Forensic Investigation Methodology

The computer forensics and investigation methodology consists of 8 steps. The first 3 steps acquire evidence about the system and the crime scene; the following 4 steps are repeatable analysis steps that are iterated as needed; and the final step is writing the report. The figure below shows the forensics investigation methodology, along with the PowerPoint file that explains each step:


The attached PowerPoint file explains the Forensic Methodology step-by-step:



Digital Forensics’ Principles

There are some principles that will lead you to achieve your investigation's goals. The investigator should be aware of the following four principles:

  1. Record everything.
  2. Minimise data loss.
  3. Analyse all data collected.
  4. Report your findings.


Now the question is “Where is the data that needs to be analysed?”.

Basically, everything should be analysed and investigated when approaching a crime scene, and no one else is allowed to access the crime scene area. The following figure shows some of the digital hardware that can be analysed with the potential of finding information inside it.


Everything at the crime scene is valuable and should be subjected to careful investigation and analysis, along with the computer itself. Remember: do not overlook anything, even the small things. The table below shows two different scenarios when investigating a digital crime scene (live system and dead system):


Live System: acquisition copies the data using the suspect's (operating) system. Usually, people try to avoid this kind of acquisition, because the attacker may have modified the data, or the software may produce tampered data. In a live system, the power is still on, processes are still running, disks are being accessed, and removable media keeps changing.

Dead System: acquisition copies the data without the assistance of the suspect's (operating) system. In a dead system, the power is off, the power cable is unplugged, and there are no changes to the removable media.



Remember: evidence is volatile. The most volatile evidence is found in memory and the least volatile on removable media. Below is the order from most volatile to least (from top to bottom):

  1. Memory.
  2. Network Status and Connections.
  3. Processes Running.
  4. Hard Drive Media.
  5. Removable media, such as floppy disks, Zip drives, USB sticks and more.

Note: the evidence held in memory, network status and connections, and running processes will be destroyed if the power is cut off.

Introduction to Digital Forensics – Part 2/2

There are several types of incident that might be discovered by applying forensic techniques. Below are some examples of these incidents.

  • Malicious Code Attacks – For example, viruses, Trojan horse programs, worms and hacker scripts.
  • Unauthorised Access – For example, improper logins to users' accounts and unauthorised access to files.
  • Unauthorised Utilisation of Services – For example, an intruder may obtain access to information or plant Trojans and sniffers by misusing available services.
  • Disruption of Service – For example, disruption of network services, erasing critical processes, spamming, Denial of Service (DoS).
  • Computer Misuse – For example, using computer services for other than official purposes.
  • Espionage – For example, stealing information to subvert the interests of a company or government.
  • Hoaxes – For example, false information is spread about an incident or threat, such as the Good Times virus hoax of 1995 (a non-existent virus).


There are many questions that we should ask ourselves, such as: why do people carry out these incidents? What was stolen? And how did they do it? The answers to these questions, for cases of intellectual property theft, are shown by the following statistics:

  • Why do people do these incidents?
    • Moved to competitor (70%).
    • Set-up competition (23%).
    • Other purposes (7%).
  • What was stolen?
    • Customer/client information (75%).
    • Financial info (14%).
    • Business Presentations (5%).
    • Other (6%).
  • How did they do it?
    • E-mail (46%).
    • Hard copy (22%).
    • Electronic storage device (9%).
    • Other (23%).


Therefore, the UK has set up the National Crime Agency (NCA), a new crime-fighting agency with national and international reach and the mandate and powers to work in partnership with other law enforcement organisations. This brings the full weight of the law to bear in cutting serious and organised crime.

Introduction to Digital Forensics – Part 1/2

There are four main principles involved that you need to keep in mind:

  1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media, which subsequently might be relied on in court.
  2. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
  3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. Note: an independent third party should be able to examine those processes and achieve the same result.
  4. The person in charge of the investigation is responsible for ensuring that the law and these principles are adhered to.
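One way to honour principles 1 and 3 in code, as an added example that is not part of the original post: every process applied to an acquired image is recorded in an audit trail with the image's SHA-256 before and after, so an independent examiner can re-run the step and confirm the original data was never changed. The case id, examiner name and sample image bytes are constructed for the example.

```python
# Added example (not from the original post): one way to honour principles 1
# and 3 in code. Each process applied to an acquired image is recorded in an
# audit trail with the image's SHA-256 before and after, so an independent
# examiner can re-run the step and confirm the original data was not changed.
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class AuditTrail:
    """Append-only record of every process applied to the evidence."""
    def __init__(self, case_id: str, examiner: str):
        self.case_id, self.examiner, self.entries = case_id, examiner, []

    def record(self, image: bytes, process: str, action):
        """Run action(image), log the before/after hashes, return the result."""
        before = sha256_hex(image)
        result = action(image)
        after = sha256_hex(image)
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "case": self.case_id, "examiner": self.examiner, "process": process,
            "sha256_before": before, "sha256_after": after,
        })
        if before != after:  # principle 1 violated: the evidence was changed
            raise RuntimeError(f"{process!r} altered the evidence")
        return result

    def verify(self, image: bytes) -> bool:
        """Third-party check: the image still matches every recorded hash."""
        h = sha256_hex(image)
        return all(e["sha256_before"] == e["sha256_after"] == h for e in self.entries)

# Constructed sample "image": a few bytes standing in for a disk acquisition.
SAMPLE_IMAGE = bytearray(b"MBR\x00" + b"hello forensics " * 4)

def count_keyword(image: bytes, keyword: bytes = b"forensics") -> int:
    """Read-only analysis step: keyword search over the image."""
    return bytes(image).count(keyword)

if __name__ == "__main__":
    trail = AuditTrail("CASE-0001 (constructed)", "examiner A")
    hits = trail.record(SAMPLE_IMAGE, "keyword search", count_keyword)
    print("hits:", hits, "intact:", trail.verify(SAMPLE_IMAGE))
    print(json.dumps(trail.entries, indent=2))
```

A step that writes to the image (for instance one run without a write blocker) leaves different before/after hashes, and `record` refuses to return its result.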


Below are some unique characteristics of digital evidence:

  • The evidence is invisible to the untrained eye – Electronic evidence is often retrieved from places known or accessible only to experts.
  • Sometimes, it might need to be interpreted by a specialist – In many cases the information gained requires thorough analysis to uncover the properties that make it valid from a judicial point of view.
  • The evidence is highly volatile – A powered electronic device modifies its state every time a specific event occurs. Also, loss of power, or a system overwriting old data with new data, requires us to preserve electronic evidence as soon as possible.
  • The evidence might be altered or destroyed through normal use – Devices constantly change the state of memory: allocating it for programs automatically, swapping it to disk, or writing chunks of it to a disk file on user request.
  • It can be copied without limits – This property allows many specialists to work on the same evidence at the same time in different places. It also makes it possible to present the evidence as-is in a court of law along with the specialist witness report.


In conclusion, computer forensics is the process of revealing the evidence found, for use in either criminal or civil proceedings. Digital evidence can be used by many different parties, such as criminal justice agencies, corporate counsel, insurance companies, law enforcement officials, company legal resources, human resources departments, auditors, individuals, crackers or hackers, and many more.

Computer Forensics

Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

The term "forensic" is used in many different areas that all share the same underlying idea (the theory behind investigation and analysis) but differ in their final outcome. For example: forensic dentistry, forensic archaeology, forensic accounting, forensic graphology, forensic medicine, digital forensics, network forensics, forensic pathology, forensic psychology, forensic science, forensic toxicology and more. However, I will be focusing on digital and network forensics, where you can learn the forensic fundamentals, forensic methodology, Windows forensics, iOS forensics, mobile phone forensics and network forensics, along with the ability to interact with a Linux system.


The question is "Who does the computer forensic analysis?"

The answer that many people might think of or come up with is the police. However, that is not necessarily correct nowadays, because more and more companies now realise that they need in-house forensics employees as first responders to possible intrusions and malicious intent.


Several facts about digital forensics:

  1. Digital forensics is not a proactive security measure, but a reactive response to an event or request.
  2. Digital forensics is not about finding the bad guys, but about finding evidence that might be very valuable.
  3. Digital forensics is not something you do for fun; it requires some expertise.
  4. Digital forensics is not something that can be done quickly; it takes some time to find any malicious activity.

Note: multi-terabyte drives are becoming common. Thus, it is getting harder and taking longer to find the result. Just imagine the time it takes you to find a specific sheet among more than 5000 sheets. The PowerPoint file explains this in detail (Digital Forensics):


In conclusion, digital forensics is not CSI (Crime Scene Investigation); it is more a matter of gathering electronic evidence at the crime scene and analysing it to find any malicious or misuse activity.

STRIDE – Part 3/3

Let's take an example where it is possible to apply the STRIDE technique to mitigate threats. Note: threats should be ranked so that the highest-priority ones come first. The figure below is an example of a server that is connected to many clients via an insecure network.



Applying the STRIDE technique will help to find and fix the vulnerabilities of the system before they can be exploited by an attacker. Below are some of the vulnerabilities that an attacker might exploit, and the threats they pose to the system.

Attack the server STRIDE 1

  • Attacker intercepts the data, enabling Tampering with data and Information disclosure, or Spoofing identity.
    • Chance of occurring: (1 = very high).
    • The damage it causes: (10 = massive).
    • Risk: 10/1 = (10).



Attack the server STRIDE 2

  • Attacker floods server with bad data (Denial of service).
    • Chance of occurring: (1 = very high).
    • The damage it causes: (7 = high).
    • Risk: 7/1 = (7).



Attack the server STRIDE 3

  • Attacker accesses the configuration data, enabling Tampering with data, Information disclosure and Denial of service.
    • Chance of occurring: (5 = medium).
    • The damage it causes: (10 = massive).
    • Risk: 10/5 = (2).



Attack the server STRIDE 4

  • Attacker accesses persistent data or the audit log, enabling Tampering with data, Information disclosure and Denial of service.
    • Chance of occurring: (4 = medium).
    • The damage it causes: (8 = high).
    • Risk: 8/4 = (2).


There are several techniques, one set per STRIDE category, that can be applied to mitigate the threats above, such as:

  1. S – Strong authentication; and never store secrets.
  2. T – Hashes, digital signatures; and tamper-resistant protocols.
  3. R – Digital signature, time stamps; and secure logging.
  4. I – Strong access control mechanisms (ACLs), encryption; and never store secrets.
  5. D – Filtering, throttling; and QoS.
  6. E – Run with least privilege.


STRIDE – Part 2/3

Keep in mind that threats to the system might affect different areas of your system. The table below shows which area might be affected when an attack occurs.


Prioritisation is the process of rating actions so that the highest priority comes first, i.e. determining first things first. STRIDE threats can be prioritised as follows:

  • Chance of an attack occurring:
    • 1 – high.
    • 10 – low.
  • What’s the cost or damage if attack occurs:
    • 1 – little.
    • 10 – massive.
  • Risk:
    • the damage the attack would cause / the chance of the attack occurring (using the two scales above).
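The prioritisation scheme above, applied to the four server threats from Part 3/3, as an added example that is not code from the original post. It uses the post's scales (chance 1 = very high .. 10 = low; damage 1 = little .. 10 = massive; risk = damage / chance) and its per-letter mitigation list; the threat names and STRIDE letters assigned to each threat are taken from the post's descriptions.

```python
# Added example (not from the original post): the STRIDE risk ranking the post
# uses, computed for its four server threats. Scales follow the post:
# chance 1 = very high .. 10 = low; damage 1 = little .. 10 = massive;
# risk = damage / chance, so a higher value means a higher priority.
from dataclasses import dataclass

# Mitigations per STRIDE letter, as listed in the post.
MITIGATIONS = {
    "S": "strong authentication; never store secrets",
    "T": "hashes, digital signatures, tamper-resistant protocols",
    "R": "digital signatures, time stamps, secure logging",
    "I": "strong access control (ACLs), encryption; never store secrets",
    "D": "filtering, throttling, QoS",
    "E": "run with least privilege",
}

@dataclass(frozen=True)
class Threat:
    name: str
    categories: str  # STRIDE letters that apply, e.g. "TIS"
    chance: int      # 1 (very high) .. 10 (low)
    damage: int      # 1 (little) .. 10 (massive)

    def risk(self) -> float:
        if not (1 <= self.chance <= 10 and 1 <= self.damage <= 10):
            raise ValueError("chance and damage must be on the 1..10 scale")
        return self.damage / self.chance

# The four threats from the post's example, with the values it gives.
SERVER_THREATS = [
    Threat("Attacker intercepts data in transit", "TIS", chance=1, damage=10),
    Threat("Attacker floods server with bad data", "D", chance=1, damage=7),
    Threat("Attacker accesses configuration data", "TID", chance=5, damage=10),
    Threat("Attacker accesses persistent data or audit log", "TID", chance=4, damage=8),
]

def prioritise(threats):
    """Return (threat, risk) pairs, highest risk first; ties keep input order."""
    return sorted(((t, t.risk()) for t in threats), key=lambda pair: -pair[1])

def mitigations_for(threat):
    """Map each STRIDE letter of a threat to the post's mitigation list."""
    return [MITIGATIONS[c] for c in threat.categories]

if __name__ == "__main__":
    for threat, risk in prioritise(SERVER_THREATS):
        print(f"risk={risk:>4}  {threat.name} [{threat.categories}]")
        for m in mitigations_for(threat):
            print(f"           -> {m}")
```

Because the chance scale is inverted (1 = most likely), dividing by it makes the likeliest threats rank highest; the two threats that both score 2 keep the order in which they were listed.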