What is Computer Forensics or Digital Forensics?
• “Computer Forensics” is the process of identification, preservation, analysis and presentation of digital evidence in a way that will be legally acceptable in any judicial or administrative process. The aim is to recover and analyze information while showing that it was not manipulated (hash algorithms such as MD5 and SHA-1 are used for this).
Digital Evidence Characteristics
• Intangible
• Can be duplicated in an accurate way and the copy can be examined as if it was the original
• It is possible to determine if it has been altered
• Specialized forensic procedures are required to examine the evidence with warranties
• It is more volatile than paper information
• It can be easily altered or destroyed
• It requires proper care
Why the distinction between digital and traditional evidence?
• Electronic document: It has the same validity as traditional evidence.
• Creation of electronic documents
– By people
– By computers
– By people and computers
• Electronic data storage.
Digital Evidence Storage
Digital Evidence Repository
• Personal computers
• Email, file and proxy servers
• Control or access systems - firewalls, routers
• Personal digital assistants - Blackberry, Palm
• Mobile phones, music players
• Digital cameras
• Backup tapes
• Hard disks
• Portable storage media - USB memories, CDs, DVDs
Types of Stored Documents
• Emails
• Financial files
• Office documents
• Internet navigation history
• Chat records
• Address books (e.g. Outlook)
• Calendars (e.g. Outlook)
Digital Evidence Admissibility
• In addition to the basic principles of admission of evidence, digital evidence should comply with:
– Authenticity
– Reliability
– Adequacy
– Attachment to and respect of the law and the judicial system.
Authenticity
• Authenticity refers to how evidence is generated and stored in order to be admitted in court.
• Evidence is authentic when it demonstrates that the data came from the source it is supposed to come from and has been stored without manipulation.
• Presumption of authenticity: private documents are considered authentic as long as they are not challenged by the opposing party. For this reason, even though digital data has security mechanisms like digital or biometric signatures, these mechanisms would not need to be proven while the authenticity of the document is not challenged.
• You must determine the security level offered to the message creator and keeper, who should:
– Certify that the data message retains its initial characteristics by proving the identity of the digital certificate used to generate the digital signature, and
– Establish that the HASH (a small summary of the digital data content) corresponds to the digital data after it has been decrypted.
• The creators of the message are viable and plausible.
• This characteristic is connected with the message creator and data keeper, who should present warranties and be prepared to be audited.
Reliability
It is the ability to convince that the digital evidence provided is relevant to some specific facts. It is not only required for the exhibition of the digital data; it is also advisable, at the moment of presenting the evidence, to explain what technology was used and which processes were implemented for the creation and storage of the data, and to exhibit the digital certificates if available. The intent is to provide sufficient support to the electronic documents submitted to the process.
Adequacy
• By the same token, authenticity and reliability should reflect the adequacy of the digital evidence to be considered as a legal issue in the process.
Attachment and respect of the law
• It is necessary to bring out this element, which establishes the need for the digital evidence to receive the same procedural treatment contained in the procedural code, without failing to recognize that this class of evidence is contained in a special media that requires special care in its collection, analysis and reporting to ensure authenticity, reliability and adequacy.
Evidence Design
• Determine the importance of electronic records.
• Electronic records have been identified, are available and usable.
• Clear identification of the author of the electronic records.
• Date and hour of creation or modification of the electronic records.
• Possible validation of the authenticity of the electronic records.
• There is confidence in the electronic record production and storage of the information system; system reliability.
Evidence Production
• That the system or the information technology produce the electronic records.
• Identify the author of the stored electronic records.
• Identify the date and hour of creation.
• Verify that the application is working correctly while generating the records (creation or modification).
• Verify the completeness of the generated records.
Gathering Evidence
• Establish good practices and standards to gather digital evidence.
• Prepare evidence to be used now and in the future.
• Keep and verify the chain of custody.
• Respect and validate the regulations and norms related to gathering digital evidence.
• Develop criteria to establish how to determine the relevance of the evidence.
Evidence Analysis
• Following the collection of the evidence, it is necessary to establish the facts to be proven in order to define whether the evidence is sufficient or whether more documents are needed to convince the judge.
Report and Presentation
• Document the procedures followed by the experts in charge.
• Keep a journal of the technical processes used.
• Fulfillment of the comprehensive processes established in relation to the chain of custody.
1. CNUDMI: This type of evidence should be submitted as documentary evidence. This circumstance makes the procedural rules more flexible. Nevertheless, given the specialty and technical nature of this type of evidence, it is necessary to perform additional tests, like expert evidence or court inspection.
2. What is the ideal mechanism to gather digital evidence? It should be gathered in the same environment where it is now. If it is materialized through printing, does the evidence lose its value?
3. In many countries, the opportunity to submit evidence is when presenting the lawsuit, when replying to the lawsuit or when the judge orders it sua sponte.
• Today in many countries there is not abundant legislation on this matter and no specific law about how to value electronic evidence. This could be done in two ways:
• Through an expert evidence order decreed by the judge, and
• As with simple evidence (known facts that allow inference of unknown facts), in case it does not comply with the minimum requirements that give legal security and certainty to the judge.
Determination of Relevant Evidence
• Probative value: any electronic document that has an emblem of authorship and authenticity, and is the result of a proper and reliable operation of the system.
• Evidence rules: establish that the appropriate procedures and rules to gather and manage evidence have been followed.
International Regulatory Framework
• International Organization on Computer Evidence (IOCE)
• European Community: Conventions against cybercrime
• United States Regulation: “Forensic Examination of Digital Evidence: a Guide for Law Enforcement” and “Electronic Crime Scene Investigation: a Guide for First Responders”
“Computer forensics” is the process of identification, preservation, analysis and presentation of digital evidence in a way that will be legally acceptable in any judicial or administrative process: recover and analyze information showing that it was not manipulated (hash algorithms such as MD5 and SHA-1 are used).
• Actions taken to gather digital evidence should not affect the integrity of the evidence.
• People in charge of handling and gathering digital evidence will be trained for it.
• Activities directed to examine, maintain or transfer digital evidence should be documented and preserved for future analysis.
International Protocols
SCENE
• Secure scene: protect the scene to avoid the modification or destruction of digital evidence.
– Define the protocols to be followed in case of a fraud investigation.
• Identify evidence: identify which of the company's information systems could contain relevant information.
– Experience in investigations and information systems in order to identify the appropriate data sources.
• Capture evidence: make exact copies of the identified evidence, minimizing the impact on the original evidence.
– Use of the fastest and most reliable tools on the market to ensure non-intrusion and minimal alteration of the original evidence.
FORENSIC LAB
• Preserve evidence: document in detail every procedure performed on the evidence.
– Proper handling and documentation of the evidence in order to ensure the “chain of custody”.
• Analyze evidence: analyze the evidence following a specialized forensic methodology, using tools appropriate for each case.
– Use forensic tools and indexing of information to analyze large amounts of data.
• Present results: present the results through a detailed report of the analyzed information and the conclusions obtained.
– Writing reports that illustrate the facts clearly and concisely.
– Experience ratifying expert reports.
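The integrity check behind the definition slide (a hash showing the data was not manipulated) and the capture step above (an exact copy that can be examined as the original) as an added example, not part of the original deck. The CustodyRecord, acquire and verify names are illustrative, the evidence bytes are constructed, and SHA-256 is added to the MD5 and SHA-1 the slides name.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Algorithms named on the slides (MD5, SHA-1) plus SHA-256: MD5 and SHA-1
# collisions are practical, so current practice records a stronger digest too.
ALGORITHMS = ("md5", "sha1", "sha256")


def fingerprint(data: bytes) -> dict:
    """Compute one hex digest per algorithm over the whole evidence image."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


@dataclass
class CustodyRecord:
    """One chain-of-custody entry: who did what to the evidence, and when."""
    action: str
    handler: str
    hashes: dict
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def acquire(original: bytes, handler: str) -> tuple:
    """Hash the original, make a bit-for-bit copy, and open the custody log.

    Hashing before copying is what lets the copy later be examined
    'as if it was the original': both carry the same digests.
    """
    log = [CustodyRecord("hash original", handler, fingerprint(original))]
    image = bytes(original)  # stand-in for creating a forensic image
    log.append(CustodyRecord("create image", handler, fingerprint(image)))
    return image, log


def verify(image: bytes, log: list) -> bool:
    """Re-hash the image and require every digest to match the first record."""
    expected = log[0].hashes
    return all(hashlib.new(n, image).hexdigest() == expected[n]
               for n in ALGORITHMS)


def altered_by_one_bit(image: bytes) -> bytes:
    """Flip a single bit so the example shows any change breaks verification."""
    tampered = bytearray(image)
    tampered[0] ^= 0x01
    return bytes(tampered)


if __name__ == "__main__":
    # Constructed sample evidence; a real case would hash a disk image or file.
    EVIDENCE = b"From: alice@example.test\nSubject: Q3 invoices\n..."
    image, log = acquire(EVIDENCE, handler="examiner-1")
    print("copy verified:", verify(image, log))                          # True
    print("tampered verified:", verify(altered_by_one_bit(image), log))  # False
```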
• The starting point should be that all “documents” submitted to a process are presumed valid until they are challenged as false by the other party. This is why, when gathering the evidence, it must be determined whether digital signature certifications, expert reports or technical reports are needed.
CONCLUSIONS
• All parties involved (companies, consumers, lawyers, public entities) should create policies for storing data contained in data messages, with the purpose of classifying which information requires heavier or lighter controls.