Computer Forensics Principles and Practices

1
Computer ForensicsPrinciples and Practices

• by Volonino, Anzaldua, and Godwin

Chapter 2 Computer Forensics and Digital
Detective Work
2
Objectives

• Recognize the role e-evidence plays in physical,
  or violent, and computer crimes
  
• Describe the basic steps in a computer forensics
  investigation
  
• Identify the legal and ethical issues affecting
  evidence search and seizure
  
• Identify the types of challenges to the
  admissibility of e-evidence

3
Objectives (Cont.)

• Understand how criminals motives can help in
  crime detection and investigation
  
• Explain chain of custody
• Explain why acceptable methods for computer
  forensics investigations and e-discovery are
  still emerging

4
Introduction

• Computer forensics investigators are detectives
  of the digital world. This chapter introduces
  you to the generally accepted methods used in
  computer forensics computer architecture, the
  Internet, and digital devices, and the types of
  evidence these trails leave behind.

5
E-Evidence Trails and Hidden Files

• Computers are routinely used to plan and
  coordinate many types of crimes
  
• Computer activities leave e-evidence trails
• File-wiping software can be used to delete data
• File-wiping process takes time and expertise
• Many e-evidence traces can be found by showing
  hidden files on a computer

6
Knowing What to Look For

• Technical knowledge of how data and metadata are
  stored will determine what e-evidence is found
  
• For this reason, technical knowledge of
  investigators must keep pace with evolving data
  storage devices

7
Knowing What to Look for (Cont.)

• Three cases illustrate importance of technical
  knowledge
  
• Dr. Harold Shipman modified medical records to
  hide evidence of murder date stamp revealed
  records were fraudulent
  
• Employees made online purchases with customer
  credit cards hidden HTML code revealed fraud
  
• Neil Entwhistle killed his wife and child cache
  showed Internet sites that described how to kill
  people

8
The Five Ws

• Answering the 5 Ws helps in criminal
  investigations
  
• Who
• What
• Where
• When
• Why

9
In Practice PDA Forensics

• PDA forensics are being used frequently in
  homicide investigations and white collar crimes
  
• Examples
• Danielle van Dam murder, February 2002
• Falsely billing for Medicaid and Medicare
  patients that were never seen

10
Preserving Evidence

• Preserving evidence is critical in order to use
  the evidence in a legal defense or prosecution
  
• Scientific methods must be used in order to
  preserve the integrity of the evidence collected

11
Computer Forensics Science

• Consistent with other scientific research, a
  computer forensics investigation is a process
  
• There are five stages to the process
• Intelligence
• Hypothesis or Theory Formulation
• Evidence Collection
• Testing
• Conclusion

12
Admissibility of Evidence

• Goal of an investigation collect evidence using
  accepted methods so that the evidence is accepted
  in the courtroom and admitted as evidence in the
  trial
• Judges acceptance of evidence is called
  admission of evidence

13
Admissibility of Evidence (Cont.)

• Evidence admissibility requires legal search and
  seizure and chain of custody
  
• Chain of custody must include
• Where the evidence was stored
• Who had access to the evidence
• What was done to the evidence
• In some cases, it may be more important to
  protect operations than obtain admissible
  evidence
  

14
In Practice CD Universe Prosecution Failure

• Attempted extortion involving credit card numbers
  by Maxim
  
• Six months after the incident, Maxim still could
  not be found
  
• Evidence was compromised by FBI and security
  firms who may have used original data rather than
  a forensic copy

15
Digital Signatures and Profiling

• Digital signature left by serial killer
• Dennis L. Rader revealed as BTK
• Hidden electronic code on disk led to church
  where he had access to a computer
  
• Digital profiling of crime suspects
• E-evidence can supply patterns of behavior or
  imply motives
  
• Evidence can include information stored on
  computers, e-mail, cell phone data, and wiretaps

16
Crimes Solved Using Forensics
(Continued)
17
Crimes Solved Using Forensics (Cont.)
18
Forensics Investigation Methods

• Methods used by investigators must achieve these
  objectives

• Protect the suspect system
• Discover all files
• Recover deleted files
• Reveal contents of hidden files
• Access protected or encrypted files
• Use steganalysis to identify hidden data

• Analyze data in unallocated and slack space
• Print an analysis of the system
• Provide an opinion of the system layout
• Provide expert testimony or consultation

19
Unallocated Space and File Slack

• Unallocated space space that is not currently
  used to store an active file but may have stored
  a file previously
  
• File slack space that remains if a file does not
  take up an entire sector
  
• Unallocated space and slack space can contain
  important information for an investigator

20
NYS Police Forensic Procedures
(Continued)
21
NYS Police Forensic Procedures (Cont.)
(Continued)
22
NYS Police Forensic Procedures (Cont.)
23
Challenges to Evidence

• Criminal trials may be preceded by a suppression
  hearing
  
• This hearing determines admissibility or
  suppression of evidence
  
• Judge determines whether Fourth Amendment has
  been followed in search and seizure of evidence.
  
• The success of any investigation depends on
  proper and ethical investigative procedures

24
Search Warrants

• Investigators generally need a search warrant to
  search and seize evidence
  
• Law officer must prepare an affidavit that
  describes the basis for probable causea
  reasonable belief that a person has committed a
  crime
• Search warrant gives an officer only a limited
  right to violate a citizens privacy

25
Search Warrants (Cont.)

• Two reasons a search can take place without a
  search warrant
  
• The officer may search for and remove any weapons
  that the arrested person may use to escape or
  resist arrest
  
• The officer may seize evidence in order to
  prevent its destruction or concealment

26
In Practice A Terrorists Trial

• FBI agents attempted to get permission to search
  Moussaouis laptop but permission was denied on
  grounds they had not proved probable cause
  
• Events on September 11 provided enough evidence
  for a search warrant, but by this time it was too
  late to access e-mail accounts that might have
  provided important data

27
Motives for Cybercrimes

• Finding the motivethe why of the crimecan
  help in an investigation
  
• Possible motives
• Financial gain, including extortion and
  blackmail
  
• Cover up a crime
• Remove incriminating information or
  correspondence
  
• Steal goods or services without having to pay for
  them
  
• Industrial espionage

28
Categories of Cybercrimes

• Computer is the crime target
• Computer is the crime instrument
• Computer is incidental to traditional crimes
• New crimes generated by the prevalence of
  computers

29
Chain of Custody Procedures

• Handling of e-evidence must follow the three Cs
  of evidence care, control, and chain of custody
  
• Chain of custody procedures
• Keep an evidence log that shows when evidence was
  received and seized, and where it is located
  
• Record dates if items are released to anyone
• Restrict access to evidence
• Place original hard drive in an evidence locker
• Perform all forensics on a mirror-image copy,
  never on the original data

30
Report Procedures

• All reports of the investigation should be
  prepared with the understanding that they will be
  read by others
  
• The investigator should never comment on the
  guilt or innocence of a suspect or suspects or
  their affiliations
  
• Only the facts of the investigation should be
  presented opinions should be avoided

31
Computer Forensics Investigators Responsibilities

• Investigate and/or review current computer and
  computer-mediated crimes
  
• Maintain objectivity when seizing and
  investigating computers, suspects, and support
  staff
  
• Conduct all forensics investigations consistently
  with generally accepted procedures and federal
  rules of evidence and discovery
  
• Keep a log of activities undertaken to stay
  current in the search, seizure, and processing of
  e-evidence

32
Summary

• Computers and the Internet have contributed to
  traditional and computer crimes
  
• Effective forensic investigation requires any
  technology that tracks what was done, who did it,
  and when
  
• Images or exact copies of the digital media being
  investigated need to be examined by trained
  professionals

33
Summary (Cont.)

• There are several legal and ethical issues of
  evidence seizure, handling, and investigation
  
• New federal rules and laws regulate forensic
  investigations
  
• The need for e-evidence has led to a new area of
  criminal investigation, namely computer
  forensics
  
• This field is less than 15 years old

34
Summary (Cont.)

• Computer forensics depends on an understanding of
  technical and legal issues
  
• Greatest legal issue in computer forensics is the
  admissibility of evidence in criminal cases
  
• Computer forensics investigators identify,
  gather, extract, protect, preserve, and document
  computer and other e-evidence using acceptable
  methods

35
Summary (Cont.)

• Laws of search and seizure, as they relate to
  electronic equipment, must be followed
  
• Failure to follow proper legal procedure will
  result in evidence being ruled inadmissible in
  court