    Scientific Working Group on Digital Evidence http://www.swgde.org/documents/current-documents/
    United States Secret Service http://www.forwardedge.com/pdf/bestPractices.pdf
    U.S. Secret Service Electronic Crimes Task Forces and Working Groups http://www.secretservice.gov/ectf.shtml

    Organizations

    Digital Forensic Research Workshop (DFRWS ?>>) http://www.dfrws.org/
    High Tech Crime Consortium http://www.hightechcrimecops.org/
    High Technology Crime Investigation Association (HTCIA) http://htcia.org/
    International Association for Identification (IAI) Scientific Working Group on Digital Evidence http://www.theiai.org/disciplines/digital_evidence/index.php
    International Association of Computer Investigative Specialists
    International Information Systems Forensic Association (IISFA) http://www.iisfa.info/certification.htm
    International Organization on Computer Evidence (IOCE) http://www.ioce.org/

    Publications

    Digital Forensics Magazine: Supporting the Professional Computer Security Industry http://www.digitalforensicsmagazine.com/
    Digital Investigation: The International Journal of Digital Forensics and Incident Response (Elsevier) http://www.elsevier.com/wps/find/journaldescription.cws_home/L?>H?/description
    Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice http://www.ojp.usdoj.gov/nij/pubs-sum/>JJM?.htm
    International Journal of Digital Evidence (IJDE) (Utica College) http://www.utica.edu/academic/institutes/ecii/ijde/
    iPhone Forensics by Jonathan Zdziarski http://www.zdziarski.com/blog/?page_id=>H
    Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual, Computer Crime and Intellectual Property Section Criminal Division of the United States Department of Justice http://www.cybercrime.gov/ssmanual/index.html

    Training

    AccessData Group, LLC http://www.accessdata.com/training
    Cyber Security Institute http://www.cybersecurityinstitute.biz/
    DIBS USA, Inc. http://www.dibsusa.com/
    EC-Council iClass online learning program https://iclass.eccouncil.org/
    Global Digital Forensics, Inc. http://www.evestigate.com/Computer_Forensic_Training.htm
    Guidance Software http://www.guidancesoftware.com/computer-forensics-training.htm
    High Tech Crime Institute http://www.gohtci.com/index.php?q=category/division/training
    Indiana Forensic Institute http://www.ifi-indy.org/
    International Association of Computer Investigative Specialists (IACIS) http://www.iacis.com/training
    Key Computer Service CCE Bootcamp http://www.cce-


    An incident response program is a critical component for an organization's sustainability and security in the face of a computer security incident. Computer security incidents are a menacing threat for organizations and their information assets. These incidents are often targeted and decisive, leaving the victim organization in complete disarray. Security incidents are deliberate electronic attacks on the communications or information processing systems of an organization and could be carried out by just about anyone, ranging from a disgruntled employee to a malicious competitor or even a hacker who finds your organization's information valuable.

    Organizations should have a formal incident response program and know how to respond to and handle a security incident to control the costs and consequences that may result. In the event of a security incident, organizations should take immediate action to investigate the incident and limit the exposure of confidential data such as cardholder data, banking data, any non-public customer information, and any other sensitive information that falls under the purview of a law. It is often at testing times like these that many organizations are unable to respond effectively and decisively to minimize the damage and potential spread of the impact.