1
FCM 760
Forensic Management of Digital Evidence
Prof. Shamik Sengupta
Office 4210N
ssengupta@jjay.cuny.edu
http://jjcweb.jjay.cuny.edu/ssengupta/
Fall 2010
2
What is Digital Forensics?
 With computers and other digital systems
increasingly being part of our lives and society,
there is an exponential growth among criminals to
use technology to facilitate their offenses and avoid
apprehension.
 “Digital forensics (also known as Digital forensic
science), a branch of forensic science, is the
discipline that aims at fighting against such
criminals and criminal activities encompassing the
recovery and investigation of material found in
digital systems.”
3
What is the aim of this course?
 This course is designed to provide you an introduction
of digital forensics (especially management of
evidence in digital form) from
– Theoretical perspective
– Practical perspective
4
What shall we learn?








What is “digital evidence”?
Who needs digital forensics?
Spectrum of computer-related crime
Legal issues (Only some of them)
Where can “things” be hidden?
Extraction of digital evidence
Analysis of digital evidence
What are the limits of recovery?
5
Text book
 Digital evidence and computer crime
– Eoghan Casey
– 2nd edition, Academic Press, 2004
– (3rd edition is on the way)
 ISBN-13: 978-0-12-163104-8
 ISBN-10:0-12-163104-4
6
Recommended reference and useful sites
 Handbook of Computer Crime Investigation
– Eoghan Casey, Elsevier
 Forensic Examination of Digital Evidence: A Guide for
Law Enforcement
– National Institute of Justice, April 2004
– Intended for use by members of the law enforcement community
who are responsible for the examination of digital evidence.
– http://www.ncjrs.org/pdffiles1/nij/199408.pdf
7
Recommended reference and useful sites (Cont.)

International Organization of Computer Evidence (IOCE)
– Established in 1995
– Providing a forum for law enforcement agencies across the world
to exchange information about computer forensics issue
– http://www.ioce.org

Scientific Working Group on Digital Evidence (SWGDE)
– U.S. component of IOCE
– http://ncfs.org/swgde/index.html

International Association of Computer Investigative Specialists
(IACIS)
– Nonprofit organization dedicated to educating law enforcement
professionals in the area of computer forensics
– www.cops.org
8
Recommended reference and useful sites (Cont.)

International Journal of Digital Evidence
– Online publication devoted to discussions of the theory and practice
of handling digital evidence (started in 2002)
– http://www.ijde.org

International Journal of Digital Forensics and Incident Response
– Digital Investigation (print journal from Elsevier that started in 2004)
– http://www.elsevier.com/locate/diin

Transactions on Information Forensics and Security
– Print journal from IEEE Signal Processing Society that started in
2005
– http://www.ieee.org/organizations/society/sp/tifs.html
9
Timing and Contact Information
 Class meeting time: Thursday
– 6:20 pm – 8:20 pm
 Office hours: North Hall, 4210
– Thursday (5:00 pm – 6:00 pm) Or By appointments
 Email: ssengupta@jjay.cuny.edu
 Office Phone: 212-237-8826
10
Grading Information
 Workload and grading:
Course work
approx %
Assignments
~ 30%
Midterm exam
~ 15%
Take Home Final part 1
~ 20%
In-class Final part 2
~ 15%
Project (Term paper) and presentation
~ 20%
Grading percentages are tentative and may change later.
11
Course Syllabus Overview (tentative)









Digital Evidence
The investigative process
Investigative reconstruction process
Computer basics for digital investigators
Forensic Examination of Windows systems
Forensic Examination on the Internet
Wireless security/ investigating Wi-Fi
Investigating computer intrusions
Steganography and covert operations
12
Comments, Suggestions…?
13
Lecture #1
Digital Evidence and Computer Crime
An Overview…
14
What is Forensics?
 Forensics : Use of scientific or technological
technique to conduct an investigation or establish
facts (evidence) in a criminal case
– From Judd Robbins, Computer Forensic Legal Standards
and Equipment
 Example of Renowned Forensic Sciences
– Forensic Pathology
– Sudden unnatural or violent deaths
– Forensic Anthropology
– Identification of human skeletal remains
– Forensic Entomology
– Insects
 Newest on the block: Digital Forensic Science
15
Digital Forensic Science
 Definition of “Digital Forensic Science”
“The use of scientifically derived and proven methods
toward the preservation, collection, validation,
identification, analysis, interpretation, documentation
and presentation of digital evidence derived from
digital sources for the purpose of facilitating or
furthering the reconstruction of events found to be
criminal, or helping to anticipate unauthorized actions
shown to be disruptive to planned operations.”
From Digital Forensic Research Workshop (DFRWS), 2001
16
Who needs digital forensics?

Law enforcement
– Prosecution of crimes which involve computers or other digital
devices
– Defend the innocent
– Prosecute the guilty
– Must follow strict guidelines during entire forensics process to
ensure evidence will be admissible in court

Military
– Prosecution of internal computer-related crimes
– Own guidelines, many normal legal issues do not apply

Security agencies (e.g., Secret Service, CIA, FBI)
– Anti-terrorism efforts
– Some provisions for this effort relax traditional privacy guards
17
Who needs digital forensics? (Cont.)
 General
– Employee misconduct in corporate cases
– What happened to this computer?
– For accidental deletion or malicious deletion of data by a user
(or a program), what can be recovered?
– Need for strict guidelines and documentation during recovery
process may or may not be necessary
Digital Forensic Science growing in
importance

Case Example #1:
“William Grace and 22-year-old Brandon Wilson were sentenced to 9 years in jail after
pleading guilty to breaking into court systems in Riverside, California, to alter records.
Wilson altered court records relating to previous charges filed against him (illegal
drugs, weapons, and driving under the influence of alcohol) to indicate that the
charges had been dismissed. Wilson also altered court documents relating to several
friends and family members. The network intrusion began when Grace obtained a
system password while working as an outside consultant to a local police department.
By the time they were apprehended, they had gained unauthorized access to
thousands of computers and had the ability to recall warrants, change court records,
dismiss cases, and read e-mail of all county employees in most departments, including
the Board of Supervisors, Sheriff, and Superior Court judges. Investigators estimate
that they seized and examined a total of 400 Gbytes of digital evidence.” (2003)

Courtesy:
– Sullivan B. (2003) "Pair who hacked court get 9 years" MSNBC 02/07/03
– Digital evidence and computer crime by Eoghan Casey (2nd edition)
18
Digital Forensic Science growing in
importance (cont.)

Case Example #2:
“A Maryland woman named Sharon Lopatka told her husband that she was leaving to
visit friends. However, she left a chilling note that caused her husband to inform
police that she was missing. During their investigation, the police found hundreds of
e-mail messages between Lopatka and a man named Robert Glass about their
torture and death fantasies. The contents of the e-mail led investigators to Glass's
trailer in North Carolina and they found Lopatka's shallow grave nearby. Her hands
and feet had been tied and she had been strangled. Glass pled guilty, claiming that
he killed Lopatka accidentally during sex.” (1996)

Courtesy:
– Digital evidence and computer crime by Eoghan Casey (2nd edition)
19
Digital Forensic Science growing in
importance (cont.)

Case Example #3:
“Robert Durall's web browser history showed that he had searched for terms such
as "kill + spouse," "accident + deaths," and "smothering" and "murder" prior to killing
his wife. These searches were used to demonstrate premeditation and increase the
charge to first-degree murder.” (2000)

Courtesy:
– http://www.seattlepi.com/local/murd21.shtml
– Digital evidence and computer crime by Eoghan Casey (2nd edition)

What was of prime importance in all three cases?
– Evidence or more specifically “Digital Evidence”
20
21
Defining Digital Evidence
 The formal definition of “Digital Evidence” is
“Any data stored or transmitted using a computer that
support or refute a theory of how an offense occurred
or that address critical element of the offense such as
intent or alibi.”
– From Chisum J. W. (1999) “Crime Reconstruction and
Evidence Dynamics”
 The data referred to in this case are essentially a
combination of numbers that represent information of
various kinds: text, images, audio, video.
22
Sources of Digital Evidence
 Categorized into three groups:
– Open computer systems (systems comprised of hard drives,
keyboards, monitors etc. such as laptops, desktops, servers)
– Communication Systems (Internet and networks in general)
– Embedded computer systems (smart phones, PDAs etc.)
Sources of Digital Evidence
Elaborated
 Computers
–
–
–
–
–
–
–
Digital images
Documents
Spreadsheets
Chat logs
Illegally copied software or other copyrighted material
Contraband (e.g., child pornography)
Various files
– Undeleted (“normal”) files
– Deleted files
– Temp files
– Swap files
– Log files
– Special system files, like the Windows registry
– Slack space
23
24
Sources of Digital Evidence (Cont.)
 Wireless telephones
–
–
–
–
Numbers called
Incoming calls
Voice mail access numbers
Call forwarding numbers
 PDAs/Smart Phones
– Above, plus contacts, maps, pictures, passwords,
documents, debit/credit card numbers, e-mail addresses …
25
Sources of Digital Evidence (Cont.)
 Landline Telephones/Answering machines
–
–
–
–
–
Incoming/outgoing messages
Numbers called
Incoming call info
Access codes for voice mail systems
Contact lists
 Copiers
– Especially digital copiers, which may store entire copy jobs
 Video game systems
– Basically computer systems
– Playstation, Xbox, etc
26
Sources of Digital Evidence (Cont.)

GPS devices
– Routes, way-points

Digital cameras
– Photos (obvious) but also video, arbitrary files on storage cards
(SD, memory stick, CF, …)




Floppies
ZIP disks
Flash memory cards (e.g., CF, SD, Smartmedia, memory stick)
Thumb drives
– 8GB flash drive under $20


Backup tapes
CDs & DVDs
27
Sources of Digital Evidence
 Can also be categorized based on other criteria:
– Live versus Dead systems
– Logical versus Physical Analysis
28
Challenges of Digital Evidence
 Messy, slippery form of digital evidence that can be
very difficult to handle
– Think about hard-disk, radio and micro waves
 In most of the cases, only pieces of the puzzles are
available, never the entire big picture
– Impossible to create a complete reconstruction of the crime
 Digital evidence can be modified accidentally
– by offenders
– during collection without leaving any obvious signs of
distortion
– Raise a question of credibility and reliability
29
Challenges of Digital Evidence (Cont.)
 Internet makes investigation much more difficult
– Following the cyber trail is not easy!
– Dynamic and distributed nature of networks
– Certain degree of anonymity make it difficult to attribute
online activities to an individual
 Use of Steganography
30
Challenges of Digital Evidence (Cont.)
 Criminals are getting smarter, many current
investigative techniques will need to be improved
 Digital evidence can be circumstantial making it
difficult to attribute computer activity to an individual
– The gap between your finger and keyboard in this game is
fairly big!
 Proliferation of new devices
31
Challenges of Digital Evidence (Cont.)
 The biggest challenge: HUGE (!!) volumes of data…
 1+TB single drives available to consumers
 Easy to build terabyte servers, even for home users
1TB
1TB
32
Legal Challenges of Digital Evidence

Under the “best-evidence rule”, the original document must be
presented as evidence
– Unless it has been destroyed or falls under other exceptions

Federal Rules of Evidence: Rule 1001-3
– “If data are stored by computer or similar device, any printout or
other output readable by sight, shown to reflect the data accurately,
is an original.”

Now the burden is on the party introducing the evidence
– To show it does indeed reflect the data accurately
– Prove the evidence what it is claimed to be and it has not been
changed since it was taken into custody
– Otherwise, the evidence will be deemed inadmissible!

Also, in US, it should be obtained “legally”
– In accordance with the laws governing search and seizure
– If obtained through illegal search, the evidence is considered to be
“tainted” by the “fruits of the poisonous tree” doctrine
Importance of Proper handling of
Computer Forensic Activity
 If evidence is not collected and handled according to
the proper standards, the judge may deem the
evidence inadmissible when presented and jury
members will never get a chance to evaluate it for
making a decision
 If the evidence is admitted, the opposing attorney will
attack its credibility during questioning or the witness
who testify regarding it and it could cause to create
doubt in jury member’s minds which might even taint
the credibility of the entire case
33
Importance of Forensic
Examination Standard

The rules of evidence regarding digital data are not clear cut yet
– But it is always safest to exceed the minimum requirements for
admissibility

Some general basic requirements among most forensic
organizations and experts
– The original evidence should be preserved in a state as close as
possible to the state it was in when found
– If at all possible, an exact copy (image) of the original should be
made to use for examination
– Avoid damaging integrity of the original
– Copies of data made for examination should be made on media that
is forensically sterile
– No pre-existing data on the media and checked for freedom from viruses and
defects
– All evidence should be properly tagged and documented and the
chain of custody preserved, and each step of the forensic
examination should be documented in detail
34
History and Effort to standardize the
Digital Evidence

1984 FBI Computer Analysis and Response Team (CART)
– http://www.fbi.gov/hq/lab/org/cart.htm

1995 International Organization of Computer Evidence (IOCE)
– Established in 1995 to ensure the harmonization of methods and
practices among nations and guarantee the ability to use digital
evidence collected by one state in the courts of another state
– It also provides a forum for law enforcement agencies across the
world to exchange information about computer forensics issues
– http://www.ioce.org

1998 Scientific Working Group on Digital Evidence (SWGDE)
– Established in 1998
– U.S. component of IOCE
– http://www.swgde.org
35
Effort to standardize the Digital
Evidence (Continued)
 2001 Digital Forensic Work Shop
– First held in 2001 to bring together knowledgeable individuals
from academia, military, and the private sector to discuss the
main challenges and research needs in the field
 International Journal of Digital Evidence
– Fruit of Digital Forensic Work Shop
– Online publication devoted to discussions of the theory and
practice of handling digital evidence
– http://www.ijde.org
 2003 International Journal of Digital Forensics and
Incident Responses
– Another place for people from academia, industry, agencies
as well as military interested in digital forensics
36
37
Strengths of digital forensics and evidence
 Despite the challenges…there are several strong
advantages…
 Digital evidence can be duplicated exactly and a copy
can be examined as if it were the original
– Always work on copies
– Actually with the copies of master copies
– Original goes to the safe place and locked
– Avoid the risk of damaging the original
 Easy to determine whether digital evidence is altered
by comparing it to an original copy using proper tools
38
Strengths of digital evidence (Continued)
 Digital evidence is very difficult to destroy completely
– It can be recovered even from formatted hard disk
 When criminals attempt to destroy digital evidence,
copies and associated remnants can remain in places
that they were not aware of
 This is exactly where we look at!