Forensics
Case Investigator/Detection
"First Responder"; instructs officers what to do or what to ask; knowledgeable in computer terminology and functions; knows what can and cannot be retrieved from digital evidence; usually assigned and manages the entire case
Describe analysis
"always" work from an image of evidence, NEVER from the original
Describe ASCII
American Standard Code for Information Interchange; commonly used for representing alphanumeric data in a computer; uses binary digits to represent the symbols typed on the keyboard
Hexadecimal uses Base _?_. What are the symbols?
Base16. 0-9, A-F
The two categories of computer crime are...
Computers used to conduct crime & where the computer is the target of the crime
A criminal case follows 3 stages. What are they?
Criminal complaint; investigation; prosecution
Computer forensics is also called __?__
Cyber forensics
Describe computer forensics vs. data recovery
Data recovery: involves recovering information from a computer that was deleted by mistake or lost (has no legal significance). Computer forensics: involves analyzing hidden or deleted data with the goal of ensuring that the recovered data is valid so that it can be used as evidence
where do we find digital evidence?
PCs, laptops, storage media, digital cameras, cellphones, PDAs, credit card readers, MP3 players, watches, RAM, log files
crime
a "public offense" for which the law prescribes a punishment or sanction; offense against society
Describe investigation
a law enforcement office or agency reviews and investigates the complaint; files charges or submits for prosecution
Describe how a typical case usually plays out
a crime is reported to law enforcement; evidence is gathered (may require search warrants); interviews or interrogations are conducted; suspect is charged and/or arrested; case with evidence is turned over to prosecutor
what do we do with evidence?
acquire electronic evidence without altering or damaging the original data; authenticate (verify) that your recovered evidence is the same as the originally seized data located on the computer; analyze the data without modifying it; document or report
Preliminary Investigator
acquires and seizes digital evidence, normally performed by a state police officer; preserves everything
evidence
any form of proof legally presented at trial for the purpose of establishing the existence or nonexistence of a disputed fact (criminal or civil case)
Forensics
application of scientific techniques for investigating, preserving, and examining evidence in a particular field to establish an evidentiary basis for use in court cases; an application of scientific knowledge to legal issues or problems
Hexadecimal numbers are a shorthand way of expressing __?__
binary numbers
Describe the crimes where computers are used to conduct crime
child pornography/exploitation (70%); threatening letters; fraud; embezzlement; theft of intellectual property/trade secrets
Computer crimes are commonly called __?__
cyber crimes
When analyzing, where can you find the evidence?
existing files, mislabeled files, deleted files; free space, slack space, swap space
computer forensics examiner
expert witness; a specialist trained in retrieving digital evidence; performed by computer forensics examiner, network forensics expert or internet fraud investigation specialist; a well-trained/experienced forensics examiner will typically be qualified as an expert before testifying in court in criminal or civil matters
What are some essential skills of a computer forensics examiner?
familiar with computer operating systems and hardware; applies proper forensic procedures in collecting and analyzing electronic evidence; expert in using computer forensic tools
digital evidence
files that are present, deleted, encrypted, and/or hidden; fragments of files; bytes
Numbering systems help us to understand....
how computers function, process, and communicate data
Describe "acquire evidence"
how do we seize the computer? how do we handle computer evidence? documenting the forensic investigation
Describe the crimes where the computer is the target of the crime
intruder attacks; hacking/security breach/stolen data; unauthorized access (curiosity)
public offense
involves the violation of a law enacted by a governmental authority
Numbering systems are used to represent different values such as _____
letters, words, symbols, and numbers
Why should you always work from an image of evidence and NEVER from the original?
prevents damage to actual evidence source; various forensic software tools can be used to create an image and analyze.
direct evidence
proof that "directly" establishes the existence or nonexistence of a disputed fact without necessity of referring to any other facts
circumstantial evidence
proof that "does not" directly establish the existence or nonexistence of a disputed fact but gives rise to a logical inference that the fact exists; provides some connection to the crime
describe prosecution
prosecutor collects evidence and builds a case
Describe authenticating.
proving that the evidence is indeed what the suspect computer user/owner left behind; readable text or pictures don't magically appear; calculate a hash value (ID) (math algorithm, digital fingerprint) for the data; protocols used: CRC, MD5, SHA
Describe a criminal complaint
someone files a complaint or charges someone with committing a crime (In MD, it's called a statement of charges)
computer forensics
the application of forensics techniques to electronic information stored or transported on computers; involves the preservation, identification, extraction, examination, documentation, and interpretation of computer media for evidentiary use in legal proceedings, administrative hearings, and business
List examples of evidence
witness testimony, documents, photos, records, concrete objects, expert witness testimony, reports, computer file records