7/27/2019 Test Power Points
1/205
Florida Atlantic University
Information Technology and Operations Management
ISM 4324 Computer Forensics
Course Introduction
and Chapter 1
ISM 4324 Intro and Chapter 1

FOUNDATIONS OF DIGITAL FORENSICS
Chapter 1

Crime
Nearly every crime contains a digital component
Cell Phones
Computer Files
Internet History
Digital Photos
Social Networking (Facebook, Google+, Twitter, etc.)

Crime
Some common crimes are especially heavy in the use of digital technologies
Child Pornography
Hacking
Financial Fraud
Embezzlement
Credit Card Fraud
Money laundering

Digital Evidence
"any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi" (Page 7)

Categories of Computer Systems
Open Systems: PCs, Desktops, or Servers
Communication Systems: Internet (routers, etc.), telephones, wireless access points, internet service provider
Embedded Computer Systems: DVD players, navigation systems, alarm system, car computers

Digital Forensics Awareness
Individuals with no formal training are becoming aware of digital evidence and basic handling requirements
Many of these individuals make incorrect assumptions regarding the handling of evidence and forensic techniques.
Digital Forensics
Relatively new
Constantly changing
Techniques and knowledge learned one year may be obsolete the next

What is Forensics?
Deriving scientific meaning from events and information
Tying events and information together
Searching for hidden details
Investigation with a minimization of damage to evidence

Evidence Exchange
Locard's Exchange Principle
Interaction between two items will create evidence of the interaction
Discussion between two people
Fingerprints on a gun
Visiting a website
Sending an email to another person

FIGURE 1.1 Evidence transfer in the physical and digital dimensions helps investigators establish connections between victims, offenders, and crime scenes.
2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.

Forensic Soundness
Preservation of evidence
Limited possibility of alteration
Able to identify who handled it
Collected in a way generally accepted amongst peers
Able to authenticate the evidence (See page 21)

Chain of Custody
Extremely important in digital forensics
Who handled the evidence and when?
Has the evidence been altered?
Needs to be documented whenever custody of the evidence changes

Evidence Integrity
Proves that the evidence has not been altered
In digital forensics, this is usually achieved through the use of MD5 or SHA1 checksums (digital fingerprint)
Can be used to re-establish chain of custody if it is broken
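Added example (mine, not from the slides or the Casey textbook): a small Python model of the integrity and chain-of-custody ideas above. A constructed byte string stands in for an acquired image; each custody hand-off is logged with the digest observed at that moment, so a later mismatch points at the hand-off where the chain broke. The class and field names, the item id and the handler names are assumptions made for the illustration. The slide names MD5 and SHA1; the example defaults to SHA-256, because MD5 and SHA-1 collisions can now be produced on purpose, but keeps the algorithm as a parameter so digests recorded under the older algorithms can still be re-verified.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for an acquired disk image (not real evidence).
SAMPLE_IMAGE = b"constructed sample image bytes, not real evidence\n" * 64
CHUNK = 4096  # hash in chunks so a multi-gigabyte image never has to fit in memory


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest ("digital fingerprint") of the evidence bytes."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def matches(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Re-verify against a digest recorded earlier (constant-time compare)."""
    return hmac.compare_digest(fingerprint(data, algorithm), expected_hex.lower())


@dataclass
class CustodyEntry:
    when: str        # ISO-8601 timestamp supplied by the handler (assumed format)
    handler: str     # who took custody
    action: str      # acquired / transferred / received / examined
    digest: str      # fingerprint observed at this hand-off


@dataclass
class CustodyLog:
    item_id: str
    algorithm: str = "sha256"
    entries: list = field(default_factory=list)

    def record(self, when: str, handler: str, action: str, data: bytes) -> CustodyEntry:
        """Every custody change gets a dated entry with the digest seen at that moment."""
        entry = CustodyEntry(when, handler, action, fingerprint(data, self.algorithm))
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> bool:
        """True when the bytes still match the digest taken at acquisition (entry 0)."""
        return bool(self.entries) and matches(data, self.entries[0].digest, self.algorithm)

    def first_break(self):
        """Index of the first hand-off whose digest differs from acquisition, or None.
        This is the entry to scrutinise when re-establishing a broken chain."""
        baseline = self.entries[0].digest
        for index, entry in enumerate(self.entries):
            if entry.digest != baseline:
                return index
        return None


def demo() -> dict:
    """Walk an intact chain, then a chain where a later handler altered one byte."""
    log = CustodyLog("ITEM-0001")  # constructed item id
    log.record("2019-07-27T10:00:00Z", "Examiner A", "acquired", SAMPLE_IMAGE)
    log.record("2019-07-27T12:30:00Z", "Examiner B", "received", SAMPLE_IMAGE)
    intact = log.verify(SAMPLE_IMAGE) and log.first_break() is None

    altered = SAMPLE_IMAGE[:-1] + b"X"  # a single changed byte
    log.record("2019-07-28T09:15:00Z", "Examiner C", "received", altered)
    return {"intact_before_change": intact,
            "verifies_after_change": log.verify(altered),
            "first_break": log.first_break()}


if __name__ == "__main__":
    print(demo())
```

The digest taken at acquisition is the reference; every later entry is compared against it rather than against its predecessor, so a chain that was quietly re-based on altered data still shows up.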
Objectivity
Free from bias
Evidence leads to other evidence and is not based on a personal or gut feeling
Peer-review can be used to help ensure objectivity
Use scientific method in writing reports.
Leave out assumptions or beliefs

Repeatability
Another important concept in digital forensics
Observations and investigations must be repeatable to arrive at the same conclusion
Requires good documentation of the steps performed in the investigation

Challenges with Digital Forensics
Digital Forensics practitioners oftentimes have no formal investigative knowledge or training
Digital information is easily altered or deleted, sometimes by accident
Altered or deleted data could lead to an innocent person going to prison or a guilty person going free
Digital evidence is usually circumstantial

Challenges with Digital Forensics
Lawyers, courts, and juries oftentimes don't understand digital evidence very well
Rules and requirements are constantly being created as the legal profession learns more about digital evidence
Lack of standardized skillset for practitioners

Advantages of Digital Evidence
Can be copied without modification
Activities to hide digital evidence leave behind their own digital evidence
Deleted data is often recoverable
Easy to determine if collected data has been altered
Computer Crime Investigations and the Courtroom
Florida Atlantic University
Information Technology and Operations Management
ISM 4324 Computer Forensics
Computer Crime Investigations and The Courtroom. Ch. 2-3

Computer Forensics and the Law
The basis of computer forensics investigations lies in law
Law dictates accepted procedures for investigation, what evidence is relevant, and what crime(s), if any, have been committed
The results of many computer forensics investigations are reported to law enforcement and/or a court

Origin of Computer Crime Law
Florida Computer Crimes Act
Late 70s
Unauthorized access is a crime, regardless of malicious intent
Created in response to an incident at the Flagler Dog Track
Hacking under Florida Law typically falls under this law

Origin of Computer Crime Law (Federal)
Computer Fraud and Abuse Act (CFAA)
Commonly known as the Federal Hacker Statute
Mid 80s
Unauthorized access to a protected computer is a crime
Hacking under Federal Law typically falls under the CFAA

What is Computer Crime?
Crimes that primarily involve the use of computers or digital assets
Crimes against computer systems

What is Digital Evidence?
Chapter 1 Definition
"any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi" (Page 7)
E.g. Digital Pictures, computer files, emails, text messages, etc.

What is Physical Evidence?
Non-digital evidence that can be touched or seen
Hard Drives, gun, broken glass, wrecked car
Handling is different than digital evidence.

Hard Drives as Physical Evidence
The information contained on a hard drive is usually more important than the drive itself
Physical hard drives are treated as physical evidence in order to protect the digital evidence from tampering, and to help ensure that digital evidence is authentic.

Hardware versus Software
Hardware is physical, can be touched. Hard drives, cell phone, monitor, Blu-ray player
Software is logical information. Files, computer programs, etc.

Examination versus Analysis
Examination: Looking at and reviewing collected evidence. Some aspects of this can be automated (searching, string lists)
Analysis: Taking collected evidence and piecing it together to find out what happened or gain an understanding of relevant events. Requires thinking, which usually precludes the use of automation

Department of Justice Computer Evidence Categories
1. Hardware as Contraband or Fruits of Crime
2. Hardware as an Instrumentality
3. Hardware as Evidence
4. Information as Contraband or Fruits of Crime
5. Information as an Instrumentality
6. Information as Evidence

DOJ Evidence Categories
Not mutually exclusive
Evidence can fall into multiple categories

Child Pornography and The Law
Recurring theme in this course
Unlike many computer crimes, possession of the material itself is a violation of the law
Easy to prove as intent is not necessary for conviction
Digital fingerprints are used to track down and find victims (National Center for Missing and Exploited Children)
FIGURE 3.1 Overview of case/incident resolution process.

Expert witness versus a traditional witness
Traditionally, a witness can only give answers to questions that are asked
An expert witness, on the other hand, may give opinions and explain answers
Expert witnesses are called upon due to their expert knowledge or experience within a particular area or field

Role of Expert Witnesses in Court
Help the court come to a conclusion
Give facts and observations
Give unbiased opinion (a right that a regular witness does not have)
Give testimony free from emotion
Give testimony free from conflict-of-interest

Preconceived Theories
Jumping to conclusions may cause the investigator to come to incorrect conclusions
Events that occur may not be what they appear to be, e.g. computer intrusion versus disk corruption
Preconceived theories that are evident in reports may display bias on the part of the investigator

Pre-conceived Theories (Continued)
Essentially, coming up with a theory and using evidence to help that theory rather than the other way around.

Avoiding pre-conceived theories
Everyone creates theories as to what may have happened; it is human nature
Do not rely on theories to solve a case - follow the evidence
Evidence leads to new sources of evidence which should also be investigated.
Do not avoid investigating sources of evidence just because they may not fit a theory.

Legal Judgment Standards
Civil (Money): Preponderance of the evidence. Is the person more likely guilty than not guilty?
Criminal (Prison): Beyond a reasonable doubt. Does the evidence prove that the crime was committed by the accused, or is there another possible reasonable explanation?

Presenting Evidence to Court
As mentioned previously, free from bias and emotion
While technical in nature, processes and procedures need to be explained in such a way that a non-technical person can understand
Use techniques that are generally accepted by the community of your peers. Note: not required, but helpful

Admissibility
Relevance
Authenticity
Not hearsay or admissible hearsay
Best Evidence*
Not unduly prejudicial

Relevance
Does the evidence presented have anything to do with the case or charges?

Authenticity
Is the evidence original or an accurate representation?
For communications, is someone available that can verify that the communications are accurate: recipient of email or person actually involved in the conversation in question

Hearsay
Evidence that is second-hand knowledge
"I heard that Ms. Apple shot John with a gun"
Exception: Business Records

Best Evidence Rule
The most original form of evidence available needs to be used unless a genuine question about its authenticity comes into play
E.g. original hard disks versus copies, original documents versus copies, raw format email versus formatted email messages
Search Warrants
Discussed in depth in Chapter 4
Fourth amendment protection against unreasonable search and seizure.
Requires investigator to convince judge that evidence of a crime will likely be recovered and that a crime has been committed.

Warrantless Search and Seizure
Allowed when:
In plain view
Person gives consent
Person can withdraw consent
And exigency

Exigency
Requiring immediate action
Emergencies involving potential loss of life
Potential for destruction of evidence
Warrant is generally necessary to investigate seized evidence in this case

Questions to Consider before Seizure
Does the fourth amendment or ECPA apply?
Have fourth amendment and ECPA requirements been met?
How long can investigators remain on the scene?
What do investigators need to re-enter?

ECPA
Electronic Communications Privacy Act
Protects stored communications
Public services require a warrant to turn over information to law enforcement; private services do not

Reliability of Evidence
Are systems generating evidence functioning properly and giving expected results?
Is the evidence accurate?
Small possibility of tampering does not affect reliability

Certainty of Evidence
Evidence may require more evidence to reach a conclusion due to evidence being more general than exact
Proxy servers service a lot of clients. A person connecting to a remote server through a proxy server is not identifiable through the remote server logs alone

Certainty of Evidence
If clocks differ, evidence that relies on time might not be reliable without knowing the correct time and the time on the system in question
This is especially true with access logs involving many connections per second or minute
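Added example (mine, not from the slides): the two certainty problems above, a proxy that hides the real client and a server clock that is off, worked through in Python on constructed log lines. The log format, the hostnames, the documentation-range addresses and the 3-minute clock error are all assumptions for the illustration; in a real case the offset comes from comparing the seized system's clock with a trusted time source, and that comparison is itself documented. The server log alone only ever shows the proxy's address. Only after the server timestamps are shifted onto the proxy's clock can the proxy log narrow a hit down to a candidate internal client, and one of the four hits still has two candidates, which is the "more evidence needed" case.

```python
from datetime import datetime, timedelta

# Constructed logs (not from the slides). Timestamps are ISO-8601 with explicit UTC offset.
# The remote web server's clock was found to run 3 minutes FAST when it was examined;
# the proxy's clock is NTP-synchronised and is treated as the reference.
SERVER_CLOCK_OFFSET = timedelta(minutes=3)   # server time minus true time
PROXY_IP = "203.0.113.7"                     # what the remote server sees for every proxied client
REMOTE_HOST = "remote.example"

SERVER_LOG = """\
2019-07-27T14:05:10+00:00 203.0.113.7 GET /admin/export.php 200
2019-07-27T14:05:12+00:00 203.0.113.7 GET /admin/export.php 200
2019-07-27T14:05:13+00:00 203.0.113.7 POST /admin/export.php 200
2019-07-27T14:05:31+00:00 203.0.113.7 GET /admin/export.php 200
2019-07-27T14:06:40+00:00 198.51.100.2 GET /index.html 200
"""

PROXY_LOG = """\
2019-07-27T14:02:09+00:00 10.0.0.5 CONNECT remote.example:443
2019-07-27T14:02:14+00:00 10.0.0.12 CONNECT remote.example:443
2019-07-27T14:02:30+00:00 10.0.0.9 CONNECT remote.example:443
2019-07-27T14:03:40+00:00 10.0.0.5 CONNECT other.example:443
"""


def parse_log(text: str) -> list:
    """Split 'timestamp ip rest...' lines into dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, *rest = line.split()
        events.append({"time": datetime.fromisoformat(stamp), "ip": ip, "detail": " ".join(rest)})
    return events


def normalize(events: list, offset: timedelta) -> list:
    """Shift every timestamp back onto the reference clock (the input list is left untouched)."""
    return [{**e, "time": e["time"] - offset} for e in events]


def correlate(server_events, proxy_events, proxy_ip, host, window: timedelta) -> list:
    """For each server hit that arrived via the proxy, list internal clients whose proxy
    CONNECT to that host falls within +/- window. Several candidates means server log plus
    proxy log still do not single out one person; an empty list usually means the clocks
    were never reconciled."""
    results = []
    for s in server_events:
        if s["ip"] != proxy_ip:
            continue  # direct client: identifiable from the server log alone
        candidates = []
        for p in proxy_events:
            if host not in p["detail"]:
                continue
            if abs((p["time"] - s["time"]).total_seconds()) <= window.total_seconds():
                if p["ip"] not in candidates:
                    candidates.append(p["ip"])
        results.append({"server_time": s["time"], "request": s["detail"], "clients": candidates})
    return results


def candidate_clients(corrected: bool = True, window_seconds: int = 3) -> list:
    """Candidate client lists for the proxied hits, with or without the clock correction."""
    server = parse_log(SERVER_LOG)
    if corrected:
        server = normalize(server, SERVER_CLOCK_OFFSET)
    proxy = parse_log(PROXY_LOG)
    window = timedelta(seconds=window_seconds)
    return [r["clients"] for r in correlate(server, proxy, PROXY_IP, REMOTE_HOST, window)]


if __name__ == "__main__":
    print("uncorrected:", candidate_clients(corrected=False))
    print("corrected:  ", candidate_clients())
```

With the raw timestamps nothing lines up at all; with the correction applied three hits resolve to a single internal address and the fourth still has two candidates, so a further source (workstation artifacts, authentication logs) is needed before naming anyone.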
Circumstantial versus Direct Evidence
Direct Evidence: fact
Circumstantial: suggests facts. Most computer forensics evidence falls into this category

Scientific Evidence
Daubert rule relies on the following:
Theory or technique can be/has been tested
High known or potential rate of error
Theory or technique has been subject to peer review and publication
Theory or technique is generally accepted.
Note: the last two bullet points are no longer required per se due to the Federal Rules of Criminal Procedure

Expert's Report
Walk through investigation
Steps can be repeated with the same results
Report is free from bias or opinions
All supporting evidence documented
Time/date of steps are documented

Report Sections
Introduction or Executive Summary
Evidence Summary
Examination Summary
File System Examination
Forensic Analysis and Findings
Conclusions

Testifying
Voir dire: approved as expert witness. E.g. court recognizes the witness's credentials and knowledge in the field.
Be honest
Be prepared to defend against attacks on your investigative techniques and findings
Ask to review your notes if you need to refer back to something

Florida Atlantic University
Information Technology and Operations Management
ISM 4324 Computer Forensics
Computer Crime Law and Computer Forensics Basics
Computer Crime Law and Computer Forensics Basics

FEDERAL CYBERCRIME LAW
Computer Crime Law

Computer Fraud and Abuse Act
Introduced briefly last week
18 U.S.C. 1030
Mid 80s
Altered several times in light of technological advances

CFAA Continued
Criminalizes:
Unauthorized access to a computer
Disseminating malicious software
Launching denial of service attacks
Trafficking in passwords
Using computers to commit fraud or extortion

CFAA Continued
Targets conduct directed toward protected computers
Computers used exclusively by banks or government
Computers used for interstate commerce
By definition, this applies to any computer connected to the internet
See bullets on pages 86-87 for more info

Authorization
Basically permission
Having the ability to access something is not the same as permission
In computer security, the three terms Access, Authentication, and Authorization are distinct

Access
Capability to take, modify, or read something
Access can exist without authorization (permission)
E.g. Someone accidentally leaves their computer logged in. You may have access to look at files on the computer but lack the permission to do so.

Authentication
Verifying the identity of a person or thing
Can be people
Can be computers
Can be documents or files
Can be testimony

Confidentiality
Whether or not information is kept secret
Affecting the confidentiality of something exposes its contents
E.g. Hacking into a computer system and reading files you shouldn't impairs the confidentiality of those files.

Integrity
Whether or not data is accurate or unchanged
Changing the contents of a file impairs its integrity

Availability
The ability to access data or systems
Denial of service attacks impair the availability of systems or data

Computer
"electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic or storage functions"

Crimes
Crime                Outsider       Insider
Intentional Damage   Felony         Felony
Reckless Damage      Felony         No Crime
Other Damage         Misdemeanor    No Crime
Intent
Mens Rea
What was the intent when causing damage?
Defines Intentional, Reckless and other damage

Intentional Damage
Causing damage that you meant to do
E.g. Take down a website. Destroy files. Modify financial information

Reckless Damage
Causing damage while not meaning to do so, but as a side result. Non-negligent
E.g. Try stealing information and accidentally knock a web site out of commission

Identity Theft
18 U.S.C. 1028
Crime to: "knowingly transfer, possess, or use a means of identification of another person without authorization and with intent to commit, or to aid or abet, any unlawful activity"

Child Pornography
Sexual depictions of minors (under the age of 18)
A large portion of computer forensics involves this kind of crime
Computer forensics can be used to help victims in addition to prosecuting offenders

Child Pornography Law Evolution
1977 Protection of Children against Sexual Exploitation
1996 Child Pornography Protection Act

Protection of Children Against Sexual Exploitation
Outlawed use of real children
In the computer age, real pictures of children could be edited to become new pictures, or computers could generate fictional pictures of children

Child Pornography Protection Act
If only pictures of real images were against the law, a defense arose where an offender could claim that their pictures were not pictures of real children
A new law was passed in 1996 that made the virtual depictions illegal as well

Virtual Child Porn
Originally banned depictions that appeared to be those of children
Found unconstitutional under the first amendment because it banned material that did not involve real children.

Virtual Child Porn
Virtual depictions were re-defined as any media that a person would generally find indistinguishable from real children (revision in 2003)
Did not apply to drawings, cartoons, sculptures or paintings

Virtual Child Porn
Later, obscene child pornography was banned
Visual depictions such as drawings, cartoons, sculptures and paintings that are obscene
Unconstitutional because it did not limit the crime to images of actual minors or constitute obscenity

Obscenity
What does the local community consider obscene
A work-around to the first amendment issues experienced in child pornography laws

Copyright
Original creator owns all rights to a work
Original creator may license those rights
Original creator or licensee may seek monetary damages from those using or distributing copyrighted works without permission
Copyright exists at creation of the material. It does not need to be registered.

Copyright
While copyright exists at creation, registration is required to take a civil action.
Registration is not required for criminal actions
Criminal Copyright Infringement
Remember, Criminal = Jail Time
Used as a way for government agencies to prosecute mass copyright infringement such as counterfeiters

Criminal Copyright Infringement
Illegal if
Purpose is for commercial advantage or personal financial gain
- OR -
Reproducing works with a total retail value of $2500* in a 180-day period
* Note typo in book. $2500 not $1000

Copyright Infringement
2005 pre-release piracy
Copying movies before release
Making movies available to public

First-sale Doctrine
Purchaser of a copyrighted work has the right to transfer or sell that copy to another individual.
What about copies of software versus software licenses?

DMCA
Takedown provision to make ISPs or other service providers remove copyrighted materials upon request
Banned copy-protection circumvention devices

No Electronic Theft Act
Evidence of distribution is not enough to prove willful copyright infringement

CONSTITUTIONAL LAW
Computer Crime Law

Fourth Amendment
Applies to Federal agents, and to state agents
Fourteenth amendment applied many amendments to the states.

Fourth Amendment
Freedom from unreasonable search and seizure
Search and seizure must be performed only with a warrant or under specific exceptions

Search and Seizure
Search: Intrusion into reasonable expectation of privacy
Seizure: Interference with a person's possessions and/or property

Wiretapping (4th Amendment)
Intercepting content of communications
A user often expects privacy in their communications. Physical intrusion is not required to make this an unreasonable search and seizure.

Wiretapping (Fourth Amendment)
Includes network traffic, telephone communications and video transmission
Exceptions:
If monitoring is to troubleshoot problems, monitor communications from an intruder, or the monitoring is by consent

Wiretapping (4th Amendment)
Traffic data, not contents, is also covered
Telephone calls to and from numbers
Web server access logs
Network packet headers

Fifth Amendment
No one can be compelled as a witness against themselves
Does not generally apply to electronic communications because the individual was not forced to make statements (testimony)

Fifth Amendment
Regarding encryption, giving up an encryption key can be considered testimony and can be withheld under the 5th amendment

In-class Discussion
Other amendments

BASIC COMPUTER OPERATIONS
Computer Basics for Investigators
Basic Computer Components
CPU: Central Processing Unit. Performs mathematical calculations and runs programs. Essentially the logic of a computer. Information is lost when the computer is shut down.
Hard Disk: Fixed media that stores programs or data. Most information is left intact when the computer shuts down

Basic Computer Components
RAM: Random Access Memory. Temporary storage space for programs and data. Information is lost when the computer is shut down.
NIC: Network Interface Card. Sends and receives data across a network of computers. Information is lost unless captured in transit

Basic Computer Components
Monitor: Displays pictures and text from a computer. Information is lost if the computer is shut down.
Printer: Outputs data on a variety of media including paper and canvas. Information is lost if power is removed.

Computer Startup Software
BIOS: Basic Input and Output System. Contains information necessary for computer components to communicate with one another, and stores some basic preferences.
POST: Power-on Self Test. Part of the BIOS that checks hardware at system power on to ensure it is operating correctly.

Computer Startup Software
CMOS: Complementary Metal Oxide Silicon. Software that allows the user to modify BIOS configuration information

Representation of Data
Binary: Ones and zeros, representing on and off. Most basic number system. Numbering starts at zero. 0001 = 1, 0011 = 3 = (1x2^1 + 1x2^0)
Hexadecimal: 16 possible values per digit. 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F. 1h = 1, 10h = 16 = (1x16^1 + 0x16^0)

Binary and Hex Practice
Convert the following to Decimal:
Binary: 1101, 111, 1001, 11010111
Hexadecimal: B, 45, C3, 1D5

Data on Disks
Data on disks is stored based on the endianness of the processor.
Little Endian: Places small end of data first. This is used on Windows computers and the AMD64 architecture.
456 would be stored as 654 on a disk
Based on block-size
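Added example (mine, not from the slides): the positional-value algorithm behind the binary and hex conversions, applied to the practice set above, plus the byte layout a little-endian versus big-endian processor writes for one 32-bit value. The function names are my own. On real hardware the unit that gets reversed is the byte rather than the decimal digit, which on_disk_bytes shows using 0x456 as a stand-in for the slide's 456.

```python
import struct

DIGITS = "0123456789ABCDEF"


def to_decimal(text: str, base: int) -> int:
    """Positional expansion: each digit is multiplied by base**position, rightmost
    position 0. Works for binary (base 2), octal (8) and hexadecimal (16)."""
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    value = 0
    for ch in text.strip().upper():
        digit = DIGITS.index(ch)          # ValueError for characters outside 0-9A-F
        if digit >= base:
            raise ValueError(f"digit {ch!r} is not valid in base {base}")
        value = value * base + digit      # shift earlier digits one place left, add this one
    return value


def expansion(text: str, base: int) -> str:
    """Write out the sum the way the slide does, e.g. '1x2^1 + 1x2^0 = 3'."""
    text = text.strip().upper()
    top = len(text) - 1
    terms = " + ".join(f"{DIGITS.index(ch)}x{base}^{top - i}" for i, ch in enumerate(text))
    return f"{terms} = {to_decimal(text, base)}"


def practice_answers() -> dict:
    """The slide's practice set, converted with to_decimal."""
    binary = ["1101", "111", "1001", "11010111"]
    hexes = ["B", "45", "C3", "1D5"]
    return {"binary": {b: to_decimal(b, 2) for b in binary},
            "hex": {h: to_decimal(h, 16) for h in hexes}}


def on_disk_bytes(value: int, little_endian: bool = True) -> str:
    """Hex dump of a 32-bit unsigned integer as it would be laid out in storage.
    Little-endian (x86/AMD64, hence Windows on that hardware) writes the least
    significant byte first; big-endian writes the most significant byte first."""
    packed = struct.pack("<I" if little_endian else ">I", value)
    return " ".join(f"{b:02X}" for b in packed)


if __name__ == "__main__":
    print(expansion("1101", 2))
    print(practice_answers())
    print("0x456 little-endian:", on_disk_bytes(0x456),
          "| big-endian:", on_disk_bytes(0x456, little_endian=False))
```

When reading a raw hex dump of a disk image, the on_disk_bytes output is what a 32-bit field such as a sector count or file size looks like, which is why a value that looks "backwards" in a dump is usually an endianness artifact rather than corruption.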
File Formats and Carving
Files typically have a distinctive header and sometimes footer.
These headers and footers can be used to determine the type of file without relying on an extension
Because of this, we can recover deleted data from a hard disk and view it regardless of whether we know the filename

File Formats and Carving
These headers and footers are commonly referred to as the "magic numbers" of a file type.
Example from book: JPEG images start with FF D8 FF E0 or FF D8 FF E1 and have a footer of FF D9.

Example File Contents

Disk Organization
Typically comprised of many sectors of 512 bytes.
A newer common sector size is 4096 bytes to support larger hard drives such as 3TB disks. The larger sector organization is called Advanced Format

Disk Organization
Sectors are grouped together by the file system in groups called clusters (Windows) or blocks (Unix, Linux and Mac)
File systems are the logical way that an operating system organizes data on a disk, while sectors are used at a physical level.

Data Hiding and Organization
Data can be hidden on a disk
Deleted
Partially overwritten
Corrupted
Hidden in other files
Encrypted

Data Carving
Magic numbers are used by forensics tools to recover files from deleted areas of a hard disk or image and classify data that is found.
Disk fragmentation causes issues with data carving, but that will be covered later.
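Added example (mine, not from the slides or any forensics product): a minimal header/footer carver in Python that searches a constructed 16-sector image for the JPEG magic numbers quoted from the book, reads forward to the FF D9 footer, and reports a header with no footer within a size cap as incomplete, which is what a partially overwritten file looks like. The sector size, the cap and the placeholder payloads are assumptions. It checks only sector-aligned offsets, since files begin on a cluster (hence sector) boundary, and it assumes files are contiguous; the fragmentation problem the slide defers is exactly where this simple approach breaks down.

```python
SECTOR = 512                       # classic sector size from the Disk Organization slide
JPEG_HEADERS = (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1")   # magic numbers quoted from the book
JPEG_FOOTER = b"\xff\xd9"
MAX_CARVE = SECTOR * 8             # give up on a header if no footer appears within this many bytes


def build_sample_image() -> bytes:
    """Constructed 16-sector 'disk image': two complete fake JPEGs and one header with no
    footer. The payload strings are placeholders, not real image data."""
    image = bytearray(SECTOR * 16)
    complete_small = JPEG_HEADERS[0] + b"JFIF-constructed-1" + JPEG_FOOTER        # 24 bytes
    complete_large = JPEG_HEADERS[1] + b"Exif-constructed-2" * 40 + JPEG_FOOTER   # 726 bytes, crosses a sector boundary
    truncated = JPEG_HEADERS[0] + b"no-footer-here"                               # partially overwritten file
    for sector, blob in ((2, complete_small), (5, complete_large), (12, truncated)):
        start = sector * SECTOR
        image[start:start + len(blob)] = blob
    return bytes(image)


def carve_jpegs(image: bytes, sector: int = SECTOR, max_carve: int = MAX_CARVE) -> list:
    """Header/footer carving: look for a JPEG header at every sector boundary, then scan
    forward for the footer. Assumes the file is stored contiguously; a fragmented file
    will carve as garbage or as truncated."""
    found = []
    for offset in range(0, len(image), sector):
        if not image.startswith(JPEG_HEADERS, offset):
            continue
        end = image.find(JPEG_FOOTER, offset + 4, offset + max_carve)
        if end == -1:
            # header without footer: keep what is there, flag it so the report says so
            found.append({"sector": offset // sector, "offset": offset, "complete": False,
                          "size": None, "data": image[offset:offset + max_carve]})
        else:
            found.append({"sector": offset // sector, "offset": offset, "complete": True,
                          "size": end + 2 - offset, "data": image[offset:end + 2]})
    return found


def summarize(results: list) -> list:
    """(sector, size, complete) triples: the fields an examiner would put in the report."""
    return [(r["sector"], r["size"], r["complete"]) for r in results]


if __name__ == "__main__":
    for line in summarize(carve_jpegs(build_sample_image())):
        print(line)
```

The carved bytes keep their starting offset, so each recovered file can be tied back to a specific sector in the report and re-carved by anyone repeating the examination, which is the repeatability requirement from earlier in the deck.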
7/27/2019 Test Power Points
118/205
Computer Crime Law and Computer Forensics Basics
Storage Media
Some varieties of storage media currently inuse today include:
Hard drives Rigid material with magneticcoating
USB Flash Drives rewritable flash memory
CD/DVD/BD Recordable and sometimes
rewritable optical media read with a red orblue laser.
7/27/2019 Test Power Points
119/205
Computer Crime Law and Computer Forensics Basics
Solid State Drives
A relatively new medium has come out in the last few years: the solid state drive (SSD).
These drives use rewritable flash memory like USB thumb drives and, like USB thumb drives, have a limited number of times data can be written to each location.
Mid-2011 drives can only write to the same location around 5,000 times before that part of the flash loses the ability to store data reliably.
Solid State Drives Continued
To combat this, SSDs use wear leveling: the drive's controller maps logical block addresses to physical flash pages and steers each write to a less-used area of the flash, so a user does not end up with the beginning of the drive worn out while the rest is relatively unused. A consequence is that overwriting a logical block usually does not overwrite the physical page that held the old data; that page is marked stale and erased later by the drive's own garbage collection.
SSDs continued
This presents some challenges for forensics when trying to recover data; however, some previously overwritten data can sometimes be recovered from the unmapped portions of the flash using utilities provided by the drive manufacturer. Accessing this data is often not possible with general forensic tools because the drive's access mechanisms are proprietary. Because garbage collection runs inside the drive, stale data can also be erased on the drive's own schedule, even while it is attached through a write blocker.
FIGURE 15.4 Magnetic patterns on a hard disk as seen through a magnetic force microscope. Peaks indicate a one (1) and troughs signify a zero (0). Image from http://www.ntmdt.ru/applicationnotes/MFM/ (reproduced with permission). © 2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
Hidden Data Areas on Drives
Two areas of a disk that are generally not accessible to disk copying tools are the Device Configuration Overlay (DCO) and the Host Protected Area (HPA).
The DCO lets a drive report a smaller capacity and feature set than it physically has; the sectors above the reported capacity are hidden from the host.
The HPA is a portion of the disk hidden from the operating system, originally intended for diagnostic or recovery software.
Both are ATA features. An imaging tool that does not check for and temporarily remove them captures only the visible part of the drive, so the image is smaller than the drive. On Linux, hdparm -N reports whether an HPA is set and hdparm --dco-identify reports the DCO settings; check both and record them before imaging.
Track 0
The first track on a hard disk can hold information about bad sectors. Bad sectors can be hiding data that may need to be recovered. This information concerns sectors marked bad by the drive itself, not by the operating system.
Disks have a number of spare sectors built in that can be remapped in place of bad ones when necessary. The operating system knows nothing about this remapping, so a sector the drive has retired may still hold readable data that an ordinary image will not contain.
Disk Organization
Master Boot Record (MBR)
The first sector (sector 0) of the disk; it ends with the signature 55 AA
Tells the computer how to boot the system (the first 446 bytes hold boot code)
Stores the partition table: four 16-byte entries describing where each partition starts and how many sectors it spans
Also tells the system where the operating system is located (the entry flagged as active/bootable)
FIGURE 15.6 Simplified depiction of disk structure with two partitions, each containing a FAT formatted volume. © 2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
File Systems
In this class, we are primarily interested in Windows file systems:
FAT32: simple file system usually used by removable devices
NTFS: used by Windows; has many features such as permissions, encryption and compression
Both of these use clusters (groups of sectors) as the allocation unit
Disk Partitions in Windows
Formatting
Formatting a drive does not delete the data on the drive; it just marks the space as free so it can be reused. Imaging a formatted drive can recover almost all of the information that was present on the drive. This holds for a quick format; a full format on Windows Vista and later writes zeros over the whole volume, which does destroy the previous contents.
FIGURE 15.7 Prior folder structure recovered from a reformatted NTFS volume. © 2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
Boot Sector
The first portion of a volume or partition is the boot sector.
This sector stores information about the volume, such as where the copies of the file allocation table are in the FAT file system, or where the Master File Table (MFT) is located in the NTFS file system.
Volume Slack
A file system may not take up the entire partition it is written to. The space after the end of the file system but still inside the partition is called volume slack.
This area may hold information left over from a previous installation.
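An added example, not code from the course or the textbook, that ties the last four slides together: it reads the MBR partition table, follows a partition to its FAT32 boot sector, uses the BIOS Parameter Block to locate the FATs and the data region (the cluster-to-sector mapping), and then measures the volume slack as the difference between the partition size in the MBR and the volume size the boot sector claims. The disk image and all its numbers are constructed inline.

```python
"""Walk an MBR partition table into a FAT32 boot sector and measure the volume slack.

Added example, not code from the course or the textbook. Field offsets follow
the MBR and FAT32 BPB on-disk layouts; the disk image and its numbers are
constructed inline below.
"""
import struct

SECTOR = 512
FAT32_TYPES = {0x0B, 0x0C}   # FAT32 CHS / FAT32 LBA partition type codes


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA signature: not an MBR")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "num_sectors": count})
    return parts


def parse_fat32_boot_sector(bs: bytes) -> dict:
    """Pull the BPB fields that locate the FATs and the data region."""
    if bs[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA signature: not a boot sector")
    bytes_per_sector, sectors_per_cluster, reserved, num_fats = struct.unpack_from("<HBHB", bs, 11)
    total16 = struct.unpack_from("<H", bs, 19)[0]
    total32 = struct.unpack_from("<I", bs, 32)[0]
    sectors_per_fat = struct.unpack_from("<I", bs, 36)[0]
    root_cluster = struct.unpack_from("<I", bs, 44)[0]
    data_start = reserved + num_fats * sectors_per_fat   # in sectors, relative to the volume
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "reserved": reserved, "num_fats": num_fats, "sectors_per_fat": sectors_per_fat,
            "total_sectors": total16 or total32, "root_cluster": root_cluster,
            "fat_start": reserved, "data_start": data_start}


def cluster_to_lba(part: dict, fs: dict, cluster: int) -> int:
    """Absolute disk sector of a data cluster (FAT clusters are numbered from 2)."""
    return part["lba_start"] + fs["data_start"] + (cluster - 2) * fs["sectors_per_cluster"]


def analyze(image: bytes) -> list:
    """For each FAT32 partition: boot sector fields, volume slack size and a peek at it."""
    report = []
    for p in parse_mbr(image[:SECTOR]):
        if p["type"] not in FAT32_TYPES:
            continue
        start = p["lba_start"] * SECTOR
        fs = parse_fat32_boot_sector(image[start:start + SECTOR])
        slack_sectors = p["num_sectors"] - fs["total_sectors"]
        slack_off = (p["lba_start"] + fs["total_sectors"]) * SECTOR
        report.append({"partition": p, "fs": fs, "volume_slack_sectors": slack_sectors,
                       "volume_slack_peek": image[slack_off:slack_off + 32].rstrip(b"\x00")})
    return report


def build_sample_disk() -> bytes:
    """Constructed image: one bootable FAT32 partition of 8192 sectors at LBA 2048
    whose file system claims only 8000 sectors, leaving 192 sectors of volume slack."""
    disk = bytearray((2048 + 8192) * SECTOR)
    struct.pack_into("<B3xB3xII", disk, 446, 0x80, 0x0C, 2048, 8192)
    disk[510:512] = b"\x55\xaa"
    bs = 2048 * SECTOR
    disk[bs:bs + 3] = b"\xeb\x58\x90"                        # jump instruction
    disk[bs + 3:bs + 11] = b"MSWIN4.1"                        # OEM name
    struct.pack_into("<HBHB", disk, bs + 11, 512, 8, 32, 2)  # bytes/sector, sectors/cluster, reserved, FAT count
    struct.pack_into("<I", disk, bs + 32, 8000)               # total sectors (32-bit field)
    struct.pack_into("<I", disk, bs + 36, 63)                 # sectors per FAT
    struct.pack_into("<I", disk, bs + 44, 2)                  # root directory cluster
    disk[bs + 510:bs + 512] = b"\x55\xaa"
    leftover = b"leftover from a previous install"           # planted in the volume slack
    off = (2048 + 8000) * SECTOR
    disk[off:off + len(leftover)] = leftover
    return bytes(disk)


if __name__ == "__main__":
    for entry in analyze(build_sample_disk()):
        print(entry["partition"], entry["volume_slack_sectors"], entry["volume_slack_peek"])
```

The slack calculation is the check a practitioner wants: a file-system-level tool stops at total_sectors, so anything between there and the end of the partition is only visible in a physical image of the whole disk.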
Swap Partition or Swap File
Many operating systems use temporary storage space on disk to hold the contents of system memory on a temporary basis.
In Windows, this is the page file (pagefile.sys), often called the swap file.
The swap file may contain additional data that is useful for forensics, but it is not stored in a standard file format; its contents look like memory structures, so it is usually searched with string and signature searches rather than parsed.
File Hiding
Files can be renamed (for example given a misleading extension)
Files can be appended to other files
Files can be encrypted
Files can be contained in other files such as zip files
Files can be stored in Alternate Data Streams (ADS)
Alternate Data Streams
Alternate Data Streams are a feature of NTFS where a separate piece of data can be stored under an existing file name, in a named stream that Explorer and most tools do not display.
Example: cmd.exe holds its executable data in its main (unnamed) stream. A second piece of data can be associated with this file, possibly containing contraband, addressed as cmd.exe:hidden.txt. On Windows, dir /r lists named streams and PowerShell's Get-Item -Stream * enumerates them; copying the file to a non-NTFS volume silently drops the streams.
Florida Atlantic University
Information Technology and Operations Management
Chapter 6 Conducting Investigations
Process Models
Many different process models for performing forensic investigations exist.
These differ, but what is actually done in a forensic investigation is largely the same; the difference is how different individuals describe the major pieces of the process.
What are these used for?
Creating or using a process model helps you write your own procedures, or focus on certain areas to make improvements or potential documentation changes.
Applying the Scientific Method
The scientific method should be used in any model.
Using the scientific method, an examiner looks at and analyzes all relevant information, not just information that fits any preconceived notions.
Discipline and consistency
Applying the Scientific Method
Observation
Hypothesis
Prediction
Experimentation/Testing
Conclusion
Observation
An event occurs that requires investigation.
System administrators tell you that a system was hacked.
An office worker tells you they saw child pornography on a system.
Someone commits a murder, and their computer is available.
Hypothesis
What happened, based on the current facts?
This is a working theory, not a guess.
If a computer was compromising other computers, a hypothesis may be: "System A was compromised and was used to attack other machines."
Look at the middle of page 205 for hypothesis examples
Hypothesis
Create many hypotheses
Think about all of the likely events that might have happened.
Prediction
Based on the hypothesis, where is relevant evidence potentially located?
For a hacker:
Intrusion prevention logs
Firewall logs
Running processes
System events
User profile
Testing
Testing of one or more hypotheses using the collected evidence.
Does the collected evidence concur with your hypothesis, or does it show that something else might have occurred (alternate explanations)?
Conclusions
Can you determine what happened based on the previous steps?
Does the evidence support the hypothesis, falsify the hypothesis, or is it inconclusive?
Reporting and Testimony
Reports should contain all important details
The methods and procedures used should be documented and explained
Evidence should be described
Show any alternative theories that were tested
Chapter 8 - 9
Florida Atlantic University
Information Technology and Operations Management
ISM 4324 Investigative Reconstruction and Motive
Investigative Reconstruction
Reconstruct the incident based on the evidence collected
What happened, when, in what order, and why
Oftentimes, questions are still left unanswered.
Locard's Exchange Principle
Remember from Chapter 1
When two things come into contact, evidence of that contact is created
Fingerprints on a gun, internet history from browsing a website, email in Sent Items when an email is sent
Behavioral Imprints
Inference from behavior or evidence
Points to who did what, and possibly when or why
Can be used to discover modus operandi, information about the crime scene, information about the victim, and motivation
Modus Operandi
Method of operation
Behavior of the criminal
E.g. always uses Firefox, always checks reddit, always deletes internet history, etc.
Any unique or unusual characteristics that are indicative of a particular individual
Modus Operandi
Some intruders use special toolkits
E.g. customized software used for controllinga system
Investigative Reconstruction
Can help:
Develop an understanding of case facts and relations
Expose important features
Find hidden evidence
Anticipate the intruder's or attacker's next actions
Link related crimes
Augment case presentation in court
Investigators Duty
Remember: the investigator's duty is to report scientific fact, not to make judgments about guilt or innocence
Judgments are left up to courts and juries based on circumstances and facts
Remain objective
Investigators Duty
Concentrate on the evidence and not the suspect
"This finding is consistent with ..."
"The files found on the suspect's computer were last accessed at ..."
Note: not "the suspect accessed the files"
Investigators Duty
It is easy to become emotional and make your own judgments. Avoid letting these feelings affect your investigation, reconstruction and reporting as much as possible.
Remember, digital evidence is usually circumstantial; there could be an explanation that absolves the accused
Equivocal Forensic Analysis
Evaluate all evidence objectively, and independently of the interpretations of others, to find its true meaning.
Assume nothing
Play devil's advocate to help identify other possibilities for interpreting the evidence.
Page 259
Corpus Delicti
"Body of the crime"
Essential facts that show that a crime has been committed
E.g. murder: a body; computer hacking: a compromised computer or security logs
Corpus Delicti
Even if there is enough evidence to show that a crime occurred, there might not be enough evidence to show who did it, or to determine whether there were any related crimes.
Equivocal Forensic Analysis
Used to ensure that conclusions are accurate
Incorrect conclusions can be detrimental to the investigator's career, or to the liberty and/or life of an accused individual
Likewise, they can cause a guilty person to go free.
Equivocal Forensic Analysis
Can show mistakes in processing digital evidence
Also allows the investigator to become more intimate with the evidence in a case, and to respond to questions in court far better than if only a basic analysis was performed.
Equivocal Forensic Analysis
Should include more than just digital evidence:
Statements
Crime scene photos
Police reports
Background information
Maps and drawings
Reconstruction
Three categories of analysis:
Temporal: when
Relational: who, what, where
Functional: how
Temporal Analysis
Chronological list of when events happened
8:13 Web server was attacked
10:33 Web server started sending out spam
15:21 Investigators notified
Temporal Analysis
Alternatively, a histogram can be used
It can identify periods of high activity on a system, or unusual fluctuations that warrant some investigation. Before sorting anything, every timestamp must be brought to one clock: logs from different sources carry different time zones, and some (classic syslog) carry no year or zone at all.
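An added example, not code from the course or the textbook, of the two temporal views on the previous slides: it takes log lines from three sources (an Apache access log with an explicit offset, classic syslog with neither year nor zone, and a UTC ticket entry), normalises all of them to UTC, sorts them into the chronological list, and then buckets them into an hourly histogram. The log lines are constructed; the syslog year and the server's local timezone are assumptions passed in explicitly. Unparseable lines are kept aside rather than dropped, so a timeline never silently loses records.

```python
"""Build a UTC-normalised timeline and an hourly activity histogram from mixed logs.

Added example, not code from the course or the textbook. The log lines are
constructed; the syslog year and the server's local timezone are assumptions
given explicitly because classic syslog timestamps carry neither.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=-4))   # assumed: server clock was on US Eastern Daylight Time
SYSLOG_YEAR = 2019                          # assumed: year the syslog lines were written

APACHE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
SYSLOG = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$')
ISO_Z = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<msg>.*)$')


def parse_line(line: str):
    """Return (utc datetime, source, summary) or None if no parser recognises the line."""
    m = APACHE.match(line)
    if m:   # Apache timestamp carries its own offset, e.g. -0400
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        return ts, "apache", f'{m["ip"]} {m["req"]} -> {m["status"]}'
    m = SYSLOG.match(line)
    if m:   # no year, no zone: supply both, then convert
        naive = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ts = naive.replace(year=SYSLOG_YEAR, tzinfo=LOCAL_TZ).astimezone(timezone.utc)
        return ts, "syslog", f'{m["host"]} {m["msg"]}'
    m = ISO_Z.match(line)
    if m:   # already UTC
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return ts, "ticket", m["msg"]
    return None


def build_timeline(lines):
    """Sort recognised events chronologically; keep unparsed lines so they are not silently dropped."""
    events, unparsed = [], []
    for line in lines:
        parsed = parse_line(line)
        (events if parsed else unparsed).append(parsed or line)
    events.sort(key=lambda e: e[0])
    return events, unparsed


def hourly_histogram(events) -> Counter:
    """Count events per UTC hour; spikes or gaps here point at where to look next."""
    return Counter(e[0].strftime("%Y-%m-%d %H:00Z") for e in events)


SAMPLE_LOGS = [   # constructed; deliberately out of order across sources
    '2019-03-14T19:21:40Z ticket: investigators notified by helpdesk',
    'Mar 14 10:33:15 web01 postfix/smtp[2231]: to=<a@example.net>, status=sent',
    'Mar 14 10:35:02 web01 postfix/smtp[2231]: to=<b@example.net>, status=sent',
    '203.0.113.7 - - [14/Mar/2019:08:13:02 -0400] "POST /upload.php HTTP/1.1" 200 512',
    'Mar 14 10:37:48 web01 postfix/smtp[2231]: to=<c@example.net>, status=sent',
    'Mar 14 10:39:11 web01 postfix/smtp[2231]: to=<d@example.net>, status=sent',
    'Mar 14 10:41:59 web01 postfix/smtp[2231]: to=<e@example.net>, status=sent',
    'this line has no timestamp and must not vanish silently',
]

if __name__ == "__main__":
    events, unparsed = build_timeline(SAMPLE_LOGS)
    for ts, src, summary in events:
        print(ts.isoformat(), src, summary)
    print(dict(hourly_histogram(events)), "unparsed:", len(unparsed))
```

The sorted output reproduces the order on the slide (web request, then the burst of outbound mail, then the notification) once everything is on the UTC clock; with the local-time assumption wrong by even an hour, the histogram peak would land in the wrong bucket, which is why the assumed offset and year are stated in the code rather than buried in it.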
Relational Analysis
Associations between objects or people
Computer 1 was compromised. Computer 1 attacked Computer 2. Malicious software was installed on Computer 2 from Computer 1.
John was logged into Computer 1 at the time of the attack. A video camera showed John at the computer during the time in question.
FIGURE 8.1 Conceptual view of timeline and relational reconstructions. © 2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 8.2 Diagram depicting intruder gaining access to accounting server. © 2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
Relational Analysis
Don't go too deep in a relational analysis.
Relationships are easy to find, but some may not be relevant to the case
Use your own judgment when deciding which relationships to analyze
Functional Analysis
How?
What conditions were necessary for the aspects of this crime to be possible?
Compromised web server: connected to the internet and has a vulnerability of some sort.
Functional Analysis
Child pornography found on a server
Is the server's storage even accessible to others?
If not, does the server have a monitor hooked up, or does it use a serial console only?
Functional Analysis
Consider all possible explanations that could have occurred given the state of the systems or digital devices
If the obvious explanation does not make sense, are there any non-obvious explanations that could make sense?
Victimology
The investigation and study of victim characteristics
Why was the victim chosen?
What risks did the attacker have to take to affect the victim?
What is the link between the victim and the offender?
Threshold Assessment
Preliminary findings
Basic analysis to provide investigative direction
What appears to have happened, and how serious is it?
Page 273
Modus Operandi
Remember: Method of Operation (MO)
Serves one or more of these purposes:
Protects the offender's identity
Ensures successful completion of the crime
Facilitates the offender's escape
Technology and the MO
Technology can be used in new ways to commit the following:
Selecting a victim (search engine, Facebook, Google+)
Keeping tabs on a victim
Contacting a potential victim
Locating illicit materials
Stalking / harassing
Motive
Why an offender commits a crime.
Florida Atlantic University
Information Technology and Operations Management
ISM 4324 Handling Crime Scenes
FIGURE 7.1 Relationship between physical and digital crime scenes. © 2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
Digital Crime Scenes
Many different pieces of digital evidence may be found, including:
Digital photos
Documents
Specialized software used to hide data
Effective Handling of Evidence
Very important
Every step an investigator takes has the potential to destroy or alter evidence
Failure to handle a scene properly can cause evidence to be missed, destroyed, or even misinterpreted.
Protocols and guidelines should be followed to minimize these risks
Published Guidelines
Department of Justice
Electronic Crime Scene Investigation: A Guide for First Responders (USDOJ, 2001)
Secret Service
Best Practices for Seizing Electronic Evidence: A Pocket Guide for First Responders (USSS, 2006)
Published Guidelines
Association of Chief Police Officers (UK)
The Good Practice Guide for Computer-Based Evidence (ACPO, 2009)
This particular set of guidelines provides a lot of guidance and structure, but parts of it are more applicable to crimes in the U.K.
Published Guidelines as SOP
These guidelines and others can be used to create a Standard Operating Procedure (SOP), or used as an SOP themselves.
There may be parts of these documents that do not apply to your own circumstances. In these cases, the documents can be used as a baseline for revision.
Curiosity and Destruction of Evidence
It may be tempting to try to discover exactly what happened before preserving evidence.
This can, in itself, destroy evidence, particularly evidence that has been deleted or that exists only in memory.
This does not mean you should immediately preserve before doing any verification, however.
Preserving Evidence High-level
Verify that a crime or policy violation has occurred! (Note: for non-law-enforcement investigators)
Once initial verification is complete, and if you have decided to pursue the case, preserve everything in order of volatility
Make copies of the evidence, verify the copies (hash values) and begin your examination and analysis on the copies
ACPO Principles
Bottom of page 232
No action taken should change data that may later be relied upon in court
If original data must be accessed, the person doing so must be competent and able to explain their actions
An audit trail of everything done to the evidence must be created and preserved, so that a third party could repeat the process and reach the same result
The person in charge of the investigation is responsible for ensuring that the law and these principles are followed
ACPO Principles
An investigator should strive to meet these principles.
However, it is not always possible to fully comply with them (collecting volatile memory necessarily changes the running system).
Good documentation is essential for any action that alters, damages or destroys evidence.
Authorization
Remember the Fourth Amendment discussed previously, dealing with search and seizure.
If you are a government investigator, be certain that searches do not violate this constitutional protection, or the evidence collected may be ruled inadmissible in court.
Authorization
Privacy laws
ECPA (Electronic Communications Privacy Act)
Be sure the search does not violate this federal law.
It applies to non-governmental investigators as well.
Authorization
For internal investigations, get authorization from your organization's attorneys.
Company policy may dictate whether evidence can be collected.
Authorization
Law enforcement
In general, always obtain a search warrant if there is any question as to whether one is required under the Fourth Amendment, unless action must be taken quickly to preserve certain evidence.
Better safe than sorry: the consequence is inadmissibility of the evidence needed to determine guilt or innocence.
Search Warrants
Must specifically describe the types of evidence to be collected
Must establish probable cause
Specific types of evidence include: computer files related to X, digital pictures, electronic storage media, mobile devices
Should not be vague
Separation of Evidence
Collected evidence may contain incriminating evidence about other people or activities outside the scope of the warrant.
One way to ensure impartiality and protect privacy is to separate the evidence examination from the analysis and have two different people perform these tasks.
Preparing to Seize Evidence
It is advisable to obtain as much information as possible beforehand
Details about the environment
If this is a company: what forensics software is in use? What operating systems? What is the network topology? Where are files stored?
Preparing to Seize Evidence
Another question to answer is how advanced the attack or violation appears to be.
If an attacker or suspect is more skilled than the investigator, it is easy for the attacker or suspect to hide their tracks from the investigator.
In these cases, it is advisable to seek additional help from a more skilled investigator.
Preparing to Seize Evidence
You can also talk to potential witnesses or the person who found the evidence that led to the concern.
Try to come up with questions you may wish to ask ahead of time, and keep those as part of your SOP.
Surveying the Scene
Some items may be hard to find: phones, small memory cards, home theater PCs, unmarked CD-ROM discs
Typically you are only allowed to preserve evidence related to the crime
Photograph and document everything prior to seizure.
This helps if you are asked to describe the scene in court
Preserving the Scene
Order of Volatility
Some evidence is more easily lost or destroyed than other evidence. Evidence that may be relevant to the case should be preserved in order from most easily lost to least easily lost.
Preserving the Scene
Prevent others from touching the electronics
Collect network traffic
Collect memory contents
Collect process state
Collect hard disks
Document the scene in writing, pictures andsketches
Controlling Entry
Locked Doors
Crime scene tape
Guards or others to keep people away
Isolate wireless signals or network access ifpossible
Preserving Evidence
May require help from system administrator
Collect Logs
Find file shares
Access backups
Bypass encryption
Unlock computer
Preserving Hard Drive Data
Remove the power cable from the back of the computer rather than shutting down normally
Keeps temporary files intact (a normal shutdown may delete them)
Keeps the page file, the on-disk copy of memory, intact
Keeps process-related information already written to disk intact
Minimizes the potential for the system to overwrite deleted data
Caveat: everything in RAM is lost the instant power is removed, so if memory, network connections or running processes matter (see Order of Volatility), collect them first. If the disk is protected by full-disk encryption, pulling the plug can leave you with an image you cannot read without the key.