Chapter 5

Chapter 5

Guide to Computer Forensics and Investigations Fourth Edition Chapter 5 Processing Crime and Incident Scenes Identifying Digital Evidence Digital evidence Can be any information stored or transmitted in digital form U.S. courts accept digital evidence as physical evidence Digital data is a tangible object

Some require that all digital evidence be printed out to be presented in court Guide to Computer Forensics and Investigations 2 Identifying Digital Evidence (continued) General tasks investigators perform when working with digital evidence: Identify digital information or artifacts that can be used as evidence Collect, preserve, and document evidence Analyze, identify, and organize evidence Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably

Collecting computers and processing a criminal or incident scene must be done systematically Guide to Computer Forensics and Investigations 3 Understanding Rules of Evidence Consistent practices help verify your work and enhance your credibility Comply with your states rules of evidence or with the Federal Rules of Evidence Evidence admitted in a criminal case can be used in a civil suit, and vice versa Keep current on the latest rulings and directives on collecting, processing, storing, and admitting

digital evidence Guide to Computer Forensics and Investigations 4 Understanding Rules of Evidence (continued) Data you discover from a forensic examination falls under your states rules of evidence Or the Federal Rules of Evidence Digital evidence is unlike other physical evidence because it can be changed more easily The only way to detect these changes is to compare the original data with a duplicate

Most federal courts have interpreted computer records as hearsay evidence Guide to Computer Forensics and Investigations 5 Understanding Rules of Evidence (continued) Business-record exception Allows records of regularly conducted activity, such as business memos, reports, records, or data compilations

Generally, computer records are considered admissible if they qualify as a business record Computer records are usually divided into: Computer-generated records Computer-stored records Guide to Computer Forensics and Investigations 6 Understanding Rules of Evidence (continued) Computer records must be shown to be authentic and trustworthy To be admitted into court Computer-generated records are considered

authentic If the program that created the output is functioning correctly Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic Guide to Computer Forensics and Investigations 7 Understanding Rules of Evidence (continued) When attorneys challenge digital evidence Often they raise the issue of whether computergenerated records were altered Or damaged after they were created

One test to prove that computer-stored records are authentic is to demonstrate that a specific person created the records The author of a Microsoft Word document can be identified by using file metadata Guide to Computer Forensics and Investigations 8 Understanding Rules of Evidence (continued) The process of establishing digital evidences trustworthiness originated with written documents and the best evidence rule Best evidence rule states:

To prove the content of a written document, recording, or photograph, ordinarily the original writing, recording, or photograph is required Federal Rules of Evidence Allow a duplicate instead of originals when it is produced by the same impression as the original Guide to Computer Forensics and Investigations 9 Understanding Rules of Evidence (continued) As long as bit-stream copies of data are created and maintained properly

The copies can be admitted in court, although they arent considered best evidence Guide to Computer Forensics and Investigations 10 Collecting Evidence in Private-Sector Incident Scenes Private-sector organizations include: Businesses and government agencies that arent involved in law enforcement Agencies must comply with state public disclosure and federal Freedom of Information Act (FOIA) laws

And make certain documents available as public records FOIA allows citizens to request copies of public documents created by federal agencies Guide to Computer Forensics and Investigations 11 Collecting Evidence in Private-Sector Incident Scenes (continued) A special category of private-sector businesses includes ISPs and other communication companies ISPs can investigate computer abuse committed by their employees, but not by

customers Except for activities that are deemed to create an emergency situation Investigating and controlling computer incident scenes in the corporate environment Guide to Computer Forensics and Investigations Much easier than in the criminal environment 12 Collecting Evidence in Private-Sector Incident Scenes (continued) Typically, businesses have inventory databases of computer hardware and software

Help identify the computer forensics tools needed to analyze a policy violation And the best way to conduct the analysis Corporate policy statement about misuse of computing assets Allows corporate investigators to conduct covert surveillance with little or no cause And access company systems without a warrant Guide to Computer Forensics and Investigations 13 Collecting Evidence in Private-Sector Incident Scenes (continued)

Companies should display a warning banner or publish a policy Stating that they reserve the right to inspect computing assets at will Corporate investigators should know under what circumstances they can examine an employees computer Every organization must have a well-defined process describing when an investigation can be initiated Guide to Computer Forensics and Investigations 14 Collecting Evidence in Private-Sector

Incident Scenes (continued) If a corporate investigator finds that an employee is committing or has committed a crime Employer can file a criminal complaint with the police Employers are usually interested in enforcing company policy Not seeking out and prosecuting employees Corporate investigators are, therefore, primarily concerned with protecting company assets Guide to Computer Forensics and Investigations 15

Collecting Evidence in Private-Sector Incident Scenes (continued) If you discover evidence of a crime during a company policy investigation Determine whether the incident meets the elements of criminal law Inform management of the incident Stop your investigation to make sure you dont violate Fourth Amendment restrictions on obtaining evidence Work with the corporate attorney to write an affidavit confirming your findings Guide to Computer Forensics and Investigations 16

Processing Law Enforcement Crime Scenes You must be familiar with criminal rules of search and seizure You should also understand how a search warrant works and what to do when you process one Law enforcement officer may search for and seize criminal evidence only with probable cause Facts or circumstances that lead a reasonable person to believe a crime has been committed Guide to Computer Forensics and Investigations 17 or is about to be committed

Processing Law Enforcement Crime Scenes (continued) With probable cause, a police officer can obtain a search warrant from a judge That authorizes a search and seizure of specific evidence related to the criminal complaint The Fourth Amendment states that only warrants particularly describing the place to be searched, and the persons or things to be seized can be issued Guide to Computer Forensics and Investigations 18

Guide to Computer Forensics and Investigations 19 Understanding Concepts and Terms Used in Warrants Innocent information Unrelated information Often included with the evidence youre trying to recover Judges often issue a limiting phrase to the warrant Allows the police to separate innocent information from evidence

Guide to Computer Forensics and Investigations 20 Understanding Concepts and Terms Used in Warrants (continued) Plain view doctrine Objects falling in plain view of an officer who has the right to be in position to have that view Are subject to seizure without a warrant and may be introduced in evidence Knock and announce With few exceptions, warrants require that officers knock and announce their identity When executing a warrant

Guide to Computer Forensics and Investigations 21 Preparing for a Search Preparing for a computer search and seizure Probably the most important step in computing investigations To perform these tasks You might need to get answers from the victim and an informant Who could be a police detective assigned to the case, a law enforcement witness, or a manager or coworker of the person of interest to the investigation

Guide to Computer Forensics and Investigations 22 Identifying the Nature of the Case When youre assigned a computing investigation case Start by identifying the nature of the case Including whether it involves the private or public sector The nature of the case dictates how you proceed And what types of assets or resources you need to use in the investigation Guide to Computer Forensics and Investigations

23 Identifying the Type of Computing System For law enforcement This step might be difficult because the crime scene isnt controlled If you can identify the computing system Estimate the size of the drive on the suspects computer And how many computers to process at the scene Determine which OSs and hardware are

involved Guide to Computer Forensics and Investigations 24 Determining Whether You Can Seize a Computer The type of case and location of the evidence Determine whether you can remove computers Law enforcement investigators need a warrant to remove computers from a crime scene And transport them to a lab If removing the computers will irreparably harm a business

The computers should not be taken offsite Guide to Computer Forensics and Investigations 25 Determining Whether You Can Seize a Computer (continued) An additional complication is files stored offsite that are accessed remotely If you arent allowed to take the computers to your lab Determine the resources you need to acquire digital evidence and which tools can speed data acquisition Guide to Computer Forensics and Investigations

26 Obtaining a Detailed Description of the Location Get as much information as you can Identify potential hazards Interact with your HAZMAT team HAZMAT guidelines Put the target drive in a special HAZMAT bag HAZMAT technician can decontaminate the bag Check for high temperatures Guide to Computer Forensics and Investigations

27 Determining Who Is in Charge Corporate computing investigations Require only one person to respond Law enforcement agencies Handle large-scale investigations Designate lead investigators Guide to Computer Forensics and Investigations 28 Using Additional Technical Expertise Look for specialists

OSs RAID servers Databases Finding the right person can be a challenge Educate specialists in investigative techniques Prevent evidence damage Guide to Computer Forensics and Investigations 29 Determining the Tools You Need Prepare tools using incident and crime scene information Initial-response field kit

Lightweight Easy to transport Extensive-response field kit Includes all tools you can afford Guide to Computer Forensics and Investigations 30 Guide to Computer Forensics and Investigations 31 Guide to Computer Forensics and Investigations

32 Guide to Computer Forensics and Investigations 33 Preparing the Investigation Team Review facts, plans, and objectives with the investigation team you have assembled Goals of scene processing Collect evidence Secure evidence Slow response can cause digital evidence to be lost

Guide to Computer Forensics and Investigations 34 Securing a Computer Incident or Crime Scene Goals Preserve the evidence Keep information confidential Define a secure perimeter Use yellow barrier tape Legal authority Professional curiosity can destroy evidence Involves police officers and other professionals

who arent part of the crime scene processing team Guide to Computer Forensics and Investigations 35 Seizing Digital Evidence at the Scene Law enforcement can seize evidence With a proper warrant Corporate investigators rarely can seize evidence When seizing computer evidence in criminal investigations Follow U.S. DoJ standards for seizing digital data

Civil investigations follow same rules Require less documentation though to Computer Forensics and Investigations Guide Consult with your attorney for extra guidelines36 Preparing to Acquire Digital Evidence The evidence you acquire at the scene depends on the nature of the case And the alleged crime or violation Ask your supervisor or senior forensics examiner in your organization the following questions: Do you need to take the entire computer and all

peripherals and media in the immediate area? How are you going to protect the computer and media while transporting them to your lab? Guide Computer Forensics and Investigations 37 Isto the computer powered on when you arrive? Preparing to Acquire Digital Evidence (continued) Ask your supervisor or senior forensics examiner in your organization the following questions (continued): Is the suspect youre investigating in the immediate area of the computer?

Is it possible the suspect damaged or destroyed the computer, peripherals, or media? Will you have to separate the suspect from the computer? Guide to Computer Forensics and Investigations 38 Processing an Incident or Crime Scene Guidelines Keep a journal to document your activities Secure the scene Be professional and courteous with onlookers Remove people who are not part of the investigation

Take video and still recordings of the area around the computer Pay attention to details Sketch the incident or crime scene Check computers as possible Guide to Computer Forensicsas andsoon Investigations 39

Processing an Incident or Crime Scene (continued) Guidelines (continued) Dont cut electrical power to a running system unless its an older Windows 9x or MS-DOS system Save data from current applications as safely as possible Record all active windows or shell sessions Make notes of everything you do when copying data from a live suspect computer Close applications and shut down the computer Guide to Computer Forensics and Investigations 40

Processing an Incident or Crime Scene (continued) Guidelines (continued) Bag and tag the evidence, following these steps: Assign one person to collect and log all evidence Tag all evidence you collect with the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it Maintain two separate logs of collected evidence Maintain constant control of the collected evidence and the crime or incident scene Guide to Computer Forensics and Investigations 41

Processing an Incident or Crime Scene (continued) Guidelines (continued) Look for information related to the investigation Passwords, passphrases, PINs, bank accounts Collect documentation and media related to the investigation Hardware, software, backup media, documentation, manuals Guide to Computer Forensics and Investigations 42

Processing Data Centers with RAID Systems Sparse acquisition Technique for extracting evidence from large systems Extracts only data related to evidence for your case from allocated files And minimizes how much data you need to analyze Drawback of this technique It doesnt recover data in free or slack space Guide to Computer Forensics and Investigations 43

Using a Technical Advisor Technical advisor Can help you list the tools you need to process the incident or crime scene Person guiding you about where to locate data and helping you extract log records Or other evidence from large RAID servers Can help create the search warrant by itemizing what you need for the warrant Guide to Computer Forensics and Investigations 44 Using a Technical Advisor (continued)

Responsibilities Know aspects of the seized system Direct investigator handling sensitive material Help secure the scene Help document the planning strategy Conduct ad hoc trainings Document activities Guide to Computer Forensics and Investigations

45 Documenting Evidence in the Lab Record your activities and findings as you work Maintain a journal to record the steps you take as you process evidence Goal is to be able to reproduce the same results When you or another investigator repeat the steps you took to collect evidence A journal serves as a reference that documents the methods you used to process digital evidence

Guide to Computer Forensics and Investigations 46 Processing and Handling Digital Evidence Maintain the integrity of digital evidence in the lab As you do when collecting it in the field Steps to create image files: Copy all image files to a large drive Start your forensics tool to analyze the evidence Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash Secure the original media in an evidence locker

Guide to Computer Forensics and Investigations 47 Storing Digital Evidence The media you use to store digital evidence usually depends on how long you need to keep it CD-Rs or DVDs The ideal media Capacity: up to 17 GB Lifespan: 2 to 5 years Magnetic tapes Capacity: 40 to 72 GB Lifespan: 30 years

Costs: Guide to Computer Forensics Investigations drive: $400 and to $800; tape: $40 48 Evidence Retention and Media Storage Needs To help maintain the chain of custody for digital evidence

Restrict access to lab and evidence storage area Lab should have a sign-in roster for all visitors Maintain logs for a period based on legal requirements You might need to retain evidence indefinitely Check with your local prosecuting attorneys office or state laws to make sure youre in Guide to Computer Forensics and Investigations compliance 49 Documenting Evidence

Create or use an evidence custody form An evidence custody form serves the following functions: Identifies the evidence Identifies who has handled the evidence Lists dates and times the evidence was handled You can add more information to your form Such as a section listing MD5 and SHA-1 hash values Guide to Computer Forensics and Investigations 50 Documenting Evidence (continued) Include any detailed information you might

need to reference Evidence bags also include labels or evidence forms you can use to document your evidence Guide to Computer Forensics and Investigations 51 Obtaining a Digital Hash Cyclic Redundancy Check (CRC) Mathematical algorithm that determines whether a files contents have changed Most recent version is CRC-32 Not considered a forensic hashing algorithm Message Digest 5 (MD5)

Mathematical formula that translates a file into a hexadecimal code value, or a hash value If a bit or byte in the file changes, it alters the digital hash Guide to Computer Forensics and Investigations 52 Obtaining a Digital Hash (continued) Three rules for forensic hashes: You cant predict the hash value of a file or device No two hash values can be the same If anything changes in the file or device, the hash value must change

Secure Hash Algorithm version 1 (SHA-1) A newer hashing algorithm Developed by the National Institute of Standards and Technology (NIST) Guide to Computer Forensics and Investigations 53 Obtaining a Digital Hash (continued) In both MD5 and SHA-1, collisions have occurred Most computer forensics hashing needs can be satisfied with a nonkeyed hash set A unique hash number generated by a software

tool, such as the Linux md5sum command Keyed hash set Created by an encryption utilitys secret key You can use the MD5 function in FTK Imager to obtain the digital signature of a file Guide to Computer Or an entireForensics drive and Investigations 54 Reviewing a Case

General tasks you perform in any computer forensics case: Identify the case requirements Plan your investigation Conduct the investigation Complete the case report Critique the case Guide to Computer Forensics and Investigations

55 Sample Civil Investigation Most cases in the corporate environment are considered low-level investigations Or noncriminal cases Common activities and practices Recover specific evidence Suspects Outlook e-mail folder (PST file) Covert surveillance Its use must be well defined in the company policy Risk of civil or criminal liability Guide

to Computer Forensics and Investigations Sniffing tools for data transmissions 56 Sample Criminal Investigation Computer crimes examples Fraud Check fraud Homicides

Need a warrant to start seizing evidence Limit searching area Guide to Computer Forensics and Investigations 57 Reviewing Background Information for a Case Company called Superior Bicycles Specializes in creating new and inventive modes of human-driven transportation Two employees, Chris Murphy and Nau Tjeriko, have been missing for several days A USB thumb drive has been recovered from

Chriss office with evidence that he had been conducting a side business using company computers Guide to Computer Forensics and Investigations 58 Identifying the Case Requirements Identify requirements such as:

Nature of the case Suspects name Suspects activity Suspects hardware and software specifications Guide to Computer Forensics and Investigations 59 Planning Your Investigation List what you can assume or know Several incidents may or may not be related Suspects computer can contain information about the case If someone else has used suspects computer

Make an image of suspects computer disk drive Analyze forensics copy Guide to Computer Forensics and Investigations 60

Recently Viewed Presentations

  • Wiia fm, jdKsc wxYfhka Nd. iu;a jQ fKqld

    Wiia fm, jdKsc wxYfhka Nd. iu;a jQ fKqld

    1' fuuisoaosfhaioykazz.fïlfâ ZZ jHdmdrhúiskaimqrd,kq,nkuq,slñksiawjYH;dj l=ulao @ 1'wdydr. 2'weÿï . 3'ksjdi. 4'wOHdmk
  • Co-Teaching as Best Practice in Student Teaching

    Co-Teaching as Best Practice in Student Teaching

    JSU Co-Teaching Project and Timeline for 2012-2013. Initial training for JSU Faculty, LEA Administrators, Cooperating Teachers. Placement and training of initial group of selected JSU students. Initial implementation in Fall Practicum into Spring Internship. Embed co-teaching in all College of...
  • Eng. 6002 Ship Structures 1 Hull Girder Response

    Eng. 6002 Ship Structures 1 Hull Girder Response

    Eng. 6002 Ship Structures 1 Hull Girder Response Analysis Lecture 10: Review of Indeterminate Beams (Displacement method) Overview The direct displacement method is another technique that can be used to analyze indeterminate structures. This method can be generalized and is...
  • Chapter 1Computer System Overview - University of North Florida

    Chapter 1Computer System Overview - University of North Florida

    After an interrupt handler completes, control may not return to the program that was executing at the time of the interrupt. Memory Hierarchy. Faster access time, greater cost per bit. Greater capacity, smaller cost per bit. Greater capacity, slower access...
  • PASBO Conference Pittsburgh, PA March 2011 Budgeting Yesterday,

    PASBO Conference Pittsburgh, PA March 2011 Budgeting Yesterday,

    Tim Shrom, Solanco School District Budget Instructions / Forms / Timelines / Bid Recaps / Budget Summaries / Account Codes This link goes directly into a folder with all of the files:
  • Delta Sigma Theta Sorority, Inc. Cincinnati Alumnae Chapter

    Delta Sigma Theta Sorority, Inc. Cincinnati Alumnae Chapter

    Violets to all for continuing to share your unique gifts and amazing spirit to accomplish the work of CACDST. See our April updates below. Ways & Means Committee: Soror Lisa Rowell Third Annual Golf Outing - May 17, 2008 at...
  • 150429_PC21_Study_Results_Coal_Retirement

    150429_PC21_Study_Results_Coal_Retirement

    This is a summation of the annual generation by category for the PC01 (common case) and the PC21 (coal retirement case), showing the differences between the two cases.
  • RGP (Lester Sussman and David Mathews) Vendor Risk Management

    RGP (Lester Sussman and David Mathews) Vendor Risk Management

    The Impact of Risk - Failures in VRM. This document is the proprietary and confidential property of Resources Global Professionals. Global Bank- $35 million penalty plus restitution to Customers for Unfair Billing Practices and deceptive marketing by one of its...