UMUC (2012) Retrieved from http://tychousa3.umuc.edu/CSEC650/1202/csec650_05/assets/csec650_05.pdf
National Business Systems
Poland
Introduction
Capital: Warsaw
Region: Central Europe
Prime Minister: Donald Tusk
President: Bronislaw Komorowski (as of Aug 6, 2010; 5-year term)
Government: Parliamentary Republic, Democracy
Key Relations: strong ally of US, member of EU,
IMF, NATO, WTO, Schengen
Population: 38,54 million
Currency: zloty
(1€ = between 4.20 and 4.25 Zloty)
Official Language: Polish
Strengths:
EU Membership, Eurozone Accession
Next Elections 2015: the Civic Platform party can implement austerity measures if needed
Weakness:
Political conflict/discontent within the country
Opportunities:
Scope for integration with other Euro Atlantic institutions
Slim chances of a presidential veto
Threats:
Undertaking deep fiscal consolidation could threaten and weaken support for the Civic Platform party.
Austerity Measures
Political
Prevalent Issues
Other Political Issues
Fate of Euro
Key alliance with US, deteriorating with Russia
EU- Poland Relations
Projections
European Middle power within the EU
Ties with the EU
Faltering Economic growth
Assertive Power Player
Economic Activity
GDP growth = 1,5% in 2013
Trade balance deficit = -0,1% of GDP in 2012
Domestic demand collapse
High unemployment (14,2% in 2013)
Stagnant wage growth
Imports ↘ (consumer goods in particular)
Inflation (2,7% in 2013) and interest rate ↘
but divergence in the Monetary Policy Council
39% of imports = capital goods (raw materials, machinery, transport equipment…)
Weak external demand
Stagnant Eurozone growth
Eurozone = main trading partner (trade has doubled since 1995)
Threat
Exports ↘
Exports to non-EU countries still strong (↗ by 22,5% in Feb 2013; they represent 1/3 of total exports)
Fiscal policy
Budget deficit of 3,9% of GDP in 2012
Defeat: missed the EU's 3,0% of GDP budget target
BUT success: budget deficit reduced from 7,9% in 2010 to 3,9% in 2012
Banking sector
Sufficiently robust to weather imminent strains
Limited consumer loan growth
Weak consumer mortgage growth
Domestic house prices ↘ by 1,4% in Jan 2013
Housing market = oversupplied
Number of non-performing loans ↗ (driven by unemployment)
Corporate lending = stable
Should improve if the eurozone situation improves and business confidence increases
Business Environment
Strengths
Implementation of pro-business reforms
In general, foreign businesses are permitted unrestricted ownership of Polish assets
Weaknesses
FDI per capita remains considerably low
Inefficient court system (red tape, corruption)
Poor quality infrastructure
Business Environment
Opportunities
Low labour costs
Local capital markets are deepening
Link between Asia-Europe (Gdansk port)
Threats
"brain drain" migration
Eurozone recovery
Conclusion + Recommendations
Poland is one of the European countries least affected by the economic crisis
…
1. Give an example of terminology that could be confusing between a digital forensic expert, a lawyer, judge, and potential jurors. In your opinion, how could this potential issue be reduced? Can we ever eliminate this issue?
2. Why is testifying and/or writing a report such a critical part of the computer forensics expert's job? In your opinion, which one is more important: testifying or writing a report?
accounting firm discovered a large embezzlement scheme. This immediately placed SharKapital's management at the center of civil and criminal lawsuits. As blame shifts from the Chief Executive Officer (CEO) to the Board of Directors, the company's legal department launches an urgent investigation, or electronic discovery (e-discovery), process. This process is used to collect and present digital forensic evidence that can implicate the guilty and clear the innocent.
Scenario
The Case
Headlines are breaking around the world as SharKapital's reputation comes under scrutiny. While most of their high-end clients are refusing to talk to the media, billionaire Felicia Favreau refuses to hide her contempt for the way she claims SharKapital has "mismanaged her funds."
Wall Street Salutes Blair Overton
Blair Overton, the CEO of SharKapital, has completed 20 years in the industry and is named this year's "Wall Street Czar." Wall Street's biggest and brightest fund managers salute this financial genius for his leadership skills and financial acumen, which transformed SharKapital from a small regional player into a global conglomerate. Overton's ability to negotiate the turbulent stock markets helped SharKapital stay afloat while his rivals drowned in chaos brought on by global
Public Relations Manager, Linda Garnett.
A transcript of their conversation is reproduced here.
Stanley: Our CEO, Blair Overton, has been charged with embezzling $120 million over a 10-year period through a complex series of fraudulent electronic financial transactions.
Markus: Overton borrowed the funds to finance his short-selling of premier stocks. We had no idea because he had our junior accountants on his payroll. I never saw these entries.
Linda: That's the same Overton whom Wall Street experts called a "financial genius" last year? Obviously, this means a massive financial crisis for the company and the markets.
Markus: Yes. Despite our years of success, it's clear we'll have to declare bankruptcy now.
Stanley: While Overton will face criminal charges from the District Attorney's office, SharKapital's board is facing a civil lawsuit from one of our top clients—Felicia Favreau.
Linda: Felicia has filed a negligence case against the board. I've asked our legal department to launch an e-discovery process immediately to obtain evidence of our innocence.
Corporate Legal Department
SharKapital's corporate legal department must begin the e-discovery process.
E-discovery is an investigation that corporations or private organizations conduct to obtain digital forensic evidence in cases of insider trading, accounting fraud, or industrial espionage.
It is mostly used for civil litigation and not for criminal cases. Law enforcement agencies are minimally involved, and corporate legal departments initiate and manage the e-discovery process by hiring private forensic investigators.
Forensic Investigators
SharKapital hires Richman and Stern, LLC, a medium-sized digital forensic investigation firm. This forensic firm will investigate the embezzlement scheme over the next four months by image-analyzing 200 or more computers and mobile devices.
After they locate the evidence, some of the forensic experts from Richman and Stern, LLC will be deposed and will serve as expert scientific witnesses. The experts will also prepare written forensic reports to present in court to validate the evidence they are presenting.
forensic investigation" is used in criminal matters. However, the actual forensic processes are nearly identical in both types of investigation.
Steps
Step 1: Manage Data
Companies are required to follow the Sarbanes-Oxley Act and Internal Revenue Service requirements for managing their financial and tax accounting data in digital and paper formats. Company data must be managed in an up-to-date inventory, and managers must know where the data are located: on-site, at corporate headquarters, or at an off-site storage location. For medium-sized and large companies, this is not a simple task because of the large volume of data they generate and retain.
Step 2: Collect Data
Investigators must determine which company resources they need to include in their investigation. For example, if a company's servers are attacked, which servers should be examined? Investigators must consult various personnel in the company who know how the data are stored and transferred. Often, the data being collected can amount to hundreds of gigabytes, even for a small case. If the organization manages its data efficiently, collecting the data will be simplified.
Step 3: Process Data
Records that are duplicated, outdated, or irrelevant to a case must be pointed out to management. Such records can then be destroyed through
Forensic investigators can organize the evidence neatly and efficiently to help make the lawyers' arguments convincing and persuasive.
Forensic investigators might also be asked to take the stand as expert witnesses. Lawyers and witnesses must adequately prepare for anything that might occur during the course of presenting digital files to a judge or jury in courtroom hearings.
Activity
Question: The world's largest fashion publication, F-Tonic, has discovered that several corporate spies are working at their subsidiary offices. F-Tonic's CEO believes these spies have been planted by their biggest rival, Radical Runway. However, before F-Tonic can fire these spies and take Radical Runway to court, it needs solid evidence.
As part of the e-discovery process, F-Tonic's legal department and forensic consultants carry out these five tasks. Arrange the tasks in the correct sequence required to carry out an e-discovery investigation.
a. Isolate the computers used by the spies.
b. Testify in court about Radical Runway's espionage plan.
c. Image the hard drives of the isolated computers.
d. Identify the e-mails the spies sent to Radical Runway.
e. Refer to the list of files located at the subsidiary offices.
Correct Answer: The correct sequence of tasks is e, a, c, d, b.
examiner draws up a list of 50 to 300 keywords. For example, in the SharKapital case, the possible keywords could include the name of the CEO, as well as the names of the CEO's relatives, known business associates, and suspected co-conspirators. These keywords can be mapped to documents, e-mails, and instant messages.
Searching E-Mails
After the forensic investigator obtains a suspected employee's password, he or she searches the suspect's computer for e-mails sent and received on particular dates. Through such a narrow but deep search, the examiner identifies the key people with whom the employee was communicating, such as co-conspirators and financial supporters. E-mail searches can also be used to identify critical dates of activities and appointments by acquiring calendar and contact information.
Recovering Deleted Files
Most computer forensic tools can recover deleted files or fragments of deleted files. To use these tools effectively, the forensic examiner must understand how files are stored and deleted on a computer's hard drive. The File Allocation Table (FAT) is a good resource to check for files that may have been deleted. This tells the examiner whether the user erased critical evidence.
Topic 3: Electronic Discovery
Forensic Toolkits
A forensic examiner can select forensic software appropriate for the techniques he or she is using. Often, forensic software is bundled up in toolkits to allow a forensic examiner to perform various functions while collecting evidence. While some forensic toolkits are little more than a collection of useful utilities, most toolkits are tightly integrated and have advanced user interfaces.
EnCase® Forensic
EnCase® Forensic, by Guidance Software, is an industry-standard digital forensic tool. It captures data from a wide variety of digital machines such as servers, workstations, and mobile phones. This software uses an advanced search functionality to retrieve data from the disk level, generates reports, and preserves the integrity of the evidence in a court-approved format.
Forensic Toolkit®
Forensic Toolkit® (FTK) is used by companies in the private sector and by law enforcement and government agencies worldwide. It runs on Windows operating systems and is considered the industry standard in cracking and decrypting passwords from e-mails and chats. Created by AccessData, FTK also streamlines keyword searches to locate data accurately.
The Sleuth Kit
The Sleuth Kit (TSK), developed by leading computer forensic researcher Brian Carrier, allows a forensic examiner to run a series of UNIX or Windows commands on a live hard drive to analyze it. By adding a graphical user interface (GUI) called Autopsy Forensic Browser to TSK, examiners can organize files in the system by date, type, and case. Examiners can also verify the integrity of any media images created for an investigation.
KazForensics
Kazeon's KazForensics has a built-in chain of custody for Electronically Stored Information (ESI). This feature allows examiners to maintain the data integrity of documents and e-mails during a forensic examination. Its auditable workflow allows the transparent and accurate forensic process to be verified in a court of law.
UMUC Cybercrime Investigation and Digital Forensics
computer. There were several e-mails exchanged between Mr. Overton and SharKapital's clients, giving evidence of insider trading. However, all this evidence was considered inadmissible in court due to the fact that the search warrant was not obtained in the proper manner.
Blair Overton's Lawyer
We were not aware of any e-mails between Mr. Overton and SharKapital's clients, as the search warrant issued by the court allowed forensic teams to search only Mr. Blair Overton's Manhattan residence, not his home on Long Island. Therefore, we asked the judge to declare a mistrial due to incomplete evidence. Because the opposing counsel's team violated the search warrant, Blair Overton has escaped paying court costs to the State of New York and also avoided a jail sentence.
Loopholes in the Evidence
The first problem with the evidence was the fact that the key evidence was procured without a proper search warrant. Besides the key evidence's being found inadmissible, there were other problems with the criminal investigation.
There was a significant difference between the total number of hard drives reported by the defendant's forensic team and the total number of hard drives listed by the New York Police Department (NYPD). This discrepancy showed up on the chain-of-custody form attached to the best evidence. Though the forensic team claims they used reliable
It has been preserved with an updated chain of custody.
If the evidence cannot be considered by a judge or jury, then the investigator will have wasted time and effort in preparing it. Furthermore, a guilty or liable party might escape punishment if incriminating evidence is inadmissible.
Sufficiency
A judge or jury deems that a piece of evidence is sufficient if they find it to be believable and persuasive based on lawyers' arguments and expert witnesses' testimony. In short, they must decide whether the evidence is authentic, accurate, and complete.
The evidence is authentic if it is demonstrated to have come from the claimed sources—for instance, the suspect's computer, smartphone, or server. The evidence is accurate if it tells a consistent story beyond a reasonable doubt. The evidence is complete if it tells only one story, and there are no other stories that the evidence could also tell that might have a bearing on this specific hearing.
Checklist
To ensure that the evidence they present is convincing and admissible, forensic investigators must do the following:
1. Use computer media that are considered sterile. This means that the media should be new and free from malware.
2. Maintain the integrity of the original media. This ensures that the digital evidence is
property can be unreasonably searched or seized. However, if a citizen's person or property is considered possible evidence in a case, a law enforcement officer can request a search warrant.
I asked Judge Zonuka for a search warrant that allows my team to search and seize Mr. Blair Overton's home computer at his Manhattan residence. A search warrant can be issued by a magistrate or judge only after he or she is convinced of three things: a high probability of a crime being committed; evidence related to the crime still exists; and the evidence most likely exists in the location that is to be searched.
Phoebe Zonuka, Civil Court Judge
I agree that Blair Overton is a reasonable suspect in this case and that he might have committed a crime. I'm issuing a search warrant that allows the police to search his Manhattan residence for specific files and folders related to financial transactions.
Once a search warrant is granted, law enforcement agents are permitted to search all places specified in the search warrant, such as an individual's house, apartment, office, vehicle, storage shed, or person.
Mark Shapiro, Police Officer
Despite carrying a search warrant, the evidence I procured was considered flawed. There were two main reasons:
1. There was a flaw in how the search warrant was executed.
a. The judge should not consider Tamara's DUI conviction as evidence. However, the judge may permit the DA to include it in opening and closing remarks because it relates to the legal concept of recidivism.
b. The judge should pay attention to Tamara's DUI conviction because it attests to her character. Prior criminal convictions are important when judging a defendant.
Correct Answer: Option a
Feedback:
A defendant's prior criminal history is relevant only if it relates directly to the current charges.
Step 2
In a case involving drug trafficking, various witnesses have been summoned to court to testify against the accused party. A key witness for the prosecution tells the court that her teenage daughter told her that she had bought crystal methamphetamine from the defendant on three different occasions. The defense counsel asks the judge to dismiss this statement from the court's record, but the judge allows the jury to consider this testimony.
Question: Do you think the judge should admit this testimony?
a. This testimony should be regarded as inadmissible because it is hearsay and does
a. If scientific testimony is given by a recognized forensic expert, then the absence of a chain-of-custody form will not diminish the admissibility or weight of the evidence.
b. Information on the chain-of-custody form is critical to proving that the evidence is authentic, accurate, and complete. Testimony is not a substitute for properly managed evidence.
Correct Answer: Option b
Feedback:
Without a supporting chain-of-custody form, the admissibility and weight of the evidence and testimony can be considered suspect and therefore inadmissible.
Step 4
While writing a speeding ticket, a highway patrol officer overhears the driver confirming a drug delivery on his cell phone. The officer orders the defendant to drop the cell phone outside the car and then scrolls through the phone's text messages, where the officer finds information on many drug deals.
Question: Should the judge consider the evidence found in the cell phone admissible in court?
a. Yes, the judge should consider the evidence found in the cell phone admissible in court because the officer had every right to overhear the driver's phone conversation, seize the cell phone in plain view, and view the text messages if he felt the driver was committing a felony.
b. No, the judge should not consider the evidence found in the cell phone admissible in court. The officer had no right to view the text messages or search the cell phone of a private citizen without a search warrant.
Reference: Supreme Court of Wisconsin. 2010. State of Wisconsin v. Carroll. Retrieved from http://www.wicourts.gov/sc/opinion/DisplayDocument.pdf?content=pdf&seqNo=46694
Correct Answer: Option b
Feedback:
After listening to the driver's conversation in plain view, the officer was justified in seizing the cell phone. However, the officer was not justified in viewing the text messages without a search warrant. Therefore, the judge should dismiss the evidence found in the cell phone.
examination and report for possible criminal charges & civil litigation.
Forensic Acquisition and Exam Preparation
1. On September 7, 2011, I began the forensic acquisition/imaging process of the stolen laptop. Prior to imaging the stolen laptop, I photographed the laptop, documenting any identifiers—such as make, model, and serial number, unique markings, or visible damage while maintaining Chain of Custody.
2. Using a sterile storage media (examination medium) that had been previously forensically wiped and verified by this examiner (MD5 hash value: ed6be165b631918f3cca01eccad378dd) using the FTK tool version 4.0. The MD5 hash value for the examination medium yielded the same MD5 hash value as the previous forensic wipes to sterilize this media.
3. At this point, I removed the hard drive from the stolen laptop and connected it to my hardware write-blocker, which is running the most recent firmware and has been verified by this examiner. After connecting the hardware write blocker to the suspect's hard drive, I connected the hardware write-blocker via USB 2.0 to my forensic examination machine to begin the forensic imaging process.
Doe and Jane Doe. Further analysis shows that a John Doe logged into his Google Mail account.
4. I found two clear sets of fingerprints on the laptop and sent them to the police detectives so that they could identify a match for both prints.
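The acquisition steps above rest on two hash checks: that the examination medium is sterile before it receives an image, and that the acquired image matches the source drive byte for byte, with both values recorded in the Chain of Custody. The Python below is an added example, not UMUC course material or FTK output; it models media as constructed in-memory byte strings and assumes a zero-fill wipe, so a sterile medium is expected to hash to the all-zero digest for its size.

```python
"""Sterile-media and image-integrity checks for a forensic acquisition.

Added example (not part of the course). Media and images are constructed
in-memory byte strings so the script runs offline; in practice the same
functions would stream the wiped examination medium and the acquired
image file through the hash in chunks.
"""
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces, as an imaging tool streams a disk


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of data, computed chunk by chunk."""
    h = hashlib.new(algo)
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()


def sterile_digest(size_bytes: int, algo: str = "md5") -> str:
    """Digest a medium of this size must have after a zero-fill wipe.

    The report excerpt compares the medium against the MD5 recorded at
    earlier wipes; deriving the expected all-zero digest from the size
    makes the check independent of any previously stored value.
    """
    h = hashlib.new(algo)
    zero = bytes(CHUNK)
    remaining = size_bytes
    while remaining > 0:
        n = min(remaining, CHUNK)
        h.update(zero[:n])
        remaining -= n
    return h.hexdigest()


def is_sterile(medium: bytes, algo: str = "md5") -> bool:
    """True only if every byte is zero, i.e. nothing was written since the wipe."""
    return digest(medium, algo) == sterile_digest(len(medium), algo)


def acquire(source: bytes, examiner: str, item: str) -> dict:
    """Simulate imaging through a write blocker and build a custody record.

    Both MD5 (as in the course report) and SHA-256 are recorded: MD5
    collisions are practical, so a second hash is kept alongside it.
    """
    image = bytes(source)  # bit-for-bit copy; a real tool reads sector by sector
    record = {
        "item": item,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": len(source),
        "source_md5": digest(source, "md5"),
        "source_sha256": digest(source, "sha256"),
        "image_md5": digest(image, "md5"),
        "image_sha256": digest(image, "sha256"),
    }
    record["verified"] = (record["source_md5"] == record["image_md5"]
                          and record["source_sha256"] == record["image_sha256"])
    return record


def matches_record(image: bytes, record: dict) -> bool:
    """Re-verify an image against its custody record before analysis or court.

    Any later write to the image, or a size mismatch, breaks the chain.
    """
    return (len(image) == record["size"]
            and digest(image, "md5") == record["image_md5"]
            and digest(image, "sha256") == record["image_sha256"])


if __name__ == "__main__":
    # Constructed sample: a 4 KiB examination medium that was wiped...
    medium = bytes(4096)
    print("medium sterile:", is_sterile(medium))                    # True
    # ...and one with a stray byte left behind by an incomplete wipe
    print("tainted sterile:", is_sterile(medium[:-1] + b"\x01"))    # False

    # Constructed sample "suspect drive": a boot-sector-like header, padding, text
    suspect = b"\xeb\x52\x90NTFS    " + bytes(2000) + b"Facebook email fragment"
    rec = acquire(suspect, examiner="J. Examiner", item="stolen laptop HDD")
    print("image verified:", rec["verified"])                        # True
    print("tampered image matches:", matches_record(suspect + b"\x00", rec))  # False
```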
Workspace
Question 01:
Report Excerpt
Using a sterile storage media (examination medium) that had been previously forensically wiped and verified by this examiner (MD5 hash value: ed6be165b631918f3cca01eccad378dd) using the FTK tool version 4.0. The MD5 hash value for the examination medium yielded the same MD5 hash value as previous forensic wipes to sterilize this media.
Read this excerpt from the report. Does it clearly identify and detail the assumptions of the case?
a. No, this excerpt deals with the gathering of evidence.
b. No, this excerpt deals with the forensic analysis.
c. Yes, this excerpt gives the reader a clear understanding of the assumptions.
d. Yes, this is a well-prepared set of assumptions in the case.
Correct Answer: Option b
Feedback:
This excerpt is part of the forensic analysis section of the report and does not have anything to do with the identified and detailed assumptions of the case. The assumptions of the case are located in the report's overview.
Question 02:
Report Excerpt
On September 5, 2011, John Doe contacted my office in regards to imaging a stolen laptop computer running Windows® XP Professional that had been recovered. Doe is requesting a forensic examination to see what company documents may have been stolen by the suspect(s) and is requesting a full forensic examination and report for possible criminal charges and civil litigation.
Does this excerpt sufficiently introduce the case investigated in this report?
a. Yes, it is sufficiently detailed.
b. Yes, but it could use more details.
c. No, it is more of a conclusion than an introduction.
d. No, it is not clearly written.
Correct Answer: Option b
Feedback:
Additional details—such as the type of content stored on the laptop or the date of the theft—would help the reader of this report get a clearer picture of the case more quickly.
computer was used and what each tool was used for.
Question 04:
Report Excerpt
A review of the Internet browsing history using Internet Evidence Finder allowed the following data to be recovered from sector 117004. The data show a Facebook email between John Doe and Jane Doe. Further analysis shows that a John Doe logged into his Google Mail account.
What information could be added to this section of the report?
a. An executive summary
b. Information about the forensic examiner
c. A more detailed description of what sector 117004 is
d. A glossary of terms
Correct Answer: Option c
Feedback:
A more detailed description of the sector from which data were acquired should be included in every forensic examiner's report. However, more information is needed, as there could be multiple hard drives or partitions on the computer.
of files related to a project that John Doe was working on. Based on the forensic procedures performed and results of those procedures, this examiner finds that Jane Doe was a hacker who befriended the victim through a social networking site and launched a cross-site scripting (XSS) attack to learn the victim's login and password credentials.
It can be reasonably assumed that Jane Doe stole the confidential data from John Doe's laptop. Thoroughness is extremely important because any indication of bias is likely to cause issues during legal proceedings. Therefore, it is essential to be thorough and objective when conducting a forensic investigation.
Further Challenges
While creating a digital forensic report for a recovered stolen laptop, consider these additional questions:
What other forensic tools could you use for better and faster results?
What other evidence should you look for that will directly or indirectly lead you to identifying the suspect?
Would you carry out any additional forensic analysis steps that are not mentioned in the report?
Lawyer 2: Choose carefully, as these witnesses will cost you around $500 an hour.
Witness Qualifications
Not everyone has the qualifications, expertise, or experience to be deemed an expert witness by the judge. Expert witnesses are expected to have exceptional technical knowledge and expertise that will help the judge and jury make their decisions.
Courts recognize expert witnesses based on these criteria:
1. Years of relevant industry work experience
2. Professional qualifications
3. Academic qualifications such as a Ph.D. or other advanced degree
4. Research experience
5. Ability to provide unbiased opinions
Daubert Guidelines
The Daubert guidelines were established as a result of the landmark 1993 case Daubert v. Merrell Dow Pharmaceuticals, Inc., to determine the legality of scientific testimony admitted into U.S. courts. These guidelines question the subject of the evidence, the techniques used to extract the evidence, and the view of peers in the scientific community. A judge has the power to dismiss expert scientific testimony if it does not meet the Daubert guidelines.
Topic 6: Legal Challenges
Presenting Evidence and Testimony in Court
Besides meeting admissibility criteria, evidence gathered through the e-discovery process must also follow the Federal Rules of Civil Procedure. These rules were amended in 2006 to include electronic evidence, and they require all parties to pay attention to ESI handling procedures early on or face penalties.
Forensic examiners, too, must maintain detailed and accurate documentation as well as Chain of Custody during the collection process. Otherwise, the review and presentation of evidence will be flawed and inadmissible.
The steps of the e-discovery process below will help you understand how a forensic examiner prepares documentation at each step.
Manage Data
This includes organizational policies and technical capabilities about:
Record retention
Safeguarding information
Data back-ups
Data security
Contractual relationships with third parties
Collect Data
While collecting data, the forensic examiner notes the off-site locations where data are stored and backed up, and finds out how remote users access this data.
The examiner should maintain this information:
The initial written request made for obtaining the remote evidence
Copies of all search authorizations granted by competent authorities
The Chain of Custody for each piece of evidence
Details on the steps taken to recover all evidence, image it, and analyze it
Process Data
While processing data, the forensic examiner can follow these best practices:
Include relevant additional information, such as the network architecture, the list of users of the systems, relevant data retention policies, and agreements signed by the users.
Describe the operating system, its version, and current patches and security updates installed on it.
List changes made to the network architecture or the system
up with an executive in the company's Purchasing Department and opened fictitious vendor accounts. Together, they purchased imaginary items and paid the fictitious vendors over a period of six months. When the company was audited, a loss of $425,000 was reported. The company's legal counsel has retained your services to conduct an e-discovery investigation and find evidence to support the civil case against Bianca and her associate.
Question 1: E-Discovery Step 2
In Step 2 of the e-discovery process, which of these tasks will be your focus?
a. Processing data
b. Collecting data
c. Managing data
d. Reviewing data
Correct Answer: Option b
Feedback:
As a forensic investigator, you will need to work with legal counsel to understand the organization's data retention policy and make a list of the types of data you will need to investigate this case.
Question 2: Financial Fraud
In a financial fraud investigation, what type of records will you collect?
a. Personnel timesheets
b. Employee résumés
c. Balance sheets
Knowing the location of all information system files and what digital data are stored off-site should be your primary focus in a digital forensic investigation.
Question 4: E-Discovery Step 3
In Step 3 of the e-discovery process, which of these tasks will be your focus?
a. Processing data
b. Collecting data
c. Managing data
d. Reviewing data
Correct Answer: Option a
Feedback:
Processing data is Step 3 of the e-discovery process. This includes using dead-box tools (run against an image of powered-off media) or live-box tools (run on a still-running system) to analyze and examine all relevant digital devices.
Question 5: Process Data
While processing data, which of these tasks should you perform?
a. Image important digital artifacts
b. Destroy unrelated paper documents
c. Collect digital files from multiple devices
d. Interview the main suspect
Correct Answers: Options a and c
Feedback:
First, you should collect digital files from the relevant devices. Then you need to immediately create an image of all the evidence you want to examine, and work from that image rather than from the original. It is unethical for a
Correct Answers: Options b, c, and d
Feedback:
The expertise of the witness, the relevance of the evidence, and the procedures used to obtain the evidence are all factors that determine admissibility. The defendant's prior criminal record cannot be used to taint the evidence presented in a new case.
Question 8: Courtroom
Besides the final forensic report, what else might you be expected to present in the courtroom?
a. The complete evidence
b. Courtroom testimony
c. Chain of Custody
d. Analytical tools
Correct Answers: Options b and c
Feedback:
You may be called upon by counsel to give expert scientific testimony in court. You must present the best evidence, not the complete evidence, together with an up-to-date Chain of Custody form to support your testimony. The analytical tools you use stay in the laboratory and are not required in the courtroom.
Question 9: Admissibility Criteria
Which of these criteria determine whether evidence presented in court is admissible in a criminal case?
a. Relevancy
Glossary
Admissibility: Admissibility is a legal standard applied to all evidence presented in a court of law. For evidence to be admissible it must be relevant, authentic, accurate, and complete, and it must have been lawfully obtained, for example seized in plain view or under a search warrant.
Chain-of-Custody Form: A chain-of-custody form shows how any kind of evidence has been captured, analyzed, tracked, and protected on its way to a court of law, recording who handled it, when, and what was done to it at each step.
E-Discovery: E-discovery, or electronic discovery, is a process of investigation used to locate and analyze evidence in a civil case. The process has five steps: managing, collecting, processing, reviewing, and presenting data.
Electronically Stored Information: Electronically Stored Information (ESI) is a term used for any information that is stored in an electronic format.
Exculpatory Evidence: Evidence is exculpatory if it tends to clear a defendant of the alleged criminal activity.
Federal Rules of Civil Procedure: The Federal Rules of Civil Procedure (FRCP) govern civil litigation in the federal district courts, including what each party must disclose in discovery and how electronically stored information is requested and produced. For instance, FRCP 37 lets a judge impose sanctions on a party that fails to cooperate in discovery or fails to preserve ESI it should have kept; search warrants belong to criminal procedure, not to the FRCP.
File Allocation Table: The File Allocation Table (FAT) is the on-disk index of the FAT family of file systems, used by older Windows versions and still common on removable media. It records which clusters are in use and links the chain of clusters that holds each file, so an examiner can follow where a file's contents are stored on the disk.
Forensic Toolkit: Forensic Toolkit (FTK) is a dead-box forensic analysis suite from AccessData, used by government agencies and corporate examiners to image, index, and analyze acquired media; password recovery and decryption of protected files are handled by AccessData's companion password-cracking tools rather than by FTK itself.
Hash Value: A hash value is a fixed-length fingerprint computed from a file's contents by a hash algorithm. Identical files produce identical hash values, so examiners use hashes to filter out duplicates and to check that an image or exported file has not changed since it was acquired. MD5, for instance, produces a 128-bit value (32 hexadecimal characters); it is still common in forensic reports, but SHA-256 should be recorded alongside it where collision resistance matters.
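The custody record the examiner must keep (the Chain of Custody for each piece of evidence, and the steps taken to image and analyze it) and the hash comparison described under Hash Value come together in a short script. The following is an added example written for this page, not course material and not the code of any tool named here: it hashes constructed sample items in one chunked pass (MD5 and SHA-256), groups byte-identical files so duplicates can be filtered out of a review set, and keeps an append-only custody log whose verify() re-hashes an item against the digests recorded at acquisition. The item names, contents, custodian name and source description are invented for the example.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample evidence items (bytes standing in for acquired files or disk
# images); names and contents are invented for this example.
SAMPLE_ITEMS = {
    "invoice_0001.pdf": b"Vendor: Acme Supplies Ltd\nAmount: 12,500.00\n",
    "invoice_0001_copy.pdf": b"Vendor: Acme Supplies Ltd\nAmount: 12,500.00\n",
    "approval_email.eml": b"From: purchasing@example.test\nSubject: PO approval\n",
}


def hash_stream(stream, algorithms=("md5", "sha256"), chunk_size=65536):
    """Hash a binary stream in chunks; returns {algorithm: hex digest}.

    Reading in chunks means a multi-gigabyte image never has to fit in memory.
    MD5 (128-bit) is kept for compatibility with older reports; SHA-256 is the
    collision-resistant value to rely on. Both are computed in one pass.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    while chunk := stream.read(chunk_size):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, **kwargs):
    """Hash an in-memory byte string (use open(path, 'rb') for a file on disk)."""
    return hash_stream(io.BytesIO(data), **kwargs)


def find_duplicates(digests_by_name, algorithm="sha256"):
    """Group item names that share a digest, i.e. byte-identical content.

    Returns {digest: [names]} with only the groups that have more than one
    member, which is the filter used to drop duplicates from a review set.
    """
    groups = {}
    for name, digests in digests_by_name.items():
        groups.setdefault(digests[algorithm], []).append(name)
    return {d: sorted(names) for d, names in groups.items() if len(names) > 1}


class ChainOfCustody:
    """Append-only custody log for one evidence item.

    Every entry carries the digests computed at that step, so each hand-off can
    be checked against the values recorded when the item was acquired.
    """

    def __init__(self, item_id, description):
        self.item_id = item_id
        self.description = description
        self.entries = []

    def record(self, action, custodian, digests, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {"timestamp": when.isoformat(), "action": action,
                 "custodian": custodian, "md5": digests["md5"],
                 "sha256": digests["sha256"]}
        self.entries.append(entry)
        return entry

    def verify(self, data):
        """Re-hash the item and compare with the acquisition digests.

        Returns (ok, current_digests). A mismatch means the item changed after
        acquisition, and nothing done with it since can be trusted in court.
        """
        if not self.entries:
            raise ValueError("no acquisition entry recorded")
        current = hash_bytes(data)
        first = self.entries[0]
        ok = current["sha256"] == first["sha256"] and current["md5"] == first["md5"]
        return ok, current


def build_custody_records(items, custodian="examiner"):
    """Acquisition step: hash every item once and open its custody log."""
    digests = {name: hash_bytes(data) for name, data in items.items()}
    logs = {}
    for name, d in digests.items():
        log = ChainOfCustody(name, "exported from purchasing file share")  # assumed source
        log.record("acquired", custodian, d)
        logs[name] = log
    return digests, logs


if __name__ == "__main__":
    digests, logs = build_custody_records(SAMPLE_ITEMS)
    print("duplicate groups:", find_duplicates(digests))
    original = SAMPLE_ITEMS["invoice_0001.pdf"]
    print("unchanged verifies:", logs["invoice_0001.pdf"].verify(original)[0])
    print("tampered verifies:", logs["invoice_0001.pdf"].verify(original + b"!")[0])
```

Run directly, the script reports one duplicate group (the two byte-identical invoices) and one failed verification after a single byte is appended. In practice the same two digests are written on the chain-of-custody form at every hand-off, and a reviewer can recompute them from the preserved image at any later point without trusting the examiner's word.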
Inculpatory Evidence: Evidence is inculpatory if it tends to show that the alleged guilty party committed the crime in question.
KazForensics: KazForensics is a forensic toolkit that is used to fingerprint ESI documents, audit ESI systems, and validate ESI evidence through a Chain of Custody.
Plain View: Plain view is a legal doctrine that allows an officer of the law to