![Page 1: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/1.jpg)
The Value of Digital Evidence
Tobin Craig, MRSC, CISSP, SCERS, CCE
Laboratory Chief, Computer Crimes Unit
Office of Inspector General, Dept of Transportation
![Page 2: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/2.jpg)
Overview
- Key Attributes of Digital Evidence
- Reconnoiter
- Legal Perspective
- Preservation & Collection: Planning, Preservation, Monitoring
- Forensic Analysis: Email, Search terms, Other considerations
![Page 3: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/3.jpg)
Key Attributes of Digital Evidence
Digital evidence is HIGHLY PERISHABLE
Can be adversely affected by:
- Normal IT processes
- Any “innocent” interaction
![Page 4: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/4.jpg)
Key Attributes of Digital Evidence
Digital evidence is HIGHLY PERISHABLE
Subject can EASILY destroy most digital evidence:
- Hammer
- Toss in pool
- Magnets
![Page 5: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/5.jpg)
Key Attributes of Digital Evidence
Data is rendered at a microscopic level
Requirements:
- Specialized recovery processes
- Trusted containers
- Specialized tools
- Trained individuals
![Page 6: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/6.jpg)
Reconnoiter: Cluttered Desktop?
Drawers, notepads, post-its, etc. What will they tell us?
- Indented writing
- Authorship
- Investigative leads
![Page 7: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/7.jpg)
Reconnoiter: Cluttered Desktop?
- File activity
- Running processes
- Software
- Images
- Deleted files
- Hidden data
![Page 8: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/8.jpg)
Reconnoiter: What is electronic media?
Electronic media is a storage location for information in electronic form.
![Page 9: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/9.jpg)
Your leads could be here….
![Page 10: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/10.jpg)
Or they could be here
![Page 11: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/11.jpg)
Reconnoiter: Understanding the environment
In the real world:
- Where does the subject go?
- Who does the subject talk to?
- What does the subject do?
![Page 12: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/12.jpg)
Reconnoiter: Understanding the environment
In the digital world:
- Where does the subject go?
- Who does the subject talk to?
- What does the subject do?
SAME QUESTIONS APPLY!
![Page 13: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/13.jpg)
Reconnoiter: Understanding the environment
Two-part strategy:
1. Understand the environment: current assets, previously assigned assets
2. Learn the subject’s on-line behavior in that environment
![Page 14: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/14.jpg)
[Network diagram; labels: Verizon, Sprint, etc.; WWW]
![Page 15: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/15.jpg)
Reconnoiter: Looking Beyond the organization
![Page 16: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/16.jpg)
General Investigative Questions
USERS:
- Who? User names, how many, competency, passwords
- When?
- What? What does each user use the computer for?
![Page 17: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/17.jpg)
General Investigative Questions
EMAIL:
- Who is the email provider?
- What software is used?
- What are all the affected email addresses?
- Passwords
- Web based, server based, or local?
![Page 18: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/18.jpg)
Obtaining Computer Evidence
- From third parties
- By consent
- Search warrants
![Page 19: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/19.jpg)
Third Parties
Getting a work computer from an employer: it is not just a question of who owns the computer.
- Does the employee have a reasonable expectation of privacy in the computer?
- What are the policies and practice of the organization?
![Page 20: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/20.jpg)
Third Parties
Information from Internet Service Providers is governed by 18 USC 2703.
- Basic subscriber information can be obtained with an administrative subpoena.
- E-mails: 2703 requires a search warrant for unopened emails that are 180 days old or less. The statute provides for use of a grand jury subpoena for other emails, but one circuit has held that unconstitutional.
- Other information: court order or search warrant.
![Page 21: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/21.jpg)
Search Warrants
- Should be able to convince a court that you can’t search on-site
- Traditionally analogized to cases with voluminous paper files
- Need to counter defense arguments that search programs make on-site search practical
![Page 22: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/22.jpg)
Search Warrants
Court limitations:
- What can you search?
- Where can you get it from?
- How can you search?
- How long do you have to search?
![Page 23: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/23.jpg)
Consent
Sounds simple, but:
- What if the computer is used by multiple people?
- Password-protected files
- One user consents, the other objects
- What if consent is withdrawn?
![Page 24: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/24.jpg)
Preservation & Collection
- Golden Rules
- Planning
- Collection
![Page 25: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/25.jpg)
Golden Rule #1: Secure the Scene
- Officer safety
- Everyone step away from the computers
- Observe any unusual computer activity
- Locate the network administrator
![Page 26: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/26.jpg)
Golden Rule #2: “Are you allowed to take that?”
- Search warrant (most preferred method): pre-defined search and seizure
- Consent: specifically document both the seizure and the future forensic examination of the hardware, software, and electronic media
- Plain view: authority to seize, not search
![Page 27: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/27.jpg)
Golden Rule #3: Do not access any computer files
- No changes after the start of the search
- Don’t access any files, images, etc.
- If OFF, leave OFF
- If ON, photograph the screen
- If ON, look at the monitor for unusual activity
![Page 28: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/28.jpg)
First things first: general guidelines
- Do NOT allow anyone to touch or get near the computer
- Disconnect the modem or network cable ASAP
- Photograph the computer and any electronic media attached
- Label all components
- Locate other media
- Don’t be afraid to call for assistance
Note: anything held only in RAM (running processes, open network connections, unsaved data) is gone once power is removed; if volatile data matters to the case, the examiner has to capture it before the machine is shut down.
![Page 29: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/29.jpg)
Planning
- Is it evidence? Address the question early.
- Search warrants: introduce DoJ’s recommended language early.
- Talk with computer examiners early.
- Specialized knowledge of legal requirements: CCIPS (DoJ Computer Crime and Intellectual Property Section)
![Page 30: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/30.jpg)
Planning
- Recent hardware changes? Cooperation from the internal IT department
- Recent name changes? Marriage
- Recent location changes? Phone numbers, office locations
![Page 31: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/31.jpg)
Planning
- Deciding who will be conducting the forensic search of the acquired data
- Cooperation regarding procedures, paperwork, jurisdiction……
![Page 32: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/32.jpg)
Collection
Typically a three-part process:
1. Identifying the media of potential interest (probable cause, within scope)
2. Accurate documentation
3. Analyzing the data on the media
![Page 33: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/33.jpg)
Step 1: Identifying the Media
Preservation: data within the organization
- Use an internal trusted contact within the organization’s IT department
- Email preservation
- Hardware preservation: previously supplied equipment, network stored assets
- Data in volatile memory
- Instant messaging
![Page 34: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/34.jpg)
Step 1: Identifying the Media
Preservation: data outside the organization
- 2703(f) preservation letters: speed is critical (AOL keeps transactional records for two days)
- Subpoenas, etc.
- Monitoring (authorized only, please!)
![Page 35: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/35.jpg)
Monitoring
Think of it as an AUTHORIZED recording of activity for playback and review at a later stage.
![Page 36: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/36.jpg)
Step 2: Accurate Documentation
- Accurate documentation of each system
- Extra care at the front end makes it easier at the back end
- Evidence collection documentation should uniquely identify anything that you recover from the scene or the computer
- No “bag o’ phones” type evidence collection documentation…..
![Page 37: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/37.jpg)
Step 2: Accurate Documentation
Good:
- One (1) Dell Optiplex CPU, Service Tag Q654321A, recovered from under desk, Room number 23, building 12, on 6/23/07.
- One (1) Dell Optiplex CPU, Service Tag T123456B, recovered from top of desk, Room number 23, building 12, on 6/23/07.
Not so good:
- Two (2) black computers.
![Page 38: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/38.jpg)
[Network diagram; label: Preservation Zone 1]
![Page 39: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/39.jpg)
[Network diagram; labels: Preservation Zone 1; Preservation Zone 2]
![Page 40: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/40.jpg)
[Network diagram; labels: Verizon, Sprint, etc.; WWW; Preservation Zone 1; Preservation Zone 2; Preservation Zone 3]
![Page 41: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/41.jpg)
What is computer forensics?
Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
![Page 42: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/42.jpg)
Forensic Analysis: the ACTUAL Search
Two vital questions. First: what’s the authority for the search?
- Consent
- Search warrant
- Organizational logon banner
![Page 43: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/43.jpg)
Forensic Analysis: the ACTUAL Search
Two vital questions. Second: what are you looking for?
- Need to go beyond search terms. A reasonable understanding of the case allows us to be more effective for you.
- Affidavits for search should always be structured to address the subsequent analysis of the data.
![Page 44: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/44.jpg)
General Forensic Capability
- Obtain regular or deleted files (deleted files only if not overwritten)
- Search for keywords or patterns (may be hampered by the format of the information)
- Extraction of files from raw disk (carving): need to understand the file format and have its header
- Determine Internet activity
- Extraction of e-mail
![Page 45: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/45.jpg)
Forensic Analysis: the ACTUAL Search
What are you preserving? Images, databases, documents, applications, file slack.
Huh?
![Page 46: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/46.jpg)
File slack
“Left over spaces”: the bytes between the end of a file’s data and the end of the last cluster allocated to it. The file system does not clear them when it writes the new file, so they can still hold fragments of whatever previously occupied that cluster.
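The following is an added example, not code from the presentation: a toy cluster-allocated disk that makes three of the claims above concrete. A deleted file survives until its clusters are reused, a carver gets it back from the raw bytes using the JPEG header and footer signatures (and fails once the header has been overwritten), and the slack of a new, shorter file still holds fragments of the old one. The cluster size, the file contents and the naive allocator are all assumptions for the demonstration.

```python
"""Added example (not from the presentation): a toy cluster-allocated disk that
shows a deleted file surviving until its clusters are reused, header/footer
carving recovering it from raw bytes, and file slack holding fragments of an
overwritten file. All data here is constructed."""
from typing import Optional

CLUSTER = 512               # assumed cluster size for the toy disk
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker (file header)
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker (file footer)
MEMO = b"meeting notes: nothing to see here\n"   # constructed small text file


class ToyDisk:
    """Raw bytes plus a directory {name: (first_cluster, size)}.
    Deleting only removes the directory entry; the bytes stay on disk."""

    def __init__(self, clusters: int) -> None:
        self.raw = bytearray(CLUSTER * clusters)
        self.directory = {}
        self.next_free = 0   # naive allocator: hand out clusters in order

    def write(self, name: str, data: bytes, first_cluster: Optional[int] = None) -> int:
        start = self.next_free if first_cluster is None else first_cluster
        off = start * CLUSTER
        # only len(data) bytes are written; the rest of the last cluster is left as-is (slack)
        self.raw[off:off + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free = max(self.next_free, start + -(-len(data) // CLUSTER))
        return start

    def delete(self, name: str) -> int:
        start, _ = self.directory.pop(name)
        return start   # clusters are now unallocated, but nothing was wiped

    def slack(self, name: str) -> bytes:
        """Bytes between the file's logical end and the end of its last cluster."""
        start, size = self.directory[name]
        allocated = -(-size // CLUSTER) * CLUSTER
        return bytes(self.raw[start * CLUSTER + size:start * CLUSTER + allocated])


def carve_jpegs(raw: bytes) -> list:
    """Header/footer carving: every SOI marker paired with the next EOI marker.
    A file whose header was overwritten is not found, which is the
    'deleted files only if not overwritten' limitation."""
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(bytes(raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def make_photo(tag: bytes) -> bytes:
    """Constructed JPEG-looking blob (685 bytes, so it spans two clusters)."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + tag * 84 + JPEG_EOI


def demo() -> dict:
    disk = ToyDisk(clusters=8)
    photo_a, photo_b = make_photo(b"PHOTO-A "), make_photo(b"PHOTO-B ")
    disk.write("a.jpg", photo_a)               # clusters 0-1
    b_start = disk.write("b.jpg", photo_b)     # clusters 2-3
    disk.delete("a.jpg")                       # deleted, never overwritten
    disk.delete("b.jpg")                       # deleted, then its first cluster is reused:
    disk.write("memo.txt", MEMO, first_cluster=b_start)
    carved = carve_jpegs(bytes(disk.raw))
    slack = disk.slack("memo.txt")
    return {
        "carved_count": len(carved),                       # a.jpg only; b.jpg lost its header
        "carved_intact": bool(carved) and carved[0] == photo_a,
        "slack_len": len(slack),                           # CLUSTER - len(MEMO)
        "slack_has_old_photo": b"PHOTO-B" in slack,        # fragment of the overwritten file
    }


if __name__ == "__main__":
    print(demo())
```

Real carvers also have to cope with fragmented files and with footer-less formats (where the size is read from the header instead), which is why the slide says the examiner needs to understand the file format, not just its signature.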
![Page 47: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/47.jpg)
Date and Time stamps
Files have four date/time stamps associated with them:
- Date created: when the file first appeared on that particular media
- Date written (modified): when the file was last opened and a change made
- Date accessed: when the file was last acted upon (no changes)
- Date deleted: when the file was sent to the Recycle Bin (Windows)
Caveats: the first three are file-system timestamps (NTFS keeps a fourth, the MFT entry modification time, as well). The deletion date is not kept by the file system at all; it comes from the Recycle Bin’s own metadata record for the file. Last-access time is the least reliable of the three, because Windows has disabled last-access updating on NTFS by default since Vista, so it may simply be stale.
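An added example, not part of the presentation, showing where the fourth date actually comes from and how an examiner sanity-checks the other three. On Vista and later the Recycle Bin renames a deleted file to `$R<id>.<ext>` and writes a small `$I<id>.<ext>` record beside it holding the original path, size and deletion time as a Windows FILETIME; the parser below reads that record. The record itself is constructed with `build_dollar_i_v2` (the path, size and dates are made up), and `timestamp_flags` applies two heuristics that follow from the slide’s own definition of “date created” as first appearance on this media.

```python
"""Added example (not from the presentation): parse a Windows Recycle Bin $I
record for the deletion time, and sanity-check the three file-system dates.
The record below is constructed, not taken from a real system."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME = 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # integer timedelta division keeps full precision (a float would not at ~1e16 us)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(blob: bytes) -> dict:
    """$I record: u64 version (1 = Vista..8.1, 2 = Win10+), u64 original size,
    u64 deletion FILETIME, then the original path as UTF-16LE:
    version 1 uses a fixed 520-byte field, version 2 a u32 character count first."""
    version, size, ft = struct.unpack_from("<QQQ", blob, 0)
    if version == 1:
        raw_path = blob[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", blob, 24)
        raw_path = blob[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]   # drop NUL terminator
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i_v2(path: str, size: int, deleted_at: datetime) -> bytes:
    """Constructs a version-2 record (character count includes the NUL terminator)."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_at), len(path) + 1) + encoded


def timestamp_flags(created: datetime, written: datetime, accessed: datetime) -> list:
    """Sanity checks on the three file-system dates from the slide."""
    flags = []
    if created > written:
        # 'created' is first appearance on THIS media: a copy or move lands here with
        # a new creation time but keeps the original last-written time
        flags.append("created after last write: file was copied or moved onto this media")
    if accessed < written:
        flags.append("accessed before last write: last-access updating is probably disabled, "
                     "do not build a timeline on it")
    return flags


def demo() -> dict:
    deleted = datetime(2007, 6, 23, 14, 5, 9, tzinfo=timezone.utc)
    record = build_dollar_i_v2(r"C:\Users\subject\Documents\bid_summary.xls", 48_640, deleted)
    parsed = parse_dollar_i(record)
    parsed["flags"] = timestamp_flags(
        created=datetime(2007, 6, 20, tzinfo=timezone.utc),    # copied onto this disk 6/20
        written=datetime(2007, 3, 2, tzinfo=timezone.utc),     # last edited 3/2, elsewhere
        accessed=datetime(2007, 1, 15, tzinfo=timezone.utc))
    return parsed


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

FILETIME values are UTC; converting them to the subject’s local time zone (and noting which one) is part of the documentation, otherwise the “date deleted” in a report is off by the UTC offset.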
![Page 48: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/48.jpg)
Email preservation
Can’t I just open PST files and look myself?
- Your profile will override that of the subject
- Any printouts will have your name at the top of the page = more explaining
- Anything left in the subject’s outbox may auto-send
![Page 49: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/49.jpg)
Email preservation
Can’t I just open PST files and look myself?
- Read/unread status of emails will change
- Calendar and task entries may auto-update
- You won’t find deleted email!! Deleted email is not the same as email in the Deleted Items folder
Search Terms
Keyword: a unique word, phrase, or character string which can be found in the documents of interest.
- Avoid short strings: they may be part of a longer word
- Avoid common terms or acronyms for the person being searched
- Don’t search for “747” at Boeing
![Page 51: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/51.jpg)
Search Terms: good examples
- Social Security Number
- Contract number
- Phone number
- Credit card number
- Part numbers (if long enough)
- Unique names
![Page 52: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/52.jpg)
Narrowing Search Data
- Format of the information: documents, e-mail, databases, etc.
- Understanding how the company or agency operates can be invaluable
- Timeframes
- Keywords
- Authors or participants
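The three Search Terms slides above, as an added example that is not part of the presentation: a keyword search run over a raw image the way a forensic tool does it. It makes the two caveats concrete. A short string such as “747” hits inside longer strings unless the search is whole-word, and text stored as UTF-16LE (the encoding of much Windows document and artifact text, one instance of “hampered by the format of the information”) is invisible to a plain ASCII search. It also shows a pattern search for one of the “good example” keyword types, SSN-shaped strings. `IMAGE` is a constructed byte string, not real evidence, and the contract number in it is made up.

```python
"""Added example (not from the presentation): keyword and pattern search over a
raw image in ASCII and UTF-16LE, with whole-word matching. IMAGE is constructed."""
import re

WORD = rb"[A-Za-z0-9]"   # what counts as a word character for whole-word matching

# constructed "image": ASCII text, a UTF-16LE block, and some filler bytes
IMAGE = (
    b"\x00" * 16
    + b"Subject: Boeing 747-400 spares, part B747-23 and 747 units on order\n"
    + b"\x00" * 8
    + "Award CONTRACT-2007-0042 to ACME".encode("utf-16-le")
    + b"\x00" * 8
    + b"SSN 123-45-6789 on file; ref 747\n"
    + b"\xff" * 16
)


def search_image(image: bytes, keyword: str, whole_word: bool = True) -> list:
    """Return sorted (offset, encoding) hits for keyword, in ASCII and UTF-16LE."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = re.escape(keyword.encode(enc))
        if whole_word:
            # in UTF-16LE each ASCII character is followed by 0x00, so the word
            # boundary test has to look at two bytes instead of one
            wc = WORD if enc == "ascii" else WORD + rb"\x00"
            pattern = rb"(?<!" + wc + rb")" + needle + rb"(?!" + wc + rb")"
        else:
            pattern = needle
        hits.extend((m.start(), enc) for m in re.finditer(pattern, image))
    return sorted(hits)


SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")   # pattern search: SSN-shaped strings


def find_ssns(image: bytes) -> list:
    return [m.group().decode("ascii") for m in SSN_RE.finditer(image)]


def demo() -> dict:
    contract = search_image(IMAGE, "CONTRACT-2007-0042")
    return {
        "747_substring": len(search_image(IMAGE, "747", whole_word=False)),   # 4, incl. B747-23
        "747_whole_word": len(search_image(IMAGE, "747")),                    # 3
        "contract_ascii_hits": len([h for h in contract if h[1] == "ascii"]), # 0: stored as UTF-16LE
        "contract_all_hits": len(contract),                                   # 1
        "ssns": find_ssns(IMAGE),
    }


if __name__ == "__main__":
    print(demo())
```

The hit offsets are what the examiner follows up on: which file (or unallocated cluster) an offset falls in decides whether the hit is a live document, a deleted one, or slack, which is why the search runs over the whole image rather than over the files the operating system still lists.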
![Page 53: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/53.jpg)
Other Forensic Capabilities
- Comparison of files
- Ownership of files
- Extraction/analysis of metadata: show who worked on documents; tie a file to a particular person or hardware; demonstrate false creation of documents
- Crack passwords and encryption: probability ranges from 100% to fat chance
![Page 54: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/54.jpg)
Forensics, a trade-off:
- Fast + Right = Expensive
- Cheap + Right = Slow
- Fast + Cheap = Inaccurate
![Page 55: The Value of Digital Evidence](https://reader036.vdocument.in/reader036/viewer/2022062315/56815d63550346895dcb6a72/html5/thumbnails/55.jpg)
Why Does This Matter to You?
- The types of evidence you need go far beyond paper trails and routine computer files; digital evidence comes in many forms
- There could be valuable evidence/leads to support your case in RAM, unallocated space, the pagefile
- Great investigators bring all kinds of tools to the case!
“Think inside the box!”