Digital evidence
- Can be any information stored or transmitted in digital form
U.S. courts accept digital evidence as
physical evidence
Most federal courts have interpreted computer records as hearsay evidence. Hearsay is __
secondhand or indirect evidence
Business-record exception
- Allows "records of regularly conducted activity," such as business memos, reports, records, or data compilations
Computer records are usually divided into:
- Computer-generated records
- Computer-stored records
To be admitted into court, computer records must be shown to be
authentic and trustworthy
Computer-generated records are considered authentic
If the program that created the output is functioning correctly
When attorneys challenge digital evidence
they raise the issue of whether computer-generated records were altered
or damaged after they were created
One test to prove that computer-stored records are authentic is to demonstrate that
A specific person created the records.
Note:
The author of a Microsoft Word document can be identified by using file metadata
Best evidence
evidence that is a written document, ordinarily the original writing
Federal Rules of Evidence
Allow duplicates instead of original evidence, as long as they are produced by the same impression as the original, by mechanical or electronic re-recording
bit-stream copies of data
The copies can be admitted in court, although they aren't considered best evidence
The bit-stream copies can be admitted in court, even if they aren't considered the best evidence, as long as
data are created and maintained properly
Freedom of Information Act (FOIA)
allows citizens to request copies of public documents created by federal agencies
If a corporate investigator finds that an employee is committing or has committed a crime
The employer can file a criminal complaint with the police
If you discover evidence of a crime during a company policy investigation
Work with the corporate attorney to write an affidavit confirming your findings
probable cause
specifies whether police have the right to make an arrest or conduct a search and seizure
Innocent information
data that doesn't contribute to evidence of a crime or violation
limiting phrase
Allows the police to separate innocent information from evidence
Plain view doctrine
Items in plain view are subject to seizure without a warrant and may be introduced in evidence
Knock and announce
With few exceptions, warrants require that officers knock and announce their identity
when executing a warrant
HAZMAT team
Identifies potentially hazardous materials, such as chemical, biological or radioactive substances that can cause harm.
Extensive-response field kit
portable kit designed to process several computers and a variety of operating systems at a crime scene involving computers
Items in Initial-response field kit
-Computer forensic kit
-Laptop
-Digital camera
-Flashlight
Initial-response field kit
portable kit containing only the minimum tools needed to perform disk acquisition
Goals of securing a computer incident or crime scene:
-Preserve the evidence
-Keep information confidential
Define a secure perimeter
yellow barrier tape that keeps unnecessary people out, in coordination with police officers
Old rule: pull the plug
Don't cut electrical power to a running system unless it's an older Windows 9x or MS-DOS system
In Handling a Running Computer
Perform a live acquisition if possible
In processing an incident or crime scene, one guideline is to
Bag and tag the evidence
Define "bag and tag the evidence"
Label the evidence you collect with the current date and time, serial numbers or unique features, and model, along with the name of the person who collected it
In processing an incident or crime scene, collect documents and media related to the investigation, such as:
Hardware, software, backup media, documentation, manuals
The drawback in processing data centers with RAID systems
It doesn't recover data in free or slack space
Sparse acquisition
Technique for extracting evidence from large systems
Technical advisor
Person guiding you about where to locate data and helping you extract log records
journal
serves as a reference that documents the methods you used to process digital evidence
Goal of Documenting Evidence in the Lab
to be able to reproduce the same results
Which hashing algorithm should you run on the image files to get a digital hash?
MD5 or SHA-1
The ideal media for storing digital evidence
CD-Rs or DVDs with capacity up to 17 GB
CRC (Cyclic Redundancy Check)
mathematical algorithm that determines whether a file's contents have changed
MD5
translates files into a hexadecimal code value or hash value
hash value
unique hexadecimal value that identifies a file or drive
SHA 1
hashing algorithm used to determine whether data in a file or on storage media has been modified
nonkeyed hash set
A unique hash number generated by a software tool, such as the Linux md5sum command, used to identify files
Keyed hash set
Created by an encryption utility's secret key
To obtain the digital signature of a file, use
MD5 function in FTK Imager
Useful for validating digital evidence collected from files or storage media
MD5 & SHA-1
If a collision is suspected between two different files
do a byte-by-byte comparison to verify whether they are byte-identical
sniffing
tools for data transmission
Computer-generated records
data generated by a computer, such as system log files or proxy server logs
Computer-stored records
Digital files generated by a person, such as an electronic spreadsheet
4-mm DAT
Magnetic tapes that store 4 GB of data and read and write data slowly.
AFIS ( Automated Fingerprint Identification System )
computerized system for identifying fingerprints that is connected to a central database, used to identify criminal suspects
person of Interest
Someone who might be a suspect, or someone with additional knowledge who can provide enough evidence of probable cause for a search warrant or arrest
low-level investigations
or noncriminal cases
What is the function in acquiring Evidence with AccessData FTK
Extract the image from a bit-stream image file and analyze the image
To help maintain the chain of custody for digital evidence
Restrict access to lab and evidence storage area
In obtaining a detailed description of the location
Get as much information as you can and identify potential hazards
If you can identify the computing system
estimate the size of the drive on the suspect computer
Professional curiosity can destroy evidence because it
involves police officers and other professionals who aren't part of the crime scene processing team
Advantage of nonkeyed hash set
It can identify known files, such as .exe programs or viruses, that are hidden by changing their names
Physical Evidence
digital data that is treated as a tangible object that can be touched