File000117

Published in: Technology, Education


Transcript

  • 1. Module IV - Digital Evidence
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Investigators Now Crack Crime Computers on The Spot Source: http://news.cnet.com/
  • 3. Module Objective. This module will familiarize you with: • The Definition of Digital Evidence • Characteristics of Digital Evidence • Types of Digital Data • Best Evidence Rule • Federal Rules of Evidence • International Principles for Computer Evidence • The Scientific Working Group on Digital Evidence (SWGDE) • Electronic Devices: Types and Collecting Potential Evidence • Digital Evidence Examination Process • Evidence Assessment • Evidence Acquisition • Evidence Preservation • Evidence Examination and Analysis • Evidence Documentation and Reporting • Electronic Crime and Digital Evidence Consideration by Crime Category
  • 4. Module Flow: Definition of Digital Evidence → Characteristics of Digital Evidence → Types of Digital Data → Best Evidence Rule → Federal Rules of Evidence → International Principles for Computer Evidence → Scientific Working Group on Digital Evidence (SWGDE) → Electronic Devices: Types and Collecting Potential Evidence → Digital Evidence Examination Process → Evidence Assessment → Evidence Acquisition → Evidence Preservation → Evidence Examination and Analysis → Evidence Documentation and Reporting → Electronic Crime and Digital Evidence Consideration by Crime Category
  • 5. Digital Data
  • 6. Definition of Digital Evidence. Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form”. It can be gathered by examining digital storage media, monitoring network traffic, or making duplicate copies of digital data found during a forensic investigation. Digital evidence is found in files such as: • Graphics files • Audio and video recordings and files • Internet browser histories • Server logs • Word processing and spreadsheet files • Emails • Log files
  • 7. Increasing Awareness of Digital Evidence. Businesses face the need to gather evidence on their networks in response to computer crime. Many organizations consider legal remedies when attackers target their networks, and so focus on gathering digital evidence in a way that will hold up in court. Government organizations also use digital evidence to identify terrorist activity and prevent future attacks. As a result, computer forensic investigators are increasingly expected to have complete knowledge of handling digital evidence.
  • 8. Challenging Aspects of Digital Evidence. Forensic investigators face many challenges in preserving digital evidence: it is easily disturbed and must be handled with care. During an investigation it can be altered, maliciously or unintentionally, without leaving any trace. Digital evidence is circumstantial, which makes it difficult for an investigator to attribute a system’s activity to a particular person. It is also an abstraction of events: when someone performs a task on a computer, the resulting activity leaves data remnants that give only an incomplete view of what actually happened.
  • 9. The Role of Digital Evidence. The role of digital evidence is to establish a credible link between the attacker, the victim, and the crime scene. According to Locard’s Exchange Principle, “anyone or anything entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave”. For example, if at the time of the crime information from the victim’s computer was stored on a server or on the system itself, the investigator can trace it by examining log files, Internet browsing history, and similar artifacts.
  • 10. Characteristics of Digital Evidence. Digital evidence must have the following characteristics to be presented in a court of law: • Admissible: the evidence must be related to the fact being proved • Authentic: the evidence must be real and related to the incident in a proper way • Complete: the evidence must tell the whole story, so that it can prove the attacker’s actions or, equally, a suspect’s innocence • Reliable: nothing about how the evidence was collected and handled may cast doubt on its authenticity and veracity • Believable: the evidence must be clear and understandable to the judges
  • 11. Fragility of Digital Evidence. Digital evidence is fragile by nature. During the investigation of a crime scene, if the computer is turned off, unsaved data and the contents of memory can be lost permanently. If the computer is connected to the Internet, the person involved in the crime may destroy evidence remotely, for example by deleting the log files. After the incident, if a user ‘writes’ any data to the system, it may overwrite evidence of the crime.
  • 12. Anti-Digital Forensics (ADF). ADF is an approach to manipulating, erasing, or obfuscating digital data so that forensic examination becomes difficult, time consuming, or impossible. General categories of ADF are: • Overwriting data and metadata (wiping): destroys potentially incriminating data by overwriting it, one or more times, with zeros or random bytes, so that the original content cannot be recovered • Exploitation of bugs in forensic tools: crafted input causes forensic imaging and analysis tools to misread files, for example a text file being parsed as an executable
  • 13. Anti-Digital Forensics (cont’d). Hiding data (steganography, cryptography, and low-tech methods): • Confidential data is hidden inside image files • Messages are encrypted with strong cryptographic algorithms that analysts cannot decrypt without the key • Low-tech methods, such as misnamed files, hide data from the examiner. Obfuscation of data: • Intended to confuse the forensic analyst • Anonymous remailers are used to strip identifying information from email headers • A bootable USB or CD/DVD is used to compromise the system or network while leaving little trace on the host’s own disk
  • 14. Types of Digital Data. Volatile data: • Volatile data is held in memory and is changed or lost when the system is powered off • It includes system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, and command history. Non-volatile data: • Non-volatile data lives on secondary storage and persists across power cycles • It includes hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs
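The process-to-port mapping listed above is one of the volatile items an examiner collects first. The following is an added example (not part of the EC-Council module) showing how that mapping is built on Linux: it parses the kernel's /proc/net/tcp table and resolves socket inodes to process IDs through the /proc/<pid>/fd symlinks. The embedded table is constructed sample data in the kernel's column layout; the live-collection path only runs where /proc exists.

```python
"""Process-to-port mapping from Linux /proc (added example, not from the EC-Council
module). Parses the /proc/net/tcp table and resolves socket inodes to PIDs via
/proc/<pid>/fd. The embedded table is constructed sample input in the real
kernel layout; the live collection only runs where /proc exists."""
from __future__ import annotations

import os
import socket
import struct
from dataclasses import dataclass

# Constructed sample in the exact column layout of /proc/net/tcp (IPv4):
# a listener on 0.0.0.0:22 and an established localhost connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C4A2 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


@dataclass
class TcpEntry:
    local: str
    remote: str
    state: str
    uid: int
    inode: int
    pid: int | None = None  # filled in when the socket inode is found under /proc/<pid>/fd


def hex_endpoint(field: str) -> str:
    """'0100007F:1F90' -> '127.0.0.1:8080'. The kernel prints the IPv4 address
    as a host-byte-order hex word, so on little-endian hosts the bytes are reversed."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> list[TcpEntry]:
    """Parse the table text; the first line is the column header."""
    entries = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        entries.append(TcpEntry(
            local=hex_endpoint(f[1]), remote=hex_endpoint(f[2]),
            state=TCP_STATES.get(f[3], f[3]), uid=int(f[7]), inode=int(f[9]),
        ))
    return entries


def socket_owners(proc_root: str = "/proc") -> dict[int, int]:
    """Map socket inode -> PID by reading the 'socket:[inode]' symlinks in
    /proc/<pid>/fd. Processes that exit or deny access during the walk are
    skipped: volatile data moves while it is being collected."""
    owners: dict[int, int] = {}
    if not os.path.isdir(proc_root):
        return owners
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = int(pid)
    return owners


def process_port_map(text: str, owners: dict[int, int]) -> list[TcpEntry]:
    """Join the two views into the process-to-port mapping an examiner records."""
    entries = parse_proc_net_tcp(text)
    for e in entries:
        e.pid = owners.get(e.inode)
    return entries


if __name__ == "__main__":
    # Live collection on a Linux host (read-only); falls back to the sample elsewhere.
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for e in process_port_map(table, socket_owners()):
        print(f"{e.local:>22} {e.remote:>22} {e.state:<12} uid={e.uid} pid={e.pid}")
```

Run it as root on the suspect host, from trusted tooling carried on your own media where possible; every read of /proc/<pid>/fd is itself a snapshot of volatile state, and processes that exit during the walk simply disappear, which is why the collection time and the tool used belong in the examiner's notes.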
  • 15. Types of Digital Data (cont’d). Transient data: • Transient data includes open network connections, user login/logout state, programs resident in memory, and cached data • If the machine is turned off, all of this information is lost permanently. Fragile data: • Fragile data is stored on the hard disk but is easily changed • It includes last access timestamps and access dates on files, which the act of examining a file can itself alter. Temporarily accessible data: • Temporarily accessible data is stored on the hard disk but can be read only for a certain time • It includes data such as the contents of an encrypted file system, readable only while the volume is mounted and unlocked
  • 16. Types of Digital Data (cont’d). Active data: • Active data is the data currently used by the parties in their daily operations • It is direct and straightforward to recognize and access using the current system. Archival data: • Archival data is data kept in long-term storage to maintain records. Backup data: • Backup data is a copy of the system data • It can be used at any time in the recovery process after a disaster or system crash
  • 17. Types of Digital Data (cont’d). Residual data: • Residual data is the data that remains on a computer after a document is deleted • When a file is deleted, the file system only marks the file’s space as free; it does not erase the contents • The file can be retrieved until that space is reused by new data. Metadata: • Metadata is the record kept about a particular document • It includes the file’s format and how, when, and by whom the file was created, saved, and modified
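To make the residual-data, slack-space and wiping behaviour described above concrete, here is an added example (not from the EC-Council module) on a toy volume: a byte array with an allocation bitmap standing in for a disk and its file system. The PDF-like bytes and the file system model are constructed for illustration; the header/footer signatures are the real magic values carving tools look for.

```python
"""Residual data, slack and wiping on a toy volume (added example, not from the
EC-Council module). A flat byte array plus an allocation bitmap stands in for a
disk: 'delete' only clears bitmap bits, so the bytes stay in unallocated space
until reused, and signature carving recovers them regardless of the bitmap."""
from __future__ import annotations

BLOCK_SIZE = 64
BLOCK_COUNT = 16

# kind -> (header, footer) for the two file types carved here (real magic values).
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


class ToyDisk:
    def __init__(self) -> None:
        self.blocks = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.allocated = [False] * BLOCK_COUNT
        self.directory: dict[str, list[int]] = {}

    def write_file(self, name: str, data: bytes) -> list[int]:
        """Allocate the first free blocks and copy the bytes in. Only len(chunk)
        bytes of the last block are touched, so whatever was there before
        survives as file slack."""
        needed = -(-len(data) // BLOCK_SIZE)
        free = [i for i, used in enumerate(self.allocated) if not used]
        if len(free) < needed:
            raise OSError("disk full")
        used = free[:needed]
        for n, blk in enumerate(used):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            start = blk * BLOCK_SIZE
            self.blocks[start:start + len(chunk)] = chunk
            self.allocated[blk] = True
        self.directory[name] = used
        return used

    def delete_file(self, name: str) -> None:
        """Ordinary delete: drop the directory entry and free the blocks; no bytes change."""
        for blk in self.directory.pop(name):
            self.allocated[blk] = False

    def wipe_file(self, name: str, pattern: bytes = b"\x00") -> None:
        """Anti-forensic wipe: overwrite every block of the file, then delete it."""
        fill = (pattern * BLOCK_SIZE)[:BLOCK_SIZE]
        for blk in self.directory[name]:
            self.blocks[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = fill
        self.delete_file(name)


def carve(disk: ToyDisk, unallocated_only: bool = False) -> list[tuple[str, int, bytes]]:
    """Scan the raw bytes for header/footer pairs, ignoring the file system's view.
    Returns (kind, byte offset, recovered bytes) sorted by offset."""
    raw = bytes(disk.blocks)
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            end = raw.find(footer, start + len(header))
            if end == -1:
                break
            end += len(footer)
            if not unallocated_only or not disk.allocated[start // BLOCK_SIZE]:
                found.append((kind, start, raw[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def demo() -> dict[str, object]:
    """Walk one file through write, delete, partial reuse and wipe."""
    disk = ToyDisk()
    # Constructed sample: PDF-like bytes with the real header and footer (not a valid PDF).
    pdf = b"%PDF-1.4\n1 0 obj << /Title (evidence) >> endobj\n%%EOF"
    disk.write_file("report.pdf", pdf)
    out: dict[str, object] = {"after_write": len(carve(disk))}

    disk.delete_file("report.pdf")
    out["after_delete"] = len(carve(disk))                               # still carvable
    out["after_delete_unallocated"] = len(carve(disk, unallocated_only=True))

    disk.write_file("note.txt", b"hi there")  # 8 bytes land in the freed block
    out["after_reuse"] = len(carve(disk))     # header overwritten: signature carving fails
    out["remnant_in_slack"] = b"(evidence)" in bytes(disk.blocks)  # tail survives in slack

    disk.write_file("again.pdf", pdf)
    blocks = disk.directory["again.pdf"]
    disk.wipe_file("again.pdf")
    out["after_wipe"] = len(carve(disk))
    out["wiped_block_zeroed"] = all(
        disk.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] == bytes(BLOCK_SIZE) for b in blocks)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>26}: {v}")
```

The three outcomes are the ones an examiner meets on real media: a deleted file carves back intact, a partially overwritten one leaves a remnant in slack that keyword search still finds even though signature carving does not, and a wiped one leaves nothing but the zero pattern, which is itself worth noting in the report.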
  • 18. Rules of Evidence. Definition: • Rules of evidence govern whether, when, how, and for what purpose proof of a case may be placed before a trier of fact for consideration • The trier of fact may be a judge or a jury, depending on the purpose of the trial and the choices of the parties. Evidence to be presented in court must comply with the established rules of evidence, so it is important that the investigator understands them before the investigation begins.
  • 19. Best Evidence Rule. The best evidence rule exists to prevent alteration of evidence, whether intentional or unintentional. It states that to prove the content of a document, photograph, or recording, the court requires the original rather than a copy, but a duplicate is allowed as evidence under conditions such as: • The original was destroyed (e.g., by fire or flood) through no bad faith of the party offering the copy • The original was destroyed in the normal course of business • The original is in the possession of a third party. For digital evidence a forensic image that accurately reproduces the original media is a “duplicate” under Rule 1001 and is admissible to the same extent as the original under Rule 1003 unless a genuine question is raised about its authenticity; this is why the examiner hashes the image at acquisition and verifies it against the source.
  • 20. Federal Rules of Evidence. Rule 102 (Purpose): These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined. Rule 103 (Rulings on Evidence): • (a) Effect of erroneous ruling: error may not be predicated upon a ruling which admits or excludes evidence unless a substantial right of the party is affected, and • (1) Objection: in case the ruling is one admitting evidence, a timely objection or motion to strike appears of record, stating the specific ground of objection, if the specific ground was not apparent from the context; or • (2) Offer of proof: in case the ruling is one excluding evidence, the substance of the evidence was made known to the court by offer or was apparent from the context within which questions were asked
  • 21. Federal Rules of Evidence (cont’d). Rule 103 (Rulings on Evidence), continued: • (b) Record of offer and ruling: the court may add any other or further statement which shows the character of the evidence, the form in which it was offered, the objection made, and the ruling thereon. It may direct the making of an offer in question and answer form • (c) Hearing of jury: proceedings shall be conducted, to the extent practicable, so as to prevent inadmissible evidence from being suggested to the jury by any means, such as making statements or offers of proof or asking questions in the hearing of the jury • (d) Plain error: nothing in this rule precludes taking notice of plain errors affecting substantial rights although they were not brought to the attention of the court
  • 22. Federal Rules of Evidence (cont’d). Rule 104 (Preliminary Questions): • (a) Questions of admissibility generally: preliminary questions concerning the qualification of a person to be a witness, the existence of a privilege, or the admissibility of evidence shall be determined by the court, subject to the provisions of subdivision (b). In making its determination it is not bound by the rules of evidence except those with respect to privileges • (b) Relevancy conditioned on fact: when the relevancy of evidence depends upon the fulfillment of a condition of fact, the court shall admit it upon, or subject to, the introduction of evidence sufficient to support a finding of the fulfillment of the condition • (d) Testimony by accused: the accused does not, by testifying upon a preliminary matter, become subject to cross-examination as to other issues in the case
  • 23. Federal Rules of Evidence (cont’d). Rule 104 (Preliminary Questions), continued: • (c) Hearing of jury: hearings on the admissibility of confessions shall in all cases be conducted out of the hearing of the jury. Hearings on other preliminary matters shall be conducted when the interests of justice require, or when an accused is a witness and so requests • (e) Weight and credibility: this rule does not limit the right of a party to introduce before the jury evidence relevant to weight or credibility. Rule 105 (Limited Admissibility): • When evidence which is admissible as to one party or for one purpose but not admissible as to another party or for another purpose is admitted, the court, upon request, shall restrict the evidence to its proper scope and instruct the jury accordingly
  • 24. Federal Rules of Evidence (cont’d). Hearsay Rule (Rules 801 and 802): • Hearsay is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted • It is not admissible except as provided by these rules or by other rules prescribed by the Supreme Court pursuant to statutory authority or by Act of Congress. Statements which are not hearsay (Rule 801(d)): • Prior statement by witness • Admission by party-opponent
  • 25. Federal Rules of Evidence (cont’d). Rule 803 (Hearsay Exceptions; Availability of Declarant Immaterial). Even if the declarant is available as a witness, the following are not excluded by the hearsay rule: • Present sense impression • Excited utterance • Statements for purposes of medical diagnosis or treatment • Recorded recollection • Records of regularly conducted activity (the business-records exception under which routinely generated system and application logs are commonly offered) • Absence of entry in records kept in accordance with the provisions of the preceding exception • Public records and reports • Records of vital statistics
  • 26. Federal Rules of Evidence (cont’d). Rule 804 (Hearsay Exceptions; Declarant Unavailable). If the declarant is unavailable as a witness, the following are not excluded by the hearsay rule: • Former testimony • Statement under belief of impending death • Statement against interest • Statement of personal or family history
  • 27. Federal Rules of Evidence (cont’d). Rule 1001 (Definitions: Contents of Writings, Recordings, and Photographs): • Writings and recordings: letters, words, or numbers, or their equivalent, set down by handwriting, typewriting, printing, photostating, photographing, magnetic impulse, mechanical or electronic recording, or other form of data compilation • Photographs: still photographs, X-ray films, video tapes, and motion pictures • Original: the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it; if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original” • Duplicate: a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording, or by chemical reproduction, or by other equivalent techniques which accurately reproduce the original
  • 28. Federal Rules of Evidence (cont’d). Rule 1002 (Requirement of Original): • To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress. Rule 1003 (Admissibility of Duplicates): • A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original
  • 29. Federal Rules of Evidence (cont’d). Rule 1004 (Admissibility of Other Evidence of Contents): The original is not required, and other evidence of the contents of a writing, recording, or photograph is admissible if: • (1) Originals are lost or destroyed: all originals are lost or have been destroyed, unless the proponent lost or destroyed them in bad faith • (2) Original is not obtainable: no original can be obtained by any available judicial process or procedure • (3) Original is in possession of the opponent: at a time when an original was under the control of the party against whom offered, that party was put on notice, by the pleadings or otherwise, that the contents would be a subject of proof at the hearing, and that party does not produce the original at the hearing • (4) Collateral matters: the writing, recording, or photograph is not closely related to a controlling issue
  • 30. International Organization on Computer Evidence (IOCE). The International Organization on Computer Evidence (IOCE) was established in 1995. Its purpose is to provide a forum in which law enforcement agencies worldwide can exchange information about cybercrime investigation and other issues associated with computer forensics. IOCE provides a channel for direct communication between member agencies and arranges conferences to build strong working relationships between them.
  • 31. http://www.ioce.org/
  • 32. IOCE International Principles for Digital Evidence: • When dealing with digital evidence, all of the general forensic and procedural principles must be applied • Upon seizing digital evidence, actions taken should not change that evidence • When it is necessary for a person to access the original digital evidence, that person should be trained for the purpose • All activities relating to the seizure, access, storage, or transfer of the digital evidence must be fully documented, preserved, and available for review • An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession • Any agency which is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
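As an added example tying the Best Evidence Rule (Rules 1001 and 1003 above) to the IOCE principles that actions must not change the evidence and must be fully documented, the code below, which is not from the EC-Council module or any vendor tool, images a source, hashes it in the same pass, re-verifies the image independently, and appends each action to a chain-of-custody log. The source “device” is a constructed temporary file; the examiner name and the JSON-lines log format are assumptions for illustration.

```python
"""Acquire-and-verify a forensic duplicate with a custody record (added example,
not from the EC-Council module or any vendor tool). The 'device' is a
constructed file; on a real system the source sits behind a write blocker and
is opened read-only, which is all this code ever does with it."""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source: str, image: str) -> str:
    """Bit-for-bit copy. The hash is taken from the same bytes that are written,
    in the same pass, so the acquisition hash describes exactly what was read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify_image(source: str, image: str, acquisition_hash: str) -> dict[str, object]:
    """Re-hash both sides independently; all three values must agree."""
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    return {
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": src_hash == img_hash == acquisition_hash,
    }


def record_custody(logfile: str, examiner: str, action: str, item: str,
                   details: dict[str, object]) -> dict[str, object]:
    """Append one JSON line per action: who did what to which item, when, with what result."""
    entry: dict[str, object] = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner, "action": action, "item": item, **details,
    }
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def acquire_and_verify(source: str, image: str, logfile: str, examiner: str) -> dict[str, object]:
    acq_hash = image_device(source, image)
    record_custody(logfile, examiner, "acquire", source, {"image": image, "sha256": acq_hash})
    result = verify_image(source, image, acq_hash)
    record_custody(logfile, examiner, "verify", image, result)
    return result


def demo() -> dict[str, object]:
    work = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(work, "sdb.raw")      # constructed stand-in for a block device
    image = os.path.join(work, "sdb.dd")
    log = os.path.join(work, "custody.jsonl")
    with open(source, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 777))   # not a multiple of CHUNK: tail is exercised

    good = acquire_and_verify(source, image, log, "examiner-1")

    # Flip one bit in the image; re-verification against the recorded hash must fail.
    with open(image, "r+b") as fh:
        fh.seek(100)
        b = fh.read(1)[0]
        fh.seek(100)
        fh.write(bytes([b ^ 0x01]))
    bad = verify_image(source, image, str(good["image_sha256"]))

    with open(log, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh]
    return {
        "verified": good["verified"],
        "tampered_verified": bad["verified"],
        "log_actions": [e["action"] for e in entries],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The acquisition hash is computed from the bytes as they are read, and the verification re-reads both source and image from scratch, so a transfer or media fault between the two shows up as a mismatch rather than being hashed into the record. Hashing the source a second time is a read-only operation, but it is still an access to the original, so it is logged like any other.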
  • 33. Scientific Working Group on Digital Evidence (SWGDE): http://www.swgde.org/
  • 34. SWGDE Standards for the Exchange of Digital Evidence. Principle 1: • In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system. Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and broadly accepted procedures, equipment, and materials. Standards and Criteria 1.1: • All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority
  • 35. SWGDE Standards for the Exchange of Digital Evidence (cont’d). Standards and Criteria 1.2: • Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness. Standards and Criteria 1.3: • Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner. Standards and Criteria 1.4: • The agency must maintain written copies of appropriate technical procedures
  • 36. SWGDE Standards for the Exchange of Digital Evidence (cont’d). Standards and Criteria 1.5: • The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure. Standards and Criteria 1.6: • All activities relating to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony. Standards and Criteria 1.7: • Any action that has the potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner
  • 37. Electronic Devices: Types and Collecting Potential Evidence
  • 38. Electronic Devices: Types and Collecting Potential Evidence. Computer systems: evidence is found in files stored on servers, memory cards, hard drives, removable storage devices, and media such as floppy disks, CDs, DVDs, cartridges, and tape. • User-created files: address books, database files, audio or video files, documents or text files, image or graphics files, Internet bookmarks or favorites, and spreadsheet files, from which information of investigative value can be obtained • User-protected files: compressed files, misnamed files, encrypted files, password-protected files, hidden files, and steganography • Computer-created files: backup files, log files, configuration files, printer spool files, cookies, swap files, hidden files, system files, history files, and temporary files
  • 39. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Hard drive: • An electronic storage device that stores data magnetically • It holds data in many file formats: text, picture, video, and so on • To collect evidence, check text, picture, video, multimedia, database, and computer program files. Thumb drive: • A removable data storage device with a USB connection • Small and lightweight • To collect evidence, check text, graphics, image, and picture files. Memory card: • A removable electronic storage device used in devices such as digital cameras, PDAs, and computers • Data on a memory card is not lost when power is turned off • To collect evidence, check event logs, chat logs, text files, image and picture files, and Internet browsing history
  • 40. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Access control devices: • Smart card: a portable device containing a microprocessor that stores an encryption key or password and a digital certificate • Dongle: a copy-protection device supplied with software and plugged into a computer port • Biometric scanner: a device connected to a computer system that identifies an individual by physical characteristics. Evidence is found in the information used to recognize or authenticate the card and the user, the level of access, configurations, permissions, and in the device itself
  • 41. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Answering machine: part of a telephone, or connected between a telephone and the landline connection. Evidence is found in voice recordings and stored data such as: • Deleted messages • Last number called • Memos • Phone numbers • Tapes
  • 42. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Digital camera: records images and video and transfers them to computer media with the help of conversion hardware. Evidence is found in: • Images • Removable cartridges • Video • Sound • Time and date stamps
  • 43. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Handheld devices such as Personal Digital Assistants (PDAs) and electronic organizers: • A PDA is a handheld, portable device that combines computing, telephone/fax, paging, and networking functions • Evidence is found in the address book, appointment calendars and information, documents, e-mail, handwriting, passwords, phone book, text messages, and voice messages. Modem: • Used by computers to communicate over telephone lines • Evidence is found on the device itself
  • 44. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Network components: • Local Area Network (LAN) card / Network Interface Card (NIC): the evidence is the card’s MAC (Media Access Control) address, which ties the physical device to the hardware addresses recorded in logs and packet captures • Routers, hubs, and switches: they connect different computers or networks; for routers, evidence is found in the configuration files, while for hubs and switches evidence is found on the devices themselves • Server: a central computer that provides services to other computers on the same network; evidence is found in the computer system • Network cables and connectors: cables come in a variety of colors, thicknesses, shapes, and connectors depending on the components they join; evidence is found on the devices themselves
  • 45. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Pager: • A handheld, portable electronic device for sending and receiving electronic messages in numeric or alphanumeric form • It contains volatile evidence such as address information, text messages, e-mail, voice messages, and phone numbers. Printer: • Includes thermal, laser, inkjet, and impact printers, connected to the computer over a cable (serial, parallel, or universal serial bus) or accessed over an infrared port • Some printers contain a memory buffer that lets them receive and store multiple documents • Evidence is found in usage logs, time and date information, network identity information, ink cartridges, and time and date stamps
  • 46. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Removable storage devices and media: • Storage devices and media such as tape, CD, DVD, and floppy disks are used to store digital information • They are portable and hold different file types, such as text, graphics, multimedia, and video files • Evidence is found on the devices themselves
  • 47. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Scanner: • An optical device connected to a computer; a document placed on the scanning surface is captured and sent to the computer as a file • Evidence is found in the device itself and in the marks and imperfections on the scanner glass, which can tie a scanned image back to the specific device that produced it
  • 48. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Telephones: evidence is found in: • Names • Phone numbers • Caller identification information • Appointment information • Electronic mail and pages. Copiers: they make copies of printed or graphical documents; evidence is found in: • Documents • User usage logs • Time and date stamps
  • 49. Electronic Devices: Types and Collecting Potential Evidence (cont’d). Credit card skimmers: • They read the information present on the tracks of the card’s magnetic stripe • Evidence is found in: • Card expiration date • User’s address • Credit card numbers • User’s name. Digital watches: evidence is found in: • Address book • Notes • Appointment calendars • Phone numbers • Email
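The fields the skimmer slide lists (card number, cardholder name, expiration date) are laid out on the stripe in the ISO/IEC 7813 Track 1 and Track 2 formats, and a skimmer's memory is typically a raw dump of those tracks. The parser below is an added example, not from the EC-Council module; the dump it reads is constructed and uses published test card numbers, and the record layout and report masking are assumptions for illustration.

```python
"""Parse magnetic-stripe Track 1 / Track 2 data from a skimmer dump (added
example, not from the EC-Council module). Field layout follows ISO/IEC 7813;
the dump below is constructed and uses published test card numbers."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
TRACK2 = re.compile(r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

# Constructed dump: two cards with valid test PANs, one record with a bad check digit.
SAMPLE_DUMP = (
    "%B4111111111111111^DOE/JOHN^25121011000000000000?"
    ";4111111111111111=25121011000000000000?\r\n"
    "%B5500000000000004^SMITH/JANE^26031010000?"
    ";5500000000000004=26031010000?\r\n"
    "%B4111111111111112^BROKEN/READ^24011010000?"
)


@dataclass
class CardRecord:
    track: int
    pan: str
    expiry: str          # YYMM exactly as encoded on the stripe
    service_code: str
    luhn_ok: bool
    name: str | None = None   # Track 2 carries no name field


def luhn_ok(pan: str) -> bool:
    """Check-digit test; a failing PAN usually means a misread or a forged stripe."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_tracks(raw: str) -> list[CardRecord]:
    """Extract every Track 1 and Track 2 record found anywhere in the dump."""
    records: list[CardRecord] = []
    for m in TRACK1.finditer(raw):
        records.append(CardRecord(1, m["pan"], m["exp"], m["svc"], luhn_ok(m["pan"]), m["name"].strip()))
    for m in TRACK2.finditer(raw):
        records.append(CardRecord(2, m["pan"], m["exp"], m["svc"], luhn_ok(m["pan"])))
    return records


def mask_pan(pan: str) -> str:
    """Report form: first six and last four digits only, so the report itself
    does not become a second copy of the stolen card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def expiry_mm_yyyy(yymm: str) -> str:
    return f"{yymm[2:]}/20{yymm[:2]}"


if __name__ == "__main__":
    for r in parse_tracks(SAMPLE_DUMP):
        flag = "" if r.luhn_ok else "  <-- Luhn check failed"
        print(f"T{r.track} {mask_pan(r.pan)} exp {expiry_mm_yyyy(r.expiry)} "
              f"svc {r.service_code} {r.name or ''}{flag}")
```

Pairing Track 1 and Track 2 records by PAN, and flagging records that fail the Luhn check, lets the examiner separate clean reads from noise before counting victims, while the masked output keeps full card numbers out of the written report.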
  • 50. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Facsimile (Fax) Machines • Evidence is found through: • Documents • Phone numbers • Film cartridge • Send or receive logs Global Positioning Systems (GPS) • Evidence is found through: • Previous destinations • Way points • Routes and • Travel Logs Electronic Devices: Types and Collecting Potential Evidence (cont’d)
• 51. Evidence Assessment
• 52. Digital Evidence Examination Process: Evidence Assessment → Evidence Acquisition → Evidence Preservation → Evidence Examination and Analysis → Evidence Documentation and Reporting
• 53. Evidence Assessment: Digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action. Conduct a thorough assessment by reviewing the search warrant or other legal authorization, the case details, the nature of the hardware and software, the potential evidence sought, and the circumstances surrounding the acquisition of the evidence
• 54. Evidence Assessment (cont’d) Prioritize the evidence where necessary, based on: • the location where the evidence is found • the stability of the media to be examined. Determine how to document the evidence (e.g., photograph, sketch, notes). Evaluate storage locations for electromagnetic interference. Determine the condition of the evidence as a result of packaging, transport, or storage. Assess the need to provide continuous electric power to battery-operated devices
• 55. Prepare for Evidence Acquisition: To prepare for the acquisition of evidence, all the actions and outcomes of the previous phases of the digital evidence examination process should be properly determined. Documentation that helps in preparing for evidence acquisition: • An initial estimate of the impact of the situation on the organization's business • A detailed network topology diagram that highlights the affected computer systems and provides details about how those systems might be affected • Summaries of interviews with users and system administrators • Outcomes of any legal and third-party interactions • Reports and logs generated by tools used during the assessment phase • A proposed course of action
• 56. Evidence Acquisition
• 57. Preparation for Searches: Before preparing a warrant to seize all or part of a computer system and the information it contains, it is critical to determine the computer's role in the offense. For example: • A counterfeiter might use his computer, scanner, and color printer to scan U.S. currency and then print money • A drug dealer may store records pertaining to customers, prices, and quantities delivered on a personal computer • A blackmailer may type and store threatening letters on his computer • Attackers often use their computers both to attack others’ computer systems and to store the stolen files
• 58. Seizing the Evidence: If a computer is used to store the evidence, the storage media should be seized in addition to the other devices. While running programs to collect analysis information, any books found at the scene should be collected to help understand the programs. The suspect should be prevented from touching the system. During the seizing process, the computer should not be powered down
• 59. Imaging: Remove the subject storage device and perform the acquisition using the examiner’s system. When attaching the subject device to the examiner’s system, configure the storage device so that it will be recognized. Ensure that the examiner’s storage device is forensically clean when acquiring the evidence
• 60. Bit-Stream Copies: A bit-stream copy is a bit-by-bit copy of the original storage medium, an exact copy of the original disk. A bit-stream image is the file that contains the bit-stream copy of all the data on a disk or partition. The computer should not be operated and computer evidence should not be processed until bit-stream backups have been made of all hard disk drives and floppy disks
• 61. Write Protection: Write protection should be initiated, if available, to preserve and protect the original evidence. Create a known value for the subject evidence prior to acquiring it (e.g., by performing an independent cyclic redundancy check (CRC) or MD5 hash). If hardware write protection is used: • Install a write protection device • Boot the system with the examiner’s controlled operating system. If software write protection is used: • Boot the system with the examiner-controlled operating system • Activate write protection
• 62. Evidence Acquisition: Digital evidence is fragile and can be altered, damaged, or destroyed by improper handling or examination. If this happens, the evidence may be unusable or may lead to an inaccurate conclusion. Acquire the original digital evidence in a manner that protects and preserves it
• 63. Evidence Acquisition from Crime Location (cont’d): Disassemble the case of the computer to be examined to permit physical access to the storage devices. Ensure that the equipment is protected from static electricity and magnetic fields. Identify the storage devices that need to be acquired; these devices can be internal, external, or both
• 64. Evidence Acquisition from Crime Location (cont’d): Document the internal storage devices and hardware configuration: • Drive condition (e.g., make, model, geometry, size, jumper settings, location, drive interface) • Internal components (e.g., sound card, video card, network card including its media access control (MAC) address, Personal Computer Memory Card International Association (PCMCIA) cards). Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data
• 65. Acquiring Evidence from Storage Devices: Investigate the geometry of any storage devices to ensure that all space is accounted for, including host-protected areas (e.g., check that non-host-specific data such as the partition table matches the physical geometry of the drive). Capture the electronic serial number of the drive and other user-accessible, host-specific data. Acquire the subject evidence to the examiner's storage device using appropriate software and hardware tools such as: • Stand-alone duplication software • A forensic analysis software suite • Dedicated hardware devices. Verify successful acquisition by comparing the known values of the original and the copy or by doing a sector-by-sector comparison of the original to the copy
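The acquisition sequence on slides 60, 61 and 65 (known value before imaging, write-blocked bit-stream copy, verification by known value and sector-by-sector comparison) as a worked example. This is added illustration code, not part of the EC-Council module or any forensic product: an in-memory byte string stands in for the subject drive, and the `WriteBlockedDevice` class is an assumed stand-in for a hardware write blocker. All sample media content is constructed.

```python
"""Bit-stream acquisition with known-value and sector-by-sector verification.

Added example, not part of the EC-Council module: an in-memory byte string
stands in for the subject drive and a tiny wrapper class simulates a hardware
write blocker. Constructed sample data only.
"""
import hashlib
import zlib
from typing import Dict, Optional, Tuple

SECTOR = 512


class WriteBlockedDevice:
    """Read-only view of the subject media: any write attempt is refused,
    which is the behaviour a hardware write blocker provides."""

    def __init__(self, raw: bytes):
        self._raw = raw

    def sector_count(self) -> int:
        return -(-len(self._raw) // SECTOR)  # ceiling division

    def read_sector(self, n: int) -> bytes:
        return self._raw[n * SECTOR:(n + 1) * SECTOR]

    def write_sector(self, n: int, data: bytes) -> None:
        raise PermissionError("write blocker engaged: subject media is read-only")


def read_all(dev: WriteBlockedDevice) -> bytes:
    return b"".join(dev.read_sector(n) for n in range(dev.sector_count()))


def known_values(data: bytes) -> Dict[str, str]:
    """Known values computed before acquisition: CRC and MD5 as the slide
    mentions, plus SHA-256 because MD5 collisions are practical today."""
    return {
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def acquire(dev: WriteBlockedDevice) -> bytes:
    """Bit-stream copy: every sector is read in order and appended to the
    image; nothing is interpreted, so slack and unallocated space come along."""
    image = bytearray()
    for n in range(dev.sector_count()):
        image += dev.read_sector(n)
    return bytes(image)


def verify(dev: WriteBlockedDevice, image: bytes) -> Tuple[bool, Optional[int]]:
    """Returns (known values of original and copy match, first mismatching
    sector or None). The sector loop tells the examiner where a bad copy
    diverged, which a hash comparison alone cannot."""
    original = read_all(dev)
    hashes_match = known_values(original) == known_values(image)
    first_bad = None
    for n in range(dev.sector_count()):
        if dev.read_sector(n) != image[n * SECTOR:(n + 1) * SECTOR]:
            first_bad = n
            break
    return hashes_match, first_bad


# Constructed sample media: 8 sectors of labelled filler.
SAMPLE_MEDIA = b"".join(
    ("sector %02d constructed sample content" % n).encode().ljust(SECTOR, b"\xff")
    for n in range(8)
)

if __name__ == "__main__":
    dev = WriteBlockedDevice(SAMPLE_MEDIA)
    before = known_values(read_all(dev))   # recorded before acquisition
    image = acquire(dev)
    print("known values unchanged:", known_values(image) == before)
    print("sector comparison:", verify(dev, image))
```

Record the pre-acquisition known values in the case notes before imaging; they are the reference the copy is checked against, and a later re-hash of the original that differs from them is itself evidence of alteration.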
• 66. Collecting Evidence: Data on digital evidence can be collected either locally or over a network. Acquiring the data locally has the advantage of greater control over the computer(s) and the data involved. Other factors, such as the secrecy of the investigation, the nature of the evidence that must be gathered, and the timeframe for the investigation, will ultimately determine whether the evidence is collected locally or over the network. Create accurate documentation that will later allow you to identify and authenticate the evidence that is collected. Determine which investigation methods to use; typically a combination of offline and online investigations is used. In offline investigations, additional analysis is performed on a bit-wise copy of the original evidence. In an online investigation, analysis is performed on the original live evidence
• 67. Collecting Evidence (cont’d): Identify and document the potential sources of data: • Server information, including server role, logs (such as event logs), files, and applications • Logs from internal and external facing network devices, such as firewalls, routers, proxy servers, network access servers (NAS), and intrusion detection systems (IDS), that may lie on the possible attack path • Internal hardware components, such as network adapters (which include media access control (MAC) address information) and PCMCIA cards • Storage devices that need to be acquired (internal and external), including hard disks, network storage devices, and removable media. Note: When capturing volatile data, carefully consider the order in which the data is collected
• 68. Collecting Evidence (cont’d): Use the following methods to collect data from the storage media and record storage media configuration information: • If any internal storage devices are to be removed, turn off the computer first • Before turning off the computer, verify that all volatile data has been captured • Determine whether to remove the storage device from the suspect computer and use your own system to acquire the data • Create a bit-wise copy of the evidence in a backup destination, ensuring that the original data is write-protected • Document the internal storage devices and ensure that information about their configurations is included • Verify the data collected; create checksums and digital signatures when possible to establish that the copied data is identical to the original
• 69. Collecting Evidence (cont’d): Evidence can be collected from a live computer by searching: • Processor registers • Virtual and physical memory • Network state • Running processes • Disks, floppies, tapes • CD-ROMs, paper printouts. Volatile and important sources of evidence on live systems and the commands used to capture the evidence: • Running processes (ps or the /proc file system) • Active network connections (netstat) • ARP cache (arp) • List of open files (lsof) • Virtual and physical memory (/dev/mem, /dev/kmem)
• 70. Collecting Evidence (cont’d): Computer forensic tools for data collection include: • Guidance Software’s EnCase (www.guidancesoftware.com) • AccessData’s Forensic Toolkit (www.accessdata.com)
• 71. Collecting Evidence from RAM: Trace evidence in RAM: • When an application is opened, RAM holds the files in use by that application • The memory is released when the files are closed and is reused by the operating system for other storage • Do not power down the computer, as this may destroy critical information • Evidence can be present in RAM even after the file has been wiped from the hard disk; to demonstrate this: • Wipe the file from the hard disk after opening it, using a wiping tool • Use the dd utility to write the contents of RAM to the hard disk; dd is a general-purpose UNIX utility that copies files and is useful for creating forensic images
• 72. Collecting Evidence from RAM (cont’d): Trace evidence in the swap file: • When no RAM is available to allocate to an application, the operating system transfers content present in RAM to a temporary swap file so that the RAM can be used by the new application • The contents of the swap file are overwritten frequently • The examiner can trace data in the swap file by searching for the headers and footers associated with a particular file type
• 73. Collecting Evidence from a Stand-alone Network Computer: Do not use the computer to search for evidence. Photograph all the devices connected to the computer. Do not turn on the system if it is off. If the computer is on, take a photograph of the screen. If the computer is on and the screen is blank, move the mouse slowly and take a photograph of the screen. Unplug all the cords and devices connected to the computer and label them for later identification. If the computer is connected to a router and modem, unplug their power
• 74. Chain of Custody: The chain of custody is a road map that describes how the evidence was collected, analyzed, and preserved for presentation in court. It ensures that the original evidence can be audited and that the logs are tracked accurately. In the chain of custody, every transfer of evidence from person to person should be documented
• 75. Chain of Evidence Form: Date; Type of Incident; Case #; Model #; Manufacturer #; Serial #; Consent Required (Y/N); Signature of Consenting Person; Tag #; Description of Form; Person Receiving Evidence; Signature. Chain of Custody Form (one row per transfer, four rows provided): From Location; To Location; Date; Reason. Final Disposition of Evidence; Date
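The chain of custody on slides 74 and 75 is a paper form; the example below, added here and not an EC-Council form or tool, keeps the same fields (from location, to location, date, reason, receiving person) in a log where each entry also carries the hash of the entry before it, so that a later edit to any transfer record breaks the chain and the `verify` method reports which entry is affected. The `CustodyLog` class and the sample transfers are constructed for the example.

```python
"""Tamper-evident chain-of-custody log.

Added example, not an EC-Council form: each transfer entry carries the fields
on the slide (from, to, date, reason, receiving person) plus the hash of the
previous entry, so a later edit to any entry breaks the chain. Sample
transfers are constructed.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple


def _digest(obj: dict) -> str:
    """Canonical JSON so the same fields always hash the same way."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, case_no: str, tag_no: str, description: str, item_hash: str):
        # Header mirrors the top of the chain of evidence form; item_hash is the
        # known value (e.g. SHA-256) of the seized media or its image.
        self.header = {"case": case_no, "tag": tag_no,
                       "description": description, "item_hash": item_hash}
        self.entries: List[Dict[str, str]] = []

    def record(self, from_loc: str, to_loc: str, date: str, reason: str,
               received_by: str) -> Dict[str, str]:
        """Append one transfer, linked to the previous entry (or the header)."""
        prev = self.entries[-1]["entry_hash"] if self.entries else _digest(self.header)
        entry = {"from": from_loc, "to": to_loc, "date": date, "reason": reason,
                 "received_by": received_by, "prev_hash": prev}
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain from the header; returns (intact, index of the first
        entry whose own hash or back-link no longer checks out, or None)."""
        prev = _digest(self.header)
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None


if __name__ == "__main__":
    log = CustodyLog("CASE-0001", "TAG-07", "Desktop PC, seized hard drive",
                     item_hash="0" * 64)  # constructed placeholder for the media hash
    log.record("Scene", "Evidence locker", "2013-05-02 16:40", "Seized", "Officer A")
    log.record("Evidence locker", "Forensic lab", "2013-05-03 09:15", "Imaging", "Examiner B")
    print("chain intact:", log.verify())
```

A hash chain only proves that nothing inside it changed after the last entry was written; the hash of the latest entry still has to be recorded somewhere the log's author cannot rewrite (a signed case file, a second system) for the protection to mean anything against the log's own custodian.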
• 76. Evidence Preservation
• 77. Preserving Digital Evidence: Checklist: Document the actions and changes that you observe on the monitor, computer, printer, or other peripherals. Verify whether the monitor is on, off, or in sleep mode. Remove the power cable depending on the power state of the computer (on, off, or sleep mode). Do not turn on the computer if it is off. Take a photo of the monitor screen if the computer is on. Check the connections of the telephone modem, cable, ISDN, and DSL
• 78. Preserving Digital Evidence: Checklist (cont’d): Remove the plug from the power router or modem. Remove any floppy disks available at the scene to safeguard potential evidence. Place tape over the drive slots and the power connector. Photograph the connections of the computer and the corresponding cables and label them individually. Label every connector and cable connected to the peripheral devices
• 79. Preserving Digital Evidence: Checklist (cont’d): Personal digital assistants (PDAs), cell phones, and digital cameras store information in internal memory. Do not turn on the device if it is off. Leave the device on if it is on, but only in the case of PDAs or cell phones. Photograph the screen display of the device. Label and collect all the cables and transport them along with the device. Make sure that the device is charged. Retain additional storage media such as memory sticks and CompactFlash cards
• 80. Preserving Digital Evidence: Checklist (cont’d): Transfer fragile data to a non-volatile medium/device without disrupting any other component of the computer. Do not use the victim’s hard disk to store the fragile data. Avoid using too much virtual memory, as it may cause data to be overwritten. Use a floppy disk for a small amount of data. Do not use a USB or FireWire drive to store data, because they change the system’s state. If the victim’s system is connected to the Internet, use the same path that was used by the intruder to extract the data from the victim’s computer. Disconnect the victim’s computer from the Internet to protect it from further attack
• 81. Preserving Digital Evidence: Checklist (cont’d): Do not use the original digital data regularly for examination. Do not run any program on the victim’s computer. If any changes occur during the collection of the evidence, document all the changes accordingly. Capture as accurate an image of the system as possible. Do not run any anti-virus program, because it changes the date and time of each file it scans. Ensure that your actions are repeatable
• 82. Preserving Floppy and Other Removable Media: 5 ¼ inch disks: • Tape over the notch • Mark the information such as date, time, and initials using a permanent marker • Place in static-free bags. 3 ½ inch disks: • Place the write-protect tab in the open position • Mark the information using a permanent marker • Place in static-free bags. Reel-to-reel tapes: • Remove the plastic write-enable ring • Mark the information on the tape up to the first 10-13 feet • Place in static-free bags
• 83. Preserving Floppy and Other Removable Media (cont’d): Cassette tapes: • Remove the record tab • Mark the information on the plastic surface of the tape using a permanent marker • Place in a static-free bag. Disk cartridges (removable hard drives): • Tape over the notch • Mark the information using a permanent marker • Place in static-free bags. Cartridge tapes: • Align the arrow with the safe mark by turning the dial • Mark the information on the plastic surface using a permanent marker • Place in a static-free bag
• 84. Handling Digital Evidence: Wear protective latex gloves for searching and seizing operations on site. Store electronic evidence in a secure area and climate-controlled environment. Use a wireless StrongHold bag to block wireless signals from reaching the electronic device. Avoid folding and scratching storage devices such as diskettes, CD-ROMs, and tape drives. Pack magnetic media in antistatic packaging. Protect electronic evidence from magnetic fields, dust, vibration, and other factors that may damage its integrity
• 85. Store and Archive: When evidence is collected and ready for analysis, it is important to store and archive the evidence in a way that ensures its safety and integrity. Best practices for data storage and archival include the following: • Physically secure and store the evidence in a tamperproof location • Ensure that no unauthorized personnel have access to the evidence, over the network or otherwise • Protect storage equipment from magnetic fields • Make at least two copies of the evidence collected, and store one copy in a secure offsite location • Ensure that the evidence is physically secured (for example, by placing it in a safe) as well as digitally secured • Clearly document the chain of custody of the evidence • Create a check-in/check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it
• 86. Digital Evidence Findings: Educate the intended audience: • Digital laboratory experts must educate the case agents and prosecutors who review the report of the evidence findings, through: • In-service training • Legal updates • Individual conversations • Discussion of how to read the findings report. Develop a report of findings: • The findings report should include: • Investigator’s request • Detailed description of the examined items • Receipt and disposition of the evidence found • Examiner’s identity
• 87. Evidence Examination and Analysis
• 88. DO NOT Work on the Original Evidence
• 89. Evidence Examination: General forensic principles apply when examining digital evidence. Different types of cases and media may require different methods of examination. Persons conducting an examination of digital evidence should be trained for this purpose. The examination should not be conducted on the original evidence
• 90. Evidence Examination (cont’d): Preparation: • Prepare working directories on separate media to which evidentiary files and data can be recovered and/or extracted. Extraction: • There are two different types of extraction: physical and logical • The physical extraction phase identifies and recovers data across the entire physical drive without regard to the file system • The logical extraction phase identifies and recovers files and data based on the installed operating system(s), file system(s), and/or application(s)
• 91. Physical Extraction: During this stage, the extraction of data from the drive occurs at the physical level regardless of the file systems present on the drive. This may include the following methods: • Keyword searching, file carving, and extraction of the partition table and unused space on the physical drive • Performing a keyword search across the physical drive may be useful, as it allows the examiner to extract data that may not be accounted for by the operating system and file system • File carving utilities run across the physical drive may assist in recovering and extracting usable files and data that may not be accounted for by the operating system and file system • Examining the partition structure may identify the file systems present and determine whether the entire physical size of the hard drive is accounted for
• 92. Logical Extraction: During this stage, the extraction of data from the drive is based on the file system(s) present on the drive and may include data from such areas as active files, deleted files, file slack, and unallocated file space. Steps may include: • Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file location • Data reduction to identify and eliminate known files through the comparison of calculated hash values to authenticated hash values • Extraction of files pertinent to the examination; methods to accomplish this may be based on the file’s name and extension, file header, file content, and location on the drive • Recovery of deleted files • Extraction of password-protected, encrypted, and compressed data • Extraction of file slack • Extraction of unallocated space
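The data reduction step on slide 92 (eliminating known files by comparing calculated hashes with authenticated hash values) as a worked example. This is added code, not an EC-Council or vendor tool: files are hashed in chunks with MD5 and SHA-1 together, as published reference hash sets commonly carry both, and classified as eliminated (known good), alert (known bad), renamed known content, or left for review. The file contents, the hash sets and the detection names are all constructed for the example.

```python
"""Hash-based data reduction for logical extraction.

Added example, not EC-Council tooling: files from the image are hashed and
compared against an "authenticated" hash set; matches are eliminated, known
bad matches are raised as alerts, and everything else is left for review.
File contents and the hash sets are constructed for the example.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

CHUNK = 64 * 1024
HashPair = Tuple[str, str]


def hash_stream(chunks: Iterable[bytes]) -> HashPair:
    """MD5 and SHA-1 together: reference hash sets carry both, and requiring
    both to match means a collision in one algorithm is not enough to hide a file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for c in chunks:
        md5.update(c)
        sha1.update(c)
    return md5.hexdigest(), sha1.hexdigest()


def hash_bytes(data: bytes) -> HashPair:
    """Chunked so that a multi-gigabyte file never has to sit in memory at once."""
    return hash_stream(data[i:i + CHUNK] for i in range(0, len(data), CHUNK))


def reduce_files(files: Dict[str, bytes],
                 known_good: Dict[HashPair, str],
                 known_bad: Dict[HashPair, str]) -> Dict[str, List[str]]:
    """Classify every file in the listing; returns name lists keyed by outcome.
    known_good maps hashes to the canonical file name, known_bad to a label."""
    out: Dict[str, List[str]] = {"eliminated": [], "alert": [], "renamed_known": [], "review": []}
    for name, data in sorted(files.items()):
        h = hash_bytes(data)
        if h in known_bad:                       # known bad wins over everything
            out["alert"].append("%s (%s)" % (name, known_bad[h]))
        elif h in known_good:
            canonical = known_good[h]
            if name.rsplit("/", 1)[-1].lower() == canonical.lower():
                out["eliminated"].append(name)   # known content, expected name
            else:                                # known content hiding under another name
                out["renamed_known"].append("%s is really %s" % (name, canonical))
        else:
            out["review"].append(name)           # unknown: needs examiner attention
    return out


# Constructed sample listing and hash sets.
NOTEPAD_STANDIN = b"MZ constructed notepad stand-in"
DROPPER_STANDIN = b"constructed dropper stand-in"
SAMPLE_FILES = {
    "Windows/notepad.exe": NOTEPAD_STANDIN,
    "Users/bob/Documents/budget.xls": b"constructed spreadsheet bytes",
    "Users/bob/Documents/holiday.jpg": NOTEPAD_STANDIN,   # same bytes as notepad.exe
    "Temp/svch0st.exe": DROPPER_STANDIN,
}
KNOWN_GOOD = {hash_bytes(NOTEPAD_STANDIN): "notepad.exe"}
KNOWN_BAD = {hash_bytes(DROPPER_STANDIN): "Constructed.Dropper.A"}

if __name__ == "__main__":
    for outcome, names in reduce_files(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD).items():
        print(outcome, names)
```

Only the "review" list goes on to the extraction steps that follow on the slide; the point of the reduction is that the known-good set removes the bulk of an operating system install before any examiner time is spent.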
• 93. Analyze Host Data: Host data includes information about the operating system and application components. Procedures used to analyze host data are: • Identify what you are looking for; there will be a large amount of host data, and only a portion of it might be relevant to the incident • Examine the operating system data, including clock drift information, and any data loaded into the host computer's memory to determine whether any malicious applications or processes are running or scheduled to run • Examine the running applications, processes, and network connections • Use tools such as Windows Sysinternals Process Explorer, LogonSessions, and PsFile to perform these tasks
• 94. Analyze Storage Media: The storage media collected during the ‘Acquire the Data’ phase contain many files. Analyze these files to determine their relevance to the incident; this can be a daunting task because storage media such as hard disks and backup tapes often contain hundreds of thousands of files. Procedures used to extract and analyze data from the storage media collected are: • Perform offline analysis on a bit-wise copy of the original evidence • Determine whether data encryption was used, such as the Encrypting File System (EFS) in Microsoft Windows; several registry keys can be examined to determine whether EFS was ever used on the computer • If necessary, uncompress any compressed files and archives • Create a diagram of the directory structure
• 95. Analyze Storage Media (cont’d): Procedures used to extract and analyze data from the storage media collected are: • Identify files of interest • Examine the registry, the database that contains Windows configuration information, for information about the computer boot process, installed applications, and login information such as username and logon domain • Search the contents of all gathered files to help identify files that may be of interest • Study the metadata of files of interest, using tools such as EnCase • Use file viewers to view the content of the identified files; these allow you to scan and preview certain files without the original application that created them
• 96. Analyze Network Data: The investigation focuses on and examines images of the data. Procedures used in analyzing network data are: • Examine network service logs for any events of interest • Examine firewall, proxy server, intrusion detection system (IDS), and remote access service logs • View any packet sniffer or network monitor logs for data that might help you determine the activities that took place over the network
• 97. Analysis of Extracted Data: Analysis is the process of interpreting the extracted data to determine its significance to the case. Some examples of analysis that may be performed include: • Timeframe analysis • Data hiding analysis • Application and file analysis • Ownership and possession. Analysis may require a review of the request for service, the legal authority for the search of the digital evidence, investigative leads, and/or analytical leads
• 98. Timeframe Analysis: Timeframe analysis can be useful in determining when events occurred on a computer system, which can be used as part of associating usage of the computer with an individual(s) at the time the events occurred. Two methods used for timeframe analysis: • Reviewing the time and date stamps contained in the file system metadata (e.g., last modified, last accessed, created, change of status) to link files of interest to the timeframes relevant to the investigation; an example of this analysis would be using the last modified date and time to establish when the contents of a file were last changed • Reviewing the system and application logs that may be present; these may include error logs, installation logs, connection logs, security logs, etc.; for example, examination of a security log may indicate when a user name/password combination was used to log into a system. Take into consideration any difference in the individual’s computer date and time as reported in the BIOS
• 99. Data Hiding Analysis: Data can be concealed on a computer system. Data hiding analysis can be useful in detecting and recovering such data and may indicate knowledge, ownership, or intent. Methods used include: • Correlating the file headers to the corresponding file extensions to identify any mismatches; the presence of mismatches may indicate that the user intentionally hid data • Gaining access to all password-protected, encrypted, and compressed files, which may indicate an attempt to conceal the data from unauthorized users; a password itself may be as relevant as the contents of the file • Steganography
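The two timeframe-analysis methods on slide 98 (file system MAC times and security-log entries), with the BIOS clock difference the slide says to take into account, as a worked example. This is added code, not an EC-Council procedure or a product: it merges both sources into one timeline after subtracting the observed clock offset and filters to a window of interest. The file entries, the log line format, the offset and the window are all constructed for the example.

```python
"""Timeframe analysis with clock-drift correction.

Added example, not an EC-Council procedure: file system timestamps and
security-log lines from a subject machine are merged into one timeline after
subtracting the offset between the machine's BIOS clock and true time, then
filtered to the window of interest. Entries and log lines are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")
FMT = "%Y-%m-%d %H:%M:%S"
Event = Tuple[datetime, str, str]   # (corrected time, source, detail)

# Constructed file system metadata (MAC times as recorded on the subject disk).
FS_ENTRIES: List[Dict[str, str]] = [
    {"name": "C:/Users/bob/Documents/plan.docx", "modified": "2013-05-02 14:12:40",
     "accessed": "2013-05-02 14:12:41", "created": "2013-04-28 09:03:12"},
    {"name": "C:/Users/bob/Downloads/tool.zip", "modified": "2013-05-02 14:09:05",
     "accessed": "2013-05-02 14:09:05", "created": "2013-05-02 14:09:05"},
]

# Constructed security log lines, also stamped by the subject machine's clock
# (note they are not in order, as exported logs often are not).
LOG_LINES = """\
2013-05-02 14:07:31 LOGON user=bob result=success
2013-05-02 14:20:02 LOGOFF user=bob
2013-05-02 13:55:10 LOGON user=bob result=failure
""".splitlines()

# Offset observed at seizure: the subject's BIOS clock read 2h03m ahead of a
# trusted reference clock, so every subject timestamp is moved back by that much.
CLOCK_OFFSET = timedelta(hours=2, minutes=3)


def correct(ts: str, offset: timedelta) -> datetime:
    """Subject-clock timestamp string -> corrected datetime."""
    return datetime.strptime(ts, FMT) - offset


def build_timeline(fs_entries: List[Dict[str, str]], log_lines: List[str],
                   offset: timedelta) -> List[Event]:
    """Merge MAC times and log events into one chronologically sorted list."""
    events: List[Event] = []
    for e in fs_entries:
        for kind in ("created", "modified", "accessed"):
            events.append((correct(e[kind], offset), "fs:" + kind, e["name"]))
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed line: skip rather than guess at a timestamp
        events.append((correct(m.group(1), offset), "log:" + m.group(2), m.group(3)))
    events.sort()
    return events


def events_in_window(timeline: List[Event], start: str, end: str) -> List[Event]:
    """Events whose corrected time lies in [start, end] (reference clock)."""
    lo, hi = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    return [ev for ev in timeline if lo <= ev[0] <= hi]


if __name__ == "__main__":
    timeline = build_timeline(FS_ENTRIES, LOG_LINES, CLOCK_OFFSET)
    for when, source, detail in events_in_window(timeline, "2013-05-02 12:04:00",
                                                 "2013-05-02 12:18:00"):
        print(when.strftime(FMT), source, detail)
```

With the offset applied, the successful logon lands a little over a minute before tool.zip is created and plan.docx is modified, and the logoff follows; without the correction the same events would be placed two hours later and could fall outside an alibi window or a network log's timeframe.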
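Slides 72, 91 and 99 all rely on file signatures: searching a swap file or the raw drive for the headers and footers of a file type (physical extraction by carving), and comparing a file's header against its extension to spot hidden data. The example below, added here and not an EC-Council or vendor tool, uses one small signature table for both tasks: `carve` walks a raw byte run with no file system and returns every header-to-footer span it finds, marking a header with no footer as a fragment, and `extension_mismatches` flags listing entries whose content signature does not agree with their extension. The signatures are the real JPEG, PNG and GIF markers; the raw "unallocated space" and the file listing are constructed.

```python
"""File signature (header/footer) carving and extension mismatch checks.

Added example, not an EC-Council tool: a small signature table drives both
the physical-extraction carve over raw (file-system-agnostic) bytes and the
data-hiding check that compares each file's header with its extension.
The raw 'unallocated space' and the file listing are constructed.
"""
from typing import Dict, List, Optional, Tuple

# type -> (header, footer, extensions that legitimately carry that type)
SIGNATURES: Dict[str, Tuple[bytes, bytes, Tuple[str, ...]]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", ("jpg", "jpeg")),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", ("png",)),
    "gif": (b"GIF8", b"\x00;", ("gif",)),
}
MAX_CARVE = 10 * 1024 * 1024  # give up looking for a footer after this much data


def detect_type(data: bytes) -> Optional[str]:
    """Type implied by the leading bytes, or None if no known header matches."""
    for name, (header, _, _) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return None


def carve(raw: bytes) -> List[Tuple[int, str, bytes]]:
    """Header/footer carving across a raw byte run. Returns (offset, type, bytes)
    sorted by offset. A header whose footer never appears within MAX_CARVE is
    still reported, with the type suffixed '?' and the data cut at the cap, so
    the examiner sees the fragment instead of silently losing it."""
    found: List[Tuple[int, str, bytes]] = []
    for name, (header, footer, _) in SIGNATURES.items():
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header), pos + MAX_CARVE)
            if end == -1:
                found.append((pos, name + "?", raw[pos:pos + MAX_CARVE]))
                pos = raw.find(header, pos + len(header))
                continue
            end += len(footer)
            found.append((pos, name, raw[pos:end]))
            pos = raw.find(header, end)
    found.sort(key=lambda item: item[0])
    return found


def extension_mismatches(listing: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Files whose content is a known type that their extension does not claim;
    returns (name, extension, detected type). Content with no known header is
    not flagged: a mismatch can only be asserted for a type we can recognise."""
    hits: List[Tuple[str, str, str]] = []
    for name, head in sorted(listing.items()):
        detected = detect_type(head)
        if detected is None:
            continue
        base = name.rsplit("/", 1)[-1]
        ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
        if ext not in SIGNATURES[detected][2]:
            hits.append((name, ext, detected))
    return hits


# Constructed sample data: two complete files and one orphaned header in filler.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"constructed jpeg body" + b"\xff\xd9"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"constructed png body" + b"IEND\xaeB`\x82"
FILLER = b"free space " * 20
RAW_UNALLOCATED = (FILLER + JPEG_SAMPLE + FILLER + PNG_SAMPLE + FILLER
                   + b"\xff\xd8\xff\xe1orphan")   # header without footer
LISTING = {
    "Pictures/beach.jpg": JPEG_SAMPLE,
    "Work/q2-report.xls": JPEG_SAMPLE,      # image stored under a spreadsheet name
    "Work/notes.txt": b"plain constructed text",
    "Pictures/logo.png": PNG_SAMPLE,
    "Downloads/thumb": PNG_SAMPLE,          # no extension at all
}

if __name__ == "__main__":
    for offset, kind, data in carve(RAW_UNALLOCATED):
        print("carved", kind, "at", offset, "length", len(data))
    print("mismatches:", extension_mismatches(LISTING))
```

A footer search with no cap is the classic carving failure mode: a corrupt or truncated image makes the carver swallow everything up to the next unrelated footer, so the cap and the explicit fragment marker are deliberate. Embedded files (a JPEG thumbnail inside a larger JPEG) will also produce overlapping candidates; the offsets returned let the examiner see that overlap rather than hide it.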
  • 100. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Application and File Analysis Many programs and files identified may contain information relevant to the investigation and provide insight into the capability of the system and the knowledge of the user Results of this analysis may indicate the additional steps that need to be taken in the extraction and analysis processes
  • 101. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Application and File Analysis (cont’d) • Reviewing file names for relevance and patterns • Examining the file’s content • Identifying the number and type of the operating system(s) • Correlating the files with the installed applications • Considering relationships between files; example, correlating Internet history to cache files and e-mail files to e-mail attachments • Identifying the unknown file types to determine their value to the investigation • Examining the users’ default storage location(s) for applications and the file structure of the drive to determine if files have been stored in their default or alternate location(s) • Examining user-configuration settings • Analyzing file metadata, the content of the user-created file containing data additional to that presented to the user, typically viewed through the application that created it Some examples include:
  • 102. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Ownership and Possession • Placing the subject at the computer at a particular date and time may help to determine ownership and possession (timeframe analysis) • Files of interest may be located in non default locations (e.g., user- created directory named “child porn”) (application and file analysis) Elements of knowledgeable possession may be based on the analysis described, including one or more of the following factors: In some instances, it may be essential to identify the individual(s) who created, modified, or accessed a file. It may also be important to determine ownership and knowledgeable possession of the questioned data
  • 103. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Ownership and Possession (cont’d) • The file name itself may be of evidentiary value and also may indicate the contents of the file (application and file analysis) • Hidden data may indicate a deliberate attempt to avoid detection (hidden data analysis) • If the passwords needed to gain access to the encrypted and password-protected files are recovered, the passwords themselves may indicate possession or ownership (hidden data analysis) • Contents of a file may indicate ownership or possession by containing information specific to a user (application and file analysis) Elements of knowledgeable possession may be based on the analysis described above, including one or more of the following factors:
  • 104. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Evidence Documentation and Reporting
  • 105. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Documenting the Evidence Documentation of the digital evidence examination is an ongoing process, therefore it is important to correctly record each step during the examination Report should be written simultaneously with the examination and presentation of the report should be consistent with the departmental policies
  • 106. Evidence Examiner Report
    Common considerations that help the examiner throughout the documentation process:
    • Take notes when discussing the case with the case investigator
    • Preserve a copy of the search authority and the chain of custody documentation
    • Write detailed notes about each action taken
    • Include the date, time, complete description, and result of each action taken in the documentation
    • Document any irregularities encountered during the examination
    • Include the operating system’s name, software, and installed patches
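    As an added example (not part of the EC-Council slides), the following Python examination log records each action with its UTC date/time, description, result and any irregularity, and chains the entries with SHA-256 so that a later alteration of the notes is detectable on verification; the case number, examiner name and image bytes are constructed values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

class ExaminationLog:
    """Append-only examiner notes: each entry carries date/time, action, result,
    any irregularity and the hash of the previous entry, so a later edit to any
    note breaks the chain. (Added example, not EC-Council material.)"""

    def __init__(self, case_number: str, examiner: str):
        self.case_number = case_number  # hypothetical values supplied by caller
        self.examiner = examiner
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, result: str, irregularity: str = "") -> dict:
        entry = {
            "seq": len(self.entries) + 1,
            "case": self.case_number,
            "examiner": self.examiner,
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "result": result,
            "irregularity": irregularity,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        # True only if every entry hashes correctly and links to its predecessor
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def record_image_hash(log: ExaminationLog, exhibit: str, image: bytes) -> str:
    """Hash an acquired image and log the step with its result."""
    digest = hashlib.sha256(image).hexdigest()
    log.record(f"Computed SHA-256 of exhibit {exhibit} image", f"sha256={digest}")
    return digest
```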
  • 107. Final Report of Findings
    • Disclose specific files related to the request
    • Other files, including deleted files, that support the findings
    • String searches, keyword searches, and text string searches
    • Internet-related evidence, such as website traffic analysis, chat logs, cache files, e-mail, and newsgroup activity
    • Graphic image analysis
    • Indicators of ownership, which could include program registration data
  • 108. Final Report of Findings (cont’d)
    Descriptive data analysis:
    • Description of the relevant programs on the examined items
    • Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions, and file name anomalies
    Supporting materials:
    • List supporting materials that are included with the report, such as printouts of particular items of evidence, digital copies of evidence, and chain of custody documentation
  • 109. Computer Evidence Worksheet
    Case Number: ________________   Exhibit Number: ______________
    Laboratory Number: ____________   Control Number: ______________
    Computer Information
    Manufacturer: ________________   Model: ____________________
    Serial Number: __________________________________________
    Examiner marking: _______________________________________
    Computer Type: [ ] Desktop [ ] Laptop [ ] Other: ________
    Computer Condition: [ ] Good [ ] Damaged
    Number of hard drives: __________
    [ ] 3.5" Floppy drive [ ] 5.25" Floppy drive [ ] Modem [ ] Network card
    [ ] Tape drive   Tape drive type: ________
    [ ] 100 MB Zip [ ] 250 MB Zip [ ] CD Reader [ ] CD Read/write [ ] DVD
    [ ] Others: _____________________
  • 110. Computer Evidence Worksheet (cont’d)
    CMOS Information   [ ] Not Available
    Password Logon: [ ] Yes [ ] No   Password = ________
    Current Time: _______ [ ] AM [ ] PM   Current Date: ___/___/___
    CMOS Time: _________ [ ] AM [ ] PM   CMOS Date: ___/___/___
    CMOS Hard Drive #1 Setting
    Capacity: ______ Cylinders: _______ Heads: ______ Sectors: _______
    Mode: [ ] LBA [ ] Normal [ ] Auto [ ] Legacy CHS
    CMOS Hard Drive #2 Setting
    Capacity: ______ Cylinders: _______ Heads: ______ Sectors: _______
    Mode: [ ] LBA [ ] Normal [ ] Auto [ ] Legacy CHS
  • 111. Hard Drive Evidence Worksheet
    Case Number: ________________   Exhibit Number: ______________
    Laboratory Number: ____________   Control Number: ______________
    Hard Drive #1 Label Information   [ ] Not Available
    Manufacturer: ________________   Model: _____________________   Serial Number: _______________
    Capacity: _______ Cylinders: _________ Heads: _________ Sectors: __________
    Controller Rev.: ____________________
    [ ] IDE [ ] 50 Pin SCSI [ ] 68 Pin SCSI [ ] 80 Pin SCSI [ ] Other
    Jumper: [ ] Master [ ] Slave [ ] Cable Select [ ] Undetermined
    Hard Drive #2 Label Information   [ ] Not Available
    Manufacturer: ________________   Model: _____________________   Serial Number: _______________
    Capacity: _______ Cylinders: _________ Heads: _________ Sectors: __________
    Controller Rev.: ____________________
    [ ] IDE [ ] 50 Pin SCSI [ ] 68 Pin SCSI [ ] 80 Pin SCSI [ ] Other
    Jumper: [ ] Master [ ] Slave [ ] Cable Select [ ] Undetermined
  • 112. Hard Drive Evidence Worksheet (cont’d)
    Hard Disk #1 Parameter Information
    [ ] DOS FDisk [ ] PTable [ ] PartInfo [ ] Linux Fdisk [ ] SafeBack [ ] Encase [ ] Other: ___
    Capacity: ______ Cylinders: _______ Heads: ______ Sectors: _______
    LBA Address Sectors: _____________   Formatted Drive Capacity: ____________
    Volume Label: __________________________________________________
    Partitions:
    Name       Bootable?   Start       End         Type
    ________   _________   _________   _________   _________
    ________   _________   _________   _________   _________
    ________   _________   _________   _________   _________
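    As an added example (not part of the EC-Council slides), the following Python routine fills the partition rows of this worksheet from a raw MBR sector, checks the capacity implied by the CHS geometry, and lists the sector ranges no partition claims, which the “LBA Address Sectors” entry lets the examiner compare against; the MBR bytes and geometry are constructed, and the partition-type table is only a subset.

```python
import struct

SECTOR_BYTES = 512
# Common MBR partition type IDs (not an exhaustive list)
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)",
                   0x82: "Linux swap", 0x83: "Linux"}

def chs_capacity(cylinders: int, heads: int, sectors: int) -> int:
    """Capacity in bytes implied by the CHS geometry noted on the worksheet."""
    return cylinders * heads * sectors * SECTOR_BYTES

def parse_mbr(mbr: bytes) -> list:
    """Return the worksheet rows (Name, Bootable?, Start, End, Type) for each
    used entry of the 4-entry partition table at offset 446 of an MBR sector."""
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    rows = []
    for i in range(4):
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0x00:          # empty slot
            continue
        rows.append({"name": f"Partition {i + 1}", "bootable": status == 0x80,
                     "start": start, "end": start + count - 1,
                     "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}")})
    return rows

def unallocated_ranges(rows: list, total_sectors: int) -> list:
    """Sector ranges not claimed by any partition (compare with the LBA sector
    count on the worksheet): space an examiner should not overlook."""
    gaps, cursor = [], 0
    for r in sorted(rows, key=lambda r: r["start"]):
        if r["start"] > cursor:
            gaps.append((cursor, r["start"] - 1))
        cursor = max(cursor, r["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def build_sample_mbr() -> bytes:
    """Constructed MBR for the example: a bootable NTFS partition followed by a
    Linux partition, leaving the tail of the disk unallocated."""
    mbr = bytearray(SECTOR_BYTES)
    for i, (status, ptype, start, count) in enumerate(
            [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)]):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)
```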
  • 113. Removable Media Worksheet
    Case Number: ________________   Exhibit Number: ___________
    Laboratory Number: ____________   Control Number: ___________
    Media Type / Quality
    [ ] Diskette [ ] LS 120 [ ] 100 MB Zip [ ] 250 MB Zip [ ] 1 GB Jaz [ ] 2 GB Jaz
    [ ] Magneto-optical [ ] Tape [ ] CD [ ] DVD [ ] Other
    Examination
    Exhibit #   Sub-Exhibit #   Triage   Duplicated   Browse   Unerase   Keyword Search
  • 114. Electronic Crime and Digital Evidence Consideration by Crime Category
  • 115. Electronic Crime and Digital Evidence Consideration by Crime Category
    Online auction fraud:
    • Account data based on online auction sites
    • Accounting or bookkeeping software and related data files
    • Address books
    • Customer information or credit card data
    • Databases
    • Digital camera software
    • E-mail/notes/letters
    • Financial or asset records
    • Internet browser history or cache files
  • 116. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Child Exploitation/Abuse:
    • Chat logs
    • Date and time stamps
    • Digital camera software
    • E-mail/notes/letters
    • Games
    • Graphic editing and viewing software
    • Images
    • Internet activity logs
    • Movie files
    • User-created directory and file names that categorize images
  • 117. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Computer Intrusion:
    • Address books
    • Configuration files
    • E-mail/notes/letters
    • Executable programs
    • Internet activity logs
    • Internet protocol (IP) address and user name
    • Internet Relay Chat (IRC) logs
    • Source code
    • Text files (user names and passwords)
  • 118. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Death Investigation:
    • Address books
    • Diaries
    • E-mail/notes/letters
    • Financial/asset records
    • Images
    • Internet activity logs
    • Legal documents and wills
    • Medical records
    • Telephone records
  • 119. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Economic Fraud (Including Online Fraud and Counterfeiting):
    • Check, currency, and money order images
    • Credit card skimmers
    • Images of signatures
    • False financial transaction forms
    • False identification
    E-Mail Threats/Harassment/Stalking:
    • Internet activity logs
    • Legal documents
    • Telephone records
    • Victim’s background research
    • E-mail/notes/letters
    • Financial or asset records
  • 120. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Extortion:
    • Date and time stamps
    • E-mail/notes/letters
    • History log
    • Internet activity logs
    • Temporary Internet files
    • User names
    Gambling:
    • Customer database and player records
    • Customer information or credit card data
    • Electronic money
    • Sports betting statistics
    • Image players
  • 121. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Identity Theft:
    Hardware and software tools:
    • Credit card generators
    • Credit card reader/writer
    • Digital cameras
    • Scanners
    Identification templates:
    • Birth certificates
    • Check cashing cards
    • Digital photo images for photo identification
    • Driver’s license
    • Electronic signatures
    • Fictitious vehicle registrations
    • Scanned signatures
    • Social security cards
  • 122. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Identity Theft:
    Internet activity related to ID theft:
    • E-mails and newsgroup postings
    • Erased documents
    • Online orders
    • Online trading information
    • System files and file slack
    • World Wide Web activity at forgery sites
    Negotiable instruments:
    • Business checks
    • Cashier’s checks
    • Counterfeit money
    • Credit card numbers
    • Fictitious court documents
    • Fictitious loan documents
    • Fictitious sales receipts
  • 123. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Narcotics:
    • Address books
    • Calendar
    • Databases
    • Drug recipes
    • E-mail/notes/letters
    • False identification
    • Financial/asset records
    • Internet activity logs
    • Prescription form images
  • 124. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Prostitution:
    • Address books
    • Biographies
    • Calendar
    • Customer database/records
    • E-mail/notes/letters
    • False identification
    • Financial/asset records
    • Internet activity logs
    • Medical records
    • World Wide Web page advertising
  • 125. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Software Piracy:
    • Chat logs
    • E-mail/notes/letters
    • Image files of software certificates
    • Internet activity logs
    • Serial numbers
    • Software cracking information and utilities
    • User-created directory and file names that classify the copyrighted software
  • 126. Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
    Telecommunications Fraud:
    • Cloning software
    • Customer database/records
    • Electronic Serial Number (ESN)/Mobile Identification Number (MIN) pair records
    • E-mail/notes/letters
    • Financial/asset records
    • “How to phreak” manuals
    • Internet activity
    • Telephone records
  • 127. Summary
    • Digital evidence is information and digital data of investigative value that is recorded or preserved on electronic devices
    • Rules of evidence govern whether, when, how, and for what purpose proof of a case may be placed before a trier of fact for consideration
    • Digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action
    • Digital evidence is fragile and can be altered, damaged, or destroyed by improper handling or examination
    • Transfer fragile data to a non-volatile medium/device without disrupting any other component of the computer
    • Documentation of the digital evidence examination is an ongoing process; it is therefore important to record each step of the examination accurately