Pages: 31. Posted on: 3/6/2012
Computer Forensic Investigation Procedure
Shukor Abd Razak

Describe the basic steps in a computer forensics investigation
Identify the legal and ethical issues affecting evidence search and seizure
Identify the types of challenges to the admissibility of e-evidence
Explain chain of custody

Computer forensics investigators are “detectives of the digital world.” This lecture introduces you to the generally accepted methods used in computer forensics; discusses how the process can be improved; discusses challenges and ways to minimize them; and discusses some of the legal and ethical issues that arise during a computer forensic investigation.

Computers are routinely used to plan and coordinate many types of crimes
Computer activities leave e-evidence trails
File-wiping software can be used to delete data
Many e-evidence traces can be found by showing hidden files on a computer
Hidden = encrypted, deleted, etc.

Preservation, identification, extraction, interpretation, documentation … of computer evidence so that it is acceptable in a Court of Law.

Preserving evidence is critical in order to use the evidence in a legal defense or prosecution
Scientific methods must be used in order to preserve the integrity of the evidence collected
The original evidence should not be modified or damaged

An image or a copy of the original evidence must be created
The image or copy of the evidence must be compared with the original evidence to ensure its integrity
What are the available methods to check the integrity of the original evidence?

First and foremost is to identify evidence and its location
Evidence may be contained in hard disks, or in any other removable media such as memory cards, pen drives, etc.
Forensic investigators must carefully observe the crime scene and identify possible digital evidence
Can you think of any challenges in the identification of evidence?

In what ways can the identification process be made easier? (discuss)

Once identified, data needs to be extracted from the evidence
However, a computer forensic methodology needs to be followed (will be discussed later)
It is not easy to locate information in evidence. Technical knowledge of how to use forensic tools and of how data is stored on media is very useful

Once extracted, the data needs to be analyzed and interpreted
The analysis needs to be done so that any crime that occurred can be confirmed

Proper documentation needs to be maintained throughout the investigation procedure.
The documentation needs to be presented before the court of law
The documentation comprises the chain of custody form and documents related to evidence analysis

Preservation, identification, extraction, interpretation and documentation … do you think the order of the process is crucial? What is your opinion on this?

Consistent with other scientific research, a computer forensics investigation is a process
The Methodology: Acquire, Authenticate, Analyze

Acquire, Authenticate, Analyze
Which of these processes are involved in the aforementioned methodologies?
▪ Preservation, identification, extraction, interpretation, and documentation

Goal of an investigation: collect evidence using accepted methods so that the evidence is accepted in the courtroom and admitted as evidence in the trial
The judge’s acceptance of evidence is called admission of evidence

Evidence admissibility requires legal search and seizure and chain of custody
Chain of custody must include:
◦ Where the evidence was stored
◦ Who had access to the evidence
◦ What was done to the evidence
In some cases, it may be more important to protect operations than to obtain admissible evidence – any idea?

Digital profiling of crime suspects
E-evidence can supply patterns of behavior or imply motives
Evidence can include information stored on computers, e-mail, cell phone data, and wiretaps
Can anyone relate this to fb/ms?

Criminal | Type of Crime | Type of E-Evidence
Dennis Rader | |
Lee Boyd Malvo, John Allen Muhammad | |
Lisa Montgomery | |
(Continued)
David A. Westerfield | |
Scott Peterson | |
Alejandro Avila | |
Zacarias Moussaoui | |

Criminal trials may be preceded by a suppression hearing
This hearing determines admissibility or suppression of evidence
The judge determines whether ethical investigation procedures have been followed in the search and seizure of evidence.
The success of any investigation depends on proper and ethical investigative procedures

Investigators generally need a search warrant to search for and seize evidence
A law officer must prepare an affidavit that describes the basis for probable cause—a reasonable belief that a person has committed a crime
A search warrant gives an officer only a limited right to violate a citizen’s privacy

Two reasons a search can take place without a search warrant:
◦ The officer may search for and remove any weapons that the arrested person may use to escape or resist arrest
◦ The officer may seize evidence in order to prevent its destruction or concealment
What about the admissibility of evidence here? What can you do to prove in court that nothing unethical was involved in the investigation?

FBI agents attempted to get permission to search Moussaoui’s laptop, but permission was denied on the grounds that they had not proved probable cause
Events on September 11 provided enough evidence for a search warrant, but by this time it was too late to access e-mail accounts that might have provided important data

Handling of e-evidence must follow the three C’s of evidence: care, control, and chain of custody
Chain of custody procedures
◦ Keep an evidence log that shows when evidence was received and seized, and where it is located
◦ Record dates if items are released to anyone
◦ Restrict access to evidence
◦ Place the original hard drive in an evidence locker
◦ Perform all forensics on a mirror-image copy, never on the original data
◦ Which process? Preservation? Extraction?

All reports of the investigation should be prepared with the understanding that they will be read by others
The investigator should never comment on the guilt or innocence of a suspect or suspects or their affiliations
Only the facts of the investigation should be presented; opinions should be avoided

Investigate and/or review current computer and computer-mediated crimes
Maintain objectivity when seizing and investigating computers, suspects, and support staff
Conduct all forensics investigations consistently with generally accepted procedures and federal rules of evidence and discovery
Keep a log of activities undertaken to stay current in the search, seizure, and processing of e-evidence

Computers and the Internet have contributed to traditional and computer crimes
Effective forensic investigation requires any technology that tracks what was done, who did it, and when
Images or exact copies of the digital media being investigated need to be examined by trained professionals

There are several legal and ethical issues in evidence seizure, handling, and investigation
Rules and laws regulate forensic investigations
The need for e-evidence has led to a new area of criminal investigation, namely computer forensics
This field is less than 15 years old

Computer forensics depends on an understanding of technical and legal issues
The greatest legal issue in computer forensics is the admissibility of evidence in criminal cases
Computer forensics investigators identify, gather, extract, protect, preserve, and document computer and other e-evidence using acceptable methods

Laws of search and seizure, as they relate to electronic equipment, must be followed
Failure to follow proper legal procedure will result in evidence being ruled inadmissible in court
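The acquire, authenticate and document flow that the imaging slide and the chain-of-custody slide describe, as an added example that is not part of the original lecture: a SHA-256 digest serves as the integrity check the imaging slide asks about, and each custody-log entry carries the who, what, when and where the chain-of-custody slide lists. The media contents, examiner names and locker name are constructed placeholders.

```python
# Added example (not from the lecture): image a piece of media, prove the copy
# matches the original by hash, and keep a chain-of-custody log while doing so.
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a drive's contents; a real acquisition reads the device.
ORIGINAL_MEDIA = b"MBR\x00" + b"case-file.docx contents..." * 64


def sha256_hex(data: bytes) -> str:
    """Digest used to prove an image is identical to the original media."""
    return hashlib.sha256(data).hexdigest()


def log_entry(log: list, handler: str, action: str, digest: str,
              location: str = "evidence locker A") -> dict:
    """Chain-of-custody record: who handled it, what was done, when, where, and the hash."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "sha256": digest, "location": location}
    log.append(entry)
    return entry


def acquire_image(original: bytes, log: list, examiner: str) -> bytes:
    """Bit-for-bit copy; all later work happens on this copy, never on the original."""
    image = bytes(original)
    log_entry(log, examiner, "acquired mirror image", sha256_hex(original))
    return image


def authenticate(original_hash: str, image: bytes) -> bool:
    """Authenticate: the copy's digest must equal the digest taken of the original."""
    return sha256_hex(image) == original_hash


def verify_custody_log(log: list) -> bool:
    """Every entry in the chain must report the same digest as the first entry."""
    return bool(log) and all(e["sha256"] == log[0]["sha256"] for e in log)


def run_case():
    """Worked run: a faithful image authenticates; a copy with one changed byte does not."""
    log = []
    original_hash = sha256_hex(ORIGINAL_MEDIA)
    image = acquire_image(ORIGINAL_MEDIA, log, examiner="examiner-1")
    image_ok = authenticate(original_hash, image)
    tampered = image[:10] + b"X" + image[11:]          # single-byte change in a working copy
    tampered_ok = authenticate(original_hash, tampered)
    log_entry(log, "examiner-2", "analysis on image copy", sha256_hex(image))
    return image_ok, tampered_ok, verify_custody_log(log)


if __name__ == "__main__":
    print(run_case())  # (True, False, True)
```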