Evidence Gathering

Criminal Evidence Rules
• Authentication*
– A true copy of the original
• Best evidence
– Presenting original
• Exceptions to hearsay
– Allowable exceptions
*Most common
Elements of Authentication
• Documentation
– Condition of evidence must be documented
• Preservation
– Errors from destruction, mishandling, contamination
– 3 possible sources of error from chain of custody: discovery (police), collected (crime scene technician), packaged/labeled/transported (police), logged at lab, stored, etc.
• Authenticity
– Scientific evidence standards
Authentication
• Evidence must demonstrate that data recovered provides a true and accurate reflection of the original data at the time of collection
– Address technical issues concerning the process used to examine the hard drive
• Ability to identify information derived from the hard drive that links a suspect to the recovered file(s)
– Address relevancy
– Procedures to collect, image, examine and preserve
Best Evidence Rule
Evidence constructed is an accurate representation of the original data on the system.
The Legal Basis for Using Tools
• State of Washington v. Leavell
– Using tools must meet Frye analysis
– Tools must pass test as used and accepted within industry as valid
• Cross-validation is critical
– What is validation?
– Who validates tools?
– How is validation done?
Authentication
• Federal Rules of Evidence (901 & 1002/1003)
– Must demonstrate that the recovered files are authentic to be considered relevant
– Must submit original or a duplicate
– Copies are used for data recovery and analysis
Scientific Tests
• FRE 401-403 allow anything that materially assists the trier of fact to be deemed relevant by the trier of law
• Frye standard (US v Frye 1923): for the results of a scientific technique to be admissible, the technique must be sufficiently established to have gained general acceptance in its particular field
• Coppolino (Coppolino v State 1968): may use a new test if an adequate foundation is laid
• Marx standard (People v Marx 1975): common sense understanding (the no-jargon rule)
• Daubert standard (Daubert v Merrell Dow 1993): requires special pretrial hearings for scientific evidence and special procedures on discovery, where the rules are laid out for validity, reliability, benchmarking, algorithms, and error rates
Collection
• Chain of custody demonstrates evidence collected is authentic
• Must be documented
– Creates a sequence of steps, inventory, preservation
Imaging
• Combination of software tools and procedures to produce a copy
• Creates a bit stream or mirror that duplicates every sector
• NIST requirements for tools
– Tool must not alter original
– If no errors, should be a bitstream duplicate
– If IO errors, then produce a qualified bitstream (except for errors): errors are replaced with identifiable values
– Tool should log IO errors by type and location
• Results should be verified
– James Holley discovered in 2000 that some SCSI drives do not image completely with some tools
• Differences will draw “best evidence” objections
Imaging
• Using MD5 (message digest) hashes to verify a copy is a true and accurate representation of the original
– Creates a fingerprint
• MD5 uses a 128 bit hash
• SHA-1 uses a 160 bit hash
• CRC used as a double checksum
– Detects errors 32 bits or smaller
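The two Imaging slides above describe a sector-by-sector copy that replaces unreadable sectors with an identifiable value, logs each IO error by type and location, and is then verified with MD5, SHA-1 and a CRC. The following is an added illustration, not code from the slides: it models that workflow against a constructed in-memory "drive" (FakeDrive, a stand-in for a real device) so the qualified-bitstream case can be exercised offline.

```python
import hashlib
import zlib

SECTOR = 512
FILL = b"\x00" * SECTOR  # identifiable value written in place of an unreadable sector

class FakeDrive:
    """Constructed in-memory device for the example: reads of sectors listed in
    bad_sectors raise OSError, simulating the IO errors the NIST requirement covers."""
    def __init__(self, data, bad_sectors=()):
        self.data, self.bad = data, set(bad_sectors)
    def sector_count(self):
        return len(self.data) // SECTOR
    def read_sector(self, n):
        if n in self.bad:
            raise OSError(f"I/O error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]

def image_drive(drive):
    """Sector-by-sector bit-stream copy. Unreadable sectors are replaced with FILL
    and logged by type and location, producing a 'qualified bitstream'."""
    image, error_log = bytearray(), []
    for n in range(drive.sector_count()):
        try:
            image += drive.read_sector(n)
        except OSError as err:
            image += FILL
            error_log.append({"sector": n, "offset": n * SECTOR, "type": "read", "error": str(err)})
    return bytes(image), error_log

def digests(blob):
    """MD5, SHA-1 and CRC32 fingerprints of a byte string (CRC32 as the double check)."""
    return {"md5": hashlib.md5(blob).hexdigest(),
            "sha1": hashlib.sha1(blob).hexdigest(),
            "crc32": f"{zlib.crc32(blob):08x}"}

def verify_image(original, image, error_log):
    """'exact' means every hash matches; 'qualified' means the copy matches the
    original in every sector that is not recorded in the error log."""
    skipped = {e["sector"] for e in error_log}
    exact = digests(original) == digests(image)
    qualified = all(
        original[n * SECTOR:(n + 1) * SECTOR] == image[n * SECTOR:(n + 1) * SECTOR]
        for n in range(len(original) // SECTOR) if n not in skipped)
    return {"exact": exact, "qualified": qualified, "errors": len(error_log)}

if __name__ == "__main__":
    data = bytes(range(256)) * 32  # constructed contents of a 16-sector drive
    image, log = image_drive(FakeDrive(data, bad_sectors={3, 11}))
    print(verify_image(data, image, log), log)
```

A real acquisition would read the device through a write blocker and record the digests and error log in the evidence log; the hashes alone cannot tell a qualified copy from a tampered one, which is why the error log must be kept with the image.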
Identification
Gathering the Evidence
Stages for a Search & Seizure
(A) Develop plan
(B) Approach and Secure Crime Scene
(C) Document Crime Scene Layout
(D) Search for Evidence
(E) Retrieve Evidence
(F) Process Evidence
Why Use a Methodology?
A formal methodology allows an investigator to approach and investigate a computer crime rationally and expeditiously, without a loss of thoroughness. More importantly, it establishes a protocol by which electronic evidence (physical and logical) is gathered and handled, to reduce the potential for this evidence to be corrupted or tainted.
Timothy Wright
Following a Plan
• Gather evidence
• Follow a methodology & document it
• Determine relevance of data
– US v Carey and going beyond the scope
• Cautions:
– Chain of custody
– Expert witness
– Improper use of tools
– No consent
Guidelines for LEOs
• No action taken should alter data subsequently relied upon by the court
• Competent individuals should access the original, only
• An audit trail should be created and an independent 3rd party should be able to achieve the same results
• Officer in charge is responsible for adhering to principles
Evidence Dynamics
• Evidence dynamics is anything that changes, relocates, obscures, or obliterates evidence, regardless of intent, between the time gathered and used in court
– Emergency workers (fire & water)
– Forensic examiners
– Offender-covering behaviors (deletions)
– Victim actions (deletions)
– Secondary transfer (bystander)
– Witnesses (network admin deletions)
– Nature/weather (magnetic fields)
– Decomposition (decay)
Preliminary Preparation
1. Accumulate the packaging & materials
2. Prepare the log for documentation of the search
3. Ensure IRT is aware of forms of evidence & proper handling materials
4. Evaluate the current legal ramifications of crime scene searches
5. Discuss search with involved personnel before arrival at the scene (victim theory of access)
6. Identify a person-in-charge prior to arrival at the scene
7. Assess the personnel assignments normally required to process a crime scene successfully
Employee Suspects
• Check personnel file
• Receipt of proprietary information (AUP)
– Code entry/building logs (doors, gates, rooms)
– Telephone records (corroborate remote access)
– Placement at scene (eyewitness, camera)
• Obtain court order for home equipment or consent to search
• Cleaned out desk area (missing items)
• Calls from former employees requesting information
Sample Banner
This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
Exceptions to ECPA
• Consent by suspect
– Implicit if a banner at logon appears
– Must prove banner was seen
• Signature (annually) on company policies
• Screen shots verify presence of banner
• Provision for banner in policies
Reviewing the Surroundings
• Desktops
• Monitors
• Storage media
• Next to telephones (note message light)
• Wallets or purses
• PDAs
• Trash can
• Inside of books and manuals
• Taped underneath keyboards
Approaching a Scene
• Permission to process PC
• A camera to document (digital camera)
• May consider video taping of access
• Labels for all connections
Procedures
• Take photographs of:
– The computer screen
– The front, back and sides of the computer
– The cables attached to the computer
– Any peripherals attached to the computer
• Log whether the computer is on or off
• If on, note in the log what it appears to be doing
• Log whether or not the computer is on a network
• Decide to review as active system
• Pull plug from computer, not wall
Reviewing an Active System
• Computers change state by
– User interaction
– Process execution
– Data transfers
– Power cycles
What is Lost When You Power Down
• Registers, cache contents
• Memory contents
• State of network connections
• State of running processes
• Contents of storage media
• Contents of removable and back up media
Plan for Live Systems
Step | Windows 2000/NT | UNIX
Establish a new shell | cmd.exe | Bash
Record system date and time | Date, time | W
Who is logged on | Loggedon | W
Record open sockets | Netstat | Netstat
List processes that open sockets | Fport | Lsof
List currently running processes | Pslist | Ps
List systems recently connected | Nbtstat | Netstat
Record system time | Date, time | W
Record steps taken | doskey | Script, vi, history
Acquisition Errors = Bad Forensics
• Failure to:
– Maintain proper documentation
– Notify or provide information to decision makers
– Control access to digital evidence
– Report the incident to management & law enforcement
– Estimate the scope of the incident
– Create an incident response plan
– Check peer-to-peer access for additional computers
Response Toolkits
• A forensic box
– Large hard drives, SCSI card, 10/100 NIC, tape drive
• Drivers for hardware
• Ribbon cables
• Disk write blocking utilities
• Imaging software
Media for Back-up Images
• Floppies (bring a truck)
• DAT (cheap)
• Zip (removable HDs)
• CD ROM (as second level backup)
• Network (secure)
• Hard drive (appropriate size)
Prepackaged Hardware Units
• ICS – www.ics-iq.com
• Forensic Computers – www.forensiccomputers.com
Using Packaged Tool Set
• Encase uses a Windows interface
• Copies, locates and extracts files at the same time
• Case log included
• Advanced string searching capability
• Book marking capability
• Previews hard drives
Graphic Tools
Gathering Evidence
• Freeze keyboard & devices (i.e., tool such as Seized)
• Maintain an evidence log & secure it
• Allocate a secure area for evidence holding/examination
– You cannot seize an attorney’s computer (see guidelines at www.ojp.usdoj.gov/nij)
• Impartiality of investigators (not friend of suspect)
• Use 2 people: one documents, the other gathers
• Make sure examiner can testify
Chain of Custody
• List of people that touched or had control of evidence
• Evidence tag
– Consent & signature
– Receipt & transfer
– Description
• A list of office staff near evidence
• State of the system when found
• Serial numbers
• Peripherals attached
• Prevent future access after seized
Cautions
• Never allow employee to touch the computer after decision is made to investigate
– Remove/restrict suspect under subterfuge
• Remove computer or HD to secure area
• Beware of magnetic devices to erase
• Be aware of burn boxes to destroy diskettes
• Confiscate all storage media (check keychain for Trek)
Oops… There Goes Your Case!
• Altering time and date stamps
• Terminating rogue processes
• Patching the system before investigation
• Not recording commands executing on the system
• Using tools that require a GUI
• Writing over evidence by installing software drivers
• Writing over evidence by running programs that store on suspect hard drive
Log for Investigations
Exam Log1 Access database
Creating a Log
The Fired CFO
• Circumstances
– The laptop was given to HR in its present condition by the controller when he left
– The employee was hired on 9/1/2001 and left on 2/1/2002
– Position was controller
– Had remote access to company database
– On 4/11/2002 an employee at the company found all the orders in the database deleted
• Are there any problems?
Questions
• Should you investigate?
• Can you investigate?
• What policies should be in place?
• What do you need prior to investigation?
• Do you need a plan in order to do a search?
• What steps would you follow?
• What would you seize for examination?
• What should you worry about?
• What evidence could you find that would force you to call the police?