Title: Computer Forensics Principles and Practices
Computer Forensics: Principles and Practices
- by Volonino, Anzaldua, and Godwin
Chapter 2: Computer Forensics and Digital Detective Work
Objectives
- Recognize the role e-evidence plays in physical,
or violent, and computer crimes
- Describe the basic steps in a computer forensics
investigation
- Identify the legal and ethical issues affecting
evidence search and seizure
- Identify the types of challenges to the
admissibility of e-evidence
Objectives (Cont.)
- Understand how criminals' motives can help in
crime detection and investigation
- Explain chain of custody
- Explain why acceptable methods for computer
forensics investigations and e-discovery are
still emerging
Introduction
- Computer forensics investigators are detectives
of the digital world. This chapter introduces
you to the generally accepted methods used in
computer forensics; to computer architecture, the
Internet, and digital devices; and to the types of
e-evidence trails these leave behind.
E-Evidence Trails and Hidden Files
- Computers are routinely used to plan and
coordinate many types of crimes
- Computer activities leave e-evidence trails
- File-wiping software can be used to delete data
- File-wiping process takes time and expertise
- Many e-evidence traces can be found by showing
hidden files on a computer
Knowing What to Look For
- Technical knowledge of how data and metadata are
stored will determine what e-evidence is found
- For this reason, technical knowledge of
investigators must keep pace with evolving data
storage devices
Knowing What to Look For (Cont.)
- Three cases illustrate the importance of technical
knowledge
- Dr. Harold Shipman modified medical records to
hide evidence of murder; the date stamps revealed
the records were fraudulent
- Employees made online purchases with customer
credit cards; hidden HTML code revealed the fraud
- Neil Entwistle killed his wife and child; the
browser cache showed Internet sites that described
how to kill people
The Five Ws
- Answering the 5 Ws helps in criminal
investigations
- Who
- What
- Where
- When
- Why
In Practice: PDA Forensics
- PDA forensics is being used frequently in
homicide investigations and white-collar crimes
- Examples
- Danielle van Dam murder, February 2002
- Falsely billing for Medicaid and Medicare
patients that were never seen
Preserving Evidence
- Preserving evidence is critical in order to use
the evidence in a legal defense or prosecution
- Scientific methods must be used in order to
preserve the integrity of the evidence collected
Computer Forensics Science
- Consistent with other scientific research, a
computer forensics investigation is a process
- There are five stages to the process
- Intelligence
- Hypothesis or Theory Formulation
- Evidence Collection
- Testing
- Conclusion
Admissibility of Evidence
- Goal of an investigation: collect evidence using
accepted methods so that the evidence is accepted
in the courtroom and admitted as evidence in the
trial
- A judge's acceptance of evidence is called
admission of evidence
Admissibility of Evidence (Cont.)
- Evidence admissibility requires legal search and
seizure and chain of custody
- Chain of custody must include
- Where the evidence was stored
- Who had access to the evidence
- What was done to the evidence
- In some cases, it may be more important to
protect operations than obtain admissible
evidence
In Practice: CD Universe Prosecution Failure
- Attempted extortion involving credit card numbers
by Maxim
- Six months after the incident, Maxim still could
not be found
- Evidence was compromised by FBI and security
firms who may have used original data rather than
a forensic copy
Digital Signatures and Profiling
- Digital signature left by serial killer
- Dennis L. Rader revealed as BTK
- Hidden electronic code on disk led to church
where he had access to a computer
- Digital profiling of crime suspects
- E-evidence can supply patterns of behavior or
imply motives
- Evidence can include information stored on
computers, e-mail, cell phone data, and wiretaps
Crimes Solved Using Forensics (table not reproduced in this extraction)
Forensics Investigation Methods
- Methods used by investigators must achieve these
objectives
- Protect the suspect system
- Discover all files
- Recover deleted files
- Reveal contents of hidden files
- Access protected or encrypted files
- Use steganalysis to identify hidden data
- Analyze data in unallocated and slack space
- Print an analysis of the system
- Provide an opinion of the system layout
- Provide expert testimony or consultation
Unallocated Space and File Slack
- Unallocated space: space that is not currently
used to store an active file but may have stored
a file previously
- File slack: the space that remains at the end of a
file's last sector when the file does not fill it
- Unallocated space and slack space can contain
important information for an investigator
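An added example, not from the textbook, that models the two concepts above at the sector level: a constructed four-sector disk whose every sector still holds the bytes of a deleted file, an active 700-byte file written over part of it, and helpers that carve out the file slack and the unallocated sectors an examiner would inspect. The sector size, file layout and "OLD-SECRET-" residue are all assumptions made for the demonstration.

```python
SECTOR = 512  # assumed sector size for the constructed disk

OLD_PATTERN = b"OLD-SECRET-"  # constructed residue of an earlier, deleted file


def build_disk(num_sectors: int) -> bytearray:
    """Constructed disk image: every sector still holds bytes of a deleted
    file, the way freed sectors keep their data until they are overwritten."""
    old_sector = (OLD_PATTERN * (SECTOR // len(OLD_PATTERN) + 1))[:SECTOR]
    return bytearray(old_sector * num_sectors)


def sectors_for(size: int) -> int:
    """Whole sectors a file of `size` bytes occupies (ceiling division)."""
    return -(-size // SECTOR)


def write_file(disk: bytearray, start: int, data: bytes) -> set:
    """Store an active file beginning at sector `start`. Only the bytes the
    file actually uses are overwritten; the tail of its last sector keeps
    whatever was there before. Returns the set of allocated sector indexes."""
    offset = start * SECTOR
    disk[offset:offset + len(data)] = data
    return set(range(start, start + sectors_for(len(data))))


def file_slack(disk: bytearray, start: int, size: int) -> bytes:
    """File slack: bytes between the end of the file's data and the end of
    its last allocated sector."""
    data_end = start * SECTOR + size
    sector_end = (start + sectors_for(size)) * SECTOR
    return bytes(disk[data_end:sector_end])


def unallocated(disk: bytearray, allocated: set) -> dict:
    """Unallocated space: sectors no active file claims, keyed by index."""
    total = len(disk) // SECTOR
    return {i: bytes(disk[i * SECTOR:(i + 1) * SECTOR])
            for i in range(total) if i not in allocated}


def residue_sectors(disk: bytearray, allocated: set, needle=OLD_PATTERN) -> list:
    """Indexes of unallocated sectors that still contain `needle`."""
    return sorted(i for i, raw in unallocated(disk, allocated).items() if needle in raw)


if __name__ == "__main__":
    disk = build_disk(4)
    used = write_file(disk, 1, b"A" * 700)  # 700-byte file -> sectors 1 and 2
    print("file slack bytes:", len(file_slack(disk, 1, 700)))
    print("unallocated sectors holding residue:", residue_sectors(disk, used))
```

The 700-byte file leaves 324 bytes of slack in sector 2, and sectors 0 and 3 remain unallocated but still carry the deleted file's contents.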
NYS Police Forensic Procedures (procedure list not reproduced in this extraction)
Challenges to Evidence
- Criminal trials may be preceded by a suppression
hearing
- This hearing determines admissibility or
suppression of evidence
- Judge determines whether Fourth Amendment has
been followed in search and seizure of evidence.
- The success of any investigation depends on
proper and ethical investigative procedures
Search Warrants
- Investigators generally need a search warrant to
search and seize evidence
- Law officer must prepare an affidavit that
describes the basis for probable cause, a
reasonable belief that a person has committed a
crime
- Search warrant gives an officer only a limited
right to violate a citizen's privacy
Search Warrants (Cont.)
- Two reasons a search can take place without a
search warrant
- The officer may search for and remove any weapons
that the arrested person may use to escape or
resist arrest
- The officer may seize evidence in order to
prevent its destruction or concealment
In Practice: A Terrorist's Trial
- FBI agents attempted to get permission to search
Moussaoui's laptop but permission was denied on
grounds they had not proved probable cause
- Events on September 11 provided enough evidence
for a search warrant, but by this time it was too
late to access e-mail accounts that might have
provided important data
Motives for Cybercrimes
- Finding the motive, the why of the crime, can
help in an investigation
- Possible motives
- Financial gain, including extortion and
blackmail
- Cover up a crime
- Remove incriminating information or
correspondence
- Steal goods or services without having to pay for
them
- Industrial espionage
Categories of Cybercrimes
- Computer is the crime target
- Computer is the crime instrument
- Computer is incidental to traditional crimes
- New crimes generated by the prevalence of
computers
Chain of Custody Procedures
- Handling of e-evidence must follow the three Cs
of evidence: care, control, and chain of custody
- Chain of custody procedures
- Keep an evidence log that shows when evidence was
received and seized, and where it is located
- Record dates if items are released to anyone
- Restrict access to evidence
- Place original hard drive in an evidence locker
- Perform all forensics on a mirror-image copy,
never on the original data
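An added example, not from the textbook, that turns the procedure list above into code: an evidence log that records when each item was received, who handled it and where it sits, hashes the original before it goes into the locker, makes the mirror-image working copy and verifies it hashes identically, and later re-checks that the original was never touched. The file names, custodian "Examiner A" and "Locker 7" are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


class EvidenceLog:
    """Evidence log: time, action, item, custodian, location and hash."""

    def __init__(self):
        self.entries = []

    def record(self, action, item, custodian, location, sha256):
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "action": action, "item": item, "custodian": custodian,
                             "location": location, "sha256": sha256})

    def seized_hash(self, item) -> str:
        return next(e["sha256"] for e in self.entries
                    if e["action"] == "seized" and e["item"] == item)


def acquire(original, working_copy, log, custodian, locker) -> bool:
    """Log the original into the locker, image it, and confirm the copy
    hashes identically before any analysis starts on the copy."""
    log.record("seized", original, custodian, locker, sha256_file(original))
    shutil.copyfile(original, working_copy)
    log.record("imaged", working_copy, custodian, "lab", sha256_file(working_copy))
    return log.seized_hash(original) == sha256_file(working_copy)


def original_untouched(original, log) -> bool:
    """Re-hash the original; any change since seizure breaks the chain."""
    return sha256_file(original) == log.seized_hash(original)


def demo() -> tuple:
    """Constructed walk-through: copy verified, then the original altered."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, copy = os.path.join(tmp, "suspect.img"), os.path.join(tmp, "work.img")
        with open(orig, "wb") as fh:
            fh.write(b"constructed disk image " * 1000)
        log = EvidenceLog()
        ok = acquire(orig, copy, log, "Examiner A", "Locker 7")
        before = original_untouched(orig, log)
        with open(orig, "ab") as fh:  # simulate someone working on the original
            fh.write(b"!")
        return ok, before, original_untouched(orig, log), len(log.entries)
```

`demo()` returns `(True, True, False, 2)`: the copy verified, the original checked out before the tampering, and the re-hash afterwards exposes that the original was modified.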
Report Procedures
- All reports of the investigation should be
prepared with the understanding that they will be
read by others
- The investigator should never comment on the
guilt or innocence of a suspect or suspects or
their affiliations
- Only the facts of the investigation should be
presented; opinions should be avoided
Computer Forensics Investigators' Responsibilities
- Investigate and/or review current computer and
computer-mediated crimes
- Maintain objectivity when seizing and
investigating computers, suspects, and support
staff
- Conduct all forensics investigations consistently
with generally accepted procedures and federal
rules of evidence and discovery
- Keep a log of activities undertaken to stay
current in the search, seizure, and processing of
e-evidence
Summary
- Computers and the Internet have contributed to
traditional and computer crimes
- Effective forensic investigation requires any
technology that tracks what was done, who did it,
and when
- Images or exact copies of the digital media being
investigated need to be examined by trained
professionals
Summary (Cont.)
- There are several legal and ethical issues of
evidence seizure, handling, and investigation
- New federal rules and laws regulate forensic
investigations
- The need for e-evidence has led to a new area of
criminal investigation, namely computer
forensics
- This field is less than 15 years old
Summary (Cont.)
- Computer forensics depends on an understanding of
technical and legal issues
- Greatest legal issue in computer forensics is the
admissibility of evidence in criminal cases
- Computer forensics investigators identify,
gather, extract, protect, preserve, and document
computer and other e-evidence using acceptable
methods
Summary (Cont.)
- Laws of search and seizure, as they relate to
electronic equipment, must be followed
- Failure to follow proper legal procedure will
result in evidence being ruled inadmissible in
court