Computer Forensics Exam 1 (IS 463)
Evidence Handling Workflow (slide-13 from week 2 powerpoint)
1. Identify 2. Photograph 3. Document 4. Store 5. Transport 6. Package 7. Destruction or Return
Forensic
- Relating to the use of scientific knowledge or methods in solving crimes - Relating to, used in, or suitable to a court of law
Hard Disk Geometry (after low-level format): Cluster
- A group of sectors - Allocation unit of data in file systems
Basic Input Output System (BIOS) @ start-up process
- Checks the CMOS chip to find the boot sequence (where to look for an OS)
Why are investigations getting more difficult and challenging?
- Criminals are getting smarter - Data-hiding/security technologies (cryptography, steganography) are getting better - Computer systems are getting more complex and varied
CPU initialization @ start-up process
- First, the CPU looks to the ROM BIOS for its first instruction (POST) - Power On Self Test (POST) • Checks the BIOS chip and then tests CMOS RAM • Checks the video card, hard drives, floppy drives, ports, keyboard and mouse, etc. • If everything functions properly, CPU initialization succeeds
Digital Forensics tools used for incident response and forensic analysis
- Forensics computers - Write-blocking devices - Imaging devices (disk duplicator) - Data wiping devices - Encryption hardware
Guidelines for entering technical evidence into U.S. Court:
- Has the procedure been published in journals and generally accepted? - Has the procedure been independently tested, and what is the error rate?
Computers as an INSTRUMENT of the crime
- Internet child pornography - Cyber stalking and bullying - Identity theft - Pirated computer software - Forgery or falsification of documents - Corporate fraud - Terrorism and national security
Hard Drive Duplication Method: Dedicated forensic duplication systems
- Platform specifically built and designed to accommodate numerous types of hard drive connections. - Specialized bit-level imaging software transfers an exact copy of the contents of the original hard drive (or other data source) to one or more blanks. - Typically, an investigator will make more than one copy of the suspect hard drive using this method. • If the forensic analysis is correct, the investigation should produce the same results on identical copies of the drive.
Investigation Process models: DOJ guidelines
- Preparation: prepare equipment and tools - Collection: search the physical location for possible digital evidence and acquire it (e.g., collect or copy digital media) - Examination: review the media for evidence (initial screening) - Analysis: review the results for their value in the case - Reporting: document the results of the investigation
Hard Disk Geometry (after low-level format): Sector
- The smallest addressable unit of storage - 1 sector typically has 512 bytes
Hard Drive Duplication Method: System-to-System Disk Imaging
- This method uses two separate computer systems: the suspect system and a specialized forensics imaging system. - Depending on the type of drives and connections available, both systems are booted from CD-ROM, DVD, USB drive, or floppy disk, which loads the imaging software. - Data is transferred between the computers using serial, parallel, Ethernet, or USB ports. - This method can be slow and is often not suited to on-the-scene incident response.
Identify data sources (Securing the Scene)
- USB cables attached to a computer - Owner's manuals for any unidentified digital devices (DSLR, external HDD, etc.) - Internet storage, Cloud - Clues for passwords - Interview anyone who may have useful info.
Hard Drive Duplication Method: Using the original system
- Uses the original (suspect) computer to perform the disk imaging transfer process. - A blank drive matching the original hard drive's capacity and configuration is added to the system. - A forensic boot disk is used to create a bit-level image of the original disk. - This method is typically used in on-the-scene incident response when it is impractical to transport a computer to the investigator's laboratory.
Most common interface types
- ATA/IDE (Integrated Disk Electronics) or PATA - SATA (Serial ATA) - SCSI (Small Computer Systems Interface)
Digital Investigation in 4 steps
- Assess - Acquire - Analyze - Report
The 3 data unit allocation strategies:
- First available - Next available - Best fit
Everything that enters a crime scene does two things. What are they?
- Leaves part of itself behind - Takes part of the scene with it
Five areas in GPT Disk
- Protective MBR - GPT Header - Partition Table - Partition Area - Backup Area
The largest defined value is ____________________, which means that ____ byte can be used to store each character.
0x7E (127 in decimal), 1
A flag uses ____ bit.
1
GPT header starts in sector ____.
1
What are the 10 symbols in a decimal number system
1,2,3,4,5,6,7,8,9,0
What should you do if a computer is already OFF? (More detail on week2 slide-26 and 27)
1. Document devices and wires connected to the computer 2. Uniquely label all cords and drives connected 3. Photograph unique labels 4. Remove and secure the power supply cord 5. Disconnect and secure all cables, wires, and USB drives 6. Place TAPE over the floppy disk slot (if present) 7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening 8. Place tape over the power switch 9. Record the make, model, serial numbers, and any user-applied markings or identifiers 10. Package all evidence
CHS Limitation: Older BIOS uses ____ bit cylinder value, ____ bit head value and ___ bit sector value
10, 8, 6
Windows limits the number of entries in the partition table to _________.
128
Hexadecimal Number: each column has a decimal value that is _____ times as much as the previous column
16
FAT entry is either _____________
16 bits (2 bytes) or 32 bits (4 bytes)
A hexadecimal number has _____ symbols (the numbers 0 to 9 followed by the letters ___ to __).
16, A, F
A binary number has only two symbols (0 and 1), and each column has a decimal value that is _____ times as much as the previous column.
2
A byte needs ______ hexadecimal symbols
2
A byte can hold only ________ values, so bytes are grouped together to store larger __________. Typical sizes include _____, ____, or ____ bytes
256, numbers; 2, 4, 8
Each FAT directory entry is ________________
32 bytes in size
The first ______ values are defined as control characters and are not ________.
32, printable
A hexadecimal symbol represents ________ bits
4
Binary Number: Max value for a fixed bit size (32 bits)
4,294,967,295
Boot Code in MBR exists in the first ______ bytes of the first sector (512-byte)
446
Boot sector viruses or Bootkits insert themselves into the first ______ bytes of the MBR so that they are executed every time the computer is booted.
446
CHS Limitation: Can only allow a ________MB disk
504
_____________ clusters can be mapped in the FAT16
65,536
A byte is a sequence of ____________ bits.
8
CHS Limitation: Newer BIOS uses 1024c x 255h x 63s which allows _____GB
8.1
Bits are organized into groups of _______ called _________.
8; bytes
What percentage of criminals leave evidence that could be investigated through a computer forensic procedure?
95%
Digital Forensics
A discipline that combines elements of law and computer science in order to collect and analyze computer data from a variety of computer systems, networks, storage devices, and other devices using digital communications as the source and flow of information in a way that is admissible as evidence in a court of law.
CHS limitation: The original _____ specification uses a 16-bit cylinder value, a 4-bit head value, and an 8-bit sector value
ATA
IDE controller has registers that contain information about the connected hard drive that can be queried using ______________ commands.
ATA
ASCII stands for
American Standard Code for Information Interchange
DOS partitions are used with
DOS, Windows, Linux, and IA32-based FreeBSD and OpenBSD systems
Protective MBR contains a _____ partition table with one entry. The single entry is for a partition with a type of 0xEE that spans the ___________ disk.
DOS, entire
Legally obtained evidence
Different regulations apply to internal, civil, and criminal investigations; criminal investigations are the most restrictive in terms of legal requirements.
Relevance of Evidence
Evidence must have a bearing on the event being investigated. Information about an unrelated crime cannot be used as evidence for the case.
Authenticity of Evidence
The evidence presented came from where the presenter claims it did
___________________ contains the name and metadata for a file or directory
FAT directory entry
T or F: Physical evidence can be wrong or wholly absent
False
T or F: You should never pull the plug to a computer to turn it off while gathering evidence.
False
T or F: A judge cannot render the evidence admissible or inadmissible. Only a jury can.
False.
FAT stands for __________
File Allocation Table
Documentary evidence
Files, logs, e-mail
HPA stands for
Host Protected Area
This is a special area of the disk that can be used to save data
Host Protected Area (HPA)
Examination
Identify and extract the relevant information from the collected data, using appropriate forensic tools and techniques, while continuing to maintain integrity of the evidence.
Collection (Acquisition)
Identify, isolate, label, record, and collect the data and physical evidence related to the incident being investigated, while establishing and maintaining integrity of the evidence through chain-of-custody.
Standard Microsoft boot code processes the partition table in the _______ and identifies which partition has the bootable flag set.
MBR
___________________ is in the first 512-byte sector of a disk
Master Boot Record (MBR)
FAT system is the primary file system of the ____________________
Microsoft DOS and Windows 9x OSes
The Daubert Guideline for DFI
Not well met for digital evidence due to some challenges - Procedural details of tools are not available • Intellectual Property Rights (IPR) concerns for proprietary tools • Open source tools are not well documented - Some basic testing by NIST, but no formal/rigorous testing results for file system tools
___________ use different data allocation strategies
OSes
Digital Investigation Process Model: Reconstruction
Physical: Develop theories Digital: Similar to physical
Digital Investigation Process Model: Search & Collection
Physical: In-depth search Digital: Analysis of system for non-obvious evidence
Digital Investigation Process Model: Documentation
Physical: Photograph, sketches, evidence/scene maps Digital: Photo & description of digital device
Digital Investigation Process Model: Preservation
Physical: Secure entrance/exit, prevent changes Digital: Prevent changes (network isolation, collecting volatile data, copying the entire digital environment)
Digital Investigation Process Model: Survey
Physical: Walking through scene Identify evidence Digital: Identify obvious evidence (in lab)
Reporting
Reporting the results of the analysis, including: - Findings relevant to the case - Actions that were performed - Actions left to be performed - Recommended improvements to procedures and tools
File systems use both ___________ addresses
Sector and Cluster
Reliability of Evidence
Should be no question about the truth of the investigator's conclusion. • Use standardized/verified forensics tools and methods • Investigator qualification
Evidence
Something that can establish or disprove a fact.
Real evidence
Things you can carry to court and show
The Fifth Amendment
To prevent the government from ever forcing a citizen to provide self-incriminating testimony. • No password for protected/encrypted data can be forcefully acquired (even if you have a warrant to search the computer)
The Fourth Amendment
To prohibit unreasonable searches and seizures and to require that warrants be judicially sanctioned and supported by probable cause.
Demonstrative evidence
To recreate or explain other evidence
Testimonial evidence
To support or validate other evidence types
T or F: Digital forensics is a discipline that collects and analyzes data from computing devices to find court-admissible evidence.
True
T or F: Only human failure to find physical evidence, study and understand it, can diminish its value
True
T or F: Shutting down a computer will change the state of the evidence by writing entries into the system activity logs.
True
Three ways of storing a Unicode character
UTF (Unicode Transformation Formats)-32, UTF-16, UTF-8
This solves the ASCII problem by using more than 1 byte to store the numerical version of a symbol
Unicode
Digital Forensics vs. Computer Forensics
While often used interchangeably, digital forensics includes computer forensics as well as forensics on all other digital devices capable of storing digital data - Network forensics - Mobile device forensics - Cloud forensics - Smart watch, Activity tracking device forensics, etc.
Cluster 2 in FAT32 is _____________
after the FAT area, i.e., the first sector of the data area
Cluster 2 in FAT12/16 is ____________
after root directory
Slack space is considered to be ______________
allocated space
If it is the last cluster in a file or directory, its entry will have ______________________
an end-of-file marker
To update a file, ________ can create a new copy or modify the existing file
applications
Digital evidence must be _______, _____, ______, and ________ to be admissible to a court.
authentic, reliable, relevant, integrity guaranteed, legally obtained
Acquisition tools report ___________
bad sectors
A proper forensic image (copy) can be considered ____________ if the original evidence has been returned to its owner.
best evidence
Computers use ____________ format.
binary number
Each 0 or 1 is called a __________.
bit
FAT12/16 and FAT32 have different versions of the ___________________, but they both have the same initial 36 bytes
boot sector
The starting and ending sectors of a partition do not have _________ information
boundary
A _______ is the smallest amount of space that is typically allocated to data
byte
GPT header also contains a ___________ of the header and the partition table so that errors or modifications can be detected
checksum
There exists one FAT entry per _______
cluster
The first cluster is ___________
cluster 2
Computers as a TARGET of crime
computer network intrusion, DDOS attack, ransomware attack
Backup area
contains a backup copy of the partition table and the GPT header (in this order, meaning a backup copy of the GPT header is the last sector of the GPT). It is located in the sector following the partition area.
Well-tested/accepted mobile and lab forensic hardware tools are __________ for forensic investigation.
critical
Many file systems have the ability to mark a data unit as ___________
damaged
Computers know the layout of the data because of ______________.
data structures
A user could manually add a __________ to the damaged sector list and place data in it
data unit
Computer being investigated is considered a ____________.
digital crime scene
Hard Disk Technology is one of the most common sources of _____________________.
digital evidence
These are two IMPORTANT data structures in File Allocation Table (FAT) system:
directory entries and FAT
Host Protected Area (HPA) is created at the ____________ of a hard disk.
end
In ASCII encoding, the ______________________ does NOT play a role in how the characters are stored because these are separate 1-byte values. Therefore, the ______ character in a word or sentence is always in the first allocated byte
endian ordering, first
___________ is the remaining unused sectors in the data unit.
file slack
____________ slack is the unused space in the end of a file system that is not allocated to any cluster.
file system
All data in a file system belong to one of the following categories:
file system, content, metadata, file name, application
___________ use the logical volume addresses but also assign logical file system addresses because they group consecutive sectors to form a data unit
file systems
FAT directory entries are located in the clusters allocated to the _______________
file's parent directory
The FAT File System Boot Sector is located in the
first sector of FAT file system
Protective MBR partition exists so that legacy computers can recognize the disk as being used and do not try to ____________.
format it
While allocation of consecutive data units is tried in typical cases, it is not always possible and a file can be __________
fragmented
A __________ is an example of a volume that is located in consecutive sectors
hard disk
A partition system is dependent on the operating system and not on the type of _______ on the hard disk
interface - Windows: FAT, NTFS - MAC: HFS, HFS+ - Linux: Ext2
A data structure describes how data are __________.
laid out
LBA overcomes CHS Limitation by using _______ address
logical
FAT directory entry data structure supports a name that has only 8 characters in the __________ and 3 characters in the ____________
name; extension
ASCII assigns a ________________________ to the characters in American English.
numerical value
_____________ clusters can be mapped in the FAT32
over 4 billion
A ______________ is a collection of consecutive sectors in a volume.
partition
The purpose of a _________ system is to organize the layout of a volume
partition
The starting and ending locations (sectors) for each partition are essential and are specified in the ________________ structure
partition data
Each entry or a ___________ contains a starting and ending address, a type value, a name, attribute flags, and a GUID value.
partition table
The 128-bit GUID is supposed to be unique for that system and is set when the _______________ is created.
partition table
The end goal of most digital investigations is to identify the person who is responsible; therefore the digital investigation needs to be tied to a __________.
physical investigation.
A _________ partition is a partition whose entry is in the MBR, and the partition contains additional partitions.
primary extended
A ________ partition is a partition whose entry is in the MBR and the partition contains a file system or other structured data.
primary file system
Two slack spaces talked about in class are __________________
ram and file
__________ is between the end of the file and the end of the sector in which the file ends.
ram slack
Blindly reading the amount of data needed for the file size and _____________________________ are two approaches for choosing the remaining clusters
reading only from the unallocated clusters
The first FAT starts after the _________________
reserved sectors
A decimal number is a series of these symbols (1,2,3,4,5,6,7,8,9,0), and each symbol has a value. The symbol in the ___________ column has a value of one, and the next column to the left has a value of _____. Each column has a value that is ______ times as much as the previous column.
right-most, 10, 10
A ______________ partition is a partition that contains a partition table and a secondary file system partition.
secondary extended
A _______________ partition, also called a logical partition in Windows, is located inside the primary extended partition bounds and contains a file system or other structured data.
secondary file system
__________ can be manually added to hide data
sectors
File Allocation Table (FAT) is one of the most ___________ file systems found in common operating systems
simple
The data structure is broken up into fields, and each field has a _______________, although this information is NOT saved with the data
size and name
GPT header defines the ______ and _______ of the partition table, which are fixed when the GPT disk is created
size, location
The unused bytes in the last data unit are called ____________
slack space
A file system is independent from any __________
specific computer
FAT entries are addressed _______________, and each entry corresponds to the cluster with the same address
starting with 0
ASCII: The series of bytes in a word or sentence is called a ______. Often, the string ends with the _______ symbol, which is ________.
string, NULL, 0x00
A file system consists of ________ and _________ that are organized such that the computer knows where to find them.
structural, user data
If a cluster is allocated, its entry will be non-zero and will contain ___________________ in the file or directory
the address of the next cluster
Partition Area
the largest area and contains the sectors that will be allocated to partitions
Pulling the power from the back of the computer will preserve information about ______________________________________.
the last user to login and at what time the login occurred, most recently used documents, most recently used commands, and other valuable information.
If it exists, the second FAT starts in ____________________
the sector following the end of the first FAT
Even though we can find __________________ and the size of the file, we have no information about the remaining clusters in the file
the starting location (cluster)
ASCII is limited for the rest of the world because _____________________________.
their native symbols cannot be represented.
The File Allocation Table (FAT) has two purposes:
to determine the allocation status of a cluster and to find the next allocated cluster in a file or directory
File systems provide a mechanism for users
to store data in a hierarchy of files and directories.
_____________ of each FAT is also given in the boot sector
total size
By definition, a partition is also a _________.
volume
______________ is the unused space between the end of file system and end of the partition where the file system resides. (unlimited in size)
volume slack
A _________ is a collection of addressable sectors that an _____________ or application can use for data storage. The sectors in a volume need NOT be consecutive on a physical storage device
volume, Operating System (OS)
Integrity of Evidence
was not altered in any way during examination, and there was no opportunity for it to have been replaced or altered in the interim
The directory entry is marked as unused and the FAT entries for the clusters are set to 0 _______________
when a file is deleted from within Windows
Search Warrant (for data held by service provider)
• 18 U.S. Code § 2703 - Required disclosure of customer communications or records • Used to search email accounts where search is performed by the service provider • Article on Search Warrant for Cloud
Chain of Custody
• A critical function of investigation that continuously records log information of each and every action that is taken on or against a piece of evidence and of every movement that evidence makes from the moment an object is identified as having evidentiary value. • Critical for evidence admissibility.
Digital Forensic Investigation
• A process that develops and tests hypotheses to answer questions about digital events that have already occurred. - What/who caused the event - When/why did the event occur • Driven by practical needs and available tools, not by fundamental theories
Multiple-Byte Value
• Again, one byte can hold only 256 values. • To store more than 256 different values, bytes are grouped together. These are called multibyte values. • Typical sizes include 2, 4, or 8 bytes.
Analysis
• Analyze the results of the examination to generate useful answers to the questions presented in the previous phases. • The case is typically "solved" in this phase.
Admissible Digital Evidence must have or be _____________.
• Authenticity • Integrity • Relevance • Reliability • Legally obtained
Sector Address in Hard Disk
• CHS - Cylinder address (C), Head number (H), Sector address (S) - Based on Physical address - Obsolete, older computers still use it. • LBA (logical Block address) - LBA address 0 = CHS address 0,0,1 - LBA address 1 = CHS address 0,0,2 - CHS 0,1,1 = sector 1 of the second head in the outer most cylinder
Search Warrant (Rule 41)
• Clearly state what you are searching for. • Clearly state the area in which you are authorized to search. • Be signed by a judge.
What is involved in a Forensic Investigation Process?
• Collection • Examination • Analysis • Reporting
System Start-up Process
• Computer power on • CPU initialization • Basic Input Output System (BIOS)
Writing to a Disk or Image File
• Create a duplicate copy using an HDD - Must be wiped with zeros - Can be modified once mounted • Create an image file on an HDD or any storage - More common way - No automatic mount - Can be broken into smaller images to fit storage smaller than the source disk
Hard Drive Duplication Methods
• Dedicated forensic duplication systems • System-to-system imaging • Imaging on the original system
First thing to do at the Scene
• Determine who is in charge (or whom you report to) - The DFI is never in charge of the scene • Identify what the crime scene is • Identify what "area" you are allowed to enter
Digital Forensics (DF) vs. Computer Science
• Digital forensics investigation requires substantial knowledge of computer systems, file systems, OS, networking systems, HW, etc. • A DF investigator may not need the deepest understanding of CS theories but must have a familiarity with a wide range of subject matter.
What you SHOULD NOT do if a computer is already ON.
• Do not immediately disconnect the power if... - Data of apparent evidentiary value is in plain view onscreen. The first responder should seek out personnel who have experience and training in capturing and preserving volatile data before proceeding. - Indications exist that any of the following are active or in use: • Chat rooms. • Open text documents. • Remote data storage. • Instant message windows. • Child pornography. • Contraband. • Financial documents. • Data encryption. • Obvious illegal activities.
Error Handling in Forensic Image
• Do not ignore any bad sector. Rather, log its address and write zeros in its place. • This keeps the other data at the correct location (offset) in the image.
The "Best Evidence" Rule
• Evidence presented in court should be original and the actual item investigated or examined. • Federal Rules of Evidence consider a printout of computer data to be "original" if it can be read by sight and if it accurately represents the stored data. • A proper forensic image (copy) can be considered Best evidence if the original evidence has been returned to its owner.
Boot Sequence
• Follow the boot sequence of disks specified in CMOS-RAM; use the first OS available. • The ability to boot from an OS not on the hard disk drive is an important feature for digital investigation.
Digital Investigation in 6 Steps
• Identification/Assessment • Collection/acquisition • Preservation • Examination • Analysis • Reporting
Guideline for First Responder - When you see a computer
• If computer is on, leave it on. (for now) • If computer is off, leave it off. • No technical assist from anyone unauthorized should be allowed. • Avoid compromising physical evidence (fingerprint, blood, DNA, etc.) on computer devices (mouse, keyboard, etc.) • Protect yourself from biohazards
What you SHOULD do if a computer is already ON (More detail on week2 slide-28 and 29)
• Immediately disconnect the power if... - Information or activity on screen indicates that data is being deleted or overwritten. - There is indication that a destructive process is being performed on the computer's data storage devices.
Types of Forensic Investigation
• Internal Investigations • Civil Investigations • Criminal Investigations
Incident Response - Corporate
• Large company - incident responder might be a technician-level employee in security or information technology • Small company - network administrator or security officer might also be the incident responder
Image File Format
• May include additional descriptive data about acquisition - Hash, acquisition time/date • Raw image is most flexible • Embedded image is common for proprietary solutions
Device Configuration Overlay (DCO)
• PC vendors can buy different size HDDs and configure to have same number of sectors • Forensics tools may not capture DCO. - FTK imager (4.2.0) cannot capture DCO/HPA (as of Dec. 2017) - EnCase can capture both • DEVICE_CONFIGURATION_SET: create or change a DCO • DEVICE_CONFIGURATION_RESET: remove DCO
Guideline for First Responder 2 ways to turn off a computer
• Pull the plug - Immediately halts processing but destroys data in memory and can corrupt files - Data in memory could be collected using "cold boot" attack or DMA attack. • Shut down - Writes entries into the system activity logs (change of the state of the evidence)
Incident Response
• Response to a computer crime, security policy violation, or similar event • Secure, preserve and document digital evidence • Happens BEFORE the forensic analysis begins. • Incident responder is not necessarily the forensic specialist who will conduct the analysis of the digital evidence
Securing the Scene (by first responder or DFI)
• Safety first. • Integrity second. (computer, data, network) • Then secure evidence. • Not just computers but any digital devices that can contain data (or encryption key) - Network switches, routers, servers - Mobile phone, printer, digital camera, USB, Flash memory, external HDD, activity/fitness tracking devices, MP3 players, digital audio recorder, etc. (use faraday bags) - RSA SecureID, USB dongle with encryption key • Identify data sources
No Search Warrant is required if..
• The "plain view" doctrine says that an officer can seize evidence that is in plain view as long as: - The officer is legally present at the site of the evidence. - The officer can legally access the evidence. - The officer has probable cause to believe that the evidence or contraband is related to a crime. • A device can be seized if there is the owner's written consent acknowledging a future forensic examination by a trained examiner
The Daubert Test
• The case of Daubert v. Merrell Dow Pharmaceuticals (1993) established new criteria to determine the reliability, relevancy, and admissibility of scientific evidence.
Host Protected Area (HPA)
• A special area of the disk that can be used to save data • A casual observer (including the OS) might not see it. • The IDE controller has registers that contain information about the connected hard drive that can be queried using ATA commands. • The size of the HPA is configurable using ATA commands, and many disks have a size of 0 by default. - READ_NATIVE_MAX_ADDRESS - SET_MAX_ADDRESS - IDENTIFY_DEVICE • The OS uses IDENTIFY_DEVICE to find out the size of the hard drive • HPA-aware S/W or firmware (e.g., BIOS) can read HPA data
Incident Response - Criminal investigation
• A sworn law enforcement officer or "crime lab" technician can be the incident responder • In a company, after corporate personnel have done their own incident response, law enforcement personnel can be called in if there is criminal activity
Corporate/private Investigation
• Not subject to the same "search and seizure" rules and Fourth Amendment issues • Often involves misuse or abuse of company assets, falsification of data, discrimination, harassment, and similar matters likely to involve litigation, e.g., employees who violate the company's security policy - The investigator can often trace and neutralize these threats without the involvement of law enforcement - If illegal activity is found, police involvement is necessary.