matrimonial detective agency in delhi, private detective service, detective
Digital Forensics and Digital Detective Work. 2 Objectives Recognize the role e-evidence plays in...
-
Upload
juniper-stafford -
Category
Documents
-
view
218 -
download
0
Transcript of Digital Forensics and Digital Detective Work. 2 Objectives Recognize the role e-evidence plays in...
Digital Forensics and Digital Detective Work
2
Objectives
Recognize the role e-evidence plays in physical, or violent, and digital item crimes
Describe the basic steps in a digital forensics investigation
Identify the legal and ethical issues affecting evidence search and seizure
Identify the types of challenges to the admissibility of e-evidence
3
Objectives (Cont.)
Understand how criminals’ motives can help in crime detection and investigation
Explain chain of custody Explain why acceptable methods for
computer forensics investigations and e-discovery are still emerging
4
Introduction
Digital forensics investigators are “detectives of the digital world.” This ppt introduces you to the generally accepted methods used in digital forensics; computer architecture, the Internet, other digital devices, and the types of evidence these trails leave behind.
5
E-Evidence Trails and Hidden Files
Computers are routinely used to plan and coordinate many types of crimes
Computer activities leave e-evidence trails File-wiping software can be used to delete and
overwrite data (i.e. Privacy Suite from CyberScrub) File-wiping process takes time and expertise
Many e-evidence traces can be found by showing hidden files on a computer
6
Knowing What to Look For
Technical knowledge of how data and metadata are stored will determine what e-evidence is found
For this reason, technical knowledge of investigators must keep pace with evolving data storage devices
7
Knowing What to Look for (Cont.)
Three cases illustrate importance of technical knowledge: Dr. Harold Shipman (serial killer responsible for at
least 236 murders from 75 to 98) modified medical records to hide evidence of murder; date stamp revealed records were fraudulent
Employees made online purchases with customer credit cards; hidden HTML code revealed fraud
Neil Entwhistle killed his wife and child; cache showed Internet sites that described how to kill people
8
The Five Ws
Answering the 5 Ws helps in criminal investigations: Who What Where When Why
9
In Practice: PDA Forensics
PDA forensics are being used frequently in homicide investigations and white collar crimes
Examples: Danielle van Dam murder, February 2002 (police
examined four hard drives and a Palm Pilot PDA of a person who was then convicted)
Doctors found to be falsely billing for Medicaid and Medicare patients that were never seen
10
Preserving Evidence
Preserving evidence is critical in order to use the evidence in a legal defense or prosecution
Scientific methods must be used in order to preserve the integrity of the evidence collected
11
Digital Forensics Process
Consistent with other scientific research, a digital forensics investigation is a process
There are five stages to the process: Preparation (investigator and tools, not the
data) Collection (the data) Examination Analysis Reporting
12
Admissibility of Evidence
Goal of an investigation: collect evidence using accepted methods so that the evidence is accepted in the courtroom and admitted as evidence in the trial
Judge’s acceptance of evidence is called admission of evidence
13
Admissibility of Evidence (Cont.)
Evidence admissibility requires legal search and seizure and chain of custody
Chain of custody must include: Where the evidence was stored Who had access to the evidence What was done to the evidence
In some cases, it may be more important to protect operations than obtain admissible evidence
© Pearson Education Computer Forensics: Principles and Practices 14
In Practice: CD Universe Prosecution Failure Attempted extortion involving credit card
numbers by “Maxim” Six months after the incident, Maxim still
could not be found Evidence was compromised by FBI and
security firms who may have used original data rather than a forensic copy (changed the last-access dates)
15
Digital Signatures and Profiling
Digital signature left by serial killer Dennis L. Rader revealed as “BTK” Hidden electronic code on disk led to church
where he had access to a computer Digital profiling of crime suspects
E-evidence can supply patterns of behavior or imply motives
Evidence can include information stored on computers, e-mail, cell phone data, and wiretaps
16
Crimes Solved Using Forensics
Criminal Type of Crime Type of E-Evidence
Dennis Rader Serial killer Deleted files on a floppy disk used by the criminal at his church’s computer
Lee Boyd Malvo, John Allen Muhammad
Snipers Digital recordings on a device in suspects’ car
Lisa Montgomery Murder and fetus-kidnapping
E-mail communication between the victim and criminal—tracing an IP address to a computer at criminal’s home
(Continued)
17
Crimes Solved Using Forensics (Cont.)
Criminal Type of Crime Type of E-Evidence
David A. Westerfield Murder Files on four computer hard drives and a PDA
Scott Peterson Double murder GPS data from his car and cell phone; Internet history
Alejandro Avila Rape and murder E-evidence of child pornography on his computer
Zacarias Moussaoui Terrorism E-mail, files from his computers
18
Forensics Investigation Methods
Protect the suspect system from any possible alteration, damage, data corruption, or virus introduction
Discover all files Recover deleted files Reveal contents of hidden files Access protected or encrypted
files Use steganalysis to identify
hidden data
Analyze data in unallocated and slack space
Print an analysis of the system Provide an opinion of the
system layout Provide expert testimony or
consultation
Methods used by investigators must achieve these objectives:
19
Unallocated Space and File Slack
Unallocated space: space that is not currently used to store an active file but may have stored a file previously
File slack: space that remains if a file does not take up an entire sector
Unallocated space and slack space can contain important information for an investigator
© Pearson Education Computer Forensics: Principles and Practices 20
File System Most commonly used storage device: hard disk or CD-ROM Hard disk – see next two slides File – a digital document which has a file name and metadata
File content, e.g. the text and figures in a Word document Metadata – data that describe data, e.g. size, time, user ID, access permission, etc.(useful in
DF) Directory – folder that contains sub-directories and files File systems - Is a method of storing and organizing files and data to make it easy
to find and access them FAT (for older versions of Windows), NTFS (for newer versions of Windows, ext2, ext3, ext4
(latest file system for Linux)
21
Structure of a Hard Disk(A) Track – circular path on the surface of a disk where information is magnetically recorded and read.
(B) Geometrical sector – a subdivision of tracks
22
Structure of a Hard Disk cont.(C) (Track) Sector – a sector on a track storing fixed amount of data (e.g. 512 bytes)
(D) Cluster – the unit disk space allocation for files and directories. Cluster (not sector) is the smallest unit for file/directory allocation, and it contains contiguous groups of sectors, e.g. A 4 KB cluster contains 8 512-byte sectors.
23
NYS Police Forensic Procedures
Stage Tools Discussion
Seizing the computer
None Computer and technology are seized under the rules, evidence, and the warrant that they hold. Evidence is transported and secured at the Forensic Investigation Center (FIC).
Backup Safeback, Expert Witness, Snapback
Backup is done using one of the listed tools. A case file is created on an optical disk (CD).
Evidence extraction
Expert Witness The FIC is moving much of the investigative process to Expert Witness. Traditional searches are done currently to find and extract evidence.
(Continued)
24
NYS Police Forensic Procedures (Cont.)
Stage Tools Discussion
Case creation Expert Witness The case creation process allows the extracted information to be placed in a case file, on a floppy disk, hard disk, or removable media.
Case analysis None Investigators use experience and training to search the computer evidence for documents, deleted files, images, e-mail, slack space, etc., that will help in the case.
Correlation of computer events
None Timeline, order of events, related activities, and contradictory evidence are the components of this stage.
(Continued)
25
NYS Police Forensic Procedures (Cont.)
Stage Tools Discussion
Correlation of noncomputer events
None Phone records, credit card receipts, eyewitness testimony, etc. are manually sorted and correlated.
Case presentation
Standard Office Finally, the information that has been extracted, analyzed, and correlated is put together in a form ready for presentation to a judge or jury.
26
Challenges to Evidence
Criminal trials may be preceded by a suppression hearing This hearing determines admissibility or
suppression of evidence Judge determines whether Fourth Amendment
has been followed in search and seizure of evidence.
The success of any investigation depends on proper and ethical investigative procedures
27
Search Warrants
Investigators generally need a search warrant to search and seize evidence
Law officer must prepare an affidavit that describes the basis for probable cause—a reasonable belief that a person has committed a crime
Search warrant gives an officer only a limited right to violate a citizen’s privacy
28
Search Warrants (Cont.)
Two reasons a search can take place without a search warrant: The officer may search for and remove any
weapons that the arrested person may use to escape or resist arrest
The officer may seize evidence in order to prevent its destruction or concealment
29
In Practice: A Terrorist’s Trial
FBI agents attempted to get permission to search Moussaoui’s laptop but permission was denied on grounds they had not proved probable cause
Events on September 11 provided enough evidence for a search warrant, but by this time it was too late to access e-mail accounts that might have provided important data
30
Motives for Cybercrimes
Finding the motive—the “why” of the crime—can help in an investigation
Possible motives: Financial gain, including extortion and blackmail Cover up a crime Remove incriminating information or
correspondence Steal goods or services without having to pay for
them Industrial espionage
31
Categories of Cybercrimes
Computer is the crime target Computer is the crime instrument Computer is incidental to traditional crimes New crimes generated by the prevalence of
computers
32
Chain of Custody Procedures
Handling of e-evidence must follow the three C’s of evidence: care, control, and chain of custody
Chain of custody procedures Keep an evidence log that shows when evidence was
received and seized, and where it is located Record dates if items are released to anyone Restrict access to evidence Place original hard drive in an evidence locker Perform all forensics on a mirror-image copy, never on
the original data
33
Report Procedures
All reports of the investigation should be prepared with the understanding that they will be read by others
The investigator should never comment on the guilt or innocence of a suspect or suspects or their affiliations
34
Digital Forensics Investigator’s Responsibilities Investigate and/or review current digital and digital-
mediated crimes Maintain objectivity when seizing and investigating
computers, suspects, and support staff Conduct all forensics investigations consistently with
generally accepted procedures and federal rules of evidence and discovery
Keep a log of activities undertaken to stay current in the search, seizure, and processing of e-evidence
35
Summary
Computers and the Internet have contributed to traditional and computer crimes
Effective forensic investigation requires any technology that tracks what was done, who did it, and when
Images or exact copies of the digital media being investigated need to be examined by trained professionals
36
Summary (Cont.)
There are several legal and ethical issues of evidence seizure, handling, and investigation
New federal rules and laws regulate forensic investigations
The need for e-evidence has led to a new area of criminal investigation, namely digital forensics
This field is less than 20 years old
37
Summary (Cont.)
Digital forensics depends on an understanding of technical and legal issues
Greatest legal issue in digital forensics is the admissibility of evidence in criminal cases
Digital forensics investigators identify, gather, extract, protect, preserve, and document computer and other e-evidence using acceptable methods
38
Summary (Cont.)
Laws of search and seizure, as they relate to electronic equipment, must be followed
Failure to follow proper legal procedure will result in evidence being ruled inadmissible in court