Introduction To Forensic Methodologies

Philippe Senécal's presentation at the CCCA eRecords Academy.

Published in: Technology, Education

  1. eDiscovery: Forensic Challenges
     Introduction to Forensic Methodologies
     Phil Senécal
     Legal Counsel and Chief Technical Advisor
     Consulting Inc.

  2. Agenda
     From Ink to Bits
       Electronic documents vs. paper documents
       Tangibles and intangibles
     Digital Evidence
       What to look for
       Handling the evidence
     Chain of Custody
       Definition
       Objectives
     File system structure

  3. Electronic Document
     Criminal Code (R.S., 1985, c. C-46)
     841 “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, print-out or other output of the data and any document, record, order, exhibit, notice or form that contains the data.
     Canada Evidence Act (R.S., 1985, c. C-5)
     31.8 “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
     Personal Information Protection and Electronic Documents Act (2000, c. 5)
     31 “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
     Canada Business Corporations Act (R.S., 1985, c. C-44)
     252.1 “electronic document” means, except in section 252.6, any form of representation of information or of concepts fixed in any medium in or by electronic, optical or other similar means and that can be read or perceived by a person or by any means.

  4. Electronic Document vs. Paper

  5. Locations

  6. Media
     Hard Drive (office, notebook, home, printer, etc.)
     Cellular Telephone and Digital Personal Information Manager
     Digital Cameras
     MP3 Players
     CDs and DVDs
     USB Flash Drives
     Voice Mail
     Online / Web 2.0 (Blog, Wiki)
     Backup Media (tapes, CDs)
     …

  7. Digital Evidence
     Summary
     Any data that can be stored and read by an electronic device. (bits)
     On any type of media that can be accessed with an electronic device. (Hard drives, floppy disks, optical disks, USB flash drives, digital cameras, watches, PDAs, cellular phones, MP3 devices, etc.)
     No fixed location. (Office or home PC, servers, on person, internet, etc.)

  8. Preliminary Considerations
     Storage of Data
     Cameras, MP3 players, cell phones and PDAs do not necessarily show data stored. (bits)
     Computers (home or office)
       Who has access to files?
       Who has access to computers?
     Type of digital evidence

  9. Handling the Evidence
     Precautions
     Electrostatic Discharge (ESD)
       Anti-static wrist strap and storage bags
     Handling the hard drive (fragile mechanical components)
       Internal and external hard drives
       Circuit boards
     Altering data on storage device
       Write blockers
  10. Handling the Evidence
      Procedure
      Log out all computer media and machines seized and to be analyzed.
      Perform a visual inspection/inventory of the physical makeup of the seized computer. It is most important to document the computer condition thoroughly. Photograph the system to document its condition.
      Open/remove the CPU case. Examine its internal circuitry, make note of all media (hard drives, removable media drives, floppy drives, etc.). Where appropriate, make note of all internal expansion cards (e.g., where unusual cards are located, or where the internal devices could be pertinent to the investigation). Look for alternative storage devices such as flash memory, disconnected hard drives, etc. Verify that the system is configured to boot from floppy diskette, and record which floppy drive is the boot disk.
      Determine if the CPU (case itself) contains potentially valuable information that would justify analysis. Verify that the CPU is functional, or at least contains some form of media.
      Record the position of all internal devices, to include hard drives, floppy drives, expansion cards, etc.

  11. Handling the Evidence
      Procedure (continued)
      Check the computer's CMOS settings to be sure the computer is configured to boot from floppy diskette and boot the machine from a boot disk.
      Verify that the system clock reflects the actual date and time. Record in your analysis notes the correct date, time, and time zone, the date, time and time zone reported by the computer, and log the difference.
      Identify all hard drives by make, model, capacity and condition. Record this information, as well as whether the device is internal or external. Where necessary, photograph individual hard disks to document damage or other unusual condition.
      Power down the computer and identify the hard drive master/slave settings (if IDE). Record these settings, and change where necessary to mount into the government-owned forensic examination computer. Be sure to note any and all changes to evidentiary media.
      Locate the parameters of the hard drive itself by going to the manufacturer's home page. Where necessary, manually modify the computer's CMOS settings to accurately reflect the correct settings for the particular drive being analyzed.

  12. Handling the Evidence
      Checklists

  13. Handling the Evidence
      Collecting the data
      Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands.*
      * Source: http://www.forensicswiki.org
  14. Document Preservation: Definition
      Digital preservation is defined as: long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span the information is required for.
      Long-term is defined as "long enough to be concerned with the impacts of changing technologies, including support for new media and data formats, or with a changing user community. Long Term may extend indefinitely".
      "Retrieval" means obtaining needed digital files from the long-term, error-free digital storage, without possibility of corrupting the continued error-free storage of the digital files.
      "Interpretation" means that the retrieved digital files, files that, for example, are of texts, charts, images or sounds, are decoded and transformed into usable representations. This is often interpreted as "rendering", i.e. making it available for a human to access. However, in many cases it will mean able to be processed by computational means.
      Source: http://en.wikipedia.org/wiki/Digital_preservation

  15. Document Preservation: Objectives
      Preservation: ensure that all of the bits composing an electronic document do not alter with the passage of time.
      Access: continued, ongoing access to the content of a digital library (information resource) that still retains and protects all qualities of integrity, authenticity, accuracy and functionality found when the digital material was originally created and/or acquired.
      Steps are required to attain these goals: supervision, control and maintenance (refreshing, media migration, and backups).

  16. Chain of Custody: Definition
      Chain of custody refers to the chronological documentation, and/or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.*
      * Source: http://en.wikipedia.org/wiki/Chain_of_custody

  17. Chain of Evidence: Objectives
      Because evidence can be used in court, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct which can seriously compromise the credibility of a witness and jeopardize the outcome of a case.
      Since electronic data can be easily altered, it is important to prove that the integrity of the evidence has been maintained from seizure through production in court. Chain of custody logs should document how the data was gathered, analyzed, and preserved for production.
      The chain of custody log must show the method used to ensure that the data was properly copied, transported and stored; that the information has not been altered in any way, and that all media has been secured throughout the process.

  18. W5
      Who has or has had the item
      What item are we referring to
      When did something happen to the item
      Where did this transaction take place
      Why did the transaction take place

  19. Chain of Custody: Policy
      There should be a person (chokepoint) that is in control of all data.
      The more people you introduce to the mix the easier it will be to have a problem with chain of custody.
      There should be a policy and procedure manual for dealing with evidentiary items.
      There should be someone responsible for reviewing policies and procedures on evidence control.
      Items being taken into possession should be documented at the earliest possible time.
      Receipts should be left at the client location.
      Client should sign a copy of receipt for items being taken.
      Items should be tagged (labeled) to ensure proper processing.

  20. Chain of Custody: Process
      The following must be included in a chain of custody log:
      A list of all media that was secured.
      The precise information that has been copied, transferred, and collected.
      Date & time stamp.
      Who processed the item.
      Who is the owner of the item; where it was taken from.
      All electronic evidence collected must be properly documented each time the evidence is viewed.
      Such documentation must be made available throughout the discovery process. (If the client in the middle of the case wants to see the log, it has to be made available.)
      * Source: http://en.wikipedia.org/wiki/Chain_of_custody
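The preservation objective (slide 15: the bits must not alter) and the chain-of-custody log (slides 18 to 20) can be tied together by recording a hash of the evidence image in every W5 entry. The following is an added example, not code from the presentation; the `CustodyLog` class, the evidence tag and the handler names are assumptions, and the image bytes are constructed.

```python
"""Added example: a chain-of-custody log whose every W5 entry carries the
SHA-256 of the evidence item, so integrity can be shown from seizure to
production. Names, tags and the sample image are constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    who: str      # person who handled the item
    what: str     # item identifier (evidence tag)
    when: str     # ISO-8601 timestamp of the transaction
    where: str    # location where it took place
    why: str      # reason: seizure, imaging, transfer, analysis, ...
    digest: str   # hash of the item's bits at the time of the entry


@dataclass
class CustodyLog:
    item_tag: str
    entries: list = field(default_factory=list)

    def record(self, who, where, why, data: bytes, when=None) -> CustodyEntry:
        when = when or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(who, self.item_tag, when, where, why, sha256_hex(data))
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> bool:
        """True only if every entry reports the digest recorded at seizure
        and the bits presented now still hash to that same value."""
        if not self.entries:
            return False
        baseline = self.entries[0].digest
        return all(e.digest == baseline for e in self.entries) and sha256_hex(data) == baseline


IMAGE = b"constructed stand-in for a drive image"   # constructed sample


def demo():
    log = CustodyLog("EXHIBIT-001")   # hypothetical evidence tag
    log.record("Custodian A", "client office", "seizure", IMAGE, "2010-01-01T09:00:00+00:00")
    log.record("Examiner B", "forensic lab", "imaging", IMAGE, "2010-01-01T13:00:00+00:00")
    intact = log.verify(IMAGE)                  # unchanged bits, consistent log
    altered_bits = log.verify(IMAGE + b"x")     # bits no longer match the seizure hash
    log.record("Examiner C", "forensic lab", "analysis", IMAGE + b"x", "2010-01-02T10:00:00+00:00")
    broken_chain = log.verify(IMAGE)            # a later entry recorded a different digest
    return intact, altered_bits, broken_chain
```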
  21. Loss of Data
      Risks and Consequences
      Destruction/Alteration (Spoliation)
      Prejudicial presumption
      Uncorroborated testimony
      Dismissal of action
      Undermine credibility
      Etc.

  22. File System Structure
      How is data written to a PC hard drive?
      Hard drive format
      Volume
      Sectors (typically 512 bytes/sector)
      Clusters/allocation units (for example 4096 bytes/cluster (8 sectors))

  23. File System Structure
      How is data written to a PC hard drive?
      File Allocation Table (FAT)
        Tracks file names
        Tracks the location of the data on the hard drive
      Directory Structure
        Name, Cluster, Size, Access, Written, Created

  24. File System Structure
      How is data written to a PC hard drive?
      Saving one (1) 760 bytes file to the hard drive

  25. File System Structure
      How is data written to a PC hard drive?
      Saving one (1) 10,240 bytes file to the hard drive (3 clusters)

  26. File System Structure
      How is data written to a PC hard drive?
      Saving three (3) more 1000 bytes files to the hard drive (3 clusters)

  27. File System Structure
      How is data written to a PC hard drive?
      Saving one (1) more 10,240 bytes file to the hard drive (3 clusters)

  28. File System Structure
      Directory Structure

  29. File System Structure
      Deleting files
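Slides 22 to 29 walk through cluster allocation and deletion on a FAT volume. The following is an added example, not code from the presentation: a toy FAT-style volume with 512-byte sectors and 4096-byte clusters that replays the slides' sequence (760-byte file, 10,240-byte file, three 1000-byte files, another 10,240-byte file) and then deletes one file to show that only the allocation map changes while the bytes stay on disk. The `ToyFat` class, its constants and the file names are assumptions.

```python
"""Added example: toy FAT-style allocation replaying slides 22-29.
Constants and class are assumptions, file contents are constructed."""
import math

SECTOR = 512
CLUSTER = 8 * SECTOR            # 4096-byte allocation unit (8 sectors)
FREE, RESERVED, END = 0, 1, -1  # FAT cell values; clusters 0 and 1 are reserved as in real FAT


class ToyFat:
    def __init__(self, n_clusters=16):
        self.fat = [RESERVED, RESERVED] + [FREE] * (n_clusters - 2)
        self.disk = bytearray(n_clusters * CLUSTER)
        self.directory = {}     # name -> (first cluster, size in bytes)

    def clusters_needed(self, size):
        return max(1, math.ceil(size / CLUSTER))

    def chain(self, first):
        out = []
        while first != END:
            out.append(first)
            first = self.fat[first]
        return out

    def save(self, name, data):
        need = self.clusters_needed(len(data))
        free = [i for i, v in enumerate(self.fat) if v == FREE][:need]
        if len(free) < need:
            raise OSError("volume full")
        for k, c in enumerate(free):
            self.fat[c] = free[k + 1] if k + 1 < need else END
            chunk = data[k * CLUSTER:(k + 1) * CLUSTER]
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk  # slack past the chunk is untouched
        self.directory[name] = (free[0], len(data))
        return free

    def slack(self, name):
        first, size = self.directory[name]
        return len(self.chain(first)) * CLUSTER - size

    def delete(self, name):
        first, _ = self.directory.pop(name)
        for c in self.chain(first):
            self.fat[c] = FREE      # map entries released; the data bytes are not wiped


def replay():
    v = ToyFat()
    a = v.save("a.txt", b"A" * 760)      # 1 cluster, 3336 bytes of slack
    b = v.save("b.bin", b"B" * 10240)    # 3 clusters (2 full + 2048 bytes)
    c = [v.save(f"c{i}.txt", b"C" * 1000) for i in range(3)]
    d = v.save("d.bin", b"D" * 10240)
    slack = (v.slack("a.txt"), v.slack("b.bin"))
    v.delete("b.bin")
    e = v.save("e.txt", b"E" * 100)      # reuses the first released cluster
    start = e[0] * CLUSTER
    leftover = bytes(v.disk[start + 100:start + 110])   # old file's bytes beyond the new file's end
    return a, b, c, d, slack, e, leftover
```

The `leftover` value shows why deleted and overwritten files remain partly recoverable: the new 100-byte file only overwrites the start of the cluster it reuses.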
  30. References
      Dew Associates Corporation: http://www.dewassoc.com/kbase/index.html
      Forensics Wiki: http://www.forensicswiki.org/wiki/
      Windows Seven Forums: http://www.sevenforums.com/
      Computer Crime Research: http://www.crime-research.org
      Guidance Software: EnCase OnDemand Training

  31. Questions?
      Phil Senécal
      psenecal@ledjit.com
      514.627.2850
      www.ledjit.ca