MCS-Computer Forensic Investigation Procedure

Computer Forensic Investigation Procedure




Shukor Abd Razak

• Describe the basic steps in a computer forensics investigation
• Identify the legal and ethical issues affecting evidence search and seizure
• Identify the types of challenges to the admissibility of e-evidence
• Explain chain of custody


                                                      2
Computer forensics investigators are “detectives of the digital world.” This lecture introduces you to the generally accepted methods used in computer forensics; discusses how the process can be improved; discusses the challenges and ways to minimize them; and discusses some of the legal and ethical issues that arise during a computer forensic investigation.

                                                    3
• Computers are routinely used to plan and coordinate many types of crimes
• Computer activities leave e-evidence trails
  ◦ File-wiping software can be used to delete data
• Many e-evidence traces can be found by showing hidden files on a computer
• Hidden = encrypted, deleted, etc.


                                                        4
• Preservation
• Identification
• Extraction
• Interpretation
• Documentation

… of computer evidence so that it is acceptable in a Court of Law.

                                                  5
• Preserving evidence is critical in order to use the evidence in a legal defense or prosecution
• Scientific methods must be used in order to preserve the integrity of the evidence collected
• The original evidence should not be modified or damaged


                                                      6
• An image or a copy of the original evidence must be created
• The image or copy of the evidence must be compared with the original evidence to ensure its integrity

• What are the available methods to check the integrity of the original evidence?
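The usual answer to the question above is a cryptographic hash: the examiner hashes the original medium and the image, records both values, and re-hashes the image before and after every examination. The Python script below is an added illustration and is not part of the original slides. It stands in for a seized drive with a constructed temporary file, acquires an image of it, verifies the image by SHA-256, and shows that a single-byte change to the working copy is detected. The file names, the drive contents and the `demo` function are assumptions made for the example.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for a seized drive (not real evidence): a few KB of bytes.
SAMPLE_DRIVE_CONTENT = b"constructed sample sector data for the forensics example\n" * 256


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so images larger than RAM can be handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Acquire: make a byte-for-byte copy of the source, opening the source
    read-only. Returns (hash of source, hash of image) for the evidence log."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return sha256_of_file(source_path), sha256_of_file(image_path)


def verify_image(recorded_hash, image_path):
    """Authenticate: re-hash the image and compare it with the hash recorded at
    acquisition. A mismatch means the copy is no longer identical to the original."""
    return sha256_of_file(image_path) == recorded_hash


def demo():
    """Run the acquire/verify cycle on the constructed drive, then simulate an
    accidental write to the working copy. Returns
    (verified_after_acquisition, verified_after_modification)."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "seized_drive.bin")  # constructed name
        image = os.path.join(workdir, "seized_drive.img")   # constructed name
        with open(source, "wb") as f:
            f.write(SAMPLE_DRIVE_CONTENT)

        source_hash, image_hash = acquire_image(source, image)
        verified_after_acquisition = (source_hash == image_hash
                                      and verify_image(source_hash, image))

        # Simulate a tool writing to the working copy (for example a tool run
        # without a write-blocker): overwrite one byte at the start of the image.
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        verified_after_modification = verify_image(source_hash, image)
        return verified_after_acquisition, verified_after_modification
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    ok, still_ok = demo()
    print("image verified after acquisition:", ok)
    print("image verified after modification:", still_ok)
```

In practice the two hash values are written into the evidence log at acquisition time, and the image is re-verified each time it is checked out, so that any later change to the working copy can be shown not to have touched the original.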

                                                   7
• First and foremost is to identify the evidence and its location
• Evidence may be contained in hard disks, or in any other removable media such as memory cards, pen drives, etc.
• Forensic investigators must carefully observe the crime scene and identify possible digital evidence
• Can you think of any challenges in the identification of evidence?
                                                     8
• In what ways can the identification process be made easier? Discuss.




                                                  9
• Once identified, data need to be extracted from the evidence
• However, a computer forensic methodology needs to be followed (will be discussed later)
• It is not easy to locate information in evidence.
• Technical knowledge of how to use forensic tools and of how data is stored on media is very useful
                                                    10
• Once extracted, the data need to be analyzed and interpreted
• The analysis needs to be done so that any crime that occurred can be confirmed




                                                   11
• Proper documentation needs to be maintained throughout the investigation procedure.
• The documentation needs to be presented before the court of law
• The documentation comprises the chain of custody form and documents related to evidence analysis

                                               12
• Preservation, identification, extraction, interpretation and documentation
• … do you think the order of the process is crucial?
• What is your opinion on this?




                                                      13
• Consistent with other scientific research, a computer forensics investigation is a process
• The Methodology
  ◦ Acquire
  ◦ Authenticate
  ◦ Analyze




                                                    14
• Acquire
• Authenticate
• Analyze

• Which of these processes are involved in the aforementioned methodologies?
  ▪ Preservation, identification, extraction, interpretation, and documentation


                                                                15
• Goal of an investigation: collect evidence using accepted methods so that the evidence is accepted in the courtroom and admitted as evidence in the trial
• The judge’s acceptance of evidence is called admission of evidence



                                                   16
• Evidence admissibility requires legal search and seizure and chain of custody
• Chain of custody must include:
  ◦ Where the evidence was stored
  ◦ Who had access to the evidence
  ◦ What was done to the evidence
• In some cases, it may be more important to protect operations than to obtain admissible evidence – any idea?
                                                   17
• Digital profiling of crime suspects
  ◦ E-evidence can supply patterns of behavior or imply motives
  ◦ Evidence can include information stored on computers, e-mail, cell phone data, and wiretaps

  ◦ Can anyone relate this to fb/ms?



                                                         18
Criminal                              Type of Crime   Type of E-Evidence
Dennis Rader
Lee Boyd Malvo, John Allen Muhammad
Lisa Montgomery

                                                      (Continued)



                                                                    19
Criminal               Type of Crime   Type of E-Evidence
David A. Westerfield
Scott Peterson
Alejandro Avila
Zacarias Moussaoui




                                                            20
• Criminal trials may be preceded by a suppression hearing
  ◦ This hearing determines the admissibility or suppression of evidence
  ◦ The judge determines whether ethical investigation procedures have been followed in the search and seizure of evidence.
• The success of any investigation depends on proper and ethical investigative procedures
                                                       21
• Investigators generally need a search warrant to search and seize evidence
• A law officer must prepare an affidavit that describes the basis for probable cause—a reasonable belief that a person has committed a crime
• A search warrant gives an officer only a limited right to violate a citizen’s privacy

                                                     22
• Two reasons a search can take place without a search warrant:
  ◦ The officer may search for and remove any weapons that the arrested person may use to escape or resist arrest
  ◦ The officer may seize evidence in order to prevent its destruction or concealment

• What about the admissibility of evidence here? What can you do to prove in court that nothing unethical was involved in the investigation?
                                                               23
• FBI agents attempted to get permission to search Moussaoui’s laptop, but permission was denied on the grounds that they had not proved probable cause
• The events of September 11 provided enough evidence for a search warrant, but by this time it was too late to access e-mail accounts that might have provided important data

                                                     24
• Handling of e-evidence must follow the three C’s of evidence: care, control, and chain of custody
• Chain of custody procedures
  ◦ Keep an evidence log that shows when evidence was received and seized, and where it is located
  ◦ Record dates if items are released to anyone
  ◦ Restrict access to evidence
  ◦ Place the original hard drive in an evidence locker
  ◦ Perform all forensics on a mirror-image copy, never on the original data

• Which process? Preservation? Extraction?
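The following Python example is added here and is not part of the original slides. It turns the chain of custody procedures above, and the three things slide 17 says the chain must record (where the evidence was stored, who had access, what was done), into a minimal evidence log, and adds a `chain_gaps` check for the two defects most often raised against such a log: a custodian who appears without a recorded transfer, and events logged out of time order. The item number, names, locations, timestamps and the placeholder hash are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEvent:
    timestamp: datetime   # when the event happened (UTC)
    action: str           # "seized", "transferred", "accessed", "stored", "released"
    custodian: str        # person holding the item after this event
    location: str         # where the item is after this event
    note: str = ""        # what was done to the evidence


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str            # hash recorded when the image was made
    events: list = field(default_factory=list)

    def log(self, when, action, custodian, location, note=""):
        """Append one entry to the evidence log."""
        self.events.append(CustodyEvent(when, action, custodian, location, note))


# Actions that legitimately change who holds the item.
HANDOFF_ACTIONS = {"seized", "transferred", "released"}


def chain_gaps(item):
    """Return a list of defects in the custody chain. A clean chain returns []."""
    problems = []
    for i in range(1, len(item.events)):
        prev, cur = item.events[i - 1], item.events[i]
        if cur.timestamp < prev.timestamp:
            problems.append(f"event {i}: timestamp precedes event {i - 1}")
        if cur.custodian != prev.custodian and cur.action not in HANDOFF_ACTIONS:
            problems.append(
                f"event {i}: custodian changed from {prev.custodian} to "
                f"{cur.custodian} without a recorded transfer")
    return problems


def build_sample_chain(omit_transfer=False):
    """Constructed example chain. With omit_transfer=True the examiner's
    access is logged without the transfer out of the locker, the classic gap."""

    def t(hour, minute):
        return datetime(2012, 3, 6, hour, minute, tzinfo=timezone.utc)  # constructed date

    item = EvidenceItem("EX-0001", "laptop hard drive, 500 GB",  # constructed
                        acquisition_hash="<sha256 placeholder>")
    item.log(t(9, 15), "seized", "Officer A", "crime scene, bag #12",
             "photographed in place, bagged and sealed")
    item.log(t(11, 0), "transferred", "Evidence clerk B", "evidence locker L-7",
             "seal intact on receipt")
    if not omit_transfer:
        item.log(t(13, 30), "transferred", "Examiner C", "forensics lab bench 2",
                 "checked out for imaging")
    item.log(t(14, 5), "accessed", "Examiner C", "forensics lab bench 2",
             "imaged via write-blocker; image hash matches acquisition hash")
    item.log(t(16, 45), "transferred", "Evidence clerk B", "evidence locker L-7",
             "original returned and resealed; analysis continues on the image only")
    return item


if __name__ == "__main__":
    print("clean chain:", chain_gaps(build_sample_chain()))
    print("chain with missing transfer:", chain_gaps(build_sample_chain(omit_transfer=True)))
```

Each entry answers one of the three questions a court asks of the chain: the location field says where the item was stored, the custodian field says who had access, and the note says what was done. The examiner's access entry also records that the work was done on the image and that its hash still matched, which is the documentary trace of "perform all forensics on a mirror-image copy".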
                                                                     25
• All reports of the investigation should be prepared with the understanding that they will be read by others
• The investigator should never comment on the guilt or innocence of a suspect or suspects or their affiliations
• Only the facts of the investigation should be presented; opinions should be avoided

                                                    26
• Investigate and/or review current computer and computer-mediated crimes
• Maintain objectivity when seizing and investigating computers, suspects, and support staff
• Conduct all forensics investigations consistently with generally accepted procedures and federal rules of evidence and discovery
• Keep a log of activities undertaken to stay current in the search, seizure, and processing of e-evidence



                                                                 27
• Computers and the Internet have contributed to traditional and computer crimes
• Effective forensic investigation requires any technology that tracks what was done, who did it, and when
• Images or exact copies of the digital media being investigated need to be examined by trained professionals

                                                    28
• There are several legal and ethical issues of evidence seizure, handling, and investigation
• Rules and laws regulate forensic investigations
• The need for e-evidence has led to a new area of criminal investigation, namely computer forensics
• This field is less than 15 years old

                                                    29
• Computer forensics depends on an understanding of technical and legal issues
• The greatest legal issue in computer forensics is the admissibility of evidence in criminal cases
• Computer forensics investigators identify, gather, extract, protect, preserve, and document computer and other e-evidence using acceptable methods

                                                      30
• Laws of search and seizure, as they relate to electronic equipment, must be followed
• Failure to follow proper legal procedure will result in evidence being ruled inadmissible in court




                                                     31

				
Posted: 3/6/2012. Language: English. Pages: 31.