Computer Forensics Principles and Practices - PowerPoint PPT Presentation

Slides: 36

Transcript and Presenter's Notes

1
Computer Forensics: Principles and Practices
  • by Volonino, Anzaldua, and Godwin

Chapter 2 Computer Forensics and Digital
Detective Work
2
Objectives
  • Recognize the role e-evidence plays in physical,
    or violent, and computer crimes
  • Describe the basic steps in a computer forensics
    investigation
  • Identify the legal and ethical issues affecting
    evidence search and seizure
  • Identify the types of challenges to the
    admissibility of e-evidence

3
Objectives (Cont.)
  • Understand how criminals' motives can help in
    crime detection and investigation
  • Explain chain of custody
  • Explain why acceptable methods for computer
    forensics investigations and e-discovery are
    still emerging

4
Introduction
  • Computer forensics investigators are detectives
    of the digital world. This chapter introduces
    you to the generally accepted methods used in
    computer forensics; to computer architecture, the
    Internet, and digital devices; and to the types of
    evidence trails these leave behind.

5
E-Evidence Trails and Hidden Files
  • Computers are routinely used to plan and
    coordinate many types of crimes
  • Computer activities leave e-evidence trails
  • File-wiping software can be used to overwrite
    deleted data so that it cannot be recovered
  • Wiping everything thoroughly takes time and
    expertise, so traces are often left behind
  • Many e-evidence traces can be found by showing
    hidden files on a computer

6
Knowing What to Look For
  • Technical knowledge of how data and metadata are
    stored will determine what e-evidence is found
  • For this reason, technical knowledge of
    investigators must keep pace with evolving data
    storage devices

7
Knowing What to Look For (Cont.)
  • Three cases illustrate the importance of technical
    knowledge
  • Dr. Harold Shipman modified medical records to
    hide evidence of murder; the records' date stamps
    revealed that they had been altered after the fact
  • Employees made online purchases with customers'
    credit cards; hidden HTML code revealed the fraud
  • Neil Entwistle killed his wife and child; his
    browser cache showed Internet sites that described
    how to kill people
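
The Shipman case above turned on one thing: the system timestamp recording when each note was actually stored did not match the date the note claimed. The following Python script is an added example, not material from the textbook or the slides, of how an examiner turns that observation into a repeatable check. It runs over a constructed set of record entries (the patient, record IDs, dates and thresholds are all invented for the demonstration) and flags notes stored before the visit they describe, notes backdated by more than a threshold, notes stored after the patient's death, and bursts of notes stored within minutes of each other that describe visits weeks apart, the pattern left by records being rewritten in one sitting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class RecordEntry:
    """One entry in a patient's computerised record (constructed test data)."""
    record_id: str
    claimed_visit: datetime              # the date the note says the consultation happened
    written_at: datetime                 # system timestamp when the note was actually stored
    patient_death: Optional[datetime] = None


def suspicious_entries(entries: List[RecordEntry],
                       max_backdate: timedelta = timedelta(days=7),
                       burst_window: timedelta = timedelta(minutes=15)) -> Dict[str, List[str]]:
    """Return {record_id: [reasons]} for entries whose system timestamps
    contradict the dates they claim.  Thresholds are assumptions for the demo;
    a real examiner would set them from the practice's normal charting delay."""
    flagged: Dict[str, List[str]] = {}

    def add(rid: str, reason: str) -> None:
        reasons = flagged.setdefault(rid, [])
        if reason not in reasons:
            reasons.append(reason)

    # Per-entry checks: impossible ordering, large backdating, post-mortem writes.
    for e in entries:
        delay = e.written_at - e.claimed_visit
        if delay < timedelta(0):
            add(e.record_id, "stored before the visit it describes")
        elif delay > max_backdate:
            add(e.record_id, "backdated by %d days" % delay.days)
        if e.patient_death is not None and e.written_at > e.patient_death:
            add(e.record_id, "stored after the patient's death")

    # Burst check: notes stored within burst_window of each other whose claimed
    # visit dates are far apart were almost certainly written in one sitting.
    by_time = sorted(entries, key=lambda e: e.written_at)
    for i, a in enumerate(by_time):
        for b in by_time[i + 1:]:
            if b.written_at - a.written_at > burst_window:
                break                       # list is sorted, later entries are further apart
            gap = abs(b.claimed_visit - a.claimed_visit)
            if gap > max_backdate:
                msg = "stored within %d minutes of %s although the visits are %d days apart"
                add(a.record_id, msg % (burst_window.seconds // 60, b.record_id, gap.days))
                add(b.record_id, msg % (burst_window.seconds // 60, a.record_id, gap.days))
    return flagged


# Constructed sample: R1 is a normal same-day note; R2 and R3 were stored within
# three minutes of each other the night after the patient died, describing visits
# five weeks apart; R4 carries a system time earlier than the visit it records.
D = datetime
SAMPLE_ENTRIES = [
    RecordEntry("R1", D(2001, 3, 2, 10, 0), D(2001, 3, 2, 10, 20)),
    RecordEntry("R2", D(2001, 1, 15, 9, 0), D(2001, 3, 10, 21, 5), patient_death=D(2001, 3, 9, 8, 0)),
    RecordEntry("R3", D(2001, 2, 20, 9, 0), D(2001, 3, 10, 21, 8), patient_death=D(2001, 3, 9, 8, 0)),
    RecordEntry("R4", D(2001, 3, 5, 11, 0), D(2001, 3, 4, 9, 0)),
]
FLAGGED = suspicious_entries(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for rid, reasons in sorted(FLAGGED.items()):
        print(rid, "->", "; ".join(reasons))
```

The checks only work if the stored timestamps are trustworthy, so in practice the examiner first establishes the clock source (database server, workstation, or NTP-synchronised) and whether ordinary users could set it; the slide's point that technical knowledge of how metadata is stored decides what evidence is found applies here directly.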

8
The Five Ws
  • Answering the 5 Ws helps in criminal
    investigations
  • Who
  • What
  • Where
  • When
  • Why

9
In Practice: PDA Forensics
  • PDA forensics is being used frequently in
    homicide investigations and white-collar crimes
  • Examples
  • Danielle van Dam murder, February 2002
  • Falsely billing Medicaid and Medicare for
    patients who were never seen

10
Preserving Evidence
  • Preserving evidence is critical in order to use
    the evidence in a legal defense or prosecution
  • Scientific methods must be used in order to
    preserve the integrity of the evidence collected

11
Computer Forensics Science
  • Consistent with other scientific research, a
    computer forensics investigation is a process
  • There are five stages to the process
  • Intelligence
  • Hypothesis or Theory Formulation
  • Evidence Collection
  • Testing
  • Conclusion

12
Admissibility of Evidence
  • Goal of an investigation: collect evidence using
    accepted methods so that the evidence is accepted
    in the courtroom and admitted as evidence at
    trial
  • A judge's acceptance of evidence is called
    admission of evidence

13
Admissibility of Evidence (Cont.)
  • Evidence admissibility requires a lawful search
    and seizure and an unbroken chain of custody
  • Chain of custody must include
  • Where the evidence was stored
  • Who had access to the evidence
  • What was done to the evidence
  • In some cases, it may be more important to
    protect operations than obtain admissible
    evidence

14
In Practice: CD Universe Prosecution Failure
  • Attempted extortion of CD Universe, involving
    stolen credit card numbers, by an attacker
    calling himself Maxim
  • Six months after the incident, Maxim still could
    not be found
  • The evidence was compromised because the FBI and
    the security firms involved may have worked on the
    original data rather than on a forensic copy, so
    it could no longer be shown to be unaltered

15
Digital Signatures and Profiling
  • Digital signature left by a serial killer
  • Dennis L. Rader revealed as BTK
  • Metadata embedded in a document on a floppy disk
    led to a church where he had access to a computer
  • Digital profiling of crime suspects
  • E-evidence can supply patterns of behavior or
    imply motives
  • Evidence can include information stored on
    computers, e-mail, cell phone data, and wiretaps

16
Crimes Solved Using Forensics
(Continued)
17
Crimes Solved Using Forensics (Cont.)
18
Forensics Investigation Methods
  • Methods used by investigators must achieve these
    objectives
  • Protect the suspect system
  • Discover all files
  • Recover deleted files
  • Reveal contents of hidden files
  • Access protected or encrypted files
  • Use steganalysis to identify hidden data
  • Analyze data in unallocated and slack space
  • Print an analysis of the system
  • Provide an opinion of the system layout
  • Provide expert testimony or consultation

19
Unallocated Space and File Slack
  • Unallocated space: space that is not currently
    used to store an active file but may have stored
    a file previously (deleting a file releases its
    clusters; it does not overwrite them)
  • File slack: the space that remains between the end
    of a file and the end of the last cluster
    (allocation unit) assigned to it, because clusters
    are allocated whole even when the file does not
    fill one
  • Unallocated space and slack space can contain
    remnants of earlier files and are an important
    source of evidence for an investigator
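
To make the two definitions concrete, here is an added example (not code from the textbook or the slides) of a toy cluster-allocated volume in Python. The sector size, cluster size, volume size and the file contents are all constructed for the demonstration. A ledger is written, "deleted", and partly overwritten by a short memo; the volume then exposes the memo's slack and the unallocated clusters, and a small strings-style carver pulls the ledger remnants out of both. The model also reproduces one detail that matters in real examinations: the operating system zero-fills only the tail of the last sector it writes, so the first few hundred bytes of slack are empty while the rest of the cluster still holds the old file.

```python
import re
from typing import Dict, List, Tuple

SECTOR = 512                        # smallest unit the drive reads/writes (assumed)
SECTORS_PER_CLUSTER = 4             # allocation unit = 2048 bytes in this toy (assumed)
CLUSTER = SECTOR * SECTORS_PER_CLUSTER
N_CLUSTERS = 8


class ToyVolume:
    """A minimal cluster-allocated volume: a flat byte array plus a table of
    which clusters each live file owns.  Deleting a file only drops the table
    entry; nothing on 'disk' is overwritten."""

    def __init__(self) -> None:
        self.disk = bytearray(CLUSTER * N_CLUSTERS)
        self.files: Dict[str, Tuple[List[int], int]] = {}   # name -> (clusters, size)

    def free_clusters(self) -> List[int]:
        used = {c for clusters, _ in self.files.values() for c in clusters}
        return [c for c in range(N_CLUSTERS) if c not in used]

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // CLUSTER)              # ceiling division
        clusters = self.free_clusters()[:needed]
        if len(clusters) < needed:
            raise OSError("volume full")
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            start = c * CLUSTER
            self.disk[start:start + len(chunk)] = chunk
            # The OS writes whole sectors, so it zero-fills the tail of the last
            # sector it touches.  The remaining sectors of the cluster (the file
            # slack proper) are left exactly as they were.
            sector_end = start + -(-len(chunk) // SECTOR) * SECTOR
            self.disk[start + len(chunk):sector_end] = bytes(sector_end - start - len(chunk))
        self.files[name] = (clusters, len(data))

    def read(self, name: str) -> bytes:
        clusters, size = self.files[name]
        data = b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return data[:size]

    def delete(self, name: str) -> None:
        del self.files[name]                           # the data stays on disk

    def slack(self, name: str) -> bytes:
        """Bytes between the logical end of the file and the end of its last cluster."""
        clusters, size = self.files[name]
        if not clusters:
            return b""
        last = clusters[-1]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        return bytes(self.disk[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])

    def unallocated(self) -> bytes:
        """Every cluster not owned by a live file, in disk order."""
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free_clusters())


def carve_ascii(data: bytes, min_len: int = 8) -> List[str]:
    """Pull printable runs out of raw bytes, the same idea as the `strings` tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Constructed scenario: a ledger is written, deleted, and partly overwritten by a short memo.
LEDGER = b"constructed ledger line: transfer to shell company, invoice 0042\n" * 50   # 3250 bytes, 2 clusters
MEMO = b"quarterly memo: nothing to see here\n" * 10                                  # 360 bytes, 1 cluster


def build_demo() -> ToyVolume:
    vol = ToyVolume()
    vol.write("ledger.txt", LEDGER)
    vol.delete("ledger.txt")           # the user 'deletes' it
    vol.write("memo.txt", MEMO)        # the memo reuses the ledger's first cluster
    return vol


if __name__ == "__main__":
    vol = build_demo()
    print("live memo.txt starts:", vol.read("memo.txt")[:36])
    print("strings in memo.txt slack:", carve_ascii(vol.slack("memo.txt"))[:2])
    print("strings in unallocated space:", carve_ascii(vol.unallocated())[:2])
```

Reading `memo.txt` through the file system shows only the memo; the ledger text survives in the memo's slack (cluster 0, after the zero-filled sector tail) and in the unallocated cluster 1, which is why an examiner images the whole device rather than copying files, and why the file-wiping tools mentioned earlier have to overwrite slack and free clusters, not just file contents.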

20
NYS Police Forensic Procedures
  • (procedure table not captured in this transcript;
    continued on slides 21 and 22)
23
Challenges to Evidence
  • Criminal trials may be preceded by a suppression
    hearing
  • This hearing determines admissibility or
    suppression of evidence
  • The judge determines whether the Fourth Amendment
    was followed in the search and seizure of the
    evidence
  • The success of any investigation depends on
    proper and ethical investigative procedures

24
Search Warrants
  • Investigators generally need a search warrant to
    search and seize evidence
  • A law officer must prepare an affidavit that
    describes the basis for probable cause: a
    reasonable belief that a person has committed a
    crime and that evidence of it will be found in
    the place to be searched
  • A search warrant gives an officer only a limited
    right to intrude on a citizen's privacy

25
Search Warrants (Cont.)
  • Two circumstances in which a search can take
    place without a search warrant
  • The officer may search for and remove any weapons
    that the arrested person may use to escape or
    resist arrest
  • The officer may seize evidence in order to
    prevent its destruction or concealment

26
In Practice: A Terrorist's Trial
  • FBI agents attempted to get permission to search
    Moussaoui's laptop, but permission was denied on
    the grounds that they had not shown probable cause
  • The events of September 11 provided enough
    evidence for a search warrant, but by that time it
    was too late to act on e-mail accounts that might
    have provided important data

27
Motives for Cybercrimes
  • Finding the motive, the why of the crime, can
    help in an investigation
  • Possible motives
  • Financial gain, including extortion and
    blackmail
  • Cover up a crime
  • Remove incriminating information or
    correspondence
  • Steal goods or services without having to pay for
    them
  • Industrial espionage

28
Categories of Cybercrimes
  • Computer is the crime target
  • Computer is the crime instrument
  • Computer is incidental to traditional crimes
  • New crimes generated by the prevalence of
    computers

29
Chain of Custody Procedures
  • Handling of e-evidence must follow the three Cs
    of evidence: care, control, and chain of custody
  • Chain of custody procedures
  • Keep an evidence log that shows when each item was
    seized and received, and where it is located
  • Record the date and the recipient whenever an
    item is released to anyone
  • Restrict access to evidence
  • Place the original hard drive in an evidence
    locker
  • Perform all forensics on a bit-for-bit image copy,
    never on the original media
  • Hash the original at acquisition and hash the
    image before and after examination, so the copy
    can be shown to be an exact duplicate and the
    original can be shown to be unchanged
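
The CD Universe failure earlier in the chapter and the procedures above are two sides of the same requirement: at trial the examiner must be able to show that the evidence examined is identical to what was seized and that every hand it passed through is recorded. The Python below is an added example, not code from the textbook or the slides, of the mechanics behind that. It hashes the original at seizure, hands out working copies only after re-verifying that hash, re-checks any copy on demand, and keeps an evidence log in which each entry carries the hash of the entry before it, so an edited or deleted log line is detectable. The device identifier, custodians, locations and the 4 KiB byte string standing in for a drive image are all constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """One seized device.  `_original` stands in for the drive sealed in the
    evidence locker; every examination works on a copy returned by image()."""

    def __init__(self, item_id: str, original: bytes, seized_by: str, location: str) -> None:
        self.item_id = item_id
        self._original = bytes(original)
        # Taken at seizure, before anyone else touches the device.
        self.acquisition_hash = sha256hex(self._original)
        self.custodian = seized_by
        self.location = location
        self.log: List[Dict[str, str]] = []
        self._record("seized", seized_by, "acquisition hash %s" % self.acquisition_hash)

    def _record(self, action: str, who: str, note: str = "") -> None:
        # Each entry carries the hash of the previous entry, so deleting or
        # editing a line in the middle of the log breaks the chain.
        prev = self.log[-1]["entry_hash"] if self.log else "0" * 64
        entry = {"item": self.item_id, "when": datetime.now(timezone.utc).isoformat(),
                 "action": action, "who": who, "location": self.location,
                 "note": note, "prev": prev}
        entry["entry_hash"] = sha256hex(json.dumps(entry, sort_keys=True).encode())
        self.log.append(entry)

    def transfer(self, to: str, location: str) -> None:
        """Release by the current custodian and receipt by the next, both logged."""
        self._record("released", self.custodian, "to %s at %s" % (to, location))
        self.custodian, self.location = to, location
        self._record("received", to)

    def image(self, examiner: str) -> bytes:
        """Make the working copy and prove it matches the sealed original."""
        copy = bytes(self._original)
        h = sha256hex(copy)
        if h != self.acquisition_hash:
            self._record("image FAILED", examiner, "hash mismatch %s" % h)
            raise ValueError("original no longer matches its acquisition hash")
        self._record("imaged", examiner, "image hash %s matches acquisition hash" % h)
        return copy

    def verify_copy(self, copy: bytes, who: str) -> bool:
        ok = sha256hex(copy) == self.acquisition_hash
        self._record("verified" if ok else "VERIFY FAILED", who)
        return ok

    def original_intact(self) -> bool:
        return sha256hex(self._original) == self.acquisition_hash


def log_is_intact(log: List[Dict[str, str]]) -> bool:
    """Recompute the hash chain; False if any entry was edited, inserted or removed."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev") != prev or sha256hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


# Constructed stand-in for a drive image: 4 KiB of patterned bytes plus a marker string.
DEMO_IMAGE = bytes(range(256)) * 15 + b"constructed-marker-string-for-the-demo".ljust(256, b"\x00")


def run_demo() -> Dict[str, bool]:
    item = EvidenceItem("HDD-001", DEMO_IMAGE, seized_by="Officer A", location="scene")
    item.transfer("Examiner B", "lab locker 3")
    working = bytearray(item.image("Examiner B"))
    results = {"copy_matches": item.verify_copy(bytes(working), "Examiner B")}
    working[100] ^= 0xFF                           # the working copy gets altered during analysis
    results["altered_copy_matches"] = item.verify_copy(bytes(working), "Examiner B")
    results["original_intact"] = item.original_intact()   # the sealed original is unaffected
    results["log_intact"] = log_is_intact(item.log)
    tampered = json.loads(json.dumps(item.log))
    del tampered[-2]                               # someone removes the successful verification line
    results["tampered_log_intact"] = log_is_intact(tampered)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-22s %s" % (name, value))
```

An altered working copy fails verification while the original still matches its acquisition hash, which is exactly the distinction the CD Universe investigators could not make once they had worked on the original data; the examiner simply discards the copy and re-images. The hash chain protects the log against quiet editing, but it does not prove who wrote an entry, so in practice the log is also signed or countersigned and kept under the same access restrictions as the evidence itself.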

30
Report Procedures
  • All reports of the investigation should be
    prepared with the understanding that they will be
    read by others
  • The investigator should never comment on the
    guilt or innocence of a suspect or suspects or
    their affiliations
  • Only the facts of the investigation should be
    presented; opinions should be avoided

31
Computer Forensics Investigator's Responsibilities
  • Investigate and/or review current computer and
    computer-mediated crimes
  • Maintain objectivity when seizing and
    investigating computers, suspects, and support
    staff
  • Conduct all forensics investigations consistently
    with generally accepted procedures and federal
    rules of evidence and discovery
  • Keep a log of activities undertaken to stay
    current in the search, seizure, and processing of
    e-evidence

32
Summary
  • Computers and the Internet have contributed to
    traditional and computer crimes
  • Effective forensic investigation depends on
    technology that tracks what was done, who did it,
    and when
  • Images or exact copies of the digital media being
    investigated need to be examined by trained
    professionals

33
Summary (Cont.)
  • There are several legal and ethical issues of
    evidence seizure, handling, and investigation
  • New federal rules and laws regulate forensic
    investigations
  • The need for e-evidence has led to a new area of
    criminal investigation, namely computer
    forensics
  • This field is less than 15 years old (at the
    time this textbook was written)

34
Summary (Cont.)
  • Computer forensics depends on an understanding of
    technical and legal issues
  • Greatest legal issue in computer forensics is the
    admissibility of evidence in criminal cases
  • Computer forensics investigators identify,
    gather, extract, protect, preserve, and document
    computer and other e-evidence using acceptable
    methods

35
Summary (Cont.)
  • Laws of search and seizure, as they relate to
    electronic equipment, must be followed
  • Failure to follow proper legal procedure can
    result in evidence being ruled inadmissible in
    court