7.1 Understand and comply with investigations

  • Evidence collection and handling
  • Reporting and documentation
  • Investigative techniques
  • Digital forensics tools, tactics, and procedures
  • Artifacts (computer, network, mobile device)

Investigation Types

Recall that there are four types of investigations, and each one has its own standard of evidence collection.

  • Administrative Investigations

    • We are investigating a violation of an internal policy or trying to resolve an issue

    • We might be helping determine whether there was a violation of an HR policy

    • The standard for collecting and storing evidence is lower because our only purpose is to resolve an internal issue.  We still have to act within our own policies and within employment and privacy law; owning the network does not mean anything goes.

    • We might call this a root cause analysis because we are trying to figure out the reason that the issue occurred so that it can be prevented

    • Evidence discovered during an administrative investigation might lead to a criminal investigation, so it is wise to preserve it properly from the start (chain of custody, hashes of any data collected) even when the lower standard does not strictly require it

  • Criminal Investigation

    • Conducted by law enforcement

    • May result in criminal charges

    • Evidence collection and preservation must be very strict or else it won’t be admissible.  That means following the law and the constitution when collecting it.

    • There must be a clear chain of custody.  That means we must always know where the evidence is stored.

    • The police have experts who are skilled at collecting each type of evidence.

    • The standard is “beyond a reasonable doubt”

  • Civil Investigation

    • Completed by employees or contractors

    • May be overseen by a law firm or lawyer

    • The civil investigation has a lower standard of evidence known as “preponderance of the evidence”.  That means that the evidence is more likely than not to prove our case.

    • We must still follow the law when collecting this evidence.

  • Regulatory Investigation

    • The government might conduct an investigation to determine whether a violation of a regulation took place

    • Agencies that conduct these include the FTC and the SEC

    • A regulatory investigation could lead to an administrative procedure, a civil procedure, or a criminal procedure

    • The standard of evidence could vary depending on the procedure

Electronic Discovery

  • In a civil suit, each side has an obligation to preserve relevant evidence and give it to the other side.  If a party destroys evidence (spoliation), it could be found liable, or the court could instruct the jury to assume that the destroyed evidence was incriminating.

  • Even if we haven’t been sued, once somebody threatens to sue us we have an obligation not to delete the information in case it must be produced in discovery.  This is a litigation hold, and it overrides normal retention schedules.

  • The process of providing your evidence to the opposing party is known as discovery or eDiscovery (for electronic discovery).

  • The more data your organization retains, the more expensive discovery will be and the more likely that the other side finds something damaging.  A retention policy that deletes data on schedule limits this, but deletion must stop the moment a hold is in place.

  • A party suing can’t generally get a search warrant to search through your stuff – you have to provide them with the evidence. 

  • Electronic Discovery Reference Model.  This model was created to make eDiscovery easier.

    • Information Governance – we must organize our information so that it is easy to search.  That means putting it in electronic format and indexing it.

    • Identification – we identify the information that is relevant to the discovery

    • Preservation – we make sure that the information is not deleted

    • Collection – we gather the data in response to the request

    • Processing – we cut out the irrelevant data

    • Review – we review the data to make sure that it is relevant and that none of it is legally privileged.  We may also have proprietary data that is relevant, but that could cause irreparable harm if disclosed.

    • Analysis – we evaluate the collection for content and context: key topics, people, timelines, and patterns, so that the lawyers know what the data shows

    • Production – we deliver the data to the other parties in the agreed format

    • Presentation – we present the data at depositions, hearings, or trial


Each court has rules about whether a type of evidence is admissible. 

In the US Federal Courts, whether something is admissible is governed by the Federal Rules of Evidence.  Each state has its own rules.  In Canada, the rules are governed by the Canada Evidence Act.

Some general rules about admissibility

  • The evidence must be relevant to the proceeding.  In Federal Court, Rule 401 says that evidence is relevant if

    • it has any tendency to make a fact more or less probable than it would be without the evidence; and

    • the fact is of consequence in determining the action.

  • The fact that we are trying to prove must be material.  That means that it must be significant to the case.  If you robbed a bank, a video of you robbing the bank (obtained from bank security cameras in response to a warrant) would be admissible.  It proves that you robbed the bank, the fact that you robbed the bank is material, and the video was obtained legally.  A video of you eating a cheeseburger at McDonalds might be relevant to proving that you ate a cheeseburger, but the fact that you ate a cheeseburger is not material.

  • The evidence must be competent.  That means that it was obtained legally and that we can authenticate the source of the evidence.

  • The evidence must not be unfairly prejudicial.  Evidence that makes the Defendant look bad is not automatically excluded; it is excluded when its probative value is substantially outweighed by the danger of unfair prejudice.

  • Rule 403 of the Federal Rules of Evidence says that the court can exclude relevant evidence if its probative value is substantially outweighed by a danger of unfair prejudice, confusing the issues, misleading the jury, undue delay, wasting time, or needlessly presenting cumulative evidence

  • A court can choose to admit prejudicial evidence for a limited purpose only (to prove a specific fact).  This is difficult to do.

  • Communication between an attorney and a client is protected.  The client can be an individual or a corporation.

  • Communication between a husband and a wife is protected in Canada.

  • The party introducing the evidence must show it is reliable.  That means that the party should bring a witness who can testify about the evidence.  There are two types of witnesses

    • A material witness (in US practice usually called a fact witness or lay witness).  This witness testifies about what he saw and did.  If he collected the evidence, then he can testify about how and where he collected the evidence.  A fact witness cannot testify about his opinion and he cannot speculate.

    • An expert witness.  An expert witness testifies about what he knows (his opinion).   An expert witness can testify about how he analysed the evidence and what it means.  An expert witness can also testify about what he saw.

      An expert witness is one who is qualified as an expert by knowledge, skill, experience, training, or education.  The party calling the witness must prove that he is an expert. 

      The witness will usually prepare a report about what he will testify about.  This report will include his CV, which may include his education, publications, past testimony, books and articles written, etc.  The court may then hold a hearing to determine whether this person qualifies as an expert.

      The expert can testify if

      • the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue

      • the testimony is based on sufficient facts or data

      • the testimony is the product of reliable principles and methods; and

      • the expert has reliably applied the principles and methods to the facts of the case.

In order for the expert witness testimony to be admitted, we must show that the method behind it is reliable.  In the US Federal system, this is known as the Daubert standard.  It asks five questions

  • whether the theory or technique in question can be and has been tested

  • whether it has been subjected to peer review and publication

  • its known or potential error rate

  • the existence and maintenance of standards controlling its operation

  • whether it has attracted widespread acceptance within a relevant scientific community.

  • Hearsay rule

    • A person generally cannot testify about something he heard somebody else say in order to prove that it is true.  This is called hearsay: an out-of-court statement offered to prove the truth of what it asserts.

    • Hearsay is inadmissible because the person who was heard is not available to testify under oath or be cross-examined.  You have the constitutional right to question somebody who is testifying against you.

    • Business Records Exception: records created in the ordinary course of business are admissible because they are made on a regular basis.  The records are admissible even when the person who created them is unable to testify as to their authenticity.  We might call somebody from the business to testify.

    • There are other exceptions to the hearsay rule

  • It is preferred to admit the original document as evidence, but if we can’t then a duplicate is admissible

  • The rules of evidence do not apply to some proceedings such as bail hearings

  • The rules of evidence are lengthy and beyond the scope of this book.  Every jurisdiction has its own set of rules, and further standards established by case law.

On top of all these general rules, and the specific rules of evidence that are part of the law, we also have many tens of thousands of federal court cases, federal court of appeals cases, and supreme court cases, where each court made decisions about whether to admit a particular piece of evidence under a particular set of circumstances.

If push comes to shove, the court will look at the law.  It will then look at the case law to see how other courts have ruled in similar circumstances.  The court is obligated to rule in a way that is consistent with previous courts, especially the appeals court and the supreme court.

There are different types of Evidence

  • Real Evidence

    • Real evidence is actual things like guns, drugs, clothes, a computer, or fingerprints.

    • Real evidence is subject to a chain of custody.  That means that we must know where the evidence was stored from when it was seized to when it was brought to court, and who had custody of it.

    • We might have a chain of custody log that lists where the evidence was stored and who had possession of it.

    • The chain of custody shows that nobody had an unaccounted-for opportunity to modify the evidence.  A gap in the chain gives the other side an argument that the evidence could have been altered; depending on how serious the gap is, the court may exclude the evidence or give it less weight.

  • Documentary Evidence

    • Documentary evidence is written evidence

    • It could be something like business records, a credit card statement, or logs or data from a computer

    • A witness must come in to court and authenticate the evidence

    • For example, if the evidence is a log from a computer, then a witness who can authenticate it (typically the system administrator who extracted the log, or the records custodian) must come in and testify about how it was extracted, which tool was used, and how it was preserved and hashed

    • The Business Records Exception says that a record created during the ordinary course of business is admissible without requiring the testimony of a person who created it.  This is part of the hearsay rule.

    • The best evidence rule says that when we introduce documentary evidence, we should introduce the original document if possible.  We can introduce a copy of the document only under certain exceptions.

    • The parol evidence rule says that when two parties have a written agreement, the written agreement is assumed to contain all of the terms and conditions between the two parties.  Discussions made prior to the agreement are not admissible to contradict it and are not binding on the parties.

  • Testimonial Evidence

    • This is evidence that exists only in a person’s memory: what the person knows and can recount

    • The person must come to court and testify under oath, because people have a right to confront their accusers

    • In a civil case, people usually testify in depositions so as to not waste the court’s time.  The deposition is a testimony that usually takes place in a lawyer’s office.  The witness comes in and the parties ask them questions, for about a day.  Usually, the deposition is videotaped and then the lawyers extract the specific relevant portions that are useful for their case.  The court does not have time to listen to possibly hundreds of hours of testimony.

    • A person who testifies about what he saw is a material (fact) witness.  He can only talk about facts that he personally knows.  He can’t talk about his opinions or speculate.

    • A person who testifies about his opinion is known as an expert witness.  Either side might hire expert witnesses to analyse the evidence and testify about their opinions. 

    • A person cannot testify about hearsay evidence.  You can’t testify as to stuff that you heard somebody else say.

Collecting Evidence

  • Follow all of the forensic procedures when collecting the evidence

  • Make sure not to take any actions that change the digital evidence.  Use a write blocker when acquiring storage media.  If volatile data must be collected from a live system, accept that the collection itself changes state, and document every command run and its order.

  • We must document all access to the digital evidence.  We must also document the seizure, storage, and transfer of the evidence.

  • The person with custody of the evidence is responsible for that evidence.

  • The agency that collects, stores, or analyses the evidence must follow the rules regarding the evidence.

  • We should collect the original evidence, hash it, and store it in a secure place.  We then make an exact (bit-for-bit) copy of the original and verify that its hash matches.  This is the master copy.  We then make multiple working copies of the master copy, verifying each, and perform our analysis on those working copies.  If we run out of working copies, we go back to the master copy and make more.  This way, we never go back to the original evidence and we can show, by hash comparison, that it remains unchanged.

  • Media analysis

    • We can analyse storage media such as magnetic media, optical media, or memory

    • We might recover deleted files, analyse file system structures, or collect data from live computer systems

  • Network Analysis

    • We might want to monitor or collect data on a network

    • Network traffic is not preserved by the network itself; if nothing captured it at the time, it is gone

    • We either need to know that an incident is taking place so that we can start capturing, or we need to run software that continuously logs network data (full packet capture or flow records)

    • We can collect data from IDS/IPS alerts, packet sniffers, and firewall logs

    • We take all of this data and put it together to create a picture of what actually happened

  • Software Analysis

    • We might want to review the computer applications running on our system

    • We are looking for back doors, logic bombs and other vulnerabilities

    • We might also look for intrusions, viruses, or other malicious activity

  • Hardware Analysis

    • We might analyse firmware or software on physical devices, where the data cannot simply be copied off with a standard imaging tool

    • Devices include computers, phones, tablets, embedded computers in GPS systems, medical equipment and security cameras

    • The person who analyses these devices must be an expert in how the device operating systems and memory function

    • We might seek assistance from the device manufacturer

Investigation Procedure

  • First, we start the investigation.  We put together a team of experts who will contribute to the investigation.  We give the team a charter, which is a license or permission to operate.  The charter defines the scope of the investigation, who is in charge, the roles of each person, and the rules that they must follow.

  • Second, we start gathering evidence.  We have three ways to gather evidence

    • The owner can voluntarily surrender it.  When the owner of the evidence is also the person under investigation, this might work.  When the owner is the hacker, then it is not possible.  We also don’t want to alert the hacker that we are investigating him.  

    • We can obtain a court subpoena.  The subpoena is a court order that commands a person to hand the evidence over.  The person who receives the subpoena may be able to go to court and fight the subpoena before having to hand over the evidence.  If the party destroys the evidence or fails to comply with the subpoena, they might be held in contempt.  It is still possible for a person to delete or modify the evidence.

      We generally can obtain the subpoena after filing the civil suit and serving the Defendant.  By then, the Defendant is already aware of the investigation.

    • We can obtain a search warrant.  The search warrant is only available to law enforcement in criminal cases.  

      In Canada, an Anton Piller order is available in civil cases when a search warrant is required.  It is rarely granted, but it offers the element of surprise.  It allows private lawyers to conduct a search prior to serving the Defendant with a civil suit.  The Anton Piller order is much more restrictive than a search warrant.

  • Law enforcement.  We need to decide whether to refer the matter to law enforcement.  Law enforcement has more resources and experience than internal investigators.  They also have the power to obtain search warrants and subpoenas.  If we call in law enforcement, the investigation might become known to the public, which could damage the company’s reputation, and we no longer control the pace or scope of the investigation.  Law enforcement officers are bound by constitutional limits (warrants, due process) that do not apply to an internal investigation.  Employees are not obligated to cooperate with law enforcement even if they signed an agreement to cooperate with an internal investigation.

  • Perform the investigation.

  • Interviews.  We might interview people who are involved in the incident or who might know something about it.  We should have experienced people perform the interviews because they know how to deal with uncooperative subjects. 

    People have the right to not cooperate with law enforcement and have the right to not be detained.  People also lie.

  • Data Integrity.  We must make sure that all of the data we collect has integrity.  We take a cryptographic hash (SHA-256 is the sensible default; MD5 and SHA-1 still appear in older tooling but are collision-weak) of the data at collection, record it in the chain of custody documentation, and hash again before analysis and before testimony.  If the hashes match, we can show that the data has not been modified.

  • Reporting.  Once we complete the investigation, we write a report that explains what the purpose of the investigation was, what evidence we collected, and what we learned.  The report is given to the administrator, lawyer, or prosecutor, who determines whether further action should be taken.  This could include

    • Taking disciplinary action against an employee

    • Filing a civil suit

    • Filing criminal charges

    • Improving security measures
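The original → master → working copy discipline from Collecting Evidence, together with the hash-at-collection check from the Data Integrity step, as an added example (this is not code from the original notes).  It constructs its own 2 MiB sample “device” file in a temporary directory so that it runs without a real disk, a write blocker, or root access; the examiner name, file names, and the JSON-lines log format are assumptions.

```python
"""Forensic acquisition workflow: original -> master image -> working copies,
with a SHA-256 check at every step and an append-only chain-of-custody log.
Added example; the 'device' is a constructed file, not a real block device."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks; never load a whole image into RAM


def sha256_file(path):
    """Hash a file in chunks. This is the value recorded at collection."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of every access, copy and transfer (assumed format)."""

    def __init__(self, path):
        self.path = path

    def record(self, actor, action, item, digest):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "item": item, "sha256": digest}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")

    def entries(self):
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]


def image_device(source, dest, log, actor):
    """Byte-for-byte copy (what dd does), then verify the image hash matches
    the source before anyone touches the original again."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash, dst_hash = sha256_file(source), sha256_file(dest)
    if src_hash != dst_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    log.record(actor, "imaged " + os.path.basename(source), dest, dst_hash)
    return dst_hash


def make_working_copy(master, dest, expected_hash, log, actor):
    """Working copies come from the master, never from the original."""
    shutil.copyfile(master, dest)
    h = sha256_file(dest)
    if h != expected_hash:
        raise RuntimeError("working copy corrupted")
    log.record(actor, "working copy from master", dest, h)
    return h


def verify_integrity(path, expected_hash):
    """Re-hash later (before analysis, before testimony) and compare."""
    return sha256_file(path) == expected_hash


def run_acquisition(workdir, actor="examiner-1"):
    # Constructed sample 'device': 2 MiB of deterministic pseudo-random bytes.
    device = os.path.join(workdir, "suspect-disk.bin")
    with open(device, "wb") as f:
        f.write(bytes((i * 7919 + 13) & 0xFF for i in range(2 * CHUNK)))
    log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
    original_hash = sha256_file(device)
    log.record(actor, "seized; hashed at collection", device, original_hash)

    master = os.path.join(workdir, "master.dd")
    master_hash = image_device(device, master, log, actor)
    work1 = os.path.join(workdir, "work1.dd")
    make_working_copy(master, work1, master_hash, log, actor)

    # An analysis tool writes to the working copy (16 bytes at offset 4096)...
    with open(work1, "r+b") as f:
        f.seek(4096)
        f.write(b"\x00" * 16)
    # ...which the hash check detects, while original and master stay intact.
    return {"original_hash": original_hash,
            "master_ok": verify_integrity(master, original_hash),
            "working_ok": verify_integrity(work1, original_hash),
            "log_entries": len(log.entries())}


def demo():
    with tempfile.TemporaryDirectory() as d:
        return run_acquisition(d)


if __name__ == "__main__":
    print(demo())
```

The same pattern applies when the image is made with dd on a real device: hash the device and the image the same way and record both.  One caveat worth knowing: dd’s conv=sync pads short reads to the block size, so an image taken with a large bs may legitimately hash differently from the device when the device size is not a multiple of that block size; imaging at the sector size avoids the discrepancy.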

There are some tools that we need to have.  One of the most important tools gives us the ability to create an image.  An image is a bit-for-bit digital copy of the data on a physical device such as a hard disk drive.

  • dd.  dd is one of the oldest tools used for forensics.  It runs on UNIX and Linux and allows you to make an image of a physical device from the command line.  On its own it is basic: no built-in hashing, no logging, and only crude error handling (conv=noerror,sync).  Forensic variants such as dcfldd and dc3dd add hashing and logging on top of it.

  • memdump.  memdump allows us to dump the contents of the computer’s memory into a file.  We can dump the entire contents or the contents associated with a specific process.  We can take the dump file and analyse it later, but now we have a permanent record of volatile memory.

  • WinHex.  WinHex is a tool that allows us to view the contents of a file in hexadecimal format.  It lets us view the actual 0’s and 1’s of a file.  Why is this good?  Two common scenarios

    • A suspect deletes a file.  When you delete a file, the computer removes the corresponding entry from the file system’s allocation structures (the file allocation table on FAT, the MFT record on NTFS), and the space where the file was is marked as “free space”.  The actual file contents are still there until a new file is created and the space is required.  Then the old file contents are overwritten.  Sometimes only parts of the file are overwritten.

      It’s like if you have an index of books in a library.  We can delete the book from the index, but the book is still on the shelf until somebody needs the space and replaces it with a new book.

      If we made an image of an entire hard disk drive, we are reading all the 0’s and 1’s from it directly.  If we open the image in WinHex, we can view the raw data, including the deleted data.

      WinHex also shows us the hexadecimal translation of those 0’s and 1’s.  Remember that 0’s and 1’s can be converted into actual letters and numbers.  This allows us to review deleted content and fragments of deleted content.

      There are tools that specifically scan for deleted files, but they are not always great at finding fragments, especially when a large portion is lost.

    • Many programs (especially on phones) store data in databases.  A database stores its data in a file (or multiple files).  For example, your iPhone stores text messages in a SQLite database file.  When you delete a text message, the database does not wipe the message.  It marks the record’s space as free (free space inside the page, or a freelist page) and the bytes stay there.

      The freed space is only cleared when it is reused for new records or when the database is compacted (a VACUUM).  Sometimes new records partially overwrite the old ones, and we are left with fragments of messages.  We can open the database file in WinHex and view the fragments that a normal query would never return.

WinHex is powerful and supports

  • Editing content on a disk directly

  • Various file systems including FAT 16, FAT 32, NTFS, CDFS

  • RAID

  • Editing contents of RAM directly

  • Ability to search binary and HEX for key words
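Both “the tool shows nothing, the raw bytes still do” cases from the WinHex discussion above, as an added example that is not code from the original notes: (1) carving a deleted file out of a disk image purely by its byte signature, ignoring file system metadata, and (2) recovering a deleted text message from the free space of a SQLite database.  The 64 KiB “disk image”, the JPEG-like blob, and the messages database are all constructed inline; the table layout is an assumption, not the iPhone schema.

```python
"""(1) Signature carving from unallocated space; (2) deleted SQLite records.
Added example; the disk image and the database are constructed here."""
import os
import re
import sqlite3
import tempfile

JPEG_HEADER = b"\xff\xd8\xff"   # SOI marker
JPEG_FOOTER = b"\xff\xd9"       # EOI marker


def carve(image, header, footer, max_len=10 * 1024 * 1024):
    """Return (offset, bytes) for every run that starts with header and ends
    at the first footer after it.  Directory entries are never consulted,
    which is exactly why this finds files whose entry has been deleted."""
    found = []
    pos = image.find(header)
    while pos != -1:
        end = image.find(footer, pos + len(header), pos + max_len)
        if end != -1:
            found.append((pos, image[pos:end + len(footer)]))
            pos = image.find(header, end)
        else:                      # header without footer: fragment, skip it
            pos = image.find(header, pos + 1)
    return found


def constructed_disk_image():
    """Fake 64 KiB disk: a deleted but intact JPEG-like file at 8192, and a
    second copy at 20480 whose tail (including the footer) was overwritten."""
    img = bytearray(64 * 1024)
    photo = JPEG_HEADER + b"\xe0JFIF" + b"\x11" * 500 + JPEG_FOOTER
    img[8192:8192 + len(photo)] = photo
    frag = photo[:-200]
    img[20480:20480 + len(frag)] = frag
    return bytes(img), photo


def constructed_messages_db(path):
    """Three messages, one deleted.  secure_delete=OFF is the usual default;
    it is set explicitly so the freed cell bytes are not zeroed."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
    con.executemany("INSERT INTO message(text) VALUES (?)",
                    [("lunch tomorrow?",),
                     ("the drop is at pier 9 at midnight",),
                     ("ok see you",)])
    con.commit()
    con.execute("DELETE FROM message WHERE id = 2")
    con.commit()
    con.close()


def live_messages(path):
    """What the application (or any SQL query) still shows."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT text FROM message ORDER BY id")]
    con.close()
    return rows


def raw_text_fragments(path, min_len=8):
    """Scan the file bytes directly, ignoring the b-tree structure, for
    printable ASCII runs.  Deleted cells stay in free space until reused or
    until a VACUUM compacts the file; only the first 4 bytes of a freed cell
    are overwritten (the freeblock header), so the text itself survives."""
    with open(path, "rb") as f:
        raw = f.read()
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, raw)]


def demo():
    image, photo = constructed_disk_image()
    carved = carve(image, JPEG_HEADER, JPEG_FOOTER)
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "sms.db")
        constructed_messages_db(db)
        live = live_messages(db)
        raw = raw_text_fragments(db)
    return {"carved_offsets": [off for off, _ in carved],
            "carved_intact": bool(carved) and carved[0][1] == photo,
            "live": live,
            "deleted_in_raw": any("pier 9 at midnight" in s for s in raw)}


if __name__ == "__main__":
    print(demo())
```

The carver finds the intact deleted file but not the fragment at 20480, which is the limitation the notes mention: once the tail is gone there is no footer to stop at, and a human looking at the hex is needed to judge what is left.  The SQLite half shows the gap between the application view and the file: the deleted message is absent from every query but sits in plain text in the page’s free space.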

  • FTK Imager.  FTK Imager is a free tool that allows us to produce images of different physical devices.  The full commercial product, Forensic Toolkit (FTK), is a separate analysis suite that adds features to

    • Automatically produce images from physical drives, mobile devices, and cloud sources.

    • Automatically analyse, index, and process all the content

    • Decrypt files

    • Isolate data from different mobile applications such as WhatsApp and Facebook Messenger

Essentially, it provides you with a single platform to manage and analyse data for a single investigation.  It can quickly gather and highlight important data.  But it is not a substitute for other tools like WinHex.  You might use FTK as a starting point, but you might need to dig deeper.

  • Autopsy.  Autopsy is a free open source forensics program that covers much of the same ground as FTK.  It has different modules that can be used to analyse specific types of content, such as mobile data.  Autopsy does not create images itself, so we must first use another tool to create the images and then load them into Autopsy.

    The Sleuth Kit is the collection of command line tools underneath Autopsy that analyse disk images and file systems.

  • Cellebrite UFED.  UFED is a tool (software-based or hardware-based) that can create images of mobile devices.  On supported devices it can also bypass user locks, encryption, and passcodes.  UFED can also download data from social media and cloud accounts.

    Not every device can be unlocked, and support for a given model and OS version changes with each release, but among mobile forensics tools UFED is one of the most widely used and most regularly updated.

  • Forensic Toolkit for SQLite.  I recommend Sanderson Forensics’ Toolkit because it contains advanced features for analysing SQLite databases.  Most mobile device content is stored inside SQLite database files.

Types of Computer Crimes – what is the motivation behind the attack?

  • Intelligence Attack

    • This is an attack launched by a foreign government to obtain classified information from military or other sources. 

    • The hackers are looking for military information, intelligence information, law enforcement information, foreign policy information, or other sensitive information that can hurt the government.

    • Military and government computers must have very good security

    • People who perform these types of attacks are very sophisticated and will likely cover their tracks.  It is likely that many of these attacks go unnoticed because the hackers are skilled.

  • Business Attack

    • This is an attack where we try to obtain confidential business information such as trade secrets, recipes, manufacturing information, or data about upcoming products

    • The attack may also try to seek information that could embarrass or harm the company

    • We might call this industrial espionage

    • Businesses hack their competitors so that they can gain an advantage.  Some foreign countries encourage or support their industries in their efforts to hack their competitors.

    • The hack itself may cause no visible damage, but the loss of the information can be catastrophic.

  • Financial Attack

    • This is an attack where the hacker is trying to steal money

    • The hacker might steal credit card numbers, online banking logins, or other confidential data.  The hacker might use social engineering to convince others to transfer money.

    • The hacker’s skill sets might range from basic to highly sophisticated

  • Terrorist Attack

    • A terrorist attack is designed to cause fear or disruption

    • It is not designed to obtain money or to steal secrets, but terrorists may perform intelligence attacks to discover vulnerabilities first and then follow up with terrorist attacks

    • Many critical infrastructure computers should be offline (air gapped) so that they cannot be hacked

  • Grudge Attack

    • A grudge attack is designed to hurt a person or organization or to harm their reputation

    • The person who does so has anger.  They may be a disgruntled employee who wants revenge.

    • They may not be sophisticated, but they will be very familiar with the inner workings of the organization.  They may also have had the opportunity to install back doors.

    • Many large intelligence leaks happened because a person inside the military did not agree with some of the programs in place and felt that the public needed to know.

  • Thrill Attack

    • A Thrill Attack is an attack that is implemented for fun.

    • The people who commit thrill attacks do so just for fun, but they might cause a lot of damage.

    • Some hackers engage in attacks for political purposes (hacktivism).  This is a separate motivation from thrill seeking, even though the techniques overlap.