Forensic Methodology and Logistics
This session will provide a condensed review of the key learning objectives related to the forensic process: issues to consider and strategic planning for this component of the fraud examination.
How the data is forensically acquired is perhaps the most important step in the forensic process. Precautions against alteration of the original evidence and other issues will be discussed. Basic steps in data acquisition using one or two of the forensic software applications will be demonstrated.
Understanding File Systems
In this section, participants will get a better understanding of how operating systems store information. We will examine how the most common file systems function and how data is stored on these systems.
Cell Phone and Other Mobile Device Forensics
Cell phones and other mobile devices are everywhere, and they are turning up in investigations on a regular basis. Learn what can be stored on these devices, how to extract it, and how to use it to support your case. We will take a closer look at tools and techniques specific to analyzing these and other storage devices.
Analyzing Windows Systems
In this block, we will examine where evidence resides on current Windows platforms. Participants will learn how to examine the Windows Registry, Windows Event logs, and Internet usage, focusing on the tools and techniques used to perform such analysis.
The average computer hard disk drive today is 100 gigabytes (and growing), which is the equivalent of 7-10 million printed pages. Due to the volume of data that may require examination, the creation of an effective and efficient search strategy requires a great deal of thought and planning. The examiner will need to construct a keyword search of names, terms, numbers, etc. that are relevant to the analysis. The selection of keywords that provide only the desired information is almost an art, and will be addressed in detail.
An ever-growing variety of computer forensic hardware and equipment is now available in the marketplace which can be brought to bear in a fraud examination. Specialized computers have been designed for both laboratory and field use to provide a wide range of forensic capabilities far beyond those of standard consumer products. Portable devices designed to create forensic images of computer hard drives, and a wide variety of write-blocking devices (to ensure that no data can be written to a drive being imaged) now provide the computer forensic examiner with a significant variety of useful tools.
There are significant artifacts on Windows-based computer systems that could be useful to the fraud examiner. Data from the Windows Registry, the Recycle Bin, file slack, the Windows paging file (or “swap” file) and other areas can provide critical evidence in an examination. In addition, files and folders that may have previously been deleted can be recovered with special forensic utilities. We will discuss all of these areas where important evidence may be hidden and how to extract it.
Specialized forensic software applications contain useful tools to facilitate forensic data acquisition and validation of the acquired data, and can provide analytical capabilities that allow the fraud examiner to uncover and document electronic evidence. However, the features of these applications can vary widely, and computer forensic examiners must be aware of both what products are available and their capabilities. The leading products, such as EnCase and The Forensic Toolkit, will be discussed along with other software alternatives that the examiner may wish to consider for their computer forensics toolbox.
Tracking Internet Activities & Tracing Email
There may be a significant amount of information related to a user’s Internet activities that is captured by the operating system. Some of this information is saved in files that the normal user cannot view. However, there are special tools that can assist the fraud examiner in deciphering the Internet History. We will discuss the construction of the Internet History files and the valuable information that they can provide. Also, in many investigations there is a need to determine where an email message originated. How to trace emails back to the point of origin will be discussed in detail.