Computer Related Evidence & What is this computer geek going to do now that I have done all the hard work?
Rules We Live By And So Should You
Never Alter the Original Media!
Findings MUST be Verifiable!
Findings MUST be Reproducible!
PROCEDURES
What your examiners can do for and with you.
Assist Preparing the Search Warrant.
Service of the Search Warrant.
Gathering the Computer Related Evidence (CRE).*
Image and Archive.*
Store and Secure Computer Related Evidence.
Examine.*
Review Findings with you.*
Complete a Report in the Format You Need.*
Prosecutor and Defense Interviews about the computer related evidence.
Testify.
Dispose / Clean Evidence.*
What We Will Not Do
Take Over Your Investigation!
Gathering Evidence
Securing. Turning off. Documenting. Marking. Transporting.
Imaging and Archives
We work from an Image of the Suspect media.
Copy is stored on CD-R or Tape.
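Working from an image only satisfies the rules above if the image can be shown to be the same as the media was at acquisition, and shown again before each examination. The Python below is an added example, not code from the presentation or from any tool it mentions: it hashes the source read-only, copies it block by block, records the hash, and re-verifies the working copy. The file names and the sample bytes are constructed, and an ordinary file stands in for the suspect media.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read 64 KiB at a time so large media never sits in memory at once


def hash_file(path, algorithm="sha256"):
    """Hash a file opened read-only and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:  # "rb" never writes, so the source is not altered by this script
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Copy the source byte-for-byte into image_path.

    Returns the hash of the source taken before copying, so the image can
    later be checked against what the original looked like at acquisition.
    """
    source_hash = hash_file(source_path)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return source_hash


def verify_image(image_path, expected_hash):
    """True if the image still hashes to the value recorded at acquisition."""
    return hash_file(image_path) == expected_hash


def demo():
    """Constructed walk-through: fake 'suspect media', an image of it, and a
    check that catches a working copy that was written to. Returns (ok_before, ok_after)."""
    workdir = tempfile.mkdtemp()
    media = os.path.join(workdir, "suspect_media.bin")  # constructed stand-in for the drive
    image = os.path.join(workdir, "suspect_media.dd")   # constructed image file name
    with open(media, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE MEDIA " * 4000)

    recorded = acquire_image(media, image)
    ok_before = verify_image(image, recorded)

    # Simulate an examiner accidentally writing one byte into the working copy.
    with open(image, "r+b") as f:
        f.seek(100)
        f.write(b"X")
    ok_after = verify_image(image, recorded)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Opening the source with `"rb"` only stops this script from writing to it; in practice the original is attached through a write blocker, the recorded hash goes into the case notes, and only the verified image is ever examined.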
Examine
See The Rule We Live By. Work from the copy with a variety of tools. You have to tell us what is going on.
Review with You
What is nothing to me may be everything to you.
You (always) know a lot more than me.
Report the Findings
A report and examples in the format you need.
– Written, Officer’s Witness Statement.
– Spreadsheets showing file information.
– Information printed, on CD-R, PowerPoint.
– Do live demos work? Yes or No
Interviews
#1 DO NOT LET ANYONE SHOW YOU WHERE THE EVIDENCE IS ON THE COMPUTER.
Let them talk about their great computer skills or lack of skill.
Ownership and use of each computer. Passwords!
Like all interviews, you are attempting to gather information.
What else would you like to know?
– Online service, when used the most, computer at work? AND
Search Warrant vs. Consent
When you can get a search warrant.
Consent: knowingly, freely and voluntarily, with the authority to give the consent.
You Found the “something”. Are We Done?
Computer Examinations 101
The Fun Stuff. Proving the WHO, WHAT, WHERE, WHEN, HOW and maybe WHY.
Date and Time Stamps
Windows 9x and above tracks three dates and two times.
NTFS adds one date and one time. Other operating systems keep dates and time.
Windows > Properties
EnCase view of Date and Times
Deleted Files
DOS / Windows only overwrites the first character of the DOS directory entry.
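The “three dates and two times” above are exactly what a FAT directory entry stores (created date and time, last-written date and time, last-access date only), and the deleted-file point is visible in the same 32 bytes: DOS writes 0xE5 over the first name byte and leaves everything else, timestamps and size included, in place. The Python below is an added example, not code from the presentation or from EnCase; it decodes the standard FAT 8.3 entry layout and runs over two constructed entries, one live and one deleted.

```python
import struct
from datetime import date, datetime, time

# 32-byte FAT 8.3 directory entry, little-endian (standard layout, assumed here;
# the slides only describe the timestamps it holds).
ENTRY = struct.Struct("<11sBBBHHHHHHHI")
DELETED_MARK = 0xE5  # the one byte DOS overwrites when a file is deleted


def fat_date(raw):
    """16-bit FAT date: years since 1980 (7 bits), month (4), day (5)."""
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)


def fat_time(raw):
    """16-bit FAT time: hour (5 bits), minute (6), two-second units (5)."""
    return time(raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2)


def to_fat_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def to_fat_time(t):
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)


def parse_dir_entry(entry):
    """Decode one directory entry into the fields an examiner looks at."""
    (name, attr, _ntres, _crt_tenth, crt_time, crt_date, acc_date,
     _clus_hi, wrt_time, wrt_date, _clus_lo, size) = ENTRY.unpack(entry)
    deleted = name[0] == DELETED_MARK
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]  # first character is unrecoverable; the other seven survive
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "directory": bool(attr & 0x10),
        "size": size,
        # Three dates, two times: created (date+time), written (date+time),
        # accessed (date only). NTFS would add an MFT-entry-modified stamp.
        "created": datetime.combine(fat_date(crt_date), fat_time(crt_time)),
        "written": datetime.combine(fat_date(wrt_date), fat_time(wrt_time)),
        "accessed": fat_date(acc_date),
    }


def make_entry(name83, created, written, accessed, size, deleted=False):
    """Constructed entry for the demo (the encoder is the inverse of the parser)."""
    raw = name83.encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]
    return ENTRY.pack(raw, 0x20, 0, 0,
                      to_fat_time(created.time()), to_fat_date(created.date()),
                      to_fat_date(accessed), 0,
                      to_fat_time(written.time()), to_fat_date(written.date()),
                      2, size)


# Constructed sample directory: one live file, one deleted file.
SAMPLE_LIVE = make_entry("PHOTO   JPG", datetime(2003, 5, 14, 10, 32, 16),
                         datetime(2003, 5, 14, 10, 32, 16), date(2003, 6, 1), 81920)
SAMPLE_DELETED = make_entry("REPORT  DOC", datetime(2003, 5, 14, 10, 32, 16),
                            datetime(2003, 5, 20, 14, 5, 30), date(2003, 6, 1), 4096,
                            deleted=True)


def list_directory(entries):
    return [parse_dir_entry(e) for e in entries]


if __name__ == "__main__":
    for info in list_directory([SAMPLE_LIVE, SAMPLE_DELETED]):
        print(info)
```

Note the two-second resolution of the written and created times and the missing access time: those are properties of the on-disk format, not of the tool, and they matter when a timeline is built from FAT media.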
File Slack & Unallocated Space
File Slack: the space between the end of the file and the end of the “cluster”.
Unallocated Space: the space on the disk that is not assigned in the directory (free space).
Both contain left-over information.
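The two definitions above are easiest to see on a tiny constructed volume. The Python below is an added example, not from the presentation: it builds an 8-cluster image with a 512-byte cluster size (both chosen for the demo), writes and then deletes a memo, writes a shorter note over the same clusters, and shows that the memo's left-overs sit in the note's slack and in unallocated clusters. The directory is modelled as a list of live files with their cluster chains.

```python
CLUSTER = 512        # constructed cluster size for the demo; real volumes use 512 bytes to 32 KiB
TOTAL_CLUSTERS = 8   # constructed volume size


def build_demo_image():
    """Construct the volume and its directory.

    Simulated history: a 1,400-byte memo occupied clusters 2-4 and was deleted
    (so it no longer appears in the directory); afterwards a 700-byte note was
    written into clusters 2-3. Returns (image bytes, directory), where the
    directory is a list of (name, size, clusters) for live files only.
    """
    image = bytearray(CLUSTER * TOTAL_CLUSTERS)
    memo = (b"OLD MEMO: " + b"meeting notes about the shipment " * 45)[:1400]
    image[2 * CLUSTER:2 * CLUSTER + len(memo)] = memo
    note = (b"NEW NOTE: " + b"grocery list " * 60)[:700]
    image[2 * CLUSTER:2 * CLUSTER + len(note)] = note
    directory = [("NOTE.TXT", len(note), [2, 3])]
    return bytes(image), directory


def file_slack(image, size, clusters):
    """Bytes from end-of-file to the end of the file's last cluster."""
    used_in_last = size - CLUSTER * (len(clusters) - 1)
    last = clusters[-1]
    return image[last * CLUSTER + used_in_last:(last + 1) * CLUSTER]


def unallocated_space(image, directory):
    """Every cluster no live directory entry points to, concatenated in order."""
    in_use = {c for _, _, clusters in directory for c in clusters}
    return b"".join(image[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in range(TOTAL_CLUSTERS) if c not in in_use)


def classify_offset(offset, directory):
    """Which region a byte offset falls in: allocated, slack or unallocated."""
    cluster = offset // CLUSTER
    for _name, size, clusters in directory:
        if cluster in clusters:
            pos_in_file = clusters.index(cluster) * CLUSTER + offset % CLUSTER
            return "allocated" if pos_in_file < size else "slack"
    return "unallocated"


def keyword_hits(image, directory, keyword):
    """Offsets of keyword in the image, each labelled with its region."""
    hits, start = [], 0
    while (pos := image.find(keyword, start)) != -1:
        hits.append((pos, classify_offset(pos, directory)))
        start = pos + 1
    return hits


if __name__ == "__main__":
    img, directory = build_demo_image()
    print("slack of NOTE.TXT:", file_slack(img, 700, [2, 3])[:40])
    for pos, region in keyword_hits(img, directory, b"shipment")[:3]:
        print(f"'shipment' at offset {pos} in {region} space")
```

A keyword search that only reports offsets is half the job; labelling each hit as allocated, slack or unallocated is what lets the report say whether the text belongs to a live file the user could see or to residue of something deleted.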
Header Vs. File Extension
File Headers, what is important (the first bytes of the file, shown in hex):
4A 47 03 0E 00 00 00
50 4B 03 04 14 00 00 00 00 00
FF D8 FF E0
D0 CF 11 E0 A1 B1 1A E1 00 00
0,FE FF 09 00,29,4,0,42 00 02
File Extension, what we see:
– *.ART, DOC, JPG, XLS
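The hex on the slide is the start of real files, and which type each belongs to is standard knowledge rather than something the slide spells out: 4A 47 03 0E is an AOL ART image, 50 4B 03 04 is a ZIP local-file header, FF D8 FF E0 is a JFIF JPEG, and D0 CF 11 E0 A1 B1 1A E1 is the OLE2 compound document used by Word and Excel of that era. The Python below is an added example, not code from the presentation or from EnCase: it compares the header a file actually carries with the type its extension claims, and also locates headers inside a raw blob such as unallocated space. The two signatures marked as assumptions and all sample files are mine, not the slide's.

```python
import os

# Signatures from the slide, each paired with the type it marks (standard values).
SIGNATURES = [
    (b"\x4a\x47\x03\x0e", "ART"),                  # AOL ART image, from the slide
    (b"\x4a\x47\x04\x0e", "ART"),                  # later ART variant (assumption, not on the slide)
    (b"\x50\x4b\x03\x04", "ZIP"),                  # ZIP local file header, from the slide
    (b"\xff\xd8\xff\xe0", "JPG"),                  # JFIF JPEG, from the slide
    (b"\xff\xd8\xff\xe1", "JPG"),                  # Exif JPEG (assumption, not on the slide)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE"),  # OLE2 compound document, from the slide
]

# Extensions from the slide and the header type each should carry.
EXPECTED = {"art": "ART", "doc": "OLE", "xls": "OLE", "jpg": "JPG", "jpeg": "JPG", "zip": "ZIP"}


def identify(header):
    """Type of the file judged by its leading bytes, or None if not in the table."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def check_file(filename, header):
    """Compare what the extension claims with what the header says."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    detected = identify(header)
    if detected is None:
        verdict = "unknown header"
    elif ext not in EXPECTED:
        verdict = "extension not in table"
    elif EXPECTED[ext] == detected:
        verdict = "match"
    else:
        verdict = "MISMATCH"
    return {"file": filename, "extension": ext, "detected": detected, "verdict": verdict}


def carve(data):
    """Offsets of every known header inside a blob, e.g. unallocated space."""
    hits = []
    for magic, kind in SIGNATURES:
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, kind))
            start = pos + 1
    return sorted(hits)


# Constructed sample headers and files.
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLES = [
    ("report.doc", OLE_HEADER),    # a Word document under its own name
    ("family.doc", JPEG_HEADER),   # a JPEG renamed to look like a document
    ("notes.txt", JPEG_HEADER),    # extension outside the table
    ("readme.txt", b"Hello, world"),
]
# Constructed blob: a JPEG header at offset 10 and a ZIP header at offset 41.
BLOB = b"\x00" * 10 + JPEG_HEADER + b"\x00" * 20 + b"\x50\x4b\x03\x04" + b"\x00" * 4


def review_samples():
    return [check_file(name, header) for name, header in SAMPLES]


if __name__ == "__main__":
    for result in review_samples():
        print(result)
    print(carve(BLOB))
```

A signature table this short will miss a great deal in real casework, and an extension outside the table is not evidence of anything by itself; the check is a triage aid that tells the examiner which files to open, not a finding on its own.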
Previewing
Let's talk. When to do it. What are you looking for. Tools. Where to look.
Previewing. Let's Talk.
Consent. Damage to evidence. Testifying about it in court. Do you stand a chance of finding something? False negative.
Previewing. When to do it.
Group participation.
Previewing, When to do it.
Looking for text.
– Easy anytime.
– Have Examiner prepare EnCase boot disk with search items.
– Other tools: Norton Disk Editor, DIBS Mycroft V3 and others.
Previewing. When to do it.
Images. There are not too many DOS-based image viewers. EnCase on LapLink. Copy out possible sources.
Previewing. Tools.
EnCase, LapLink or network card. $2K. Pre-Search & Digit, NIS and Paul Bright.
Free, unsupported. Boot to “safe” DOS disk and copy out interesting items.
Previewing. Where to look.
C:\Windows\Temporary Internet Files
C:\Windows\Recent AKA:
– Start > Documents (right click & properties)
C:\Windows\History
Recycle Bin
Internet Explorer, Recent and Favorites
My Documents > My Pictures ?
Previewing, Where else
Looking for Newsgroup Programs.
– Free Agent, NewsRover, Outlook.
C:\Windows\Temp
The Directory in each Volume?
– Folder titled “kid pict” or some other obvious name.
Organizations.
CTIN, AGORA, HTCIA, IACIS, NWCCC