Guide to Computer Forensics and Investigations, Second Edition
Chapter 6: Digital Evidence Controls
(Transcript of the chapter 6 lecture slides, 34 slides)

Objectives

• Identify digital evidence

• Secure digital evidence at an incident scene

• Catalog digital evidence

• Store digital evidence

• Obtain a digital hash

Identifying Digital Evidence

• Evidence stored or transmitted in digital form

• Courts accept digital evidence as physical evidence

• Groups that publish standards for handling digital evidence:
  – Scientific Working Group on Digital Evidence (SWGDE): membership limited to active law enforcement
  – International Organization on Computer Evidence (IOCE)

Identifying Digital Evidence (continued)

• Working with digital evidence:
  – Identify potential digital evidence
  – Collect, preserve, and document the evidence
  – Analyze, identify, and organize the evidence
  – Verify that the results can be reproduced

• It is a systematic job

• Use standardized forms for documentation

Understanding Evidence Rules

• Handle all evidence consistently

• Always apply the same security controls

• Evidence collected for a criminal case can also be used in civil litigation

• Keep current on the latest rulings and directives
  – Check the DoJ website

• Check with your attorney on how to handle evidence

Understanding Evidence Rules (continued)

• Bit-stream copies are considered physical evidence

• Other considerations for electronic evidence:
  – It can be changed more easily than physical evidence
  – It is hard to distinguish a duplicate from the original

• Computer records are hearsay evidence
  – Secondhand or indirect evidence
  – Not admissible in a court trial unless a hearsay exception applies (see the business-record exception below)

Understanding Evidence Rules (continued)

• Business-record exception:
  – Records must have been created by the suspect in the normal course of business
  – Records are original

• Computer records are admissible if they qualify as business records
  – Computer-generated records
  – Computer-stored records

Understanding Evidence Rules (continued)

• Use known processes and tools when handling evidence

• Printouts qualify as original evidence

• Bit-stream copies also qualify as original evidence

• Use the original evidence when possible

Securing Digital Evidence at an Incident Scene

• Depends on the nature of the case

• Considerations:
  – Do you need to take the entire computer system?
  – Is the computer powered on when you arrive?
  – Is the suspect near the computer?

Securing Digital Evidence at an Incident Scene (continued)

• Guidelines:
  – Create a forensic copy
  – Handling a powered-on computer:
    • Photograph the screen contents first
    • Save active data to removable media
    • Shut down the computer
  – Still- and video-record the scene
  – Be invisible (leave as little trace of your own actions as possible)

Cataloging Digital Evidence

• If the computer is turned off:
  – Identify the type of computer
  – Photograph all cable connections
  – Label cables with evidence tags
  – Assign one person to collect and log evidence
  – Tagging: record
    • Current date and time
    • Serial numbers
    • Make and model

Cataloging Digital Evidence (continued)

• If the computer is turned off (continued):
  – Maintain two separate logs for backup purposes
  – Maintain constant control of the evidence collected and of the scene

Cataloging Digital Evidence (continued)

• Additional steps if the computer is turned on:
  – Copy any application data shown on screen
  – Save RAM data to removable media
  – Shut down the computer
  – Use another OS to examine the hard disk data
  – Create a bit-stream copy of the suspect's hard disk
  – Verify the integrity of the forensic copy

Lab Evidence Considerations

• Transport evidence to your lab
  – Ensure the security and integrity of the digital evidence

• Record your activities and findings

• Goal: anyone following your notes can reproduce the same results

• Save your journal for future reference
  – In court
  – For training

Processing and Handling Digital Evidence

• Create a bit-stream copy
  – Use a write-blocking device

• Preserve the image file

• Steps:
  – Copy all bit-stream images to a large hard disk
  – Start the forensics tools
  – Check the bit-stream image file's integrity
  – Place the original media in an evidence locker
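The imaging and integrity-check steps above (slides 13 and 15) as a runnable example. This is added code, not the book's: the "device" is a constructed file standing in for a block device such as /dev/sdb, and the image and case names are assumptions. The acquisition digests are computed in the same pass that writes the image, then the finished image is re-hashed independently; a working copy with one flipped bit is shown failing the check. Opening the source read-only does not replace the hardware write blocker the slide calls for; it only stops this script itself from writing to the original.

```python
"""Bit-stream imaging with integrity verification.

Added example, not from the book: the source 'device' is a constructed file
standing in for a block device such as /dev/sdb. Opening the source read-only
does not replace a hardware write blocker; it only stops this script itself
from writing to the original.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # stream the media in 64 KiB blocks; never load a whole disk into memory


def image_device(src_path, img_path, chunk=CHUNK):
    """Copy every byte of src_path to img_path, hashing the source as it streams by.

    Returns the byte count and the acquisition digests (MD5 and SHA-256) of the
    original media, computed in the same pass as the copy.
    """
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
            img.write(block)
            total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path, chunk=CHUNK):
    """Independently re-hash a finished image (the verification digests)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(img_path, acquisition):
    """True only when both verification digests equal the acquisition digests."""
    actual = hash_file(img_path)
    return actual["md5"] == acquisition["md5"] and actual["sha256"] == acquisition["sha256"]


def demo():
    """Image a constructed device, verify the copy, and show a damaged copy failing.

    Returns (acquisition record, verification result for the good image,
    verification result for the corrupted copy).
    """
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "suspect_device.bin")
        image = os.path.join(d, "case001_drive.dd")
        # Constructed sample media: 300 KiB of a repeating byte pattern, not real data.
        with open(device, "wb") as f:
            for i in range(300):
                f.write(bytes([i % 256]) * 1024)

        acq = image_device(device, image)
        good = verify_image(image, acq)

        # Corrupt one bit of a working copy (a bad sector on the target disk, say)
        # and confirm the verification catches it.
        corrupt = os.path.join(d, "case001_drive_corrupt.dd")
        with open(image, "rb") as src:
            data = bytearray(src.read())
        data[150 * 1024] ^= 0x01
        with open(corrupt, "wb") as dst:
            dst.write(data)
        bad = verify_image(corrupt, acq)
    return acq, good, bad


if __name__ == "__main__":
    acq, good, bad = demo()
    print(f"acquired {acq['bytes']} bytes")
    print(f"md5    {acq['md5']}")
    print(f"sha256 {acq['sha256']}")
    print(f"image verified: {good}; corrupted copy verified: {bad}")
```

Record the acquisition digests on the evidence custody form at the time of imaging; every later verification compares against that recorded value, not against a digest recomputed from whatever copy happens to be at hand.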

Storing Digital Evidence

• Considerations:
  – How to save it
  – What type of media
  – Where to store it
  – For how long

• Ideal media: CD-Rs and DVDs

Storing Digital Evidence (continued)

• Other storage options: magnetic tapes
  – 4mm DAT
  – DLT
  – Super-DLT (SDLT)

• Do not rely on only one method


Evidence Retention and Media Storage Needs

• Maintain the chain of custody
  – So that the evidence can be accepted in court

• Restrict access to
  – The lab
  – The storage area

• When the lab is open: supervised by authorized personnel

• When the lab is closed: protected by at least two security staff

Evidence Retention and Media Storage Needs (continued)

• Sign-in log for visitors

• Manual log system for evidence storage containers
  – Should be kept for a period based on legal requirements

• Child pornography material can only be stored by law enforcement agents


Documenting Evidence

• Create or use an evidence custody form

• Update your form as technologies and methods for acquiring data change

• Evidence custody form functions:
  – Identifies the evidence
  – Identifies who has handled the evidence
  – Lists the dates and times the evidence was handled

Documenting Evidence (continued)

• Optional information:
  – MD5 hash value
  – Customized information

• Use evidence bag labels
  – Write on the bag while it is still empty

• Use antistatic bags for electronic components

• Keep an electronic copy of your evidence custody forms
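The custody form's three functions (identify the item, who handled it, and when), the optional hash fields, and the electronic copy, as a small structured record with a chain-of-custody check. This is an added example, not the book's form: the case and item identifiers, the names, the dates and the field set are assumptions. The check enforces what a reviewer looks for on a paper form: every hand-off must be signed over by whoever actually held the item, and no entry may be dated before the one above it.

```python
"""Evidence custody form as a structured record, with a chain-of-custody check.

Added example, not from the book. It models the form's functions from the slides
(identify the item, who handled it, and when) plus the optional hash fields, and
checks that custody is continuous: each transfer must start with whoever holds the
item at that moment and may not be dated before the previous entry. The case and
item identifiers, names and field set are assumptions for the example.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import json


@dataclass
class Transfer:
    when: datetime        # date and time the item changed hands
    from_person: str
    to_person: str
    purpose: str          # e.g. "transport to lab", "imaging", "return to storage"


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    make_model: str
    serial: str
    collected_by: str
    collected_at: datetime
    md5: str = ""         # optional on the form; filled in once the item is imaged
    sha256: str = ""
    transfers: list = field(default_factory=list)

    def current_holder(self) -> str:
        return self.transfers[-1].to_person if self.transfers else self.collected_by

    def hand_off(self, when, to_person, purpose, by=None):
        """Record a transfer. If 'by' is given it must be the current holder."""
        holder = self.current_holder()
        if by is not None and by != holder:
            raise ValueError(f"{by} cannot hand off {self.item_id}: holder is {holder}")
        self.transfers.append(Transfer(when, holder, to_person, purpose))

    def chain_problems(self) -> list:
        """List every break in the chain; an empty list means custody is continuous."""
        problems = []
        holder, last = self.collected_by, self.collected_at
        for i, t in enumerate(self.transfers):
            if t.from_person != holder:
                problems.append(f"entry {i}: signed over by {t.from_person}, but {holder} held it")
            if t.when < last:
                problems.append(f"entry {i}: dated {t.when.isoformat()}, before the previous entry")
            holder, last = t.to_person, t.when
        return problems

    def to_json(self) -> str:
        """The electronic copy of the form the slides recommend keeping."""
        return json.dumps(asdict(self), indent=2,
                          default=lambda o: o.isoformat() if isinstance(o, datetime) else str(o))


def _ts(hour, minute):
    return datetime(2024, 3, 5, hour, minute, tzinfo=timezone.utc)  # constructed dates


def example_item() -> EvidenceItem:
    """A constructed item moving from the scene to the lab and into storage."""
    item = EvidenceItem("CASE-0042-001", "2.5in SATA drive from office laptop",
                        "Acme HD-500", "SN-7F3A21", "Officer Lee", _ts(9, 15))
    item.hand_off(_ts(11, 0), "Examiner Patel", "transport to lab", by="Officer Lee")
    item.hand_off(_ts(16, 30), "Evidence locker", "return to storage", by="Examiner Patel")
    return item


def tampered_item() -> EvidenceItem:
    """The same item with an entry that skips the real holder and is back-dated."""
    item = example_item()
    item.transfers.append(Transfer(_ts(8, 0), "Analyst Kim", "Officer Lee", "analysis"))
    return item


if __name__ == "__main__":
    item = example_item()
    print(item.to_json())
    print("problems in good chain:", item.chain_problems())
    print("problems in tampered chain:", tampered_item().chain_problems())
```

The JSON output is the electronic copy; the paper form with signatures remains the primary record, and the two should be reconciled whenever the item changes hands.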

Obtaining a Digital Hash

• Obtain a unique identity (digest) for file data

• Cyclic Redundancy Check (CRC)
  – One of the first methods
  – Most recent version: CRC-32
  – A checksum designed to catch accidental errors, not a cryptographic hash: a different file with the same CRC is easy to construct

• MD5
  – Most common algorithm at the time of this edition
  – A mathematical function that reduces a file of any size to a fixed 128-bit value, written as 32 hexadecimal digits
  – Caveat: practical MD5 collisions have since been published, so current practice records a SHA-2 digest (for example SHA-256) alongside or instead of MD5

Obtaining a Digital Hash (continued)

• The digital hash changes if even a single bit or byte changes

• Verification process:
  – Create a hash value
  – Analyze the data
  – Create a second hash value
  – Compare the hash values

• Secure Hash Algorithm (SHA)
  – Published by NIST as a federal standard (FIPS)

Obtaining a Digital Hash (continued)

• Digital hashes are like digital fingerprints

• A non-keyed hash set can identify known programs: compare a file's digest against a library of digests of known files

• A keyed hash set can produce a unique fingerprint: the digest depends on a key that only the examiner holds
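The two kinds of hash set above, side by side, as an added example (not the book's code). Part 1 builds a small non-keyed hash set of "known programs" and classifies files by digest, the way a known-file library such as NIST's National Software Reference Library (NSRL) is used: a renamed copy of a known program is still identified, and a copy with one byte changed is not. Part 2 computes a keyed hash (HMAC-SHA256) over the same data: the digest depends on a key only the examiner holds, so nobody else can precompute or reproduce that fingerprint. The file contents and the keys are constructed stand-ins.

```python
"""Non-keyed hash set versus keyed fingerprint.

Added example, not from the book. Part 1 builds a small hash set of known
programs and classifies files by digest, the way a known-file library such as
NIST's NSRL is used: a renamed copy is still identified, a one-byte change is
not. Part 2 computes a keyed hash (HMAC-SHA256) over the same data: the result
depends on a key only the examiner holds, so it cannot be precomputed or
reproduced by anyone else. All file contents here are constructed stand-ins.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_set(known: dict) -> dict:
    """Map digest -> program name for every known file (name -> bytes)."""
    return {sha256_hex(content): name for name, content in known.items()}


def classify(files: dict, hash_set: dict) -> dict:
    """Map each file name to the known program it matches, or 'unknown'."""
    return {name: hash_set.get(sha256_hex(content), "unknown") for name, content in files.items()}


def keyed_fingerprint(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 of the data under the examiner's key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_fingerprint(data: bytes, key: bytes, expected: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the digest."""
    return hmac.compare_digest(keyed_fingerprint(data, key), expected)


# Constructed 'known good' programs (stand-ins for real binaries).
KNOWN = {
    "calc.exe": b"MZ\x90\x00" + b"CALC" * 64,
    "notepad.exe": b"MZ\x90\x00" + b"NOTE" * 64,
}

# Constructed files found on the suspect media.
FOUND = {
    "innocent.dat": KNOWN["calc.exe"],                 # renamed copy of a known program
    "patched.exe": KNOWN["calc.exe"][:-1] + b"X",      # one byte changed
    "memo.txt": b"Nothing to see here.\r\n",
}


def run_example():
    hash_set = build_hash_set(KNOWN)
    matches = classify(FOUND, hash_set)

    data = FOUND["memo.txt"]
    examiner_key = b"examiner-secret-key-2024"     # constructed; in practice generated and kept private
    other_key = b"a-different-key"
    fp = keyed_fingerprint(data, examiner_key)
    return {
        "matches": matches,
        "plain_digest": sha256_hex(data),          # anyone with the file can compute this
        "keyed": fp,
        "keyed_other_key": keyed_fingerprint(data, other_key),
        "verified": verify_fingerprint(data, examiner_key, fp),
        "verified_wrong_key": verify_fingerprint(data, other_key, fp),
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

The non-keyed set is what lets an examiner discard thousands of operating-system files without opening them; the keyed fingerprint is what ties a recorded digest to a particular examiner's key, so a matching value cannot have been produced by someone who never had the key.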

Obtaining a Digital Hash (continued)

• Example:
  – Create a file with Notepad
  – Obtain its hash value with DriveSpy
  – Modify the file
  – Recompute its hash value
  – Compare the hash values
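The verification process of slide 25 and the DriveSpy walkthrough above, as an added example that uses only the Python standard library instead of DriveSpy (this is not the book's code). It creates a small text file, hashes it, changes one character so the size and name stay the same, hashes again, then restores the original bytes and hashes a third time. CRC-32, MD5 and SHA-256 are shown side by side; the file content is constructed.

```python
"""Hash-before / hash-after check on a file.

Added example standing in for the slide's DriveSpy walkthrough (not the book's
code): create a small text file, hash it, change one character, hash it again and
compare. CRC-32, MD5 and SHA-256 are shown side by side; the file content is
constructed for the example.
"""
import hashlib
import os
import tempfile
import zlib


def digests(data: bytes) -> dict:
    """CRC-32 (8 hex digits), MD5 (32) and SHA-256 (64) of the same bytes."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digests_of_file(path: str) -> dict:
    with open(path, "rb") as f:
        return digests(f.read())


def unchanged(before: dict, after: dict) -> dict:
    """For each algorithm, True if the digest is identical before and after."""
    return {alg: before[alg] == after[alg] for alg in before}


def run_example():
    """Create, hash, modify, re-hash, restore, re-hash.

    Returns (digests before, digests after the edit, digests after restoring the
    original bytes). The restore step shows the check is reproducible: the same
    bytes always give the same digests.
    """
    original = b"Meeting with supplier at 10:00, bring the contract.\r\n"  # constructed
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "note.txt")
        with open(path, "wb") as f:
            f.write(original)
        before = digests_of_file(path)

        # Edit one character in place: '10:00' becomes '11:00'. Same size, same name,
        # same directory; only the digests reveal the change.
        edited = bytearray(original)
        edited[original.index(b"10:00") + 1] = ord("1")
        with open(path, "wb") as f:
            f.write(edited)
        after = digests_of_file(path)

        with open(path, "wb") as f:
            f.write(original)
        restored = digests_of_file(path)
    return before, after, restored


if __name__ == "__main__":
    before, after, restored = run_example()
    for alg, same in unchanged(before, after).items():
        print(f"{alg:6}  before {before[alg]}")
        print(f"{'':6}  after  {after[alg]}  unchanged={same}")
    print("restored file matches original:", restored == before)
```

All three digests change on a one-character edit, which is the property the slides rely on; the difference between them is that CRC-32 can be matched deliberately by an adversary while a SHA-256 match cannot, which is why the recorded digest on a custody form should be a cryptographic hash and not a checksum.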

(Slides 28 to 31, "Create a File", "DriveSpy", "Computing Hash Value" and "Computing Hash Value (continued)", are screenshots of the DriveSpy example above and contain no text.)

Summary

• Digital evidence
  – Information stored or transmitted on electronic or optical media
  – Fragile and easy to alter

• Working with digital evidence
  – Identify potential evidence
  – Collect, preserve, document, analyze, and organize the evidence

Summary (continued)

• Handle evidence consistently for criminal or civil investigations

• Catalog and document the evidence you find at a crime scene

• Store the evidence securely

• Create forensic copies of your evidence

• Use digital hashes to verify evidence integrity

Questions & Discussion