eDiscovery: Forensic Challenges
Introduction to Forensic Methodologies
Phil Senécal, Legal Counsel and Chief Technical Advisor, Consulting Inc.

Agenda
From Ink to Bits
  Electronic documents vs. paper documents
  Tangibles and intangibles
Digital Evidence
  What to look for
  Handling the evidence
Chain of Custody
  Definition
  Objectives
File system structure
Electronic Document
Criminal Code (R.S., 1985, c. C-46), 841: "electronic document" means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, print-out or other output of the data and any document, record, order, exhibit, notice or form that contains the data.
Canada Evidence Act (R.S., 1985, c. C-5), 31.8: "electronic document" means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
Personal Information Protection and Electronic Documents Act (2000, c. 5), 31: "electronic document" means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
Canada Business Corporations Act (R.S., 1985, c. C-44), 252.1: "electronic document" means, except in section 252.6, any form of representation of information or of concepts fixed in any medium in or by electronic, optical or other similar means and that can be read or perceived by a person or by any means.
Electronic Document vs. Paper
Locations
Media
Hard drive (office, notebook, home, printer, etc.)
Cellular telephone and Digital Personal Information Manager
Digital cameras
MP3 players
CDs and DVDs
USB flash drives
Voice mail
Online / Web 2.0 (blog, wiki)
Backup media (tapes, CDs)
…
Digital Evidence: Summary
Any data that can be stored and read by an electronic device (bits).
On any type of media that can be accessed with an electronic device (hard drives, floppy disks, optical disks, USB flash drives, digital cameras, watches, PDAs, cellular phones, MP3 devices, etc.).
No fixed location (office or home PC, servers, on person, internet, etc.).
Preliminary Considerations
Storage of data: cameras, MP3 players, cell phones and PDAs do not necessarily show the data they store (bits).
Computers (home or office): who has access to the files? Who has access to the computers?
Type of digital evidence
Handling the Evidence: Precautions
Electrostatic discharge (ESD): anti-static wrist strap and storage bags
Handling the hard drive (fragile mechanical components): internal and external hard drives, circuit boards
Altering data on the storage device: write blockers
Handling the Evidence: Procedure
Log out all computer media and machines seized and to be analyzed.
Perform a visual inspection/inventory of the physical makeup of the seized computer. It is most important to document the computer condition thoroughly. Photograph the system to document its condition.
Open/remove the CPU case. Examine its internal circuitry and make note of all media (hard drives, removable media drives, floppy drives, etc.). Where appropriate, make note of all internal expansion cards (e.g., where unusual cards are located, or where the internal devices could be pertinent to the investigation).
Look for alternative storage devices such as flash memory, disconnected hard drives, etc.
Verify that the system is configured to boot from floppy diskette, and record which floppy drive is the boot disk.
Determine if the CPU (the case itself) contains potentially valuable information that would justify analysis. Verify that the CPU is functional, or at least contains some form of media.
Record the position of all internal devices, including hard drives, floppy drives, expansion cards, etc.
Handling the Evidence: Procedure (continued)
Check the computer's CMOS settings to be sure the computer is configured to boot from floppy diskette, and boot the machine from a boot disk.
Verify that the system clock reflects the actual date and time. Record in your analysis notes the correct date, time and time zone, the date, time and time zone reported by the computer, and log the difference.
Identify all hard drives by make, model, capacity and condition. Record this information, as well as whether the device is internal or external. Where necessary, photograph individual hard disks to document damage or other unusual condition.
Power down the computer and identify the hard drive master/slave settings (if IDE). Record these settings, and change them where necessary to mount the drive in the government-owned forensic examination computer. Be sure to note any and all changes to evidentiary media.
Locate the parameters of the hard drive itself by going to the manufacturer's home page. Where necessary, manually modify the computer's CMOS settings to accurately reflect the correct settings for the particular drive being analyzed.
Handling the Evidence: Checklists
Handling the Evidence: Collecting the data
Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands.*
* Source: http://www.forensicswiki.org
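A write blocker keeps the source drive from being altered during acquisition; the check that goes with it is hashing the source and the image at acquisition time and re-hashing the image whenever its integrity is questioned. The following is an added example, not code from the slides or from the author, showing that check in Python. The "drive" it acquires is a constructed 16 KiB file standing in for a raw device, and the function and path names are assumptions made here.

```python
"""Added example (not from the slides): after acquiring a drive behind a
write blocker, the examiner hashes the source and the image and re-checks the
image hash later. Paths and the sample 'drive' below are constructed."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash/copy 1 MiB at a time so a large device never sits in RAM


def sha256_of(path: str) -> str:
    """Stream a file (or a raw block device opened read-only) through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str) -> dict:
    """Bit-for-bit copy of source into image, returning both digests.

    The source is opened read-only; in practice a hardware write blocker sits
    in front of it so that no write can reach the evidence even by mistake.
    """
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return {"source_sha256": sha256_of(source), "image_sha256": sha256_of(image)}


def verify(record: dict, image: str) -> bool:
    """True only if the image still hashes to what was recorded at acquisition
    and that value also matched the source at the time."""
    return sha256_of(image) == record["image_sha256"] == record["source_sha256"]


def demo() -> tuple:
    """Acquire a constructed 16 KiB 'drive', verify, then show that a single
    stray byte written to the image is caught by re-verification."""
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "suspect_drive.bin")  # constructed stand-in for /dev/sdX
    image = os.path.join(tmp, "suspect_drive.dd")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 64)  # constructed, deterministic content
    record = acquire(source, image)
    intact = verify(record, image)
    with open(image, "r+b") as f:  # simulate an unprotected write to the image
        f.seek(512)
        f.write(b"\xff")
    return intact, verify(record, image)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The two digests returned by `acquire` are what goes into the chain-of-custody log; `verify` fails if either the image drifted from its recorded hash or the recorded image hash never matched the source, so a bad copy and a later modification are both caught.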
Document Preservation: Definition
Digital preservation is defined as: long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span the information is required for.
Long-term is defined as "long enough to be concerned with the impacts of changing technologies, including support for new media and data formats, or with a changing user community. Long Term may extend indefinitely".
"Retrieval" means obtaining needed digital files from the long-term, error-free digital storage, without possibility of corrupting the continued error-free storage of the digital files.
"Interpretation" means that the retrieved digital files, files that, for example, are of texts, charts, images or sounds, are decoded and transformed into usable representations. This is often interpreted as "rendering", i.e. making it available for a human to access. However, in many cases it will mean able to be processed by computational means.
Source: http://en.wikipedia.org/wiki/Digital_preservation
Document Preservation: Objectives
Preservation: ensure that all of the bits composing an electronic document do not alter with the passage of time.
Access: continued, ongoing access to the content of a digital library (information resource) that still retains and protects all qualities of integrity, authenticity, accuracy and functionality found when the digital material was originally created and/or acquired.
Steps are required to attain these goals: supervision, control and maintenance (refreshing, media migration, and backups).
Chain of Custody: Definition
Chain of custody refers to the chronological documentation, and/or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.*
* Source: http://en.wikipedia.org/wiki/Chain_of_custody
Chain of Evidence: Objectives
Because evidence can be used in court, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct, which can seriously compromise the credibility of a witness and jeopardize the outcome of a case.
Since electronic data can be easily altered, it is important to prove that the integrity of the evidence has been maintained from seizure through production in court. Chain of custody logs should document how the data was gathered, analyzed, and preserved for production.
The chain of custody log must show the method used to ensure that the data was properly copied, transported and stored; that the information has not been altered in any way; and that all media has been secured throughout the process.
W5
Who has or has had the item
What item are we referring to
When did something happen to the item
Where did this transaction take place
Why did the transaction take place
Chain of Custody: Policy
There should be a person (chokepoint) who is in control of all data. The more people you introduce to the mix, the easier it will be to have a problem with chain of custody.
There should be a policy and procedure manual for dealing with evidentiary items.
There should be someone responsible for reviewing policies and procedures on evidence control.
Items being taken into possession should be documented at the earliest possible time.
Receipts should be left at the client location. The client should sign a copy of the receipt for items being taken.
Items should be tagged (labeled) to ensure proper processing.
Chain of Custody: Process
The following must be included in a chain of custody log:
A list of all media that was secured
The precise information that has been copied, transferred, and collected
Date and time stamp
Who processed the item
Who is the owner of the item, and where it was taken from
All electronic evidence collected must be properly documented each time the evidence is viewed.
Such documentation must be made available throughout the discovery process. (If the client in the middle of the case wants to see the log, it has to be made available.)
* Source: http://en.wikipedia.org/wiki/Chain_of_custody
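The objectives and the process slides together describe a log that carries a fixed set of fields for every custody event and that can be shown not to have been altered after the fact. The following is an added example, not code from the slides or from the author, of such a log in Python: each entry must carry the fields listed on the slide, entries are linked by SHA-256 so that editing, removing or reordering any of them breaks verification, and the whole log can be exported when a party asks to see it. The field names, the item, the people and the dates in the demonstration are constructed for illustration.

```python
"""Added example (not from the slides): an append-only chain-of-custody log
whose entries carry the fields the slide requires and are hash-linked, so a
later edit to any entry breaks verification. Field names, the item and the
people below are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Fields every entry must carry (item, what was done, who did it, owner, origin).
REQUIRED = ("item_id", "media", "action", "handler", "owner", "taken_from")
GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(seq: int, fields: dict, prev_hash: str) -> str:
    """Canonical SHA-256 over sequence number, fields and the previous hash."""
    payload = json.dumps({"seq": seq, "fields": fields, "prev": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CustodyLog:
    def __init__(self):
        self.entries = []

    def record(self, **fields) -> dict:
        """Append one custody event; refuses entries missing a required field."""
        missing = [k for k in REQUIRED if k not in fields]
        if missing:
            raise ValueError(f"chain-of-custody entry missing {missing}")
        # Date and time stamp: supplied by the handler or taken now, in UTC.
        fields.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": seq, "fields": fields, "prev_hash": prev,
                 "hash": _digest(seq, fields, prev)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every link; any altered, removed or reordered entry fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if _digest(i, e["fields"], prev) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def export(self) -> str:
        """The log as it would be handed over when a party asks to see it."""
        return json.dumps(self.entries, indent=2, sort_keys=True)


def demo() -> tuple:
    """Seize, image and view one constructed item, then alter an old entry."""
    log = CustodyLog()
    common = dict(item_id="HD-001",
                  media="3.5in SATA hard drive, 500 GB (constructed)",
                  owner="Client Corp. (constructed)")
    log.record(action="seized", handler="J. Examiner", taken_from="Office 3B workstation",
               timestamp="2010-05-03T09:12:00-04:00", receipt="copy left with client",
               **common)
    log.record(action="imaged", handler="J. Examiner", taken_from="Evidence locker",
               timestamp="2010-05-03T14:40:00-04:00",
               image_sha256="<digest recorded at acquisition>", **common)
    log.record(action="viewed", handler="A. Analyst", taken_from="Evidence locker",
               timestamp="2010-05-05T10:05:00-04:00", **common)
    intact = log.verify()
    log.entries[1]["fields"]["handler"] = "Someone Else"  # a later, undocumented change
    return intact, log.verify()


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The hash chain does not replace signatures or a second copy of the log held elsewhere; it only makes silent edits detectable. In practice the digests from acquisition go into the `imaged` entry, and the exported log is what is produced on request during discovery.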
Risks and Consequences
Loss of data
Destruction/alteration (spoliation)
Prejudicial presumption
Uncorroborated testimony
Dismissal of action
Undermined credibility
Etc.
File System Structure: How is data written to a PC hard drive?
Hard drive format: volume; sectors (typically 512 bytes/sector); clusters/allocation units (for example 4096 bytes/cluster, i.e. 8 sectors)
File Allocation Table (FAT): tracks file names and the location of the data on the hard drive
Directory structure: name, cluster, size, access, written, created
Saving one (1) 760-byte file to the hard drive
Saving one (1) 10,240-byte file to the hard drive (3 clusters)
Saving three (3) more 1000-byte files to the hard drive (3 clusters)
Saving one (1) more 10,240-byte file to the hard drive (3 clusters)
Directory structure
Deleting files
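The slides on saving and deleting files are diagrams of cluster allocation. The following is an added example, not code from the slides or from the author, that reproduces the same sequence in a toy FAT-style volume in Python: the 760-byte file takes one 4096-byte cluster, each 10,240-byte file takes three (10,240 / 4096 = 2.5, rounded up), the three 1000-byte files take one each, and deleting a file only marks its directory entry and frees its FAT chain, leaving the bytes in place until a later file overwrites them. The file sizes are the slide's; the volume layout, class and function names are simplifications constructed here.

```python
"""Added example (not from the slides): a toy FAT-style volume showing how the
files from the slides land in 4096-byte clusters, how much slack each leaves,
and why a deleted file's data is still on disk. The file sizes are the
slides'; the volume layout is a simplification constructed here."""
import math

SECTOR = 512
CLUSTER = 4096          # 8 sectors per cluster, as on the slide
FREE, EOF = None, -1    # FAT cell values: unallocated / last cluster of a chain


class ToyVolume:
    def __init__(self, clusters: int = 16):
        self.fat = [FREE] * clusters                       # next-cluster table
        self.data = [bytearray(CLUSTER) for _ in range(clusters)]
        self.directory = {}   # name -> {"start", "size", "deleted"}

    @staticmethod
    def clusters_needed(size: int) -> int:
        return max(1, math.ceil(size / CLUSTER))

    def save(self, name: str, content: bytes) -> list:
        """Allocate the lowest free clusters, chain them in the FAT, write data."""
        need = self.clusters_needed(len(content))
        free = [i for i, v in enumerate(self.fat) if v is FREE][:need]
        if len(free) < need:
            raise OSError("volume full")
        for k, c in enumerate(free):
            self.fat[c] = free[k + 1] if k + 1 < need else EOF
            chunk = content[k * CLUSTER:(k + 1) * CLUSTER]
            # Only the file's own bytes are written; whatever sat in the rest of
            # the cluster before stays there as file slack.
            self.data[c][:len(chunk)] = chunk
        self.directory[name] = {"start": free[0], "size": len(content), "deleted": False}
        return free

    def chain(self, name: str) -> list:
        """Follow the FAT from the directory entry's first cluster."""
        c, out = self.directory[name]["start"], []
        while c != EOF:
            out.append(c)
            c = self.fat[c]
        return out

    def slack(self, name: str) -> int:
        """Bytes allocated to the file but not used by it."""
        size = self.directory[name]["size"]
        return self.clusters_needed(size) * CLUSTER - size

    def delete(self, name: str) -> None:
        """Mark the directory entry and free the FAT chain; data is untouched."""
        entry = self.directory[name]
        for c in self.chain(name):
            self.fat[c] = FREE
        entry["deleted"] = True   # like FAT's 0xE5 first byte: name and size survive

    def raw_cluster(self, c: int) -> bytes:
        """What a forensic tool sees when it reads the media below the file system."""
        return bytes(self.data[c])


def demo() -> dict:
    """Replay the slides' sequence of saves, then delete the first large file."""
    vol = ToyVolume()
    doc = vol.save("doc1.txt", b"A" * 760)
    big1 = vol.save("big1.bin", b"B" * 10240)
    small = [vol.save(f"s{i}.txt", b"C" * 1000) for i in range(3)]
    big2 = vol.save("big2.bin", b"D" * 10240)
    vol.delete("big1.bin")
    return {
        "doc1": (doc, vol.slack("doc1.txt")),
        "big1": (big1, vol.slack("big1.bin")),
        "small": small,
        "big2": big2,
        "freed_fat_cells": [vol.fat[c] for c in big1],
        "leftover_in_first_freed_cluster": vol.raw_cluster(big1[0])[:4],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things the diagrams show become concrete here: `slack` reports the 3336 bytes left unused in the 760-byte file's cluster and the 2048 bytes left in the third cluster of each 10,240-byte file, and after `delete` the clusters are free in the FAT while `raw_cluster` still returns the old contents. A later, smaller file that reuses the first freed cluster overwrites only its own bytes, so the tail of the old file survives as slack until that region is fully rewritten.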
References
Dew Associates Corporation: http://www.dewassoc.com/kbase/index.html
Forensics Wiki: http://www.forensicswiki.org/wiki/
Windows Seven Forums: http://www.sevenforums.com/
Computer Crime Research: http://www.crime-research.org
Guidance Software: EnCase OnDemand Training

Questions?
Phil Senécal, psenecal@ledjit.com, 514.627.2850, www.ledjit.ca

More Related Content

What's hot

Lecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemLecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file system
Alchemist095
 
Digital Forensics Overview
Digital Forensics OverviewDigital Forensics Overview
Digital Forensics Overview
Mathew Shelby
 
Total Evidence White Paper
Total Evidence White PaperTotal Evidence White Paper
Total Evidence White Paper
Kevin Featherly
 

What's hot (20)

Lecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemLecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file system
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifacts
 
CS6004 Cyber Forensics - UNIT V
CS6004 Cyber Forensics - UNIT VCS6004 Cyber Forensics - UNIT V
CS6004 Cyber Forensics - UNIT V
 
Using Network
Using NetworkUsing Network
Using Network
 
Anton Chuvakin FTP Server Intrusion Investigation
Anton Chuvakin FTP Server Intrusion InvestigationAnton Chuvakin FTP Server Intrusion Investigation
Anton Chuvakin FTP Server Intrusion Investigation
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Ediscovery 101
Ediscovery 101Ediscovery 101
Ediscovery 101
 
Digital Forensics Overview
Digital Forensics OverviewDigital Forensics Overview
Digital Forensics Overview
 
Computer Forensics Resources offers Remote Live Data Forensic Acquisition if ...
Computer Forensics Resources offers Remote Live Data Forensic Acquisition if ...Computer Forensics Resources offers Remote Live Data Forensic Acquisition if ...
Computer Forensics Resources offers Remote Live Data Forensic Acquisition if ...
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkits
 
Encryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a PanaceaEncryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a Panacea
 
Total Evidence White Paper
Total Evidence White PaperTotal Evidence White Paper
Total Evidence White Paper
 
Diving into Digital Forensics
Diving into Digital Forensics Diving into Digital Forensics
Diving into Digital Forensics
 
F1805023942
F1805023942F1805023942
F1805023942
 
computer forensics by amritanshu kaushik
computer forensics by amritanshu kaushikcomputer forensics by amritanshu kaushik
computer forensics by amritanshu kaushik
 
The design of forensic computer workstations
The design of forensic computer workstationsThe design of forensic computer workstations
The design of forensic computer workstations
 
Lecture #32: Digital Forensics : Evidence Handling, Validation and Reporting
Lecture #32: Digital Forensics : Evidence Handling, Validation and ReportingLecture #32: Digital Forensics : Evidence Handling, Validation and Reporting
Lecture #32: Digital Forensics : Evidence Handling, Validation and Reporting
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to Know
 
Lecture #32: Forensic Duplication
Lecture #32: Forensic DuplicationLecture #32: Forensic Duplication
Lecture #32: Forensic Duplication
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 

Similar to Introduction To Forensic Methodologies

Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
Milap Oza
 
computer forensics
computer forensicscomputer forensics
computer forensics
Akhil Kumar
 
Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3
sabtolinux
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20world01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20world
Aqib Memon
 

Similar to Introduction To Forensic Methodologies (20)

Latest presentation
Latest presentationLatest presentation
Latest presentation
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensics
 
Evidence and data
Evidence and dataEvidence and data
Evidence and data
 
Computer forencis
Computer forencisComputer forencis
Computer forencis
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
Medical Records on the Run: Protecting Patient Data with Device Control and...
Medical Records on the Run: Protecting Patient Data with Device Control and...Medical Records on the Run: Protecting Patient Data with Device Control and...
Medical Records on the Run: Protecting Patient Data with Device Control and...
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
cyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemscyber law and forensics,biometrics systems
cyber law and forensics,biometrics systems
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer Forensic
 
Computer forensics
Computer  forensicsComputer  forensics
Computer forensics
 
Computer forensic
Computer forensicComputer forensic
Computer forensic
 
01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20world01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20world
 
Computer forensics Slides
Computer forensics SlidesComputer forensics Slides
Computer forensics Slides
 
Computer forensics powerpoint presentation
Computer forensics powerpoint presentationComputer forensics powerpoint presentation
Computer forensics powerpoint presentation
 
IEA Presentation - Electronic Records & Electronic Evidence: Section 65B
IEA Presentation - Electronic Records & Electronic Evidence: Section 65BIEA Presentation - Electronic Records & Electronic Evidence: Section 65B
IEA Presentation - Electronic Records & Electronic Evidence: Section 65B
 

More from Ledjit

Numérisation de substitution
Numérisation de substitutionNumérisation de substitution
Numérisation de substitution
Ledjit
 
CEIC 2010 international panel
CEIC 2010 international panelCEIC 2010 international panel
CEIC 2010 international panel
Ledjit
 
Le web2.0, une mine d'information juridique et judiciaire
Le web2.0, une mine d'information juridique et judiciaireLe web2.0, une mine d'information juridique et judiciaire
Le web2.0, une mine d'information juridique et judiciaire
Ledjit
 
Le Procès Sans Papier - Objection... à toute la preuve présentée devant les t...
Le Procès Sans Papier - Objection... à toute la preuve présentée devant les t...Le Procès Sans Papier - Objection... à toute la preuve présentée devant les t...
Le Procès Sans Papier - Objection... à toute la preuve présentée devant les t...
Ledjit
 
Information Governance-a programmatic perspective on driving value through RI...
Information Governance-a programmatic perspective on driving value through RI...Information Governance-a programmatic perspective on driving value through RI...
Information Governance-a programmatic perspective on driving value through RI...
Ledjit
 
The Effective eDocument Retention Program - Policies, Processes and Solutions
The Effective eDocument Retention Program - Policies, Processes and SolutionsThe Effective eDocument Retention Program - Policies, Processes and Solutions
The Effective eDocument Retention Program - Policies, Processes and Solutions
Ledjit
 
Documents and Discovery in Government - Alberta’s Perspective
Documents and Discovery in Government - Alberta’s PerspectiveDocuments and Discovery in Government - Alberta’s Perspective
Documents and Discovery in Government - Alberta’s Perspective
Ledjit
 

More from Ledjit (20)

Rixe sur la preuve électronique
Rixe sur la preuve électroniqueRixe sur la preuve électronique
Rixe sur la preuve électronique
 
Numérisation de substitution
Numérisation de substitutionNumérisation de substitution
Numérisation de substitution
 
CEIC 2010 international panel
CEIC 2010 international panelCEIC 2010 international panel
CEIC 2010 international panel
 
The radio shack court
The radio shack courtThe radio shack court
The radio shack court
 
Le web2.0, une mine d'information juridique et judiciaire
Le web2.0, une mine d'information juridique et judiciaireLe web2.0, une mine d'information juridique et judiciaire
Le web2.0, une mine d'information juridique et judiciaire
 
Une nouvelle administration de la preuve
Une nouvelle administration de la preuveUne nouvelle administration de la preuve
Une nouvelle administration de la preuve
 
Le Procès Sans Papier - Objection... à toute la preuve présentée devant les t...
Le Procès Sans Papier - Objection... à toute la preuve présentée devant les t...Le Procès Sans Papier - Objection... à toute la preuve présentée devant les t...
Le Procès Sans Papier - Objection... à toute la preuve présentée devant les t...
 
Information Governance-a programmatic perspective on driving value through RI...
Information Governance-a programmatic perspective on driving value through RI...Information Governance-a programmatic perspective on driving value through RI...
Information Governance-a programmatic perspective on driving value through RI...
 
The Effective eDocument Retention Program - Policies, Processes and Solutions
The Effective eDocument Retention Program - Policies, Processes and SolutionsThe Effective eDocument Retention Program - Policies, Processes and Solutions
The Effective eDocument Retention Program - Policies, Processes and Solutions
 
Documents and Discovery in Government - Alberta’s Perspective
Documents and Discovery in Government - Alberta’s PerspectiveDocuments and Discovery in Government - Alberta’s Perspective
Documents and Discovery in Government - Alberta’s Perspective
 
Preuve électronique + Procédure
Preuve électronique + ProcédurePreuve électronique + Procédure
Preuve électronique + Procédure
 
Gestion De L’Information - Obligations et responsabilités du conseiller jurid...
Gestion De L’Information - Obligations et responsabilités du conseiller jurid...Gestion De L’Information - Obligations et responsabilités du conseiller jurid...
Gestion De L’Information - Obligations et responsabilités du conseiller jurid...
 
60 Trucs et astuces Word en 60 minutes
60 Trucs et astuces Word en 60 minutes60 Trucs et astuces Word en 60 minutes
60 Trucs et astuces Word en 60 minutes
 
eDiscovery without the headaches
eDiscovery without the headacheseDiscovery without the headaches
eDiscovery without the headaches
 
The Portable Courtroom
The Portable CourtroomThe Portable Courtroom
The Portable Courtroom
 
Salle d'audience portable
Salle d'audience portableSalle d'audience portable
Salle d'audience portable
 
Production of Documents, Technology and Costs
Production of Documents, Technology and CostsProduction of Documents, Technology and Costs
Production of Documents, Technology and Costs
 
Le Web2
Le Web2Le Web2
Le Web2
 
L'administration de la preuve électronique
L'administration de la preuve électroniqueL'administration de la preuve électronique
L'administration de la preuve électronique
 
eDiscovery - Advising your Clients on how to be Litigation Ready in the 21st ...
eDiscovery - Advising your Clients on how to be Litigation Ready in the 21st ...eDiscovery - Advising your Clients on how to be Litigation Ready in the 21st ...
eDiscovery - Advising your Clients on how to be Litigation Ready in the 21st ...
 

Recently uploaded

CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
Wonjun Hwang
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 

Recently uploaded (20)

The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 

Introduction To Forensic Methodologies

  • 1. eDiscovery: Forensic Challenges Introduction to Forensic Methodologies Phil Senécal Legal Counsel and Chief Technical Advisor Consulting Inc.
  • 2. Agenda From Ink to Bits Electronic documents vs. paper documents Tangibles and intangibles Digital Evidence What to look for Handling the evidence Chain of Custody Definition Objectives File system structure
  • 3. Electronic Document Criminal Code(R.S., 1985, c. C-46) 841 “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, print-out or other output of the data and any document, record, order, exhibit, notice or form that contains the data. Canada EvidenceAct(R.S., 1985, c. C-5) 31.8 “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data. Personal Information Protection and Electronic Documents Act (2000, c. 5) 31 “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data. Canada Business Corporations Act (R.S., 1985, c. C-44) 252.1 “electronic document” means, except in section 252.6, any form of representation of information or of concepts fixed in any medium in or by electronic, optical or other similar means and that can be read or perceived by a person or by any means. 3
  • 6. Media Hard Drive (office, notebook, home, printer, etc.) Cellular Telephone et Digital Personal Information Manager Digital Cameras MP3 Players CDs and DVDs USB Flash Drives Voice Mail Online / Web 2.0 (Blog, Wiki) Backup Media (tapes, CDs) … 6
  • 7. Digital Evidence Summary Any data that can be stored and read by an electronic device. (bits) On any type of media that can be accessed with an electronic device. (Hard drives, floppy disks, optical disks, USB flash drives, digital cameras, watches, PDAs, cellular phones, MP3 devices, etc.) No fixed location. (Office or home PC, servers, on person, internet, etc.) 7
  • 8. PreliminaryConsiderations Storage of Data Cameras, MP3 players, cell phones and PDAs do not necessarily show data stored. (bits) Computers (home or office) Who has access to files? Who has access to computers? Type of digital evidence 8
  • 9. Handling the Evidence: Precautions
    - Electrostatic discharge (ESD): anti-static wrist strap and storage bags.
    - Handling the hard drive (fragile mechanical components): internal and external hard drives, circuit boards.
    - Altering data on the storage device: write blockers.
  • 10. Handling the Evidence: Procedure
    1. Log out all computer media and machines seized and to be analyzed.
    2. Perform a visual inspection/inventory of the physical makeup of the seized computer. It is most important to document the computer's condition thoroughly.
    3. Photograph the system to document its condition.
    4. Open/remove the CPU case. Examine its internal circuitry and make note of all media (hard drives, removable media drives, floppy drives, etc.). Where appropriate, make note of all internal expansion cards (e.g., where unusual cards are located, or where the internal devices could be pertinent to the investigation).
    5. Look for alternative storage devices such as flash memory, disconnected hard drives, etc.
    6. Verify that the system is configured to boot from floppy diskette, and record which floppy drive is the boot disk.
    7. Determine if the CPU (the case itself) contains potentially valuable information that would justify analysis.
    8. Verify that the CPU is functional, or at least contains some form of media.
    9. Record the position of all internal devices, including hard drives, floppy drives, expansion cards, etc.
  • 11. Handling the Evidence: Procedure (continued)
    10. Check the computer's CMOS settings to be sure the computer is configured to boot from floppy diskette, and boot the machine from a boot disk.
    11. Verify that the system clock reflects the actual date and time. Record in your analysis notes the correct date, time and time zone, the date, time and time zone reported by the computer, and log the difference.
    12. Identify all hard drives by make, model, capacity and condition. Record this information, as well as whether the device is internal or external. Where necessary, photograph individual hard disks to document damage or other unusual conditions.
    13. Power down the computer and identify the hard drive master/slave settings (if IDE). Record these settings, and change them where necessary to mount the drive in the government-owned forensic examination computer. Be sure to note any and all changes to evidentiary media.
    14. Locate the parameters of the hard drive itself on the manufacturer's home page. Where necessary, manually modify the computer's CMOS settings to accurately reflect the correct settings for the particular drive being analyzed.
  • 12. Handling the Evidence: Checklists
  • 13. Handling the Evidence: Collecting the Data
    Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands.*
    * Source: http://www.forensicswiki.org
  • 14. Document Preservation: Definition
    Digital preservation is defined as: long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span the information is required for.
    Long-term is defined as "long enough to be concerned with the impacts of changing technologies, including support for new media and data formats, or with a changing user community. Long Term may extend indefinitely".
    "Retrieval" means obtaining needed digital files from the long-term, error-free digital storage, without possibility of corrupting the continued error-free storage of the digital files.
    "Interpretation" means that the retrieved digital files, files that, for example, are of texts, charts, images or sounds, are decoded and transformed into usable representations. This is often interpreted as "rendering", i.e. making it available for a human to access. However, in many cases it will mean able to be processed by computational means.
    Source: http://en.wikipedia.org/wiki/Digital_preservation
  • 15. Document Preservation: Objectives
    - Preservation: ensure that all of the bits composing an electronic document do not alter with the passage of time.
    - Access: continued, ongoing access to the content of a digital library (information resource) that still retains and protects all qualities of integrity, authenticity, accuracy and functionality found when the digital material was originally created and/or acquired.
    - Steps are required to attain these goals: supervision, control and maintenance (refreshing, media migration, and backups).
  • 16. Chain of Custody: Definition
    Chain of custody refers to the chronological documentation, and/or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.*
    * Source: http://en.wikipedia.org/wiki/Chain_of_custody
  • 17. Chain of Evidence: Objectives
    Because evidence can be used in court, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct, which can seriously compromise the credibility of a witness and jeopardize the outcome of a case.
    Since electronic data can be easily altered, it is important to prove that the integrity of the evidence has been maintained from seizure through production in court. Chain of custody logs should document how the data was gathered, analyzed, and preserved for production.
    The chain of custody log must show the method used to ensure that the data was properly copied, transported and stored; that the information has not been altered in any way; and that all media has been secured throughout the process.
  • 18. W5
    - Who has or has had the item?
    - What item are we referring to?
    - When did something happen to the item?
    - Where did this transaction take place?
    - Why did the transaction take place?
  • 19. Chain of Custody: Policy
    - There should be one person (a chokepoint) in control of all data. The more people you introduce to the mix, the easier it is to have a problem with chain of custody.
    - There should be a policy and procedure manual for dealing with evidentiary items.
    - There should be someone responsible for reviewing policies and procedures on evidence control.
    - Items being taken into possession should be documented at the earliest possible time.
    - Receipts should be left at the client location. The client should sign a copy of the receipt for items being taken.
    - Items should be tagged (labeled) to ensure proper processing.
  • 20. Chain of Custody: Process
    The following must be included in a chain of custody log:
    - A list of all media that was secured.
    - The precise information that has been copied, transferred, and collected.
    - Date and time stamp.
    - Who processed the item.
    - Who the owner of the item is; where it was taken from.
    All electronic evidence collected must be properly documented each time the evidence is viewed. Such documentation must be made available throughout the discovery process (if the client, in the middle of the case, wants to see the log, it has to be made available).*
    * Source: http://en.wikipedia.org/wiki/Chain_of_custody
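    A constructed chain-of-custody log for one evidence item, added here as an example and not part of the presentation: each event is a W5 row (who, what, when, where, why, as on slide 18), a hand-off is accepted only from the current custodian (the single chokepoint of slide 19), and, as an addition the slides do not spell out, a content hash taken at seizure is re-taken at every event so the log itself records whether the data was altered (the requirement stated on slide 17). All names, dates and the "image" bytes are constructed.

```python
import hashlib
from datetime import datetime, timezone

def fingerprint(data):                  # hash of the item's content, re-taken at every logged event
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    def __init__(self, item_id, description, seized_by, where, content, when):
        self.item_id, self.description = item_id, description
        self.reference = fingerprint(content)           # what the item looked like when seized
        self.entries = []
        self.record("seizure", seized_by, where, "taken into possession", content, when)
    def record(self, action, who, where, why, content, when):
        """One W5 row (who / what / when / where / why) plus the item's current hash."""
        self.entries.append({"action": action, "who": who, "what": self.item_id,
                             "when": when.isoformat(), "where": where, "why": why,
                             "hash": fingerprint(content)})
    def custodian(self):
        return self.entries[-1]["who"]                  # the single chokepoint for the item
    def transfer(self, from_who, to_who, where, why, content, when):
        if from_who != self.custodian():                # a hand-off not from the custodian breaks the chain
            raise ValueError(f"{from_who} is not the current custodian ({self.custodian()})")
        self.record("transfer", to_who, where, why, content, when)
    def altered(self):
        """Entries whose hash differs from the seizure fingerprint: the data changed."""
        return [e for e in self.entries if e["hash"] != self.reference]

def demo():
    t0 = datetime(2010, 3, 1, 9, 0, tzinfo=timezone.utc)             # constructed dates
    image = b"constructed bytes standing in for an acquired disk image"
    log = CustodyLog("HD-001", "IDE hard drive from workstation 4", "Investigator A",
                     "client office", image, t0)
    log.transfer("Investigator A", "Examiner B", "forensic lab", "analysis", image,
                 t0.replace(hour=14))
    log.record("viewing", "Examiner B", "forensic lab", "keyword search", image,
               t0.replace(day=2))
    # a modified copy shows up at the next hand-off: its hash no longer matches the seizure hash
    log.transfer("Examiner B", "Counsel C", "law office", "production", image + b"!",
                 t0.replace(day=3))
    error = None
    try:  # Investigator A no longer holds the item, so this hand-off is rejected and not logged
        log.transfer("Investigator A", "Court clerk", "courthouse", "filing", image, t0.replace(day=4))
    except ValueError as err:
        error = str(err)
    return {"entries": len(log.entries), "altered": len(log.altered()),
            "custodian": log.custodian(), "custody_error": error}
```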
  • 21. Risks and Consequences
    - Loss of data
    - Destruction/alteration (spoliation)
    - Prejudicial presumption
    - Uncorroborated testimony
    - Dismissal of action
    - Undermined credibility
    - Etc.
  • 22. File System Structure: How is data written to a PC hard drive?
    - Hard drive format
    - Volume
    - Sectors (typically 512 bytes/sector)
    - Clusters/allocation units (for example 4096 bytes/cluster, i.e. 8 sectors)
  • 23. File System Structure: How is data written to a PC hard drive?
    - File Allocation Table (FAT): tracks file names; tracks the location of the data on the hard drive.
    - Directory structure: Name, Cluster, Size, Access, Written, Created.
  • 24. File System Structure: How is data written to a PC hard drive? (figure) Saving one (1) 760-byte file to the hard drive.
  • 25. File System Structure: How is data written to a PC hard drive? (figure) Saving one (1) 10,240-byte file to the hard drive (3 clusters).
  • 26. File System Structure: How is data written to a PC hard drive? (figure) Saving three (3) more 1000-byte files to the hard drive (3 clusters).
  • 27. File System Structure: How is data written to a PC hard drive? (figure) Saving one (1) more 10,240-byte file to the hard drive (3 clusters).
  • 28. File System Structure: Directory Structure
  • 29. File System Structure: Deleting Files
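    The walk-through on slides 22 to 29 (512-byte sectors, 8-sector clusters, a FAT that chains clusters, a directory entry per file, then deletion) as an added runnable example; this toy volume is not from the presentation and simplifies real FAT (no 0xE5 name marker, no timestamps, files allocated contiguously). It replays the four saves from slides 24 to 27 and then deletes the 10,240-byte file to show why deleted content is recoverable: the FAT chain is freed and the entry is flagged, but the data bytes stay on disk.

```python
SECTOR = 512                           # bytes per sector (slide 22)
CLUSTER = SECTOR * 8                   # 8 sectors per cluster = 4096 bytes (slide 22)
FREE, END = 0, -1                      # toy FAT markers: unallocated / end of chain

class ToyFatVolume:
    def __init__(self, clusters=16):
        self.fat = [FREE] * clusters           # one FAT entry per cluster
        self.data = bytearray(CLUSTER * clusters)
        self.directory = {}                    # name -> {"start", "size", "deleted"}
    @staticmethod
    def clusters_needed(size):
        return -(-size // CLUSTER)             # ceiling division: 760 -> 1, 10240 -> 3
    def save(self, name, content):
        n = self.clusters_needed(len(content))
        free = [i for i, v in enumerate(self.fat) if v == FREE][:n]
        if len(free) < n:
            raise OSError("disk full")
        for i, c in enumerate(free):           # chain the clusters through the FAT
            self.fat[c] = free[i + 1] if i + 1 < n else END
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory[name] = {"start": free[0], "size": len(content), "deleted": False}
        return free
    def slack(self, name):                     # unused bytes after EOF in the last cluster
        e = self.directory[name]
        return self.clusters_needed(e["size"]) * CLUSTER - e["size"]
    def delete(self, name):
        """FAT-style delete: free the chain and flag the entry; the data stays on disk."""
        e = self.directory[name]
        c = e["start"]
        while c != END:
            nxt, self.fat[c] = self.fat[c], FREE
            c = nxt
        e["deleted"] = True

def walkthrough():
    """Replays slides 24 to 27, then deletes one file as on slide 29."""
    vol = ToyFatVolume()
    a = vol.save("A.TXT", b"A" * 760)                             # 1 cluster, 3336 bytes slack
    b = vol.save("B.DOC", b"B" * 10240)                           # 3 clusters (2.5 rounded up)
    cs = [vol.save(f"C{i}.TXT", b"C" * 1000) for i in range(3)]   # 1 cluster each
    d = vol.save("D.DOC", b"D" * 10240)                           # 3 clusters
    vol.delete("B.DOC")
    off = vol.directory["B.DOC"]["start"] * CLUSTER               # flagged entry still points at the data
    return {"clusters": (len(a), len(b), sum(map(len, cs)), len(d)),
            "slack_a": vol.slack("A.TXT"),
            "b_fat_freed": all(vol.fat[c] == FREE for c in b),
            "b_data_intact": bytes(vol.data[off:off + 10240]) == b"B" * 10240}
```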
  • 30. References
    - Dew Associates Corporation: http://www.dewassoc.com/kbase/index.html
    - Forensics Wiki: http://www.forensicswiki.org/wiki/
    - Windows Seven Forums: http://www.sevenforums.com/
    - Computer Crime Research: http://www.crime-research.org
    - Guidance Software: EnCase OnDemand Training
  • 31. Questions?
    Phil Senécal
    psenecal@ledjit.com
    514.627.2850
    www.ledjit.ca