Understanding Computer Technology and Forensic Strategies to Combat Cybercrime

 

Computer technology is an essential part of people’s lives and is growing rapidly, and so are computer-related crimes such as financial fraud, unauthorized access, identity theft, and intellectual property theft. Computer forensics plays a very important role in combating these crimes. “Computer forensics involves the acquisition and analysis of digital information to be used as evidence in civil, criminal, or administrative cases” (Nelson, B., et al., 2008).

Computer forensic investigations typically involve examining forensic data obtained from computer hard drives or other storage devices. This process adheres to standard policies and procedures to determine whether these devices have been compromised, accessed without authorisation, or tampered with. Computer forensic investigations are carried out collaboratively by a team and utilise various methods (such as static and dynamic analysis) and tools (such as ProDiscover or EnCase) to investigate computer security incidents and ensure the security of computer network systems. A successful computer forensic investigation requires familiarity with the laws and regulations concerning computer crime in the investigator’s own country (such as the Computer Misuse Act 1990 in the UK) and awareness of the different computer operating systems (such as Windows and Linux) and network operating systems (such as Windows NT). According to Nelson, B., et al. (2008), public investigations and private or corporate investigations are two distinct categories of computer forensic investigation. Public investigations are conducted by government agencies, while private investigations are carried out by private computer forensic teams. This report will focus on private investigations because the incident took place in a small to medium-sized enterprise newly established in Luton.

The report covers computer forensic models, data collection and its types, evidence acquisition, forensic tools, malware investigation, and the legal issues of computer forensics; finally, it provides the recommendations, countermeasures, and policies needed for this small to medium-sized enterprise to operate in a secure network environment.

2. Case Study

The online management system of a small London-based company recently showed anomalous records in its account and product databases. A simple check of the system logs revealed that some IP addresses were sending large volumes of data through the firewall. Meanwhile, some users also reported unusual messages during order processing and frequent redirections to what appear to be illegitimate payment pages.

The company utilized a generic e-commerce suite (osCommerce) and had a small team of six IT support personnel, but they did not feel they had the expertise to conduct a comprehensive malware/forensic investigation.

Due to increasing competition in the high-tech sector, the company is eager to ensure their systems have not been compromised. They have implemented digital forensic investigations to determine if any malicious activity has occurred and to ensure there is no malware in their systems.

Your task is to advise the IT team on how to locate and cleanse computers infected with malware and ensure that no other machines on the premises or network are compromised. The team also wants you to conduct a digital forensics investigation to see if you can trace the root cause of the issue and, if necessary, prepare a case against the perpetrator.

The company uses Windows servers, and the IT team applies basic patch packages monthly. However, the team has also noticed that some computers seem to have not been patched.

Deliverables

In this task, you are required to submit a 5000-word report that includes the following contents:

• Malware Investigation
• Digital Forensics Investigation

It is necessary to provide a valid rationale explaining why a specific method was chosen.

The report must also describe the digital forensics process and the relevant legal requirements for forensics:

  1. Identification: Determine evidence that is relevant to the case.
  2. Preservation: Safeguard the evidence to maintain its integrity.
  3. Analysis: Examine the data methodically to draw conclusions.
  4. Documentation: Record all findings and processes meticulously.
  5. Presentation: Compile the evidence and findings into a comprehensible report for legal proceedings.

Key legal requirements to consider include maintaining a chain of custody, ensuring the admissibility of evidence under local jurisdiction laws, and complying with privacy laws.


In the report, it is required to provide an evaluation of the tools and techniques used during the forensics process, assessing their effectiveness and identifying any existing issues (particularly the legal challenges related to cross-border forensics).

3. Association of Chief Police Officers (ACPO)

The Association of Chief Police Officers (ACPO) has established four principles that technicians involved in digital forensics must adhere to:

Principle 1: The data stored on a computer or storage medium must not be altered or changed, because this data may later be presented as evidence in court.

Principle 2: A person must be competent enough to handle raw data on a computer or storage media. If necessary, he/she should also be able to provide an explanation of the relevance and process of the evidence related to their actions.

Principle 3: All audit trails and other documentation based on the digital forensics process must be created and preserved. An independent third party should be able to review these processes and achieve the same results.

Principle 4: The individual responsible for evidence collection must fully adhere to the forensic process under legal and ACPO principles.

4. Computer Forensics Model

According to Kruse II, W.G., and Heiser, J.G. (2010), digital forensics involves verifying, preserving, extracting, and documenting every process. It also includes validating the evidence, analyzing it to find the root cause, and providing recommendations or solutions.

“Computer forensics is a burgeoning field with a lack of consistent regulations and standardization” (US-CERT, 2012). Each electronic forensics model focuses on a specific domain, such as law enforcement or electronic discovery. At present, there is no universally accepted single digital forensic investigation model. It is widely believed that a digital forensic model framework must be adaptable to support any type of incident and new technologies (Adam, R., 2012).

Kent, K., et al. (2006) developed a basic digital forensic investigation model based on the ideas of Venter (2006), known as the Four-Step Forensic Process (FSFP), which allows even non-technical personnel to carry out digital forensic investigations. This model is more flexible than any other, enabling organizations to adopt the most suitable framework based on the event that occurred. These are the reasons we chose this model for our investigation. The FSFP consists of the following four fundamental processes, as shown in the diagram:

[Figure: the four FSFP processes (collection, examination, analysis and reporting), with “Preserve and Document Evidence” spanning every stage]

“Preserve and Document Evidence” indicates that all evidence must be preserved and documented during each stage of the investigation so that it can be presented in court. Each process of the FSFP model is discussed in the sections below.

5. Scope of the Investigation

In this example, the scope of the forensic investigation is to:

- Validate Malicious Software Behavior (5 Aspects: Why, When, Where, What, Who)
- Verify Network Security
- If the Network is Compromised, Identify the Extent of the Impact
- Validate the Legitimacy of Processes When Necessary
- Provide Remediation Measures to Harden the System

6. Legal Challenges of Investigation

According to Nelson, B., et al. (2008), the legal challenges encountered during the forensic process are:

- Determine whether assistance from law enforcement is necessary; if so, they may provide support during the investigation or submit the investigative report to legal authorities after its conclusion.
- Obtain written authorization for access, unless permission has already been granted in a separate incident response.
- Discuss with legal counsel to identify any legal issues that may arise from improper evidence handling.
- Ensure that the client's confidentiality and privacy concerns are taken into account.

7. Preliminary Preparation

It is clear that we need to conduct preparations before the investigation to ensure it proceeds effectively. The preparatory steps are as follows:

- Gather all information regarding the client being assessed, such as the severity level of incidents.
- Determine the impact of the investigation on small and medium-sized businesses, including network downtime, duration to recover from the incident, revenue loss, and loss of confidential information.
- Obtain network topology diagrams and information on network devices.
- Identify external storage devices such as voice recorders, flash drives, external hard drives, CDs, DVDs, memory cards, and remote computers.
- Verify the forensic tools used in this investigation.
- Use the "netmon" tool to capture real-time network traffic while malicious activities are still active.
- Document all actions taken during the forensic process, as these records may be submitted as evidence in court.
- Image the hard drive of the target device and calculate the hash value using MD5.

8. Collection

“The collection phase is the initial stage of this process, requiring identification, labeling, documentation, and acquisition of data from potentially relevant sources. Guidelines and procedures must ensure the integrity of the data.” (CJCSM6510.01B, 2012). In a computer forensic investigation, two different types of data can be collected: volatile data and non-volatile data (persistent data). Volatile data exists on the system and can be erased when the power is off, such as memory (RAM), registry, and cache. Non-volatile data remains on the system whether the power is on or off, such as files on a hard drive. Given the existence of volatile data, a computer forensic investigation must know the optimal way to acquire the data. Evidence can be collected locally or remotely.

8.1 Volatile Data

The forensic workstation and the target machine must be on the same local area network (LAN). In this scenario the “Cryptcat” tool is used: the forensic workstation listens on a port, and the target machine connects to that port and sends the output of each collection command over the encrypted channel. On the target machine, open the command prompt (cmd.exe) and pipe the output of each command to:

cryptcat <forensic workstation IP address> 6543 -k key

On the forensic workstation, receive the data with:

cryptcat -l -p 6543 -k key >> <output file name>

Various tools can be used to acquire volatile data:

- HBGary’s FastDump – Local physical memory acquisition
- HBGary’s F-Response – Remote physical memory collection
- ipconfig – Gather detailed information about the target system
- net users and quser – Verify user login logs
- doskey /history – Collect command history
- net file – Validate services and drivers

Finally, collecting the contents of the clipboard is also a crucial aspect of a computer forensic investigation. More evidence can be gathered from a running machine, so if anomalies are still present, we can retrieve a significant amount of critical evidence from the running processes, network connections, and data stored in memory. Therefore, it’s essential to ensure that the affected computer is not shut down in order to collect this evidence.

8.2 Non-volatile Data

After acquiring volatile data, we proceed to capture non-volatile data. The first step is to clone the entire operating system, a process also known as a forensic image. This imaging preserves the original data without any alteration or modification, ensuring it can be presented as evidence in court. Forensic images can be created using tools like EnCase, ProDiscover, and FTK. A forensic investigator connects a write-blocking device to the target system and uses these forensic tools to replicate the entire contents of the target drive onto another storage device. Disk cloning involves duplicating the entire system, whereas a forensic image differs in that it can only be accessed with forensic tools, while a disk clone can be loaded onto any system for access. Disk cloning only includes the raw data, copying every bit of the disk with no additional content added. In contrast, a forensic image includes extra data such as hashes and timestamps and compresses empty disk blocks. A forensic image uses MD5 or SHA-2 values to ensure the integrity of digital evidence. (Nelson, B., et al., 2008)

Data collection can be completed through offline and online investigation. Forensic imaging is carried out offline. Network traffic can be collected online using Ethereal or Wireshark; firewall logs, antivirus software logs, and domain controller logs are obtained by examining non-volatile data. Similarly, it is necessary to collect web server logs, Windows event logs, database logs, IDS logs, and application logs. Once we gather all the digital evidence, we need to document it properly in the chain of custody (collection, preservation, transfer, court presentation). To ensure the integrity of the chain of custody, the entire process from the start of forensic collection to the conclusion of the investigation must be documented and submitted as a report.

Before proceeding with further processing, we need to create a bit-by-bit image of the disk. This requires accessing the entire disk volume and duplicating the raw media, including deleted files. Once the disk imaging is complete, a hash value needs to be used to ensure that the data obtained is authentic and complete. Data integrity must be maintained throughout the investigation, and the hash values of the evidence files should be stored in multiple locations. Most tools implement a read-only mode to avoid modifying the evidence files. In such cases, external storage devices and the hard drives of Windows NT servers must undergo forensic analysis.
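The hash-and-verify step described above, as an added example that is not part of the original report: the image is hashed once in a single pass, the digests are appended to a chain-of-custody log, and a later verification shows that a single changed byte is detected. File names, the examiner id and the log format are assumptions.

```python
"""Added example (not code from the report): hash a forensic image,
record the digests in a chain-of-custody log and later re-verify them.

Assumptions (hypothetical): the image is a raw file on disk and the
custody log is a JSON-lines file chosen by the examiner."""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images never sit in RAM


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Compute several digests over a binary stream in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data (used for known-answer checks)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_image(path, algorithms=("md5", "sha256")):
    """Hash an image file on disk."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def record_custody(log_path, image_path, digests, examiner, action):
    """Append one chain-of-custody entry: who did what to which image, when."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashes": digests,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_image(path, expected):
    """Recompute the recorded algorithms; True per algorithm only on an exact match."""
    current = hash_image(path, tuple(expected))
    return {name: current[name] == expected[name] for name in expected}


def demo():
    """Run the acquire -> record -> verify cycle on a constructed sample image."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        log = os.path.join(tmp, "custody.jsonl")
        # Constructed sample: a tiny fake volume so the script runs offline.
        with open(image, "wb") as fh:
            fh.write(b"NTFS    " + b"\x00" * 4096)
        digests = hash_image(image)
        record_custody(log, image, digests, "examiner-1", "acquired image")
        intact = verify_image(image, digests)
        # Flip one byte: both digests must now fail, which is the whole point.
        with open(image, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff")
        tampered = verify_image(image, digests)
        return intact, tampered


if __name__ == "__main__":
    print(demo())
```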

9. Inspection

Once we have gathered all possible evidence, we need to consider using various forensic tools for examination. The areas that need to be checked include the file system, registry, network, and data, as follows:

9.1 File System Check

NTFS (New Technology File System) is a newer file system technology. An NTFS disk can be considered a single file. The MFT, or Master File Table, is the primary file table containing all file and disk information and is also the first file in the NTFS system. MFT entries are also referred to as metadata. Files are stored in the MFT in two ways: resident and non-resident. Files smaller than 512 bytes stored within the MFT are considered resident, while those larger than 512 bytes are stored outside the MFT and are regarded as non-resident. In Windows NT, when a file is deleted, the system renames it and moves it to the Recycle Bin, storing two pieces of information about it: the file path and the file name. If a file is deleted from the Recycle Bin, its clusters on the disk are marked as available for reuse. NTFS is more efficient than FAT because it can reclaim deleted space more quickly. An NTFS file consists of data streams, which means an additional (alternate) data stream can be attached to a file. A data stream can be created as follows:

C:\>echo text_mess > file1.txt:file2.txt

Its contents can be retrieved with the following command:

C:\>more < file1.txt:file2.txt

W2K.Stream and Win2K.Team are viruses developed using data streams, designed to alter the original data streams. As researchers, we must be aware of the differences between the FAT and NTFS file systems in Windows (Nelson, B., et al., 2008).

9.2 Windows Registry Inspection

According to Carvey, H. (2005), the registry can be treated as a log file because it contains information that forensic investigators consider critical, such as the last modification time, stored as a FILETIME. Analysing the system’s registry can help resolve internal and external issues within the organisation and protect its reputation.

Since Windows 98, the registry has been a critical component of the Windows operating system. The Windows registry structure is typically organized into “Hives”:

- HKEY_CLASSES_ROOT: Ensures the required programs are executed.
- HKEY_CURRENT_USER: Contains general information about the user currently logged into the system.
- HKEY_LOCAL_MACHINE: Contains information about the system's hardware and drivers.
- HKEY_USERS: Contains all user information for the specific system.
- HKEY_CURRENT_CONFIG: Stores the system's current configuration information.

The Windows registry contains both volatile and non-volatile information. This means forensic analysts need to be familiar with the keys and values of the Windows registry and the data it holds.

Autostart Locations (auto-start registry entries): HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options provides program-redirection functionality, and it is possible to abuse this to redirect the launch of a program to a trojan file.

Analysts can inspect the startup locations to determine whether the issue is caused by malware, user error, or an attacker. They can use the AutoRuns tool from SysInternals.com to assist in the analysis.

User Activity: User behaviour can be tracked under HKEY_USERS/<SID>, which is mapped to HKEY_CURRENT_USER for the logged-on user. NTUSER.DAT contains the user’s registry configuration, and examining this file may provide clues about user activity.

Most Recently Used (MRU) List: The MRU list records specific recent actions of the user and can potentially be used to infer future behaviour. The registry key HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/RunMRU maintains a detailed list of user commands, with a value added for each command executed.

Forensic analysts can examine this registry value to determine whether the issue was caused by user actions or malicious software.

UserAssist: UserAssist is located in HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/UserAssist and includes two subkeys, named with a globally unique identifier, whose values appear to be encrypted records maintained for each application or object. The UserAssist keys mainly contain information about the EXE files and shortcuts the user opens frequently. These records may include data about malware triggered by the user. To decode and view the content, you can use UserAssistView.

USB Removable Storage: All devices that have been connected to the system leave a record in the registry, which can be viewed at HKEY_LOCAL_MACHINE/System/ControlSet00x/Enum/USBSTOR; each subkey records the ID of a USB device.

Investigators can search for relevant clues by analyzing USB devices connected to the system.

Wireless SSIDs: The wireless SSID used on a computer can be found in `HKEY_LOCAL_MACHINE/Software/Microsoft/WZCSVC/Parameters/Interface` (for Windows 8, the location is `HKEY_LOCAL_MACHINE/Software/Microsoft/WlanSVC/Interfaces`). These subkeys resemble a globally unique identifier and reveal each wireless SSID the system has connected to. By right-clicking and selecting modify, you can see the plain text SSID. IP addresses and other network information can be located under `HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/TCPIP/Interfaces/GUID`.

The Windows Registry is a crucial information source for digital forensics. If investigators know where to look, they can analyze data related to page redirects, track user activities, and examine network configurations.
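An added example (not part of the original report) of the registry analysis described above, covering the UserAssist records and the FILETIME values mentioned in this section. It relies on two facts: UserAssist value names are obfuscated with ROT13, and the run count and last-run FILETIME sit at fixed offsets inside each value (offsets 4 and 60 of the 72-byte Windows 7 and later layout; offsets 4 and 8 of the 16-byte Windows XP layout, whose count starts at 5). The sample entry is constructed, not exported from a real system.

```python
"""Added example (not from the report): decode UserAssist value names and
the run count / last-run FILETIME stored in each value.

Facts relied on: value names are ROT13-obfuscated; Windows 7+ values are
72 bytes with the run count at offset 4 and the FILETIME at offset 60;
Windows XP values are 16 bytes with the count (offset by 5) at offset 4
and the FILETIME at offset 8. The sample name and blob are constructed."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a raw FILETIME integer to an aware UTC datetime (None if unset)."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here to build the constructed sample value."""
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(value_name):
    """UserAssist obfuscates value names with ROT13; undo it."""
    return codecs.decode(value_name, "rot13")


def parse_userassist_value(blob):
    """Return run count, focus count and last-run time from a raw value."""
    if len(blob) == 72:  # Windows 7 and later layout
        run_count = struct.unpack_from("<I", blob, 4)[0]
        focus_count = struct.unpack_from("<I", blob, 8)[0]
        ft = struct.unpack_from("<Q", blob, 60)[0]
    elif len(blob) == 16:  # Windows XP layout: the count is stored offset by 5
        raw = struct.unpack_from("<I", blob, 4)[0]
        run_count = max(raw - 5, 0)
        focus_count = None
        ft = struct.unpack_from("<Q", blob, 8)[0]
    else:
        raise ValueError(f"unexpected UserAssist value length {len(blob)}")
    last_run = filetime_to_datetime(ft)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "last_run_utc": last_run.isoformat() if last_run else None,
    }


def build_win7_value(run_count, last_run, focus_count=0):
    """Constructed 72-byte value for demonstration; not a real registry export."""
    head = struct.pack("<IIII", 0, run_count, focus_count, 0)
    tail = struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 4
    return head + b"\x00" * 44 + tail


def analyse_entry(value_name, blob):
    """Combine the decoded program path with the parsed counters."""
    result = parse_userassist_value(blob)
    result["program"] = decode_name(value_name)
    return result


def sample_entry():
    """Constructed Windows 7-style entry. The GUID is the known-folder id that
    Windows substitutes for the System32 path, ROT13-applied like the rest."""
    name = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
    blob = build_win7_value(3, datetime(2012, 6, 15, 10, 30, tzinfo=timezone.utc))
    return name, blob


if __name__ == "__main__":
    print(analyse_entry(*sample_entry()))
```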

9.3 Network Forensics Investigation

The process of gathering and collecting information within a network is known as network forensics, sometimes referred to as packet capturing or packet mining. The goal is to gather network packet traffic, such as emails, web browsing data, etc., and ensure the consistency of these information sources, enabling more thorough investigations.

There are two primary methods of network forensics. The first is security-related, where a network monitoring system observes suspicious traffic and any type of intrusion. This is because attackers might delete all log files from an infected host, so in such cases, network-based evidence plays a key role in forensic analysis. The second method of network forensics involves law enforcement, where captured network traffic can be analyzed through keyword searches and interpretation by human experts.
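As an added example (not from the original report) of the security-related method just described, the following script performs the check from the case study on firewall logs: it aggregates bytes per source address and flags the sources whose total volume stands far above the median. The log format, the addresses (documentation ranges) and the volume threshold are constructed assumptions; the regular expression must be adapted to the real firewall's export format.

```python
"""Added example (not from the report): find source addresses moving
unusually large volumes through the firewall, the symptom described in
the case study. Log format and addresses are constructed."""
import re
from statistics import median

# Constructed sample lines in a key=value style (documentation IP ranges).
SAMPLE_LOG = """\
2012-06-15T10:30:01 fw1 src=192.0.2.45 dst=198.51.100.10 proto=tcp dport=443 bytes=1240 action=allow
2012-06-15T10:30:02 fw1 src=192.0.2.46 dst=198.51.100.10 proto=tcp dport=443 bytes=980 action=allow
2012-06-15T10:30:05 fw1 src=192.0.2.45 dst=198.51.100.10 proto=tcp dport=80 bytes=1510 action=allow
2012-06-15T10:30:07 fw1 src=203.0.113.9 dst=198.51.100.20 proto=tcp dport=3306 bytes=52428800 action=allow
2012-06-15T10:30:09 fw1 src=192.0.2.47 dst=198.51.100.10 proto=udp dport=53 bytes=120 action=allow
2012-06-15T10:30:11 fw1 src=203.0.113.9 dst=198.51.100.20 proto=tcp dport=3306 bytes=73400320 action=allow
2012-06-15T10:30:12 fw1 src=192.0.2.48 dst=198.51.100.10 proto=tcp dport=443 bytes=2200 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            yield rec


def volume_by_source(records):
    """Aggregate bytes, connection count and destination ports per source IP."""
    totals = {}
    for rec in records:
        t = totals.setdefault(rec["src"], {"bytes": 0, "connections": 0, "dports": set()})
        t["bytes"] += rec["bytes"]
        t["connections"] += 1
        t["dports"].add(rec["dport"])
    return totals


def flag_heavy_sources(totals, factor=20):
    """Return (src, bytes) for sources whose volume exceeds factor x the median source."""
    if not totals:
        return []
    med = median(t["bytes"] for t in totals.values())
    threshold = max(med * factor, 1)
    return sorted((src, t["bytes"]) for src, t in totals.items() if t["bytes"] > threshold)


def triage(text, factor=20):
    """Parse, aggregate and flag in one call; returns a list of findings."""
    totals = volume_by_source(parse_log(text))
    return [
        {"src": src, "bytes": b, "dports": sorted(totals[src]["dports"])}
        for src, b in flag_heavy_sources(totals, factor)
    ]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['src']}: {hit['bytes']} bytes to ports {hit['dports']}")
```

In the constructed sample only one source stands out, and its destination port points the investigator at the database server, which is where the case study's next step (section 9.4) picks up.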

9.3.1 Tools and Techniques for Network Forensics

We can use a forensic boot DVD/CD-ROM, USB flash drive, or even a floppy disk to perform any operations. First, we need to dump the memory, preferably using a sufficiently large USB flash drive. If it is necessary to collect non-volatile data and real-time data, we must also conduct a risk assessment to evaluate whether all operations are safe, as this data can be extremely useful in an investigation. Throughout the process, we should utilize a forensic toolkit because this will help meet the requirements of forensic investigation. These tools should be reliable and can be either commercial or open-source solutions.

Reliable tools should be used on a machine to gather some very important and sensitive information, such as:

- Process listings.
- Service listings.
- System information.
- Logged on and registered users.
- Network connections.
- Registry information.
- Binary dump of memory.

(7Safe, 2013)

There are many different types of network forensics tools, each with distinct functionalities. Some are solely for packet sniffing, while others include process identification, fingerprint recognition, geolocation, mapping, email communication, network services, and more. The table below lists some open-source tools available for network forensics along with their functionalities.

| Tool | Platform | Web Site | Attributes |
|---|---|---|---|
| TCPDump / Windump | Unix & Windows | www.tcpdump.org | F |
| NetStumbler | Windows | www.netstumbler.com | F |
| Wireshark | Unix & Windows | www.wireshark.org | F |
| Sleuth Kit | Unix | www.sleuthkit.org | F R C |
| Argus | Unix | www.qosient.com/argus | F L |
| SNORT | Windows / Unix | www.snort.org | F |

F: Filtering and Collecting; L: Log Analysis; R: Restructuring Data Flow; C: Correlating Data; A: Application Layer View

9.4 Database Forensics Investigation

A database is a collection of data that represents information in the form of files or a collection of files. Retrieving data from a database can be accomplished through a set of queries. Database forensics can be defined as the application and analysis of techniques in computer investigations to collect evidence from databases and present it in court. As databases contain sensitive data, there is a higher likelihood that they could be targeted by attackers due to a security vulnerability, allowing intruders to access and obtain this personal information.

In the case study mentioned, a substantial amount of data was transferred from the database, so the current task for the forensic team is to conduct a forensic investigation of the database with the help of forensic tools. Database forensics focuses on identifying, preserving, and analyzing data. Users accessing the database need to be authorized and authenticated by the database server. Once authorization is completed, only that user can access or modify the data. Now, if we examine the database audit logs, we can obtain a list of users who were granted permission to access the data. The forensic team needs to locate the remote IP addresses connected to the database.

This investigation can also help us determine if there are any data rows deliberately deleted by users and recover them. Moreover, it assists in proving or refuting data security vulnerabilities and helps us ascertain the extent of unauthorized access to the database. The Windows forensic tool v1.0.03 utilizes DMV (Dynamic Management Views) and DBCC (Database Consistency Check) commands to gather sufficient evidence as stated, to either confirm or deny an intrusion.

10. Analysis

First, we need to analyze and review the evidence we’ve collected. We will examine whether the evidence contains any hidden files or unusual files. Then, we will look for any abnormal processes running, open unusual ports, or abnormal application requests. Next, we will inspect any atypical accounts. We also need to determine whether the system is fully patched. Based on these analyses, we will discern if there is any malicious activity. Subsequently, we will formulate further strategic forensic investigations, such as comprehensive memory analysis, file system examination, event correlation, and full timeline analysis. In this case, malicious activity on network systems was confirmed, aligning with our initial analysis. To identify malicious code, we need to conduct an analysis of the malware’s executable files. Malware executable analysis can be divided into static analysis and behavioral analysis.

11. Malware Analysis

According to the Verizon “2012 Data Breach Investigations Report”, 99% of vulnerabilities led to data being compromised in days or less, while 85% took weeks to investigate. This is a significant challenge for security departments, as attackers gain substantial time inside the compromised environment; more “free time” results in more data theft and more severe damage.

When conducting malware forensics, it is important to note how indicators of malware installation and operation are stored in particular parts of a Windows PC. Legal departments require an audit of the recorded hash values, signatures, packed files, crash logs, system restore points, and page caches. Analysis of the current file system and event logs can reveal the behaviour of the malware on the system. Experienced analysts can focus on key areas, such as the system’s auto-start locations, to determine when the malware was installed, and search for the malware’s characteristic keywords to locate other infected hosts. They should also recognise common attack characteristics, including email attacks, browser history, and unauthorised logins.

According to Syngress, “Malware Forensics – Investigating and Analyzing Malicious Code” (2003), the investigation should cover the following objectives:

- Search for known malware
- Review installed programs
- Inspect prefetch files
- Examine executable files
- Check autostart entries
- Inspect scheduled tasks
- Review logs
- Examine user accounts
- Analyze file system
- Inspect registry
- Restore points
- Keyword search

Before conducting malware analysis, it’s necessary to set up an analysis environment. Using virtual machines and Ghost can assist in the analysis process.

11.1 Static Analysis

Static analysis is a method of analysing malware without executing it. Compared to dynamic analysis it is safer, because the malware is not run, so no files are altered or deleted. It is advisable to perform the analysis on a different operating system from the one the sample targets, since an accidental double-click could execute the malware. There are numerous static analysis techniques, including file fingerprinting, virus scanning, packer detection, string analysis, examining the PE file format, and disassembly.
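Two of the static techniques listed above (string analysis and examining the PE file format) as an added example that is not part of the original report. The sample "binary" is a constructed set of PE headers with a few embedded strings, so it runs offline and cannot execute; the URL, DLL and API names inside it are constructed indicators, not taken from any real sample.

```python
"""Added example (not from the report): two static-analysis steps on a
suspect binary without running it: extract printable strings and read
the PE header (machine type, section count, compile timestamp).
The sample PE below is constructed from headers only; it is not a real
executable and cannot run."""
import re
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data, min_len=4):
    """Printable ASCII and UTF-16LE strings of at least min_len characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return [s for s in found if len(s) >= min_len]


def parse_pe_header(data):
    """Follow the DOS stub pointer to the PE signature and read the COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, ts, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # Optional header magic: 0x10B = PE32, 0x20B = PE32+ (64-bit)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size else 0
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "compile_time_utc": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "pe32plus": magic == 0x20B,
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL characteristic
    }


def triage_strings(strings):
    """Group strings into the categories an analyst looks at first."""
    groups = {"urls": [], "dlls": [], "apis": [], "other": []}
    api_hints = ("URLDownloadToFile", "WinExec", "CreateRemoteThread", "WriteProcessMemory")
    for s in strings:
        if re.match(r"https?://", s, re.I):
            groups["urls"].append(s)
        elif s.lower().endswith(".dll"):
            groups["dlls"].append(s)
        elif any(s.startswith(h) for h in api_hints):
            groups["apis"].append(s)
        else:
            groups["other"].append(s)
    return groups


def build_sample_pe(timestamp=1339756200):
    """Constructed headers-only PE image used for the demonstration."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    # COFF header: x86, 3 sections, timestamp, no symbols, 224-byte optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * 222
    ascii_strings = b"\x00".join([
        b"kernel32.dll", b"urlmon.dll", b"URLDownloadToFileA",
        b"http://pay.example.test/redirect",
    ])
    wide = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    return bytes(dos) + coff + optional + b"\x00" + ascii_strings + b"\x00\x00" + wide + b"\x00\x00"


def analyse(data):
    """Header fields plus categorised strings for one binary."""
    return {"header": parse_pe_header(data), "strings": triage_strings(extract_strings(data))}


if __name__ == "__main__":
    print(analyse(build_sample_pe()))
```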

11.2 Dynamic Analysis

Dynamic analysis is a method of analyzing malware by running it and observing its behavior, also known as behavioral analysis. Dynamic analysis is not a safe activity, so a secure analysis environment must be established first. There are many dynamic analysis tools, but SysInternals’ Process Monitor and Wireshark are the most commonly used analysis tools.

In many malware analysis instances, a simple static and dynamic analysis can uncover all the answers about the malware.

12. Discovery

In the current stage of the investigation, we summarize all our findings:

- Attackers were identified who continuously accessed company computers remotely.
- Forensic analysis confirms the computer has been compromised.
- On some systems, upgrade patches have not been applied.
- Suspicious malware discovered on some infected computers.
- The functionality and targets of the malware lead us to conclude it's a "spam" sender software.
- Detected that attackers could access client systems using the malware, redirecting client access to payment gateways to another address.

13. Corrective Measures

It was determined that attackers can serve malicious website links through the malware on the client’s system when customers use the payment gateway. From this, two important conclusions can be drawn.

- Most of the described methods involve the human factor to some extent; therefore, employees need regular training. Security training will enhance network security.

- Numerous cases of hackers compromising legitimate websites to distribute malware demonstrate that even a competent user can have their computer infected with malicious software. Hence, we need to implement several security measures: antivirus software, promptly installing system updates, and monitoring internet traffic.

Main countermeasures to prevent malware include:

- Authentication and Password Protection
- Antivirus Software
- Firewall (Software or Hardware)
- DMZ (Demilitarized Zone)
- IDS (Intrusion Detection System)
- Packet Filtering
- Routing and Switching
- Proxy Services
- VPN (Virtual Private Networks)
- Logging and Auditing
- Access Control Timing
- It is impossible to completely secure a system in a public domain

In our example, the two most useful are the following:

- Firewall
- Login Audit

The firewall examines all web pages entering the user’s computer. Each web page is intercepted and analyzed for malicious code. If a web page accessed by the user contains malicious code, access is blocked, and a notification is displayed indicating that the requested page is infected. If the web page does not contain malicious code, the user can proceed to access it.

By logging, we mean the ability to collect and store information about events occurring within an information system. For example, who attempted to log into the system, when this attempt ended, which information resources were accessed, and who modified this information, among other details.

Auditing involves the analysis of accumulated data, comparison with near real-time data, and executing log audits to achieve the following objectives:

- Audit regular users and administrators
- Offer options for restoration time
- Detect records of attempted information security violations
- Provide information for verification and analysis

13.1 Security Policies

The content of the ISO/IEC 27000 series of international standards includes guidelines on how to develop and implement an organization’s information security strategy.

The practical rules comprise the following sections:

– Security Strategy


– Asset Management

– Human Resources Security

– Physical and Environmental Security

– Communication and Operational Security

– Access Control

– Purchase, Development, and Maintenance of Information Systems

– Information Security Incident Management

– Business Continuity Management

– Compliance with laws and regulations

In conducting business on the Internet, several key issues need to be considered: What types of software, hardware, and organizational measures are required to meet organizational needs? What constitutes a risk? What ethical standards should be applied, and what ethical guidelines must be adhered to when conducting business online? Who is responsible for these aspects? Based on the answers to these questions, the concept of organizational security policies can be developed.

The following section contains excerpts from a hypothetical security policy related to Internet security work. These excerpts are primarily designed based on an analysis of the types of security devices.

The overall strategy primarily includes two categories: technical strategy (encompassing the hardware and software used) and management strategy (how employees use and operate the system).

A General Security Policy for an Organization

- Any information system must have a security policy.
- The security policy must be accepted by senior management.
- Security policies should be in a simple and easily understandable format that can be embraced by all employees.
- Security policies should include:
  - a definition of the objects, scope, and mechanisms of information security, allowing for shared usage;
  - leadership's stance and principles on information security;
  - the general and specific responsibilities for information security;
  - guidance and protocols related to the security policy.
- Security policies must meet the following requirements:
  - compliance with national and international laws;
  - personnel training on security issues;
  - guidelines for detecting and defending against malware;
  - defined consequences for violating the security policy;
  - consideration of business continuity requirements.
- It is essential to designate a person responsible for reviewing and updating the security policies.
- Security policies need to be modified under the following circumstances:
  - changes in the organizational structure;
  - changes in the organization's technical structure.
- Regular compliance investigations of security policies are necessary.
- The cost-effectiveness of implementing security policies in the organization should be assessed (ISO/IEC 17799:2005).

14. Report

The forensic report presents the evidence collected so that it can be used in a court of law. The report must outline the scope of the forensic investigation, and the computer forensic investigator must understand the types of forensic reports: formal reports, written reports, and oral reports. A formal report includes factual findings, while a written report resembles a statement or affidavit and needs to be clear, accurate, and detailed. An oral report is less structured and serves as a preliminary report for areas of the investigation not yet covered. An investigation plan is a structured document that helps attorneys understand the issues anticipated with the defence's evidence, as well as the terminology and functions used in computer forensic investigations. Typically, a computer forensic report includes the following features:

- Purpose of the Report
- Author of the Report
- Incident Summary
- Evidence
- Analysis
- Conclusion
- Supporting Documentation

Many forensic tools can generate forensic investigation reports, such as ProDiscover.

15. Summary

This article covers how to conduct computer forensics and introduces various forensic tools. It also includes the four principles of the ACPO and discusses the implementation of the ISO17799 information security policies to enhance the secure network architecture of the organization. Additionally, it explains why we use this forensic model and analyzes the first four steps of the model, which are the most crucial steps in forensics. The report includes the analysis process—evidence obtained, and results of the analysis, along with recommendations to avoid the recurrence of similar issues.

Digital forensic investigations are a challenging process because each incident is distinct from others. Computer forensic investigations must be conducted when both technical and legal preparations are adequately made. Because evidence provided by a computer forensic investigation can form a crucial part of evidence in a significant case, the investigative report must be accurate and detailed.

[via infosecinstitute]
