Computer Forensics: Evidence
Law Enforcement vs. Citizens
- A search must have probable cause
  – 4th Amendment: search warrant required
- A private citizen is not subject to the 4th Amendment
- A private citizen may, however, be acting as a police agent
Role of Evidence
- Material offered to the judge and jury
- May directly or indirectly prove or disprove that the crime has been committed
- Evidence must be tangible
  – Electrical voltages are intangible
  – Hard to prove lack of modification
Evidence Requirements
- Material: relevant to the case
- Competent: properly collected, obtained legally, and chain of custody maintained
- Relevant: pertains to the subject's motives and should prove or disprove a fact
Chain of Custody
- Who obtained it?
- Where and when was it obtained?
- Who secured it?
- Who had control or possession?
- How was it moved?
Types of Evidence
- Best
  – Primary, original documents, not oral
- Secondary
  – Copies of documents, oral testimony, eyewitness accounts
- Direct
  – Can prove a fact by itself
  – Does not need corroborative information
  – Information from a witness
More Types
- Conclusive
  – Irrefutable and cannot be contradicted
- Circumstantial
  – Assumes the existence of another fact
  – Cannot be used alone to prove the fact
- Corroborative
  – Supporting evidence
  – Supplementary tool
More Types
- Opinion
  – Experts give an educated opinion
- Hearsay
  – No firsthand proof
  – Computer-generated evidence
- Real
  – Physical evidence
  – Tangible objects
More Types
- Documentary
  – Records, manuals, printouts
  – Most evidence is documentary
- Demonstrative
  – Aids the jury in understanding a concept
  – Experiments, charts, animation
Hearsay Rule Exception
- Business record exemption to the hearsay rule
  – Documents can be admitted if created during normal business activity
  – This does not include documents created for a specific court case
  – Regular business records carry more weight
  – Federal Rule of Evidence 803(6)
- Records must be kept in custody on a regular basis
- Records must be relied upon in the normal course of business
Before the Crime Happens
- Select an Incident Response Team (IRT)
- Decide whether the team is internal or external
- Set policies and procedures
- If internal, include
  – IT
  – Management
  – Legal
  – PR
Incident Handling
- First goal
  – Contain and repair damage
  – Prevent further damage
  – Collect evidence
Evidence Collection
- Photograph the area
- Dump the contents of memory
- Power down the system
- Photograph internal system components
- Label each piece of evidence
  – Bag it
  – Seal it
  – Sign it
Forensics
- Study of technology and how it relates to law
- Image the disk and other storage devices
  – Bit-level copy (captures deleted files, slack space, etc.)
  – Use specialized tools
  – Further work is done on the copy, never the original
- Create a message digest for integrity
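Added example (not part of the original slides): a bit-level acquisition of a constructed "device" file, a SHA-256 digest taken at acquisition, a hash-chained chain-of-custody log answering the who/where/when questions from the Chain of Custody slide, and a re-verification that fails once the working copy is altered. Examiner names and locations are hypothetical.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # copy in fixed blocks so slack and unallocated space are captured, not just files

def digest_file(path):
    """SHA-256 over every byte of the file, read in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(device_path, image_path):
    """Bit-level copy of the source into image_path.
    Returns (source digest, digest of the copy read back from disk)."""
    with open(device_path, "rb") as dev, open(image_path, "wb") as img:
        for block in iter(lambda: dev.read(BLOCK), b""):
            img.write(block)
    return digest_file(device_path), digest_file(image_path)

def custody_record(log, action, who, where, digest):
    """Append one chain-of-custody entry; each entry commits to the previous one."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"when": datetime.now(timezone.utc).isoformat(), "who": who,
             "where": where, "action": action, "sha256": digest, "prev": prev}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return log

def verify_image(image_path, expected_digest):
    """True only if the working copy still matches the digest taken at acquisition."""
    return digest_file(image_path) == expected_digest

def run_demo():
    """Constructed device: a 'deleted' file remnant followed by zeroed slack."""
    work = tempfile.mkdtemp()
    dev, img = os.path.join(work, "device.bin"), os.path.join(work, "device.img")
    with open(dev, "wb") as f:
        f.write(b"DELETED: meeting notes".ljust(2 * BLOCK, b"\x00"))  # constructed sample
    src_digest, copy_digest = acquire_image(dev, img)
    log = custody_record([], "acquired bit-level image", "examiner A (hypothetical)",
                         "lab bench 1 (hypothetical)", copy_digest)
    intact = verify_image(img, src_digest)
    with open(img, "r+b") as f:  # simulate an undocumented change to the working copy
        f.seek(BLOCK)
        f.write(b"\xff")
    return {"match": src_digest == copy_digest, "intact": intact,
            "after_tamper": verify_image(img, src_digest), "entries": len(log)}
```

In practice the source digest is taken from a write-blocked original and recorded on the custody form before any analysis begins; every later examination step is verified against it.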
Things to Look For
- Hidden files
- Steganography
- Slack space
- Malware
- Deleted files
- Swap files
Trapping the Bad Guy
- Enticement
  – Legal attempt to lure a criminal into committing a crime
  – Provide a honeypot in your DMZ
  – Pseudo flaw (software code)
  – Padded cell (virtual machine)
- Entrapment
  – Illegal attempt to trick a person into committing a crime
Liability
- The company must practice due care
- Management must practice due diligence
- Follow the prudent person rule
- Watch for downstream liabilities