An Approach to Digital Evidence Collection for Successful Forensic Application: An Investigation of a Blackmail Case

Kemal Hajdarevic *, Vahidin Dzaltur **
* Faculty of Electrical Engineering, University of Sarajevo, Sarajevo, Bosnia and Herzegovina
** American University in Bosnia and Herzegovina, Sarajevo, Bosnia and Herzegovina
* khajdarevic@etf.unsa.ba, ** vdzaltur@aubih.edu.ba

Abstract

Computer forensics is the practice of collecting, analyzing and reporting evidence in a way that is legally admissible "in open court" or "in public" as part of a criminal investigation process. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. In this paper we present a case of criminal activity in progress in which forensic work using hacker tools helped to proactively prevent an act of blackmail. This approach was acceptable to the company owner because a public case would have brought negative publicity, and because incident resolution time was a very important criterion in this case. Many organizations suffer great losses because they have not implemented information security standards that include segregation of duties and active monitoring. In this paper we describe how we used network hacking in a forensic investigation for the right cause, which is to prevent criminal activity in progress. The paper shows how different techniques and tools can be used jointly in a step-by-step process to successfully perform forensic analysis and reporting.

I. INTRODUCTION

Computer forensics follows a process similar to other forensic disciplines and faces similar issues. Its purpose is to answer questions of the legal system related to computers. Forensics has its role in any sort of legal issue: trials, civil court cases or any other legal proceeding in which a computer is involved. "Computer forensics usually refers to the forensic examination of computer components and their contents..." [1]

A. Presenting the case before forensic investigation

The case presented in this paper started when the forensic team was called by the company's IT manager, with the company owner's permission, with a request to investigate whether the database (DB) administrator was hiding important organisational data on a PC. There was a fear that the DB administrator was collecting and using company information without permission. Another reason for believing that covert blackmail was in progress was that the DB administrator had initiated negotiations to change his salary terms and conditions while refusing to provide the system password to the IT manager. The PC used by the DB administrator was his own device, because the company allows a bring your own device (BYOD) and bring your own technology (BYOT) policy. The DB administrator's PC was password protected at all times. Other concerns included the fear that the DB administrator would permanently destroy the entire hard drive with the data of the system he manages, or simply quit and leave the company without important company and user data.

Because there were still no grounds for criminal prosecution (no data or hardware had been destroyed, and there was no formal blackmail demand), it was decided to acquire access to all data without the knowledge of the DB administrator. This case was therefore more a matter of preventing a possible crime. No one was able to provide any information about the operating system or the type and version of software the DB administrator used on his PC. It was decided with the company owner that the forensic team would work after office hours. In order to keep a low profile, it was decided to keep contact only with the IT manager, to avoid other employees informing the DB administrator that a forensic process was in progress. Because the DB administrator's PC was running all the time, the idea of shutting it down and creating a forensic image was out of the question: the DB administrator would probably be able to detect that the PC had been rebooted in his absence. This left only acquisition from the running system, which, unlike a verified bit-for-bit image, cannot later be checked against a hash of the original media, so every collection step had to be documented as it was performed.

The network in this case was a structured UTP wired infrastructure with a central router; IP addresses on the local network were assigned by the DHCP server service running on the router.

B. Rationale for documenting the forensic case

The main reason for documenting and presenting the whole forensic analysis process was to show how hacker techniques can be used for the right purpose, which is stopping criminal activity in progress. Criminals are usually aware of these possibilities and try to evade detection and prevention of their activities. While hacker tools are used to fight criminals it is possible

MIPRO 2015, 25-29 May 2015, Opatija, Croatia 1387