Intro to Digital Forensics - Midterm Review
3 Main concerns when seizing:
1 - Loss of power; 2 - sync with cloud service; 3 - remote wiping
exculpatory evidence
evidence that suggests the defendant's innocence
Private-sector investigations
focus more on policy violations
evidence custody
Form that helps you document what has been done with the original evidence and its forensic copies. Also called a Chain-of-Evidence or Chain-of-Custody form.
Criminal Trial
guilty or not guilty
evidence bags
To secure and catalog the evidence. Use computer-safe products when collecting computer evidence: antistatic bags, padded wrapping. Use evidence tape to seal all openings: CD drive bays, insertion slots for power supply electrical cords and USB cables.
Bit-stream image
File containing the bit-stream copy of all data on a disk or partition. Also known as an "image" or "image file".
File Allocation Table (FAT)
File structure database that Microsoft originally designed for floppy disks
Isolate device from incoming signals (4 WAYS)
Place the device in airplane mode; place the device in a paint can; use the Paraben Wireless StrongHold Bag; turn the device off.
Chain of custody
Route the evidence takes from the time you find it until the case is closed or goes to court
ethics
Rules you internalize and use to measure your performance
drive slack
Unused space in a cluster between the end of an active file and the end of the cluster. Drive slack includes RAM slack and file slack.
Interview
Usually conducted to collect information from a witness or suspect about specific facts related to an investigation.
4th amendment
U.S. Constitution protects everyone's right to be secure from search and seizure
Deleting FAT Files IMPORTANT
Data in the file remains on the disk drive
Forensic Examiner Role
Either fact or expert witness
Data Analysis
The assessment of the information contained within the media. (SWGDE)
Direct examination
A lawyer questioning his own witnesses.
private sector purpose
A private-sector investigator's job is to minimize risk to the company
Acquisition
A process by which digital evidence is duplicated, copied or imaged. (NIJ)
Data Extraction
A process that identifies and recovers information that may not be immediately apparent. (SWGDE)
Computer Forensics
A sub-discipline of Digital & Multimedia Evidence, which involves the scientific examination, analysis and/or evaluation of digital evidence in legal matters. (SWGDE)
Production
After all essential corrections have been made, the lab can go into production. Implement lab operations procedures.
Unallocated Space
Allocation units not assigned to active files within a file system. (NIJ) Data storage units available for use by the computer. The area may already contain previously stored information. (SWGDE)
Business-record exception
Allows "records of regularly conducted activity," such as business memos, reports, records, or data compilations
Preliminary report
Anything you write down as part of your examination for a report. Subject to discovery from the opposing attorney.
Digital Evidence First Responder
Arrives on an incident/crime scene, assesses the situation, and takes precautions to collect and preserve digital evidence
Implementation
As part of your business case, describe how implementation of all approved items will be processed. A timeline showing expected delivery or installation dates and expected completion dates must be included. Schedule inspection dates.
Bit-stream copy
Bit-by-bit copy of the original storage medium; an exact copy of the original disk. Different from a simple backup copy: backup software only copies known files and cannot copy deleted files or e-mail messages, or recover file fragments.
Pharming
DNS poisoning takes user to a fake site
Free Space
Data storage areas available for use by the computer. The area may already contain previously stored information. Also referred to as Unallocated Space. (SWGDE)
spoliation
Destroying the report could be considered destroying or concealing evidence
Network intrusion detection & incident response
Detects intruder attacks by using automated tools and monitoring network firewall logs
Deposition banks
Examples of expert witness' previous testimonies
Budget Development
Facility cost; hardware requirements; software requirements; miscellaneous budget needs
Systematic Approach
Game plan, staffing, resources: what do I need, and what do I need to do?
File system
Gives OS a road map to data on a disk
Digital Evidence Specialist
Has the skill to analyze collected/acquired data pursuant to investigative, forensic and legal parameters (on scene and in the laboratory).
Private-sector investigations
Involve private companies and lawyers who address company policy violations and litigation disputes: e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage.
Digital Evidence
Information stored or transmitted in binary form that may be relied upon in court. (NIJ) Information of probative value that is stored or transmitted in binary form. (SWGDE)
Acceptance testing
Inspect the facility to make sure it meets security criteria to contain and control digital evidence. Test all communications. Test all hardware to verify it is operational. Install and start all software tools.
Risk Management
Involves determining how much risk is acceptable for any process or operation. Identify equipment your lab depends on so it can be periodically replaced. Identify equipment you can replace when it fails. Computing components last 18 to 36 months under normal conditions; schedule upgrades at least every 18 months, preferably every 12 months.
Configuration Management
Keep track of software updates to your workstation
Digital investigations
Manages investigations and conducts forensics analysis of systems suspected of containing evidence
six types of mobile forensics methods:
Manual review - may not be considered "forensic"; Physical extraction - hardware/software based; Logical extraction - hardware/software based; Hex dumping & Joint Test Action Group (JTAG) extraction - hardware based; Chip-off - hardware based, most intrusive/destructive; Micro read - hardware based, most intrusive/destructive
Evidence Containers/Lockers
Must be secure so that no unauthorized person can easily access your evidence. Locate them in a restricted area. Limit the number of authorized people who can access the container. Maintain records on who is authorized to access each container. Containers should remain locked when not in use.
Expert witness
OPINION. Has opinions based on observations. Opinions are formed from experience and deductive reasoning. Opinions make the witness an expert.
Discovery deposition
Part of the discovery process for a trial. Opposing attorney previews your testimony before trial.
Original Evidence
Physical items and the data objects that are associated with those items at the time of the seizure. (NIJ)
investigation plan
Prepare your forensics workstation. Retrieve the evidence from the secure container. Make a forensic copy of the evidence. Return the evidence to the secure container. Process the copied evidence with computer forensics tools.
Interrogation
Process of trying to get a suspect to confess
Using Evidence Lockers
Provide the same level of security for the combination as for the container's contents. Destroy any previous combinations after setting up a new combination. Allow only authorized personnel to change lock combinations. Change the combination every six months or when required.
Scientific/Technical (Fact) Witness
Provides facts found in the investigation. Explains what the evidence is and how it was obtained. Traditionally, does not offer conclusions.
Testimony preservation deposition
Requested by your client. Preserves your testimony in case of schedule conflicts or health problems.
First Responder
Responds to an incident/crime scene, assesses the situation, and takes precautions to identify and preserve physical evidence. SECURE THE SCENE.
Basic Input Output System (BIOS)
Set of routines stored in read-only memory that enables the computer to start the operating system and to communicate with the various devices in the system. (NIJ)
Bring your own device (BYOD)
Some companies state that if you connect a personal device to the business network, it falls under the same rules as company property. Weigh your personal privacy before agreeing.
File Slack
Space between the logical end of the file and the end of the last allocation unit for that file. (NIJ) The data between the logical end of the file and the end of the last storage unit. (SWGDE)
codes of professional conduct or responsibility
Standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies
Chain of Custody
The chronological documentation of the movement, location and possession of evidence. (SWGDE)
clusters
Storage allocation units of one or more sectors
FILE and Directory
THE SAME THING: one is the command-line term, the other is Windows based
Examination
Technical Review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data. (NIJ)
Lay witness
Testifies about what he/she saw or heard
Threat assessment & risk management
Tests and verifies the integrity of stand-alone workstations and network servers
digital forensics
The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.
Plain View Doctrine
The legal principle that objects in plain view of a law enforcement agent who has the right to be in a position to have that view may be seized without a warrant and introduced as evidence. Three criteria must be met: the officer is where he or she has a legal right to be; ordinary senses must not be enhanced by advanced technology in any way; any discovery must be by chance.
Archiving
The process of storing data in a manner that is suitable for long term availability and retrieval. (SWGDE)
Forensic
The use or application of scientific knowledge to a point of law, especially as it applies to the investigation of crime. (SWGDE)
Analysis
To look at the results of an examination for its significance and probative value to the case. (NIJ)
Civil Trial
liable or not liable
Approval and Acquisition
You must present a business case with a budget to upper management for approval
Justification
You need to justify to the person controlling the budget the reason a lab is needed. Requires constant efforts to market the lab's services to previous, current, and future customers and clients.
conflicting out
an attempt by opposing attorneys to prevent you from serving on an important case
computer generated records
Considered authentic if the program that created the output is functioning correctly. Usually considered an exception to the hearsay rule.
Federal Rules of Evidence (FRE)
created to ensure consistency in federal proceedings
Deposition
Differs from trial testimony: there is no jury or judge. Opposing attorney previews your testimony before trial.
Phishing
e-mails contain links to text on a Web page
Auditing
Ensures proper enforcement of policies by inspecting facility components and practices such as: ceiling, floor, roof, and exterior walls of the lab; doors and door locks; visitor logs; evidence container logs. At the end of every workday, secure any evidence that's not being processed in a forensic workstation.
Disaster Recovery plan
Ensures that you can restore your workstation and investigation files to their original condition. Recover from catastrophic situations, virus contamination, and reconfigurations. Includes backup tools for single disks and RAID servers. How quickly can you get up and running after a workstation crash?
Professional conduct
Includes ethics, morals, and standards of behavior. An investigator must exhibit the highest level of professional behavior at all times. Maintain objectivity. Maintain credibility by maintaining confidentiality. Investigators should also attend training to stay current with the latest technical changes in computer hardware and software, networking, and forensic tools.
Hearsay
Information heard by one person about another. Hearsay is generally inadmissible as evidence in court because it's not based on personal knowledge.
Public-sector investigations
involve government agencies responsible for criminal investigations and prosecution
data recovery
involves retrieving information that was deleted by mistake or lost during a power surge or server crash
cross-examination
questioning of a witness conducted by the lawyer for the opposing side
probable cause
reasonable grounds (for making a search, pressing a charge, etc.).
computer stored records
Records must be shown to be authentic and trustworthy to be admitted into evidence
Line of authority
states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
discovery
the process of opposing attorneys seeking information from each other
line authority
the right to command immediate subordinates in the chain of command