CS6004 - Cyber Forensic
Chapter IV: Evidence Collection and Tools
N. Jagadish Kumar
Assistant Professor - IT
Processing Crime and Incident Scenes
• As the world becomes more global or “flat” in nature, you need to be aware of how laws are interpreted in other countries.
• As more countries establish e-laws and more cases go to court, the laws must be applied consistently.
• Cases of fraud and money laundering are becoming more of a global or international issue, and crimes against consumers can originate from anywhere in the world.
• Computers and digital evidence seized in one U.S. jurisdiction might affect a case that’s worldwide in scope.
• To address these issues, this chapter explains how to apply standard crime scene practices and rules for handling evidence to corporate and law enforcement computing investigations.
Identifying Digital Evidence
• Digital evidence can be any information stored or transmitted in digital form.
• U.S. courts accept digital evidence as physical evidence, which means that digital data is treated as a tangible object, such as a weapon, paper document, or visible injury, that’s related to a criminal or civil incident.
• Courts in other countries are still updating their laws to take digital evidence into account. Some require that all digital evidence be printed out to be presented in court.
• Groups such as the Scientific Working Group on Digital Evidence (SWGDE; www.swgde.org) and the International Organization on Computer Evidence (IOCE; www.ioce.org) set standards for recovering, preserving, and examining digital evidence.
Following are the general tasks that investigators perform when working with digital evidence:
• Identify digital information or artifacts that can be used as evidence.
• Collect, preserve, and document evidence.
• Analyze, identify, and organize evidence.
• Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.
• Collecting computers and processing a criminal or incident scene must be done systematically.
• To minimize confusion, reduce the risk of losing evidence, and avoid damaging evidence, only one person should collect and catalog digital evidence at a crime scene or lab, if practical.
• An important challenge investigators face today is establishing recognized standards for digital evidence.
• For example, some cases involve several police raids conducted simultaneously in several countries.
• As a result, you have multiple sites where evidence was seized and hundreds of pieces of digital evidence, including hard drives, cell phones, memory sticks, PDAs, and other storage devices.
Understanding Rules of Evidence
• You must handle all evidence consistently.
• Apply the same security and accountability controls to evidence whether you are working under a state’s rules of evidence or the Federal Rules of Evidence.
• Evidence admitted in a criminal case might also be used in a civil suit, and vice versa.
• As part of your professional growth, keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence.
• Digital evidence is unlike other physical evidence because it can be changed more easily. The only way to detect these changes is to compare the original data with a duplicate (even then, telling the two apart is complicated, so digital evidence requires special legal consideration).
• Most courts have interpreted computer records as hearsay evidence. (Hearsay is any out-of-court statement presented in court to prove the truth of an assertion.)
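Comparing the original data with a duplicate, as the slide describes, is done in practice by hashing both. The following is an added example, not code from the slides: it records MD5 and SHA-256 at acquisition, re-verifies a duplicate against that record, and locates the first changed byte when verification fails. The disk image and its altered copy are constructed byte strings so the script runs offline.

```python
"""Detecting changes to digital evidence by comparing hashes of the
original and a duplicate.

Added example for this chapter, not code from the original slides. The
"images" below are constructed byte strings standing in for a disk image
and its forensic duplicate, so the script runs offline.
"""
import hashlib
import io
from dataclasses import dataclass
from typing import BinaryIO, Optional


@dataclass(frozen=True)
class HashRecord:
    """Hash values written into the evidence log at acquisition time."""
    md5: str
    sha256: str


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> HashRecord:
    """Hash a binary stream in chunks so a multi-gigabyte image is never
    loaded into memory at once. Two algorithms are recorded so that a
    collision in one would still be caught by the other."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha256.update(chunk)
    return HashRecord(md5.hexdigest(), sha256.hexdigest())


def hash_bytes(data: bytes) -> HashRecord:
    """Convenience wrapper for in-memory data (the constructed samples)."""
    return hash_stream(io.BytesIO(data))


def verify_duplicate(acquisition_record: HashRecord, duplicate: bytes) -> bool:
    """True only if the duplicate still matches both hashes recorded when
    the original was acquired. A single flipped bit changes both values."""
    current = hash_bytes(duplicate)
    return (current.md5 == acquisition_record.md5
            and current.sha256 == acquisition_record.sha256)


def first_differing_offset(original: bytes, duplicate: bytes) -> Optional[int]:
    """Hashes only say *that* something changed; a byte-wise comparison
    says *where*. Returns the first differing offset, or None if identical
    (a length mismatch counts as a difference at the shorter length)."""
    limit = min(len(original), len(duplicate))
    for offset in range(limit):
        if original[offset] != duplicate[offset]:
            return offset
    return None if len(original) == len(duplicate) else limit


def flip_bit(data: bytes, offset: int, mask: int = 0x01) -> bytes:
    """Constructed tampering: flip one bit of one byte."""
    altered = bytearray(data)
    altered[offset] ^= mask
    return bytes(altered)


# Constructed "disk image": 4096 bytes of a repeating pattern.
ORIGINAL_IMAGE = bytes(range(256)) * 16
# Constructed altered copy: one bit flipped at offset 512.
TAMPERED_IMAGE = flip_bit(ORIGINAL_IMAGE, 512)


if __name__ == "__main__":
    record = hash_bytes(ORIGINAL_IMAGE)  # what the evidence log would hold
    print("acquisition SHA-256:", record.sha256)
    print("faithful duplicate verifies:", verify_duplicate(record, ORIGINAL_IMAGE))
    print("tampered duplicate verifies:", verify_duplicate(record, TAMPERED_IMAGE))
    print("first differing offset:", first_differing_offset(ORIGINAL_IMAGE, TAMPERED_IMAGE))
```

For a real image, open the file in binary mode and pass it to hash_stream so the whole drive is never read into memory.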
• Computer records are usually divided into computer-generated records and computer-stored records.
• Computer-generated records are data the system maintains, such as system log files and proxy server logs. They are output generated from a computer process or algorithm, not usually data a person creates.
• Computer-stored records, however, are electronic data that a person creates and saves on a computer, such as a spreadsheet or word processing document.
• Some records combine computer-generated and computer-stored evidence.
• Computer records must also be shown to be authentic and trustworthy to be admitted into evidence.
• Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic, as does using established computer forensics software tools.
• Courts have consistently ruled that computer forensics investigators don’t have to be subject matter experts on the tools they use.
• Agents and prosecutors occasionally express concern that a printout of a computer-stored electronic file might not qualify as an original document under the best evidence rule.
• In its most fundamental form, the original file is a collection of 0s and 1s; in contrast, the printout is the result of manipulating the file through a complicated series of electronic and mechanical processes.
• To address this concern about original evidence, the Federal Rules of Evidence state that, instead of producing hard disks in court, attorneys can submit printed copies of files as evidence.
Collecting Evidence in Private-Sector Incident Scenes
• A special category of private-sector businesses includes ISPs and other communication companies.
• ISPs can investigate computer abuse committed by their employees, but not by customers.
• ISPs must preserve customer privacy, especially when dealing with e-mail.
• The Patriot Act of 2001 has redefined how ISPs and large corporate Internet users operate and maintain their records.
• ISPs and other communication companies now can investigate customers’ activities that are deemed to create an emergency situation, such as finding a bomb threat in an e-mail message.
• Investigating and controlling computer incident scenes in the corporate environment is much easier than in the criminal environment.
• In the private sector, the incident scene is often a workplace, such as a contained office or manufacturing area, where a policy violation is being investigated.
• For example, most companies use a single Web browser, such as Microsoft Internet Explorer, Mozilla Firefox, or KDE Konqueror. Knowing which browser a suspect used helps you identify data downloaded to the suspect’s workstation.
• If a corporate investigator finds that an employee is committing or has committed a crime, the employer can file a criminal complaint with the police.
• Employers are usually interested in enforcing company policy, not seeking out and prosecuting employees, so typically they approve computer investigations only to identify employees who are misusing company assets.
• Corporate investigators are, therefore, primarily concerned with protecting company assets.
• If you discover evidence of a crime during a company policy investigation, first determine whether the incident meets the elements of criminal law.
• Next, inform management of the incident; they might have other concerns, such as protecting confidential business data that might be included with the criminal evidence.
• After you submit evidence containing sensitive information to the police, it becomes public record.
• Public record laws do include exceptions for protecting sensitive corporate information; ultimately, however, a judge decides what to protect.
• One example of a company policy violation involves employees observing another employee accessing pornographic Web sites.
• If the organization needs evidence, you could start by extracting log file data from the proxy server (used to connect a company LAN to the Internet) and conducting a forensic examination of the subject’s computer.
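The proxy-log step above, as an added example that is not part of the original slides: it parses constructed Squid-style access.log lines (a computer-generated record), extracts one workstation's requests, flags those to hosts on a placeholder acceptable-use blocklist, and summarizes them for the examination that follows. The client addresses, user names and host names are assumed placeholders.

```python
"""Extracting one workstation's activity from proxy server logs during a
company policy investigation.

Added example for this chapter, not code from the original slides. The log
lines are constructed in the Squid native access.log layout; the client
addresses, user names and host names are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed proxy log. Field order:
# <unix time> <elapsed ms> <client> <result/status> <bytes> <method> <url> <user> <hierarchy/peer> <type>
SAMPLE_ACCESS_LOG = """\
1700000000.123    245 10.0.5.17 TCP_MISS/200 18432 GET http://intranet.example.test/timesheet jdoe HIER_DIRECT/10.0.0.8 text/html
1700000042.456    312 10.0.5.17 TCP_MISS/200 90211 GET http://blocked-site.example.test/gallery/index.html jdoe HIER_DIRECT/203.0.113.9 text/html
1700000043.001     88 10.0.5.17 TCP_MISS/200 409600 GET http://cdn.blocked-site.example.test/img/001.jpg jdoe HIER_DIRECT/203.0.113.10 image/jpeg
1700000050.900    120 10.0.5.22 TCP_HIT/200 5120 GET http://news.example.test/ asmith NONE/- text/html
1700000061.777    301 10.0.5.17 TCP_DENIED/403 3821 CONNECT blocked-site.example.test:443 jdoe HIER_NONE/- text/html
"""

# Hosts the organization's acceptable-use policy prohibits (placeholder).
POLICY_BLOCKLIST = {"blocked-site.example.test"}


@dataclass(frozen=True)
class ProxyEntry:
    time: datetime
    client: str
    result: str        # e.g. TCP_MISS/200 or TCP_DENIED/403
    bytes_sent: int
    method: str
    url: str
    user: str

    @property
    def denied(self) -> bool:
        return self.result.startswith("TCP_DENIED")


def host_of(url: str) -> str:
    """Host name of a logged URL. GET lines carry a full URL; CONNECT lines
    carry only host:port."""
    rest = url.split("://", 1)[1] if "://" in url else url
    host = rest.split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def parse_line(line: str) -> Optional[ProxyEntry]:
    """Parse one native-format line; None for blank or truncated lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return ProxyEntry(
        time=datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
        client=fields[2],
        result=fields[3],
        bytes_sent=int(fields[4]),
        method=fields[5],
        url=fields[6],
        user=fields[7],
    )


def extract_client_activity(log_text: str, client: str) -> List[ProxyEntry]:
    """All requests made from one workstation address, in log order."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.client == client]


def matches_blocklist(host: str, blocklist: Iterable[str]) -> bool:
    """Exact or subdomain match, so cdn.blocked-site... is caught too."""
    return any(host == b or host.endswith("." + b) for b in blocklist)


def flag_policy_hits(entries: Iterable[ProxyEntry], blocklist: Iterable[str]) -> List[ProxyEntry]:
    """Requests (allowed or denied) to hosts the policy prohibits."""
    blocked = set(blocklist)
    return [e for e in entries if matches_blocklist(host_of(e.url), blocked)]


def summarize(hits: List[ProxyEntry]) -> Dict[str, object]:
    """Figures an investigator would carry into the workstation examination."""
    if not hits:
        return {"requests": 0}
    return {
        "requests": len(hits),
        "first_seen": min(h.time for h in hits).isoformat(),
        "last_seen": max(h.time for h in hits).isoformat(),
        "bytes_total": sum(h.bytes_sent for h in hits),
        "denied": sum(1 for h in hits if h.denied),
        "users": sorted({h.user for h in hits}),
    }


if __name__ == "__main__":
    activity = extract_client_activity(SAMPLE_ACCESS_LOG, "10.0.5.17")
    hits = flag_policy_hits(activity, POLICY_BLOCKLIST)
    for h in hits:
        print(h.time.isoformat(), h.user, h.result, h.method, h.url)
    print(summarize(hits))
```

Preserve the extracted log excerpt as an exhibit in its own right (the slides treat proxy logs as computer-generated records), since the workstation examination is expected to corroborate it.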
• Suppose that during your examination, you find adult and child pornography. Further examination of the subject’s hard disk reveals that the employee has been collecting child pornography in separate folders on his workstation’s hard drive.
• In the United States, possessing child pornography is a crime under federal and state criminal statutes.
Processing Law Enforcement Crime Scenes
• To process a crime scene properly, you must be familiar with criminal rules of search and seizure.
• You should also understand how a search warrant works and what to do when you process one.
• A law enforcement officer can search for and seize criminal evidence only with probable cause.
• With probable cause, a police officer can obtain a search warrant from a judge that authorizes a search and the seizure of specific evidence related to the criminal complaint.
Understanding Concepts and Terms Used in Warrants
• Many computing investigations involve large amounts of data, often terabytes of information. Unrelated information (referred to as innocent information) is often included with the evidence you’re trying to recover.
• This unrelated information might be personal and private records of innocent people or confidential business information.
• When you find commingled evidence, judges often issue a limiting phrase to the warrant, which allows the police to separate innocent information from evidence. The warrant must list which items can be seized.
• Plain view doctrine: the plain view doctrine states that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence.
Preparing for a Search
• Preparing for a computer search and seizure is probably the most important step in computing investigations.
• The better you prepare, the smoother your investigation will be.
• The following sections discuss the tasks you should complete before you search for evidence.
Identifying the Nature of the Case
• If you can identify the computing system, estimate the size of the drive on the suspect’s computer and how many computers you have to process at the scene. Also, determine which OSs and hardware might be involved and whether the evidence is located on a Microsoft, Linux, UNIX, Macintosh, or mainframe computer.
• For corporate investigators, configuration management databases make this step easier.
Determining Whether You Can Seize a Computer
• Law enforcement investigators need a warrant to remove computers from a crime scene and transport them to a lab.
• If removing the computers will irreparably harm a business, the computers should not be taken offsite, unless you have disclosed the effect of the seizure to the judge.
• An additional complication is files stored offsite that are accessed remotely. You must decide whether the drives containing those files need to be examined.
• Another consideration is the availability of online data storage services that rent space, which essentially can’t be located physically.
• The data is stored on drives where data from many other subscribers might be stored.
Obtaining a Detailed Description of the Location
• Environmental and safety issues are the primary concerns during this process.
• Some computer cases involve dangerous settings, such as a drug bust of a methamphetamine lab or a terrorist attack using biological, chemical, or nuclear contaminants.
• For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
Using Additional Technical Expertise
• Suppose you’re assigned to process a crime scene at a data center running Microsoft Windows servers with several RAID drives and high-end UNIX servers.
• If you’re the leader of this investigation, you must identify the additional skills needed to process the crime scene, such as how to acquire data from RAID servers and how much data you can acquire.
• RAID servers typically process several terabytes of data, and standard imaging tools might not be able to handle these large data sets.
• When working at high-end computing facilities, identify the applications the suspect uses, such as Oracle databases. You might need to recruit an Oracle specialist or site support staff to help extract data for the investigation.
• Finding the right person can be an even bigger challenge than conducting the investigation.
Determining the Tools You Need
• After you have gathered as much information as possible about the incident or crime scene, you can start listing what you need at the scene.
• Using the right kit makes processing an incident or crime scene much easier and minimizes how much you have to carry from your vehicle to the scene.
• Your initial-response field kit should be lightweight and easy to transport. With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
• Some of the items you might need at the scene are the tools of an initial-response field kit.
• Keep in mind that digital evidence is volatile. Develop the skills to assess the facts quickly, make your plan, gather the needed resources, and collect data from the incident or crime scene.
• In some computing investigations, responding slowly might result in the loss of important evidence for the case.
Securing a Computer Incident or Crime Scene
• If you’re in charge of securing a computer incident or crime scene, use yellow barrier tape to prevent bystanders from accidentally entering the scene.
• Use police officers or security guards to prevent others from entering the scene.
• Access to the scene should be restricted to only those people who have a specific reason to be there.
• Computers can also contain actual physical evidence, such as DNA evidence or fingerprints on keyboards.
• Crime labs can use special vacuums to extract DNA residue from a keyboard to compare with other DNA samples.
• Evidence is commonly lost or corrupted because of professional curiosity, which involves police officers and other professionals who aren’t part of the crime scene processing team.
• They just have a compelling interest in seeing what happened.
• Their presence could contaminate the scene directly or indirectly.
• You must protect all digital evidence, so make sure no one examines a suspect’s computer before you can capture and preserve an image of the hard disk.

More Related Content

PPTX
Digital forensics
vishnuv43
 
PPTX
Digital forensics
Roberto Ellis
 
PDF
Cloud-forensics
anupriti
 
PPTX
E-mail Investigation
edwardbel
 
PPT
Linux forensics
Santosh Khadsare
 
PPTX
Digital forensic tools
Parsons Corporation
 
PPTX
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
PPTX
Difference between Cyber and digital Forensic.pptx
Applied Forensic Research Sciences
 
Digital forensics
vishnuv43
 
Digital forensics
Roberto Ellis
 
Cloud-forensics
anupriti
 
E-mail Investigation
edwardbel
 
Linux forensics
Santosh Khadsare
 
Digital forensic tools
Parsons Corporation
 
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
Difference between Cyber and digital Forensic.pptx
Applied Forensic Research Sciences
 

What's hot (20)

PDF
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
PPTX
Virtual Machine Forensics
primeteacher32
 
PPTX
Computer Forensics ppt
OECLIB Odisha Electronics Control Library
 
PPTX
Computer forensics ppt
Nikhil Mashruwala
 
PPTX
Mobile Forensics
abdullah roomi
 
PPTX
Processing Crimes and Incident Scenes
primeteacher32
 
PPTX
Guideline for Call Data Record Analysis by Raghu Khimani
Dr Raghu Khimani
 
PPTX
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
PDF
CS6004 Cyber Forensics
Kathirvel Ayyaswamy
 
PDF
Disk forensics
Chiawei Wang
 
ODP
Introduction to forensic imaging
Marco Alamanni
 
PPTX
Digital forensics
Vidoushi B-Somrah
 
PPTX
Mobile Forensics
primeteacher32
 
PDF
Digital forensic principles and procedure
newbie2019
 
PPTX
Traditional Problems Associated with Computer Crime
Dhrumil Panchal
 
PPTX
Anti forensic
Milap Oza
 
PPTX
Digital investigation
unnilala11
 
PDF
Email Forensics
Gol D Roger
 
PPTX
Incident response process
Bhupeshkumar Nanhe
 
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
Virtual Machine Forensics
primeteacher32
 
Computer forensics ppt
Nikhil Mashruwala
 
Mobile Forensics
abdullah roomi
 
Processing Crimes and Incident Scenes
primeteacher32
 
Guideline for Call Data Record Analysis by Raghu Khimani
Dr Raghu Khimani
 
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
CS6004 Cyber Forensics
Kathirvel Ayyaswamy
 
Disk forensics
Chiawei Wang
 
Introduction to forensic imaging
Marco Alamanni
 
Digital forensics
Vidoushi B-Somrah
 
Mobile Forensics
primeteacher32
 
Digital forensic principles and procedure
newbie2019
 
Traditional Problems Associated with Computer Crime
Dhrumil Panchal
 
Anti forensic
Milap Oza
 
Digital investigation
unnilala11
 
Email Forensics
Gol D Roger
 
Incident response process
Bhupeshkumar Nanhe
 
Ad

Similar to Cyber forensic-Evedidence collection tools (20)

PPTX
Trade Secret Theft in the Digital Age
BoyarMiller
 
PPTX
ppt for Module 5 cybersecuirty_023501.pptx
MayuraD1
 
PPTX
Computer Forensics (1).pptx
Gautam708801
 
PPTX
Electronic Forensic Protocols and Working with Computer Forensic Examiners
BoyarMiller
 
PPTX
unit 5 understanding computer forensics.pptx
Dimple Relekar
 
PPT
Processing Crime and Incident Scenes.ppt
mcjaya2024
 
PPT
COMPUTER FORENSICS MODULE III of unit 3.ppt
ssuserec53e73
 
PPT
ch05 forensics cyber topics covers tools of forensics
DurgaDeviP2
 
PPT
Digital forensics
Nicholas Davis
 
PPT
Digital Forensics
Nicholas Davis
 
PPTX
MODULE-2 CONTD processing crime &incident scene.pptx
andrewvivan981
 
PPTX
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller
 
PDF
Computer forencis
Teja Bheemanapally
 
PPTX
Best Cyber Crime Investigation Service Provider | Fornsec Solutions
FORnSECSolutions
 
PPTX
Most promising cyber forensic solution providers from india forn sec solut...
FORnSECSolutions
 
PPTX
Digital&computforensic
Rahul Badekar
 
PPTX
DIGITAL FORENSICS_PRESENTATION
Amina Baha
 
PPTX
Computer forensics and its role
Sudeshna Basak
 
PPTX
Unit 4 -Digital Forensic Chapter for MSBTE engineering students
gboy4529248
 
PPTX
Akcomputerforensics 130222081008-phpapp02-140809110602-phpapp02
satyabwati
 
Trade Secret Theft in the Digital Age
BoyarMiller
 
ppt for Module 5 cybersecuirty_023501.pptx
MayuraD1
 
Computer Forensics (1).pptx
Gautam708801
 
Electronic Forensic Protocols and Working with Computer Forensic Examiners
BoyarMiller
 
unit 5 understanding computer forensics.pptx
Dimple Relekar
 
Processing Crime and Incident Scenes.ppt
mcjaya2024
 
COMPUTER FORENSICS MODULE III of unit 3.ppt
ssuserec53e73
 
ch05 forensics cyber topics covers tools of forensics
DurgaDeviP2
 
Digital forensics
Nicholas Davis
 
Digital Forensics
Nicholas Davis
 
MODULE-2 CONTD processing crime &incident scene.pptx
andrewvivan981
 
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller
 
Computer forencis
Teja Bheemanapally
 
Best Cyber Crime Investigation Service Provider | Fornsec Solutions
FORnSECSolutions
 
Most promising cyber forensic solution providers from india forn sec solut...
FORnSECSolutions
 
Digital&computforensic
Rahul Badekar
 
DIGITAL FORENSICS_PRESENTATION
Amina Baha
 
Computer forensics and its role
Sudeshna Basak
 
Unit 4 -Digital Forensic Chapter for MSBTE engineering students
gboy4529248
 
Akcomputerforensics 130222081008-phpapp02-140809110602-phpapp02
satyabwati
 
Ad

More from N.Jagadish Kumar (17)

PDF
Human computer interaction-web interface design and mobile eco system
N.Jagadish Kumar
 
PPTX
Human computer interaction -Design and software process
N.Jagadish Kumar
 
PPTX
Human computer interaction-Memory, Reasoning and Problem solving
N.Jagadish Kumar
 
PPTX
Human computer interaction -Input output channel with Scenario
N.Jagadish Kumar
 
PPTX
Human computer interaction -Input output channel
N.Jagadish Kumar
 
PPTX
Human Computer Interaction Introduction
N.Jagadish Kumar
 
PPTX
Big data explanation with real time use case
N.Jagadish Kumar
 
PPTX
AWS INTRODUCTION
N.Jagadish Kumar
 
PPTX
Database mangement system a simple introduction
N.Jagadish Kumar
 
PPT
Datawarehouse
N.Jagadish Kumar
 
PPT
Application layer protocols
N.Jagadish Kumar
 
PPT
Routing protocols
N.Jagadish Kumar
 
PPT
Media Access and Internetworking
N.Jagadish Kumar
 
PPT
Computer Network Fundamentals
N.Jagadish Kumar
 
PPTX
Beginers guide for oracle sql
N.Jagadish Kumar
 
PPTX
Transport layer protocol
N.Jagadish Kumar
 
Human computer interaction-web interface design and mobile eco system
N.Jagadish Kumar
 
Human computer interaction -Design and software process
N.Jagadish Kumar
 
Human computer interaction-Memory, Reasoning and Problem solving
N.Jagadish Kumar
 
Human computer interaction -Input output channel with Scenario
N.Jagadish Kumar
 
Human computer interaction -Input output channel
N.Jagadish Kumar
 
Human Computer Interaction Introduction
N.Jagadish Kumar
 
Big data explanation with real time use case
N.Jagadish Kumar
 
AWS INTRODUCTION
N.Jagadish Kumar
 
Database mangement system a simple introduction
N.Jagadish Kumar
 
Datawarehouse
N.Jagadish Kumar
 
Application layer protocols
N.Jagadish Kumar
 
Routing protocols
N.Jagadish Kumar
 
Media Access and Internetworking
N.Jagadish Kumar
 
Computer Network Fundamentals
N.Jagadish Kumar
 
Beginers guide for oracle sql
N.Jagadish Kumar
 
Transport layer protocol
N.Jagadish Kumar
 

Recently uploaded (20)

PDF
What is CFA?? Complete Guide to the Chartered Financial Analyst Program
sp4989653
 
PDF
Exploring-Forces 5.pdf/8th science curiosity/by sandeep swamy notes/ppt
Sandeep Swamy
 
DOCX
SAROCES Action-Plan FOR ARAL PROGRAM IN DEPED
Levenmartlacuna1
 
PPTX
Nursing Management of Patients with Disorders of Ear, Nose, and Throat (ENT) ...
RAKESH SAJJAN
 
PPTX
HISTORY COLLECTION FOR PSYCHIATRIC PATIENTS.pptx
PoojaSen20
 
PPTX
An introduction to Dialogue writing.pptx
drsiddhantnagine
 
PDF
Arihant Class 10 All in One Maths full pdf
sajal kumar
 
PDF
7.Particulate-Nature-of-Matter.ppt/8th class science curiosity/by k sandeep s...
Sandeep Swamy
 
PPTX
How to Manage Leads in Odoo 18 CRM - Odoo Slides
Celine George
 
PPTX
NOI Hackathon - Summer Edition - GreenThumber.pptx
MartinaBurlando1
 
PDF
Review of Related Literature & Studies.pdf
Thelma Villaflores
 
PPTX
CARE OF UNCONSCIOUS PATIENTS .pptx
AneetaSharma15
 
PDF
The Minister of Tourism, Culture and Creative Arts, Abla Dzifa Gomashie has e...
nservice241
 
PDF
Types of Literary Text: Poetry and Prose
kaelandreabibit
 
PPTX
Tips Management in Odoo 18 POS - Odoo Slides
Celine George
 
DOCX
UPPER GASTRO INTESTINAL DISORDER.docx
BANDITA PATRA
 
PPT
Python Programming Unit II Control Statements.ppt
CUO VEERANAN VEERANAN
 
PPTX
Understanding operators in c language.pptx
auteharshil95
 
PPTX
vedic maths in python:unleasing ancient wisdom with modern code
mistrymuskan14
 
PDF
2.Reshaping-Indias-Political-Map.ppt/pdf/8th class social science Exploring S...
Sandeep Swamy
 
What is CFA?? Complete Guide to the Chartered Financial Analyst Program
sp4989653
 
Exploring-Forces 5.pdf/8th science curiosity/by sandeep swamy notes/ppt
Sandeep Swamy
 
SAROCES Action-Plan FOR ARAL PROGRAM IN DEPED
Levenmartlacuna1
 
Nursing Management of Patients with Disorders of Ear, Nose, and Throat (ENT) ...
RAKESH SAJJAN
 
HISTORY COLLECTION FOR PSYCHIATRIC PATIENTS.pptx
PoojaSen20
 
An introduction to Dialogue writing.pptx
drsiddhantnagine
 
Arihant Class 10 All in One Maths full pdf
sajal kumar
 
7.Particulate-Nature-of-Matter.ppt/8th class science curiosity/by k sandeep s...
Sandeep Swamy
 
How to Manage Leads in Odoo 18 CRM - Odoo Slides
Celine George
 
NOI Hackathon - Summer Edition - GreenThumber.pptx
MartinaBurlando1
 
Review of Related Literature & Studies.pdf
Thelma Villaflores
 
CARE OF UNCONSCIOUS PATIENTS .pptx
AneetaSharma15
 
The Minister of Tourism, Culture and Creative Arts, Abla Dzifa Gomashie has e...
nservice241
 
Types of Literary Text: Poetry and Prose
kaelandreabibit
 
Tips Management in Odoo 18 POS - Odoo Slides
Celine George
 
UPPER GASTRO INTESTINAL DISORDER.docx
BANDITA PATRA
 
Python Programming Unit II Control Statements.ppt
CUO VEERANAN VEERANAN
 
Understanding operators in c language.pptx
auteharshil95
 
vedic maths in python:unleasing ancient wisdom with modern code
mistrymuskan14
 
2.Reshaping-Indias-Political-Map.ppt/pdf/8th class social science Exploring S...
Sandeep Swamy
 

Cyber forensic-Evedidence collection tools

  • 1. CS6004-Cyber forensic Chapter-IV Evidence collection and tools N. Jagadish kumar Assistant professor-IT
  • 2. Processing crime and Incident scenes • As the world becomes more global or “flat” in nature, you need to be aware of how laws are interpreted in other countries. • As more countries establish e-laws and more cases go to court, the laws must be applied consistently. • Cases of fraud and money laundering are becoming more of a global or an international issue, and crimes against consumers can originate from anywhere in the world. • Computers and digital evidence seized in one U.S. jurisdiction might affect a case that’s worldwide in scope. • To address these issues, this chapter explains how to apply standard crime scene practices and rules for handling evidence to corporate and law enforcement computing investigations
  • 3. Identifying Digital evidence • Digital evidence can be any information stored or transmitted in digital form. • U.S. courts accept digital evidence as physical evidence, which means that digital data is treated as a tangible object, such as a weapon, paper document, or visible injury, that’s related to a criminal or civil incident.
  • 4. … • Courts in other countries are still updating their laws to take digital evidence into account. Some require that all digital evidence be printed out to be presented in court. • Groups such as the Scientific Working Group on Digital Evidence (SWGDE; www.swgde.org) and the International Organization on Computer Evidence (IOCE; www.ioce.org) set standards for recovering, preserving, and examining digital evidence.
  • 5. …… Following are the general tasks that investigators perform when working with digital evidence: • Identify digital information or artifacts that can be used as evidence. • Collect, preserve, and document evidence. • Analyze, identify, and organize evidence. • Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.
  • 6. …. • Collecting computers and processing a criminal or incident scene must be done systematically. • To minimize confusion, reduce the risk of losing evidence, and avoid damaging evidence, only one person should collect and catalog digital evidence at a crime scene or lab, if practical.
  • 7. …… • An important challenge investigators face today is establishing recognized standards for digital evidence. • For example, cases involving several police raids are being conducted simultaneously in several countries. • As a result, you have multiple sites where evidence was seized and hundreds of pieces of digital evidence, including hard drives, cell phones, memory sticks, PDAs, and other storage devices.
  • 8. Understanding Rules of Evidence • you must handle all evidence consistently • Apply the same security and accountability controls for evidence for both state’s rules of evidence or with the Federal Rules of Evidence. • evidence admitted in a criminal case might also be used in a civil suit, and vice versa. • As part of your professional growth, keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence.
  • 9. ….. • Digital evidence is unlike other physical evidence because it can be changed more easily. The only way to detect these changes is to compare the original data with a duplicate (But still it is complicated to distinguish , so digital evidence requires special legal consideration) • Most courts have interpreted computer records as hearsay evidence.(Hearsay is any out-of-court statement presented in court to prove the truth of an assertion)
  • 10. …..• Computer records are usually divided into • computer-generated records and • computer-stored records. • Computer-generated records are data the system maintains, such as system log files and proxy server logs. They are output generated from a computer process or algorithm, not usually data a person creates . Computer-stored records, however, are electronic data that a person creates and saves on a computer, such as a spreadsheet or word processing document. Some records combine computer-generated and computer-stored evidence
  • 11. ………… • Computer records must also be shown to be authentic and trustworthy to be admitted into evidence. • Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic, as does using established computer forensics software tools. • Courts have consistently ruled that computer forensics investigators don’t have to be subject matter experts on the tools they use.
  • 12. …. • Agents and prosecutors occasionally express concern that a printout of a computer-stored electronic file might not qualify as an original document, according to the best evidence rule. • In its most fundamental form, the original file is a collection of 0s and 1s; in contrast, the printout is the result of manipulating the file through a complicated series of electronic and mechanical processes.
  • 13. … • To address this concern about original evidence, the Federal Rules of Evidence state: • Instead of producing hard disks in court, attorneys can submit printed copies of files as evidence.
  • 14. Collecting Evidence in Private-Sector Incident Scenes • A special category of private-sector businesses includes ISPs and other communication companies. • ISPs can investigate computer abuse committed by their employees, but not by customers. • ISPs must preserve customer privacy, especially when dealing with e-mail.
  • 15. ….. • Patriot Act of 2001 have redefined how ISPs and large corporate Internet users operate and maintain their records. • ISPs and other communication companies now can investigate customers’ activities that are deemed to create an emergency situation ,such as finding a bomb threat in an e-mail message.
  • 16. …….. • Investigating and controlling computer incident scenes in the corporate environment is much easier than in the criminal environment. • In the private sector, the incident scene is often a workplace, such as a contained office or manufacturing area, where a policy violation is being investigated. • For example, most companies use a single Web browser, such as Microsoft Internet Explorer, Mozilla Firefox, or KDE Konqueror. Knowing which browser a suspect used to identify data downloaded to the suspect’s workstation.
  • 17. ….. • If a corporate investigator finds that an employee is committing or has committed a crime, the employer can file a criminal complaint with the police. • Employers are usually interested in enforcing company policy, not seeking out and prosecuting employees, so typically they approve computer investigations only to identify employees who are misusing company assets.
  • 18. ….. • Corporate investigators are, therefore, primarily concerned with protecting company assets. • If you discover evidence of a crime during a company policy investigation, first determine whether the incident meets the elements of criminal law. • Next inform management of the incident; they might have other concerns, such as protecting confidential business data that might be included with the criminal evidence.
  • 19. …… • After you submit evidence containing sensitive information to the police, it becomes public record. • Public record laws do include exceptions for protecting sensitive corporate information; ultimately, however, a judge decides what to protect.
  • 20. ….. • One example of a company policy violation involves employees observing another employee accessing pornographic Web sites. • If organization need evidence , you could start by extracting log file data from the proxy server (used to connect a company LAN to the Internet) and conducting a forensic examination of the subject’s computer.
…
• Suppose that during your examination, you find adult and child pornography. Further examination of the subject’s hard disk reveals that the employee has been collecting child pornography in separate folders on his workstation’s hard drive.
• In the United States, possessing child pornography is a crime under federal and state criminal statutes.
Processing Law Enforcement Crime Scenes
• To process a crime scene properly, you must be familiar with criminal rules of search and seizure.
• You should also understand how a search warrant works and what to do when you process one.
• A law enforcement officer can search for and seize criminal evidence only with probable cause.
• With probable cause, a police officer can obtain a search warrant from a judge that authorizes a search and the seizure of specific evidence related to the criminal complaint.
Understanding Concepts and Terms Used in Warrants
• Many computing investigations involve large amounts of data, sometimes terabytes of information. Unrelated information (referred to as innocent information) is often included with the evidence you’re trying to recover.
• This unrelated information might be personal and private records of innocent people or confidential business information.
…
• When you find commingled evidence, judges often issue a limiting phrase to the warrant, which allows the police to separate innocent information from evidence. The warrant must list which items can be seized.
• Plain view doctrine: objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence.
Preparing for a Search
• Preparing for a computer search and seizure is probably the most important step in computing investigations.
• The better you prepare, the smoother your investigation will be.
• The following sections discuss the tasks you should complete before you search for evidence.
Identifying the Nature of the Case
• If you can identify the computing system, estimate the size of the drive on the suspect’s computer and how many computers you have to process at the scene. Also, determine which OSs and hardware might be involved and whether the evidence is located on a Microsoft, Linux, UNIX, Macintosh, or mainframe computer.
• For corporate investigators, configuration management databases make this step easier.
Determining Whether You Can Seize a Computer
• Law enforcement investigators need a warrant to remove computers from a crime scene and transport them to a lab.
• If removing the computers will irreparably harm a business, the computers should not be taken offsite, unless you have disclosed the effect of the seizure to the judge.
…
• An additional complication is files stored offsite that are accessed remotely. You must decide whether the drives containing those files need to be examined.
• Another consideration is the availability of online data storage services that rent space, which essentially can’t be located physically.
• The data is stored on drives where data from many other subscribers might be stored.
Obtaining a Detailed Description of the Location
• Environmental and safety issues are the primary concerns during this process.
• Some computer cases involve dangerous settings, such as a drug bust of a methamphetamine lab or a terrorist attack using biological, chemical, or nuclear contaminants.
• For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
Using Additional Technical Expertise
• Suppose you’re assigned to process a crime scene at a data center running Microsoft Windows servers with several RAID drives and high-end UNIX servers.
• If you’re the leader of this investigation, you must identify the additional skills needed to process the crime scene, such as how to acquire data from RAID servers and how much data you can acquire.
…
• RAID servers typically hold several terabytes of data, and standard imaging tools might not be able to handle these large data sets.
• When working at high-end computing facilities, identify the applications the suspect uses, such as Oracle databases. You might need to recruit an Oracle specialist or site support staff to help extract data for the investigation.
• Finding the right person can be an even bigger challenge than conducting the investigation.
Determining the Tools You Need
• After you have gathered as much information as possible about the incident or crime scene, you can start listing what you need at the scene.
• Using the right kit makes processing an incident or crime scene much easier and minimizes how much you have to carry from your vehicle to the scene.
…
• Your initial-response field kit should be lightweight and easy to transport. With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
(Table, not reproduced here: some items you might need at the scene)
(Table, not reproduced here: tools you might need in an initial-response field kit)
…
• Keep in mind that digital evidence is volatile. Develop the skills to assess the facts quickly, make your plan, gather the needed resources, and collect data from the incident or crime scene.
• In some computing investigations, responding slowly might result in the loss of important evidence for the case.
Securing a Computer Incident or Crime Scene
• If you’re in charge of securing a computer incident or crime scene, use yellow barrier tape to prevent bystanders from accidentally entering the scene.
• Use police officers or security guards to prevent others from entering the scene.
• Access to the scene should be restricted to only those people who have a specific reason to be there.
…
• Computers can also contain actual physical evidence, such as DNA evidence or fingerprints on keyboards.
• Crime labs can use special vacuums to extract DNA residue from a keyboard to compare with other DNA samples.
• Evidence is commonly lost or corrupted because of professional curiosity, which involves police officers and other professionals who aren’t part of the crime scene processing team.
…
• They just have a compelling interest in seeing what happened.
• Their presence could contaminate the scene directly or indirectly.
• You must protect all digital evidence, so make sure no one examines a suspect’s computer before you can capture and preserve an image of the hard disk.
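The last point, capturing and preserving an image before anyone touches the machine, comes down to a block-by-block copy whose hash is recorded at acquisition time so any later change can be proved. The following is an added Python example, not code from the slides or from any forensic tool, that acquires a constructed "disk" file into an image, records source and image SHA-256 values, and then shows that a single byte changed afterwards (the "professional curiosity" problem) fails verification. File names, block size and the disk contents are all assumptions made for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumed acquisition block size for the example


def sha256_file(path, block_size=BLOCK_SIZE):
    """Hash a file in blocks so even a multi-terabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy the source to an image block by block, hashing the source as it is read.

    Returns an acquisition record: what was copied, when, and the hash of both
    the source (as read) and the written image, plus whether the two agree.
    """
    h = hashlib.sha256()
    copied = 0
    started = datetime.now(timezone.utc).isoformat()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    record = {
        "source": source_path,
        "image": image_path,
        "bytes_copied": copied,
        "acquired_at": started,
        "source_sha256": h.hexdigest(),
        "image_sha256": sha256_file(image_path, block_size),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash the image and compare it with the value recorded at acquisition."""
    return sha256_file(image_path) == expected_sha256


def demo_acquisition():
    """Constructed walk-through: fake disk, acquisition, verification, then a tamper check."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_disk.bin")   # stands in for the physical drive
        image = os.path.join(tmp, "suspect_disk.dd")     # the evidence image
        # Three full blocks plus a 4-byte tail, so the final short read is exercised too
        payload = (b"MBR" + b"\x00" * (BLOCK_SIZE - 3)) + bytes(range(256)) * 32 + b"tail"
        with open(source, "wb") as f:
            f.write(payload)

        record = acquire_image(source, image)
        intact = verify_image(image, record["source_sha256"])

        # Someone "just looks" at the image and flips one byte in the second block
        with open(image, "r+b") as f:
            f.seek(BLOCK_SIZE + 5)
            original = f.read(1)
            f.seek(BLOCK_SIZE + 5)
            f.write(bytes([original[0] ^ 0xFF]))
        still_verifies = verify_image(image, record["source_sha256"])

        return {
            "bytes_copied": record["bytes_copied"],
            "verified_at_acquisition": record["verified"],
            "intact_before_tamper": intact,
            "tamper_detected": not still_verifies,
        }


if __name__ == "__main__":
    print(demo_acquisition())
```

Hashing the source as it is read and the image after it is written, rather than hashing the image alone, is what lets the record stand on its own: the two values agreeing shows the copy is faithful, and the recorded value is what every later examiner checks against before working on the image.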