Computer Forensics Principles and Practices


Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 2: Computer Forensics and Digital Detective Work

Objectives
- Recognize the role e-evidence plays in physical, or violent, and computer crimes
- Describe the basic steps in a computer forensics investigation
- Identify the legal and ethical issues affecting evidence search and seizure
- Identify the types of challenges to the admissibility of e-evidence
© Pearson Education Computer Forensics: Principles and Practices

Objectives (Cont.)
- Understand how criminals’ motives can help in crime detection and investigation
- Explain chain of custody
- Explain why acceptable methods for computer forensics investigations and e-discovery are still emerging

Introduction
- Computer forensics investigators are “detectives of the digital world.”
- This chapter introduces you to the generally accepted methods used in computer forensics; the trails left by computer architecture, the Internet, and digital devices; and the types of evidence those trails leave behind.
Notes: Introduce the chapter.

E-Evidence Trails and Hidden Files
- Computers are routinely used to plan and coordinate many types of crimes
- Computer activities leave e-evidence trails
- File-wiping software can be used to delete data
- The file-wiping process takes time and expertise
- Many e-evidence traces can be found by showing hidden files on a computer
Notes: Explain the example of how some accountants at KPMG mentioned in e-mails how they were misleading the IRS. Explain that there are some legitimate uses for file-wiping software; however, criminals use it to erase their tracks. This is a time-consuming process and may not work as intended unless specific instructions are given to the software telling it where to wipe files from on the hard drive.

Knowing What to Look For
- Technical knowledge of how data and metadata are stored determines what e-evidence is found
- For this reason, the technical knowledge of investigators must keep pace with evolving data storage devices
Notes: Make sure that students understand the importance of always updating their knowledge of computer hardware and software, and of how information (data and metadata) is stored.
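The two slides above make the point that hidden files and file metadata (size, timestamps, content hashes) are where e-evidence trails surface. The following script is an added example written for this page; it is not code from the Volonino, Anzaldua and Godwin textbook or from Pearson. It builds a small constructed directory tree (a dotfile and a file inside a dot-directory stand in for "hidden" items), then inventories every regular file with its Unix/Windows hidden status, three timestamps and a SHA-256 hash, which is the minimum an examiner records before interpreting anything. The function names and the sample contents are the example's own. Note that opening a file to hash it can update its access time on a live system, so in practice this kind of inventory is run against a read-only mounted image, never the original disk.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone


def _iso(ts):
    """Render a POSIX timestamp as an ISO-8601 UTC string for the report."""
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def is_hidden(root, path, st):
    """Unix convention: a leading dot on the file name or any ancestor inside root.
    Windows convention: the FILE_ATTRIBUTE_HIDDEN bit (st_file_attributes exists
    only on Windows, so it is read with a default of 0 elsewhere)."""
    rel = os.path.relpath(path, root)
    dotted = any(part.startswith(".") for part in rel.split(os.sep))
    attrs = getattr(st, "st_file_attributes", 0)
    return dotted or bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def inventory(root):
    """Every regular file under root, with hidden flag, size, timestamps and SHA-256."""
    records = []
    for dirpath, _dirs, files in os.walk(root):      # os.walk descends into dot-directories too
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                       # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            records.append({
                "path": os.path.relpath(path, root),
                "hidden": is_hidden(root, path, st),
                "size": st.st_size,
                "modified": _iso(st.st_mtime),
                "accessed": _iso(st.st_atime),
                "changed": _iso(st.st_ctime),         # inode change time (creation time on Windows)
                "sha256": digest,
            })
    return sorted(records, key=lambda r: r["path"])


def hidden_files(records):
    """Paths of the records flagged as hidden."""
    return [r["path"] for r in records if r["hidden"]]


def build_sample_tree():
    """Constructed sample directory, not real evidence: two ordinary files,
    a dotfile, and a file inside a dot-directory."""
    root = tempfile.mkdtemp(prefix="sample_evidence_")
    os.makedirs(os.path.join(root, ".cache"))
    samples = {
        "readme.txt": b"hello\n",
        "report.txt": b"quarterly numbers\n",
        ".bash_history": b"ls -la\n",
        os.path.join(".cache", "notes.txt"): b"meeting at 9\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rec in inventory(sample_root):
        flag = "HIDDEN " if rec["hidden"] else "       "
        print(f"{flag}{rec['size']:6d}  {rec['modified']}  {rec['sha256'][:16]}  {rec['path']}")
```

A plain directory listing would show only readme.txt and report.txt; the inventory surfaces all four and records the hashes, so any later change to a file is provable against the inventory.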

The Five Ws
- Answering the five Ws helps in criminal investigations: Who, What, Where, When, Why
Notes: Discuss how answers to these five Ws can help solve cases such as those discussed earlier. Discuss briefly how Robert P. Hanssen was caught selling secrets to Russia and sentenced to life in prison.

Preserving Evidence
- Preserving evidence is critical in order to use the evidence in a legal defense or prosecution
- Scientific methods must be used in order to preserve the integrity of the evidence collected
Notes: Make sure that students understand the importance of using scientific methods of data collection and preservation in order to protect the integrity of evidence.

Computer Forensics Science
- Consistent with other scientific research, a computer forensics investigation is a process
- There are five stages to the process: Intelligence; Hypothesis or Theory Formulation; Evidence Collection; Testing; Conclusion
Notes:
- Intelligence: Analysis of the situation to gain a basic understanding of the case.
- Hypothesis formulation: Based on the information gained, come up with a hypothesis of the case that fits the evidence so far.
- Evidence collection: Intensive evidence gathering to test the hypothesis. Be sure to collect all evidence that supports and refutes your hypothesis.
- Testing: See if the evidence supports the hypothesis. If not, reformulate the hypothesis and continue.
- Conclusion: Based on the evidence, reach a conclusion. It either supports or refutes the hypothesis. Write the report.

NYS Police Forensic Procedures

| Stage | Tools | Discussion |
| --- | --- | --- |
| Seizing the computer | None | Computer and technology are seized under the rules, evidence, and the warrant that they hold. Evidence is transported and secured at the Forensic Investigation Center (FIC). |
| Backup | Safeback, Expert Witness, Snapback | Backup is done using one of the listed tools. A case file is created on an optical disk (CD). |
| Evidence extraction | Expert Witness | The FIC is moving much of the investigative process to Expert Witness. Traditional searches are done currently to find and extract evidence. |
| Case creation | Expert Witness | The case creation process allows the extracted information to be placed in a case file, on a floppy disk, hard disk, or removable media. |
| Case analysis | None | Investigators use experience and training to search the computer evidence for documents, deleted files, images, e-mail, slack space, etc., that will help in the case. |
| Correlation of computer events | | Timeline, order of events, related activities, and contradictory evidence are the components of this stage. |
| Correlation of noncomputer events | None | Phone records, credit card receipts, eyewitness testimony, etc. are manually sorted and correlated. |
| Case presentation | Standard Office | Finally, the information that has been extracted, analyzed, and correlated is put together in a form ready for presentation to a judge or jury. |

Forensics Investigation Methods
Methods used by investigators must achieve these objectives:
- Protect the suspect system
- Discover all files
- Recover deleted files
- Reveal contents of hidden files
- Access protected or encrypted files
- Use steganalysis to identify hidden data
- Analyze data in unallocated and slack space
- Print an analysis of the system
- Provide an opinion of the system layout
- Provide expert testimony or consultation
Notes: Discuss the objectives that must be met through the methods used in computer forensic investigations.

Admissibility of Evidence
- Goal of an investigation: collect evidence using accepted methods so that the evidence is accepted in the courtroom and admitted as evidence in the trial
- The judge’s acceptance of evidence is called admission of evidence
Notes: Explain that admissibility of evidence is part of computer forensic science. Explain the goal of collecting and preserving evidence based on generally accepted scientific methods so that it is admissible in court.

Admissibility of Evidence (Cont.)
- Evidence admissibility requires legal search and seizure and chain of custody
- Chain of custody must include: where the evidence was stored; who had access to the evidence; what was done to the evidence
- In some cases, it may be more important to protect operations than to obtain admissible evidence
Notes: Discuss the “chain of custody” and how it helps preserve evidence and achieve the goal of admissibility in court. Also mention that without a documented chain of custody, it is impossible to prove, after the fact, that evidence has not been altered. Discuss situations in which it would be more important to take action on a system than to preserve data for court purposes.

Digital Signatures and Profiling
- Digital signature left by serial killer Dennis L. Rader revealed as “BTK”
- Hidden electronic code on disk led to church where he had access to a computer
- Digital profiling of crime suspects: e-evidence can supply patterns of behavior or imply motives
- Evidence can include information stored on computers, e-mail, cell phone data, and wiretaps
Notes: Introduce these two areas of digital signatures and profiling. Discuss the table on the next slide that outlines various criminals, their crimes, and the e-evidence linking them to the crime.

Unallocated Space and File Slack
- Unallocated space: space that is not currently used to store an active file but may have stored a file previously
- File slack: space that remains if a file does not take up an entire sector
- Unallocated space and slack space can contain important information for an investigator
Notes: Discuss unallocated space and file slack. The following table illustrates the forensics investigation procedure used by the New York State Police. Introduce this table.
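To make the two definitions above concrete, here is an added example written for this page (not code from the textbook or from Pearson). It models a toy volume with a constructed geometry of 512-byte sectors and 2048-byte clusters, an allocation table, and a raw byte array that, like a real disk, is not zeroed when a file is deleted. A memo is written, deleted, and a short note is written into the first cluster the memo used; the memo's bytes then survive both in the note's file slack (the tail of its last cluster) and in the unallocated clusters, and a keyword scan over those two regions finds them. The same scenario is rerun with an overwrite-before-release delete, the behaviour the slide attributes to file-wiping software, to show why that step matters. ToyVolume, keyword_hits and the memo text are this example's own constructions.

```python
SECTOR = 512
CLUSTER = 4 * SECTOR   # constructed geometry: 4 sectors per cluster


class ToyVolume:
    """Minimal cluster-allocated volume: a directory of live files, an allocation
    table, and a raw byte array that is never scrubbed by an ordinary delete."""

    def __init__(self, clusters):
        self.raw = bytearray(clusters * CLUSTER)
        self.owner = [None] * clusters          # cluster -> file name, or None if unallocated
        self.directory = {}                     # name -> (cluster list, logical size)

    def write_file(self, name, data):
        needed = max(1, -(-len(data) // CLUSTER))          # ceiling division
        free = [i for i, o in enumerate(self.owner) if o is None][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for n, c in enumerate(free):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            # Only the bytes actually written are overwritten; the rest of the
            # final cluster keeps whatever was there before. That tail is file slack.
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.owner[c] = name
        self.directory[name] = (free, len(data))

    def delete_file(self, name, overwrite=False):
        clusters, _ = self.directory.pop(name)
        for c in clusters:
            if overwrite:   # what wiping software does: scrub the clusters before release
                self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
            self.owner[c] = None   # a plain delete only releases the allocation

    def read_file(self, name):
        """What a normal application sees: the logical bytes, slack excluded."""
        clusters, size = self.directory[name]
        data = b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return data[:size]

    def slack(self, name):
        """Bytes between logical end-of-file and the end of the file's last cluster."""
        clusters, size = self.directory[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1]
        return bytes(self.raw[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])

    def unallocated(self):
        """(cluster number, content) for every cluster no live file owns."""
        return [(c, bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]))
                for c, o in enumerate(self.owner) if o is None]


def keyword_hits(vol, keyword):
    """Where a keyword survives outside any live file: unallocated clusters and slack."""
    hits = []
    for c, content in vol.unallocated():
        if keyword in content:
            hits.append(("unallocated", c))
    for name in vol.directory:
        if keyword in vol.slack(name):
            hits.append(("slack", name))
    return hits


def demo(wipe=False):
    """Constructed scenario: write a memo, delete it, reuse its first cluster."""
    vol = ToyVolume(clusters=8)
    memo = (b"MEMO: move the funds on Friday. ") * 200   # 6400 bytes -> clusters 0-3
    vol.write_file("plan.txt", memo)
    vol.delete_file("plan.txt", overwrite=wipe)
    vol.write_file("notes.txt", b"shopping list: milk, eggs")   # 25 bytes, reuses cluster 0
    return vol, keyword_hits(vol, b"move the funds")


if __name__ == "__main__":
    for wipe in (False, True):
        vol, hits = demo(wipe=wipe)
        print(f"wipe={wipe}: live content {vol.read_file('notes.txt')!r}; residue found at {hits}")
```

With an ordinary delete the memo is found in clusters 1 through 3 (unallocated) and in the 2023 bytes of slack behind notes.txt; reading notes.txt through the directory never shows any of it, which is why the slide lists slack and unallocated space as separate places an investigator must examine. Real file systems add RAM slack (sector padding) and journaling to this picture, but the principle is the same.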

Challenges to Evidence
- Criminal trials may be preceded by a suppression hearing
- This hearing determines admissibility or suppression of evidence
- The judge determines whether the Fourth Amendment has been followed in the search and seizure of evidence
- The success of any investigation depends on proper and ethical investigative procedures
Notes: Discuss the ability of defense counsel to suppress evidence if proper procedures are not followed. This includes probable cause and obtaining search warrants.

Search Warrants
- Investigators generally need a search warrant to search for and seize evidence
- A law officer must prepare an affidavit that describes the basis for probable cause—a reasonable belief that a person has committed a crime
- A search warrant gives an officer only a limited right to violate a citizen’s privacy
Notes: Explore the topic of search warrants.

Search Warrants (Cont.)
Two reasons a search can take place without a search warrant:
- The officer may search for and remove any weapons that the arrested person may use to escape or resist arrest
- The officer may seize evidence in order to prevent its destruction or concealment
Notes: Refer to the government online references and links that provide the guidelines for searching and seizing computers.

Categories of Cybercrimes
- Computer is the crime target
- Computer is the crime instrument
- Computer is incidental to traditional crimes
- New crimes generated by the prevalence of computers
Notes: Discuss the use of computers in crimes and how the use of computers has generated new crimes and a new age of criminals.

Chain of Custody Procedures
- Handling of e-evidence must follow the three C’s of evidence: care, control, and chain of custody
- Chain of custody procedures:
  - Keep an evidence log that shows when evidence was received and seized, and where it is located
  - Record dates if items are released to anyone
  - Restrict access to evidence
  - Place the original hard drive in an evidence locker
  - Perform all forensics on a mirror-image copy, never on the original data
Notes: Discuss the procedures that help maintain the chain of custody.
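The admissibility slide earlier says that without a documented chain of custody it is impossible to prove after the fact that evidence was not altered, and the list above gives the procedures. The following added example (written for this page; not the textbook's, Pearson's, or any agency's code) shows the mechanism that makes that proof possible in software: the item is hashed at seizure, every custody event (who, where, when, what was done) is appended to a log whose entries are hash-chained to each other and to the acquisition hash, and examination happens on a working copy while the original is compared against the acquisition hash whenever it is produced. CustodyLog, make_working_copy and the sample image bytes are this example's own constructions; a real evidence log would also carry signatures from the people handing the item over.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    """Hex SHA-256 of a byte string; the fingerprint recorded for an evidence item."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody log for one evidence item. Each entry states who had the
    item, where it was and what was done to it; entries are hash-chained so that an
    edited or silently removed entry breaks the chain."""

    def __init__(self, item_id, description, acquired_by, location, original):
        self.item_id = item_id
        self.description = description
        self.acquisition_hash = sha256_hex(original)     # hash taken at seizure
        self.entries = []
        self.record("acquired", acquired_by, location, image_sha256=self.acquisition_hash)

    def record(self, action, actor, location, **details):
        """Append one custody event and chain it to the previous entry."""
        entry = {"seq": len(self.entries) + 1,
                 "timestamp": datetime.now(timezone.utc).isoformat(),
                 "action": action, "actor": actor, "location": location, **details}
        prev = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        entry["entry_hash"] = sha256_hex((prev + json.dumps(entry, sort_keys=True)).encode())
        self.entries.append(entry)
        return entry

    def log_intact(self):
        """Recompute the chain; False if any entry was altered or dropped."""
        prev = self.acquisition_hash
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex((prev + json.dumps(body, sort_keys=True)).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def image_matches(self, data):
        """True if the bytes presented now are exactly what was seized."""
        return sha256_hex(data) == self.acquisition_hash


def make_working_copy(original):
    """All examination happens on the copy; the original goes to the evidence locker."""
    return bytearray(original)


def demo():
    """Constructed custody history for a small byte string standing in for a drive image."""
    original = bytes(range(256)) * 4
    log = CustodyLog("EV-0001", "constructed sample image", "Examiner A", "seizure site", original)
    log.record("transferred", "Examiner A", "evidence locker 3", to="Custodian B")
    copy = make_working_copy(original)
    log.record("imaged", "Examiner A", "forensic lab", copy_sha256=sha256_hex(bytes(copy)))
    copy[0:4] = b"EDIT"   # analysis tooling touches the copy; the original is untouched
    return log, original, copy


if __name__ == "__main__":
    log, original, copy = demo()
    print("original still matches seizure hash:", log.image_matches(original))
    print("working copy matches seizure hash:  ", log.image_matches(bytes(copy)))
    print("custody log intact:                 ", log.log_intact())
    for e in log.entries:
        print(f"  #{e['seq']} {e['timestamp']} {e['action']:<12} {e['actor']:<11} {e['location']}")
```

Two checks fall out of this design: producing the original and re-hashing it answers "has the evidence been altered?", and recomputing the chain answers "has the record of who handled it been altered?". Either failing is exactly the gap a defense challenge at a suppression hearing would exploit.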

Report Procedures
- All reports of the investigation should be prepared with the understanding that they will be read by others
- The investigator should never comment on the guilt or innocence of a suspect or suspects or their affiliations
- Only the facts of the investigation should be presented; opinions should be avoided
Notes: Discuss the reporting procedures investigators should follow.

Computer Forensics Investigator’s Responsibilities
- Investigate and/or review current computer and computer-mediated crimes
- Maintain objectivity when seizing and investigating computers, suspects, and support staff
- Conduct all forensics investigations consistently with generally accepted procedures and federal rules of evidence and discovery
- Keep a log of activities undertaken to stay current in the search, seizure, and processing of e-evidence
Notes: Discuss the responsibilities of computer forensics investigators.

Summary
- Computers and the Internet have contributed to traditional and computer crimes
- Effective forensic investigation requires any technology that tracks what was done, who did it, and when
- Images or exact copies of the digital media being investigated need to be examined by trained professionals

Summary (Cont.)
- There are several legal and ethical issues of evidence seizure, handling, and investigation
- New federal rules and laws regulate forensic investigations
- The need for e-evidence has led to a new area of criminal investigation, namely computer forensics
- This field is less than 15 years old

Summary (Cont.)
- Computer forensics depends on an understanding of technical and legal issues
- The greatest legal issue in computer forensics is the admissibility of evidence in criminal cases
- Computer forensics investigators identify, gather, extract, protect, preserve, and document computer and other e-evidence using acceptable methods

Summary (Cont.)
- Laws of search and seizure, as they relate to electronic equipment, must be followed
- Failure to follow proper legal procedure will result in evidence being ruled inadmissible in court