1. COS/PSA 413 Day 10

2. Agenda Lab 4 Write-ups are in –Will have corrected by next class Lab 5 write-ups due Oct 19 Assignment 3 posted (due Oct 21) Capstone Proposals Over due –See guidelines in WebCT –All 10 require some modifications (emails sent) Got one back so far Exam 2 on Oct 21 –Chaps 5-9, 10 M/C (30 Points), 10 Short Answer (30 points), 5 Essays (40 points) Open Book, Open Notes, 70 min. time limit. Today we will discuss Processing Crime and Incident scenes –Chap 8 in 1e and Chap 5e in 2e (mostly the same except using different forensics tools)

3. Processing Crime and Incident Scenes Chapter 8

4. Learning Objectives Process Crime and Incident Reports Process a Law Enforcement Crime Scene Prepare for a Search Secure a Computer Incident or Crime Scene Seize Digital Evidence at the Scene Collect Digital Evidence Review a Case

5. Processing Crime and Incident Reports

6. Collecting Evidence in Private-Sector Incident Scenes Freedom of Information Act (FOIA) –States public records are open and available for inspection –Citizens can request public documents created by federal agencies Homeland Security Act Patriot Act

7. Collecting Evidence in Private-Sector Incident Scenes (continued) Corporate environment is much easier than criminal environment Employees’ expectation of privacy –Create and publish a privacy policy –Use warning banners State when an investigation can be initiated –Reasonable suspicion

8. Collecting Evidence in Private-Sector Incident Scenes (continued)

9. Avoid becoming a law enforcement agent Check with your corporate attorney on how to proceed –Commingled data –Warrants –Subpoena –Civil liability

10. Processing Law Enforcement Crime Scenes Criminal rules of search and seizure Probable cause –Specific crime was committed –Evidence exists –Place to be searched includes evidence Warrant –Probable cause –Witness

11. Processing Law Enforcement Crime Scenes (continued)

12. Understanding Concepts and Terms Used in Warrants Innocent information –Unrelated information Limiting phrase –Separate innocent information from evidence Plain view doctrine –Searched area can be extended Knock and announce

13. Preparing for a Search Most important step in computing investigations Steps: –Identifying the nature of the case –Identifying the type of computer system –Determining whether you can seize a computer –Obtaining a detailed description of the location

14. Preparing for a Search (continued) Steps (continued): –Determining who is in charge –Using additional technical expertise –Determining the tools you need –Preparing the investigation team

15. Identifying the Nature of the Case Private or public Dictates: –How you proceed –Resources needed during the investigation

16. Identifying the Type of Computing System Identify: –Size of the disk drive –Number of computers at the crime scene –OSs –Specific details about the hardware Easier to do in a controlled environment, such as a corporation

17. Determining Whether You Can Seize a Computer Ideal situation –Seize computers and take them to your lab Not always possible Need a warrant Consider using portable resources

18. Obtaining a Detailed Description of the Location Get as much information as you can Identify potential hazards –Interact with your HAZMAT team HAZMAT guidelines –Protect your target disk before using it –Check for high temperatures

19. Determining Who Is in Charge Corporate computing investigations require only one person to respond Law enforcement agencies: –Handle large-scale investigations –Designate leader investigators

20. Using Additional Technical Expertise Look for specialists –OSs –RAID servers –Databases Can be hard Educate specialists in proper investigative techniques –Prevent evidence damage

21. Determining the Tools You Need Prepare your tools using incident and crime scene information Initial-response field kit –Lightweight –Easy to transport Extensive-response field kit –Includes all tools you can afford

22. Determining the Tools You Need (continued)

24. Preparing the Investigation Team Review facts, plans, and objectives Coordinate an action plan with your team –Collect evidence –Secure evidence Slow response can cause digital evidence lost

25. Securing a Computer Incident or Crime Scene Preserve the evidence Keep information confidential Define a secure perimeter –Use yellow barrier tape –Legal authority Professional curiosity –Can destroy evidence

26. Seizing Digital Evidence at the Scene Law enforcement can seize evidence with a proper warrant Corporate investigators rarely can seize evidence U.S. DoJ standards for seizing digital data Civil investigations follow same rules –Require less documentation, though Consult with your attorney for extra guidelines

27. Processing a Major Incident or Crime Scene Guidelines –Keep a journal –Secure the scene –Be professional and courteous with onlookers –Remove people who are not part of the investigation –Video record the computer area Pay attention to details

28. Processing a Major Incident or Crime Scene (continued) Guidelines (continued) –Sketch the incident or crime scene –Check computers as soon as possible –Save data from current applications as safe as possible –Make notes of everything you do when copying data from a live suspect computer –Close applications and shutdown the computer

29. Processing a Major Incident or Crime Scene (continued) Guidelines (continued) –Look for information related to the investigation Passwords, passphrases, PINs, bank accounts –Collect documentation and media related to the investigation Hardware, software, backup media

30. Processing Data Centers with an Array of RAIDs Sparse evidence file recovery –Extracts only data related to evidence for your case from allocated files –Minimizes how much data you need to analyze –Doesn’t recover residual data in free or slack space –If you have a computer forensics tool that accesses the unallocated space on a RAID system, work it on a test system first to make sure it doesn’t corrupt the RAID computer

31. Using a Technical Advisor at an Incident or Crime Scene Technical specialists Responsibilities: –Know aspects of the seized system –Is direct investigator handling sensitive material –Help securing the scene –Help document the planning strategy –Conduct ad hoc trainings –Document activities

32. Sample Civil Investigation Recover specific evidence –Suspect’s Outlook e-mail folder (PST file) Covert surveillance –Company policy –Risk of civil or criminal liability Sniffing tools –For data transmissions

33. Sample Criminal Investigation Computer crimes examples –Fraud –Check fraud –Homicides Need a warrant to start seizing evidence –Limit searching area

34. Sample Criminal Investigation (continued)

35. Reviewing a Case Tasks to perform in a case: - Identify the case requirements - Plan your investigation - Execute the investigation - Complete the case report - Critique the case

36. Reviewing a Case

37. Identifying the Case Requirements - What is the nature of the case? Two people are missing or overdue at work. - What are their names? George Popson and Martha Heiser - What do they do? George is a supervisor in the Accounts Payable Department, and Martha is a shipping clerk.

38. Reviewing a Case Identifying the Case Requirements - What is the OS of the suspect computer? Microsoft Windows 98. - What type of media needs to be examined? One floppy disk drive.

39. Reviewing a Case Planning Your Investigation - George and Martha’s absences might or might not be related. - George’s computer might contain information explaining their absence. - No one else has used George’s computer since he disappeared. - You need to make an image of George’s computer and attempt to retrieve evidence related to the case.

40. Chapter Summary -In the private sector, an incident scene is often a place of work, such as a contained office or manufacturing area. Because everything from the computers used to violate a company policy to the surrounding facility is under a controlled authority, it is easier to investigate and control the scene than in a criminal environment.

41. Chapter Summary -Companies should publish policies stating that they reserve the right to inspect computing assets at will; otherwise, the employees’ expectation of privacy prevents an employer from legally conducting an intrusive investigation. A well-defined corporate policy states that an employer has the right to examine, inspect, or access any company- owned computing asset. If the policy statement is issued to all employees, the employer can investigate computing assets at will without any privacy right restrictions.

42. Chapter Summary -Proper procedure needs to be followed even in private-sector investigations, because civil litigations can become criminal investigations very easily. As a corporate investigator, you must ensure that sensitive company information does not become commingled with criminal evidence.

43. Chapter Summary -If an internal corporate case is turned over to law enforcement because of criminal activity, the corporate investigator must avoid becoming an agent of law enforcement because at that time, affidavits and search warrants are needed. -The plain view doctrine applies when items that are evidentiary, and not specified in a warrant under probable cause, are in plain view.

44. Chapter Summary -Criminal cases require a properly executed and well-defined search warrant. A specific crime and specific location must be spelled out in the warrant. For all criminal investigations in the United States, the Fourth Amendment to the Constitution specifies that a law enforcement officer may only search for and seize criminal evidence with probable cause, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.

45. Chapter Summary -When preparing for a case, you need to describe the nature of the case, identify the type of Operating System (OS), determine whether you can seize the computer, and obtain a description of the location. -If dealing with a hazardous material (HAZMAT) situation, you may need to have someone else obtain the evidence from the location.

46. Chapter Summary -Always take pictures or use a digital camera to document the scene. Then methodically record what exists at the scene. Prevent professional curiosity from contaminating evidence by limiting who enters the scene.

47. Chapter Summary -As you collect digital evidence, guard against physically destroying or contaminating it. Take precautions to prevent static electricity discharge to electronic devices. If possible, bag or box digital evidence and any hardware you collect from the incident or crime scene. As you collect the hardware, sketch the equipment, including extra markings of where components were located. Tag and number each cable, port, and any other connection and record its number and description in a log.