IST 454 - Chapter 4: Processing Crime and Incident Scenes
Steps to create image files:
1. Copy all image files to a large drive.
2. Start your forensics tool to analyze the evidence.
3. Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash.
4. Secure the original media in an evidence locker.
Innocent information
- Unrelated information
- Often included with the evidence you're trying to recover
Keyed hash set
Created by an encryption utility's secret key
How to define a secure perimeter:
- Use yellow barrier tape.
- Legal authority for a corporate incident includes trespassing violations.
- For a crime scene, it includes obstructing justice or failing to comply with a police officer.
To ___________ computer forensics data, learn to use more than one vendor tool
analyze
Plain view doctrine:
Objects falling in plain view of an officer who has the right to be in position to have that view are subject to seizure without a warrant and may be introduced in evidence
Digital Evidence
can be any information stored or transmitted in digital form.
Save __________ from current applications as safely as possible.
data
Corporate investigators might have the authority only to make an image of the suspect's __________.
drive
The only way to detect these changes is to compare the original data with a _____________.
duplicate.
The author of a Microsoft Word document can be identified by using:
file metadata.
Need a warrant to start seizing evidence
limit searching area
Most digital forensics hashing needs can be satisfied with a:
nonkeyed hash set
criminal cases require
warrants
Automated Fingerprint Identification System (AFIS)
- A computerized system for identifying fingerprints that's connected to a central database
- Used to identify criminal suspects and review thousands of fingerprint samples at high speed
Secure Hash Algorithm version 1 (SHA-1)
- A newer hashing algorithm
- Developed by the National Institute of Standards and Technology (NIST)
Non-government organizations must comply with state public disclosure and federal Freedom of Information Act (FOIA) laws:
- And make certain documents available as public records
- FOIA allows citizens to request copies of public documents created by federal agencies.
Cyclic Redundancy Check (CRC)
- Mathematical algorithm that determines whether a file's contents have changed
- Not considered a forensic hashing algorithm
Message Digest 5 (MD5)
- Mathematical formula that translates a file into a hexadecimal code value, or a hash value
- If a bit or byte in the file changes, it alters the hash value, which can be used to verify that a file or drive has not been tampered with
Common activities and practices:
- Recover specific evidence
- Covert surveillance
- Sniffing tools for data transmissions
Sparse acquisition
- Technique for extracting evidence from large systems
- Extracts only data related to evidence for your case from allocated files, and minimizes how much data you need to analyze
Private-sector organizations include:
- businesses and government agencies that aren't involved in law enforcement
Example of not being able to use original evidence:
- Investigations involving network servers
- Removing a server from the network to acquire evidence data could cause harm to a business or its owner, who might be an innocent bystander to a crime or civil wrong.
Throughout the book, you use data files from the hypothetical M57 Patents case
1. A new startup company doing art patent searches
2. A computer sold on Craigslist was discovered to contain "kitty" porn
3. It was traced back to M57 Patents
4. An employee is suspected of downloading the porn
Bag and tag the evidence, following these steps:
1. Assign one person to collect and log all evidence
2. Tag all evidence you collect with the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it
3. Maintain two separate logs of collected evidence
4. Maintain constant control of the collected evidence and the crime or incident scene
Computer records are usually divided into:
1. Computer-generated records
2. Computer-stored records
If you aren't allowed to take the computers to your lab:
determine the resources you need to acquire digital evidence and which tools can speed data acquisition.
Identifying the type of OS or digital device for law enforcement may be _____________ because the crime scene isn't controlled.
difficult
As you collect __________ evidence, guard against physically destroying or contaminating it
digital
Maintain the _________________ of digital evidence in the lab
integrity
Determining the tools you need:
prepare tools using incident and crime scene information.
As long as bit-stream copies of data are created and maintained properly:
the copies can be admitted in court, although they aren't considered best evidence.
Goal of scene processing:
to collect and secure digital evidence.
A nonkeyed hash set:
A unique hash number generated by a software tool, such as the Linux md5sum command
CDs, DVDs, DVD-Rs, DVD+Rs, or DVD-RWs
- The ideal media
- Capacity: up to 17 GB
- Lifespan: 2 to 5 years
Digital evidence
anything stored or transmitted on electronic or optical media
Civil investigations follow same rules, but require less ________________.
Documentation
The plain view doctrine's applicability in the digital forensics world is being rejected:
Example: In a case where police were searching a computer for evidence related to illegal drug trafficking, if an examiner observes an .avi file and finds child pornography, he must get an additional warrant or an expansion of the existing warrant to continue the search for child pornography.
Data you discover from a forensic examination falls under your state's rules of evidence or the
FRE.
Collect documentation and media related to the investigation:
Hardware, software, backup media, documentation, manuals
Hearsay
secondhand or indirect evidence
Probable Cause
Refers to the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest
Smaller external SDLT drives can connect to a workstation through a _____________ card
SCSI
Groups such as the ____________________ set standards for recovering, preserving, and examining digital evidence.
Scientific Working Group on Digital Evidence
This type of response can cause digital evidence to be lost.
Slow
Best evidence rule states:
To prove the content of a written document, recording, or photograph, ordinarily the original writing, recording, or photograph is required.
Federal Rules of Evidence:
allow a duplicate instead of originals when it is produced by the same impression as the original.
Corporate investigators should know under what circumstances they can examine:
an employee's computer
Use ______________ bags for electronic components
antistatic
Close ____________ and shut down the computer
applications
The nature of the case dictates how you proceed and what types of _________ or ________ you need to use in the investigation.
assets or resources
Consult with your ______________ for extra guidelines.
attorney
Computer and digitally stored records must be shown to be:
authentic and trustworthy to be admitted into evidence.
Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is
authentic.
You might need to retain evidence indefinitely:
check with your local prosecuting attorney's office or state laws to make sure you're in compliance.
Evidence admitted in a criminal case can be used in a _______ suit, and vice versa.
civil
Anyone assigned to the scene should cooperate with the designated leader to ensure the team addresses all details when ________________________ .
collecting evidence.
Keep current on the latest rulings and directives on:
collecting, processing, storing, and admitting digital evidence.
In both MD5 and SHA-1, ________________ have occurred
collisions
Corporate policy statement about misuse of digital assets allows
corporate investigators to conduct covert surveillance with little or no cause, and access company systems without a warrant.
Police can take elimination prints of everyone who:
had access to the crime scene.
Law enforcement agencies typically
handle large-scale investigations
When identifying the type of OS or digital device, determine which OSs and __________ are involved.
hardware
Typically, businesses have inventory databases of computer _____________ and ______________.
hardware, software
After you determine that an incident scene has digital evidence, __________ the digital information or artifacts that can be used as evidence
identify
When you're assigned a digital investigation case, start by identifying the nature of the case:
including whether it involves the private or public sector.
Digital evidence is unlike other physical evidence because:
it can be changed more easily.
Drawback of sparse acquisition:
it does not recover data in free or slack space.
Evidence bags also include:
labels or evidence forms you can use to document your evidence
When creating an initial-response field kit, it should be:
lightweight and easy to transport
Judges often issue a ______________ _______________ to the warrant.
limiting phrase
Make notes of everything you do when copying data from a ________ suspect computer.
live
Most cases in the corporate environment are considered:
low-level investigations
Lab should have a sign-in roster for all visitors to:
maintain logs for a period based on legal requirements.
Corporate computing investigations usually require:
only one person to respond to an incident
U.S. courts accept digital evidence as ____________ evidence.
physical
Probably the most important step in computing investigations:
preparing for a computer search and seizure
In the __________ sector, the incident scene is often in a contained and controlled area
private
Corporate investigators are, therefore, primarily concerned with:
protecting company assets.
A journal serves as a ___________________ that documents the methods you used to process digital evidence.
reference
To help maintain the chain of custody for digital evidence:
restrict access to lab and evidence storage area
Before initiating the search:
review facts, plans, and objectives with the investigation team you have assembled.
If removing the computers will irreparably harm a business
the computers should not be taken offsite.
Computer-generated records are considered authentic if:
the program that created the output is functioning correctly.
- Usually considered an exception to the hearsay rule.
Companies should publish:
the right to inspect computer assets policy
Companies should display a warning banner and publish a policy stating that
they reserve the right to inspect computing assets at will.
Law enforcement investigators need a warrant to remove computers from a crime scene and to:
transport them to a lab.
Consistent practices help with:
verifying your work and enhancing your credibility.
Digital evidence is ______________.
volatile
When attorneys challenge digital evidence, they often raise the following issue:
whether computer generated records were altered or damaged.
The type of case and location of the evidence determines
whether you can remove digital evidence
Record all ________________ windows or shell sessions.
active
If you discover evidence of a crime during a company policy investigation:
1. Determine whether the incident meets the elements of criminal law
2. Inform management of the incident
3. Stop your investigation to make sure you don't violate Fourth Amendment restrictions on obtaining evidence
4. Work with the corporate attorney on how to respond to a police request for more information
Ask your supervisor or senior forensics examiner in your organization the following questions:
1. Do you need to take the entire computer and all peripherals and media in the immediate area?
2. How are you going to protect the computer and media while transporting them to your lab?
3. Is the computer powered on when you arrive?
4. Is the suspect you're investigating in the immediate area of the computer?
5. Is it possible the suspect damaged or destroyed the computer, peripherals, or media?
6. Will you have to separate the suspect from the computer?
Additional complications when determining whether you can seize computers and digital devices:
1. Files stored offsite that are accessed remotely
2. Availability of cloud storage, which can't be located physically
   - Stored on drives where data from many other subscribers might be stored
To perform the tasks of preparing for a computer search and seizure you must complete the following tasks:
1. Get answers from the victim and an informant
   - Who could be a police detective assigned to the case, a law enforcement witness, or a manager or coworker of the person of interest to the investigation
Getting a detailed description of the location:
1. Get as much information as you can about the location of a digital crime.
2. Interact with your HAZMAT team.
An evidence custody form serves the following functions:
1. Identifies the evidence
2. Identifies who has handled the evidence
3. Lists dates and times the evidence was handled
General tasks investigators perform when working with digital evidence:
1. Identify digital information or artifacts that can be used as evidence
2. Collect, preserve, and document evidence
3. Analyze, identify, and organize evidence
4. Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably
Processing an Incident or Crime scene guidelines:
1. Keep a journal to document your activities.
2. Secure the scene.
3. Take video and still recordings of the area around the computer.
4. Sketch the incident or crime scene.
5. Check the state of computers as soon as possible.
Using a Technical Advisor - Responsibilities:
1. Know all aspects of the seized system
2. Direct the investigator handling sensitive material
3. Help secure the scene
4. Help document the planning strategy
5. Conduct ad hoc trainings
6. Document activities
7. Help conduct the search and seizure
A technical advisor can help:
1. List the tools you need to process the incident or crime scene
2. Guide you about where to locate data and help you extract log records or other evidence from large RAID servers
3. Create the search warrant by itemizing what you need for the warrant
Don't rely on one media storage method to preserve your evidence:
1. Make two copies of every image to prevent data loss
2. Use different tools to create the two images
Determine whether you need specialized help to access the incident or crime scene. You may need to look for specialists in:
1. OSs
2. RAID servers
3. Databases
For the plain view doctrine to apply, three criteria must be met:
1. Officer is where he or she has a legal right to be
2. Ordinary senses must not be enhanced by advanced technology in any way
3. Any discovery must be by chance
HAZMAT guidelines:
1. Put the target drive in a special HAZMAT bag
2. HAZMAT technician can decontaminate the bag
3. Check for high temperatures
Documenting evidence in the lab:
1. Record your activities and findings as you work
   - Maintain a journal to record the steps you take as you process evidence.
2. Your goal is to be able to reproduce the same results.
Follow guidelines when processing an incident or crime scene
1. Security perimeter
2. Video recording
Super Digital Linear Tape (Super-DLT or SDLT)
1. Specifically designed for large RAID data backups
2. Can store more than 1 TB of data
Three rules for forensic hashes:
1. You can't predict the hash value of a file or device
2. No two hash values can be the same
3. If anything changes in the file or device, the hash value must change
If you can identify the OS or device:
1. Estimate the size of the drive on the suspect's computer.
2. Determine how many devices to process at the scene.
Business-record exception
Allows "records of regularly conducted activity," such as business memos, reports, records, or data compilations
Comply with your state's rules of evidence or with the ___________________.
Federal Rules of Evidence
FRE stands for:
Federal Rules of Evidence
When seizing digital evidence in a criminal investigation,
Follow U.S. DoJ standards for seizing digital data.
_____________ hash values verify that data or storage media have not been altered
Forensic
The ___________ Amendment states that only warrants "particularly describing the place to be searched, and the persons or things to be seized" can be issued
Fourth
Computer crimes examples
- Fraud
- Check fraud
- Homicides
Extensive-response field kit
Includes all tools you can afford to take to the field, and when at the scene, extract only those items you need to acquire evidence.
Professional curiosity can destroy evidence:
Involves police officers and other professionals who aren't part of the crime scene processing team
Magnetic tapes - 4-mm DAT
- Capacity: 40 to 72 GB
- Lifespan: 30 years
- Costs: drive: $400 to $800; tape: $40
Look for the following information related to the investigation
Passwords, passphrases, PINs, bank accounts.
Securing a Computer Incident or Crime Scene goals:
Preserve the evidence and keep the information confidential.
Seizing Digital Evidence at the Scene: Law enforcement can seize evidence with:
a proper warrant
You can add more information to your evidence custody form such as:
a section listing MD5 and SHA-1 hash values
Digital records are considered admissible if they qualify as a _________________ _____________.
business record
Covert surveillance use must be well defined in:
the company policy.
Don't cut _____________________ to a running system unless it's an older Windows 9x or MS-DOS system
electrical power
If a corporate investigator finds that an employee is committing or has committed a crime:
employer can file a criminal complaint with the police.
You can use the MD5 function in FTK Imager to obtain the digital signature of a file or an:
entire drive
Protect your ___________ and health as well as the integrity of the evidence
safety
You must handle all evidence the __________ way every time you handle it
same
Private and public sectors follow:
same computing investigation rules
Limiting phrase allows the police to:
separate innocent information from evidence.
Collecting digital devices and processing a criminal or incident scene must be done ________________________.
systematically
Digital data is treated as a ________ object.
tangible
One test to prove that computer stored records are authentic is to demonstrate:
that a specific person created the records.
The evidence you acquire at the scene depends on the nature of the case and ____________________________.
the alleged crime or violation