Computer Forensics
Principles and Practices

by Volonino, Anzaldua, and Godwin

Chapter 2: Computer Forensics and Digital Detective Work
Objectives

• Recognize the role e-evidence plays in physical, or violent, and computer crimes
• Describe the basic steps in a computer forensics investigation
• Identify the legal and ethical issues affecting evidence search and seizure
• Identify the types of challenges to the admissibility of e-evidence

© Pearson Education Computer Forensics: Principles and Practices   2
Objectives (Cont.)

• Understand how criminals’ motives can help in crime detection and investigation
• Explain chain of custody
• Explain why acceptable methods for computer forensics investigations and e-discovery are still emerging

Introduction

Computer forensics investigators are “detectives of the digital world.” This chapter introduces you to the generally accepted methods used in computer forensics; to computer architecture, the Internet, and digital devices; and to the types of evidence trails these leave behind.

E-Evidence Trails and Hidden Files

• Computers are routinely used to plan and coordinate many types of crimes
• Computer activities leave e-evidence trails
    - File-wiping software can be used to delete data
    - The file-wiping process takes time and expertise
• Many e-evidence traces can be found by showing hidden files on a computer

Knowing What to Look For

• Technical knowledge of how data and metadata are stored will determine what e-evidence is found
• For this reason, the technical knowledge of investigators must keep pace with evolving data storage devices

The Five Ws

• Answering the 5 Ws helps in criminal investigations:
    - Who
    - What
    - Where
    - When
    - Why

Preserving Evidence

• Preserving evidence is critical in order to use the evidence in a legal defense or prosecution
• Scientific methods must be used in order to preserve the integrity of the evidence collected

Computer Forensics Science

• Consistent with other scientific research, a computer forensics investigation is a process
• There are five stages to the process:
    - Intelligence
    - Hypothesis or Theory Formulation
    - Evidence Collection
    - Testing
    - Conclusion

Forensics Investigation Methods

• Methods used by investigators must achieve these objectives:
    - Protect the suspect system
    - Discover all files
    - Recover deleted files
    - Reveal contents of hidden files
    - Access protected or encrypted files
    - Use steganalysis to identify hidden data
    - Analyze data in unallocated and slack space
    - Print an analysis of the system
    - Provide an opinion of the system layout
    - Provide expert testimony or consultation

Admissibility of Evidence

• Goal of an investigation: collect evidence using accepted methods so that the evidence is accepted in the courtroom and admitted as evidence in the trial
• The judge’s acceptance of evidence is called admission of evidence

Admissibility of Evidence (Cont.)

• Evidence admissibility requires legal search and seizure and chain of custody
• Chain of custody must include:
    - Where the evidence was stored
    - Who had access to the evidence
    - What was done to the evidence
• In some cases, it may be more important to protect operations than to obtain admissible evidence
Unallocated Space and File Slack

• Unallocated space: space that is not currently used to store an active file but may have stored a file previously
• File slack: the space left over in the last sector a file occupies when the file does not fill that entire sector
• Unallocated space and slack space can contain important information for an investigator
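As an added illustration of the two definitions above (example code, not from the slides or the book), the following Python builds a constructed two-sector image and shows where file slack and unallocated sectors sit and what old data they can still hold; the sector size, offsets and sample contents are assumptions.

```python
from __future__ import annotations
import math

SECTOR_SIZE = 512  # assumed sector size; the slides define slack per sector

def slack_bounds(file_size: int, sector_size: int = SECTOR_SIZE) -> tuple[int, int]:
    """(start, end) offsets, relative to the file's first byte, of the slack that
    runs from the file's last byte to the end of the sector it ends in."""
    if file_size == 0:
        return (0, 0)
    end = math.ceil(file_size / sector_size) * sector_size
    return (file_size, end)

def extract_slack(image: bytes, file_offset: int, file_size: int,
                  sector_size: int = SECTOR_SIZE) -> bytes:
    """Bytes of the file's final sector that the active file does not use; the
    file system never rewrote them, so they may still hold an earlier file."""
    start, end = slack_bounds(file_size, sector_size)
    return image[file_offset + start:file_offset + end]

def unallocated_sectors(image_len: int, allocated: list[tuple[int, int]],
                        sector_size: int = SECTOR_SIZE) -> list[int]:
    """Sector numbers that no active file (given as (offset, size)) occupies."""
    used: set[int] = set()
    for offset, size in allocated:
        first = offset // sector_size
        last = (offset + max(size, 1) - 1) // sector_size
        used.update(range(first, last + 1))
    return [s for s in range(image_len // sector_size) if s not in used]

def build_sample_image() -> tuple[bytes, list[tuple[int, int]]]:
    """Constructed two-sector image (not a real disk). Sector 0 once held a
    full sector of an old file; a 100-byte file was later written over its
    start. Sector 1 held a file that was deleted, so it is now unallocated."""
    old = (b"OLD LEDGER: cash payment approved 2010-03-14. " * 12)[:SECTOR_SIZE]
    new = b"NEW FILE: quarterly newsletter draft".ljust(100, b" ")
    sector0 = new + old[len(new):]          # active file, then its slack
    sector1 = (b"DELETED: draft memo, second version. " * 14)[:SECTOR_SIZE]
    return sector0 + sector1, [(0, len(new))]
```

Running `extract_slack` on the sample recovers 412 bytes of the old ledger text behind the 100-byte active file, and `unallocated_sectors` reports sector 1, where the deleted memo still lies.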

Challenges to Evidence

• Criminal trials may be preceded by a suppression hearing
    - This hearing determines admissibility or suppression of evidence
    - The judge determines whether the Fourth Amendment has been followed in the search and seizure of evidence
• The success of any investigation depends on proper and ethical investigative procedures

Search Warrants

• Investigators generally need a search warrant to search for and seize evidence
• A law officer must prepare an affidavit that describes the basis for probable cause—a reasonable belief that a person has committed a crime
• A search warrant gives an officer only a limited right to violate a citizen’s privacy

Search Warrants (Cont.)

• Two reasons a search can take place without a search warrant:
    - The officer may search for and remove any weapons that the arrested person may use to escape or resist arrest
    - The officer may seize evidence in order to prevent its destruction or concealment

Chain of Custody Procedures

• Handling of e-evidence must follow the three C’s of evidence: care, control, and chain of custody
• Chain of custody procedures:
    - Keep an evidence log that shows when evidence was received and seized, and where it is located
    - Record dates if items are released to anyone
    - Restrict access to evidence
    - Place the original hard drive in an evidence locker
    - Perform all forensics on a mirror-image copy, never on the original data
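The evidence-log and mirror-image rules above, worked through as an added Python example (not from the slides or the book): each log entry records who, where, what and when, together with a hash of the item, so that a later change to the working copy is detectable while the original stays untouched. The item ids, handlers, locations, timestamps and drive contents are constructed.

```python
from __future__ import annotations
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class EvidenceLog:
    """Append-only record of where an item is, who handled it, what was done
    and when; every entry carries the item's hash at that moment."""
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, item_id: str, action: str, handler: str,
               location: str, data: bytes, when: datetime) -> dict:
        entry = {"item": item_id, "action": action, "handler": handler,
                 "location": location, "when": when.isoformat(),
                 "sha256": sha256_hex(data)}
        self.entries.append(entry)
        return entry

    def baseline_hash(self, item_id: str) -> str | None:
        """Hash recorded the first time the item entered the log."""
        for entry in self.entries:
            if entry["item"] == item_id:
                return entry["sha256"]
        return None

def verify_integrity(log: EvidenceLog, item_id: str, data: bytes) -> bool:
    """Does the item still hash to the value logged when it was first received?"""
    return log.baseline_hash(item_id) == sha256_hex(data)

def run_custody_example() -> tuple[bool, bool, int]:
    """Constructed scenario: seize a drive, log it, image it, analyze the image."""
    original = b"constructed drive contents: boot sector, FAT, user files ... " * 8
    log = EvidenceLog()
    t0 = datetime(2013, 6, 4, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    log.record("HDD-01", "seized", "Officer A", "suspect's office", original, t0)
    log.record("HDD-01", "stored", "Officer A", "evidence locker 3", original,
               t0.replace(hour=11))
    image = bytes(original)   # mirror-image copy; the original stays in the locker
    log.record("HDD-01-IMG", "imaged", "Examiner B", "lab workstation", image,
               t0.replace(hour=12))
    working = bytearray(image)
    working[:4] = b"XXXX"     # simulate a tool writing to the working copy by mistake
    image_ok = verify_integrity(log, "HDD-01-IMG", bytes(working))   # False: altered
    original_ok = verify_integrity(log, "HDD-01", original)          # True: untouched
    return original_ok, image_ok, len(log.entries)
```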

Report Procedures

• All reports of the investigation should be prepared with the understanding that they will be read by others
• The investigator should never comment on the guilt or innocence of a suspect or suspects or their affiliations
• Only the facts of the investigation should be presented; opinions should be avoided

Computer Forensics Investigator’s Responsibilities

• Investigate and/or review current computer and computer-mediated crimes
• Maintain objectivity when seizing and investigating computers, suspects, and support staff
• Conduct all forensics investigations consistently with generally accepted procedures and federal rules of evidence and discovery
• Keep a log of activities undertaken to stay current in the search, seizure, and processing of e-evidence

Summary

• Computers and the Internet have contributed to traditional and computer crimes
• Effective forensic investigation requires any technology that tracks what was done, who did it, and when
• Images or exact copies of the digital media being investigated need to be examined by trained professionals

Summary (Cont.)

• There are several legal and ethical issues of evidence seizure, handling, and investigation
• New federal rules and laws regulate forensic investigations
• The need for e-evidence has led to a new area of criminal investigation, namely computer forensics
• This field is less than 15 years old

Summary (Cont.)

• Computer forensics depends on an understanding of technical and legal issues
• The greatest legal issue in computer forensics is the admissibility of evidence in criminal cases
• Computer forensics investigators identify, gather, extract, protect, preserve, and document computer and other e-evidence using acceptable methods

Summary (Cont.)

• Laws of search and seizure, as they relate to electronic equipment, must be followed
• Failure to follow proper legal procedure will result in evidence being ruled inadmissible in court
