Criminal evidence marjie t britz

Computer Forensics and Cyber Crime

CHAPTER

Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Computer Forensics: Terminology and Requirements

10

Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Learning Objectives

Learn some of the problems associated with computer investigation.
Gain insight on how computer disks are structured.
Be able to discuss the means in which computers store data.
Explore the types of data recovery methods which agencies use today.
Develop a working knowledge of FAT and its importance to computer investigation.
Learn the five categories of software that can be used in computer investigation.
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Computer Forensics – An Emerging Discipline

New Police Techniques and Strategies

New Patterns of Criminal Behavior

New Technology

Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Computer Forensics – An Emerging Discipline

Necessary to maintain integrity of evidence
Maintaining a chain of custody
Ensuring that viruses are not introduced to a suspect machine during analysis
Ensuring that evidence remains in an unaltered state
Goal: Protect digital evidence from possible alterations, damage, data corruption, or infection by design or carelessness
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Traditional Problems in Computer Investigations

Many echo problems with criminal investigations in general.
Inadequate resources
For local law enforcement, increased responsibilities and dwindling budgets, decreasing chances of taking advantage of limited educational opportunities
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Traditional Problems in Computer Investigations

Lack of communication and cooperation among agencies
Forced alliances may not achieve much success
Overreliance on automated programs and self-proclaimed experts
Great need equals great expectations for any efforts?
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Traditional Problems in Computer Investigations

Lack of reporting
Due to perception of incompetence of law enforcement, low rate of reporting by victims
Exacerbated by corporate advisors' self-serving, discouraging take on the process
Belief that law enforcement lacks sufficient resources
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Traditional Problems in Computer Investigations

Evidence Corruption – Cardinal Rules of Computer Investigations
Always work from an image, leaving the original hard drive unaltered.
Document, document, document.
Maintain the chain of custody.
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Disk Structure and Digital Evidence

Terms to know:

Operating systems
Hardware
Software
Firmware
Computer
Static memory
Volatile memory (cache, RAM)
Nonvolatile storage
Computer storage
Primary storage
Secondary storage
Floppy disks or diskettes
CD-ROMs
CD-RWs
Hard/fixed disks
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Disk Structure and Digital Evidence

Disk Structure and Data Storage

Drives
Physical: Devices and data at the electronic or machine level
Physical file size: Actual space that the file occupies on a disk
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Disk Structure and Digital Evidence

Logical: Allocated parts of a physical drive that are designated and managed as independent units; most important in computer forensics
Logical file size: The exact size of a file in bytes

Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Disk Structure and Digital Evidence

Terms

Bits
Tracks
Cylinder
Sectors
Shaft
Head
Actuator arm
Platters
Spindle
ASCII
Binary system
Hexadecimal system
Clusters (aka file allocation units)
Compressed files
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Disk Structure and Digital Evidence

Partition Table

File Systems
FAT: File Allocation Table (FAT16, FAT32)
NTFS (creates fragments; may involve an encrypting file system [EFS])
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Disk Structure and Digital Evidence

Firmware – Operating Instructions

Not only hardware

Terms

BIOS (Basic Input/Output System)
Initial commands about bootstrap loader (using boot sector/absolute sector 0)
POST (Power-on self-test)
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Disk Structure and Digital Evidence

Data integrity
Cyclical redundancy checksum (CRC), a tool for validation
MD5-Hash, a verification tool
Hashkeeper, software that lists known files
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Developing Computer Forensic Science Capabilities

Standard Operating Procedure (SOP) are constantly changing due to advances in technology.
Should be clearly articulated and readily available
Consisting of appropriate software, hardware, special investigating procedures
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Housing Requirements

Need to have secure, clean facilities suitable for conducting forensic analysis

Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Hardware Requirements

Lab systems

Basic: Bare-bones equipment
Better: But can handle only single-tasking workloads
Power: Capable of handling larger workloads simultaneously
Dream: The best system available
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Hardware Requirements

Evidence storage drive
Operating system
Display
Uninterruptible power supply
Write blocker
Scanner
Printer
Evidence backup
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Hardware Requirements

Considerations
Type of computer
Processor speed
Memory
Network
I/O interfaces
Optical drive
OS drive
Evidence storage drive
Operating system
Write blocker
Battery
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Software Requirements

Data Preservation, Duplication, and Verification Tools

Critical role played by imaging programs
Pick at least two that are comfortable
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Software Requirements

To comply with NIST standards, this tool ought to:
Be capable of making a bitstream duplicate or an image of an original disk or partition onto fixed or removable media
Not alter the original disk
Be able to access both IDE and SCSI disks
Be able to verify the integrity of a disk image file
Log I/O errors
Provide substantial documentation
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Software Requirements

Data Recovery Extraction Utilities

Physical involves:
Keyword-searching
File-carving
Extraction of the partition table and unused space on the physical drive
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Software Requirements

Logical involves:
Extraction of the file system information to reveal characteristics (i.e., file names, file size, file location, attributes, etc).
Data reduction to identify and eliminate known files through the comparison of calculated hash values to authenticated hash values
Extraction of pertinent files
Recovery of deleted files
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Software Requirements

Extraction of password protected, encrypted, & compressed data
Extraction of file slack
Extraction of unallocated space
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Software Requirements

General categories of data analysis software:
Indexing
Text-searching
viewers
Time frame analysis
Application analysis
Will need to use:
File viewers, often with child pornography cases
Text-searching software for words, phrases, and strings appropriate to a each case
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Software Requirements

Reporting software should generate a report containing the following, at a minimum:
Lab’s name, address, and contact information
Date of report
Name, signature, and address of the investigator and investigative agency
Case number
Case information – Suspect(s), victim(s), alleged offense
Lab case identifier
Evidence Log – Date and receipt of evidence, seizure details, etc.
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Software Requirements

Physical description of items evaluated
Methods, procedures, products, and/or software used in the analysis
Results of the examination
Conditions affecting the results, where applicable
Basis of opinions and interpretations of results, where applicable
Case-specific information requested by investigator
Statement of compliance or noncompliance with certain specifications or other requirements (as applicable to interpretations)
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Minimum Software Requirements

Miscellaneous software
Presentation applications (i.e., PowerPoint, etc.)
Word processing applications
Spreadsheet applications
Wiping software
Antivirus software
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

A Sampling of Popular Forensic Software

Guidance Software (EnCase Forensic), especially version with password crackers
Also makes an imaging/verification hardware device: FastBloc
Access Data (Ultimate Toolkit), compatible with EnCase, Snapback and Safeback
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

A Sampling of Popular Forensic Software

Other forensic utilities
Imaging & verification: ByteBack, Safeback
Wiping programs: Maresware’s DECLASFY, Access Data’s WipeDrive – both meet Department of Defense's rigorous standards
Unix: Data Dumper (dd), Grep, The Coroner’s Toolkit
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz

Copyright © 2013 by Pearson Education, Inc. All Rights Reserved

Conclusions

Guarding against poorly run investigations, due in part to administrative apathy and inadequate resources, lack of appropriate training
Need to satisfy forensic computer science capabilities
Aim for collaboration with civilian experts and corporate entities, when appropriate
Need to meet certain minimum requirements, including equipment and housing