Forensics Exam

The document discusses the role of a computer forensics investigator in criminal investigations. It covers topics like acquiring, analyzing, and securing digital evidence. Specific techniques discussed include creating disk images, analyzing email headers and attachments, and maintaining a chain of custody. Challenges of computer forensics like data volume, encryption, and emerging technologies are also addressed.

Uploaded by

zaphneathpeneah

Section A: E-Mail Crime Investigation- A Case Study Analysis

a) Role of a Principal Computer Forensic Investigator in a Criminal Investigation (2 Marks):

The Principal Computer Forensic Investigator is responsible for the scientific collection, preservation,
analysis, and presentation of digital evidence in a criminal investigation. They ensure the evidence is
handled legally and maintains its chain of custody.

b) Goals of Forensics Analysis (5 Marks):

- Identify: Locate and recognize digital evidence related to the crime.

- Collect: Secure and preserve digital evidence in a forensically sound manner.

- Analyze: Examine and interpret the collected evidence to extract relevant information.

- Report: Document the findings and generate a comprehensive report for legal proceedings.

- Present: Testify in court as an expert witness to explain the findings and their significance.

c) Steps involved in creating a bit-stream image of a hard drive using FTK Imager (5 Marks):

1. Write-block the drive to prevent accidental modifications.

2. Connect the drive to a forensic workstation.

3. Launch FTK Imager and select the source drive.

4. Choose a destination for the image file.

5. Configure imaging options (e.g., compression).

6. Verify the image creation process by comparing MD5 hashes.

d) Importance of MD5 Hashes (3 Marks):

MD5 hashes are checksums used to verify the integrity of digital evidence. They show that the image is an exact copy of the original hard drive and has not been tampered with during acquisition or storage. This is crucial for maintaining the admissibility of evidence in court.
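As an added example (not part of the exam paper), the hash verification step from c) and d) in Python: digests are recorded at acquisition time, recomputed later from the stored image, and compared. The sample "image" is a constructed three-byte file standing in for a bit-stream image; the acquisition log is a plain dict. SHA-256 is recorded alongside MD5 as a defensive choice, since MD5 collisions are practical and many labs now log both.

```python
import hashlib
import os
import tempfile

# Read images in 1 MiB chunks so multi-terabyte images never need to fit in memory.
CHUNK_SIZE = 1024 * 1024


def hash_bytes(data, algorithm="md5"):
    """Hex digest of an in-memory buffer (useful for small artifacts and tests)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="md5"):
    """Hex digest of a file, computed incrementally so large images stream through."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, acquisition_digests):
    """Recompute each digest recorded at acquisition and report which ones still match.

    acquisition_digests maps algorithm name -> hex digest written in the acquisition log.
    Returns a dict algorithm -> True/False.
    """
    return {
        algo: hash_file(path, algo) == expected.lower()
        for algo, expected in acquisition_digests.items()
    }


def demo():
    """Constructed walk-through: acquire, record digests, verify, then detect a one-byte change."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")  # stand-in for a bit-stream image
        with open(image, "wb") as f:
            f.write(b"abc")  # constructed content; a real image holds the whole drive

        # Digests as they would be written into the acquisition log. MD5 is what the
        # exam asks for; SHA-256 is recorded as well because MD5 collisions are practical.
        acquired = {"md5": hash_file(image, "md5"), "sha256": hash_file(image, "sha256")}
        before = verify_image(image, acquired)

        # Simulate an alteration of the stored image: overwrite the first byte.
        with open(image, "r+b") as f:
            f.write(b"x")
        after = verify_image(image, acquired)
        return acquired, before, after


if __name__ == "__main__":
    digests, before, after = demo()
    print("acquisition digests:", digests)
    print("verification before alteration:", before)
    print("verification after alteration:", after)
```

Every digest fails after the single-byte change, which is the property the exam answer relies on: the acquisition hash only proves integrity if it is recorded separately from the image and recomputed whenever the image changes hands.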

e) Artifacts Analyzed and Why (10 Marks):

- FTK Search Results (PST file): Identified email client software and potential location of relevant emails.

- Email Header Analysis: Extracted sender's email address, IP address, and potential location for further investigation.

- Email Domain Analysis: Determined if the sender's email originated from a free public service or a registered domain.

- Domain Registrant Details: Gathered information about the domain owner to identify potential leads.

- Hosting Company Details: Identified the email service provider to obtain server logs and potentially user information.

- Mail Server Logs: Analyzed login activity to determine if the sender's email originated from the reported location.

- Video Footage: Verified the suspect's physical presence at her desk during the time of the email's sending (establishing alibi).

- Email Attachment: Checked for hidden messages using steganography techniques (Stegdetect).
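The header, domain and attachment steps above, as an added example that is not part of the exam paper. It parses a constructed message (RFC 5737 documentation IP ranges and fictional domains), pulls the sender address from the From header, walks the Received headers bottom-up to recover the relay chain from origin to recipient, classifies the sender domain against a sample list of free webmail providers (constructed and not exhaustive), and checks each attachment's bytes against the file signature its declared type implies. The PNG attachment payload is a constructed eight-byte file header only.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message. Received headers are read bottom-up: the lowest one
# was added by the first server to handle the message and is closest to the sender.
RAW_EMAIL = """\
Received: from mail.relay.example (mail.relay.example [203.0.113.5])
        by mx.victim.example (Postfix) with ESMTP id ABC123
        for <victim@victim.example>; Mon, 4 Mar 2024 09:15:02 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
        by mail.relay.example with ESMTPSA; Mon, 4 Mar 2024 09:15:01 +0000
From: "J. Doe" <jdoe@gmail.com>
To: victim@victim.example
Subject: Invoice
Date: Mon, 4 Mar 2024 09:14:55 +0000
Message-ID: <constructed-id@relay.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: image/png; name="photo.png"
Content-Disposition: attachment; filename="photo.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Sample list of free public webmail domains (constructed for this example, not exhaustive).
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}

# File signatures used to check that an attachment's content matches its declared type.
MAGIC_BYTES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF",
}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_chain(msg):
    """IP addresses from the Received headers, ordered from origin to final recipient."""
    seen, chain = set(), []
    for header in reversed(msg.get_all("Received", [])):
        for ip in IPV4_IN_BRACKETS.findall(str(header)):
            if ip not in seen:
                seen.add(ip)
                chain.append(ip)
    return chain


def describe_attachments(msg):
    """Filename, declared type, decoded size, and whether the magic bytes agree with the type."""
    result = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        magic = MAGIC_BYTES.get(declared)
        result.append({
            "filename": part.get_filename(),
            "content_type": declared,
            "size": len(data),
            # None when no signature is known for the declared type
            "magic_matches": None if magic is None else data.startswith(magic),
        })
    return result


def analyze_email(raw):
    msg = message_from_string(raw, policy=policy.default)
    name, address = parseaddr(str(msg["From"]))
    domain = address.rpartition("@")[2].lower()
    return {
        "sender_name": name,
        "sender_address": address,
        "sender_domain": domain,
        "free_webmail": domain in FREE_WEBMAIL_DOMAINS,
        "relay_ips": relay_chain(msg),
        "message_id": str(msg["Message-ID"]),
        "attachments": describe_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in analyze_email(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

The origin address in the lowest Received header is the one worth taking to the hosting company for log correlation; the From header is sender-controlled and only tells you which domain's registrant and provider to approach. A declared type that disagrees with the file signature is the cue to examine the attachment more closely.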

f) Countermeasures to Secure Evidence (5 Marks):

- TrueCrypt Encryption: Protected the acquired image file with a password.

- Chain-of-Custody Documentation: Tracked the movement and handling of evidence.

- Forensic Lab Storage: Maintained the evidence in a secure and controlled environment.

- Write-Blocking: Prevented accidental modifications to the original hard drive.

- Password Protection: Secured access to the forensic workstation and software.

g) Chain-of-Custody (5 Marks):

A chain-of-custody document is a record that tracks the possession, movement, and handling of
evidence throughout the investigation. It ensures the evidence is authentic and hasn't been tampered
with. It's crucial for establishing the admissibility of evidence in court.

h) Challenges Faced During Computer Forensics Analysis (5 Marks):

- Data Volatility: Deleted or fragmented data can be difficult or impossible to recover.

- Encryption: Encrypted data may require specialized tools or decryption keys for access.

- Data Volume: Analyzing large amounts of data can be time-consuming and resource-intensive.

- Emerging Technologies: Keeping pace with new devices, software, and digital storage methods.

- Legal Issues: Understanding and complying with electronic evidence laws and regulations.

Answers to Your Computer Forensics Questions:

Question 1: Internal Fraud Investigation

a) Problems and Solutions:

- Data Volume: Analyzing TBs of data can be overwhelming.

  - Solution: Use filtering techniques based on user access logs, file types, and date ranges to focus on relevant data.

- Data Integrity: Ensuring data hasn't been tampered with is crucial.

  - Solution: Employ write-blocking tools to create a forensic copy of the data, preserving the original evidence.

- Employee Access: System and network admins can provide information on user activity and data access patterns.

  - Solution: Collaborate with them to identify suspicious access attempts or data transfers.

b) Data Acquisition Methods and Strategies:

- Logical Acquisition: Preferred method as it creates a copy without altering the original data.

  - Use specialized forensic software to acquire a bit-by-bit copy of the suspect's hard drive and relevant network shares.

- Keyword Searching: Can help identify specific files or documents related to the stolen data.

- Timeline Analysis: Reconstruct the timeline of data access and transfers to pinpoint suspicious activity.
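The filtering and timeline steps from a) and b) of Question 1, as an added example that is not from the exam paper. It reads a constructed file-server access log (timestamp, user, action, path, bytes; not real data), narrows it by date window and file type, orders the surviving events into a timeline, and flags copy operations outside an assumed 08:00 to 18:00 UTC working window together with the volume moved by each user. The log format, the business-hours window and the COPY action name are all assumptions of the example.

```python
import os
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access log: timestamp,user,action,path,bytes (no real users or systems).
SAMPLE_LOG = """\
2024-03-04T08:55:12Z,alice,READ,/finance/q1_forecast.xlsx,204800
2024-03-04T22:41:03Z,bob,COPY,/finance/customer_list.xlsx,52428800
2024-03-04T22:43:17Z,bob,COPY,/finance/payroll.csv,10485760
2024-03-05T09:10:44Z,carol,READ,/hr/handbook.pdf,1048576
2024-03-05T23:02:09Z,bob,COPY,/finance/q1_forecast.xlsx,204800
2024-03-06T10:00:00Z,alice,WRITE,/finance/q1_forecast.xlsx,210000
"""

BUSINESS_HOURS = (8, 18)  # assumed working window, 08:00-18:00 UTC


def parse_log(text):
    """Turn raw log lines into dicts with a timezone-aware timestamp and file extension."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "action": action,
            "path": path,
            "bytes": int(size),
            "ext": os.path.splitext(path)[1].lower(),
        })
    return events


def filter_events(events, users=None, start=None, end=None, extensions=None):
    """Narrow the log to the users, date window [start, end) and file types of interest."""
    selected = []
    for e in events:
        if users and e["user"] not in users:
            continue
        if start and e["time"] < start:
            continue
        if end and e["time"] >= end:
            continue
        if extensions and e["ext"] not in extensions:
            continue
        selected.append(e)
    return selected


def build_timeline(events):
    """Chronological (time, user, action, path) tuples, ready for the report."""
    ordered = sorted(events, key=lambda e: e["time"])
    return [(e["time"].isoformat(), e["user"], e["action"], e["path"]) for e in ordered]


def after_hours_transfers(events, actions=("COPY",)):
    """Transfers outside business hours: a common reason to look at an event more closely."""
    start_h, end_h = BUSINESS_HOURS
    return [e for e in events if e["action"] in actions and not (start_h <= e["time"].hour < end_h)]


def bytes_per_user(events):
    totals = defaultdict(int)
    for e in events:
        totals[e["user"]] += e["bytes"]
    return dict(totals)


def investigate(text):
    """Apply the filters an examiner would start with and summarise what is left."""
    events = parse_log(text)
    window_start = datetime(2024, 3, 4, tzinfo=timezone.utc)
    window_end = datetime(2024, 3, 6, tzinfo=timezone.utc)  # exclusive
    in_scope = filter_events(events, start=window_start, end=window_end, extensions={".xlsx", ".csv"})
    flagged = after_hours_transfers(in_scope)
    return {
        "in_scope": len(in_scope),
        "timeline": build_timeline(in_scope),
        "after_hours": [(e["user"], e["path"]) for e in flagged],
        "bytes_transferred": bytes_per_user(flagged),
    }


if __name__ == "__main__":
    for key, value in investigate(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Filtering before timeline construction is what keeps the volume problem in check: the timeline is built only from events that survive the user, date and file-type filters, and the after-hours and byte-count views are derived from that same reduced set so every flagged item traces back to a logged event.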

Question 2: Murder Investigation - Legal and Ethical Issues

- Chain of Custody: Maintaining a documented record of evidence handling is critical to ensure its admissibility in court.

- Privacy Concerns: Only acquire data relevant to the investigation and avoid accessing personal information not related to the case.

- Authorization: Obtain a warrant for data acquisition unless there are exigent circumstances (immediate threat to life or evidence).

Question 3: Network Forensics

a) Network Forensics Process:

1. Collection: Capture network traffic data using packet sniffers or network taps.

2. Analysis: Identify suspicious network activity, intrusions, and data exfiltration attempts.

3. Reconstruction: Piece together the sequence of events and identify the source of the attack.

4. Reporting: Document the findings and generate a report for legal proceedings.

b) Network Forensics Artifacts:

- Network Traffic Logs: Records of data packets flowing through the network, including source, destination, and content (if unencrypted).

- Firewall Logs: Information about blocked attempts to access unauthorized resources.

- IDS/IPS Logs: Data from Intrusion Detection/Prevention Systems identifying suspicious network activity.

- DNS Logs: Records of Domain Name System queries, revealing websites accessed.

Question 4: Importance of Report Writing in Computer Forensics

a) Importance:

- A well-written report clearly documents the investigation process, findings, and conclusions.

- It serves as a permanent record for legal proceedings and future reference.

b) Eye Witness vs. Expert Witness:

- Eye Witness: Reports observations of an event (e.g., seeing someone using a computer).

- Expert Witness: Analyzes digital evidence and interprets its technical significance in the context of the case (e.g., explaining deleted files recovered from a computer).

c) Role of an Expert Witness:

- Presents technical findings from the computer forensic investigation to the court in understandable terms.

- Explains the methodology used and the implications of the evidence for the case.

d) Report Writing Guidelines:

- Clarity and Conciseness: Use clear language and avoid technical jargon where possible.

- Accuracy: Ensure all information is factually correct and verifiable.

- Objectivity: Present findings without bias or speculation.

- Chain of Custody: Document the handling and preservation of evidence.

Question 5: Computer Forensics and Law Enforcement

a) What is Computer Forensics and its Use in Law Enforcement?

Computer forensics is the scientific method of collecting, analyzing, and preserving digital evidence from
electronic devices. Law enforcement uses it to investigate cybercrime, financial fraud, identity theft, and
other crimes where digital evidence is present.

b) Seizing Digital Evidence at the Scene

- Secure the scene to prevent further tampering with evidence.

- Identify and document all electronic devices.

- Employ write-blocking techniques to create a forensic copy of the data.

- Maintain a chain of custody record for all seized evidence.

c) Types and Characteristics of Computer Forensic Evidence

- Two Types of Evidence:

  - Direct: Digital evidence directly related to the crime (e.g., incriminating documents).

  - Indirect: Supports the existence or nature of direct evidence (e.g., access logs).

- Characteristics of Computer Forensic Evidence:

  - Intangible: Exists as electronic data, requiring special handling techniques.

  - Volatile: Can be easily altered or destroyed.

  - Duplicable: Can be easily copied.
