Post on 18-Dec-2015
Guide to Computer Forensics and Investigations, Second Edition
Chapter 6 Digital Evidence Controls
Guide to Computer Forensics and Investigations, 2e 2
Objectives
• Identify digital evidence
• Secure digital evidence at an incident scene
• Catalog digital evidence
• Store digital evidence
• Obtain a digital hash
Identifying Digital Evidence
• Evidence stored or transmitted in digital form
• Courts treat digital evidence as physical evidence
• Groups that publish handling standards
– Scientific Working Group on Digital Evidence (SWGDE): active law enforcement only
– International Organization on Computer Evidence (IOCE)
Identifying Digital Evidence (continued)
• Working with digital evidence
– Identify potential digital evidence
– Collect, preserve, and document the evidence
– Analyze, identify, and organize the evidence
– Verify that the results can be reproduced
• A systematic job
• Use standardized forms for documentation
Understanding Evidence Rules
• Handle all evidence consistently
• Always apply the same security controls
• Evidence collected for a criminal case can later be used in civil litigation, so handle it to the stricter standard from the start
• Keep current on the latest rulings and directives
– Check the U.S. Department of Justice (DoJ) website
• Check with your attorney on how to handle evidence
Understanding Evidence Rules (continued)
• Bit-stream copies are considered physical evidence
• Other considerations for electronic evidence
– It can be changed more easily than paper evidence
– A duplicate is hard to distinguish from the original, which is why the hash value, not appearance, is used to tell them apart
• Computer records can be hearsay evidence
– Secondhand or indirect evidence: a statement made outside the courtroom and offered to prove its content
– Not admissible in a court trial unless a recognized exception applies
Understanding Evidence Rules (continued)
• Business-record exception to the hearsay rule
– Records must have been created in the regular course of business, at or near the time of the events they record
– Records are original (or an exact copy that qualifies as one)
• Computer records are admissible if they qualify as business records
– Computer-generated records: produced by a program without human input (for example, log files); their reliability rests on the program working correctly
– Computer-stored records: human statements saved on a computer (for example, e-mail or documents); these are the ones the hearsay rule applies to
Understanding Evidence Rules (continued)
• Use known, documented processes and tools when handling evidence
• Printouts qualify as original evidence (best-evidence rule) when they accurately reflect the stored data
• Bit-stream copies also qualify as original evidence
• Present the original evidence when possible; because a verified bit-stream copy qualifies as an original, perform the analysis on the copy and leave the original media untouched
Securing Digital Evidence at an Incident Scene
• What to seize depends on the nature of the case
• Considerations
– Do you need to take the entire computer system?
– Is the computer powered on when you arrive?
– Is the suspect near the area of the computer?
Securing Digital Evidence at an Incident Scene (continued)
• Guidelines
– Create a forensic copy
– Handling a powered-on computer
• Photograph the screen contents first
• Save active data to removable media before shutting down; RAM contents and open network connections are lost the moment the power goes
• Shut down the computer
– Still- and video-record the scene
– Be invisible: leave the scene as you found it apart from the items you collect
Cataloging Digital Evidence
• If the computer is turned off
– Identify the type of computer
– Photograph all cable connections
– Label cables with evidence tags
– Assign one person to collect and log evidence
– Tagging
• Current date and time
• Serial numbers
• Make and model
Cataloging Digital Evidence (continued)
• If the computer is turned off (continued)
– Maintain two separate logs for backup purposes
– Maintain constant control of the evidence collected and of the scene
Cataloging Digital Evidence (continued)
• Additional steps if the computer is turned on
– Record any application data shown on the screens
– Save RAM data to removable media
– Shut down the computer
– Boot from a separate, trusted OS to examine the hard disk, so the suspect's own OS never runs and the disk is never mounted for writing
– Create a bit-stream copy of the suspect's hard disk
– Verify the integrity of the forensic copy by comparing its hash value with the hash of the source
Lab Evidence Considerations
• Transport evidence to your lab
– Ensure the security and integrity of the digital evidence
• Record your activities and findings
• Goal
– Another examiner following your journal can reproduce the same results
• Save your journal for future reference
– At court
– Training
Processing and Handling Digital Evidence
• Create a bit-stream copy
– Use a write-blocking device so nothing is written to the original media during acquisition
• Preserve the image file
• Steps
– Copy all bit-stream images to a large hard disk
– Start the forensics tools
– Check the bit-stream image file's integrity against the hash recorded at acquisition
– Place the original media in an evidence locker
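The acquisition and verification steps on this slide and on the "computer is turned on" slide above, as an added example in Python with hashlib. This is not code from the textbook or from any of the tools it names (DriveSpy, etc.). The source "device" is a constructed random file that the example writes itself so it runs offline; a real acquisition would read the physical drive behind a hardware write blocker, and the record it returns is the kind of information that goes on the evidence custody form.

```python
"""Added example: bit-stream acquisition with hash-while-copy verification.

Assumptions (not from the textbook): the source is an ordinary file standing
in for a block device, the 1 MiB read size, and the record field names.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Tuple

CHUNK = 1 << 20  # 1 MiB read size; large reads keep the copy fast


def hash_file(path: str, chunk: int = CHUNK) -> Tuple[str, str]:
    """Hash a file in chunks (MD5, SHA-256); used before and after analysis."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def acquire_image(source: str, image: str, chunk: int = CHUNK) -> dict:
    """Copy every byte of `source` to `image`, hashing the source stream while
    it is read, then hash the written image independently and compare."""
    src_md5, src_sha = hashlib.md5(), hashlib.sha256()
    started = datetime.now(timezone.utc).isoformat()
    total = 0
    # Opening read-only is only a software precaution; it does not replace a
    # hardware write blocker, which stops the OS itself from touching the media.
    with open(source, "rb") as fin, open(image, "wb") as fout:
        while True:
            block = fin.read(chunk)
            if not block:
                break
            src_md5.update(block)
            src_sha.update(block)
            fout.write(block)
            total += len(block)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image really reached the disk
    img_md5, img_sha = hash_file(image, chunk)
    record = {
        "source": source,
        "image": image,
        "bytes": total,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "source_md5": src_md5.hexdigest(),
        "source_sha256": src_sha.hexdigest(),
        "image_md5": img_md5,
        "image_sha256": img_sha,
    }
    # The image is trustworthy only if it hashes to the same values as the
    # source stream; a mismatch means a read error or a partial copy.
    record["verified"] = (img_md5 == record["source_md5"]
                          and img_sha == record["source_sha256"])
    return record


def verify_image(image: str, record: dict) -> bool:
    """Re-check an image file against the hashes recorded at acquisition."""
    md5, sha = hash_file(image)
    return md5 == record["image_md5"] and sha == record["image_sha256"]


def demo() -> dict:
    """Build a constructed 3 MiB 'device', image it, and verify the image."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "suspect_disk.bin")
    image = os.path.join(workdir, "suspect_disk.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # odd size: the last chunk is partial
    record = acquire_image(source, image)
    record["reverified"] = verify_image(image, record)
    return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing the source stream and the written image separately is what catches a silent write failure: if the two SHA-256 values differ, the image is not a bit-stream copy, however complete it looks.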
Storing Digital Evidence
• Considerations
– How to save it
– What type of media
– Where to store it
– For how long
• Ideal media (the book's recommendation)
– CD-Rs and DVDs
– Optical media have a limited shelf life, so verify stored images periodically against the hash values recorded at acquisition
Storing Digital Evidence (continued)
• Other storage options: magnetic tapes
– 4mm DAT
– DLT
– Super-DLT or SDLT
• Do not rely on only one method
Storing Digital Evidence (continued)
Evidence Retention and Media Storage Needs
• Maintain the chain of custody
– So the evidence can be accepted in court
• Restrict access
– Lab
– Storage area
• When the lab is open
– Supervised by authorized personnel
• When the lab is closed
– Protected by at least two security staff
Evidence Retention and Media Storage Needs (continued)
• Sign-in log for visitors
• Manual log system for evidence storage containers
– Logs should be kept for a period based on legal requirements
• Child pornography material can be retained only by law enforcement agencies
Evidence Retention and Media Storage Needs (continued)
Documenting Evidence
• Create or use an evidence custody form
• Update your form
– Changes in technologies and methods for acquiring data
• Evidence custody form functions
– Identifies the evidence
– Identifies who has handled the evidence
– Lists the dates and times the evidence was handled
Documenting Evidence (continued)
• Optional information
– MD5 hash value (record a SHA-256 value alongside it)
– Customized information
• Use evidence bag labels
– Write on the bag while it is empty, so the pen cannot damage the media inside
• Antistatic bag for electronic components
• Keep an electronic copy of your evidence custody forms
Obtaining a Digital Hash
• Obtain a unique identity for file data: a fixed-length value computed from the file's contents, so that any change to the data produces a different value
• Cyclic Redundancy Check (CRC)
– One of the first methods; CRC-32 is the variant in common use
– An error-detecting checksum, not a cryptographic hash: a matching CRC can be produced deliberately for altered data, so it is unsuitable for proving evidence integrity
• MD5
– Most common algorithm in forensic tools at the time of the book
– A mathematical function that translates a file of any length into a 128-bit value, written as 32 hexadecimal digits
– Practical collision attacks on MD5 are known, so record a SHA-2 hash (for example SHA-256) alongside it
Obtaining a Digital Hash (continued)
• The digital hash changes if even a single bit or byte changes
• Verification process
– Create a hash value before analysis
– Analyze the data
– Create a second hash value afterwards
– Compare the two hash values; a match shows the data was not altered during analysis
• Secure Hash Algorithm (SHA)
– Published by NIST (SHA-1, and the SHA-2 family such as SHA-256)
Obtaining a Digital Hash (continued)
• Digital hashes are like digital fingerprints
• A non-keyed hash set (a list of hash values of known files) can identify known programs, so known-good files can be set aside and known-bad ones flagged regardless of their file names
• A keyed hash (an HMAC) mixes a secret key into the computation and so produces a fingerprint that only the key holder can generate or verify
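Both uses of hash values on this slide, as an added example that is not part of the textbook. The "known file" sets and the files examined are constructed inline so the example runs offline; a real non-keyed set would be loaded from a reference library such as the NIST NSRL, and the HMAC key would be one the examiner keeps off the evidence media. The reading of "keyed hash" as HMAC is this example's assumption.

```python
"""Added example: a non-keyed hash set for identifying known files, and a
keyed hash (HMAC-SHA256) as an examiner-specific fingerprint.

Assumptions (not from the textbook): the constructed reference entries, the
constructed sample files, and the key value.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reference sets: sha256 -> file name. A real set holds millions
# of entries for OS and application files.
KNOWN_GOOD = {sha256_hex(b"MZ\x90\x00 constructed calc.exe image"): "calc.exe"}
KNOWN_BAD = {sha256_hex(b"MZ\x90\x00 constructed dropper"): "dropper.exe"}


def classify(files: dict) -> dict:
    """Map each file name to (known-good | known-bad | unknown, reference name).
    File names are ignored on purpose: renaming a file does not change its hash."""
    result = {}
    for name, data in files.items():
        h = sha256_hex(data)
        if h in KNOWN_BAD:
            result[name] = ("known-bad", KNOWN_BAD[h])
        elif h in KNOWN_GOOD:
            result[name] = ("known-good", KNOWN_GOOD[h])
        else:
            result[name] = ("unknown", None)
    return result


def keyed_fingerprint(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: same data and same key give the same value; without the
    key the value cannot be reproduced, so a third party cannot forge it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_fingerprint(data: bytes, key: bytes, recorded: str) -> bool:
    # Constant-time comparison: does not leak how many leading bytes matched.
    return hmac.compare_digest(keyed_fingerprint(data, key), recorded)


def demo() -> dict:
    files = {  # constructed sample files found on the "evidence" drive
        "calc.exe": b"MZ\x90\x00 constructed calc.exe image",
        "notes.txt": b"MZ\x90\x00 constructed dropper",  # malware under a harmless name
        "report.doc": b"quarterly figures",
    }
    key = b"examiner-key-kept-off-the-evidence-drive"  # assumption
    fp = keyed_fingerprint(files["report.doc"], key)
    return {
        "classified": classify(files),
        "fingerprint_ok": check_fingerprint(files["report.doc"], key, fp),
        "wrong_key_rejected": not check_fingerprint(files["report.doc"], b"other", fp),
        "tamper_rejected": not check_fingerprint(b"quarterly figures!", key, fp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The non-keyed set catches the renamed dropper because the lookup is by content, not name; the keyed fingerprint fails for both a wrong key and a one-character change to the data.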
Obtaining a Digital Hash (continued)
• Example
– Create a file with Notepad
– Obtain its hash value with DriveSpy
– Modify the file
– Recompute its hash value
– Compare the hash values
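The same walkthrough, and the before/after verification process from the previous slide, as an added example using Python's hashlib and zlib instead of Notepad and DriveSpy. It is not the textbook's code. The file contents are constructed, and the example flips a single bit (turning the ASCII digit "2" into "3") to show that the smallest possible change alters every digest, including CRC-32.

```python
"""Added example: hash a file, modify one bit, recompute, compare.

Assumptions (not from the textbook): the constructed file content, the byte
offset chosen for the modification, and the three algorithms shown.
"""
import hashlib
import os
import tempfile
import zlib


def digests(data: bytes) -> dict:
    """CRC-32 (an error-detecting checksum) beside MD5 and SHA-256
    (cryptographic hashes) for the same bytes."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_digests(path: str) -> dict:
    with open(path, "rb") as f:
        return digests(f.read())


def verify(path: str, recorded: dict) -> bool:
    """Recompute after analysis and compare with the values recorded before it."""
    current = file_digests(path)
    return all(current[name] == value for name, value in recorded.items())


def flip_one_bit(path: str, offset: int, bit: int) -> None:
    """The smallest possible modification: one bit of the byte at `offset`."""
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([byte ^ (1 << bit)]))


def walkthrough() -> dict:
    path = os.path.join(tempfile.mkdtemp(prefix="hash-"), "evidence.txt")
    with open(path, "w", newline="") as f:
        f.write("Meeting notes: transfer 250,000 on Friday.\r\n")  # constructed content
    before = file_digests(path)             # step 2: hash before analysis
    untouched = verify(path, before)        # analysis left the file as it was
    flip_one_bit(path, offset=24, bit=0)    # step 3: '2' (0x32) becomes '3' (0x33)
    after = file_digests(path)              # step 4: recompute
    with open(path, "rb") as f:
        content_after = f.read()
    return {
        "before": before,
        "after": after,
        "content_after": content_after,
        "verified_before_change": untouched,
        "verified_after_change": verify(path, before),   # step 5: compare
        "changed": {name: before[name] != after[name] for name in before},
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

A one-bit change that turns 250,000 into 350,000 is invisible in a directory listing (same size, same name) but changes all three values; the difference between CRC-32 and the cryptographic hashes is not whether they detect an accidental change, but whether someone can alter the file on purpose and still match the recorded value.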
Create a File
DriveSpy
Computing Hash Value
Computing Hash Value (continued)
Summary
• Digital evidence
– Information stored or transmitted on electronic or optical media
– Fragile and easy to alter
• Working with digital evidence
– Identify potential evidence
– Collect, preserve, document, analyze, and organize the evidence
Summary (continued)
• Handle evidence consistently, whether the investigation is criminal or civil
• Catalog and document the evidence you find at a crime scene
• Store evidence securely
• Create forensic copies of your evidence and work on the copies
• Use digital hash values (MD5, SHA) to verify evidence integrity
Questions &amp; Discussion