Ch. 1 Flashcards
Computer Forensics
The process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.
Forensic readiness refers to _____________.
an organization’s ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs
Computer Forensics Objectives
- Identify, gather, and preserve the evidence of a cybercrime
- Track and prosecute the perpetrators in a court of law
- Interpret, document, and present the evidence such that it is admissible during prosecution
- Estimate the potential impact of malicious activity on the victim and assess the intent of the perpetrator
- Find vulnerabilities and security loopholes that help attackers
- Understand the techniques and methods used by attackers to avert prosecution and overcome them
- Recover deleted files, hidden files, and temporary data that can be used as evidence
- Perform incident response (IR) to prevent further loss of intellectual property, finances, and reputation during an attack
- Know the laws of various regions and areas, as digital crimes are widespread and remote
- Know the process of handling multiple platforms, data types, and operating systems
- Learn to identify and use the appropriate tools for forensic investigations
Impact of Cybercrimes at the Organizational Level
- Loss of confidentiality, integrity and availability of information stored in organizational systems
- Theft of sensitive data
- Sudden disruption of business activities
- Loss of customer and stakeholder trust
- Substantial reputational damage
- Huge financial losses
- Penalties arising from the failure to comply with regulations
Criminal Cases
- Investigators must follow a set of standard forensic processes accepted by law in the respective jurisdiction
- Investigators, under a court’s warrant, have the authority to forcibly seize computing devices
- A formal investigation report is required
- Law enforcement agencies are responsible for collecting and analyzing evidence
- Punishments are harsh and include a fine, jail sentence, or both
- Standard of proof needs to be very high
- It is difficult to capture certain evidence, e.g. GPS device evidence
Civil Cases
- Investigators try to show the opposite party some proof to support the claims and induce settlement
- Searching of the devices is generally based on mutual understanding and provides a wider time window to the opposite party to hide the evidence
- The initial reporting of the evidence is generally informal
- The claimant is responsible for the collection and analysis of the evidence
- Punishments include monetary compensation
- Poorly documented or unknown chain-of-custody for evidence
- Sometimes, evidence can be in third-party control
User-Created Sources of Potential Evidence
- Address books
- Database files
- Media (images, graphics, audio, video, etc.) files
- Documents (text, spreadsheet, presentation, etc.) files
- Internet bookmarks, favorites, etc.
User-Protected Sources of Potential Evidence
- Compressed files
- Misnamed files
- Encrypted files
- Password-protected files
- Hidden files
- Steganography
Computer-Created Sources of Potential Evidence
- Backup files
- Log files
- Configuration files
- Printer spool files
- Cookies
- Swap files
- System files
- History files
- Temporary files
Rules of Evidence
- Understandable - Evidence must be clear and understandable to the judges
- Admissible - Evidence must be related to the fact being proved
- Authentic - Evidence must be real and appropriately related to the incident
- Reliable - There must be no doubt about the authenticity or veracity of the evidence
- Complete - The evidence must prove the attacker’s actions or his/her innocence
Best Evidence Rule
The court only allows the original evidence of a document, photograph, or recording at the trial and not a copy. However, the duplicate may be accepted as evidence, provided the court finds the party’s reasons for submitting the duplicate to be genuine.
Federal Rules of Evidence Rule 101: Scope
These rules apply to proceedings in United States courts. The specific courts and proceedings to which the rules apply, along with exceptions, are set out in Rule 1101.
Federal Rules of Evidence Rule 102: Purpose
These rules should be construed so as to administer every proceeding fairly, eliminate unjustifiable expense and delay, and promote the development of evidence law, to the end of ascertaining the truth and securing a just determination.
Federal Rules of Evidence Rule 103: Rulings on Evidence
a. Preserving a claim of error
b. Not needing to renew an objection or offer of proof
c. Court’s statement about the ruling; directing an offer of proof
d. Preventing the jury from hearing inadmissible evidence
e. Taking notice of plain error
Federal Rules of Evidence Rule 104: Preliminary Questions
- Questions of admissibility in general
- Relevancy conditioned on a fact
- Conducting a hearing so that the jury cannot hear it
- Cross-examining a defendant in a criminal case
- Evidence relevant to weight and credibility
Federal Rules of Evidence Rule 105: Limited Admissibility
If the court admits evidence that is admissible against a party or for a purpose - but not against another party or for another purpose - the court, on timely request, must restrict the evidence to its proper scope and instruct the jury accordingly.
Federal Rules of Evidence Rule 402: General Admissibility of Relevant Evidence
Relevant evidence is admissible unless any of the following provides otherwise:
- The United States Constitution;
- A federal statute;
- These rules; or
- Other rules prescribed by the Supreme Court
Irrelevant evidence is not admissible.
Federal Rules of Evidence Rule 502: Attorney-Client Privilege and Work Product; Limitations on Waiver
a. Disclosure made in a federal proceeding or to a federal office or agency; scope of a waiver.
b. Inadvertent disclosure
c. Disclosure made in a state proceeding
d. Controlling effect of a court order
e. Controlling effect of a party agreement
f. Controlling effect of this rule
Federal Rules of Evidence Rule 608: A Witness’s Character for Truthfulness or Untruthfulness
a. Reputation or opinion evidence.
b. Specific instances of conduct.
Federal Rules of Evidence Rule 609: Impeachment by Evidence of a Criminal Conviction
a. In general. The following rules apply to attacking a witness’s character for truthfulness by evidence of criminal conviction:
1. for a crime that, in the convicting jurisdiction, was punishable by death or by imprisonment for more than one year, the evidence:
i. must be admitted, subject to Rule 403, in a civil case or in a criminal case in which the witness is not a defendant; and
ii. must be admitted in a criminal case in which the witness is a defendant, if the probative value of the evidence outweighs its prejudicial effect to that defendant; and
2. for any crime regardless of the punishment, the evidence must be admitted if the court can readily determine that establishing the elements of the crime required proving - or the witness’s admitting - a dishonest act or false statement.
b. Limit on using the evidence after 10 years.
c. Effect of a pardon, annulment, or certificate of rehabilitation.
d. Juvenile adjudications.
e. Pendency of an appeal.
Federal Rules of Evidence Rule 614: Court’s Calling or Examining a Witness
a. Calling. The court may call a witness on its own or at a party’s request. Each party is entitled to cross-examine the witness.
b. Examining. The court may examine a witness regardless of who calls the witness.
c. Objections. A party may object to the court’s calling or examining a witness either at that time or at the next opportunity when the jury is not present.
Federal Rules of Evidence Rule 701: Opinion Testimony by Lay Witnesses
If a witness is not testifying as an expert, testimony in the form of an opinion is limited to one that is:
a. rationally based on the witness’s perception;
b. helpful to clearly understanding the witness’s testimony or to determining a fact in issue; and
c. not based on scientific, technical, or other specialized knowledge within the scope of Rule 702.
Federal Rules of Evidence Rule 705: Disclosing the Facts or Data Underlying an Expert’s Opinion
Unless the court orders otherwise, an expert may state an opinion - and give the reasons for it - without first testifying to the underlying facts or data. But the expert may be required to disclose those facts or data on cross-examination.
Federal Rules of Evidence Rule 801: Definitions That Apply to This Article; Exclusions from Hearsay
“Hearsay” means a statement that
1. the declarant does not make while testifying at the current trial or hearing and
2. a party offers in evidence to prove the truth of the matter asserted in the statement.
Statements That Are Not Hearsay. A statement that meets the following conditions is not hearsay.
1. A Declarant-Witness’s Prior Statement. The declarant testifies and is subject to cross-examination about a prior statement, and the statement
A. is inconsistent with the declarant’s testimony and was given under penalty of perjury at a trial, hearing, or other proceeding or in a deposition;
B. is consistent with the declarant’s testimony and is offered:
i. to rebut an express or implied charge that the declarant recently fabricated it or acted from a recent improper influence or motive in so testifying; or
ii. to rehabilitate the declarant’s credibility as a witness when attacked on another ground; or
C. identifies a person as someone the declarant perceived earlier.
2. An Opposing Party’s Statement. The statement is offered against an opposing party and
A. was made by the party in an individual or representative capacity;
B. is one the party manifested that it adopted or believed to be true;
C. was made by a person whom the party authorized to make a statement on the subject;
D. was made by the party’s agent or employee on a matter within the scope of that relationship and while it existed; or
E. was made by the party’s coconspirator during and in furtherance of the conspiracy.
The statement must be considered but does not by itself establish the declarant’s authority under (C); the existence or scope of the relationship under (D); or the existence of the conspiracy or participation in it under (E).