Thursday , 28 March 2024

Fundamental Computer Investigation Guide For Windows

Internet connectivity and technological advances expose computers and computer networks to criminal activities such as unauthorized intrusion, financial fraud, and identity and intellectual property theft. Computers can be used to launch attacks against computer networks and destroy data. E-mail can be used to harass people, transmit sexually explicit images, and conduct other malicious activities. Such activities expose organizations to ethical, legal, and financial risks and often require them to conduct internal computer investigations.

This guide discusses processes and tools for use in internal computer investigations. It introduces a multi-phase model that is based on well-accepted procedures in the computer investigation community. It also presents an applied scenario example of an internal investigation in an environment that includes Microsoft® Windows®–based computers. The investigation uses Windows Sysinternals tools (advanced utilities that can be used to examine Windows–based computers) as well as commonly available Windows commands and tools.

Some of the policies and procedures invoked in investigations that result from computer security incidents might also exist in disaster recovery plans. Although such plans are beyond the scope of this guide, it is important for organizations to establish procedures that can be used in emergency and disaster situations. Organizations should also identify and manage security risks wherever possible. For more information, see the Security Risk Management Guide.

Computer Investigation Model
According to Warren G. Kruse II and Jay G. Heiser, authors of Computer Forensics: Incident Response Essentials, computer forensics is “the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.” The computer investigation model in the following figure organizes the different computer forensics elements into a logical flow.
[Figure: Computer investigation model]

The four investigation phases and accompanying processes in the figure should be applied when working with digital evidence. The phases can be summarized as follows:

  • Assess the situation. Analyze the scope of the investigation and the action to be taken.
  • Acquire the data. Gather, protect, and preserve the original evidence.
  • Analyze the data. Examine and correlate digital evidence with events of interest that will help you make a case.
  • Report the investigation. Gather and organize collected information and write the final report.

Detailed information about each of the phases is provided in the chapters of this guide.

Initial Decision-Making Process
Before you begin each of the general investigation phases, you should apply the initial decision-making process shown in the following figure.
[Figure: Initial decision-making process]

With the assistance of legal advisors, you should determine whether or not to involve law enforcement. If you determine that law enforcement is needed, you still need to continue the internal investigation unless law enforcement officials advise you otherwise. Law enforcement might not be available to assist in the investigation of the incident, so you must continue to manage the incident and investigation for later submission to law enforcement.

Depending on the type of incident being investigated, the primary concern should be to prevent further damage to the organization by those person(s) who caused the incident. The investigation is important, but is secondary to protecting the organization unless there are national security issues.

If law enforcement is not involved, your organization may have existing standard operating procedures and policies that guide the investigation process. Refer to the “Reporting Computer-Related Crimes” section in Appendix: Resources in this guide for types of crimes that need to be reported to law enforcement.

Chapter Summary
This guide consists of five chapters and an appendix, which are briefly described in the following list. The first four chapters provide information about the four phases of the internal investigation process:

  • Assess the Situation explains how to conduct a thorough assessment of the situation and prepare for the internal investigation.
  • Acquire the Data provides guidance about how to gather digital evidence.
  • Analyze the Data examines the standard techniques of evidence analysis.
  • Report the Investigation explains how to write the investigation outcome report.
  • Applied Scenario Example describes a fictional scenario that depicts unauthorized access to confidential information.
  • Resources includes information about how to prepare for a computer investigation, contact information for reporting computer-related crimes and obtaining computer investigation training, worksheets that can be used in computer investigations, and lists of certain computer investigation tools.

References and Credits
The information in this guide is based on information provided by recognized industry experts and other guidance, including the following publications:
