Chp 5

Digital evidence

� Can be any information stored or transmitted in digital form

U.S. courts accept digital evidence as

physical evidence

Most federal courts have interpreted computer records as hearsay evidence. Hearsay is __

secondhand or indirect evidence

Business-record exception

� Allows "records of regularly conducted activity," such as business memos, reports, records, or data compilations

Computer records are usually divided into:

� Computer-generated records
� Computer-stored records

To be admitted into court Computer records must be shown to be

authentic and trustworthy

Computer-generated records are considered authentic

If the program that created the output is functioning correctly

When attorneys challenge digital evidence

they raise the issue of whether computer-generated records were altered
Or damaged after they were created

One test to prove that computer-stored records are authentic is to demonstrate that

A specific person created the records.
The author of a Microsoft Word document can be identified by using file metadata

Best evidence

evidence that is written document, ordinarily the original writing

Federal Rules of Evidence

Allow duplicate instead of originals evidence, as long as it produced by the same impression as the original by mechanical or electronic re- recording

bit-stream copies of data

The copies can be admitted in court, although they aren't considered best evidence

The bit-stream copies can be admitted in court, even if they aren't considered the best evidence, as long as

data are created and maintained properly

Freedom of Information Act (FOIA)

allows citizens to request copies of public documents created by federal agencies

If a corporate investigator finds that an employee is committing or has committed a crime

Employer can file a criminal complaint with the police

If you discover evidence of a crime during a company policy investigation

Work with the corporate attorney to write an affidavit confirming your findings

probable cause

specifying whether police has the right to make an arrest or conduct search and seizure

Innocent information

data that doesn't contribute to evidence of a crime or violation

limiting phrase

Allows the police to separate innocent information from evidence

Plain view doctrine

Are subject to seizure without a warrant and may be introduced in evidence

Knock and announce

With few exceptions, warrants require that officers knock and announce their identity
When executing a warrant


Identify potential hazards materials like chemical,biological or radioactive substance that can cause harm.

Extensive-response field kit

portable kit design to process several computers and variety of OS at a crime scene involving computers

Items in Initial-response field kit

-Computer Forensic kit
-Digital Camera

Initial-response field kit

portable kit containing only the minimum tools needed to perform disk acquisition

Securing Computer Incident or Crime Scene. Their Goals:

-Preserve the evidence
-Keep information confidential

Define a secure perimeter

yellow barrier tape that keep unnecessary people out in compliance with police officers

Old rule: pull the plug

Don't cut electrical power to a running system unless it's an older Windows 9x or MS-DOS system

In Handling a Running Computer

Perform a live acquisition if possible

In Processing an Incident or Crime Scene one guidelines is to

Bag and tag the evidence

Define Bag and tag the evidence

An evidence you collect with the current date and time, serial numbers or unique features, and model, with the name of the person who collected it

In Processing an Incident or Crime Scene. Collect document and media related to the investigation like:

Hardware, software, backup media, documentation, manuals

The Drawback in Processing Data Centers with RAID system

It doesn't recover data in free or slack space

Sparse acquisition

Technique for extracting evidence from large systems

Technical advisor

Person guiding you about where to locate data and helping you extract log records


serves as a reference that documents the methods you used to process digital evidence

Goal of Documenting Evidence in the Lab

to be able to reproduce the same results

What should you Run in hashing algorithm on the image files to get a digital hash

MD5 or SHA-1

The ideal media for storing digital evidence

CD-Rs or DVDs with capacity up to 17 GB

CRC (Cyclic Redundancy Check)

mathematical algorithm that determines whether a file's content have changed


translates files into a hexadecimal code value or hash value

hash value

unique hexadecimal value that identifies a file or drive


hashing algorithm to determine whether data in file or storage media has been modified

nonkeyed hash set

A unique hash number generated by a software tool, such as the Linux md5sum command, used to identify files

Keyed hash set

Created by an encryption utility's secret key

In order to obtain digital signature of a file, use

MD5 function in FTK Imager

Useful for validating digital evidence collected from files or storage media

MD5 & SHA-1

If collision is suspected from two different files

do a byte-by-byte comparison to verify byte identical


tools for data transmission

Computer-generated records

data generated by a computer, such as system log files or proxy server logs

Computer-stored records

Digital files generated by a person, such as electronic spreadsheet

4-mm DAT

Magnetic tapes that store 4 GB of data and read, write data slow.

AFIS ( Automated Fingerprint Identification System )

computerized system for identifying fingerprints that is connected to a central database, used to identify criminal suspect

person of Interest

Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of provable cause for search warrant arrest

low-level investigations

Or noncriminal cases

What is the function in acquiring Evidence with AccessData FTK

Extract the image from a bit-stream image file and Analyze the image

To help maintain the chain of custody for digital evidence

Restrict access to lab and evidence storage area

In obtaining a detailed of the location

Get as much information as you can and identify potential hazards

If you can identify the computing system

Estimates the size of the drive on the suspect computer

Professional curiosity can destroy evidence because it

involves police officer and other professional who aren't part o the crime scene processing team

Advantage of nonkeyed hash set

It can identify known files such as exe. programs or viruses that is hidden in changing names

Physical Evidence

digital data that is treated as possible to touch object