CHFI v10 module 2 book notes
First Response by Laboratory Forensics Staff: The first response by laboratory forensics staff involves six stages:
1. Documenting the Electronic Crime Scene 2. Collecting Incident Information 3. Planning for Search and Seizure 4. Identifying and Collecting Electronic Evidence 5. Packaging Electronic Evidence 6. Transporting Electronic Evidence
Dealing with Smartphones or Other Handheld Devices
Photograph the device and its screen display
Dealing with Powered-On Computers
RAM contains crucial information, which is volatile in nature. Removing or shutting down the power supply will lead to the deletion of this vital information. Investigators need to collect the volatile data from the powered-on device: move the mouse slowly without pressing any mouse button, then photograph the screen and document the running programs, open files, or other data of evidentiary value.
shutdown procedures for Mac OS X:
▪ Record the time from the menu bar ▪ Click the Apple icon located on the top left-hand side of the Mac OS taskbar ▪ Select "Shut Down" near the bottom ▪ Unplug the power cord from the wall socket
system/network administrators can take the following measures:
Record what is on-screen if the computer is switched on ▪ Transfer copies of system logs onto a clean media ▪ If an ongoing attack is detected, seek top management approval before powering down any computing systems ▪ Isolate the computing systems or other digital devices from further use or tampering ▪ Document every detail relevant to the incident
There are three ways in which investigators can reconstruct a crime:
▪ Temporal analysis: produces a sequential event trail, which sheds light on important factors such as what happened and who was involved ▪ Relational analysis: correlates the actions of the suspect and the victim ▪ Functional analysis: provides a description of the possible conditions of a crime.
ISO/IEC 17025
Testing and Calibration Laboratories
Social Media Activity Timestamps:
The timeline of the activities of the user on social networking can provide vital information for the investigation; the timestamp of user communication such as sharing data (e.g., posting photos, status updates, etc.) reveals information on any particular user activity
social media Pictures and Videos:
These are the pictures and videos uploaded by the user, as well as other people's pictures in which the user is tagged
If a monitor is switched OFF and the display is blank:
▪ Turn the monitor ON, move the mouse slightly, observe the change from a blank screen to another screen and note the changes ▪ Photograph the screen
Hardware
▪ Two or more forensic workstations with good processing power and RAM ▪ Specialized cables ▪ Write-blockers ▪ Drive duplicators ▪ Archive and restore devices ▪ Media sterilization systems ▪ Other equipment that allows forensic software tools to work ▪ Computer forensic hardware toolkits, such as Paraben's First Responder Bundle, DeepSpar Disk Imager, FRED forensic workstation, etc.
Obtaining Witness Signatures
When the case requires two witness signatures, the investigator must seek guidance to determine the second signatory. Whoever signs as a witness should have a clear understanding of their role and may have to provide a witness statement or attend court.
In computer forensics, what are opinions based on?
Opinions are based on a review of several artifacts, without certainty or proof, but rely on science and experience. E.g., you may determine when the software was installed, but it's an estimate, and you may have to explain how you arrived at that opinion.
ASCLD/LAB Recommends:
A certification track for digital forensics that integrates both the ISO/IEC 17025 standard and supplemental ASCLD/LAB requirements that apply specifically to lab operations.
Operating System Shutdown Procedure
Collect, or wait for the collection of, the volatile data from the systems, as the system deletes it after shutting down.
Acquiring the Data
Collecting qualitative and quantitative data as observations and measurements. Before acquiring the data, the investigator needs to ensure that their storage device is forensically clean and then initiate write protection to secure and protect the original evidence.
Pull the power cord from the back of the computer immediately if:
▪ Data is being overwritten or deleted ▪ Destructive processes are observed ▪ The computer screen shows a typical Microsoft Windows environment
Search and Seizure Process Flow
Investigators should design a strategic process to conduct the search and seizure activity. This will help them distribute tasks among the team members to complete the seizure.
Ensuring Quality Assurance
A documented Quality Assurance Manual and a Quality Manager who is responsible for all quality assurance related issues and developments.
Physical Security considerations
▪ Maintain a log register ▪ Provide visitors with passes ▪ Intrusion alarm system ▪ Closed-circuit cameras ▪ Shield workstations from transmitting electromagnetic signals ▪ TEMPEST labs use sheets of good metallic conductors such as copper lining ▪ Insulate power cables to prevent radiation
Dealing with Open Files and Startup Files
Malware creates files in the startup folders for Windows OSes and in the rc.local file for Linux OSes. ▪ Open any recently created documents from the startup or "system32" folder in Windows and the rc.local file in Linux, and document the date and time of the files ▪ Examine the open files for sensitive data such as passwords or images ▪ Search for unusual modified, accessed, or changed (MAC) times on vital folders and startup files ▪ Use the dir command for Windows or the ls command for Linux to locate the actual access times on those files and folders
What kind of document is the chain of custody?
A roadmap that shows how first responders and investigators collected, analyzed, and preserved the evidence. It shows the technology used and the methodology adopted in the forensic phases, and should list all the people involved in the collection and preservation of evidence and their actions, with a stamp for each activity.
Electronic Storage Device Search Warrant
A search warrant allows the investigating team to search and seize the victim's computer components. This includes the following: o Hardware o Software o Storage devices o Documents
Guidelines for Writing a Report
The report should be organized in a manner such that it gets progressively more complex, thus increasing its readability and allowing high-level executives to quickly grasp its essence.
Remember the following points while duplicating the data:
▪ Make a duplicate of the collected data in order to preserve the original ▪ The data should be duplicated bit-by-bit to represent the same original data ▪ Calculate the hash value of the original data and the forensic image generated and then check if there is a match in the result to verify its integrity ▪ Once a copy of the original data is made and verified, the investigator can use the copy for further processing ▪ Use industry-standard or licensed hardware or software tools to duplicate the data
The chain of custody form should identify the following:
▪ Sample collector ▪ Sample description, type, and number ▪ Sampling date and location ▪ Any custodians of the sample. The first responder needs to document each step taken while collecting the evidence, keeping detailed notes of the procedures performed on the evidence; the first responders clarify the source, date of recovery, method of recovery, and nature of the digital evidence.
shutdown procedures for Windows OS:
▪ Take a photograph of the screen ▪ Document any running programs ▪ Unplug the power cord from the wall socket
Aspects of a good investigation report include the following:
▪ It should provide a detailed explanation of the approach to the problem: the examination procedures, materials or equipment used, analytical or statistical techniques implemented, and the data collection sources ▪ It is better to record all the data and observations in a laboratory notebook. All the data presented in tabular form should be labeled properly ▪ It is advisable to include all calculations and algorithms done during the investigation, such as MD5 hashes, in a summarized form in the report, with a brief description of the standard tools used and cited sources ▪ It should provide a statement of uncertainty and error analysis during the observation ▪ It is necessary to state the limitations of knowledge to protect integrity ▪ The report should explain all the results in a logical order, using subheadings, tables, and figures, and be clear ▪ The results and conclusions should be discussed. Questions on how the case developed, what problems were faced, and how the solutions were approached should also be answered ▪ It should list all the references in alphabetical order to provide sufficient details of the information used in drafting the report. Any extra materials used in the report should be included as an appendix in the table of contents. A report can end with an acknowledgment section.
physical/structural design considerations
▪ Lab size (depends on budget and the type of cases to be handled) ▪ Access to essential services (there should be easy access to all essential services) ▪ Space for the work area and evidence storage (large enough for workstations and evidence) ▪ Heating, ventilation, and air-conditioning (high exchange of air to maintain freshness, with proper cooling)
Points to consider while documenting the electronic crime scene are as follows:
▪ Note down the site and state of computers, digital storage media, and other electronic devices ▪ Document the physical crime scene, noting the position of the system ▪ Document details of any related, difficult-to-find electronic components ▪ Record the state of the computer system, digital storage media, and electronic devices ▪ Take a photograph of the computer monitor's screen and note down what you see
Understand the Investigation Phase
The investigation phase includes various stages and processes that need careful and systematic execution to obtain better results. Each step in this phase is equally crucial for the acceptance of the evidence in a court of law and the prosecution of the perpetrators.
steps to ensure quality assurance in forensic lab operations:
1. Arrange formal, documented trainings 2. Validate equipment and document it 3. Conduct annual proficiency test for investigators 4. Follow appropriate standards and/or controls in casework 5. Have policies and procedures in place for effective forensic investigations 6. Attain ASCLD/LAB accreditation and/or ISO/IEC 17025 accreditation 7. Perform quality audits and quality management system review 8. Ensure physical plant security 9. Assure health and safety 10. Review, update, and document policy and standards annually
Securing and Evaluating the Crime Scene: A Checklist
1. Follow the standard procedures and policies of the legal authority for securing the crime scene 2. Ensure that the scene is safe for the responders 3. Isolate other persons who are present at the scene 4. Locate and help the victim 5. Do not allow any individual to access the scene or electronic devices 6. Establish a security perimeter to see if the offenders are still present at the crime scene area 7. Protect perishable data (e.g., pagers and caller ID boxes) physically and electronically 8. Transmit additional flash messages to other responding units 9. Request additional help at the scene if needed
Following are the points to consider while photographing and sketching the crime scene:
1. On arrival, the first step taken by the forensics team should be to photograph the scene 2. Photographs should be taken in a way that will not alter or damage the scene, and everything should be clearly visible 3. Take multiple photographs so that the entire crime scene is depicted 4. It is important to proceed all the way from the entire crime scene down to the smallest piece of evidence 5. Photos should also be taken of the back of the computer system to accurately show how cables are linked 6. If this cannot be done on-site, then all cables must be labeled so that the computer system can be reconnected at the forensics laboratory and photographed 7. After photographing the scene, the forensics team should prepare sketches of the scene that record minute details about the objects present and their locations
Initial Search of the Scene
1. Survey the crime scene to recognize potential sources of evidence 2. Protect physical evidence or hidden fingerprints that may be found on keyboards, mice, and other equipment 3. Find telephone lines that are connected to devices such as modems and caller ID boxes 4. Observe the current situation at the scene and record observations 5. Maintain a search and seizure evidence log to document the details
How long are warrants valid for?
10 days
Understanding the hardware and software
A sophisticated investigation toolkit that includes both hardware and software can reduce the incident impact
Exhibit Numbering: aaa/ddmmyy/nnnn/zz
▪ aaa - forensic investigator's initials ▪ ddmmyy - date of seizure ▪ nnnn - sequential number of exhibits seized, starting with 001 ▪ zz - sequential number for parts of the same exhibit
Forensic licensing
ASCLD/LAB accreditation and ISO/IEC 17025 accreditation
Court's Expert:
Advises the court on technical issues that the court fails to comprehend
Transporting and Storing Evidence
▪ Avoid turning the computer upside down or putting it on its side during transportation ▪ Keep the electronic evidence collected from the crime scene away from magnetic sources such as radio transmitters, speaker magnets, and heated seats ▪ Store the evidence in a safe area, away from extreme heat, cold, or moisture ▪ Avoid storing electronic evidence in vehicles for a long period of time ▪ Maintain the proper chain of custody on the evidence that is to be transported ▪ Ensure that wireless or portable devices do not connect to networks by storing them in signal-blocking containers
General Ethics while Testifying
Be professional, polite, and sincere to any attorney or the court ▪ Have an open physical and psychological attitude toward the jurors ▪ Maintain a balanced stance ▪ Be aware of and prepared for any possible rebuttal questions, especially from the opposing counsel ▪ Always be enthusiastic while giving testimony ▪ Keep the jury interested in the testimony, and do not sound monotonous and dull ▪ Avoid leaning; maintain self-confidence and create personal space with a winning professional style in the courtroom ▪ Show an interest in explaining procedures, listening, and communicating objectivity
The chain of custody document contains all the information about the obtained evidence. This includes the following:
▪ Case number: a unique number allocated by the forensics laboratory or agency to the crime case ▪ Name and title of the person from whom the evidence was received: information about the individual releasing or forwarding the evidence item to inquiry personnel ▪ Address and telephone number: the complete address and telephone number of the individuals who handled the electronic evidence ▪ Location of the evidence: the physical location of the evidence during its extraction or acquisition ▪ Date/time of evidence: the date and time of acquiring the evidence ▪ Reason and process of obtaining the evidence: why the first responders obtained the evidence item and the process they followed for acquiring it ▪ Item number/quantity/description of items: complete information about the obtained evidence, such as the following: o Name of the evidence o Color o Manufacturing company name o Marking information o Packaging information
Case analysis might help the investigators in determining future actions, such as the following:
Check if there is a possibility of following other investigative methods, such as identifying storage devices, checking social media sites, emails, and logs, and getting information from the ISP.
Dealing with Smartphones or Other Handheld Devices: Do not turn the device ON if it is OFF
o Collect and label the power cables and package the device o Collect information on whether any security feature is enabled on the device, such as pass patterns, passwords, or biometrics o Look for any computing systems that may contain device backups o Tag the evidence o Note all important details of the seized item in the search and seizure evidence log o Document the chain of custody
Tool testing procedures must follow certain standards and policies:
NIST's Computer Forensic Tool Testing (CFTT) Project, which establishes a "methodology for testing computer forensic software tools".
Do not disconnect the power if:
o Data of evidential value is visible on the computer display o There are active programs or files in use, such as chatrooms, open text files, financial documents, instant messages, etc. ▪ Photograph and thoroughly document all on-screen information ▪ Perform the volatile data collection and preservation process ▪ After collecting volatile data
Packaging Evidence
Ensure the gathered electronic evidence is correctly documented, labeled, and listed before packaging ▪ Pay special attention to hidden or trace evidence, and take necessary actions to safeguard it ▪ Pack magnetic media in antistatic packaging ▪ Do not use materials such as plastic bags for packaging because they may produce static electricity ▪ Avoid folding and scratching storage devices such as diskettes, DVDs, and tapes ▪ Make sure that all containers that contain evidence are labeled in the appropriate way ▪ Use antishock packing
6. Transporting Electronic Evidence
Ensuring proper handling and transportation to the forensics laboratory o Having a strict chain of custody to keep track of all the forensics processes applied
Building the Investigation Team
▪ Identify team members and assign responsibilities ▪ Appoint a technical lead ▪ Keep the investigation team small
Dealing with Powered-Off Computers
If the computer is switched off, leave it OFF ▪ Disassemble and package it by doing the following things: o Remove the power supply cord from the back of the computer and from the wall outlet, or battery backup device and secure it o Disconnect all wires and cables from the computer and secure them o Check for any removable media and secure them if present o Tag the evidence clearly and note all important details in the search and seizure evidence log o Document the chain of custody
If smartphone or handheld device is ON, then do the following:
Keep the device charged as evidence might be lost if the device is turned OFF
If a monitor is switched ON and the display is blank:
▪ Move the mouse slightly ▪ If the screen does not change on moving the mouse slightly, do not press any keys ▪ Photograph the screen
Tools to Obtain Information from Different Common Social Media Websites
Netvizz, twecoll, divud, Digitalfootprints, Netlytic, X1 Social Discovery, Facebook Forensic Software, H&A forensics, Geo360, Navigator by LifeRaft Social, and Emotive
First Response by Non-forensics Staff
Non-forensics staff are responsible for protecting the crime scene and ensuring that it remains in a secure state until the forensics team advises otherwise. They should make notes and take photographs of the scene
Software
OSes ▪ Data discovery tools ▪ Password-cracking tools ▪ Acquisition tools ▪ Data analyzers ▪ Data recovery tools ▪ File viewers (Image and graphics) ▪ File type conversion tools ▪ Security and Utilities software ▪ Computer forensic software tools such as Wireshark, Cain and Abel, Access Data's FTK etc.
Consulting Expert:
Offers technical explanations for a complex situation during court trials
Location of Social Networking Information
Often, social media websites create footprints in RAM, browser cache, page files, unallocated clusters, and system restore point of a computer ▪ Portable devices such as smartphones also contain important social networking information in the apps
Testifying Expert:
Presents testimony whenever required during the trial
Shutdown procedures for Linux OS:
Right click on the desktop and select the "Console" option ▪ If root user's prompt is set to #sign mode, o Enter the password if available and type sync;sync;halt to shut down the system o If password is not available, unplug the power cord from the wall socket ▪ If it is set to console #sign mode, o Enter the user's ID and press Enter on the keyboard o If the user ID is root, type sync;sync;halt to shut down the system o If user's ID is not root, unplug the power cord from the wall socket
How can reports create trustworthiness for the reader with regard to digital evidence?
Safety measures should be ensured for digital evidence by creating and recording their MD5 hashes. Such a measure can ensure data integrity and win the confidence of the audience.
Social Media User Location:
Social networking sites have a geo-tagging or location update feature where the users can mention their precise location at a certain time
Collecting Evidence from Social Networks
The information gathered from social media might help a forensic investigator to build a timeline of the attack.
Determining the Location for Evidence Examination
The time required to recover the onsite evidence ▪ Logistic and workforce concerns related to long-term deployment ▪ The business impact of a time-consuming search ▪ Any equipment, resources, and media suitable for an onsite examination
Social Media Interaction pattern:
This covers how the user interacts with others through messages, and the interaction frequency
social media apps:
This includes the apps used by the user, their purpose, and the information that can be inferred in the social context
Social Media Interconnection pattern:
This includes user data such as the user's friend list, chat messages, and group chats, which helps the investigator determine the user's friends, groups, connections added, etc.
social media communication pattern
This covers the network used for communicating, the method of communication, and with whom the user has communicated
social media Times of Activity:
This is the time when the user has connected to the social network and the exact time a specific activity of interest has taken place
Gathering Data from Social Media
▪ Traditional forensic methods can be used to extract artifacts from the local web browser cache ▪ Passive sniffing on the network can be used (not possible if data on the communication layer is encrypted using HTTPS) ▪ Active attacks like sniffing can be used on unencrypted Wi-Fi networks or in combination with address resolution protocol spoofing on LANs ▪ The social network APIs can be used to acquire data, which extends the data available through the web interface ▪ The easiest way to obtain data is to request the victim's login credentials to start with the investigation
Dealing with Networked Computers
Unplug the network cable from the router and modem because the Internet connection can make it vulnerable to further attacks ▪ Photograph all the devices connected to the victim's computer, especially the router and modem, and take photographs of the computer from different angles ▪ If any devices are present in the surrounding area such as a printer or scanner take photographs of those devices ▪ If the computer is turned OFF, leave it in that state and follow the procedure of disassembling and packaging it ▪ If it is ON, photograph the screen and follow the steps for powered-on computers ▪ Unplug all cords and devices connected to the computer and label them for identification ▪ Unplug the main power cord from the wall socket ▪ Pack the collected electronic evidence properly and place it in a static-free bag ▪ Keep the collected evidence away from magnets, high temperature, radio transmitters, and other elements that may damage the integrity of the evidence ▪ Document all the steps that are involved in seizing the computer in the search and seizure log for later investigation
The practices that ensure the best outcome from the forensic tools include the following:
Validate every hardware or software tool prior to using them on an actual case to ensure they work correctly, are trustworthy, and yield precise results ▪ All the software tools (ranging from the operating systems to applications) in the forensic laboratory must have licensed versions and be legal to use ▪ Updating tools to their latest version, testing them for functionality, and validating them are mandatory and should be an ongoing process ▪ Hardware instruments must be in working condition and maintained properly ▪ Investigators need to document the test methodology, results, and theory of the test design while testing the tools ▪ Investigators should maintain, audit, document, and demonstrate license compliance into the laboratory standard operating procedure in an integrated manner
First Response by System/Network Administrators
The admin is responsible for the monitoring and maintenance of the system as well as the network, and these activities can become the basis for the investigation during the forensic evaluation and administrative actions.
Service Provider Search Warrant
Allows first responders or investigators to consult the service provider and obtain the available information on the victim's computer, such as: ▪ Service records ▪ Billing records ▪ Subscriber information
Computer Forensics Investigation Methodology - Documenting the Electronic Crime Scene
1. Documenting the electronic crime scene 2. Search and seizure 3. Evidence preservation 4. Data acquisition 5. Data analysis 6. Case analysis 7. Reporting 8. Testifying as an expert witness
Photographing and Sketching the Scene
The images will also help the investigators recreate the scene when required. Along with photographs, the investigating team should also make multiple sketches of the scene in order to convey the measurement relationship between the crime scene and the evidence found. The sketch explains the data in the documented photos and videos. It also portrays the positions of the camera as well as the photographer.
4. Identifying and Collecting Electronic Evidence
o Initial search of the scene o Securing and evaluating the crime scene o Seizing evidence o Dealing with powered-OFF/ON devices
Seizing Evidence at the Crime Scene
The investigating team needs to collect all the electronic devices or any other media found at the crime scene. They also need to seize storage devices such as hard drives and memory cards, handheld devices, and peripheral devices, all of which could hold valuable evidence such as Internet browsing history, emails, image files, and financial records.
Collecting Incident Information
Investigators should gather the following information about the victim devices and connected systems while adhering to departmental policies: ▪ Legal holders and/or users of any electronic devices present at the crime scene ▪ Webmail and social networking website account information ▪ Usernames ▪ Internet service providers ▪ Passwords required to access resources such as the system, software, and data ▪ Purpose of using the system ▪ Automatic applications in use ▪ Documents explaining the hardware or software installed on the system ▪ Any off-site data storage ▪ Unique security schemes or destructive devices
2. Collecting Incident Information
This involves the following: o Asking questions o Conducting individual interviews
Understand the Post-investigation Phase
This involves the reporting and documentation of all the actions undertaken and the findings during the course of an investigation, and the procedure of testifying as an expert witness in court.
Setting up a computer forensics lab
A designated location for computer-based investigation of collected evidence to solve a case and find the culprit
Forensics Investigation Report Template
A set of predefined styles allowing investigators to add different sections of a report, such as the case number, names and social security numbers of the authors, objectives of the investigation, details of the incident, executive summary, investigation process, list of findings, and tools used.
What is evidence reconstruction?
It's when you use the evidence to create a timeline of what happened and how it could have happened. This can help lead investigators to missing links, or help figure out what those missing links are.
In computer forensics, conclusions are made based on?
Judgement based on facts, e.g., installed software is confirmed by identifying artifacts found during the investigation.
Human Resources considerations:
key job roles include lab cybercrime investigator, lab director, forensic technician, and forensic analyst
Obtaining Warrant for Search and Seizure
An order issued by a judge that includes the particulars of the objects and devices that the investigating team wants to search and seize. It can cover: ▪ The entire company or part of the company's property ▪ Floor ▪ Room ▪ Car or any device ▪ House
other people involved in investigations:
photographer, incident responder, incident analyzer, evidence examiner/investigator, evidence documenter, evidence manager, expert witness, attorney
1. Documenting the Electronic Crime Scene
photographing and sketching the scene
Pre-investigation Phase in CF
planning the process, defining the mission goals, getting approval from relevant authority
Computer Forensics Investigation Methodology - Testifying as an Expert Witness
An expert witness refers to an individual who has gained vast knowledge about a subject, surpassing an average person by virtue of education, profession, or experience.
Understand First Response
First response refers to the first action performed after the occurrence of a security incident. It helps in the identification of victim systems and individuals.
First Response Basics
A first responder refers to the person who arrives at the crime scene first to assess it and alert the management and incident response teams. The first responder is responsible for protecting and securing the crime scene. Qualified forensic analysts attempt to collect or recover data from any computer system or device that holds electronic information.
Seeking Consent
Seeking consent refers to the process of obtaining formal permission from the owner of the victim organization, or an individual owning the target electronic device, to perform a thorough investigation.
Importance of the Forensic investigation Process
A repeatable and well-documented set of steps, such that every iteration of the analysis yields the same findings
Work area considerations:
The requirements of forensics workstations vary according to the types and complexity of cases and processes handled in the lab; ISPN, emergency power, and protection for all equipment
Testifying in the Court
The investigator should gather sufficient information on standard procedures during a trial and must never query their attorney in this regard
Documenting the Electronic Crime Scene
Documentation should include the location of the crime, status of the system, connected network devices, storage media, smartphones, mobile phones, PDAs, Internet, and network access. Documenting also includes taking photographs, videos, notes, and sketches of the scene in order to recreate it later. The investigator needs to document the processes and activities running on the display screens.
Original Evidence Should NEVER Be Used for Analysis
Investigators should make copies of the evidence and work on the copies, to avoid damage to the original data in case of accidents or mishaps
Chain of Custody
The documented and unbroken transfer of evidence; a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory.
Case analysis phase of the investigation
The investigator assesses the impact of the incident on the organization, the reasons and source of the incident, the steps required to tackle the incident, the investigating team required to handle the case, the investigative procedures, and the possible outcome of the forensic process
The social footprint:
The mark a person makes when he or she occupies digital space
3. Planning for Search and Seizure
obtaining the proper authorization and guidelines before beginning the investigation. This stage involves the following: o Seeking consent o Obtaining witness signatures o Obtaining a warrant for search and seizure
Preserving Evidence
whenever evidence changes hands, both the sender and the receiver record the date and time of the transfer in the chain of custody record. Preservation relies on: ▪ A project logbook to record observations related to the evidence ▪ A tag to uniquely identify each item of evidence ▪ A chain of custody record
5. Packaging Electronic Evidence
the staff must document and list all evidence, and all containers should be properly labeled, filling in the panel on the front of each evidence bag with the required details
What kind of information can be gathered when a system administrator is present at the time of interviews?
the team gathers important information such as the number of systems involved, persons associated with a particular account, and the relevant passwords.
Conducting Preliminary Interviews
the team should conduct interviews in the presence of a witness, interview individuals separately, and identify all personnel (witnesses and others) present at the crime scene, noting each person's position at the time of entry and their reason for being there.
Validating Laboratory Software and Hardware
the tools used need to undergo validity testing to ensure that the results they produce are reproducible and repeatable
what are the planning and budgeting considerations:
types of investigations (criminal, civil, corporate); number of investigators/examiners (depends on the caseload); equipment requirements (forensic and non-forensic workstations for investigative purposes, a locker large enough for the equipment); software requirements (licensed versions of the required tools)
What Makes a Good Expert Witness?
well prepared, a good observer, and showing the following non-verbal characteristics: ▪ Self-confidence ▪ Politeness ▪ Sincerity ▪ Preparedness ▪ Awareness. The witness should also clearly repeat important details and descriptions for the jury.
Searches Without a Warrant
permitted when the delay in obtaining a warrant could lead to the destruction or manipulation of evidence and hamper the investigation, or when a person with authority over the premises or device has consented
Duplicating the Data (Imaging)
the data is duplicated because examining the original evidence directly can alter it, making it no longer useful to the case. Data duplication is the bit-by-bit copying of the original data using a software or hardware tool. The duplicate must be an exact replica of the original evidence, which is verified by comparing a hash of the image with a hash of the source.
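The following script is an added example written for these notes; it is not CHFI material. It ties together the two procedures above: bit-for-bit imaging with hash verification (Duplicating the Data) and logging the hand-off of the resulting exhibit in a chain of custody record (Preserving Evidence). The "device" is a constructed 32 KiB file; all paths, exhibit numbers and handler names are hypothetical, and the tab-separated log format is one chosen for the example.

```sh
#!/bin/sh
# Added example for these notes, not CHFI's own material: image a source
# bit-for-bit with dd, prove the copy matches by hash, and log the hand-off
# in a chain-of-custody record. All paths, exhibit numbers and handler
# names are hypothetical; the "device" is a constructed file.

# sha256_of FILE: print the hex SHA-256 of FILE.
sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# make_sample DIR: construct a 32 KiB pseudo-device (8 x 4096-byte blocks).
# The size is a whole number of dd blocks on purpose: conv=sync pads a short
# final block with NULs, which would change the image hash.
make_sample() {
  dd if=/dev/urandom of="$1/source.bin" bs=4096 count=8 2>/dev/null || return 1
  printf '%s\n' "$1/source.bin"
}

# image_and_verify SRC DST: bit-for-bit copy SRC to DST, then compare hashes.
# Prints the verified hash on success; returns 1 (prints nothing) on mismatch.
image_and_verify() {
  src=$1; dst=$2
  # noerror: keep going past unreadable blocks; sync: pad them so offsets
  # in the image still line up with the source.
  dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null || return 1
  src_hash=$(sha256_of "$src")
  dst_hash=$(sha256_of "$dst")
  [ "$src_hash" = "$dst_hash" ] || return 1
  printf '%s\n' "$src_hash"
}

# coc_append LOG EXHIBIT HASH FROM TO: record one transfer as a tab-separated
# line: UTC timestamp, exhibit tag, hash, sender, receiver.
coc_append() {
  printf '%s\t%s\t%s\t%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" "$5" >> "$1"
}

# coc_verify LOG EXHIBIT FILE: succeed only if FILE still hashes to the value
# last recorded for EXHIBIT; fail on mismatch or if the exhibit is unknown.
coc_verify() {
  recorded=$(awk -F'\t' -v e="$2" '$2 == e { h = $3 } END { print h }' "$1")
  [ -n "$recorded" ] || return 1
  [ "$recorded" = "$(sha256_of "$3")" ]
}

# Demo run on the constructed sample in a temporary directory.
demo=$(mktemp -d)
demo_src=$(make_sample "$demo")
demo_hash=$(image_and_verify "$demo_src" "$demo/image.dd") || {
  echo "imaging failed: hashes differ"; exit 1; }
coc_append "$demo/coc.log" EX-001 "$demo_hash" first_responder lab_examiner
coc_verify "$demo/coc.log" EX-001 "$demo/image.dd" && echo "EX-001 verified $demo_hash"
cat "$demo/coc.log"
rm -rf "$demo"
```

In real work the source is a device node behind a hardware write blocker rather than a file, and the caveat in make_sample matters: conv=sync pads the last partial block, so pick a block size that divides the device size exactly (512 always does) or the image hash will never match the source hash. Dedicated imagers such as dc3dd compute and record the hashes during the copy, which removes the separate hashing pass; the chain of custody entry is still written by hand either way.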
Analyzing the Data ( for relevance) includes:
▪ Analyzing the file content for data usage ▪ Analyzing the date and time of file creation and modification ▪ Finding the users associated with file creation, access, and file modification ▪ Determining the physical storage location of the file ▪ Timeline generation ▪ Identifying the root cause of the incident
Evidence Bag Contents List The panel on the front of evidence bags must, at the very least, contain the following details:
▪ Date and time of seizure ▪ Incident responder who seized the evidence ▪ Exhibit number ▪ Where the evidence was seized from ▪ Details of the contents of the evidence bag ▪ Submitting agency and its address
The search and seizure plan should include the following details:
▪ Description, title, and location of the incident ▪ Applicable jurisdiction, relevant legislation and organizational policy ▪ Determining the extent of authority to search ▪ Creating a chain of custody document ▪ Details of equipment to be seized, such as structure type and size, location ▪ Search and seizure type (overt/covert) ▪ Approval from the local management ▪ Health and safety precautions
Following are the procedures for gathering and organizing the required documentation:
▪ Gather all notes from different phases of the investigation process ▪ Identify the facts to be included in the report for supporting the conclusions ▪ List all the evidence to submit with the report ▪ List the conclusions that need to be in the report ▪ Organize and classify the information gathered to create a concise and accurate report
Roles of an Expert Witness
▪ Investigate a specific case related to a specific field ▪ Evaluate the evidence and present it before the court of law ▪ Testify on matters related to the subject in court ▪ Assist the plaintiff's or defendant's lawyers to establish and weigh the facts, understand the complicated issues regarding evidence, and help in the preparation of the case ▪ Aid the attorney in finding the truth ▪ Be honest and reliable in expressing their opinion effectively, without being influenced by any third party ▪ Conduct investigations on behalf of the court and report the findings back to the court ▪ Participate in court as an appointed expert witness to study the incident in question ▪ Educate the jury, the court, and the individuals related to the case about the findings