Module 02 - Computer Forensics Investigation Process - AG - 25


Module 02

Computer Forensics Investigation Process

5 NIDS, Ali GHORBEL
2024-25, ali.ghorbel@esprit.tn
Module objectives
After completing this chapter, you will be able to:
2.1. Understand the importance of the computer forensics process
2.2. Describe the various phases of the computer forensics investigation process
2.3. Identify the requirements for building a computer forensics lab and an investigation team
2.4. Understand the roles of a First Responder
2.5. Perform search and seizure, evidence collection, management and preservation
2.6. Understand chain of custody and its importance
2.7. Discuss data duplication, deleted data recovery and evidence examination
2.8. Write an investigative report and testify in a court room
Computer Forensics Process Phases
The Pre-investigation Phase:
 Setting up a computer forensics lab (CFL), toolkit, and workstation
 Building the investigation team and getting approval from the relevant authority
 Planning the process, defining mission goals, and securing the case perimeter and the devices involved
The Investigation Phase:
 Acquisition, preservation, and analysis of the data to identify the source of the crime and the culprit
 Applying technical knowledge to find evidence, then examining, documenting, and preserving the findings
The Post-investigation Phase:
 Ensure that the target audience can easily understand the report
 Ensure the report provides adequate and acceptable evidence
 Ensure the report complies with all local laws and standards
 Ensure the report is legally sound and acceptable in a court of law
Setting up a Computer Forensics Lab
A Computer Forensics Lab (CFL) is a designated location for conducting computer-based investigation of the collected evidence in order to solve the case and find the culprit.
The lab houses the instruments, software and hardware tools, suspect media, and the forensic workstations required to perform investigations of all types.
Building a Forensics Workstation
Before building a forensic workstation, the computer forensics approach should be clearly defined.
The computer forensics workstation should have facilities and tools that can perform the following functions:
1. Support hardware-based local and remote network drive duplication.
2. Validate the integrity of the image and of individual files.
3. Identify the date and time when files were modified, accessed, or created.
4. Identify deleted files.
5. Support removable media.
6. Isolate and analyze free drive space.
Build Investigation Team
People involved in an investigation team
Notify decision makers and acquire authorization
Decision makers implement policies and procedures for handling an incident.
If there are no written incident response policies and procedures, the decision makers should be notified so that the investigation can be authorized. After the authorization, the situation should be assessed and the course of action defined.
The following are the best practices to get authorization:
 Obtain the authorization from an authorized decision maker to conduct the investigation.
 Document all the events and decisions that occurred during the incident and the incident response.
 Depending on the scope of the incident, and in the absence of any national security or life safety issues, the first priority is to protect the organization from further harm.
Review policies and laws
Reviewing policies and laws includes the following:
 Understand the laws: Before starting the investigation process, it is required to understand the laws that apply to the investigation, including the internal organization policies.
 Identify possible concerns: Identify possible concerns that relate to applicable Federal statutes, State statutes, and local policies and laws.
Best practices:
Best practices include the following:
 Determine the extent of the authority to search.
 Determine the legal authorities for conducting an investigation.
 Consult with a legal advisor on issues raised by any improper handling of the investigation.
 Ensure the customer's privacy and confidentiality.
Review policies and laws
Forensic Laws
United States Code:
18 USC §1029 - Fraud and related activity in connection with access devices
18 USC §1030 - Fraud and related activity in connection with computers
18 USC §1361-2 - Prohibits malicious mischief
18 USC §2252A - Law about child pornography
18 USC §2252B - Misleading domain names on the Internet
18 USC §2702 - Voluntary disclosure of contents to government and non-government entities
42 USC §2000AA - Privacy Protection Act; special steps to take during seizure so as not to prevent freedom of expression
Federal Rules of Evidence:
Rule 402 - General Admissibility of Relevant Evidence
Rule 502 - Attorney-Client Privilege and Work Product; Limitations on Waiver
Rule 608 - Evidence of Character and Conduct of Witness
Rule 609 - Impeachment by Evidence of a Criminal Conviction
Rule 614 - Calling and Interrogation of Witnesses by Court
Rule 701 - Opinion Testimony by Lay Witnesses
Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion
Rule 801 - Hearsay
Rule 901 - Authenticating or Identifying Evidence
Rule 1002 - Requirement of the Original
Rule 1003 - Admissibility of Duplicates
Rule 1004 - Admissibility of Other Evidence of Content
Risk Assessment
Risk assessment includes the following:
 Identify the incident and its effects.
 Characterize the incident according to its severity.
 Determine the data loss or damage caused to the computer because of the incident.
 Determine the possibility of other devices and systems being affected by the incident.
 Break the communications with other devices to prevent the incident from spreading.
Build Computer Forensics Toolkit
Computer forensics tools can be divided into two types: hardware tools and software tools.
Build Computer Forensics Toolkit
Forensic Hardware Tools:
 FRED systems are optimized for stationary laboratory acquisition and analysis. FRED will acquire data directly from IDE/EIDE/ATA/SATA/ATAPI/SAS/FireWire/USB hard drives and storage devices and save forensic images to Blu-ray, DVD, CD, or hard drives.
 Paraben's StrongHold Faraday Bags block out wireless signals to protect evidence.
 PC-3000 Data Extractor diagnoses and fixes file system issues so that the client's data can be obtained.
 Paraben's Chat Stick is a thumb drive device that searches the entire computer and scans it for chat logs.
 RAPID IMAGE 7020 X2 is designed to copy one "Master" hard drive to up to 19 "Target" hard drives.
 RoadMASSter-3 X2 is a ruggedized portable forensic lab for HDD data acquisition and analysis.
 Image MASSter Wipe PRO is a hard drive sanitization station.
 PC-3000 Flash is a hardware and software suite for recovering flash-based storage.
 ZX-Tower provides secure sanitization of hard disks.
 WriteProtect-DESKTOP provides secure, read-only write-blocking of suspect hard drives.
 Data Recovery Stick can recover deleted files.
 Tableau T8-R2 Forensic USB Bridge offers secure, hardware-based write blocking of USB storage devices.
Build Computer Forensics Toolkit
Forensic Software Tools (1/2):
 Cain & Abel: password recovery tool for Microsoft operating systems. It uses sniffing, dictionary, brute-force, and cryptanalysis attacks. It can also record VoIP conversations, decode scrambled passwords, recover wireless keys, reveal password boxes, uncover cached passwords and analyze routing protocols.
 Recuva: recovers lost pictures, music, documents, video, e-mail, or any other file type from all types of media.
 Capsa: network sniffer with support for over 300 network protocols.
 R-Drive Image: utility that creates disk image files for backup or duplication purposes.
 FileMerlin: converts word processing, spreadsheet, presentation and database files between a wide range of file formats.
 AccessData FTK: court-cited digital investigations platform that performs processing and indexing up front, so filtering and searching are fast. FTK can be set up for distributed processing and incorporates web-based case management and collaborative analysis.
 Guidance Software’s EnCase: rapidly acquires data from a variety of devices and unearths potential evidence with disk-level forensic analysis. It produces comprehensive reports on the findings and maintains the integrity of the evidence in a format the courts have come to trust.
Build Computer Forensics Toolkit
Forensic Software Tools (2/2):
 PALADIN: a modified “live” Linux distribution based on the PALADIN Toolbox.
 The Sleuth Kit: command line tools and a C library to analyze disk images and recover files from them.
 Autopsy: digital forensics platform and GUI to The Sleuth Kit® and other digital forensics tools.
 Nuix Corporate Investigation Suite: used to collect, process, analyze, review, and report evidence.
 Oxygen Forensic Kit: a ready-to-use and customizable mobile forensic solution for field and in-lab usage. It allows extraction of data from the device and also creates reports and analyzes data in the field.
 L0phtCrack: password auditing and recovery software.
 Ophcrack: a free GUI-driven Windows password cracker based on rainbow tables.
NIST has launched the Computer Forensic Tool Testing Project (CFTT), which establishes a “methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.”
Checklist to Prepare for a Computer Forensics Investigation
1. Do not turn the computer off or on, run any programs, or attempt to access data on the computer.
2. Secure any relevant media the subject may have used, including hard drives, cell phones, DVDs, USB drives, etc.
3. Suspend document destruction and recycling that may pertain to relevant media or users at the time of the issue.
4. Perform a preliminary assessment of the crime scene and identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination.
5. Once the machine is secured, obtain information about the machine, its peripherals, and the network to which it is connected.
6. If possible, obtain passwords to access encrypted or password-protected files.
7. Compile a list of names, e-mail addresses, and other information about those with whom the subject might have communicated.
8. If the computer is accessed before the forensic expert is able to secure a mirror image, note the user(s) who accessed it, which files were accessed, and when the access occurred. If possible, find out why the computer was accessed.
9. Maintain a chain of custody for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession.
10. Create a list of key words or phrases to use when searching for relevant data.
Computer Forensics Investigation Methodology
Obtain Search Warrant
A search warrant is a written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location.
“When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity.” United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991).
“Agents may search a place or object without a warrant or probable cause, if a person with authority has consented.” Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973).
Evaluate and Secure the Scene
Forensics Photography
 Digital photography helps in correcting the perspective of the image, which is used in taking the measurements of the evidence.
 Snapshots of the evidence and incident-prone areas need to be taken to help in the forensic process.
 Forensic photography helps to capture, edit and transfer the images faster.
 Take photographs of all the evidence, or of whatever helps in finding evidence.
 Label the photographed evidence according to the methodology.
 Photograph the evidence after the label is applied.
Evaluate and Secure the Scene
Gather the Preliminary Information at the Scene
Evaluate and Secure the Scene
First Responder
 The first responder is the first person at the scene of the incident who collects and preserves evidence.
 S/he should collect the evidence on all sorts of devices available at the scene of the incident.
 The first responder should follow all laws while collecting the evidence, and contact a computer forensic examiner as soon as possible.
Collect the Evidence
Collect Physical Evidence
 Electronic devices and other media found at the crime scene should be collected.
 They may be removable media, cables, computer equipment, and miscellaneous items.
 The objects that are identified as evidence should be tagged.
 The tag provides detailed information about the evidence.
 The evidence should be handled carefully in order to preserve its integrity.
Collect the Evidence
Evidence Collection Form
An evidence collection form includes the following information:
Submitting agency
Item number
Date of collection
Time of collection
Badge number
Location where collected
Case number
Description of enclosed evidence
Type of offences
Victim's full name
Suspect's full name
Collected by
Collect the Evidence
Collect Electronic Evidence
Data Files:
 office desktop computer/workstation
 notebook computer
 home computer
 computer of personal assistants/secretary/staff
 palmtop devices
 network file servers/mainframes/mini-computers
To ensure that all data, including residual data, is captured, an image copy is recommended when copying data from local computer hard drives.
Backup Tapes:
 system-wide backups (monthly/weekly/incremental)
 disaster recovery backups (stored off site)
 personal or "ad hoc" backups (look for diskettes and other portable media)
Other Media Sources:
 tape archives
 replaced/removed drives
 floppy diskettes and other portable media (e.g., CDs, Zip cartridges)
Collect the Evidence
Guidelines for Acquiring Evidence:
The following are the guidelines for acquiring evidence:
 Sample banners are used to record system activity when the system is used by unauthorized users.
 In warning banners, organizations give clear notice to intruders that by signing onto the system they are expressly consenting to such monitoring.
 Seize the equipment connected to the case; knowing the role of the computer indicates what should be taken.
 The computer should not be powered off during the seizure process.
 Make sure that the examiner's storage device is forensically clean while acquiring the evidence.
 Write protection should be initiated to preserve and protect the original evidence, if it is available.
Secure the Evidence
Evidence Management:
Evidence management includes the following:
 Protection: Evidence management helps in protecting the true nature of the evidence.
 Documentation: Proper handling and documentation of the evidence is required to protect it.
 Evidence transfer: Both sender and receiver have to record the date and time of transfer in the chain of custody record at the time of evidence transfer.
 Procedures: The following procedures are used to protect the evidence and to document it when collecting and shipping:
   The log book of the project
   A tag to uniquely identify any evidence
   A chain of custody record
Secure the Evidence
Chain of Custody:
 Legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory.
 It is a roadmap that shows how investigators collected, analyzed, and preserved the evidence.
 It ensures accurate auditing of the original data evidence, imaging of the source media, tracking of the logs, and so on.
 The chain of custody shows the technology used and the methodology adopted in the forensic phases as well as the persons involved in it.
 The chain of custody administers the collection, handling, storage, testing, and disposition of evidence.
 It helps to ensure protection of evidence against tampering or substitution of evidence.
 Chain of custody documentation should list all the people involved in the collection and preservation of evidence and their actions, with a stamp for each activity.
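The chain of custody described above can be kept as a structured record rather than a paper form, so that gaps can be checked mechanically. The following is an added example written for this page, not code from the course or from any forensic tool: each entry records who released the exhibit, who received it, when, why, and the hash of the evidence image at hand-over, and verify_chain() flags a break in continuity (the next releaser is not the previous receiver), a timestamp going backwards, or a change in the recorded hash. The exhibit tag, the names and the hash value are constructed sample data.

```python
"""Chain-of-custody log with continuity checks (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CustodyEntry:
    exhibit_id: str       # tag in the slides' aaa/ddmmyy/nnnn/zz format
    released_by: str      # person (or place) handing the exhibit over
    received_by: str      # person (or place) taking possession
    timestamp: datetime   # when the hand-over happened
    purpose: str          # why the exhibit moved (seizure, storage, imaging, ...)
    evidence_hash: str    # digest of the evidence image at hand-over time


def verify_chain(entries):
    """Return a list of problems; an empty list means custody was continuous."""
    if not entries:
        return ["empty chain"]
    problems = []
    first = entries[0]
    for i, e in enumerate(entries):
        if e.exhibit_id != first.exhibit_id:
            problems.append(f"entry {i}: exhibit id changed to {e.exhibit_id}")
        if e.evidence_hash != first.evidence_hash:
            problems.append(f"entry {i}: evidence hash changed (tampering or re-imaging?)")
        if i > 0:
            prev = entries[i - 1]
            if e.released_by != prev.received_by:
                problems.append(
                    f"entry {i}: custody gap, {prev.received_by} never released to {e.released_by}")
            if e.timestamp < prev.timestamp:
                problems.append(f"entry {i}: timestamp earlier than previous entry")
    return problems


def build_sample_chain(tamper=False):
    """Constructed hand-overs for one exhibit; tamper=True injects a gap and a hash change."""
    exhibit = "agh/150325/0001/A"                     # constructed tag
    digest = "constructed-md5-0000000000000000000"    # placeholder, not a real hash

    def at(hour, minute):
        return datetime(2025, 3, 15, hour, minute, tzinfo=timezone.utc)

    entries = [
        CustodyEntry(exhibit, "scene (seizure)", "A. Ghorbel", at(9, 5), "seized at scene", digest),
        CustodyEntry(exhibit, "A. Ghorbel", "Evidence locker", at(11, 40), "secure storage", digest),
        CustodyEntry(exhibit, "Evidence locker", "B. Examiner", at(13, 0), "checked out for imaging", digest),
    ]
    if tamper:
        # Constructed fault: a courier who never signed for the exhibit hands it over,
        # and the image hash no longer matches the one recorded at seizure.
        entries[2] = CustodyEntry(exhibit, "Unknown courier", "B. Examiner", at(13, 0),
                                  "checked out for imaging", "constructed-md5-ffffffffffffffff")
    return entries


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("tampered:", verify_chain(build_sample_chain(tamper=True)))
```

Storing the hash in every entry is what lets a later examiner prove the image handed to them is the one seized; the check is only as good as the hash recorded at seizure, which is why imaging and hashing at the scene matters.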
Secure the Evidence
Exhibit numbering:
The process of tagging evidence with a sequential number that includes case and evidence details. This allows the investigator to easily identify the evidence and know its details.
The investigators should mark all the evidence in a pre-agreed format, such as: aaa/ddmmyy/nnnn/zz.
 aaa are the initials of the forensic analyst or law enforcement officer seizing the equipment.
 dd/mm/yy is the date of seizure.
 nnnn is the sequential number of the exhibits seized by aaa, starting with 001 and going to nnnn.
 zz is the sequence number for parts of the same exhibit (e.g., ‘A’ could be the CPU, ‘B’ the monitor, ‘C’ the keyboard, etc.).
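As an added example for the aaa/ddmmyy/nnnn/zz format above (written for this page, not part of the course material), the helper below allocates tags with a separate sequence per analyst, so two analysts seizing at the same scene never collide, and parses tags back into their fields. It assumes the date is written as six digits without separators (since "/" is the field separator), that nnnn is zero-padded to four digits, and that initials are two or three lowercase letters; the date and initials used are constructed.

```python
"""Exhibit tag allocation and parsing for aaa/ddmmyy/nnnn/zz (added example)."""
import re
from datetime import date

# Assumed strictness: 2-3 lowercase initials, 6-digit date, 3-4 digit sequence, 1-2 letter part.
EXHIBIT_RE = re.compile(
    r"^(?P<aaa>[a-z]{2,3})/(?P<ddmmyy>\d{6})/(?P<nnnn>\d{3,4})/(?P<zz>[A-Z]{1,2})$")


class ExhibitNumberer:
    """Hands out tags, keeping one sequence counter per seizing analyst."""

    def __init__(self):
        self._next = {}   # initials -> next sequence number

    def new_exhibit(self, initials, seized_on, parts):
        """Allocate one exhibit number; return {part name: tag} with parts lettered A, B, C, ..."""
        initials = initials.lower()
        n = self._next.get(initials, 1)        # slides: the sequence starts at 001
        self._next[initials] = n + 1
        base = f"{initials}/{seized_on:%d%m%y}/{n:04d}"
        return {part: f"{base}/{chr(ord('A') + i)}" for i, part in enumerate(parts)}


def is_valid_exhibit(tag):
    return EXHIBIT_RE.match(tag) is not None


def parse_exhibit(tag):
    """Split a tag into analyst, seizure date, sequence and part; raise on a malformed tag."""
    m = EXHIBIT_RE.match(tag)
    if not m:
        raise ValueError(f"not a valid exhibit tag: {tag!r}")
    d = m.group("ddmmyy")
    return {
        "analyst": m.group("aaa"),
        "seized_on": date(2000 + int(d[4:6]), int(d[2:4]), int(d[0:2])),  # assumes 20yy
        "sequence": int(m.group("nnnn")),
        "part": m.group("zz"),
    }


def demo():
    """Constructed scene: analyst 'agh' seizes a workstation (3 parts) and then a phone."""
    numberer = ExhibitNumberer()
    seized = date(2025, 3, 15)
    workstation = numberer.new_exhibit("AGH", seized, ["CPU", "monitor", "keyboard"])
    phone = numberer.new_exhibit("agh", seized, ["phone"])
    return {**workstation, **phone}


if __name__ == "__main__":
    for part, tag in demo().items():
        print(f"{part:9s} {tag}  ->  {parse_exhibit(tag)}")
```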
Acquire the Data
Duplicate the Data (Imaging):
 Original data should not be used for analysis. Data imaging is performed to preserve the original data.
 The data should be duplicated bit by bit so that the copy represents exactly the same original data.
 Various hardware and software tools are available that can duplicate the data. The duplicated data is sent to the forensic lab for further analysis.
Acquire the Data
Verify Image Integrity:
To verify image integrity, calculate and match the MD5 hash of the original evidence and of the forensic image. Matching hash values show that the image is the same as the evidence. Various tools can be used to calculate the hash value, such as HashCalc, MD5 Calculator, HashMyFiles, and md5sum.
Image Integrity Tools:
 HashCalc: creates MD5 hashes for files, text and hex strings; supports 13 different algorithms.
 MD5 Calculator: displays the MD5 hash of a file to compare against a provided hash value.
 HashMyFiles: calculates the MD5 hash of one or more files; can also display the MD5 hashes of files or folders.
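The two steps above, bit-by-bit duplication and hash verification, fit together in one routine. The code below is an added example written for this page, not code from the course or from any listed tool: image_and_hash() streams the source block by block into an image file while hashing the source bytes, then re-reads the image independently and compares digests. The slides use MD5; SHA-256 is computed alongside because MD5 collisions are practical today and a second algorithm is commonly expected. The source used in demo() is a constructed file; on a real acquisition the source would be a device node opened read-only behind a hardware write blocker, and a defective sector would need the read error handled rather than aborting.

```python
"""Block-wise imaging with independent hash verification (added example)."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 1 << 20   # 1 MiB per read/write


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in blocks so that multi-terabyte images do not need to fit in memory."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def image_and_hash(source, image_path, algorithms=("md5", "sha256")):
    """Copy source to image_path bit for bit; return (source_hashes, image_hashes, verified)."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(block)
            for h in hashes.values():     # hash what was read, as it streams past
                h.update(block)
        dst.flush()
        os.fsync(dst.fileno())            # make sure the image is really on disk
    source_hashes = {name: h.hexdigest() for name, h in hashes.items()}
    image_hashes = hash_file(image_path, algorithms)   # independent re-read of the image
    return source_hashes, image_hashes, source_hashes == image_hashes


def demo(tamper=False):
    """Image a constructed 3 MiB 'drive'; with tamper=True flip one byte of the image afterwards."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "evidence.bin")
        image = os.path.join(d, "evidence.dd")
        with open(evidence, "wb") as f:
            f.write(bytes(range(256)) * (3 * BLOCK_SIZE // 256) + b"\x00" * 123)
        src, img, ok = image_and_hash(evidence, image)
        if tamper:
            with open(image, "r+b") as f:
                f.seek(1000)
                b = f.read(1)
                f.seek(1000)
                f.write(bytes([b[0] ^ 0xFF]))
            img = hash_file(image)
            ok = img == src
        return {"verified": ok, "md5": src["md5"], "sha256": src["sha256"]}


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

Record both digests on the chain-of-custody form at acquisition time; any later examiner can then re-hash the image and prove nothing changed in transit.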
Acquire the Data
MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
Acquire the Data
Recover Lost or Deleted Data:
It is required to recover and collect the lost or deleted data for evidence on the internal and external devices. Various tools can be used to recover the data, such as Recover My Files, Digital Rescue Premium, EASEUS Data Recovery Wizard, PC INSPECTOR File Recovery, Advanced Disk Recovery, and Total Recall.
Recover Lost or Deleted Data
 Recover My Files: recovers deleted files emptied from the recycle bin, or lost through accidental format, hard disk crash, etc.
 Recuva: recovers all types of lost files from disk or removable media.
 Advanced Disk Recovery: quick or deep scan for lost or deleted files.
 UndeletePlus: same functionality as Advanced Disk Recovery.
Analyse the Data
Data Analysis:
The acquired data should be thoroughly analyzed to reach conclusions related to the case. Data analysis techniques depend on the scope of the case and the client's requirements. Analysis includes the following:
 Analysis of the file's content, the date and time of file creation and modification, the users associated with file creation, access and modification, and the physical storage location of the file
 Timeline generation
The data should be identified and categorized in order of relevance. Forensic tools help in sorting and analyzing a large volume of data to draw meaningful conclusions. Some data analysis tools are: AccessData's FTK, Guidance Software's EnCase Forensics, and Brian Carrier's The Sleuth Kit.
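Timeline generation, the second analysis item above, is worth seeing in code. The block below is an added example written for this page, not code from the course or from FTK, EnCase or The Sleuth Kit: it walks a mounted evidence tree, records the modified, accessed and changed times of every file, sorts all events into one timeline and renders it as CSV. The directory tree in demo() is constructed in a temporary folder with back-dated timestamps; against a real image you would point build_timeline() at a read-only mount. Note the st_ctime caveat in the comments: on Linux it is the metadata change time, not creation time.

```python
"""MAC-time timeline from a file tree (added example, constructed sample tree)."""
import os
import tempfile
from datetime import datetime, timezone


def build_timeline(root):
    """Return (epoch_seconds, event, relative_path, size) rows for every file, oldest first."""
    events = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)   # lstat: never follow a symlink planted on the evidence
            rel = os.path.relpath(path, root)
            # st_ctime is inode/metadata change time on Linux and creation time on Windows.
            for kind, ts in (("modified", st.st_mtime),
                             ("accessed", st.st_atime),
                             ("changed", st.st_ctime)):
                events.append((ts, kind, rel, st.st_size))
    events.sort()
    return events


def timeline_to_csv(events):
    """Render rows as CSV with UTC ISO-8601 timestamps, suitable for a report appendix."""
    lines = ["timestamp_utc,event,path,size"]
    for ts, kind, path, size in events:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        lines.append(f"{when},{kind},{path},{size}")
    return "\n".join(lines)


def demo():
    """Constructed tree with back-dated files; returns (paths in modification order, csv text)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents"))
        sample = {                                  # relative path -> constructed epoch time
            "Documents/report.docx": 1_700_000_000,
            "notes.txt": 1_700_100_000,
            "Documents/old.bak": 1_699_000_000,
        }
        for rel, ts in sample.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as f:
                f.write(b"x" * 10)
            os.utime(path, (ts, ts))                # set atime and mtime to the constructed value
        events = build_timeline(root)
        csv_text = timeline_to_csv(events)
        modified_order = [path for _, kind, path, _ in events if kind == "modified"]
        return modified_order, csv_text


if __name__ == "__main__":
    order, csv_text = demo()
    print(csv_text)
    print("modification order:", order)
```

Because mtime and atime can be set by anyone with write access (exactly as demo() does), a timeline built from file system times alone is circumstantial; corroborate key entries with log records, registry data or application metadata before relying on them in the report.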
Analyse the Data
Data Analysis Tools:
 FTK Imager: data preview and imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs and network drives, and examination of the content of forensic images or memory dumps. FTK Imager can also create MD5 or SHA1 hashes of files, review and recover files deleted from the Recycle Bin, export files and folders from forensic images to disk, and mount a forensic image to view its contents in Windows Explorer.
 EnCase Forensic: popular multi-purpose forensic platform that includes many useful tools to support several areas of the digital forensic process. It also generates an evidence report. EnCase Forensic can help investigators acquire large amounts of evidence as fast as possible, from laptops and desktop computers to mobile devices. EnCase Forensic directly acquires the data and integrates the results into the cases.
 The Sleuth Kit (TSK): library and collection of command line tools for investigating disk images. The core functionality of TSK allows analyzing volume and file system data. The plug-in framework also allows incorporating additional modules to analyze file contents and build automated systems. The library can be incorporated into larger digital forensics tools and the command line tools can be used directly to find evidence.
Dealing with Powered Off Computers
At this point of the investigation, do not change the state of any electronic devices or equipment:
 If it is switched OFF, leave it OFF.
 If a monitor is switched OFF and the display is blank: turn the monitor ON, move the mouse slightly, observe the change from a blank screen to another screen, note the changes and photograph the screen.
 If a monitor is switched ON and the display is blank: move the mouse slightly. If the screen does not change, do not perform any other keystroke. Photograph the screen.
Dealing with Networked Computers
If the victim’s computer has an Internet connection, the first responder must follow this procedure in order to protect the evidence:
 Unplug the network cable from the router and modem, because the Internet connection can make the computer vulnerable to further attack.
 Don’t use the computer for evidence search, because doing so may alter the existing evidence or change its integrity.
 Unplug all the cords and devices connected to the computer and label them for later identification.
 Unplug the main power cord from the wall socket.
 Pack the collected electronic evidence properly and place it in a static-free bag.
 Keep the collected evidence away from magnets, high temperature, radio transmitters, and other elements that may damage the integrity of the evidence.
 Document all the steps involved in searching and seizing the victim’s computer for later investigation.
Assess Evidence and Case
Evidence Assessment:
The following are the best practices to assess the evidence:
 Review file names for relevance and patterns.
 Correlate the file headers to the corresponding file extensions to identify any mismatches.
 Review the time and date stamps in the file system metadata.
 Analyze the physical and logical evidence for their value to the case.
 Use a safe cabinet to secure the evidence.
 Examine network service logs for any events of interest.
 Examine the large amount of host data, where only a portion of that data might be relevant to the incident.
 Perform offline analysis on a bit-wise copy of the original evidence.
 Search the contents of all gathered files to help identify files that may be of interest.
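Two of the points on this page rest on the same idea, file signatures: the header/extension correlation listed just above, and the deleted-data recovery discussed under "Recover Lost or Deleted Data" (where the tools listed recover files by finding known headers in unallocated space, a technique called carving). The block below is an added example written for this page, not code from the course or from any of the tools it names. carve() scans a raw image for header/footer pairs and cuts out the files between them; check_extension() compares the type implied by a file's leading bytes with its extension and reports a mismatch. The signature table is a small constructed one (real carving tools carry hundreds), and the raw image and file list are constructed in memory.

```python
"""File-signature carving and header/extension correlation (added example)."""

# type -> (header, footer, extensions that legitimately carry this header).
# A footer of None means the format has no simple terminator and needs
# structure parsing instead, so carve() skips it (it is still used by check_extension).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", {"jpg", "jpeg"}),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", {"png"}),
    "pdf": (b"%PDF-", b"%%EOF", {"pdf"}),   # first %%EOF only; incremental updates add more
    "zip": (b"PK\x03\x04", None, {"zip", "docx", "xlsx", "pptx", "jar"}),
    "pe": (b"MZ", None, {"exe", "dll", "sys"}),
}


def carve(image: bytes):
    """Return (type, offset, data) for every header/footer pair found in a raw image, by offset."""
    found = []
    for ftype, (header, footer, _exts) in SIGNATURES.items():
        if footer is None:
            continue
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header))
            if end < 0:              # header without footer: partially overwritten file
                break
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end
    found.sort(key=lambda hit: hit[1])
    return found


def detect_type(head: bytes):
    """Name the type whose header the leading bytes match, or None."""
    for ftype, (header, _footer, _exts) in SIGNATURES.items():
        if head.startswith(header):
            return ftype
    return None


def check_extension(name: str, head: bytes):
    """'ok' if the extension fits the header, 'mismatch' if not, 'unknown' if no header matches."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ftype = detect_type(head)
    if ftype is None:
        return "unknown"
    return "ok" if ext in SIGNATURES[ftype][2] else "mismatch"


def scan(files):
    """files: iterable of (name, leading bytes); returns (name, verdict, detected type) rows."""
    return [(name, check_extension(name, head), detect_type(head)) for name, head in files]


def build_sample_image() -> bytes:
    """Constructed unallocated-space dump: slack, a JPEG, a PNG, then a JPEG fragment with no footer."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 64 + b"\xff\xd8\xff" + b"T" * 10


SAMPLE_FILES = [   # constructed (name, leading bytes) pairs
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("driver.dll", b"\xff\xd8\xff\xe1\x12\x08Exif"),   # a JPEG renamed to pass as a DLL
    ("report.docx", b"PK\x03\x04\x14\x00"),
    ("readme.txt", b"Just text"),
]


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"carved {ftype} at offset {offset}, {len(data)} bytes")
    for row in scan(SAMPLE_FILES):
        print(row)
```

Carved files have no name, timestamps or owner (that metadata lived in the deleted directory entry), so each hit is recorded by image offset and hashed before it goes into the report; the mismatch check is cheap enough to run over every file on the image and is a standard first pass for spotting renamed content.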
Assess Evidence and Case
Case Assessment:
The functions of a case assessment are as follows:
 It reviews the case investigator's request for service.
 It identifies the legal authority for the forensic examination request.
 It documents the chain of custody.
 It determines the potential evidence being sought, such as photographs, spreadsheets, documents, databases, and financial records.
 It discusses whether other forensic processes need to be performed on the evidence, such as DNA analysis, fingerprints, tool marks, trace, and questioned documents.
 It discusses the possibility of pursuing other investigative avenues to obtain additional digital evidence.
 It considers the relevance of peripheral components to the investigation. For example, in child pornography cases, consider digital cameras.
 It determines additional information regarding the case which may be obtained through interviews with the system administrator, users, and employees.
Assess Evidence and Case
Importance of Case Assessment:
The importance of case assessment is as follows:
 It makes the best use of the time and resources.
 It helps to clarify whether a person is likely to qualify.
 It avoids giving false hope to those who do not qualify.
 It allows people who do not qualify for the resettlement program to begin looking for other solutions.
Assess Evidence and Case
Processing Location Assessment:
The evidence should be assessed in order to determine where to conduct the examination. It is preferable to complete the examination in a controlled environment, such as a dedicated forensic work area or lab. An attempt to control the environment should be made whenever circumstances require an onsite examination to be conducted. Assessment considerations include the following:
 The time required onsite to accomplish evidence recovery
 Logistic and personnel concerns associated with long-term deployment
 The impact on the business due to a lengthy search
 The suitability of the equipment, resources, media, training, and experience for an onsite examination
Prepare the Final Report
Documentation in Each Phase:
The documentation in each phase is defined below:
Assess the data: The documentation in this phase includes the following:
 An initial estimate of the impact of the situation on the organization's business
 Summaries of interviews with users and system administrators
 Outcomes of any legal and third-party interactions
 Reports and logs generated by tools used during the assessment phase
 A proposed course of action
Acquire the data: In this phase, a check-in/check-out list is created. This list includes the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it.
Analyze the data: The documentation in this phase includes the following:
 The information regarding the number and type of operating systems
 The file's content
 The result of correlating files to the installed applications
 The user's configuration settings
Prepare the Final Report
Gather and Organize Information:
Documentation made in each phase should be identified for its relevance in the investigation. The following procedures are used to gather and organize the required documentation:
 Gather all notes from the assess, acquire, and analyze phases.
 Identify parts of the documentation that are relevant to the investigation.
 Identify facts to support the conclusions that will be made in the report.
 Create a list of all evidence to be submitted with the report.
 List any conclusions that you want to make in the report.
 Organize and classify the gathered information in order to make sure that you get a clear and concise report.
Prepare the Final Report
The Final Report:
The final report is an important stage in the outcome of the investigation. It should be clear, concise, and written for the appropriate audience. The final report must include the findings of the investigation in detail. This report has:
 Purpose of report
 Author of report
 Incident summary
 Specific files related to the request
 Other files, such as hidden and deleted files, that support the findings
 String searches, keyword searches, and text string searches
 Evidence found relating to the use or abuse of the Internet, such as Web site traffic analysis, chat logs, cache files, e-mail, newsgroup activity, and Internet history
 Graphic image analysis
 Indicators of ownership, such as program registration data
 Data analysis
 Descriptions of relevant applications on the observed items
 Techniques used to hide data, such as encryption, steganography, hidden attributes, hidden partitions, and file name anomalies
 Supporting materials, such as the chain of custody documentation, digital copies of evidence, and printouts of specific evidence
Prepare the Final Report
Write the Final Report:
Maintain the final report in the following sections:
 Details: This section provides a detailed description of the analyzed evidence, the analysis methods used, and the findings of the analysis. It also lists the procedures followed during the investigation, the analysis techniques used and the proof of the findings.
 Conclusion: This section summarizes the outcome of the investigation. The conclusion should be clear and unambiguous, and specific evidence should be referred to in order to prove the conclusion.
 Supporting documents: This section includes the background information referred to throughout the report. The supporting documents should provide enough information for the report reader to understand the incident completely.
Testifying as an Expert Witness
Expert Witness:
An expert or professional witness is a witness who, by virtue of education, training, skill, or experience, is believed to have knowledge in a particular subject beyond that of the average person, sufficient that others may officially (and legally) rely upon the witness's specialized (scientific, technical or other) opinion about evidence or a fact issue within the scope of their expertise.
This opinion is referred to as the expert opinion.
Expert witnesses may also deliver expert evidence about facts from the domain of their expertise. They investigate a crime, evaluate the evidence, educate the public and the court, and testify in court.
Testifying as an Expert Witness
Roles of an expert witness in presenting evidence to court:
The following are the roles of an expert witness in presenting evidence to court:
 Assist the court in understanding complex evidence.
 Help the attorney to get the truth.
 Honestly and fully express his or her expert opinion, without regard to any views.
Testifying as an Expert Witness
Testifying in the Court Room:
Presenting digital evidence in court requires knowledge of new, specialized, evolving, and complex technologies.
An expert testifying in court should satisfy the requirements of Fed. R. Evid. 702. Under Rule 702, an expert is a person with "scientific, technical, or other specialized knowledge" who can "assist the trier of fact". A qualified expert can testify "in the form of an opinion or otherwise" so long as:
 The testimony is based upon sufficient facts or data.
 The testimony is the product of reliable principles and methods.
 The witness has applied the principles and methods reliably to the facts of the case.
The expert witness should be familiar with the usual processes that are followed during a trial.
The attorney introduces the expert witness with high regard, and the opposing counsel tries to discredit him or her.
The attorney leads the expert witness through the evidence; this is followed by cross-examination by the opposing counsel.
Testifying as an Expert Witness
Closing the Case:
 The investigator should include the analysis and results in the final report.
 The basic report should cover who, what, when, where, and how.
 The report should explain the computer and network processes and the inner workings of the system.
 The investigator should provide explanations for the various processes and the various interrelated components.
 In a good computing investigation, the process can be repeated and the results obtained are the same every time.
Testifying as an Expert Witness
Maintaining Professional Conduct:
Take the following steps to maintain professional conduct:
 Consider all the available facts that relate to the crime scene.
 Ignore external biases to maintain the integrity of the fact-finding in all investigations.
 Keep the case confidential.
 Stay current on the latest technical changes in computer hardware and software, networking, and forensic tools.
 Maintain a chain of custody.
The following are the criteria to maintain professional conduct:
 Credibility
 Ethics and morals
 Standards of behavior
 Maintain objectivity and confidentiality
 Enriched technical knowledge
 Conduct with integrity
Testifying as an Expert Witness
Investigating a Company Policy Violation:
 While investigating, the business must continue with minimal interruption.
 Employees using the company's resources for personal use not only waste the company's time and resources, but also violate the company's policy.
 The misuse of resources costs companies millions of dollars. This misuse consists of surfing the Internet, sending personal e-mails, and using company computers for personal tasks.
 To enforce the policy, identify such employees, remind them of the company's policy, and take suitable action if it happens again.
Testifying as an Expert Witness
Computer Forensics Service Providers:
The field of computer forensics consists of locating, collecting, analyzing, and authenticating potential evidence located in computers and digital media storage devices. This type of information can be very helpful to individuals and companies involved in criminal or civil litigation or in other commercial or personal situations. There are a number of computer forensic service providers; some of them are listed here:
 Burgess Forensics is a computer forensics consulting company. It has offered computer forensics, electronic discovery, and expert witness and testimony services since 1985. Burgess Forensics uses various tools, such as EnCase, SMART Forensics, Paraben, FTK, etc., to provide Macintosh Digital Forensics, Windows Digital Forensics, and Cell Phone/Mobile/PDA Forensics.
 AC Forensics, Inc. provides forensic collection, examination and analysis of electronic evidence as well as e-mail conversion, extraction and document production in various standard review formats.
 ACR Data Recovery, Inc. is a full-scale data recovery center. It provides computer forensic software and in-house services to corporations and individuals.
 The Center for Computer Forensics (CCF) is a leading provider of services to law firms and corporations. It was established in 1997. It is uniquely qualified to offer a solution that is scaled to the requirements of the case, large or small. The CCF provides an inclusive list of data preservation, computer forensics, and e-discovery services to make sure that the case is handled economically. It also fulfills data recovery requirements by working with the Data Recovery Group.
 Computer Forensics Services (CFS) provides a complete suite of computer forensics, electronic evidence, and data recovery services.
 Elluma Discovery provides computer forensics, electronic discovery, forensic data recovery, forensic analysis, and computer expert witness services.
 CyberControls provides litigation consultancy and computer forensic services on a nationwide basis. It maintains a secured forensics lab along with a team of litigation consultants who provide a blend of technical and legal advice about e-discovery specifics.
Module 02 Summary
 There are three phases in the Computer Forensics Investigation Process: Pre-investigation, Investigation and Post-investigation.
 A CFL is a location designated for conducting a computer-based investigation on the collected evidence.
 A search warrant is an order from a judge that directs law enforcement to search for a particular piece of evidence at a particular location.
 Make a duplicate of the collected data so as to preserve the original.
 To preserve the integrity of the physical evidence, all evidence collected should be handled carefully.
 All digital evidence must be stored in a container, which must be secured to prevent unauthorized access.
 Documentation of the electronic crime scene is a continuous process during the investigation that creates a permanent record of the scene.
 The final report should include what the investigator did during the investigation, and what he or she found.
