Collecting Evidence

This document discusses best practices for collecting digital evidence at a crime scene. It emphasizes the importance of properly securing the scene, documenting all evidence through notes and photographs, and maintaining chain of custody. Key steps include isolating devices to preserve data, making forensic clones of storage drives to examine copies rather than originals, and using standardized forensic image formats. Special care must be taken to avoid altering or deleting data from the original evidence sources.
5. Collecting Evidence
Topics

• Crime scenes
• Documenting
• Chain of Custody
• Forensic cloning
• Live and Dead Systems
• Hashing
• Final Report
Crime Scenes and Collecting Evidence

Securing the Scene

• Unnecessary people must be kept out
• Network connections place data at risk
• Once it is assured that volatile data won't be lost, disconnect network cables
• Isolate seized phones from the network
[Image from crimescenecleanupdetroit.com]
Removable Media

• Memory cards can be tiny
  • Hidden in books, wallets, hat bands, etc.
• Also DVDs, external hard drives, thumb drives, memory cards
• Examine books and manuals to determine the skill level of the target
  • Are they using encryption?
Cell Phones

• Valuable evidence
  • Text messages, email, call logs, contacts
• Interacting with the phone can change data
• Apple's "Find My iPhone" app can be used to remotely wipe the phone
Isolating Cell Phones

• Turn the phone off
  • BUT it may require a password when turned back on
• Shielded container
  • Paint can, Faraday bag
• Power
  • Provide external battery pack to keep phone alive
  • Seize power cables if phone is off, so it can be charged for examination
Questions at the Scene

• After the scene is secured, ask these questions
  • What kinds of devices are present?
  • How many devices?
  • Are the devices running?
  • What tools are needed?
  • Do we have the necessary expertise?
Order of Volatility

• Gather most volatile evidence first
  • CPU, cache and registers
  • Routing table, ARP cache, processes
  • RAM
  • Temp files/swap space
  • Hard disk
  • Remotely logged data
  • Archival media
Documenting the Scene

If you don't write it down, it didn't happen

Types of Documentation

• Photographs
• Written notes
• Video
• Record precise details
  • Type, make, model, serial number
  • Whether a device is on or off
  • Network connections
  • Peripheral connections like printers
• Document and label cables
Photography

• Walk through the scene to find devices and see what will be needed
• Then photograph entire scene before anything is disturbed
• Broad perspective, then each item of evidence in its original position
  • Add a ruler in a second photo for perspective
• Photos don't replace notes
Notes

• No set standard
  • Chronological is common
• Those notes will guide you in court later
• Notes can be discoverable and may be seen by other side
  • Don't draw conclusions or speculate
Chain of Custody

Marking Evidence

• Initials, dates, case numbers
  • Permanent markers
• Sealed in evidence anti-static bag
• Tamper-resistant evidence tape
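The marking data above (initials, dates, case numbers) is what a chain-of-custody record carries every time an item changes hands. The following is an added example, not code from the slides: a custody log in which each entry embeds the SHA-256 of the previous entry, so altering or deleting an earlier entry breaks every link after it. The case number, item id, handler initials and evidence hash are constructed for illustration; the "tag hash" idea (writing the latest entry's hash on the evidence tag) is an assumption about procedure, not something the slides describe.

```python
"""Tamper-evident chain-of-custody log.

Added example; it is not from the slides. Each entry records the case number,
item id, handler initials, timestamp and action (the data a marked evidence
bag carries), plus the SHA-256 of the previous entry, so editing or deleting
an earlier entry breaks every link after it. All names and ids below are
constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" for the first entry in a log


def entry_hash(entry):
    # Canonical JSON (sorted keys, no whitespace) so an entry always hashes
    # the same way regardless of how it was serialized or stored.
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class CustodyLog:
    def __init__(self, case_number, item_id, evidence_sha256):
        self.case_number = case_number
        self.item_id = item_id
        self.evidence_sha256 = evidence_sha256  # hash of the item's image
        self.entries = []

    def record(self, initials, action, when=None):
        """Append one custody event; returns the new entry."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = entry_hash(self.entries[-1]) if self.entries else GENESIS
        entry = {
            "case": self.case_number,
            "item": self.item_id,
            "seq": len(self.entries),
            "when": when,
            "by": initials,
            "action": action,
            "evidence_sha256": self.evidence_sha256,
            "prev": prev,
        }
        self.entries.append(entry)
        return entry

    def head(self):
        """Hash of the latest entry. Write it on the evidence tag so the final
        entry is protected too; the chain alone only covers earlier ones."""
        return entry_hash(self.entries[-1]) if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (True, None) if every link holds, else (False, index of the
        first entry whose link is broken)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["seq"] != i:
                return False, i
            if entry["evidence_sha256"] != self.evidence_sha256:
                return False, i
            prev = entry_hash(entry)
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries) - 1
        return True, None


def demo():
    # Constructed case: three handlers, then one entry is altered afterwards.
    log = CustodyLog("2024-0001-HYP", "ITEM-03", "a" * 64)
    log.record("JS", "seized from desk, bagged and sealed", "2024-03-01T10:15:00+00:00")
    log.record("MK", "received at lab, seal intact", "2024-03-01T14:02:00+00:00")
    log.record("MK", "imaged behind write-blocker", "2024-03-02T09:30:00+00:00")
    tag_hash = log.head()
    clean = log.verify(tag_hash)
    log.entries[1]["by"] = "XX"  # someone rewrites who received the item
    tampered = log.verify(tag_hash)
    return clean, tampered


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 2))
```

Note that tampering with entry 1 is reported at index 2, because it is entry 2's stored "prev" hash that no longer matches. Without the tag hash, the last entry is unprotected; `verify(expected_head)` closes that gap.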
Forensic cloning

Cloning

• Exact copy of a hard drive, bit for bit
  • Gathers unallocated space and Master File Table
• Time-consuming process
• Usually done at the lab, not on the scene
  • In civil cases, you may lack legal authorization to remove the computer
  • Must clone it on-scene
Purpose of Cloning

• Examine a copy, not the original
  • Unless there are exigent circumstances, like a missing child
• You can recover from mistakes
• A properly authenticated forensic clone is as good as the original in court
The Cloning Process

• Copy one hard drive to another, larger hard drive
• Source drive normally removed from computer
• Critical to use a write-blocker
  • Hardware or software
• Forensically clean destination drive first
  • Proof of that goes in the case file
Forensically Clean Media

• Can be proven devoid of data
  • "Sterile"
• Overwrite entire drive with a pattern of data
  • Such as 00000000
Forensic Image Formats

• Proprietary
  • EnCase (.E01) – Actually "Expert Witness"
  • AccessData Custom Content Image (.AD1)
• Open
  • Advanced Forensics Format (AFF)
    Open format, see link Ch 4a
  • Raw (.dd or .001)
    Direct uncompressed disk image
Risks and Challenges

• Biggest Risk: Writing to the evidence drive
• Bad sectors
  • Damaged or malfunctioning drives
• Corrupt boot sector
• Anti-forensic measures (theoretical, not practical risk)
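The cloning process, the forensically clean destination, and the bad-sector risk above fit together in one procedure. The following is an added example with simulated in-memory drives, not code from the slides or from any imaging tool: it sterilizes the destination and records proof, reads the source only through a write-blocking wrapper, copies sector by sector while zero-filling and logging unreadable sectors, and hashes the acquired bytes so the clone can be authenticated. The source contents, the bad sector number and the 512-byte sector size are constructed.

```python
"""Forensic cloning walk-through with simulated drives.

Added example, not from the slides or any imaging tool. It exercises the
steps the slides describe: sterilize the destination and prove it, read the
source only through a write-blocking wrapper, copy bit for bit while
zero-filling and logging unreadable sectors, then hash to authenticate the
clone. The source contents, the bad sector and the sector size are constructed.
"""
import hashlib

SECTOR = 512  # bytes per sector on the simulated drives


class WriteBlockedSource:
    """Stand-in for a hardware/software write-blocker: reads only."""

    def __init__(self, data, bad_sectors=()):
        self._data = bytes(data)
        self._bad = set(bad_sectors)
        self.size = len(self._data)

    def read_sector(self, n):
        if n in self._bad:
            raise IOError(f"read error at sector {n}")  # simulated bad sector
        return self._data[n * SECTOR:(n + 1) * SECTOR]

    def write_sector(self, n, chunk):
        raise PermissionError("write-blocker: evidence drive is read-only")


def sha256(data):
    return hashlib.sha256(bytes(data)).hexdigest()


def sterilize(size):
    """Overwrite the whole destination with 0x00 (the slides' pattern)."""
    return bytearray(size)


def prove_sterile(drive):
    """Proof for the case file: (is it all zeros?, hash of the wiped drive)."""
    return not any(drive), sha256(drive)


def clone(src, dst):
    """Copy src into dst sector by sector.

    Returns (bad_sectors, acquisition_hash). Unreadable sectors are written as
    zeros and listed, the same idea as dd's conv=noerror,sync. The acquisition
    hash covers the bytes exactly as acquired, which is what the clone is
    verified against.
    """
    ok, _ = prove_sterile(dst)
    if not ok:
        raise ValueError("destination is not forensically clean")
    if len(dst) < src.size:
        raise ValueError("destination must be at least as large as the source")
    digest = hashlib.sha256()
    bad = []
    for n in range((src.size + SECTOR - 1) // SECTOR):
        want = min(SECTOR, src.size - n * SECTOR)  # last sector may be short
        try:
            chunk = src.read_sector(n)
        except IOError:
            bad.append(n)
            chunk = bytes(want)  # zero-fill so the clone keeps its geometry
        dst[n * SECTOR:n * SECTOR + want] = chunk
        digest.update(chunk)
    return bad, digest.hexdigest()


def verify_clone(src_size, dst, acquisition_hash):
    """The clone is authenticated when its hash matches the acquisition hash."""
    return sha256(dst[:src_size]) == acquisition_hash


SOURCE = bytes(i % 256 for i in range(4 * SECTOR))  # constructed evidence drive


def demo():
    # Healthy source: the clone hash equals the hash of the original drive.
    good = WriteBlockedSource(SOURCE)
    dst = sterilize(8 * SECTOR)  # larger destination, as the slides say
    bad, acq = clone(good, dst)
    matches_original = acq == sha256(SOURCE) and verify_clone(good.size, dst, acq)
    try:  # the write-blocker refuses any write to the evidence drive
        good.write_sector(0, b"\x00")
        refused = False
    except PermissionError:
        refused = True

    # Source with one unreadable sector: it is zero-filled and logged, so the
    # clone cannot match the original, but it does match what was acquired.
    damaged = WriteBlockedSource(SOURCE, bad_sectors=[2])
    dst2 = sterilize(4 * SECTOR)
    bad2, acq2 = clone(damaged, dst2)
    return (bad, matches_original, refused,
            bad2, acq2 != sha256(SOURCE), verify_clone(damaged.size, dst2, acq2))


if __name__ == "__main__":
    print(demo())  # ([], True, True, [2], True, True)
```

The bad-sector list is as much a part of the case file as the hashes: it explains why the clone's hash cannot equal a hash taken later from the original drive, and which sectors were substituted with zeros.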
eDiscovery

• Gathering and presenting electronically stored information (ESI) for legal cases
• Cloning preserves evidence best
  • Can be expensive and impractical
• du Pont v. Kolon
  • Kolon lost and was hit with
    • $920 million judgement
    • 20-year ban from competing with du Pont
  • Links Ch 4b, 4c
Spoliation
