COMPUTER FORENSICS INVESTIGATION
Dr. Gilbert M. Tumibay
Director, Information and Communication
Technology (ICT) Department
Professor, Doctor in Information Technology
Discussion Outline
• Philippine Law Enforcement Setting
• What is Computer Forensics?
• Defining the Need
• Role of an Investigator
• PNP Operation Procedure – Rule #26
• Basic Contents of a Response Kit
• Building a Computer Forensics Lab
• Hardware Write Blockers
• Forensic Software Tools
• Disk Imaging and Duplication
• Disk Analysis
• File Analysis
• RA 8792
• Rules on Electronic Evidence
Philippine Law Enforcement
Setting
NBI – National Bureau of Investigation
• Anti-Fraud and Computer Crimes Division
(ACCD)
• now Technical Intelligence Division (TID)
– Chief Palmer Mallari – proposes a mandatory
laptop registration.
– Senator Edgardo Angara filed a senate bill that will
create a modern cybercrime and forensic
laboratories (2011).
– The bill also proposes to create a DNA database.
– www.nbi.gov.ph
• Tie-up with Symantec (Norton Anti-Virus)
Philippine Law Enforcement
Setting
PNP – Philippine National Police
• CIDG – Criminal Investigation and Detection
Group
– Anti-Transnational Crime Division (ATCD)
Senior Supt. Gilbert C. Sosa (MCP)
– Cyber Crimes, Illegal Recruitment and Human
Trafficking Cases
– Cyber Crime Unit (CCU)
– Tie-up with Trend Micro (PC-Cillin Anti-Virus)
www.cidg.pnp.gov.ph
PNP-CIDG ATCD Update
• Four (4) Digital (Computer) Forensics
Laboratories in the Philippines
– Camp Crame Quezon City, Zamboanga City,
Davao City and General Santos City
• Twelve (12) CIDG Agents/Investigators who
underwent training from the US State
Department for Computer and Cellphone
Forensics (US-Certified Forensic Experts)
• The twelve experts completed the 12-day
training on Audio-Video Forensic Investigation
last March 2011
What is Computer Forensics?
• sometimes Computer Forensic Science
• is a branch of digital forensic science
pertaining to legal evidence found in
computers and digital storage media.
Computer forensics is also known as digital
forensics.
• www.cidg.pnp.gov.ph
What is Computer Forensics?
Five (5) basic steps to the computer forensics:
1. Preparation (of the investigator)
2. Collection (the data)
3. Examination
4. Analysis
5. Reporting
What is Computer Forensics?
• Evidence must be handled within legally
accepted standards and procedures
• Computer Forensics personnel must be
specially trained in analysis techniques
• Personnel must have a wide variety of
computer-related knowledge
Defining the Need
Reported Cases of Computer Crimes in the Philippines from PNP-CIDG:

Year   No. of Cases   % Increase
2003   37             ---
2004   56             51%
2005   161            187%
2006   527            223%
2007   1,843          250%
Defining the Need
Estimates based on statistical trend with an average increase of 178% every year:

Year   No. of Possible Cases
2008   5,124
2009   14,244
2010   39,601
2011   110,091
Defining the Need
Some of Computer Crime Cases:
• Debit and Credit Card Fraud - Access Device (R.A.
8484)
• Internet or Online Pornography
• Identity Theft
• Violation of Copyright Laws (R.A. 8293)
• Malware (virus and Trojan horse) invasion (R.A. 8792)
• Online or Phishing Scams
• Sexual Predation (Social Networking Sites)
• Hacking, Cracking or Unauthorized Access (R.A. 8792)
• Industrial or Corporate Espionage
• Sabotage (within and from the outside)
Role of the Investigator
• Investigator Impartiality
• Skill Sets and Training
• Evidence Control and Documentation
• Investigation and Analysis
• Report and Testifying
Investigator Impartiality
• Suspect’s guilt or innocence? – let evidence
tell the story
• Responsible for reporting inculpatory and
exculpatory evidence
• Investigator’s job is just to deliver the
evidence – not convict!
Skill Sets and Training
Investigator must have technical, presentation
and professional skills
• Technical skills include:
– Computer maintenance and networking
– Knowledge of law and criminal procedure
– Network and Internet security
– Knowledge of different operating systems and
application software (programming, database
and Internet)
– Forensic tools and procedures
Skill Sets and Training
Investigator must have technical, presentation
and professional skills
• Presentation skills include:
– Ability to translate highly technical subjects to
non-technical people
Skill Sets and Training
Investigator must have technical, presentation
and professional skills
• Professional skills include:
– Credibility
– Professionalism
– Impartiality
Evidence Control and Documentation
• Investigator must ensure all evidence is
properly acquired, controlled and
documented at ALL TIMES!
• Time, dates and events are important
Investigation and Analysis
• Requires a lot of patience!
• Requires highly technical skills
• Highly sophisticated tools versus Basic
computer tools
• Find evidence of illegal behavior or evidence
of acquittal
• Investigator must establish what happened,
how, when (timeline), by whom and to whom
Reporting and Testifying
• Results require detailed formal report
• Testifying for the defense or prosecution
• Testify as expert witness to support or refute
another’s testimony
PNP Operational Procedure
Rule #26 (last rule)
COMPUTER CRIME INCIDENT RESPONSE
(CCIR)
Section 1
Computer Crime Response Defined
- Computer Crime Response is the actual
police intervention in a computer crime
incident where the acquisition of matters of
evidentiary value are traceable within the
computer’s hardware and its network.
Section 2
Do’s and Don’ts in Computer Crime Response
a. When the computer is OFF at the time of arrival,
do not turn it ON.
b. When it is ON, do not turn it OFF nor touch its
mouse or keyboard.
c. If available, call for the Computer Incident
Response Team (CIRT)
d. If CIRT is not available, the unplugging of the
computer whether it is ON or OFF at the time of
unplugging should be done by pulling out the
cable directly from the back of the Central
Processing Unit (CPU).
Section 2
Do’s and Don’ts in Computer Crime Response
e. Each unplugged cable must be marked in the
same marking corresponding to the socket
from where the cable was unplugged.
(Example: “Socket5” marked “A” and the
“Cable End” also marked “A”) The computer
should be carefully handled and packed for
transport to the police station.
f. Only a computer forensic expert should
search for any evidence contained in the
computer hardware.
Section 2
Do’s and Don’ts in Computer Crime Response
g. The computer hard disk should be
duplicated by the forensic expert and the
original should be kept by the evidence
custodian for future court presentation.
Search and analysis shall be undertaken
using the imaged disk.
Requirements for Examination
1. Request form by the Investigator, Case
Officer or Chief of Office.
2. Submission of Actual evidence in the
custody of the Examiner. The Requesting
party and the Court with Jurisdiction can
pull-out evidence.
3. Additional Hard Drive (normally double or
more the Hard Drive for Examination)
4. Additional CD-R for Cellphone Forensics Data
Extraction Report.
Basic Contents of a Response Kit -
Hardware
• Hardware write blockers
• Spare Hard Drives
• USB Drives / Sticks / Cables
• USB Floppy Drive, Zip and DVD Writers
• Network Cables
• Network Switch or Hub
• Laptop or any Acquisition Device
Basic Contents of a Response Kit -
Software
• Bootable floppies / CDs / USBs
• Forensics Acquisition / Analysis Software
• Image viewers
Basic Contents of a Response Kit –
Other Devices and Tools
• Labels and markers for evidence catalogue
• Tapes and zip ties
• Proper forms
• Event Log Notebooks or forms
• Portable Forensic Write Blockers
• Camera or Digital Camera
Building a Computer Forensics Lab
For starters, the basic requirements are simple:
• At least two (2) Computers and a Laptop for
mobility
– A computer forensic investigator should
understand computer hardware, software,
operating systems, data storage and data cables
– Enclosure, power supply, motherboard,
processor, memory, hard disk drive, video cards,
sound cards, LAN cards, CDs and DVDs drives
Building a Computer Forensics Lab
When working on an investigation, knowledge
of different storage devices is important.
• Duplication (cables and type of storage)
• Hard Disk Drive (SCSI, IDE and SATA)
– Hardware Write Blockers
• Storage Media (USB, Floppy, CDs, DVDs and
Blu-ray disk) recordable and Re-writable.
Hardware Write Blockers
Forensic duplicator
• Devices that allow acquisition of information
on a drive without creating the possibility of
accidentally damaging the drive contents. They
do this by allowing read commands to pass but
blocking write commands.
Hardware Write Blockers
Portable Hardware Write Blockers
Commercial Forensic Software Tools
Most products are designed for Windows,
rarely some for Linux
• Guidance Software - Encase (most popular)
• Access Data - Forensics Toolkit
• DriveSpy (DOS-based for FAT/FAT32)
• Licensing Issues
Functions of Forensic Software
• Storage duplication / disk imaging
• Cross-Drive Analysis
• File analysis
• Deleted File Analysis
• Image file analysis
• Hidden file analysis
• Data recovery
• Legal audit trail
EnCase (Guidance Software)
• One of the most popular Windows-based
forensic suites
• Offers wide variety of functions including
acquisition, imaging, analysis, reporting, case
management
• Available in Enterprise or Standard Version
• Supports all known file systems
• Supports RAID acquisitions
• Supports variety of image formats
• Around $3,000
EnCase (Guidance Software)
Forensics Tool Kit - FTK (Access Data)
• Second most popular Windows-based
forensic suite
• Functions include, acquisition, imaging,
analysis, reporting, case management
• Can be purchased in separate kits
• The price is almost the same as EnCase
Open Source Forensic Tools
• Easily available, usually downloadable
• Client support not available
• Linux dd – for Linux OS (commercial
Windows-based tools are usually expensive)
• Functionality is almost the same as
Windows-based forensics software
Disk Imaging / Duplication
• Simple file copying (drag and drop)
• Advanced file copying (copying even deleted
files)
• Partition duplication (entire partition –
basically all files) Norton Ghost
• Forensic duplication (complete forensically
sound duplication – bit per bit)
– Bitstream Images – most accurate for forensic
investigation
– Even deleted files for years can still be recovered
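The difference between file copying and a bit-stream image is easiest to see in code. The following is an added example, not code from the original slides or from any tool they name: it copies a constructed 8-sector "disk" sector by sector into an image, hashes the image as it is written (the acquisition hash you record in the evidence log), re-hashes the image afterwards to verify it, and treats an unreadable sector the way `dd conv=noerror,sync` does, by zero-filling it and logging its number rather than aborting the acquisition. The 512-byte sector size, the `FlakyDevice` stand-in for a block device and the sample disk contents are all assumptions made for the example; the "deleted" text in sector 3 simply shows that content in unallocated space survives in a bit-stream copy even though no file copy would ever see it.

```python
import hashlib
import io

SECTOR_SIZE = 512  # assumed sector size; dd's default block size is also 512 bytes


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a raw block device: a byte buffer in which
    every sector listed in bad_sectors raises OSError on read, the way a
    physically damaged sector does on real media."""

    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, size=-1):
        if self.tell() // SECTOR_SIZE in self.bad_sectors:
            # skip past the damaged sector so the next read continues after it
            self.seek(SECTOR_SIZE, io.SEEK_CUR)
            raise OSError(5, "Input/output error")
        return super().read(size)


def acquire_image(device, image, sector_size=SECTOR_SIZE):
    """Bit-stream copy: read the device sector by sector, write every sector
    (allocated or not) to the image, hash the image as written.  Unreadable
    sectors are zero-filled and logged instead of aborting the acquisition."""
    digest = hashlib.sha256()
    bad_sectors = []
    sector = 0
    while True:
        try:
            chunk = device.read(sector_size)
        except OSError:
            bad_sectors.append(sector)
            chunk = b"\x00" * sector_size
        if not chunk:
            break  # end of device
        if len(chunk) < sector_size:
            chunk = chunk.ljust(sector_size, b"\x00")  # pad a short final read
        image.write(chunk)
        digest.update(chunk)
        sector += 1
    return {"sectors": sector, "bad_sectors": bad_sectors, "sha256": digest.hexdigest()}


def verify_image(image, expected_sha256, sector_size=SECTOR_SIZE):
    """Re-hash the finished image and compare with the acquisition hash."""
    image.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: image.read(sector_size), b""):
        digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def build_sample_disk():
    """Constructed 8-sector 'disk': a boot sector, one live file, and in
    sector 3 the content of a file that was deleted but never overwritten."""
    sectors = [b"\x00" * SECTOR_SIZE for _ in range(8)]
    sectors[0] = b"BOOT".ljust(SECTOR_SIZE, b"\x00")
    sectors[1] = b"live document: quarterly report".ljust(SECTOR_SIZE, b"\x00")
    sectors[3] = b"deleted message: still in unallocated space".ljust(SECTOR_SIZE, b"\x00")
    sectors[5] = b"\xAA" * SECTOR_SIZE  # marked unreadable in the demo
    return b"".join(sectors)


def demo():
    data = build_sample_disk()
    image = io.BytesIO()
    result = acquire_image(FlakyDevice(data, bad_sectors={5}), image)
    # what the image must look like: the source with the bad sector zeroed
    expected = data[:5 * SECTOR_SIZE] + b"\x00" * SECTOR_SIZE + data[6 * SECTOR_SIZE:]
    clean = acquire_image(FlakyDevice(data), io.BytesIO())
    return {
        "sectors": result["sectors"],
        "bad_sectors": result["bad_sectors"],
        "image_as_expected": image.getvalue() == expected,
        "verified": verify_image(image, result["sha256"]),
        "tamper_detected": not verify_image(image, "0" * 64),
        "deleted_content_present": b"deleted message" in image.getvalue(),
        "clean_hash_matches_source": clean["sha256"] == hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    print(demo())
```

The acquisition hash and the list of zero-filled sectors belong in the examination report: a later verification that fails means the image changed after acquisition, and the examiner needs to know which sectors of the image are padding rather than original data.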
Disk Analysis
• Disk Partitioning
– A hard drive can be divided into different
partitions (opposite of RAID)
– Tracks, sectors and clusters
– Clusters are variable-sized groups of sectors; the
cluster size depends on the file system: for FAT up
to 64k, for NTFS only 4k
• Disk Structures – FAT / FS
– FAT 16 / FAT 32 / NTFS
– Usually higher versions can read lower versions.
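To make the partitioning point concrete, here is an added example (not from the slides or from any named tool) that parses a classic MBR partition table from sector 0 of a disk image: it reads the four 16-byte entries, reports each partition's type, bootable flag, starting sector and byte offset in the image, and then lists the sector ranges that no partition claims. Those unallocated ranges matter to an examiner because data can sit outside every file system. The sample sector 0 is constructed for the example; the type-code table holds the commonly documented MBR type codes and 512-byte sectors are assumed.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"

# Commonly documented MBR partition type codes (not exhaustive)
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32M", 0x06: "FAT16", 0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def build_entry(bootable, ptype, lba_start, num_sectors):
    """Pack one 16-byte partition entry (CHS fields set to the 'use LBA' marker)."""
    status = 0x80 if bootable else 0x00
    chs = b"\xFE\xFF\xFF"
    return struct.pack("<B3sB3sII", status, chs, ptype, chs, lba_start, num_sectors)


def build_sample_mbr():
    """Constructed sector 0: zeroed boot code, a FAT32 volume, an NTFS volume."""
    entries = (build_entry(True, 0x0C, 2048, 204800)
               + build_entry(False, 0x07, 206848, 409600)
               + b"\x00" * 32)  # two empty slots
    return b"\x00" * 446 + entries + MBR_SIGNATURE


def parse_mbr(sector0):
    """Return the non-empty partition entries found in an MBR sector."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR (or a wiped one)")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0x00:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type_code": ptype,
            "type": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "lba_start": lba_start,
            "lba_end": lba_start + num_sectors - 1,
            "byte_offset": lba_start * SECTOR_SIZE,   # where to seek in the image
            "size_bytes": num_sectors * SECTOR_SIZE,
        })
    return partitions


def unallocated_ranges(partitions, total_sectors):
    """Sector ranges claimed by no partition (sector 0, the MBR, excluded)."""
    gaps = []
    cursor = 1
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    print("unallocated:", unallocated_ranges(parts, 1_000_000))
```

A GPT disk shows up here as a single 0xEE protective entry, which is the signal to parse the GPT header at sector 1 instead; and a missing 0x55AA signature on a disk that clearly held data is itself a finding worth noting in the report.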
File Analysis
• What are we looking for?
• Understand file category or file type
– Images, videos, audios and document files
• File Attributes
– Read-only, hidden, system (critical part of the
OS), archive, compressed or encrypted
• Time stamps of a file
– Accessed, modified or created
File Analysis
• File signature (header)
– Automatically determine the file type and opens
it with the appropriate application
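The file signature and time stamp bullets above can be demonstrated together. The following is an added example, not code from the slides or from any forensic suite they mention: it identifies a file's type from its leading bytes (a small magic-number table), flags files whose extension does not match the signature, and reports the file's time stamps from `os.stat`. The sample files and the fixed time stamp are constructed for the example; the signature table is an assumption covering a handful of common formats, not the full table a commercial tool ships. The `invoice.pdf` sample, whose content starts with the `MZ` executable header, is the kind of mismatch that the page's malware bullet is about.

```python
import os
import tempfile
from datetime import datetime, timezone

# (magic bytes, type name, extensions that legitimately carry that signature)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg", ("jpg", "jpeg")),
    (b"\x89PNG\r\n\x1a\n", "png", ("png",)),
    (b"GIF87a", "gif", ("gif",)),
    (b"GIF89a", "gif", ("gif",)),
    (b"%PDF-", "pdf", ("pdf",)),
    (b"PK\x03\x04", "zip", ("zip", "docx", "xlsx", "pptx", "jar", "apk")),
    (b"Rar!\x1a\x07", "rar", ("rar",)),
    (b"\x7fELF", "elf", ("", "so", "elf")),
    (b"MZ", "exe", ("exe", "dll", "sys", "scr", "ocx")),
]


def identify(header):
    """Type name for the first bytes of a file, or 'unknown'."""
    for magic, kind, _ in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename, header):
    """True if the signature is known and the extension does not belong to it;
    None when the signature is not recognised (no judgement possible)."""
    kind = identify(header)
    if kind == "unknown":
        return None
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    allowed = set()
    for _, k, exts in SIGNATURES:
        if k == kind:
            allowed.update(exts)
    return ext not in allowed


def mac_times(path):
    """Modified / accessed / changed times as UTC ISO strings.  Note that
    st_ctime is metadata-change time on Unix but creation time on Windows."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {"modified": iso(st.st_mtime),
            "accessed": iso(st.st_atime),
            "changed": iso(st.st_ctime)}


def analyse(path):
    report = mac_times(path)        # stat first so our own read does not touch atime
    with open(path, "rb") as fh:
        header = fh.read(16)
    name = os.path.basename(path)
    report["type"] = identify(header)
    report["mismatch"] = extension_mismatch(name, header)
    return report


FIXED_TIME = 1300147200  # 2011-03-15T00:00:00Z, constructed for the sample files


def demo():
    samples = {  # constructed contents
        "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 64,
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 64,   # executable wearing a .pdf name
        "notes.txt": b"meeting at 10",
    }
    with tempfile.TemporaryDirectory() as d:
        out = {}
        for name, content in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (FIXED_TIME, FIXED_TIME))
            out[name] = analyse(path)
        return out


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Two points a practitioner would add to the report: the extension test says nothing about files whose signature is unknown, so an "unknown" verdict is not a clean bill of health; and time stamps are read from the file system on the examiner's machine, so they are only meaningful when taken from the image, not from a copied-out file.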
• Malware
• Steganography
R.A. 8792 E-Commerce Act
Section 33 A - Penalties
• Hacking or cracking refers to unauthorized
access into or interference in a computer
system/server or information and
communication system; or any access in order to
corrupt, alter, steal, or destroy using a computer
or other similar information and communication
devices, without the knowledge and consent of
the owner of the computer or information and
communications system, including the
introduction of computer viruses and the like,
resulting in the corruption, destruction,
alteration, theft or loss of electronic data
messages or electronic documents.
R.A. 8792 E-Commerce Act
Section 33 – Penalties
• Minimum fine of One Hundred Thousand
pesos (P 100,000.00) and a mandatory
imprisonment of six (6) months to three (3)
years.
• Piracy through the use of telecommunication
networks, such as the Internet, that infringes
intellectual property rights is punishable. The
penalties are the same as hacking.
RULES ON ELECTRONIC EVIDENCE
RULE 11 - AUDIO, PHOTOGRAPHIC, VIDEO
AND EPHEMERAL EVIDENCE
SECTION 1
Audio, video and similar evidence. – Audio,
photographic and video evidence of events, acts or
transactions shall be admissible provided it shall be
shown, presented or displayed to the court and
shall be identified, explained or authenticated by
the person who made the recording or by some
other person competent to testify on the accuracy
thereof.
Remember!
The Role of Forensic Investigator
• Computers (storage media) can contain
information that helps law enforcement
determine:
–Chain of events leading to a crime
–Evidence that can lead to a conviction
or acquittal
Questions