  • Internet: The new frontier is like the Wild West of old, populated with outlaws and snake oil salesmen, and therefore rife with hacking and fraud. Internet fraud does not require the level of expertise of virus/worm writing. The rapid rise of Internet commerce opens up many opportunities for fraud. Criminals who only preyed upon a small group of people before now have access to the entire world.
  • Fraudulent investment advice: Many writers are not legitimate and do not disclose their interest in the stocks they write about, a disclosure that is required by law. There are various methods of stock fraud; in a pump and dump (P&D), a perpetrator buys a large amount of an inexpensive stock. The person then pumps the stock by sending spam claiming that the company is about to be taken over, get a new patent, or make a new discovery, and that the stock will go through the roof. Naïve and uneducated investors buy the stock, driving the stock price up. When it reaches a high price, the perpetrator sells, or dumps, the stock, profiting from fraudulently manipulating the stock price.
  • Not all of these are easy to prosecute. If you engage in any auction trade, keep copies of any and all transactions, both hard and soft copies.
  • Individuals’ Social Security numbers are available online for a price, as are credit card numbers. With that information, you can create a separate identity, run up bills, buy homes, get a driver’s license, and commit crimes. For all of these offenses, the original innocent person can be prosecuted!!!
  • Many previously existing laws proscribing fraud and stalking have been redefined to focus on Internet crimes as well. ID theft is the subject of many state as well as federal laws, such as “The Identity Theft and Assumption Deterrence Act of 1998.” Many of these laws leave a lot to be desired.
  • Protecting against investment fraud: Only invest with well-known, reputable brokers. If it sounds too good to be true, then avoid it. Ask yourself why this person is informing you of this great investment deal. Remember, even legitimate investment involves risk, so never invest money that you cannot afford to lose.
  • Protecting against auction fraud: Only use reputable auction sites, such as eBay. If it sounds too good to be true, then avoid it. Some sites have buyer feedback about given sellers. Read the feedback and only work with reputable sellers. When possible, use a separate credit, not debit, card with a lower limit.
  • Protecting against identity theft: Do not provide personal information unless it is absolutely necessary – not your age, name, job, anything. Destroy documents that have personal or financial information on them. Check your credit frequently, at least twice a year. When signing up on the Internet for free e-mail accounts, mailing lists, or anything that requires personal information that is not required by law—LIE!! When you are through with your investment paperwork, bank statements, credit card bills, any bills, shred them in a cross-cut shredder. The practices listed in the text for privacy settings are good.
  • Discuss each element of the defensible approach to investigation.
  • Discuss the questions and considerations in collecting preliminary data.
  • Continue the discussion of the questions and considerations in collecting preliminary data.
  • Begin your discussion of the art of forensics and analyzing the data. This is where forensic science skills move to forensic art skills, or the skills relating to knowing how people use technology in order to understand how to find information.
  • Discuss the analysis of hidden data.
  • This information will allow you to begin to make a correlation between file and user. It does not establish that the suspect was actually the one sitting at the computer at the time of the crime or file creation/access/modification.
  • Discuss each element of evidence preservation.
  • Discuss the practices and objectives of acquiring and authenticating evidence.
  • Continue the discussion regarding the practices that should be followed in authenticating evidence and reporting it properly in a courtroom environment.
  • Explain each of the things that should be documented when acquiring and authenticating evidence.
  • Discuss the importance of imaging a drive with the proper software in order to make a valid forensic copy of the drive and preserve any evidence that might be found on the computer.
  • Explain what file slack is and its relationship to residual data, and why it is important. Mention the importance of being precise in the terminology used. (See the In Practice: Be Precise about Terminology in the chapter.)
  • Discuss the different data types that you might have to deal with when gathering evidence. You might mention the Smoot v. Comcast Cablevision case regarding just cause for dismissal of an employee based on instant message transcripts.
  • Discuss the In Practice activity regarding how companies should have policies in place that would help preserve e-evidence in case it is needed. There are some selected items mentioned as to what companies should do to prepare for collecting and reporting e-evidence.
  • Begin this discussion with the two general types of data files that should be reviewed: user/system data and artifacts.
  • Explain the different types of system data and artifacts that should be reviewed.
  • You may want to demonstrate how to modify the Windows settings to view the hidden files and folders.
  • Discuss some of the subfolders found in the user root folder. Explain what type of information is stored in each of your examples. There is a more comprehensive list in the book.
  • Have the students read the case in the book and discuss in groups and then as a class.
  • Discuss these additional places where valuable information can be retrieved. Discuss ways you can view the registry. Demonstrate where to find these places on the computer and how to access them.
  • Discuss these additional places where valuable information can be retrieved.
  • If you have some of the software available you might demonstrate it. At a minimum, provide examples. (BPS Data Shredder 2.0 is one example.)
  • Discuss how file signatures can locate files that have been renamed using different file extensions, or extensions that are not the same as the data in the file.
  • Explain steganography. Students will have the chance to use steganographic software in a project at the end of the chapter.
  • Explain how these could help identify the use of steganography.
  • Begin discussing e-mail as it is used in court, and introduce the two standard methods of sending e-mail.
  • Introduce the e-mail data flow.
  • Discuss each step in the process of sending e-mail.
  • Discuss each step in the process of receiving e-mail. Make sure students understand how different protocols (POP, IMAP) interact with the server to delete or store messages.
  • Explain the benefits of working with e-mail on a local computer.
  • You may want to mention the protocols that are used both in the client/server and webmail environments (e.g. SMTP, POP3, IMAP). See Table 8.2 for a comparison.
  • Gmail uses JavaScript and therefore may not leave any temporary files.
  • Discuss what should be included in the final report of the investigation. Begin by emphasizing the importance of documenting each step of the investigation, from start to finish.
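
The note above on file signatures says a renamed file can be located because its data header does not change with the extension. The following Python sketch is an added example, not part of the original slides: it compares each file's leading bytes with the type its extension claims. The signature table covers only a few well-known formats, and the sample files are constructed headers, not real images.

```python
import os
import tempfile

# Leading bytes ("file signatures") of a few common formats.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # also the container of .docx/.xlsx/.pptx
]

# File type that each extension claims to be.
EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
    ".pptx": "zip",
}


def sniff_type(path):
    """Return the type named by the file's header bytes, or None if unknown."""
    # Opened read-only; run this against a forensic copy, not the original.
    with open(path, "rb") as fh:
        header = fh.read(16)
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def classify(path):
    """Compare extension and header; return (status, claimed, actual)."""
    claimed = EXTENSION_TYPES.get(os.path.splitext(path)[1].lower())
    actual = sniff_type(path)
    if claimed is None and actual is None:
        status = "unknown"    # neither table has anything to compare
    elif claimed == actual:
        status = "match"
    else:
        status = "mismatch"   # renamed file, or expected header is absent
    return status, claimed, actual


def scan(root):
    """Walk root and list (relative path, claimed, actual) for each mismatch."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            status, claimed, actual = classify(full)
            if status == "mismatch":
                findings.append((os.path.relpath(full, root), claimed, actual))
    return findings


def build_sample_tree(root):
    """Write constructed sample files (headers only, not real documents)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 28
    samples = {
        "holiday.jpg": jpeg,                           # honest JPEG
        "budget.txt": jpeg,                            # JPEG renamed to .txt
        "report.pdf": b"PK\x03\x04" + b"\x00" * 28,    # ZIP renamed to .pdf
        "logo.gif": b"plain text, no image header",    # extension, no signature
        "readme.txt": b"plain text",                   # nothing to compare
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, claimed, actual in scan(tmp):
            print(f"{path}: extension says {claimed}, header says {actual}")
```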

    1. Computer Fraud
        • Kevin Thomas
        • Professor
        • St. Petersburg College
    2. Objectives
        • What is Computer Fraud?
        • The computer as a tool for fraud
        • Examine the latest threats, including identity theft, spam, phishing, pharming, and other online scams
        • Legal responses to computer fraud
        • The basics of computer forensics
    3. What is Computer Fraud?
        • Computer fraud is using the computer in some way to commit dishonesty by obtaining an advantage or causing loss of something of value.
        • This could take form in a number of ways, including program fraud, hacking, e-mail hoaxes, auction and retail sales schemes, investment schemes and people claiming to be experts on subject areas.
    4. The Rise of the Internet
        • Internet
            • The new “Wild West”
            • Populated with outlaws
            • Therefore, rife with hacking and fraud
                • Internet fraud does not require expertise of virus writing
                • The rapid rise of Internet commerce opens up opportunities for fraud
    5. “Advantages” of Computer Fraud
        • Fraudsters can:
            • Reach more people at less expense
            • Reach people around the world
            • Cover their tracks more effectively
            • Remain anonymous
            • Investigation and prosecution is more difficult
    6. Internet Fraud Examples
        • Hackers and Crackers
        • Malware (Malicious Software)
            • Traditional viruses, worms, Trojan horses
            • Logic bombs, backdoors, root kits
            • The latest threat: botnets and zombies
            • “Storm Worm” example
    7. Internet Fraud Examples (cont.)
        • Email abuses include:
        • Spam
        • Phishing
        • Email Spoofing
        • Others:
        • Vishing
        • Pharming
        • Key Logging
    8. Internet Fraud Examples (cont.)
        • Fraudulent investment offers via e-mail and web pages
            • Suggests you can make an outrageous amount of money with minimal investment
            • Electronic social engineering
            • Nigerian Fraud
    9. Internet Fraud Examples (cont.)
        • Fraudulent investment advice
            • Online newsletters recommend stock
            • Many writers are legitimate
            • Others are not
                • Pump and dump
    10. Internet Fraud (cont.)
        • Auction frauds
            • Four categories defined by the Federal Trade Commission (FTC)
                • Failure to send merchandise
                • Sending something of lesser value than advertised
                • Failure to deliver in a timely manner
                • Failure to disclose all relevant information about a product or terms of the sale
    11. Internet Fraud Examples (cont.)
        • Identity theft
            • One person takes on the identity of another for malicious purposes
            • Rapidly growing problem
            • DMV is online in most states
            • Court records online
    12. Laws Concerning Cyber Crime
        • Previously existing laws redefined to apply to Internet crimes
        • Access Device Fraud (18 U.S.C. 1029)
        • Computer Fraud and Abuse Act (18 U.S.C. 1030)
        • “The Identity Theft and Assumption Deterrence Act of 1998,” FTC
        • CAN-SPAM Act
    13. Protecting Yourself Against Cyber Crime
        • Protecting against investment fraud
            • Only invest with reputable brokers
            • If it sounds too good to be true, avoid it
            • Even legitimate investment involves risk, so never invest money you cannot afford to lose
    14. Protecting Yourself Against Cyber Crime (cont.)
        • Protecting against auction fraud
            • Only use reputable auction sites
            • If it sounds too good to be true, avoid it
            • Read seller feedback and only work with reputable sellers
            • Use a separate credit card with a low limit
    15. Protecting Yourself Against Cyber Crime (cont.)
        • Protecting against identity theft
            • Do not provide personal information
            • Destroy documents that have personal or financial information on them
            • Check your credit frequently
    16. Computer Forensics
        • Technological, systematic inspection of the computer system and its contents for evidence of a civil wrong or a criminal act.
        • More than just computers!
        • PDAs, network devices, cell phones, etc.
    17. Computer Forensic Life-Cycle
        • A defensible (objective, unbiased) approach is:
            • Performed in accordance with forensic science principles
            • Based on standard or current best practices
            • Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence
            • Conducted by individuals who are certified in the use of verified tools, if such certification exists
            • Documented thoroughly
    18. Collect Preliminary Data (Continued)
        • Question: What types of e-evidence am I looking for?
            • Consideration: Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or e-mail?
        • Question: What is the skill level of the user in question?
            • Consideration: The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.
        • Question: What kind of hardware is involved?
            • Consideration: Is it an IBM-compatible computer or a Macintosh computer?
    19. Collect Preliminary Data (Cont.)
        • Question: Do I need to preserve other types of evidence?
            • Consideration: Will you need to worry about fingerprints, DNA, or trace evidence?
        • Question: What is the computer environment like?
            • Consideration: Are you dealing with a network? If so, what are the physical/logical topology, OS, usernames and passwords?
        • Question: What kind of software is involved?
            • Consideration: To a large degree, the type of software you are working with determines how you extract and eventually read the information.
    20. The Art of Forensics: Analyzing the Data
        • File analysis investigations include:
            • File content
            • Metadata
            • Application files
            • Operating system file types
            • Directory/folder structure
            • Patterns
            • User configurations
    21. Analyzing the Data (Cont.)
        • Data-hiding analyses should include:
            • Password-protected files
                • Check the Internet for password-cracking software
                • Check with the software developer of the application
                • Contact a firm that specializes in cracking passwords
            • Compressed files
            • Encrypted files
            • Steganography
    22. Analyzing the Data (Cont.)
        • Time frame analysis should examine the following file attributes:
            • Creation date/time
            • Modified date/time
            • Accessed date/time
    23. Chain of Custody
        • Preserving the chain of custody for e-evidence requires proving that:
            • No information has been added, deleted, or altered in the copying process or during analysis
            • A complete copy was made and verified
            • A reliable copying process was used
            • All media were secured
            • All data that should have been copied have been copied
    24. Investigation Objectives and Chain of Custody Practices (Continued)
        • Investigation objective: Document the scene, evidence, activities, and findings
            • Chain of custody practice: Document everything that is done; keep detailed records and photographs, etc.
        • Investigation objective: Acquire the evidence
            • Chain of custody practice: Collect and preserve the original data, and create an exact copy
        • Investigation objective: Authenticate the copy
            • Chain of custody practice: Verify that the copy is identical to the original
    25. Investigation Objectives and Chain of Custody Practices (Cont.)
        • Investigation objective: Analyze and filter the evidence
            • Chain of custody practice: Perform the technical analysis while retaining its integrity
        • Investigation objective: Be objective and unbiased
            • Chain of custody practice: Ensure that the evaluation is fair and impartial to the person or people being investigated
        • Investigation objective: Present the evidence/evaluation in a legally acceptable manner
            • Chain of custody practice: Interpret and report the results correctly
    26. Document and Collect Data
        • Documentation needs to be precise and organized
        • Document each of the following:
            • Location, date, time, witnesses
            • System information, including manufacturer, serial number, model, and components
            • Status of the computer, such as whether it was running and what was connected to it
            • Physical evidence collected
    27. Create a Drive Image
        • Original data must be protected from any type of alteration
        • To protect original data, work from a forensic copy of the original drive or device
        • Ways to make forensic copies
            • Drive imaging or mirror imaging
            • Sector-by-sector or bit-stream imaging
    28. Residual Data
        • Residual data is data that has been deleted but not erased
        • Residual data may be found in unallocated storage or file slack space
        • File slack consists of:
            • RAM slack: area from the end of a file to the end of the sector
            • Drive slack: additional sectors needed to fill a cluster
    29. Identify Data Types
        • Active data
        • Deleted files
        • Hidden, encrypted, and password-protected files
        • Automatically stored data
        • E-mail and instant messages
        • Background information
    30. In Practice: Do Nothing Without Competence
        • Prosecutions may be jeopardized if untrained personnel compromise data by not following correct procedures
        • Companies should have a proper incident response plan and policies in place
    31. Investigating Windows Systems
        • Activities of the user result in user data
            • User profiles
            • Program files
            • Temporary files (temp files)
            • Special application-level files
    32. Investigating Windows Systems (Cont.)
        • System data and artifacts are generated by the operating system
            • Metadata
            • Windows system registry
            • Event logs or log files
            • Swap files
            • Printer spool
            • Recycle Bin
    33. Hidden Files
        • Files that do not appear by default are hidden files
        • These can be viewed through the following steps:
            • Open Windows Explorer
            • Go to Tools > Folder Options > View > Hidden files and folders
            • Select Show hidden files and folders
            • Click OK
    34. Finding User Data and Profiles in Windows Folders (Cont.)
        • Some of the subfolders in the user root folder include:
            • Application data (hidden)
            • Cookies
            • Desktop
            • Favorites
            • Local Settings (hidden)
            • My Documents
            • NetHood (hidden)
    35. In Practice: Searching for Evidence
        • Do not use the suspect system itself to carry out a search for evidence
        • Using Windows to search and open files can change the file’s metadata
        • Such changes may cause evidence to be disallowed in court
    36. Investigating System Artifacts (Cont.)
        • Registry
            • Can reveal current and past applications, as well as programs that start automatically at bootup
            • Viewing the registry requires a registry editor
        • Event logs track system events
            • Application log tracks application events
            • Security log shows logon attempts
            • System log tracks events such as driver failures
    37. Investigating System Artifacts (Cont.)
        • Swap file/page file
            • Used by the system as virtual memory
            • Can provide the investigator with a snapshot of volatile memory
        • Print spool
            • May contain enhanced metafiles of print jobs
        • Recycle Bin/Recycler
            • Stores files the user has deleted
    38. “Shredding” Data
        • Third-party software packages can be used to delete data and actually overwrite the information, essentially shredding the data
    39. Graphic File Forensics
        • The investigator can use file signatures to determine where data starts and ends and the file type
            • File extension (such as .jpg) is one way to identify a graphic file
            • A user can easily change the file extension, but the data header does not change
            • Forensic tools can resolve conflicts between file extensions and file types
    40. Graphic File Forensics (Cont.)
        • Steganography is a form of data hiding in which a message is hidden within another file
            • Data to be hidden is the carrier medium
            • The file in which the data is hidden is the steganographic medium
        • Both parties communicating via steganography must use the same stego application
    41. Graphic File Forensics (Cont.)
        • Steganography is difficult to detect; the following clues may indicate stego use
            • Technical capabilities or sophistication of the computer’s owner
            • Software clues on the computer
            • Other program files that indicate familiarity with data-hiding methods
            • Multimedia files
            • Type of crime being investigated
    42. Working with E-Mail
        • E-mail evidence typically used to corroborate or refute other testimony or evidence
        • Can be used by prosecutors or defense parties
        • Two standard methods to send and receive e-mail:
            • Client/server applications
            • Webmail
    43. Working with E-Mail (Cont.)
        • E-mail data flow
            • User has a client program such as Outlook or Eudora
            • Client program is configured to work with one or more servers
            • E-mails sent by client reside on PC
            • A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers
    44. Working with E-Mail (Cont.)
        • Sending E-Mail
            • User creates e-mail on her client
            • User issues send command
            • Client moves e-mail to Outbox
            • Server acknowledges client and authenticates e-mail account
            • Client sends e-mail to the server
            • Server sends e-mail to destination e-mail server
            • If the client cannot connect with the server, it keeps trying
    45. Working with E-Mail (Cont.)
        • Receiving E-Mail
            • User opens client and logs on
            • User issues receive command
            • Client contacts server
            • Server acknowledges, authenticates, and contacts mail box for the account
            • Mail downloaded to local computer
            • Messages placed in Inbox to be read
            • POP deletes messages from server; IMAP retains copy on server
    46. Working with E-Mail (Cont.)
        • Working with resident e-mail files
            • Users are able to work offline with e-mail
            • E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
            • Begin by identifying e-mail clients on system
            • You can also search by file extensions of common e-mail clients
    47. Working with Webmail
        • Webmail data flow
            • User opens a browser, logs in to the webmail interface
            • Webmail server has already placed mail in Inbox
            • User uses the compose function followed by the send function to create and send mail
            • Web client communicates behind the scenes to the webmail server to send the message
            • No e-mails are stored on the local PC; the webmail provider houses all e-mail
    48. Working with Webmail (Cont.)
        • Working with webmail files
            • Entails a bit more effort to locate files
            • Temporary files are a good place to start
            • Useful keywords for webmail programs include:
                • Yahoo! mail: ShowLetter, ShowFolder Compose, “Yahoo! Mail”
                • Hotmail: HoTMail, hmhome, getmsg, doattach, compose
                • Gmail: mail[#]
    49. Reporting on the Investigation
        • Last step is to finish documenting the investigation and prepare a report
        • Documentation should include information such as:
            • Notes taken during initial contact with the lead investigator
            • Any forms used to start the investigation
            • A copy of the search warrant
            • Documentation of the scene where the computer was located
            • Procedures used to acquire, extract, and analyze the evidence
    50. Questions?
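
The Residual Data slide defines RAM slack as the area from the end of a file to the end of its sector and drive slack as the remaining sectors of the cluster. The following Python sketch is an added example, not part of the original slides: it computes both ranges and carves them from a constructed cluster to show old data surviving in drive slack. The 512-byte sector, 8 sectors per cluster, contiguous allocation and zero-filled RAM slack are assumptions.

```python
import re

SECTOR_SIZE = 512          # assumed bytes per sector
SECTORS_PER_CLUSTER = 8    # assumed; gives 4096-byte clusters


def slack_layout(file_size, sector_size=SECTOR_SIZE,
                 sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Return (start, end) byte ranges of RAM slack and drive slack.

    Offsets are relative to the start of the file's allocated space,
    which is assumed to be contiguous.
    """
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    cluster_size = sector_size * sectors_per_cluster
    # Round the file size up to the next sector and cluster boundary.
    sector_end = -(-file_size // sector_size) * sector_size
    cluster_end = -(-file_size // cluster_size) * cluster_size
    return {
        "ram_slack": (file_size, sector_end),
        "drive_slack": (sector_end, cluster_end),
        "allocated": cluster_end,
    }


def carve_slack(allocation, file_size, **geometry):
    """Split the slack bytes out of a file's raw allocated clusters."""
    layout = slack_layout(file_size, **geometry)
    if len(allocation) < layout["allocated"]:
        raise ValueError("allocation is shorter than the file's clusters")
    r0, r1 = layout["ram_slack"]
    d0, d1 = layout["drive_slack"]
    return allocation[r0:r1], allocation[d0:d1]


def printable_runs(data, min_len=8):
    """Return runs of printable ASCII, the usual first look at slack bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [run.decode("ascii") for run in pattern.findall(data)]


def build_sample_cluster(new_size=700):
    """Constructed sample: a short new file written over an older one."""
    record = b"OLD MEMO (constructed sample): residual text of a deleted file\n"
    old = (record * 70)[:SECTOR_SIZE * SECTORS_PER_CLUSTER]
    cluster = bytearray(old)
    cluster[:new_size] = b"N" * new_size            # the new file's content
    sector_end = slack_layout(new_size)["ram_slack"][1]
    # Assumption: the rest of the last written sector is zero-filled.
    cluster[new_size:sector_end] = bytes(sector_end - new_size)
    return bytes(cluster), old


if __name__ == "__main__":
    cluster, _old = build_sample_cluster()
    ram, drive = carve_slack(cluster, 700)
    print(slack_layout(700))
    print(len(ram), "bytes of RAM slack,", len(drive), "bytes of drive slack")
    print(printable_runs(drive)[:2])
```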