TechNet Home > TechNet Security > Library > Disaster Recovery

Fundamental Computer Investigation Guide For Windows

Overview

Published: January 11, 2007
*

Internet connectivity and technological advances expose computers and computer networks to criminal activities such as unauthorized intrusion, financial fraud, and identity and intellectual property theft. Computers can be used to launch attacks against computer networks and destroy data. E-mail can be used to harass people, transmit sexually explicit images, and conduct other malicious activities. Such activities expose organizations to ethical, legal, and financial risks and often require them to conduct internal computer investigations.

This guide discusses processes and tools for use in internal computer investigations. It introduces a multi-phase model that is based on well-accepted procedures in the computer investigation community. It also presents an applied scenario example of an internal investigation in an environment that includes Microsoft® Windows®–based computers. The investigation uses Windows Sysinternals tools (advanced utilities that can be used to examine Windows–based computers) as well commonly available Windows commands and tools.

Some of the policies and procedures invoked in investigations that result from computer security incidents might also exist in disaster recovery plans. Although such plans are beyond the scope of this guide, it is important for organizations to establish procedures that can be used in emergency and disaster situations. Organizations should also identify and manage security risks wherever possible. For more information, see the Security Risk Management Guide.

On This Page
Computer Investigation ModelComputer Investigation Model
Initial Decision-Making ProcessInitial Decision-Making Process
Chapter SummaryChapter Summary
AudienceAudience
Caveats and DisclaimersCaveats and Disclaimers
References and CreditsReferences and Credits
Style ConventionsStyle Conventions
Support and FeedbackSupport and Feedback

Computer Investigation Model

According to Warren G. Kruse II and Jay G. Heiser, authors of Computer Forensics: Incident Response Essentials, computer forensics is "the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis." The computer investigation model in the following figure organizes the different computer forensics elements into a logical flow.

Computer Investigation Model

The four investigation phases and accompanying processes in the figure should be applied when working with digital evidence. The phases can be summarized as follows:

Assess the situation. Analyze the scope of the investigation and the action to be taken.

Acquire the data. Gather, protect, and preserve the original evidence.

Analyze the data. Examine and correlate digital evidence with events of interest that will help you make a case.

Report the investigation. Gather and organize collected information and write the final report.

Detailed information about each of the phases is provided in the chapters of this guide.

Initial Decision-Making Process

Before you begin each of the general investigation phases you should apply the initial decision-making process shown in the following figure.

Initial Decision Making Process

You should determine whether or not to involve law enforcement with the assistance of legal advisors. If you determine that law enforcement is needed, then you need to continue the internal investigation unless law enforcement officials advise you otherwise. Law enforcement might not be available to assist in the investigation of the incident, so you must continue to manage the incident and investigation for later submission to law enforcement.

Depending on the type of incident being investigated, the primary concern should be to prevent further damage to the organization by those person(s) who caused the incident. The investigation is important, but is secondary to protecting the organization unless there are national security issues.

If law enforcement is not involved, your organization may have existing standard operating procedures and policies that guide the investigation process. Refer to the "Reporting Computer-Related Crimes" section in Appendix: Resources in this guide for types of crimes that need to be reported to law enforcement.

Chapter Summary

This guide is comprised of five chapters and an appendix, which are briefly described in the following list. The first four chapters provide information about the four phases of the internal investigation process:

Chapter 1: Assess the Situation explains how to conduct a thorough assessment of the situation and prepare for the internal investigation.

Chapter 2: Acquire the Data provides guidance about how to gather digital evidence.

Chapter 3: Analyze the Data examines the standard techniques of evidence analysis.

Chapter 4: Report the Investigation explains how to write the investigation outcome report.

Chapter 5: Applied Scenario Example describes a fictional scenario that depicts unauthorized access to confidential information.

Appendix: Resources includes information about how to prepare for a computer investigation, contact information for reporting computer-related crimes and obtaining computer investigation training, worksheets that can be used in computer investigations, and lists of certain computer investigation tools.

Audience

This guide is intended for IT professionals in the United States who need a general understanding of computer investigations, including many of the procedures that can be used in such investigations and protocols for reporting incidents.

Caveats and Disclaimers

This guidance does not constitute legal advice, and is not a substitute for individualized legal and other advice from legal advisors. You should always consult your legal advisors before you decide whether to implement any of the described processes. The tools and technologies described in this guide are current at the time of its release, and may change in the future.

It is also important to understand that legal restrictions may limit your ability to implement these procedures. For example, the United States has many laws related to the rights of people who are suspected of committing illicit acts. Unless legal restrictions are specifically referenced in existing policies and procedures established by the organization, it is important that you obtain legally binding written approvals from legal advisors, management, and key stakeholders throughout the internal investigation.

  Note

This guide does not include information about incident response policy and procedure development, specific data imaging product guidance, guidance about building a forensics lab, or computer investigations in non-Windows environments. For information about incident response policy and procedure development, see the Microsoft Operations Framework (MOF) Web site.

References and Credits

The information in this guide is based on information provided by recognized industry experts and other guidance, including the following publications:

Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice.

Guide to Integrating Forensic Techniques into Incident Response PDF document by the National Institute of Standards and Technology.

"RFC3227 - Guidelines for Evidence Collection and Archiving" by D. Brezinski and T. Killalea.

Style Conventions

This guidance uses the style conventions that are described in the following table.

Element Meaning

Bold font

Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.

Italic font

Titles of books and other substantial publications appear in italic.

<Italic>

Placeholders set in italic and angle brackets <Italic> represent variables. 

Monospace font

Defines code and script samples.

Note

Alerts the reader to supplementary information.

Important

Alerts the reader to essential supplementary information.

Support and Feedback

The Solution Accelerators – Security and Compliance (SASC) team would appreciate your thoughts about this and other Solution Accelerators. Please contribute comments and feedback to secwish@microsoft.com. We look forward to hearing from you.

Solution Accelerators provide prescriptive guidance and automation for cross-product integration. They present proven tools and content so you can plan, build, deploy, and operate information technology with confidence. To view the extensive range of Solution Accelerators and for additional information, visit the Solution Accelerators page on Microsoft TechNet.


**
**

Download

Get the Fundamental Computer Investigation Guide For Windows

Solution Accelerator Notifications

Sign up to stay informed

Feedback

Send us your comments or suggestions

Windows Sysinternals

Learn about Windows Sysinternals tools used in this guide.