Guide to Computer Forensics and Investigations, Second Edition Chapter 6 Digital Evidence Controls.
Chapter 6 Digital Evidence Controls
Guide to Computer Forensics and Investigations, 2e 2
Objectives
• Identify digital evidence
• Secure digital evidence at an incident scene
• Catalog digital evidence
• Store digital evidence
• Obtain a digital hash
Identifying Digital Evidence
• Evidence stored or transmitted in digital form
• Courts accept digital evidence as physical
• Groups
– Scientific Working Group on Digital Evidence (SWGDE): active law enforcement only
– International Organization on Computer Evidence (IOCE)
Identifying Digital Evidence (continued)
• Working with digital evidence
– Identify potential digital evidence
– Collect, preserve, and document the evidence
– Analyze, identify, and organize the evidence
– Verify results can be reproduced
• Systematic job
• Use standardized forms for documentation
Understanding Evidence Rules
• Handle all evidence consistently
• Always apply same security controls
• Evidence for a criminal case can be used in civil litigation
• Keep current on the latest rulings and directives
– Check the DoJ website
• Check with your attorney on how to handle evidence
Understanding Evidence Rules (continued)
• Bit-stream copies are considered physical evidence
• Other considerations for electronic evidence
– It can be changed more easily
– Hard to distinguish a duplicate from the original
• Computer records are hearsay evidence
– Secondhand or indirect evidence
– Not admissible in a court trial
Understanding Evidence Rules (continued)
• Business-record exception
– Records must have been created by suspect
– Records are original
• Computer records are admissible if they qualify as business records
– Computer-generated records
– Computer-stored records
Understanding Evidence Rules (continued)
• Use known processes and tools when handling evidence
• Printouts qualify as original evidence
• Bit-stream copies also qualify as original evidence
• Use the original evidence when possible
Securing Digital Evidence at an Incident Scene
• Depends on the nature of the case
• Considerations:
– Do you need to take the entire computer system?
– Is the computer powered on when you arrive?
– Is the suspect near the area of the computer?
Securing Digital Evidence at an Incident Scene (continued)
• Guidelines:
– Create a forensics copy
– Handling a powered-on computer
  • Photograph the screen contents first
  • Save active data to removable media
  • Shut down the computer
– Still- and video-record the scene
– Be invisible
Cataloging Digital Evidence
• If the computer is turned off
– Identify the type of computer
– Photograph all cable connections
– Label cables with evidence tags
– Assign one person to collect and log evidence
– Tagging
  • Current date and time
  • Serial numbers
  • Make and model
Cataloging Digital Evidence (continued)
• If the computer is turned off (continued)
– Maintain two separate logs for backup purposes
– Maintain constant control of the evidence collected and the scene
Cataloging Digital Evidence (continued)
• Additional steps if the computer is turned on
– Copy any application data on screens
– Save RAM data to removable media
– Shut down the computer
– Use another OS to examine hard disk data
– Create a bit-stream copy of the suspect's hard disk
– Verify integrity of the forensic copy
Lab Evidence Considerations
• Transport evidence to your lab
– Ensure security and integrity of digital evidence
• Record your activities and findings
• Goal
– Reproduce the same results
• Save your journal for future reference
– At court
– Training
Processing and Handling Digital Evidence
• Create a bit-stream copy
– Use a write-blocking device
• Preserve the image file
• Steps:
– Copy all bit-stream images to a large hard disk
– Start forensics tools
– Check bit-stream image file integrity
– Place the original media in an evidence locker
Storing Digital Evidence
• Considerations:
– How to save
– What type of media
– Where to store it
– For how long
• Ideal media:
– CD-Rs and DVDs
Storing Digital Evidence (continued)
• Other storage options: magnetic tapes
– 4mm DAT
– DLT
– Super-DLT or SDLT
• Do not rely on only one method
Storing Digital Evidence (continued)
(figure-only slide)
Evidence Retention and Media Storage Needs
• Maintain the chain of custody
– Evidence can be accepted in court
• Restrict access
– Lab
– Storage area
• When lab is opened
– Supervised by authorized personnel
• When lab is closed
– Protected by at least two security staff
Evidence Retention and Media Storage Needs (continued)
• Sign-in log for visitors
• Manual log system for evidence storage containers
– Should be kept for a period based on legal requirements
• Child pornography material can only be stored by law enforcement agents
Evidence Retention and Media Storage Needs (continued)
(figure-only slide)
Documenting Evidence
• Create or use an evidence custody form
• Update your form
– Changes in technologies and methods for acquiring data
• Evidence custody form functions
– Identifies the evidence
– Identifies who has handled the evidence
– Lists the dates and times the evidence was handled
Documenting Evidence (continued)
• Optional information
– MD5 hash value
– Customized information
• Use evidence bag labels
– Write on the bag when it is empty
• Antistatic bag for electronic components
• Keep an electronic copy of your evidence custody forms
Obtaining a Digital Hash
• Obtain a unique identity for file data
• Cyclic Redundancy Check (CRC)
– One of the first methods
– Most recent version CRC-32
• MD5
– Most common algorithm
– Mathematical formula translates a file into a hexadecimal value
Obtaining a Digital Hash (continued)
• Digital hash changes if a bit or byte changes
• Verification process
– Create a hash value
– Analyze data
– Create a second hash value
– Compare hash values
• Secure Hash Algorithm (SHA)
– Developed by NIST
Obtaining a Digital Hash (continued)
• Digital hashes are like digital fingerprints
• Non-keyed hash set can identify known programs
• Keyed hash set can produce a unique fingerprint
Obtaining a Digital Hash (continued)
• Example:
– Create a file with Notepad
– Obtain its hash value with DriveSpy
– Modify the file
– Recompute its hash value
– Compare hash values
Create a File
(figure-only slide)
DriveSpy
(figure-only slide)
Computing Hash Value
(figure-only slide)
Computing Hash Value (continued)
(figure-only slide)
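The following is an added example, not part of the chapter and not DriveSpy's own code. It carries the Notepad/DriveSpy exercise from the "Example" slide through in Python, records each hash as an entry on the evidence custody form the "Documenting Evidence" slides describe (the slides list an MD5 hash value as optional form data), and runs the four-step verification process from the "Obtaining a Digital Hash" slides: hash, work on the data, hash again, compare. The file name, its contents, and the handler name are constructed for the demonstration. It computes CRC-32, MD5 and SHA-256 side by side, which goes beyond the slides: CRC-32 and MD5 are the two the chapter names, and SHA-256 is included because MD5 collisions are practical today and labs commonly record a second, stronger algorithm next to it.

```python
# Added example (not from the textbook): hash-based integrity verification of an
# evidence file, following the slides' verification process and the Notepad /
# DriveSpy exercise, with the hashes recorded as custody-form entries.
# Standard library only; file contents and handler names are constructed.
import hashlib
import os
import tempfile
import zlib
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so a multi-gigabyte image never has to fit in RAM
ALGORITHMS = ("crc32", "md5", "sha256")


def _digest(blocks):
    """Run CRC-32, MD5 and SHA-256 over an iterable of byte blocks."""
    crc = 0
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for block in blocks:
        crc = zlib.crc32(block, crc)
        md5.update(block)
        sha256.update(block)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}",
            "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest()}


def hash_bytes(data):
    """Hashes of an in-memory byte string (useful for checks against known vectors)."""
    return _digest([data])


def hash_file(path):
    """Hashes of a file on disk, read in chunks."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(CHUNK), b""))


def custody_entry(path, handler, action):
    """One evidence custody form line: what, who, when, and the current hashes."""
    entry = {
        "item": os.path.basename(path),
        "handler": handler,
        "action": action,
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    entry.update(hash_file(path))
    return entry


def verify(path, recorded):
    """Second hash pass: does each current value match what the form recorded?"""
    current = hash_file(path)
    return {alg: current[alg] == recorded[alg] for alg in ALGORITHMS}


def walk_through(workdir=None):
    """The slides' exercise: create a file, hash it, modify it, rehash, compare."""
    if workdir is None:
        workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "note.txt")
    with open(path, "wb") as fh:
        fh.write(b"Meeting notes: transfer approved at 14:00.\n")  # constructed content
    log = [custody_entry(path, "examiner A", "acquired and hashed")]
    intact = verify(path, log[0])          # every algorithm agrees: all True
    with open(path, "r+b") as fh:           # change a single byte: 'M' -> 'm'
        fh.seek(0)
        fh.write(b"m")
    log.append(custody_entry(path, "examiner A", "re-hashed after edit"))
    altered = verify(path, log[0])         # every algorithm disagrees: all False
    return log, intact, altered


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        log, intact, altered = walk_through(d)
        for line in log:
            print(line)
        print("before edit:", intact)
        print("after edit: ", altered)
```

Run it directly to see the two custody-form entries and the before/after comparison. The one-byte change in `walk_through` is enough to flip every value, which is the property the "Digital hash changes if a bit or byte changes" slide relies on; the same `hash_file` and `verify` pair is what you would run against a bit-stream image immediately after acquisition and again after analysis.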
Summary
• Digital evidence
– Information stored or transmitted on electronic or optical media
– Fragile and easy to alter
• Working with digital evidence
– Identify potential evidence
– Collect, preserve, document, analyze, and organize the evidence
Summary (continued)
• Handle evidence consistently for criminal or civil investigations
• Catalog or document evidence you find on a crime scene
• Store evidence
• Create forensic copies of your evidence
• Use digital signatures to verify evidence integrity
Questions & Discussion