Computer Related Evidence &
What is this computer geek going to do now that I have done all the hard work?

Rules We Live By And So Should You
- Never Alter the Original Media!
- Findings MUST be Verifiable!
- Findings MUST be Reproducible!

PROCEDURES
What your examiners can do for and with you.
- Assist Preparing the Search Warrant.
- Service of the Search Warrant.
- Gathering the Computer Related Evidence (CRE).*
- Image and Archive.*
- Store and Secure Computer Related Evidence.
- Examine.*
- Review Findings with you.*
- Complete a Report in the Format You Need.*
- Prosecutor and Defense Interviews about the computer related evidence.
- Testify.
- Dispose / Clean Evidence.*

What We Will Not Do
- Take Over Your Investigation!

Gathering Evidence
- Securing
- Turning off
- Documenting
- Marking
- Transporting

Imaging and Archives
- We work from an Image of the Suspect media.
- Copy is stored on CD-R or Tape.

Examine
- See The Rule We Live By.
- Work from the copy with a variety of tools.
- You have to tell us what is going on.

Review with You
- What is nothing to me may be everything to you.
- You (always) know a lot more than me.

Report the Findings
- A report and Examples in the format you need.
  – Written, Officer’s Witness Statement.
  – Spread Sheets Showing file information.
  – Information Printed, on CD-R, Power Point.
  – Do live demos work? Yes or No

Interviews
- #1 DO NOT LET ANYONE SHOW YOU WHERE THE EVIDENCE IS ON THE COMPUTER……………
- Let them talk about their great computer skills or lack of skill.
- Ownership and use of each computer.
- Passwords!

- Like all interviews you are attempting to gather information.
- What else would you like to know.
  – Online service, when used the most, computer at work? AND

Search Warrant VS Consent
- When you can get a search warrant.
- Consent: knowingly, freely and voluntarily.
  – with the authority to give the consent.

You Found the “something”. Are We Done?

Computer Examinations 101
- The Fun Stuff.
- Proving the WHO, WHAT, WHERE, WHEN, HOW and maybe WHY.

Date and Time Stamps
- Windows 9x and above tracks three dates and two times.
- NTFS adds one date and one time.
- Other Operating Systems keep dates and time.

Windows > Properties

EnCase view of Date and Times

Deleted Files
- DOS / Windows only overwrites the first character of the file's entry in the DOS directory.
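
The "Date and Time Stamps" and "Deleted Files" slides both describe fields of the 32-byte FAT directory entry. The following is an added example, not part of the original presentation: it decodes one constructed entry and shows the three dates, the two times, and the 0xE5 byte that replaces the first name character on deletion. The file name and values in `SAMPLE` are made up for illustration.

```python
import struct
from datetime import date, time

DELETED_MARKER = 0xE5            # DOS writes this over the first name character
ENTRY = "<8s3sBBBHHHHHHHI"       # 32-byte FAT short-name directory entry

def fat_date(v):
    """16-bit FAT date: bits 15-9 year since 1980, 8-5 month, 4-0 day."""
    return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F) if v else None

def fat_time(v):
    """16-bit FAT time: bits 15-11 hour, 10-5 minute, 4-0 seconds / 2."""
    return time(v >> 11, (v >> 5) & 0x3F, min((v & 0x1F) * 2, 59))

def parse_dir_entry(raw):
    """Decode one directory entry; a deleted entry keeps everything but byte 0."""
    (name, ext, _attr, _nt, _tenths, ctime, cdate, adate,
     clus_hi, mtime, mdate, clus_lo, size) = struct.unpack(ENTRY, raw)
    deleted = name[0] == DELETED_MARKER
    stem = "?" + name[1:].decode("latin-1") if deleted else name.decode("latin-1")
    return {
        "name": stem.rstrip() + "." + ext.decode("latin-1").rstrip(),
        "deleted": deleted,
        "created": (fat_date(cdate), fat_time(ctime)),    # date + time
        "modified": (fat_date(mdate), fat_time(mtime)),   # date + time
        "accessed": fat_date(adate),                      # date only
        "first_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
    }

def _d(y, m, d):
    return ((y - 1980) << 9) | (m << 5) | d

def _t(h, mi, s):
    return (h << 11) | (mi << 5) | (s // 2)

# Constructed sample: the entry for SECRET.DOC after the file was deleted.
SAMPLE = struct.pack(ENTRY, b"\xE5ECRET  ", b"DOC", 0x20, 0, 0,
                     _t(9, 15, 30), _d(2001, 3, 14), _d(2001, 4, 2), 0,
                     _t(16, 42, 8), _d(2001, 3, 20), 37, 19456)

if __name__ == "__main__":
    for key, value in parse_dir_entry(SAMPLE).items():
        print(f"{key:14}{value}")
```

The starting cluster, size and all timestamps survive deletion, which is why the entry can still be listed and the file often recovered until its clusters are reused.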

File Slack & Unallocated Space
- File Slack, the space between the end of the file and the end of the “Cluster”.
- Unallocated Space, the space on the disk that is not assigned in the directory (free space).
- Both contain left over information.
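
An added example (not from the original presentation) of why file slack holds left over information: a constructed disk image in which a short file reuses a cluster that previously held a longer one. The 4096-byte cluster size, the contiguous layout and the sample text are assumptions made for the illustration.

```python
import re

CLUSTER_SIZE = 4096  # assumed cluster size for this constructed example

def slack_size(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes left between end-of-file and the end of the last cluster."""
    clusters = -(-file_size // cluster_size)      # ceiling division
    return clusters * cluster_size - file_size

def read_slack(image, file_offset, file_size, cluster_size=CLUSTER_SIZE):
    """Return the slack bytes of a file stored contiguously at file_offset."""
    end_of_file = file_offset + file_size
    return image[end_of_file:end_of_file + slack_size(file_size, cluster_size)]

def printable_runs(data, min_len=8):
    """Extract runs of printable ASCII, a common first look at slack."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def build_sample():
    """Constructed image: cluster 1 held a long letter, then a short file reused it."""
    old = (b"old letter: meet at the storage unit and bring the ledger. " * 80)[:CLUSTER_SIZE]
    new = b"grocery list: milk, eggs\r\n"
    cluster = new + old[len(new):]     # only the first len(new) bytes are overwritten
    return bytes(CLUSTER_SIZE) + cluster, CLUSTER_SIZE, len(new)

if __name__ == "__main__":
    image, offset, size = build_sample()
    slack = read_slack(image, offset, size)
    print(f"file is {size} bytes, slack is {len(slack)} bytes")
    for text in printable_runs(slack):
        print(text[:70])
```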

Header Vs. File Extension
- File Headers, what is important.
  – 4A 47 03 0E 00 00 00 50 4B 03 04 14 00 00 00 00 00 FF D8 FF E0 D0 CF 11 E0 A1 B1 1A E1 00 00,0,FE FF 09 00,29,4,0,42 00 02
- File Extension, what we see.
  – *.ART, DOC, JPG, XLS

Previewing
- Let's talk.
- When to do it.
- What are you looking for.
- Tools.
- Where to look.

Previewing. Let's Talk.
- Consent
- Damage to evidence
- Testifying about it in court
- Do you stand a chance of finding something.
- False negative.

Previewing. When to do it.
- Group participation.

Previewing. When to do it.
- Looking for text.
  – Easy anytime.
  – Have Examiner prepare EnCase Boot disk with search items.
  – Other tools. Norton disk editor, DIBS Mycroft V3 and others.

Previewing. When to do it.
- Images.
- There are not too many DOS based image viewers.
- EnCase on laplink.
- Copy out possible sources.

Previewing. Tools.
- EnCase Laplink or Network Card. $2K
- Pre-Search & Digit, NIS and Paul Bright. Free, unsupported.
- Boot to “safe” DOS disk and copy out interesting items.

Previewing. Where to look.
- C:\Windows\Temporary Internet Files
- C:\Windows\Recent AKA:
  – Start > Documents (right click & properties)
- C:\Windows\History
- Recycle bin
- Internet Explorer, Recent and Favorites
- My Documents > My Pictures ?

Previewing, Where else
- Looking for Newsgroup Programs.
  – Free Agent, NewsRover, Outlook.
- C:\Windows\Temp
- The Directory in each Volume?
  – Folder Titled “kid pict” or some other obvious name.

Organizations.
- CTIN
- AGORA
- HTCIA
- IACIS
- NWCCC