Digital Evidence in Computer Forensic Investigations

Digital Evidence Handling in Computer Forensic cases. Lecture provided for Institute of Forensic Auditors.

  1. Importance of Digital Evidence : YSECORP, IFA Presentation 2007. IFA, 8th March 2007 - Presentation
  2. Agenda: Defining Digital Evidence; Why Important; Challenges; General Methodologies; Seizure Practices; Safe Acquisition Methods; Safeguarding Digital Evidence.
  3. Importance of Digital Evidence (title slide repeated).
  4. Defining Digital Evidence. Some definitions:
     - Digital Evidence: information stored or transmitted in binary form that may be relied upon in court.
     - Original Digital Evidence: physical items and those data objects which are associated with those items at the time of seizure.
     - Duplicate Digital Evidence: an accurate digital reproduction of all data objects contained on the original physical item.
     - Copy: an accurate reproduction of the information contained in the data objects, independent of the original physical item.
  5. Defining Digital Evidence. Some definitions (cont'd):
     - Chain of Custody: a means of accountability that shows who obtained the evidence, where and when it was obtained, who secured it, and who had control or possession of it.
     - Rules of Evidence: evidence must be competent, relevant, and material to the issue.
  6. Defining Digital Evidence. The 5 rules of evidence:
     - Admissible: must be able to be used in court or elsewhere.
     - Authentic: the evidence relates to the incident in a relevant way.
     - Complete (no tunnel vision): includes exculpatory evidence for alternative suspects.
     - Reliable: no question about authenticity and veracity.
     - Believable: clear, easy to understand, and believable by a jury.
  7. Defining Digital Evidence. The evidence life cycle:
     - Collection and identification.
     - Storage, preservation, and transportation.
     - Presentation of evidence.
     - Return to production, owner, or court.
  8. Defining Digital Evidence. Categories of evidence:
     - Best evidence: primary evidence used in trial; usually documentation falls into this category.
     - Secondary evidence: not viewed as reliable and strong in proving innocence or guilt (e.g. oral evidence).
     - Direct evidence: proves a fact all by itself (e.g. eyewitness testimony).
  9. Defining Digital Evidence. Categories of evidence (cont'd):
     - Conclusive evidence: irrefutable and cannot be contradicted.
     - Circumstantial evidence: proves an intermediate fact that can be used to deduce or assume the existence of another fact.
     - Corroborative evidence: supporting evidence used to help prove an idea or point.
     - Opinion evidence: pertains to witness testimony; the witness must testify only to the facts of the issue and not to their opinion of the facts.
  10. Defining Digital Evidence. Digital evidence is everywhere!
  11. Defining Digital Evidence. Digital evidence is electronic data and is therefore difficult to handle:
     - Volatile data: RAM, cache, network status, etc.
     - Stored data:
       - Fragile: may be destroyed upon startup (e.g. a digital booby-trap), or MAC times may change.
       - Hidden: slack space, hidden files.
       - Temporary: only present while the application is running.
     - Manipulated data: encryption, steganography.
  12. Defining Digital Evidence. The Data Iceberg:
     - Above the surface: filenames, folders, log file entries, ...
     - Below the surface: file and memory slack, NTFS streams, alien binaries, swap files, hidden files, ...
  13. Agenda (section: Why Important).
  14. Why Important. Q: Why is it important to adequately acquire and investigate digital media? A: Consider the impact of the following scenarios:
     - The recovery of deleted files on a computer indicates that John Doe is trading in a network of pedophiles.
     - Recovered numbers and cell location data on a cell phone prove that Jane Doe was not around the crime scene during the night of that murder.
     - Using "steganography" methods, seemingly harmless holiday pictures hide messages that synchronize terrorist attacks worldwide.
  15. Why Important. Some examples.
  16. Why Important. Characteristics of digital evidence:
     - Evidence needs to be handled carefully to be usable in court.
     - Digital evidence is difficult to handle.
     - Special requirements apply to keep the chain of custody intact.
     - Evidence may need to be presented in court in person, yet evidence is not a personal assumption.
     - The judge decides whether the evidence is good enough.
  17. Agenda (section: Challenges).
  18. Challenges:
     - Digital/electronic evidence is extremely volatile!
     - Once the evidence is contaminated it cannot be decontaminated: the manipulation is irreversible.
     - The court's acceptance is based on the best evidence principle.
     - For computer data, printouts or other output readable by sight, and bit-stream copies, adhere to this principle.
  19. Challenges:
     - Technical challenges that hinder law enforcement's ability to find and prosecute criminals operating online or in an organized way.
     - Legal challenges resulting from the laws and legal frameworks required to investigate cybercrime lagging behind technological, structural and social changes (e.g. international and online investigations).
     - Resource challenges in ensuring that critical investigative and prosecutorial needs are satisfied at all levels of government.
  20. Challenges:
     - Post-mortem analysis is growing into an established computer forensic practice:
       - Requires knowledge of operating systems and data storage principles.
       - Increased maturity of digital evidence handling frameworks and methods.
       - An increasing set of forensically challenged software is available.
       - A growing marketplace of experienced professionals.
     - Live analysis is a problem:
       - Requires knowledge of operating systems, TCP/IP, data storage principles, cybercriminal profiling and hacking, etc.
       - Highly stressful situations that encourage mistakes!
       - Low maturity in handling procedures and professionalism when dealing with live investigations.
  21. Agenda (section: General Methodologies).
  22. General Methodologies. Basically:
     - Acquire the evidence without altering or damaging the original.
     - Authenticate the image.
     - Analyze the data without modifying it.
  23. General Methodologies:
     - Methodology in Belgium.
     - Methodology international, based on the International Organization on Computer Evidence (www.ioce.org).
     - G8 principles.
     - Need for a framework and standards:
       - Digital Forensics Research Workshop (DFRWS) Digital Investigation Framework.
       - Two-Tier Digital Investigations Process Framework.
  24. General Methodologies (Belgium):
     - Based on a specific law ("Wet Computercriminaliteit. Wet van 28 november 2000 inzake informaticacriminaliteit (WIC), B.S. 03-02-2001, 2909").
     - Actual implementation described in a circular ("Circulaire 01/2002 van de Procureurs-generaal bij de Hoven van Beroep inzake de wet Informaticacriminaliteit"):
       - Principles are explained.
       - Technical annex (definitions).
       - It is important to use the same vocabulary (law enforcement and private sector).
     - Based on international principles.
  25. General Methodologies. General principles of the IOCE, the International Organization on Computer Evidence (www.ioce.org):
     - Definitions.
     - General principles: evidence material handling.
     - Special considerations.
  26. General Methodologies. Definitions (IOCE): digital evidence; original digital evidence; media; file system; active file; free or unallocated space; slack space; unused space; forensic copy; file level copy.
  27. General Methodologies. General principles (IOCE):
     - When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
     - Upon seizing digital evidence, actions taken should not change that evidence.
     - When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
     - All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
     - An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
     - Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
  28. General Methodologies. Additional frameworks and standards:
     - Digital Forensics Research Workshop (www.dfrws.org)
     - European Network of Forensic Science Institutes (www.enfsi.org)
     - Forensic Science Service (www.forensic.gov.uk)
     - International Organization on Computer Evidence (www.ioce.org)
     - Scientific Working Group on Digital Evidence (www.swgde.org)
  29. Agenda (section: Seizure Practices).
  30. Seizure Practices. Mere best practices, no strict regulatory requirements:
     1. Control the scene.
     2. Allow only authorized persons access.
     3. Record the names of all individuals present during the search.
     4. Confirm when the system was last accessed.
     5. Establish a chronology of access to the media.
     6. Photograph or videotape the entire scene, including the contents of the monitor.
  31. Seizure Practices. Some more:
     - If the computer is "off", do not turn it on.
     - Disconnect all remote access to the system (e.g. LAN cables, modem cables, etc.). Be sure to tag and label all cables and connectors.
     - Physically examine the system (i.e. remove covers and photograph).
     - Document model and serial numbers of the system and its components.
     - Inventory all peripherals (PDAs, printers, scanners, WAPs, fax machines, etc.).
     - Search the scene for secondary storage media (USB drives, devices, diskettes, wireless hard disks, tapes, etc.).
  32. Seizure Practices. First responder interviews are often overlooked:
     - Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at the time of entry.
     - Passwords: any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g. BIOS, system login, network or ISP, application files, encryption passphrase, e-mail, access token, scheduler, or contact list.)
     - Determine the "purpose" of the system:
       - Any unique security schemes or destructive devices.
       - Any offsite data storage.
       - Any documentation explaining the hardware or software installed on the system.
  33. Seizure Practices. Document everything and preserve the chain of custody:
     - It protects the integrity of the evidence: an effective process of documenting the complete journey of the evidence during the life of the case.
     - It allows you to answer the following questions:
       - Who collected it?
       - How and where?
       - Who took possession of it?
       - How was it stored and protected in storage?
       - Who took it out of storage, and why?
  34. Seizure Practices. Some hardware tools for your forensic field kit:
     - Documentation tools: cable tags; indelible felt-tip markers; stick-on labels.
     - Disassembly and removal tools: flat-blade and Phillips-type screwdrivers; secure-bit drivers; anti-static straps; small tweezers; hex-nut drivers; vendor-specific screwdrivers; standard and needle-nose pliers; star-type nut drivers; wire cutters.
  35. Seizure Practices. Some forensic tools for your forensic field kit: rubber gloves; hand truck; large rubber bands; list of contact telephone numbers for assistance; magnifying glass; printer paper; seizure disk; small flashlight; unused floppy diskettes (3.5 and 5.25 inch); blank and zeroed hard drives.
  36. Agenda (section: Safe Acquisition Methods).
  37. Safe Acquisition Methods:
     - Acquisition is often referred to as forensic duplication or bit-to-bit imaging: a 1:1 bitwise copy of a complete physical storage medium.
     - Most important rule (1): no changes to the original storage medium may be tolerated!
       - Some changes happen automatically and without notification!
       - Attaching the evidence medium to a live operating system over SCSI or (S)ATA cables may already be faulty, because the operating system (Microsoft Windows) makes bit changes to the hard disk.
       - Specialized read-only equipment is recommended: write blockers (e.g. Tableau).
  38. Safe Acquisition Methods:
     - Second most important rule (2): all acquired data must be authentic and relate in full integrity to its original evidence.
     - Hashing algorithms are mandatory, yet often overlooked:
       - Mostly used as "for your information", yet they may prove to be of utmost importance.
       - Choose a secure hashing algorithm, e.g. RIPEMD-160. Not MD5.
  39. Safe Acquisition Methods:
     - Most important rule of thumb (3): the chain of custody must be protected at all times.
     - Be your own picky secretary! Note down every activity and build a credible case.
     - Basically, all manipulations must be recorded in time, and the record must allow one to redo all actions and find the same results!
     - Common rookie mistake: not allowing yourself a structured approach to recording, labeling and storing digital evidence. Prepare yourself!
     - When dealing with multiple data sources, it is very easy to lose track of digital evidence.
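The three rules on slides 37 to 39 (a read-only bit-for-bit copy, hash authentication of the image against the source, and a custody record of every action), as an added Python example that is not part of the IFA deck; the block size, file names, examiner name and sample medium are constructed assumptions.

```python
"""Added example (not from the IFA 2007 deck): read-only bit-for-bit acquisition,
hash authentication of the image, and a chain-of-custody log of each action."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 64 * 1024  # read/write unit; an assumption, the slides give no block size


def _hashers():
    # Slide 38 asks for a secure hash such as RIPEMD-160 rather than MD5.
    # RIPEMD-160 support depends on the local OpenSSL build, so SHA-256 is
    # always computed as well and a missing RIPEMD-160 is tolerated.
    hs = {"sha256": hashlib.sha256()}
    try:
        hs["ripemd160"] = hashlib.new("ripemd160")
    except ValueError:
        pass
    return hs


def hash_file(path):
    """Hash a file in blocks; returns {algorithm: hexdigest}."""
    hs = _hashers()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            for h in hs.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hs.items()}


def acquire(src, dst, examiner, log):
    """Rule 1: open the source read-only and copy it byte for byte.
    Rule 2: hash the source while reading, then re-hash the written image
    from disk and compare, so the record covers the bytes that actually landed.
    Rule 3: append who / what / when / result to the custody log."""
    hs = _hashers()
    with os.fdopen(os.open(src, os.O_RDONLY), "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            fout.write(chunk)
            for h in hs.values():
                h.update(chunk)
    source_hashes = {name: h.hexdigest() for name, h in hs.items()}
    verified = hash_file(dst) == source_hashes
    log.append({"time": datetime.now(timezone.utc).isoformat(), "who": examiner,
                "action": "acquire", "source": src, "image": dst,
                "hashes": source_hashes, "verified": verified})
    return verified, source_hashes


def verify_image(path, expected_hashes):
    """Recompute the image hashes before an analysis session and compare."""
    return hash_file(path) == expected_hashes


def demo():
    """Run the workflow on a constructed 'medium' in a temporary directory."""
    medium = bytes(range(256)) * 1000 + b"remnant of a deleted file"  # constructed
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "medium.raw"), os.path.join(d, "medium.dd")
        with open(src, "wb") as f:
            f.write(medium)
        log = []
        ok, hashes = acquire(src, img, "examiner-1 (hypothetical)", log)
        intact = verify_image(img, hashes)
        with open(img, "r+b") as f:  # simulate a single corrupted byte in storage
            f.seek(12345)
            f.write(b"\x00")
        still_intact = verify_image(img, hashes)
    return {"acquired": ok, "intact": intact, "tamper_detected": not still_intact,
            "sha256": hashes["sha256"], "expected": hashlib.sha256(medium).hexdigest(),
            "log": log}
```

On a real medium the source path would be a block device behind a hardware write blocker; the software read-only open is a second line of defence, not a replacement for it.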
  40. Safe Acquisition Methods:
     - Hint from the trenches (4): never manipulate live systems.
     - Uncontrolled handling may destroy critical evidence! Common mistakes include:
       - Killing unknown system processes.
       - Using the OS GUI.
       - Browsing the Internet or the file system, thereby altering timestamps.
       - Running commands without logging.
       - Patching systems.
       - Installing forensic tools, etc.
     - Using non-intrusive methods, e.g. FireWire memory dumps, one can acquire volatile data from a live system.
  41. Safeguarding Digital Evidence:
     - Properly inventory the system and peripherals.
     - Disconnect all peripherals.
     - Label all cables.
     - In the case of multiple systems, label and code each system.
     - Place all magnetic media in antistatic packaging.
     - Properly label all containers used to hold the evidence.
     - Leave a blank or forensic boot disk in the diskette or CD-ROM drive.
     - In the case of media only: be properly grounded prior to removing the media (i.e. the use of a grounding wrist device is recommended).
     - In the case of media only: record make, model, serial number, and stenciled drive geometry.
  42. Safeguarding Digital Evidence. Transportation and storage:
     - Keep electronic evidence away from magnetic sources (e.g. radio transmitters, speaker magnets and heated seats).
     - Protect evidence from extremes in temperature.
     - Use proper anti-shock packing material in all containers (i.e. bubble wrap, Styrofoam, etc.).
     - Maintain the chain of custody on all evidence transported.
     - Warning: prolonged storage can result in alteration of system evidence (dates, times, etc.) as batteries have a limited life span.
     - Store all seized evidence in a properly secured storage area (e.g. locked cabinet, restricted-access lab, etc.).
  43. Safeguarding Digital Evidence. Transportation and storage tools:
     - Antistatic bags.
     - Antistatic bubble wrap.
     - Cable ties.
     - Evidence bags.
     - Evidence tape.
     - Packing materials (avoid materials that can produce static electricity, such as Styrofoam or Styrofoam peanuts).
     - Packing tape.
     - Sturdy boxes of various sizes.
  44. Questions?