Judd Robins, expert witness consultant on software forensics

The Computer Forensics matrix permitted the development and refinement of a FIW research and technology Road Map that integrates data from the FIW Matrix, with on-going university research, industry interests, and real forensic case data needs.

This knowledge can help establish a framework for future research in the area and establish computer forensics needs for all sectors of the economy. Forensic tools can be used after an information attack to identify the intruder and his motivation, and perhaps to predict the next attack phase. With the enhanced understanding of Computer Forensics derived from the matrix creation, we developed a FIW Technology Road Map that integrates collected data from the FIW Matrix, in-process university research, industry participation, and actual forensic case data.

This consortium of business, industry, government, education and law enforcement was established to advance the state-of-the-art in FIW. A search is then conducted either manually or with pattern matching tools for numbers, words, or phrases that may be used as computer evidence. We have therefore divided the processes of Forensic Computing into three main areas:

1. Image Capture - The imaging process is fundamental to any computer investigation. The process of imaging should not alter any information on the target machine. The normal procedure of taking the image to WORM media allows the investigator to search for evidence without jeopardizing the integrity of the original data.

2. Image Processing - The processing software consists of processes that index and extract text from all areas of the target image. Options are also available to perform a full extraction of files from the image if required.

3. Investigation - Once the processing has taken place, full searches of all areas of the disk take only seconds. Multiple searches for any combination of characters can be made. Frequently used words may also be set up as a library under a 'group' name for enhanced searching. Postcodes or phone numbers can be identified easily.

When analyzing retrieved information, computer forensic specialists look for key words and phrases within the stream of data obtained during a search. They are trying to find out if the computer was being used to store important information such as dates, phone numbers, names of contacts, etc.

In addition to key words that they use to find evidence, they also must search for words that would cause them to not examine a document or file because it contains information that would be privileged. The same care must be taken when examining electronic documents. This copy does not rely on the logical contents of the drives in question, but copies the information bit-by-bit onto another device where the searches and analysis are performed. The data dumped from memory ends up being stored at the end of allocated files, beyond the reach or the view of the computer user.

Specialized forensic tools are required to view and evaluate file slack, and it can provide a wealth of information and investigative leads.

Like the Windows swap file, this source of ambient data can help provide relevant key words and leads that may have previously been unknown. File slack should be evaluated for relevant key words to supplement the keywords found by other means. If the memory is electronic and the printer is left powered on, then this information may be accessible. Even if the laser printer is turned off, it may store this information on hard disk, and the information will remain during the power off.
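As an added illustration of the file slack evaluation described above (this is not code from the page or from any tool it names), the following Python locates the slack region of a contiguously stored file in a constructed raw image and runs a pattern search over it. The cluster size, the file layout and the residue seeded into the slack are all assumptions made for the example.

```python
# Added example: extract file slack from a raw image and pattern-search it.
# Assumes a contiguous file and a known cluster size; real work would take
# the start cluster and logical size from the file system's allocation data.
import re

CLUSTER_SIZE = 512  # assumed cluster size of the constructed image


def build_sample_image() -> bytes:
    """Constructed 4-cluster image holding one file of 700 logical bytes.

    The file occupies clusters 0-1; its last cluster is only partly used,
    so bytes 700..1023 are file slack. We seed that slack with residue
    left behind by an earlier (constructed) document."""
    residue = b"...call Acme at 555-0100 re: shipment..."
    img = bytearray(CLUSTER_SIZE * 4)         # zero-filled image
    img[0:700] = b"A" * 700                    # live file content
    img[700:700 + len(residue)] = residue      # slack residue
    return bytes(img)


def slack_region(image, start_cluster, logical_size, cluster_size=CLUSTER_SIZE):
    """Return (absolute_offset, slack_bytes) for a contiguous file.

    Slack = bytes from the logical end of file to the end of the last
    cluster allocated to it."""
    clusters = -(-logical_size // cluster_size)  # ceiling division
    slack_start = start_cluster * cluster_size + logical_size
    slack_end = (start_cluster + clusters) * cluster_size
    return slack_start, image[slack_start:slack_end]


def search_keywords(data, patterns):
    """Run each named byte pattern over a region; return (name, offset, text)."""
    hits = []
    for name, pat in patterns.items():
        for m in re.finditer(pat, data):
            hits.append((name, m.start(), m.group().decode("ascii", "replace")))
    return hits


# Constructed pattern library: a phone-number shape and a case key word.
PATTERNS = {
    "phone": rb"\b\d{3}-\d{4}\b",
    "keyword": rb"(?i)shipment",
}

if __name__ == "__main__":
    image = build_sample_image()
    offset, slack = slack_region(image, start_cluster=0, logical_size=700)
    for name, rel, text in search_keywords(slack, PATTERNS):
        # Report the absolute image offset so the location can be documented.
        print(f"{name}: {text!r} at image offset {offset + rel}")
```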

These spooler files can continue to exist, even after the document in question is printed. Hard cards (circuit boards that act as disk drives) can also contain valuable data that should not be overlooked. Finally, electronic devices such as modems, pagers, and especially fax machines, contain significant amounts of memory that can be accessed and saved. The Windows swap file acts as a huge data buffer, and many times fragments of data or even an entire word processing document may end up in this file.

As a result, careful analysis of the swap file can result in the discovery of valuable evidence when Windows is involved. This tedious task was done in the past with hex editors and the process took days to evaluate just one Windows swap file. By using automated tools, that process now takes just a few minutes.

This is the default setting and when the computer is turned off, the swap file is erased. However, not all is lost because the content of the swap file can easily be captured and evaluated by current applications. These programs automatically capture erased file space and create a file that can be evaluated by other programs. Most computer users are unaware of the creation of these files because they are usually erased by the program at the end of the work session.

However, the data contained within these erased files can prove to be most valuable from an evidence standpoint. This is particularly true when the source file has been encrypted or the word processing document was printed but never saved to disk. Like magic, these files can be recovered.

Many computer users are unaware that the storage space associated with such files merely becomes unallocated and available to be overwritten with new files. Pointers to the data are all that is changed; the data is not actually erased from the drive. Often the DOS Undelete program can be used to restore the previously erased files. Like the Windows swap file and file slack, this source of ambient data can help provide relevant key words and leads that may have previously been unknown to the computer investigator.

If this information has been compromised, an attacker can load any program and have it run at startup. The following sections highlight some of our findings. This will prevent loss of data and will be used to authenticate the validity of the data recovered. It will also be a sound defense to lawsuits claiming alteration or corruption of the data or operating system.

The name, use as evidence later. Potentially relevant data is recovered, printed, and the location where found is documented. Relevant files are printed and the location where found is documented. All members have been trained in the forensic science of seizing and processing evidence from computer systems.

Forensically sterile conditions are established. All media utilized during the examination process are freshly prepared, completely wiped of non-essential data, scanned for viruses and verified before use. The original computer is physically examined. A specific description of the hardware is made and noted. Comments are made indicating anything unusual found during the physical examination of the computer.

The contents of the CMOS, as well as the internal clock, are checked and the correctness of the date and time is noted. The time and date of the internal clock are frequently very important in establishing file creation or modification dates and times. A duplicate image of the original media is made.

The duplicate image is used for the actual examination. A detailed description of the process and identification of the hardware, software and media is noted. The copy of the original HDD is logically examined and a description of what was found is noted.

BAT files are examined and findings are noted. All recoverable deleted files are restored. A listing of all the files contained on the examined media, whether they contain potential evidence or not, is made. The listing will indicate which files were printed or otherwise recovered. The unallocated space is examined for lost or hidden data. The contents of each user data file in the root directory and each sub-directory, if present, are examined.

Password protected files are unlocked and examined. A printout is made of all apparent evidentiary data. The file or location where any apparent evidentiary data was obtained is noted on each printout.

All exhibits (printouts of data) are marked, sequentially numbered and properly secured and transmitted. Executable programs of specific interest should be examined. User data files that could not be accessed by other means are examined at this time.

Document comments and findings. In many instances, a complete examination of all of the data on media may not be authorized, possible, necessary, or conducted for various reasons. In these instances, the examiner should document the reason for not conducting a complete examination. Some examples of limited examinations would be:

1. The scope of examination is limited by the search warrant or the courts.

2. The equipment must be examined on premises. This may require the examination of the original media. Extreme caution must be used during this type of examination.

3. The media size is so vast that a complete examination is not possible.

4. The weight of the evidence already found is so overwhelming that a further search is not necessary.

Preliminaries: The computer is powered off and all peripherals are disconnected. An auxiliary device to store off-loaded data is connected and the computer is booted from a clean floppy disk. The CMOS, internal hardware and software configurations, and hard disk directory structure are examined for information and leads. If passwords or other obstacles are encountered, they are either decrypted or bypassed.

Search: Forensic utilities are loaded into memory and directed to find specific text or patterns located within all data blocks, including intact files, erased files, unallocated space, slack space, and cached areas on the hard drive(s).

Recovery: If pertinent data is found to reside within deleted files, they are recovered as completely as possible.

Retrieval: All significant data blocks are off-loaded to the auxiliary storage device for off-site analysis. Data is copied in a manner consistent with established preservation-of-evidence protocols and with as little disruption to the normal course of business as possible.

Analysis: Information specific to the case is extracted from all data blocks, printed out where appropriate, or converted to an appropriate format for easy examination by clients or their representatives.

Documentation: A comprehensive and professionally bound report is prepared and presented to the client.

The report details all aspects of the examination process and the results obtained. These service agencies are listed below with a short synopsis of their services and the products they use in their practice. Jon Berryhill. The following information about this product was taken from the ASR web site: Expert Witness for Windows95 is a Forensic Data Acquisition and Analysis program which has been designed based on the specifications and requirements of the law enforcement community.

Expert Witness is non-invasive to the original computer evidence. All reports and extracts are designed to provide a clear, concise chain of custody. Copies of original evidence are authenticated and verified to assure the admissibility and integrity of the copy. Data Acquisition: Expert Witness simplifies the data acquisition process by using a "wizard" interface.

The wizard walks the user through a series of simple steps and uses the responses and information provided by the user to create a case profile and acquire the evidence. The case profile contains all the information needed to establish a chain of custody for the evidence and document the data acquisition procedures. This approach substantially reduces the amount of time spent preparing reports and the amount of training required to use the software, virtually eliminating the possibility of user errors, simple mistakes, and oversights which can jeopardize the integrity and admissibility of computer evidence.

Expert Witness provides unparalleled flexibility in the ways it can acquire evidence. The software has been developed to allow evidence to be spanned over as many destination disks as necessary. Data compression is an option which can significantly reduce the hardware requirements of storing large amounts of evidence until a case is fully adjudicated.

An entire server may be processed as evidence and stored on several inexpensive storage cartridges instead of a large, expensive hard drive which will just sit in an evidence locker. Data Analysis: Once Expert Witness has acquired, cataloged, and authenticated the evidence, the evidence is ready to be analyzed. Is it an individual, criminal, corporate, or an administrative matter? What is the "scope of work" that you will require? Does it require on-site services or can it be performed with the use of a courier service?

Are there any extra expenses that may be incurred by reason of constraints placed upon the parties by the court? We believe in a no-nonsense and clarity approach to our efforts. Since we do have the education and experience with the legal and justice systems, respectively, YOU as the client need to make the final determination.

If you want to spend your resources on a "technician" who is "feeling their way around" or someone with the experience and the "bleeding edge" tool-set to acquire data, review the data, state a solid opinion, based upon the acquisition of the accurate data and not limit it to just a peek at the hard-drive, we should be your first choice.

As the Client, maybe you'll need a second or independent opinion? Depending upon the intensity of the matter, there may be a need for researching reports, preparation of documentation for court hearings and or trial, execution of writs, testimony at deposition or trial and so forth.

Also, "vultures" live off of the carrion of animals. As long as your litigation is ongoing, you're still alive and we will do everything possible to treat your matter with dignity and respect!

How come your rates are so reasonable, considering your location? What makes Computerlegalexperts. Most of the time that is incurred will more than likely happen during the Discovery Phase of litigation, since it is important for an Expert Witness or Trial Consultant to be prepared if the matter enters the Trial Phase.

Therefore, it is important that a credible and ethical Expert Witness or Trial Consultant, who will review your matter, with you and your counsel before ever looking at a hard drive. Our scale of fees is straightforward and no-nonsense, yet is lower than one would expect, since we take a professional and polished approach with your matter.

We believe that we offer a superior set of skills, without the frills, which enables our scale of fees to be among the most reasonable in our field. We prefer to focus on the uniqueness of each case and client-care, instead of worrying about our rent.

Legal counsel does the best for their clients by the presentation of your case, since they are your advocate. If we were to look at you case as being a "project," an "Expert Witness" or "Trial Consultant" is merely one of the tools that is in your legal counsel's toolbox.

When selecting an "Expert Witness" or a "Trial Consultant," we urge you to choose wisely. If you are looking for a team of individuals who have the skill-set and knowledge, but don't pass on their massive overhead in their billings to their clients, we'd like to see how we can help you. Will your "Team" be able to guarantee my success in my case? Our only guarantee we offer is that we will do our best for you by providing the information that you, your legal counsel and, if the event arises, the jury and judge need in order to make an informed decision.

Why money doesn't necessarily buy quality. We work aggressively for our clients in delivering facts. We enjoy what we do, by delivering results. We understand Zinn's axiom of: "It doesn't take any talent to spend other people's money!"

We use the Bob Parson's model of providing a value-added service. The ability and knowledge to use "state-of-the-art" equipment and software, for a fraction of the cost that the opposition or law enforcement would pay for. Example: Most law enforcement agencies do not have the equipment we have to perform the services we do.

In the matters we have been involved with, ALL of our clients either prevailed on their civil complaint or cross-complaint. Knowledge of potential expenses is important.

Gordon has led development and QA teams in architecting, developing and deploying a multi-tenant SaaS-based vulnerability management platform and scanning solution which is being used worldwide by Fortune organizations as part….

Isaac Pflaum has more than a decade of experience as a scientist, attorney, and consultant to Fortune technology companies and state and local government agencies.

He currently serves as an expert witness in software-related litigation — such as patent infringement and breach-of-contract matters.
