Computer Investigation Made Easy with Windows: A Step-by-Step Guide
Fundamental Computer Investigation Guide for Windows
Computers are ubiquitous in our modern society, and so are the threats and crimes that involve them. Whether it is hacking, phishing, malware, data breaches, fraud, or cyberattacks, there are countless ways that malicious actors can use computers to harm individuals, organizations, or even nations. Therefore, it is essential to have the skills and tools to investigate these incidents and find out what happened, who did it, how they did it, and what can be done to prevent or mitigate it.
In this article, we will provide you with a fundamental computer investigation guide for Windows, based on two free solution accelerators from Microsoft: The Fundamental Computer Investigation Guide for Windows (www.microsoft.com/uk/investigationguide) and The Malware Removal Starter Kit (www.microsoft.com/uk/malware). We will explain what computer investigation is, why it is important, what its challenges and limitations are, and how to follow a four-phase computer investigation model: assess, acquire, analyse, and report. We will also show you how to use a bootable Windows PE environment to collect and preserve evidence from a Windows-based computer, and how to use Windows Security to scan for malware.
Introduction
What is computer investigation?
Computer investigation, also known as digital forensics or cyber forensics, is the process of collecting, preserving, analysing, and presenting digital evidence from computers or other electronic devices. It involves applying scientific methods and techniques to examine digital data and determine its origin, authenticity, integrity, and relevance. Computer investigation can be used for various purposes, such as criminal investigations, civil litigation, internal audits, incident response, compliance monitoring, or security testing.
Why is it important?
Computer investigation is important because it can help identify the perpetrators of cybercrimes or cyberattacks, recover lost or stolen data or assets, protect intellectual property or trade secrets, prove or disprove allegations or claims, resolve disputes or conflicts, enhance security or performance of systems or networks, or improve policies or procedures. Computer investigation can also provide valuable insights into the motives, methods, and capabilities of cyber adversaries, which can help prevent or deter future attacks.
What are the challenges and limitations of computer investigation?
Computer investigation is not an easy task. It faces many challenges and limitations that can affect its accuracy, reliability, validity, admissibility, or usefulness. Some of these challenges and limitations are:
The volume and complexity of digital data: Computers can store huge amounts of data in various formats and locations. Finding relevant evidence among this data can be time-consuming and difficult.
The volatility and fragility of digital data: Digital data can be easily altered or deleted by users or programs. It can also be corrupted or damaged by hardware failures or environmental factors. Therefore, it is crucial to preserve the original state of the data as much as possible.
The encryption and obfuscation of digital data: Digital data can be protected or hidden by encryption or obfuscation techniques, such as passwords, encryption keys, compression, steganography, or malware. These techniques can make the data inaccessible or unreadable without the proper tools or keys.
The legal and ethical implications of computer investigation: Computer investigation can involve accessing or processing sensitive or personal data, such as emails, documents, photos, or browsing history. It can also involve accessing or processing data that belongs to third parties, such as service providers, customers, or partners. Therefore, it is important to comply with the applicable laws and regulations, such as data protection, privacy, or intellectual property laws. It is also important to respect the rights and interests of the data owners or subjects, such as consent, notification, or confidentiality.
The Computer Investigation Model
To conduct a computer investigation effectively and efficiently, it is helpful to follow a structured and systematic approach. The Fundamental Computer Investigation Guide for Windows provides a four-phase computer investigation model that can be used for any type of computer investigation. The four phases are: assess, acquire, analyse, and report.
Assess
The assess phase is the first and most important phase of the computer investigation model. It involves identifying the scope and objectives of the investigation, determining the legal and ethical implications of the investigation, and planning the investigation strategy and resources.
Identify the scope and objectives of the investigation
The scope and objectives of the investigation define what you want to achieve and what you need to do to achieve it. They help you focus your efforts and resources on the most relevant and important aspects of the investigation. To identify the scope and objectives of the investigation, you should answer questions such as:
What is the reason or purpose of the investigation?
What is the expected outcome or deliverable of the investigation?
What are the key questions or hypotheses that need to be answered or tested?
What are the sources or types of evidence that need to be collected or analysed?
What are the criteria or standards that need to be met or followed?
Determine the legal and ethical implications of the investigation
The legal and ethical implications of the investigation define what you can and cannot do during the investigation. They help you avoid potential risks or liabilities that may arise from violating laws or regulations, infringing rights or interests, or causing harm or damage. To determine the legal and ethical implications of the investigation, you should answer questions such as:
What are the applicable laws or regulations that govern the investigation?
What are the relevant policies or procedures that guide the investigation?
What are the potential legal consequences or remedies that may result from the investigation?
What are the ethical principles or values that underpin the investigation?
What are the potential ethical dilemmas or conflicts that may arise during the investigation?
Plan the investigation strategy and resources
The investigation strategy and resources define how you will conduct and manage the investigation. They help you optimize your time and effort, ensure quality and consistency, and facilitate collaboration and communication. To plan the investigation strategy and resources, you should answer questions such as:
What are the steps or tasks that need to be performed during the investigation?
What are the tools or techniques that need to be used during the investigation?
What are the roles or responsibilities that need to be assigned during the investigation?
What are the timelines or milestones that need to be met during the investigation?
What are the risks or challenges that need to be addressed during the investigation?
Acquire
The acquire phase is the second phase of the computer investigation model. It involves collecting and documenting the evidence from the computer, using a bootable Windows PE environment to preserve the evidence, and using Windows Security to scan for malware.
Collect and document the evidence from the computer
The evidence from the computer is the digital data that contains the information that can help answer the key questions or hypotheses of the investigation. It can include files, folders, registry entries, logs, emails, browsing history, and so on. To collect and document the evidence from the computer, you should follow these steps:
Identify the computer that contains the evidence. It can be a desktop, laptop, tablet, or smartphone. It can also be a server, router, switch, or firewall.
Determine the state of the computer. The state of the computer can be either live or dead. A live computer is one that is powered on and running. A dead computer is one that is powered off or not functioning. The state of the computer affects how you can collect the evidence from it.
Choose the appropriate method to collect the evidence from the computer. There are two main methods to collect the evidence from the computer: static acquisition and live acquisition. Static acquisition involves creating a bit-by-bit copy of the entire hard drive or a specific partition of the computer. Live acquisition involves extracting specific files or data from the computer while it is running. The method you choose depends on the state of the computer, the type and location of the evidence, and the legal and ethical implications of the investigation.
Use a reliable and forensically sound tool to collect the evidence from the computer. There are many tools available for collecting evidence from computers, such as FTK Imager, EnCase, Autopsy, or X-Ways Forensics. These tools can help you create an image or a snapshot of the hard drive or a specific file or folder, verify the integrity of the data using hash values, and document the metadata and properties of the data.
Label and store the evidence in a secure and tamper-proof manner. You should label the evidence with relevant information, such as date, time, location, device, investigator, case number, and description. You should also store the evidence in a locked container or a safe location, and maintain a chain of custody that records who accessed or handled the evidence and when.
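The hashing, labelling and chain-of-custody steps above can be scripted so that the record is produced the same way every time. The following is an added example, not code from the Microsoft guides; it assumes PowerShell 5.1 or later with Get-FileHash, and the case number, investigator name and paths are placeholders.

```powershell
# Added example: build an evidence manifest (one row per file, SHA-256 + metadata)
# and append entries to a chain-of-custody log. Paths and case details are placeholders.

function New-EvidenceManifest {
    param(
        [Parameter(Mandatory)][string]$EvidenceRoot,
        [Parameter(Mandatory)][string]$CaseNumber,
        [Parameter(Mandatory)][string]$Investigator,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root      = (Resolve-Path -LiteralPath $EvidenceRoot).ProviderPath.TrimEnd('\')
    $collected = (Get-Date).ToUniversalTime().ToString('o')   # ISO 8601, UTC
    $rows = Get-ChildItem -LiteralPath $root -File -Recurse -Force | ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
        [pscustomobject]@{
            CaseNumber   = $CaseNumber
            Investigator = $Investigator
            CollectedUtc = $collected
            Device       = $env:COMPUTERNAME
            RelativePath = $_.FullName.Substring($root.Length + 1)
            SizeBytes    = $_.Length
            CreatedUtc   = $_.CreationTimeUtc.ToString('o')
            ModifiedUtc  = $_.LastWriteTimeUtc.ToString('o')
            SHA256       = $h.Hash
        }
    }
    $rows | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
    # Hash the manifest itself so later tampering with the record is detectable.
    $manifestHash = (Get-FileHash -LiteralPath $ManifestPath -Algorithm SHA256).Hash
    Set-Content -LiteralPath "$ManifestPath.sha256" -Value $manifestHash -Encoding ASCII
    return $rows
}

function Add-CustodyEntry {
    param(
        [Parameter(Mandatory)][string]$CustodyLog,
        [Parameter(Mandatory)][string]$CaseNumber,
        [Parameter(Mandatory)][string]$Handler,
        [Parameter(Mandatory)][ValidateSet('Collected','Transferred','Accessed','Returned')]
        [string]$Action,
        [string]$Description = ''
    )
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        CaseNumber   = $CaseNumber
        Handler      = $Handler
        Action       = $Action
        Description  = $Description
    } | Export-Csv -LiteralPath $CustodyLog -NoTypeInformation -Append -Encoding UTF8
}

# Usage (placeholder paths and case details)
$m = New-EvidenceManifest -EvidenceRoot 'E:\Case-0001\Evidence' -CaseNumber 'CASE-0001' `
        -Investigator 'J. Doe' -ManifestPath 'E:\Case-0001\manifest.csv'
Add-CustodyEntry -CustodyLog 'E:\Case-0001\custody.csv' -CaseNumber 'CASE-0001' -Handler 'J. Doe' `
        -Action Collected -Description "Hashed $($m.Count) files from the acquired volume"
```

Keep the manifest, its .sha256 sidecar and the custody log on a separate write-protected location from the evidence copy, so the record cannot be altered together with the data it describes.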
Use a bootable Windows PE environment to preserve the evidence
A bootable Windows PE environment is a lightweight version of Windows that can run from a CD, DVD, USB drive, or network location. It can be used to access and manipulate files and data on a computer without affecting or altering its original state. It can also be used to run various tools and applications that can help with the investigation. To use a bootable Windows PE environment to preserve the evidence, you should follow these steps:
Create a bootable Windows PE media using the Windows Assessment and Deployment Kit (ADK). You can download the ADK from https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install. You can also use the Malware Removal Starter Kit to create a bootable Windows PE media with pre-installed tools and scripts.
Boot the computer from the Windows PE media. You can do this by changing the boot order in the BIOS settings or by pressing a key during the startup process.
Mount the hard drive or partition that contains the evidence. You can do this by using the diskpart command-line tool or by using a graphical user interface tool such as Disk Management.
Copy the evidence from the hard drive or partition to another storage device or location. You can do this by using the xcopy command-line tool or by using a graphical user interface tool such as File Explorer.
Unmount and detach the hard drive or partition that contains the evidence. You can do this by using the diskpart command-line tool or by using a graphical user interface tool such as Disk Management.
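The diskpart and xcopy steps above, scripted as an added example (not from the Microsoft guides or the Malware Removal Starter Kit). It assumes the Windows PE image includes the WinPE-PowerShell optional component, and that the volume number and drive letters are placeholders confirmed beforehand with diskpart's list volume command.

```powershell
# Added example: copy the suspect volume from Windows PE while it stays read-only.
# $SourceVolume, $SourceDrive and $TargetDir are placeholders; verify them in diskpart first.
param(
    [int]$SourceVolume   = 2,                         # suspect volume number (placeholder)
    [string]$SourceDrive = 'S:',                      # letter to assign to the suspect volume
    [string]$TargetDir   = 'E:\Case-0001\Evidence'    # destination on the examiner's drive
)

# 1. Mark the source volume read-only before assigning a letter, so nothing here writes to it.
$scriptFile = Join-Path $env:TEMP 'mount-readonly.txt'
$letter = $SourceDrive.TrimEnd(':')
@"
select volume $SourceVolume
attributes volume set readonly
assign letter=$letter
list volume
"@ | Set-Content -LiteralPath $scriptFile -Encoding ASCII
diskpart /s $scriptFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# 2. Copy everything: subdirectories (/E), hidden and system files (/H), attributes (/K),
#    ownership and ACLs (/O), audit settings (/X), symbolic links as links (/B);
#    /C continues past read errors so one damaged file does not abort the acquisition.
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
xcopy "$SourceDrive\*" $TargetDir /E /H /K /O /X /B /Y /C
if ($LASTEXITCODE -gt 1) { throw "xcopy reported errors (exit code $LASTEXITCODE)" }

# 3. Release the letter again; the volume keeps its read-only attribute for this session.
@"
select volume $SourceVolume
remove letter=$letter
"@ | Set-Content -LiteralPath $scriptFile -Encoding ASCII
diskpart /s $scriptFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed to release volume $SourceVolume" }
```

Hash the copied tree immediately afterwards (see the acquisition steps above) so the copy can be verified later against the record made at collection time.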
Use Windows Security to scan for malware
Malware is any software or code that is designed to harm or compromise a computer or its data. It can include viruses, worms, trojans, ransomware, spyware, adware, rootkits, or backdoors. Malware can affect the integrity, availability, confidentiality, or authenticity of the evidence. To use Windows Security to scan for malware, you should follow these steps:
Open your Windows Security settings. You can do this by clicking on the Start button and typing Windows Security in the search box.
Select Virus & threat protection > Scan options.
Select Windows Defender Offline scan, and then select Scan now. This will restart your computer and run a scan that can detect and remove malware that is hidden or persistent.
View the results of your scan. You can do this by opening your Windows Security settings again and selecting Virus & threat protection > Protection history. This will show you any malware that was detected or removed by the scan.
Analyse
The analyse phase is the third phase of the computer investigation model. It involves examining and interpreting the evidence using forensic tools, identifying and verifying the relevant findings, and correlating and cross-referencing the findings with other sources.
Examine and interpret the evidence using forensic tools
The evidence is the digital data that contains the information that can help answer the key questions or hypotheses of the investigation. It can include files, folders, registry entries, logs, emails, browsing history, and so on. To examine and interpret the evidence using forensic tools, you should follow these steps:
Choose a suitable forensic tool to examine and interpret the evidence. There are many forensic tools available for examining and interpreting evidence, such as FTK Imager, EnCase, Autopsy, or X-Ways Forensics. These tools can help you view, search, filter, sort, analyse, and extract data from various sources and formats.
Load the evidence into the forensic tool. You can do this by opening the image or snapshot of the hard drive or a specific file or folder that you created during the acquire phase. You can also connect the storage device or location that contains the evidence to your computer.
Explore and analyse the evidence using the features and functions of the forensic tool. You can do this by browsing through the file system or registry structure, searching for keywords or patterns, filtering by date or size or type, sorting by name or extension or attribute, analysing by hash or entropy or signature, extracting by carving or decoding or decrypting, and so on.
Interpret the data and draw conclusions based on your analysis. You can do this by comparing the data with your expectations or assumptions, identifying any anomalies or discrepancies or inconsistencies, explaining any causes or effects or relationships or patterns, and inferring any motives or methods or capabilities or identities.
Identify and verify the relevant findings
The findings are the facts or information that are derived from the evidence and that support or refute the key questions or hypotheses of the investigation. They can include file names, file contents, file metadata, registry values, log entries, email headers, email bodies, browsing history entries, and so on. To identify and verify the relevant findings, you should follow these steps:
Select the findings that are relevant to the scope and objectives of the investigation. You can do this by reviewing your analysis and interpretation of the evidence and selecting the findings that answer your key questions or hypotheses.
Verify the accuracy and reliability of the findings. You can do this by checking the integrity of the data using hash values, checking the authenticity of the data using digital signatures or certificates, checking the consistency of the data using timestamps or sequence numbers, checking the source of the data using metadata or properties, and checking the validity of the data using logic or common sense.
Document the findings in a clear and concise manner. You can do this by recording the details and context of the findings, such as date, time, location, device, investigator, case number, and description. You should also record the source and method of the findings, such as image, snapshot, tool, technique, and command.
Correlate and cross-reference the findings with other sources
The other sources are the additional data or information that can help corroborate or contradict the findings or provide more insights or perspectives into the investigation. They can include external sources, such as databases, websites, reports, or witnesses, or internal sources, such as logs, emails, browsing history, or documents. To correlate and cross-reference the findings with other sources, you should follow these steps:
Identify the other sources that are relevant to the scope and objectives of the investigation. You can do this by reviewing your key questions or hypotheses and identifying the other sources that can provide more evidence or information to answer them.
Access and process the other sources using appropriate tools or techniques. You can do this by querying databases, crawling websites, reading reports, interviewing witnesses, or analysing logs, emails, browsing history, or documents.
Compare and contrast the findings with other sources using analytical methods or techniques. You can do this by matching hash values, comparing timestamps, measuring similarities, calculating differences, testing hypotheses, or applying statistics.
Document the correlation and cross-reference in a clear and concise manner. You can do this by recording the details and context of the correlation and cross-reference, such as date, time, location, device, investigator, case number, and description. You should also record the source and method of the correlation and cross-reference, such as database, website, report, witness, tool, technique, and command.
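An added example (not from the Microsoft guides) that covers both the verification step in the previous section (integrity by hash values, consistency by timestamps) and the hash-matching cross-reference described here. It assumes a manifest CSV with RelativePath, SHA256, CreatedUtc and ModifiedUtc columns plus a .sha256 sidecar recorded at acquisition, and an external known-hash list as a CSV with Hash and Label columns; all paths are placeholders.

```powershell
# Added example: re-hash evidence against the acquisition manifest, flag timestamp
# anomalies, and cross-reference each hash against a known-hash list.
function Test-EvidenceIntegrity {
    param(
        [Parameter(Mandatory)][string]$EvidenceRoot,
        [Parameter(Mandatory)][string]$ManifestPath,
        [string]$KnownHashes                     # CSV with columns Hash,Label (placeholder)
    )
    # The manifest is only trustworthy if its own hash still matches the recorded value.
    $recorded = (Get-Content -LiteralPath "$ManifestPath.sha256" -Raw).Trim()
    $actual   = (Get-FileHash -LiteralPath $ManifestPath -Algorithm SHA256).Hash
    if ($recorded -ne $actual) { throw "Manifest $ManifestPath was modified after acquisition" }

    $known = @{}
    if ($KnownHashes) {
        Import-Csv -LiteralPath $KnownHashes | ForEach-Object { $known[$_.Hash.ToUpper()] = $_.Label }
    }

    Import-Csv -LiteralPath $ManifestPath | ForEach-Object {
        $path    = Join-Path $EvidenceRoot $_.RelativePath
        $issues  = @()
        $current = $null
        if (-not (Test-Path -LiteralPath $path)) {
            $issues += 'missing'
        } else {
            $current = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            if ($current -ne $_.SHA256) { $issues += 'hash mismatch' }
        }
        # Last-write earlier than creation is normal for copied files but still merits
        # a second look, because it is also what timestamp manipulation leaves behind.
        if ([datetime]$_.ModifiedUtc -lt [datetime]$_.CreatedUtc) { $issues += 'modified before created' }
        $key   = $_.SHA256.ToUpper()
        $label = if ($known.ContainsKey($key)) { $known[$key] } else { '' }
        [pscustomobject]@{
            RelativePath = $_.RelativePath
            RecordedHash = $_.SHA256
            CurrentHash  = $current
            KnownAs      = $label
            Issues       = ($issues -join '; ')
        }
    }
}

# Usage (placeholder paths): show only rows that need attention.
Test-EvidenceIntegrity -EvidenceRoot 'E:\Case-0001\Evidence' -ManifestPath 'E:\Case-0001\manifest.csv' `
    -KnownHashes 'E:\Case-0001\known-hashes.csv' |
    Where-Object { $_.Issues -or $_.KnownAs } | Format-Table -AutoSize
```

Record the tool, command and date of each verification run in the findings documentation, as the steps above require, so the check itself is reproducible.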
Report
The report phase is the fourth and final phase of the computer investigation model. It involves organizing and presenting the findings in a clear and concise manner, using charts, tables, and graphs to illustrate the findings, and providing recommendations and conclusions based on the findings.
Organize and present the findings in a clear and concise manner
The findings are the facts or information that are derived from the evidence and that support or refute the key questions or hypotheses of the investigation. They can include file names, file contents, file metadata, registry values, log entries, email headers, email bodies, browsing history entries, and so on. To organize and present the findings in a clear and concise manner, you should follow these steps:
Structure the report according to the scope and objectives of the investigation. You can do this by following a standard format or template, such as introduction, background, methodology, results, discussion, conclusion, and appendix.
Write the report using a clear and concise language and style. You can do this by using simple and direct sentences, avoiding jargon or technical terms, defining acronyms or abbreviations, explaining concepts or processes, providing examples or scenarios, and using active voice or passive voice appropriately.
Edit and proofread the report for accuracy and readability. You can do this by checking the spelling and grammar, verifying the facts and figures, correcting any errors or inconsistencies, adding any missing information or details, deleting any redundant or irrelevant information or details, and improving the flow and coherence of the report.
Use charts, tables, and graphs to illustrate the findings
Charts, tables, and graphs are visual representations of data or information that can help illustrate the findings. They can help highlight patterns or trends, compare or contrast values or c