Computer Related Evidence & - PowerPoint PPT Presentation

Slides: 35
Provided by: classstud

Transcript and Presenter's Notes

1
Computer Related Evidence
  • What is this computer geek going to do now that I
    have done all the hard work?

2
Rules We Live By, and So Should You
  • Never Alter the Original Media!
  • Findings MUST be Verifiable!
  • Findings MUST be Reproducible!

3
PROCEDURES
  • What your examiners can do for and with you.

4
  • Assist Preparing the Search Warrant.
  • Service of the Search Warrant.
  • Gathering the Computer Related Evidence (CRE).
  • Image and Archive.
  • Store and Secure Computer Related Evidence.
  • Examine.
  • Review Findings with you.

5
  • Complete a Report in the Format You Need.
  • Prosecutor and Defense Interviews about the
    computer related evidence.
  • Testify.
  • Dispose / Clean Evidence.

6
What We Will Not Do
  • Take Over Your Investigation!

7
Gathering Evidence
  • Securing
  • Turning off
  • Documenting
  • Marking
  • Transporting

8
Imaging and Archives
  • We work from an Image of the Suspect media.
  • Copy is stored on CD-R or Tape.

9
Examine
  • See The Rule We Live By.
  • Work from the copy with a variety of tools.
  • You have to tell us what is going on.

10
Review with You
  • What is nothing to me may be everything to you.
  • You (always) know a lot more than me.

11
Report the Findings
  • A report and Examples in the format you need.
  • Written, Officer's Witness Statement.
  • Spreadsheets showing file information.
  • Information printed, on CD-R, PowerPoint.
  • Do live demos work? Yes or No

12
Interviews
13
Interviews
  • 1 DO NOT LET ANYONE SHOW YOU WHERE THE EVIDENCE
    IS ON THE COMPUTER
  • Let them talk about their great computer skills
    or lack of skill.
  • Ownership and use of each computer.
  • Passwords!

14
  • Like all interviews you are attempting to gather
    information.
  • What else would you like to know?
  • Online service, when used the most, computer at
    work? AND

15
Search Warrant VS Consent
  • When you can get a search warrant.
  • Consent: knowingly, freely and voluntarily.
  • with the authority to give the consent.

16
You Found the "Something". Are We Done?
17
Computer Examinations 101
  • The Fun Stuff.
  • Proving the WHO, WHAT, WHERE, WHEN, HOW and maybe
    WHY.

18
Date and Time Stamps
  • Windows 9x and above tracks three dates and two
    times.
  • NTFS adds one date and one time.
  • Other Operating Systems keep dates and time.

19
Windows > Properties
20
EnCase view of Date and Times
21
Deleted Files
  • DOS / Windows only overwrites the first character
    of the file's DOS directory entry.
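
Added example (not part of the original slides): a parser for the 32-byte FAT short directory entry, assuming that is the structure behind the three dates and two times on the Date and Time Stamps slide and the overwritten first character on this one. The directory bytes are constructed sample data.

```python
import struct
from datetime import date, datetime

# 32-byte FAT short entry: name, ext, attr, NT byte, create tenths, create time,
# create date, access date, cluster hi, write time, write date, cluster lo, size.
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
DELETED, END, LFN = 0xE5, 0x00, 0x0F

def fat_stamp(d, t=None):
    """Decode a FAT date (plus time if given); None if unset or invalid."""
    try:
        day = date(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F)
        if t is None:
            return day
        return datetime(day.year, day.month, day.day,
                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    except ValueError:
        return None

def parse_directory(raw):
    """Return one dict per short entry, flagging deleted ones."""
    out = []
    for off in range(0, len(raw) - 31, 32):
        rec = raw[off:off + 32]
        if rec[0] == END:                  # nothing was ever stored past here
            break
        name, ext, attr, _, _, ct, cd, ad, _, wt, wd, _, size = ENTRY.unpack(rec)
        if (attr & 0x3F) == LFN:           # long-file-name fragment, not a file
            continue
        deleted = rec[0] == DELETED        # only the first name byte was overwritten
        stem = (b"?" + name[1:]) if deleted else name
        text = stem.decode("ascii", "replace").rstrip()
        if ext.strip():
            text += "." + ext.decode("ascii", "replace").rstrip()
        out.append({"name": text, "deleted": deleted, "size": size,
                    "created": fat_stamp(cd, ct), "written": fat_stamp(wd, wt),
                    "accessed": fat_stamp(ad)})    # access is a date with no time
    return out

# Constructed sample (not from a real case): live file, deleted file, unused slot.
SAMPLE_DIR = bytes.fromhex(
    "52 45 50 4F 52 54 20 20 44 4F 43 20 00 00 EF 49"
    "64 2A 66 2A 00 00 44 88 65 2A 02 00 00 4C 00 00"
    "E5 45 54 54 45 52 20 20 54 58 54 20 00 00 00 40"
    "41 2A 42 2A 00 00 C0 43 41 2A 03 00 00 02 00 00") + bytes(32)

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        print(entry)
```

The deleted entry keeps its dates, size and starting cluster; only the first letter of the name is gone, which is why it is reported as `?ETTER.TXT`.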

22
(No Transcript)
23
File Slack & Unallocated Space
  • File slack: the space between the end of the file
    and the end of the cluster.
  • Unallocated space: the space on the disk that is
    not assigned in the directory (free space).
  • Both contain leftover information.
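
Added example (not from the original presentation): pulling leftover text out of file slack and unallocated clusters. It assumes a constructed flat image in which cluster n starts at byte n × 512, with the allocation information supplied as a hypothetical `FILES` dict.

```python
import re

CLUSTER = 512   # assumed cluster size of the constructed image

def file_slack(image, size, chain, cluster=CLUSTER):
    """Bytes between the end of the file and the end of its last cluster."""
    if not chain:
        return b""
    used = size - (len(chain) - 1) * cluster     # bytes used in the last cluster
    if not 0 < used <= cluster:
        raise ValueError("file size does not fit its cluster chain")
    start = chain[-1] * cluster
    return image[start + used:start + cluster]

def unallocated(image, files, cluster=CLUSTER):
    """Concatenate every cluster that no file's chain claims (free space)."""
    claimed = {c for _, chain in files.values() for c in chain}
    return b"".join(image[c * cluster:(c + 1) * cluster]
                    for c in range(len(image) // cluster) if c not in claimed)

def strings(data, minimum=6):
    """Printable ASCII runs, a usual first pass over leftover space."""
    return [m.decode() for m in re.findall(rb"[ -~]{%d,}" % minimum, data)]

# Constructed 4-cluster image (not real evidence).
old = b"OLD-DRAFT account list for March".ljust(CLUSTER, b"\x00")
new = b"short note\r\n"
IMAGE = (bytes(CLUSTER)                 # cluster 0: never used
         + new + old[len(new):]         # cluster 1: NOTE.TXT written over an older file
         + b"deleted memo about Q3 totals".ljust(CLUSTER, b"\x00")   # cluster 2: freed
         + bytes(CLUSTER))              # cluster 3: never used
FILES = {"NOTE.TXT": (len(new), [1])}   # hypothetical table: name -> (size, chain)

if __name__ == "__main__":
    size, chain = FILES["NOTE.TXT"]
    print("slack:", strings(file_slack(IMAGE, size, chain)))
    print("unallocated:", strings(unallocated(IMAGE, FILES)))
```

The 12-byte note leaves 500 bytes of slack, and the tail of the older file that once used the cluster is still readable there.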

24
Header Vs. File Extension
  • File Headers, what is important.
  • 4A 47 03 0E 00 00 00
  • 50 4B 03 04 14 00 00 00 00 00
  • FF D8 FF E0
  • D0 CF 11 E0 A1 B1 1A E1 00 00,0,FE FF 09
    00,29,4,0,42 00 02
  • File Extension, what we see.
  • .ART, .DOC, .JPG, .XLS
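
Added example (not from the original presentation): comparing each file's header against its extension, using the signatures listed on this slide. The extension sets attached to each signature and the file listing are assumptions constructed for the illustration.

```python
from pathlib import PureWindowsPath

# Headers from the slide; the extension sets paired with them are assumptions.
SIGNATURES = [
    (bytes.fromhex("4A47030E"), "AOL ART image", {".art"}),
    (bytes.fromhex("504B0304"), "ZIP archive", {".zip"}),
    (bytes.fromhex("FFD8FFE0"), "JPEG image", {".jpg", ".jpeg"}),
    (bytes.fromhex("D0CF11E0A1B11AE1"), "OLE2 document", {".doc", ".xls"}),
]

def identify(head):
    """Return (kind, expected extensions) for the first matching header."""
    for magic, kind, exts in SIGNATURES:
        if head.startswith(magic):
            return kind, exts
    return None, set()

def check(name, head):
    """Classify one file as 'match', 'mismatch' or 'unknown'."""
    kind, exts = identify(head)
    if kind is None:
        return "unknown"          # no listed header: says nothing either way
    ext = PureWindowsPath(name).suffix.lower()
    return "match" if ext in exts else "mismatch"

def mismatches(listing):
    """Names whose extension disagrees with what the header says they are."""
    return [(name, identify(head)[0]) for name, head in listing
            if check(name, head) == "mismatch"]

# Constructed listing: (file name, first bytes of the file).
LISTING = [
    (r"C:\My Documents\HOLIDAY.JPG", bytes.fromhex("FFD8FFE000104A464946")),
    (r"C:\My Documents\BUDGET.XLS", bytes.fromhex("D0CF11E0A1B11AE10000")),
    (r"C:\My Documents\NOTES.DOC", bytes.fromhex("FFD8FFE000104A464946")),
    (r"C:\WINDOWS\SYSTEM\DRIVER.DLL", bytes.fromhex("504B03041400000000")),
    (r"C:\README.TXT", b"Plain text"),
]

if __name__ == "__main__":
    for name, kind in mismatches(LISTING):
        print(f"{name}: header says {kind}")
```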

25
(No Transcript)
26
Previewing
  • Let's talk.
  • When to do it.
  • What are you looking for.
  • Tools.
  • Where to look.

27
Previewing. Let's Talk.
  • Consent
  • Damage to evidence
  • Testifying about it in court
  • Do you stand a chance of finding something.
  • False negative.

28
Previewing. When to do it.
  • Group participation.

29
Previewing, When to do it.
  • Looking for text.
  • Easy anytime.
  • Have Examiner prepare EnCase Boot disk with
    search items.
  • Other tools. Norton disk editor, DIBS Mycroft V3
    and others.

30
Previewing. When to do it.
  • Images.
  • There are not too many DOS-based image viewers.
  • EnCase on LapLink.
  • Copy out possible sources.

31
Previewing. Tools.
  • EnCase Laplink or Network Card. 2K
  • Pre-Search Digit, NIS and Paul Bright. Free,
    unsupported.
  • Boot to safe DOS disk and copy out interesting
    items.

32
Previewing. Where to look.
  • C:\Windows\Temporary Internet Files
  • C:\Windows\Recent AKA
  • Start > Documents (right-click, Properties)
  • C:\Windows\History
  • Recycle Bin
  • Internet Explorer, Recent and Favorites
  • My Documents > My Pictures?

33
Previewing, Where else
  • Looking for Newsgroup Programs.
  • Free Agent, NewsRover, Outlook.
  • C:\Windows\Temp
  • The Directory in each Volume?
  • Folder titled "kid pict" or some other obvious
    name.

34
Organizations.
  • CTIN
  • AGORA
  • HTCIA
  • IACIS
  • NWCCC