Evidence Handling If the evidence is there the case is yours to lose.


Presentation on theme: "Evidence Handling If the evidence is there the case is yours to lose."— Presentation transcript:

1 Evidence Handling If the evidence is there the case is yours to lose.

2 Evidence
First do no harm.
Evidence:
● cannot be altered.
● cannot be tampered with.
● cannot be added.
● reserved for LAPD only.

3 Evidence
● Admissible – must be legally obtained and relevant
● Reliable – has not been tainted (changed) since acquisition
● Authentic – the real thing, not a replica
● Complete – includes any exculpatory evidence
● Believable – lawyers, judge & jury can understand it

4 Rule #2
Evidence must be reliable.
● Must be able to prove that evidence has not changed since seizure.
● Always accounted for.

5 MD5/File Signature
MD5 – Message Digest version 5
● A mathematical calculation of the data in a file
● If one bit is changed the MD5 is vastly different
● Often referred to as the hash code of the file
● Acts as a unique signature of the file

6 Rule #2
Reliable evidence.
In order to demonstrate that evidence presented in court is identical to that seized in accordance with a search warrant, it is sufficient to show the MD5 file/drive signatures match.
Accepted judicial procedure.

7 File/Drive Signature
● MD5 hash code of a file/disk/drive is unique to that file/disk/drive
● The MD5 hash code calculates a number that can prove that the file/drive has not changed.
Procedure:
1. Calculate the MD5 code of the seized digital evidence as soon after the seizure as possible.
2. When challenged, re-calculate the MD5 code.
3. Compare; if equal then the evidence has not changed. Otherwise the evidence is inadmissible.
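The three-step procedure above (hash at seizure, re-hash when challenged, compare), together with the "one bit changes everything" point from slide 5, as an added Python example that is not part of the presentation. It assumes nothing about WinHex: the "floppy image" is a constructed in-memory byte buffer, and the function names are the example's own. It goes slightly beyond the slides by recording SHA-256 next to MD5, which is what a lab would do today.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read size; a real drive image will not fit in memory

def hash_stream(fobj, algo="md5"):
    """Hex digest of everything readable from fobj, hashed chunk by chunk."""
    h = hashlib.new(algo)
    for block in iter(lambda: fobj.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def acquisition_record(image_bytes):
    """Step 1: hash the evidence as soon after seizure as possible.
    MD5 (as on the slides) plus SHA-256, since MD5 alone is no longer
    collision resistant; a second digest costs nothing at acquisition."""
    return {
        "md5": hash_stream(io.BytesIO(image_bytes), "md5"),
        "sha256": hash_stream(io.BytesIO(image_bytes), "sha256"),
    }

def verify(image_bytes, record):
    """Steps 2-3: recompute when challenged and compare with the record.
    True only if every recorded digest still matches."""
    current = acquisition_record(image_bytes)
    return all(current[k] == v for k, v in record.items())

def flip_one_bit(image_bytes, byte_index=0, bit=0):
    """Copy of the image with a single bit changed (slide 5: one bit is
    enough to change the whole hash). Stands in for tampering or for the
    access-time update the lab on the last slides asks you to observe."""
    data = bytearray(image_bytes)
    data[byte_index] ^= 1 << bit
    return bytes(data)

# Constructed 1.44 MB "floppy image": a boot-sector-like stub plus zero filler.
FLOPPY = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * (1474560 - 11)

if __name__ == "__main__":
    rec = acquisition_record(FLOPPY)  # recorded at seizure
    print("seizure MD5:", rec["md5"])
    print("unchanged image verifies:", verify(FLOPPY, rec))  # True
    print("one-bit change verifies:", verify(flip_one_bit(FLOPPY, 500), rec))  # False
```

To run it against a real image file, pass an open binary file to hash_stream instead of the BytesIO wrapper; the chunked loop is what keeps a multi-gigabyte drive image out of memory.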

8 WinHex
The general purpose forensic analysis tool we will use for this course. Excellent professional grade tool. You can download a trial version. It has limited capability, but you can do a lot with it and complete your assignments in the lab. The license is good for all versions before 2007.

9 WinHex File Signature
● Open the application
● File -> Open
● Find Documents and Settings\UserData\index.dat
● Select Tools -> Compute Hash
● Select MD5 (128 bit)
● Note the hash code or file signature

10 WinHex

11 Open File

12 Open UserData Folder

13 Index.dat Opened

14 Calculate MD5 Hash File Signature

15 File Signature

16 Protect Your Evidence
● Be sure you use a write blocker of some kind
● You can’t trust software, unless it has been tested and validated, usually by a third party
● Floppies and tapes have physical protection

17 Hash of a Floppy
● Be sure the write-protect tab is open
● Start WinHex
● Open floppy – be sure you select the physical device
● Calculate the hash

18 Open Disk

19 Open Disk Physical Media

20 Open Floppy Media

21 Open Floppy

22 Calculate Disk Signature

23 Recover File from the Floppy
● Select possible file
● After you recover this file, select the physical device
● Calc hash
● Compare with the previous hash
● Have they changed?

24 Open Partition 1 Double Click

25 Explore Floppy

26 Select File

27 Not For Temp Licensed Users Only
● Must export to your docs to view
● Right click on file to recover
● Choose Recover/Copy …
● Choose folder to restore to, click
● Double click on file

28 Voila

29 Re-Calc Hash
● Recalculate the hash of the floppy
● The floppy has been accessed
● The access time of the file should have been changed
● Hence the hash of the floppy should change
● Did it?

30 Lab – Due
● Be sure that the write protect hole is clear
● Calculate the MD5 signature of your floppy. Record it.
● Recover a file and view it; include it in your report. Remember Alt – PrtSc and paste it where you want it.
● Recalculate the hash of the floppy. Are they the same?

