Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Related Evidence & What is this computer geek going to do now that I have done all the hard work?

Published byBeverly Hopkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Related Evidence & What is this computer geek going to do now that I have done all the hard work?"— Presentation transcript:

1

2 Computer Related Evidence & What is this computer geek going to do now that I have done all the hard work?

3 Rules We Live By And So Should you 4 Never Alter the Original Media! 4 Findings MUST be Verifiable! 4 Findings MUST be Reproducible!

4 PROCEDURES What your examiners can do for and with you.

5 4 Assist Preparing the Search Warrant. 4 Service of the Search Warrant. 4 Gathering the Computer Related Evidence(CRE).* 4 Image and Archive.* 4 Store and Secure Computer Related Evidence. 4 Examine.* 4 Review Findings with you.*

6 4 Complete a Report in the Format You Need.* 4 Prosecutor and Defense Interviews about the computer related evidence. 4 Testify. 4 Dispose / Clean Evidence.*

7 What We Will Not Do 4 Take Over Your Investigation!

8 Gathering Evidence 4 Securing 4 Turning off 4 Documenting 4 Marking 4 Transporting

9 Imaging and Archives 4 We work from an Image of the Suspect media. 4 Copy is stored on CD-R or Tape.

10 Examine 4 See The Rule We Live By. 4 Work from the copy with a variety of tools. 4 You have to tell us what is going on.

11 Review with You 4 What is nothing to me may be everything to you. 4 You (always) know a lot more than me.

12 Report the Findings 4 A report and Examples in the format you need. –Written, Officer’s Witness Statement. –Spread Sheets Showing file information. –Information Printed, on CD-R, Power Point. –Do live demos’ work? Yes or No

13 Interviews

14 4 #1 DO NOT LET ANYONE SHOW YOU WHERE THE EVIDENCE IS ON THE COMPUTER…………… 4 Let them talk about their great computer skills or lack of skill. 4 Ownership and use of each computer. 4 Passwords!

15 4 Like all interviews you are attempting to gather information. 4 What else would you like to know. –Online service, when used the most, computer at work? AND

16 Search Warrant VS Consent 4 When you can get a search warrant. 4 Consent- knowingly, freely and voluntarily. with the authority to give the consent.

17 You Found the”something” Are We Done?

18 Computer Examinations 101 4 The Fun Stuff. 4 Proving the WHO, WHAT, WHERE, WHEN, HOW and maybe WHY.

19 Date and Time Stamps 4 Windows 9x and above tracks three dates and two times. 4 NTSF adds one date and one time 4 Other Operating Systems keep dates and time.

20 Windows > Properties

21 EnCase view of Date and Times

22 Deleted Files 4 DOS / Windows Only overwrites the first character of the DOS Directory.

23

24 File Slack & Unallocated Space 4 File Slack, the space between the end of the file and the end of the “Cluster”. 4 Unallocated Space, the space on the disk that is not assigned in the directory. (free space. 4 Both contain left over information.

25 Header Vs. File Extension 4 File Headers, what is important. 4 4A 47 03 0E 00 00 00 4 50 4B 03 04 14 00 00 00 00 00 4 FF D8 FF E0 4 D0 CF 11 E0 A1 B1 1A E1 00 00,0,FE FF 09 00,29,4,0,42 00 02 4 File Extension, what we see. –*.ART, DOC, JPG,XLS

26

27 Previewing 4 Lets talk. 4 When to to it. 4 What are you looking for. 4 Tools. 4 Where to look.

28 Previewing. Lets Talk. 4 Consent 4 Damage to evidence 4 Testifying about it in court 4 Do you stand a chance of finding something. 4 False negative.

29 Previewing. When to do it. 4G4Group participation.

30 Previewing, When to do it. 4 Looking for text. –Easy anytime. –Have Examiner prepare EnCase Boot disk with search items. –Other tools. Norton disk editor, DIBS Mycroft V3 and others.

31 Previewing. When to do it. 4 Images. 4 There are not to many DOS based images viewers. 4 EnCase on laplink. 4 Copy out possible sources.

32 Previewing. Tools. 4 EnCase Laplink or Network Card. $2K 4 Pre- Search & Digit, NIS and Paul Bright. Free, unsupported. 4 Boot to “safe” DOS disk and copy out interesting items.

33 Previewing. Where to look. 4 C:\Windows\Temporary Internet File 4 C:\Windows\Recent AKA: –Start > Documents (right click & properties) 4 C:\Windows\History 4 Recycle bin 4 Internet Explorer, Recent and Favorites 4 My Documents > My Pictures ?

34 Previewing, Where else 4 Looking for Newsgroup Programs. –Free Agent, NewsRover, Outlook. 4 C:\Windows\Temp 4 The Directory in each Volume? –Folder Titled “kid pict” or some other obvious name.

35 Organizations. 4 CTIN 4 AGORA 4 HTCIA 4 IACIS 4 NWCCC

Download ppt "Computer Related Evidence & What is this computer geek going to do now that I have done all the hard work?"

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall
File Management Chapter 3

File Management Chapter 3
Text Searches Slack Space Unallocated Space

Text Searches Slack Space Unallocated Space
Windows XP Basics OVERVIEW Next.

Windows XP Basics OVERVIEW Next.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Computer Forensics 101 Essential Knowledge for 21 st Century Investigators with Case Studies Presented by Steve Abrams, M.S. Abrams Computer Forensics.

Computer Forensics 101 Essential Knowledge for 21 st Century Investigators with Case Studies Presented by Steve Abrams, M.S. Abrams Computer Forensics.
X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.

X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.
Windows Overview LEIT 429x Steve Builta. Where we are going… Overview of operating Systems Overview of Windows 9x Take and Edit digital Photos.

Windows Overview LEIT 429x Steve Builta. Where we are going… Overview of operating Systems Overview of Windows 9x Take and Edit digital Photos.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
The sequence of folders to a file or folder is called a(n) ________.

The sequence of folders to a file or folder is called a(n) ________.
PMI Inventory Tracker™

PMI Inventory Tracker™
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Chapter 4: Operating Systems and File Management 1 Operating Systems and File Management Chapter 4.

Chapter 4: Operating Systems and File Management 1 Operating Systems and File Management Chapter 4.
Project 8 Mastering Digital Media: Picture Files.

Project 8 Mastering Digital Media: Picture Files.
Microsoft Office 2010 - Illustrated Fundamentals Unit B: Understanding File Management.

Microsoft Office Illustrated Fundamentals Unit B: Understanding File Management.

Similar presentations

Ads by Google