
MCS-Computer Forensic Investigation Procedure

Computer Forensic

Shukor Abd Razak
• Describe the basic steps in a computer forensics investigation
• Identify the legal and ethical issues affecting evidence search and seizure
• Identify the types of challenges to the admissibility of e-evidence
• Explain chain of custody

Computer forensics investigators are “detectives of the digital world.” This lecture introduces you to the generally accepted methods used in computer forensics; discusses how the process can be improved; discusses challenges and ways to minimize them; and discusses some of the legal and ethical issues that arise during a computer forensic investigation.

• Computers are routinely used to plan and coordinate many types of crimes
• Computer activities leave e-evidence trails
  ◦ File-wiping software can be used to delete data
• Many e-evidence traces can be found by showing hidden files on a computer
• Hidden = encrypted, deleted, etc.

• Preservation
• Identification
• Extraction
• Interpretation
• Documentation

… of computer evidence so that it is acceptable in a Court of Law.

• Preserving evidence is critical in order to use the evidence in a legal defense or prosecution
• Scientific methods must be used in order to preserve the integrity of the evidence
• The original evidence should not be modified or damaged

• An image or a copy of the original evidence must be
• The image or copy of the evidence must be compared with the original evidence to ensure its integrity

• What are the available methods to check the integrity of the original evidence?

• First and foremost is to identify the evidence and its location
• Evidence may be contained in hard disks, or in any other removable media such as memory cards, pen drives, etc.
• Forensic investigators must carefully observe the crime scene and identify possible digital
• Can you think of any challenges in the identification of evidence?
• In what ways can the identification process be made easier? Discuss.

• Once identified, data needs to be extracted from the evidence
• However, a computer forensic methodology needs to be followed (will be discussed later)
• It is not easy to locate information in
• Technical knowledge of how to use forensic tools and how data is stored in media is very
• Once extracted, the data needs to be analyzed and interpreted
• The analysis needs to be done so that any crime that occurred can be confirmed

• Proper documentation needs to be maintained throughout the investigation
• The documentation needs to be presented before the court of law
• The documentation comprises the chain of custody form and documents related to evidence analysis

• Preservation, identification, extraction, interpretation and documentation
• … do you think the order of the process is crucial?
• What is your opinion on this?

• Consistent with other scientific research, a computer forensics investigation is a process
• The Methodology
  ◦ Acquire
  ◦ Authenticate
  ◦ Analyze

• Which of these processes are involved in the aforementioned methodology?
  ▪ Preservation, identification, extraction, interpretation, and documentation
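The question asked earlier (what methods are available to check the integrity of the original evidence against its image) and the Acquire and Authenticate steps above come down to the same mechanism: cryptographic hashes taken at acquisition and re-checked later. The following is an added example, not code from the lecture; it uses Python's standard hashlib, a constructed in-memory "medium" in place of a real drive read through a write blocker, and function names (acquire_image, verify_image, damaged_copy) that are my own.

```python
import hashlib
import io

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so a multi-gigabyte image never has to fit in memory


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Read a binary stream once and return {algorithm: hex digest} for every algorithm.
    Two digests are computed in the same pass because forensic reports conventionally record both."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data (an open file object would go to hash_stream)."""
    return hash_stream(io.BytesIO(data), algorithms)


def acquire_image(source):
    """Acquire: make a bit-for-bit copy of the source medium and record its digests at that moment.
    The recorded digests are what goes on the chain-of-custody form. A real acquisition reads the
    device sector by sector through a hardware write blocker; here the 'device' is a bytes object."""
    image = bytes(source)
    return image, hash_bytes(image)


def verify_image(original, image, recorded_hashes):
    """Authenticate: re-hash both the original and the image and compare them with the digests
    recorded at acquisition. Returns (ok, reason); reason names the first mismatch found."""
    if hash_bytes(original) != recorded_hashes:
        return False, "original medium no longer matches the digests recorded at acquisition"
    if hash_bytes(image) != recorded_hashes:
        return False, "image does not match the digests recorded at acquisition"
    return True, "original, image and recorded digests all agree"


def damaged_copy(image, offset):
    """Return a copy of the image with one bit flipped at `offset` (simulates a bad sector,
    careless handling, or alteration of the working copy)."""
    damaged = bytearray(image)
    damaged[offset] ^= 0x01
    return bytes(damaged)


# Constructed sample 'medium': a boot-sector-like header, padding, the 0x55AA signature and a file.
ORIGINAL_MEDIUM = (
    b"\xeb\x3c\x90MSWIN4.1" + b"\x00" * 501 + b"\x55\xaa"
    + b"notes.txt: sample file contents\n" + b"\x00" * 256
)


def demo():
    """Acquire an image, authenticate it, then show that a single flipped bit is detected.
    Returns (intact_ok, damaged_ok), i.e. (True, False)."""
    image, recorded = acquire_image(ORIGINAL_MEDIUM)
    intact_ok, _ = verify_image(ORIGINAL_MEDIUM, image, recorded)
    damaged_ok, _ = verify_image(ORIGINAL_MEDIUM, damaged_copy(image, 520), recorded)
    return intact_ok, damaged_ok


if __name__ == "__main__":
    image, recorded = acquire_image(ORIGINAL_MEDIUM)
    print("recorded at acquisition:", recorded)
    print("intact image:", verify_image(ORIGINAL_MEDIUM, image, recorded))
    print("damaged image:", verify_image(ORIGINAL_MEDIUM, damaged_copy(image, 520), recorded))
```

Two practical points the code makes explicit: the source medium is hashed before and after imaging, so a later mismatch tells you whether the original or the copy changed; and MD5 is kept only as a secondary, widely reported digest, since collisions for it are known and SHA-256 is the digest that actually carries the integrity claim.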

• Goal of an investigation: collect evidence using accepted methods so that the evidence is accepted in the courtroom and admitted as evidence in the trial
• Judge’s acceptance of evidence is called admission of evidence

• Evidence admissibility requires legal search and seizure and chain of custody
• Chain of custody must include:
  ◦ Where the evidence was stored
  ◦ Who had access to the evidence
  ◦ What was done to the evidence
• In some cases, it may be more important to protect operations than obtain admissible evidence – any idea?
• Digital profiling of crime suspects
  ◦ E-evidence can supply patterns of behavior or imply motives
  ◦ Evidence can include information stored on computers, e-mail, cell phone data, and wiretaps

  ◦ Can anyone relate this to fb/ms?

Criminal                              Type of Crime   Type of E-Evidence
Dennis Rader
Lee Boyd Malvo, John Allen Muhammad
Lisa Montgomery
David A. Westerfield
Scott Peterson
Alejandro Avila
Zacarias Moussaoui

• Criminal trials may be preceded by a suppression hearing
  ◦ This hearing determines admissibility or suppression of evidence
  ◦ The judge determines whether ethical investigation procedures have been followed in the search and seizure of evidence.
• The success of any investigation depends on proper and ethical investigative procedures
• Investigators generally need a search warrant to search and seize evidence
• A law officer must prepare an affidavit that describes the basis for probable cause—a reasonable belief that a person has committed a crime
• A search warrant gives an officer only a limited right to violate a citizen’s privacy

• Two reasons a search can take place without a search warrant:
  ◦ The officer may search for and remove any weapons that the arrested person may use to escape or resist
  ◦ The officer may seize evidence in order to prevent its destruction or concealment

• What about the admissibility of evidence here? What can you do to prove in court that nothing unethical was involved in the investigation?
• FBI agents attempted to get permission to search Moussaoui’s laptop, but permission was denied on the grounds that they had not proved probable cause
• Events on September 11 provided enough evidence for a search warrant, but by this time it was too late to access e-mail accounts that might have provided important data

• Handling of e-evidence must follow the three C’s of evidence: care, control, and chain of custody
• Chain of custody procedures
  ◦ Keep an evidence log that shows when evidence was received and seized, and where it is located
  ◦ Record dates if items are released to anyone
  ◦ Restrict access to evidence
  ◦ Place the original hard drive in an evidence locker
  ◦ Perform all forensics on a mirror-image copy, never on the original data
  ◦ Which process? Preservation? Extraction?
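The evidence log described above has to answer three questions for every item: where it was stored, who had access to it, and what was done to it. As an added example (not from the lecture), here is a minimal electronic evidence log in Python in which every entry also commits to the previous entry's digest, so that a later edit to any record, or the removal of one, is detectable. The CustodyEntry and CustodyLog names, the "HDD-01" tag, the people, places and timestamps are all constructed for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Tuple


@dataclass
class CustodyEntry:
    """One chain-of-custody record: who did what to which item, when and where."""
    timestamp: str        # when the action happened (ISO-8601, written by the custodian)
    item_id: str          # evidence tag on the bag or locker shelf
    action: str           # seized / received / imaged / stored / released
    custodian: str        # person who had the item at that moment
    location: str         # where the item was at that moment
    item_hash: str        # digest of the evidence image as recorded at that step ("" before imaging)
    prev_hash: str = ""   # digest of the previous entry: this is the link in the chain
    entry_hash: str = ""  # digest of this entry (all fields above), filled in by the log

    def compute_hash(self) -> str:
        fields = asdict(self)
        fields.pop("entry_hash")  # the digest covers every field except itself
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()


class CustodyLog:
    """Append-only evidence log in which every entry commits to the one before it."""
    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self.entries: List[CustodyEntry] = []

    def add(self, **fields) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(prev_hash=prev, **fields)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Recompute every entry and every link. Returns (ok, index of first bad entry or -1)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False, i
            prev = e.entry_hash
        return True, -1

    def custodians_of(self, item_id: str) -> List[str]:
        """Who has had the item, in order: one of the three things the chain must answer."""
        return [e.custodian for e in self.entries if e.item_id == item_id]


def build_sample_log() -> CustodyLog:
    """Constructed sample: one hard drive, HDD-01, from seizure to analysis on a copy."""
    img_hash = hashlib.sha256(b"constructed image of HDD-01").hexdigest()
    log = CustodyLog()
    log.add(timestamp="2024-03-04T09:12:00Z", item_id="HDD-01", action="seized",
            custodian="Officer A", location="search site, office desk", item_hash="")
    log.add(timestamp="2024-03-04T11:40:00Z", item_id="HDD-01", action="received",
            custodian="Evidence clerk B", location="evidence locker 7", item_hash="")
    log.add(timestamp="2024-03-05T08:05:00Z", item_id="HDD-01", action="imaged",
            custodian="Examiner C", location="forensic lab, write-blocked workstation", item_hash=img_hash)
    log.add(timestamp="2024-03-05T10:30:00Z", item_id="HDD-01", action="returned to locker",
            custodian="Evidence clerk B", location="evidence locker 7", item_hash=img_hash)
    return log


def tamper_demo() -> Tuple[Tuple[bool, int], Tuple[bool, int], Tuple[bool, int]]:
    """Show what verification reports (a) on the untouched log, (b) after the custodian field of
    entry 1 is edited, and (c) after that entry's own digest is also recomputed to hide the edit."""
    log = build_sample_log()
    untouched = log.verify()
    log.entries[1].custodian = "Someone else"
    edited = log.verify()                     # entry 1 no longer matches its own digest
    log.entries[1].entry_hash = log.entries[1].compute_hash()
    re_hashed = log.verify()                  # entry 2 now points at a digest that no longer exists
    return untouched, edited, re_hashed


if __name__ == "__main__":
    print(build_sample_log().custodians_of("HDD-01"))
    print(tamper_demo())
```

The chain only detects alteration if the latest entry_hash is recorded somewhere the log keeper cannot silently change, for example written on the signed paper chain-of-custody form or countersigned by a witness; otherwise the whole chain can be recomputed consistently. The signed form remains the record presented in court; the linked log is a check on the electronic copy, not a replacement for it.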
• All reports of the investigation should be prepared with the understanding that they will be read by others
• The investigator should never comment on the guilt or innocence of a suspect or suspects or their affiliations
• Only the facts of the investigation should be presented; opinions should be avoided

• Investigate and/or review current computer and computer-mediated crimes
• Maintain objectivity when seizing and investigating computers, suspects, and support staff
• Conduct all forensics investigations consistently with generally accepted procedures and federal rules of evidence and discovery
• Keep a log of activities undertaken to stay current in the search, seizure, and processing of e-evidence

• Computers and the Internet have contributed to traditional and computer crimes
• Effective forensic investigation requires any technology that tracks what was done, who did it, and when
• Images or exact copies of the digital media being investigated need to be examined by trained professionals

• There are several legal and ethical issues of evidence seizure, handling, and investigation
• Rules and laws regulate forensic
• The need for e-evidence has led to a new area of criminal investigation, namely computer
• This field is less than 15 years old

• Computer forensics depends on an understanding of technical and legal issues
• The greatest legal issue in computer forensics is the admissibility of evidence in criminal cases
• Computer forensics investigators identify, gather, extract, protect, preserve, and document computer and other e-evidence using acceptable methods

• Laws of search and seizure, as they relate to electronic equipment, must be followed
• Failure to follow proper legal procedure will result in evidence being ruled inadmissible in

