Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 2: Computer Forensics and Digital Detective Work.


1 Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 2: Computer Forensics and Digital Detective Work

2 Objectives
© Pearson Education, Computer Forensics: Principles and Practices
- Recognize the role e-evidence plays in physical, or violent, and computer crimes
- Describe the basic steps in a computer forensics investigation
- Identify the legal and ethical issues affecting evidence search and seizure
- Identify the types of challenges to the admissibility of e-evidence

3 Objectives (Cont.)
- Understand how criminals' motives can help in crime detection and investigation
- Explain chain of custody
- Explain why acceptable methods for computer forensics investigations and e-discovery are still emerging

4 Introduction
Computer forensics investigators are "detectives of the digital world." This chapter introduces you to the generally accepted methods used in computer forensics; to computer architecture, the Internet, and digital devices; and to the types of evidence trails these leave behind.

5 E-Evidence Trails and Hidden Files
- Computers are routinely used to plan and coordinate many types of crimes
- Computer activities leave e-evidence trails
  - File-wiping software can be used to delete data
  - The file-wiping process takes time and expertise
- Many e-evidence traces can be found by showing hidden files on a computer

6 Knowing What to Look For
- Technical knowledge of how data and metadata are stored determines what e-evidence is found
- For this reason, the technical knowledge of investigators must keep pace with evolving data storage devices

7 Knowing What to Look For (Cont.)
Three cases illustrate the importance of technical knowledge:
- Dr. Harold Shipman modified medical records to hide evidence of murder; the date stamp revealed the records were fraudulent
- Employees made online purchases with customer credit cards; hidden HTML code revealed the fraud
- Neil Entwistle killed his wife and child; the cache showed Internet sites that described how to kill people
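The Shipman case turns on a date stamp that contradicted what a record claimed. The following added example (not from the textbook or its authors) shows the kind of metadata consistency check an examiner runs over record timestamps: it flags entries whose stored modification time precedes their creation time, and entries that were written long after the date they claim to document. The field names, the one-day backdating tolerance and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta


def parse(ts):
    """ISO-8601 text to datetime; the record store is assumed to export timestamps this way."""
    return datetime.fromisoformat(ts)


def find_timestamp_anomalies(records, backdate_tolerance=timedelta(days=1)):
    """Flag records whose stored timestamps contradict each other or the date the record claims.

    Each record is a dict with:
      id       - record identifier
      claimed  - the date the entry itself says it documents (user-supplied)
      created  - timestamp the system stored when the record was first written
      modified - timestamp the system stored at the last change
    Returns a list of (record id, reason) tuples.
    """
    findings = []
    for r in records:
        claimed = parse(r["claimed"])
        created = parse(r["created"])
        modified = parse(r["modified"])
        # A system-maintained modification time can never precede creation.
        if modified < created:
            findings.append((r["id"], "modified before created"))
        # An entry "documenting" a date far earlier than when it was written is a backdating candidate.
        lag = created - claimed
        if lag > backdate_tolerance:
            findings.append((r["id"], f"written {lag.days} days after the date it claims"))
    return findings


# Constructed sample, not real case data.
SAMPLE_RECORDS = [
    {"id": "R1", "claimed": "2024-03-01T10:00", "created": "2024-03-01T10:05", "modified": "2024-03-01T10:05"},
    {"id": "R2", "claimed": "2023-11-15T09:00", "created": "2024-03-02T23:40", "modified": "2024-03-02T23:41"},
    {"id": "R3", "claimed": "2024-03-03T08:00", "created": "2024-03-03T08:10", "modified": "2024-03-03T07:50"},
]

if __name__ == "__main__":
    for record_id, reason in find_timestamp_anomalies(SAMPLE_RECORDS):
        print(record_id, reason)
```

R1 is clean, R2 is flagged as backdated and R3 as internally impossible. The check only works when the `created` and `modified` values come from the system rather than the user, which is why the slide insists on knowing how the metadata is stored.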

8 The Five Ws
Answering the five Ws helps in criminal investigations:
- Who
- What
- Where
- When
- Why

9 In Practice: PDA Forensics
- PDA forensics is being used frequently in homicide investigations and white-collar crimes
- Examples:
  - Danielle van Dam murder, February 2002
  - Falsely billing for Medicaid and Medicare patients who were never seen

10 Preserving Evidence
- Preserving evidence is critical in order to use the evidence in a legal defense or prosecution
- Scientific methods must be used in order to preserve the integrity of the evidence collected

11 Computer Forensics Science
- Consistent with other scientific research, a computer forensics investigation is a process
- There are five stages to the process:
  - Intelligence
  - Hypothesis or theory formulation
  - Evidence collection
  - Testing
  - Conclusion

12 Admissibility of Evidence
- Goal of an investigation: collect evidence using accepted methods so that the evidence is accepted in the courtroom and admitted as evidence in the trial
- The judge's acceptance of evidence is called admission of evidence

13 Admissibility of Evidence (Cont.)
- Evidence admissibility requires legal search and seizure and chain of custody
- Chain of custody must include:
  - Where the evidence was stored
  - Who had access to the evidence
  - What was done to the evidence
- In some cases, it may be more important to protect operations than to obtain admissible evidence

14 In Practice: CD Universe Prosecution Failure
- Attempted extortion involving credit card numbers by "Maxim"
- Six months after the incident, Maxim still could not be found
- Evidence was compromised by the FBI and security firms, who may have used the original data rather than a forensic copy

15 Digital Signatures and Profiling
- Digital signature left by a serial killer
  - Dennis L. Rader revealed as "BTK"
  - Hidden electronic code on a disk led to the church where he had access to a computer
- Digital profiling of crime suspects
  - E-evidence can supply patterns of behavior or imply motives
  - Evidence can include information stored on computers, e-mail, cell phone data, and wiretaps

16 Crimes Solved Using Forensics
Criminal | Type of Crime | Type of E-Evidence
Dennis Rader | Serial killer | Deleted files on a floppy disk used by the criminal at his church's computer
Lee Boyd Malvo, John Allen Muhammad | Snipers | Digital recordings on a device in the suspects' car
Lisa Montgomery | Murder and fetus-kidnapping | E-mail communication between the victim and the criminal; tracing an IP address to a computer at the criminal's home
(Continued)

17 Crimes Solved Using Forensics (Cont.)
Criminal | Type of Crime | Type of E-Evidence
David A. Westerfield | Murder | Files on four computer hard drives and a PDA
Scott Peterson | Double murder | GPS data from his car and cell phone; Internet history
Alejandro Avila | Rape and murder | E-evidence of child pornography on his computer
Zacarias Moussaoui | Terrorism | E-mail, files from his computers

18 Forensics Investigation Methods
Methods used by investigators must achieve these objectives:
- Protect the suspect system
- Discover all files
- Recover deleted files
- Reveal the contents of hidden files
- Access protected or encrypted files
- Use steganalysis to identify hidden data
- Analyze data in unallocated and slack space
- Print an analysis of the system
- Provide an opinion of the system layout
- Provide expert testimony or consultation

19 Unallocated Space and File Slack
- Unallocated space: space that is not currently used to store an active file but may have stored a file previously
- File slack: space that remains if a file does not take up an entire sector
- Unallocated space and slack space can contain important information for an investigator
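Two of the method objectives on the previous slide, recovering deleted files and analyzing unallocated and slack space, come down to the definitions on this slide. The following added example (not from the textbook or its authors) builds a constructed 8-sector image with a toy allocation table, writes a file, "deletes" it by dropping only its allocation entry, then writes a smaller file over the start of the same sectors. It then computes the new file's slack and the unallocated sectors, and carves printable strings from both to show where the deleted content survives. Sector size, the allocation-table layout and all file contents are assumptions for the demonstration, not a real file-system format.

```python
import re

SECTOR_SIZE = 512  # the slide's unit of allocation; real file systems allocate in clusters of several sectors


def write_file(image, alloc, name, first_sector, data):
    """Write data starting at first_sector and record it as allocated.
    Only len(data) bytes are written, so whatever already sat in the rest of the
    last sector survives: that residue is the file slack."""
    start = first_sector * SECTOR_SIZE
    image[start:start + len(data)] = data
    alloc[name] = (first_sector, len(data))  # allocation table: name -> (first sector, length in bytes)


def delete_file(alloc, name):
    """Deletion drops the allocation entry only; the sectors are not overwritten."""
    del alloc[name]


def sectors_used(first_sector, length):
    """Sector numbers a file of this length occupies (ceiling division)."""
    count = -(-length // SECTOR_SIZE)
    return list(range(first_sector, first_sector + count))


def file_slack(image, alloc, name):
    """Bytes between the logical end of the file and the end of its last sector."""
    first_sector, length = alloc[name]
    logical_end = first_sector * SECTOR_SIZE + length
    last_sector_end = (sectors_used(first_sector, length)[-1] + 1) * SECTOR_SIZE
    return bytes(image[logical_end:last_sector_end])


def unallocated_sectors(image, alloc):
    """Sector numbers that no active file currently claims."""
    used = set()
    for first_sector, length in alloc.values():
        used.update(sectors_used(first_sector, length))
    return [s for s in range(len(image) // SECTOR_SIZE) if s not in used]


def carve_strings(data, min_len=8):
    """Printable-ASCII runs of at least min_len bytes: the simplest form of carving."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def build_demo_image():
    """Constructed scenario: a 1800-byte file is written, deleted, then a 700-byte file overwrites its start."""
    image = bytearray(8 * SECTOR_SIZE)
    alloc = {}
    old = (b"SECRET-PAYMENT-RECORD account 4242 transferred 900000 " * 40)[:1800]
    write_file(image, alloc, "ledger.txt", 0, old)        # occupies sectors 0-3
    delete_file(alloc, "ledger.txt")                       # bytes stay on disk
    new = b"Quarterly newsletter draft. " * 25             # 700 bytes: all of sector 0, 188 bytes of sector 1
    write_file(image, alloc, "newsletter.txt", 0, new)
    return image, alloc


def recover_traces(image, alloc, marker):
    """Report where marker survives: in the slack of active files or in unallocated sectors."""
    found = {}
    for name in alloc:
        if any(marker in s for s in carve_strings(file_slack(image, alloc, name))):
            found.setdefault("slack", []).append(name)
    for sector in unallocated_sectors(image, alloc):
        chunk = bytes(image[sector * SECTOR_SIZE:(sector + 1) * SECTOR_SIZE])
        if any(marker in s for s in carve_strings(chunk)):
            found.setdefault("unallocated", []).append(sector)
    return found


if __name__ == "__main__":
    image, alloc = build_demo_image()
    print("slack bytes in newsletter.txt:", len(file_slack(image, alloc, "newsletter.txt")))
    print(recover_traces(image, alloc, b"SECRET-PAYMENT-RECORD"))
```

The 700-byte file ends 188 bytes into sector 1, leaving 324 bytes of slack that still hold the deleted ledger, and sectors 2 and 3 are unallocated but still carry the rest of it. Sectors 4 to 7 are unallocated too but were never written, so carving finds nothing there.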

20 NYS Police Forensic Procedures
Stage | Tools | Discussion
Seizing the computer | None | Computer and technology are seized under the rules, evidence, and the warrant that they hold. Evidence is transported and secured at the Forensic Investigation Center (FIC).
Backup | Safeback, Expert Witness, Snapback | Backup is done using one of the listed tools. A case file is created on an optical disk (CD).
Evidence extraction | Expert Witness | The FIC is moving much of the investigative process to Expert Witness. Traditional searches are currently done to find and extract evidence.
(Continued)

21 NYS Police Forensic Procedures (Cont.)
Stage | Tools | Discussion
Case creation | Expert Witness | The case creation process allows the extracted information to be placed in a case file on a floppy disk, hard disk, or removable media.
Case analysis | None | Investigators use experience and training to search the computer evidence for documents, deleted files, images, e-mail, slack space, etc., that will help in the case.
Correlation of computer events | None | Timeline, order of events, related activities, and contradictory evidence are the components of this stage.
(Continued)

22 NYS Police Forensic Procedures (Cont.)
Stage | Tools | Discussion
Correlation of noncomputer events | None | Phone records, credit card receipts, eyewitness testimony, etc. are manually sorted and correlated.
Case presentation | Standard Office | Finally, the information that has been extracted, analyzed, and correlated is put together in a form ready for presentation to a judge or jury.

23 Challenges to Evidence
- Criminal trials may be preceded by a suppression hearing
  - This hearing determines admissibility or suppression of evidence
  - The judge determines whether the Fourth Amendment has been followed in the search and seizure of evidence
- The success of any investigation depends on proper and ethical investigative procedures

24 Search Warrants
- Investigators generally need a search warrant to search for and seize evidence
- A law officer must prepare an affidavit that describes the basis for probable cause: a reasonable belief that a person has committed a crime
- A search warrant gives an officer only a limited right to violate a citizen's privacy

25 Search Warrants (Cont.)
Two reasons a search can take place without a search warrant:
- The officer may search for and remove any weapons that the arrested person may use to escape or resist arrest
- The officer may seize evidence in order to prevent its destruction or concealment

26 In Practice: A Terrorist's Trial
- FBI agents attempted to get permission to search Moussaoui's laptop, but permission was denied on the grounds that they had not proved probable cause
- The events of September 11 provided enough evidence for a search warrant, but by this time it was too late to access e-mail accounts that might have provided important data

27 Motives for Cybercrimes
- Finding the motive, the "why" of the crime, can help in an investigation
- Possible motives:
  - Financial gain, including extortion and blackmail
  - Cover up a crime
  - Remove incriminating information or correspondence
  - Steal goods or services without having to pay for them
  - Industrial espionage

28 Categories of Cybercrimes
- Computer is the crime target
- Computer is the crime instrument
- Computer is incidental to traditional crimes
- New crimes generated by the prevalence of computers

29 Chain of Custody Procedures
- Handling of e-evidence must follow the three C's of evidence: care, control, and chain of custody
- Chain of custody procedures:
  - Keep an evidence log that shows when evidence was seized and received, and where it is located
  - Record dates if items are released to anyone
  - Restrict access to evidence
  - Place the original hard drive in an evidence locker
  - Perform all forensics on a mirror-image copy, never on the original data
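The chain-of-custody requirements on slide 13 (where the evidence was stored, who had access, what was done to it) and the procedures on this slide can be made concrete as an evidence log that fixes a cryptographic hash of the original at seizure, records every transfer, and verifies the original against that hash after examiners have worked on a copy. The following added example is not from the textbook or its authors; the log structure, the custodian and location names and the sample drive contents are constructed assumptions, and the in-memory copy stands in for the write-blocked imaging an examiner would really do.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data):
    """Acquisition hash; any later change to the original shows up as a different digest."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Custody log recording, for each item, where it is, who holds it, and what was done to it."""

    def __init__(self):
        self.items = {}     # evidence id -> hash recorded at seizure
        self.entries = []   # chronological custody entries

    def seize(self, evidence_id, original, custodian, location, when):
        """Record the seizure and fix the original's hash at acquisition time."""
        self.items[evidence_id] = sha256_hex(original)
        self._log(evidence_id, when, custodian, location, "seized", self.items[evidence_id])

    def transfer(self, evidence_id, from_custodian, to_custodian, location, when):
        """Every hand-off is logged with the receiving custodian and the new location."""
        self._log(evidence_id, when, to_custodian, location,
                  f"received from {from_custodian}", None)

    def image(self, evidence_id, original, custodian, location, when):
        """Produce the working copy examiners use. The original is only read here;
        a real acquisition goes through a write blocker and an imaging tool."""
        copy = bytearray(original)
        if sha256_hex(copy) != self.items[evidence_id]:
            raise ValueError("image does not match the acquisition hash")
        self._log(evidence_id, when, custodian, location, "forensic image created", sha256_hex(copy))
        return copy

    def verify(self, evidence_id, data):
        """True if data still matches the hash recorded at seizure."""
        return sha256_hex(data) == self.items[evidence_id]

    def _log(self, evidence_id, when, custodian, location, action, digest):
        self.entries.append({"evidence": evidence_id, "when": when.isoformat(),
                             "custodian": custodian, "location": location,
                             "action": action, "sha256": digest})


def demo():
    """Constructed walk-through: seize, lock up, image, analyze the copy, re-verify the original."""
    original = b"DISK-IMAGE-PLACEHOLDER: contents of the seized drive (constructed sample)\n" * 64
    log = EvidenceLog()
    t0 = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)
    log.seize("HD-001", original, "Officer A", "suspect residence", t0)
    log.transfer("HD-001", "Officer A", "Examiner B", "evidence locker 7", t0.replace(hour=13))
    working_copy = log.image("HD-001", original, "Examiner B", "forensic lab", t0.replace(hour=14))
    # Analysis may alter the working copy (mounting it, for instance); the original is never touched.
    working_copy[:4] = b"XXXX"
    return {
        "original_intact": log.verify("HD-001", original),
        "copy_matches": log.verify("HD-001", working_copy),
        "custody_events": [e["action"] for e in log.entries],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A working copy that no longer matches the acquisition hash is expected and harmless; an original that no longer matches is the CD Universe failure on slide 14, and the log is what lets the court see which custodian held the item when the change happened.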

30 Report Procedures
- All reports of the investigation should be prepared with the understanding that they will be read by others
- The investigator should never comment on the guilt or innocence of a suspect or suspects, or on their affiliations
- Only the facts of the investigation should be presented; opinions should be avoided

31 Computer Forensics Investigator's Responsibilities
- Investigate and/or review current computer and computer-mediated crimes
- Maintain objectivity when seizing and investigating computers, suspects, and support staff
- Conduct all forensics investigations consistently with generally accepted procedures and federal rules of evidence and discovery
- Keep a log of activities undertaken to stay current in the search, seizure, and processing of e-evidence

32 Summary
- Computers and the Internet have contributed to traditional and computer crimes
- Effective forensic investigation requires technology that tracks what was done, who did it, and when
- Images, or exact copies, of the digital media being investigated need to be examined by trained professionals

33 Summary (Cont.)
- There are several legal and ethical issues of evidence seizure, handling, and investigation
- New federal rules and laws regulate forensic investigations
- The need for e-evidence has led to a new area of criminal investigation, namely computer forensics
- This field is less than 15 years old

34 Summary (Cont.)
- Computer forensics depends on an understanding of technical and legal issues
- The greatest legal issue in computer forensics is the admissibility of evidence in criminal cases
- Computer forensics investigators identify, gather, extract, protect, preserve, and document computer and other e-evidence using acceptable methods

35 Summary (Cont.)
- Laws of search and seizure, as they relate to electronic equipment, must be followed
- Failure to follow proper legal procedure will result in evidence being ruled inadmissible in court

