COMPUTER FORENSICS Flashcards
Investigations typically involve four phases: Seizure
In the seizure phase, it is important to understand who has the authority to seize the digital equipment as well as the proper methodology to use so that evidence is not destroyed or tainted.
Investigations typically involve four phases: Image Acquisition
The image-acquisition phase involves the use of decision-making processes to determine the best method for acquiring an image of the suspect system and the proper use of software and hardware tools to facilitate the image capture. The examiner has to be sure that the image is created and preserved in a manner that will withstand a legal challenge.
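The point of "withstanding a legal challenge" is that the examiner must be able to prove, at any later date, that the image is a bit-for-bit copy of the seized media. The usual way is to hash the bytes as they are read from the source (behind a write blocker), hash the finished image, record both in a manifest, and re-hash before analysis and before testimony. The following is an added example written for this page, not code from the flashcards; the "device" is a constructed in-memory byte string standing in for a block device, and acquire_image, verify_image, hash_bytes and run_demo are this example's own names.

```python
"""Acquire a bit-for-bit image with inline hashing, then re-verify it."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 4096  # read size; real imagers use the device's sector size or larger


def hash_stream(stream, chunk=CHUNK):
    """Return (sha256, md5) hex digests of everything readable from stream."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    for block in iter(lambda: stream.read(chunk), b""):
        sha.update(block)
        md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def hash_bytes(data):
    """Convenience wrapper: hash an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def acquire_image(source, dest, examiner, chunk=CHUNK):
    """Copy source -> dest block by block, hashing bytes in the same pass that
    writes them (as dd-style imagers with inline hashing do), then hash the
    written image independently. Returns a manifest; verified=False means the
    image is not a faithful copy and must not be used."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    size = 0
    for block in iter(lambda: source.read(chunk), b""):
        sha.update(block)
        md5.update(block)
        dest.write(block)
        size += len(block)
    dest.flush()
    dest.seek(0)
    img_sha, img_md5 = hash_stream(dest, chunk)
    return {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "source_sha256": sha.hexdigest(),
        "source_md5": md5.hexdigest(),
        "image_sha256": img_sha,
        "image_md5": img_md5,
        "verified": (sha.hexdigest(), md5.hexdigest()) == (img_sha, img_md5),
    }


def verify_image(image, manifest, chunk=CHUNK):
    """Re-hash an image (before analysis, or for court) against its manifest."""
    image.seek(0)
    return hash_stream(image, chunk) == (manifest["source_sha256"], manifest["source_md5"])


# Constructed stand-in for a tiny disk: a zeroed sector, a sector of
# recognisable filler, and a sector of 0xff. Not real disk content.
FAKE_DEVICE = b"\x00" * 512 + b"NTFS    " * 64 + b"\xff" * 512


def run_demo():
    """Acquire FAKE_DEVICE, then verify the image and a copy with one byte
    flipped. Returns (manifest, original_verifies, tampered_verifies)."""
    img = io.BytesIO()
    manifest = acquire_image(io.BytesIO(FAKE_DEVICE), img, "examiner-1")
    tampered = io.BytesIO(bytearray(img.getvalue()))
    tampered.seek(100)          # inside the zeroed sector
    tampered.write(b"\x01")     # a single changed byte
    return manifest, verify_image(img, manifest), verify_image(tampered, manifest)


if __name__ == "__main__":
    manifest, ok, bad = run_demo()
    print(json.dumps(manifest, indent=2))
    print("original verifies:", ok)
    print("tampered verifies:", bad)
```

Two hashes are recorded because older reports and tools list MD5 while SHA-256 is what a current challenge will expect; the manifest, the write-blocker used, and the examiner's notes together are what the analysis phase and the eventual testimony rest on.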
Investigations typically involve four phases: Analysis
This phase involves the use of specialised software designed to give the examiner the means to locate and extract artefacts that will be used as evidence in the investigation. The evidence can serve to incriminate the subject of the investigation or it can be exculpatory by disproving the subject's involvement.
Investigations typically involve four phases: Reporting and Testifying
In this phase, a qualified computer forensics expert may be asked to render an opinion about the use or misuse of a computer system.
Digital Evidence
binary data (ones and zeroes) that is interpreted by the computer
There are three types of situations in which computer evidence is generally discovered:
(1) computers as the target of crime, (2) computers as the instrument of crime, and (3) computers as the repository of evidence
Considerations when Conducting the Seizure
1 Subject debriefing: ask the subject for passwords and whether any encrypted data exists on the target computer.
2 Identify any destructive processes that may be running on the machine.
3 If such a process appears to be running, unplug the machine immediately.
4 Before beginning to disconnect the system, make certain to isolate it from any outside connections.
5 Document the scene with photographs or a diagram.
6 Document what is on the screen if the system is on, as well as what processes are currently running.
7 Look around for notes that may be passwords.
8 Take good notes regarding the time and date that the system was seized and the personnel involved in the seizure.
9 Note the status of the system. Was it on, off, or on standby? Was there anything unusual attached to the system? Was there any obvious damage? Did any files have to be saved?
10 Start a chain-of-custody document and note each person and storage location through which each piece of evidence passes.
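The chain-of-custody document in step 10 is only useful if it is continuous: every hand-off names the person or storage location releasing the item and the one receiving it, the time, and the state of the item, so that nobody can later suggest an unlogged window in which the evidence could have been altered. The following is an added example written for this page, not code from the flashcards; the item IDs, names, locations and digests are constructed, and CustodyEvent, check_chain, sample_chain and broken_chain are this example's own names.

```python
"""A minimal chain-of-custody log with a continuity check."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List


@dataclass(frozen=True)
class CustodyEvent:
    item_id: str        # evidence tag on the bag/label
    released_by: str    # "SCENE" for the seizure itself
    received_by: str    # person or storage location taking custody
    location: str       # where the hand-off happened / where it now sits
    when: datetime      # timezone-aware
    item_hash: str      # hash of the media or image at hand-off, if computed
    purpose: str = ""


def check_chain(events: List[CustodyEvent]) -> List[str]:
    """Return the problems a reviewer would raise; [] means the chain is
    continuous in the order logged: each releaser was the previous receiver,
    the hash never changed between hand-offs, and time only moves forward."""
    problems = []
    by_item = {}
    for e in events:                       # keep logged order; do not sort
        by_item.setdefault(e.item_id, []).append(e)
    for item, chain in by_item.items():
        if chain[0].released_by != "SCENE":
            problems.append(f"{item}: first entry is not the seizure")
        for prev, cur in zip(chain, chain[1:]):
            if cur.released_by != prev.received_by:
                problems.append(f"{item}: {cur.released_by} released it but "
                                f"{prev.received_by} was the last holder")
            if cur.item_hash != prev.item_hash:
                problems.append(f"{item}: hash changed while held by "
                                f"{prev.received_by}")
            if cur.when <= prev.when:
                problems.append(f"{item}: timestamps out of order at {cur.when}")
    return problems


def _t(hour, minute):
    return datetime(2024, 4, 17, hour, minute, tzinfo=timezone.utc)


def sample_chain() -> List[CustodyEvent]:
    """Constructed log for one seized laptop, from seizure to evidence locker."""
    h = "sha256:" + "ab" * 32     # placeholder digest, not a real disk hash
    return [
        CustodyEvent("ITEM-03", "SCENE", "Det. Lee", "12 Example St, office 2",
                     _t(9, 40), h, "seized, powered off, bagged and sealed"),
        CustodyEvent("ITEM-03", "Det. Lee", "Evidence Locker", "Precinct locker B7",
                     _t(11, 5), h, "booked in"),
        CustodyEvent("ITEM-03", "Evidence Locker", "Examiner Park", "Forensics lab",
                     _t(13, 20), h, "released for imaging"),
        CustodyEvent("ITEM-03", "Examiner Park", "Evidence Locker", "Precinct locker B7",
                     _t(17, 0), h, "returned after imaging"),
    ]


def broken_chain() -> List[CustodyEvent]:
    """Same log with two defects: a hand-off nobody logged (the locker never
    released the item, yet Det. Lee hands it to the lab) and a hash that
    changed while the examiner held it."""
    ev = sample_chain()
    ev[2] = replace(ev[2], released_by="Det. Lee")
    ev[3] = replace(ev[3], item_hash="sha256:" + "cd" * 32)
    return ev


if __name__ == "__main__":
    print("good chain:", check_chain(sample_chain()) or "continuous")
    for p in check_chain(broken_chain()):
        print("broken chain:", p)
```

The checker is deliberately strict about the releaser matching the previous receiver: a storage location is treated as a custodian exactly like a person, because the card's instruction is to log every person and storage location the item passes through.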
When securing a computer system, follow the two golden rules
The first rule is, if the computer is off, don’t turn it on.
The second golden rule when securing a computer is, don’t peek through the files
The admissibility of evidence obtained from computers in a court case is really no different from the admissibility of any other type of evidence. The evidence must be:
- Relevant
- Supported by a foundation for its introduction into court
- Legally obtained
- Properly identified
- Properly preserved
In the handling of computer data in criminal investigations, the examiner or investigator must be aware of some of the vulnerabilities of computer evidence:
• The investigator must ensure that turning off power to computer equipment will not destroy or erase evidence that is required for the investigation.
• The read/write heads of hard disk drives must be parked in a retracted position so that powering down the disk drive will not cause the read/write head to contact the surface of the disk platter (modern hard disks park their heads automatically on power loss, and solid-state drives have no heads at all, but the underlying rule still applies: know what a power cut does to the specific media before you cut it).
• Be aware that magnetic storage media are vulnerable to magnetic fields. Evidence might be erased without the investigator being aware of the erasure if the media are brought close to a magnetic field.
• Be aware that other equipment attached to the computer might be needed to complete the investigation into the data that resides in the computer.
• The investigator should write-protect all disks that are being used in the investigation so that they cannot be written upon inadvertently.
Affidavit for the search warrant
detail the probable cause or legal reasoning behind the request for the warrant
Only a ___can issue a search warrant and only ___ can seek and serve a search warrant.
judge - law enforcement
Pre-Search Preparation
- Determine the type of computer systems that will be involved in the search. What operating system is used? Are the computers networked together?
- Determine how many people will be needed to conduct the search.
- If expert witnesses with a specific expertise are required during the search, identify and clear them before the search warrant is written. Depending on the circumstances, their credentials may need to be included in the warrant affidavit so that the magistrate issuing the search warrant can approve them. The time to discover that an "expert witness" has a criminal conviction is before the search warrant affidavit has even been written.
- Determine the resources that will be required to successfully conduct the search. If a great deal of equipment is to be seized, consider how the equipment will be transported from the location. Obtain sufficient boxes, labels, bags, and other supplies at this time.
Items to be seized might contain any or all of the following, depending on the nature of the fraud case:
• Computers
• Computer components
• Computer peripherals
• Word-processing equipment
• Modems
• Monitors
• Printers and plotters
• Optical scanners
• Data storage devices
  − Magnetic
  − Laser
  − Optical
  − Tape
  − PCMCIA
  − ZIP or JAZ drives
• Cables, wiring, cords
• Storage media
  − Disks
  − Magnetic tape (reels)
  − PCMCIA RAM cards
  − CD-ROMs
  − Magnetic/optical disks
  − Digital audio tape (DAT)
  − Personal data managers
  − Flash RAM cards (consider digital-camera storage)
• Computer programs
  − Operating systems
  − Application software
  − Utility programs
  − Compilers
  − Interpreters
• Documents
• Manuals
• Printouts
• File listings
If possible, before executing a search warrant for which computer equipment and/or magnetic storage media is to be seized, make sure that _________
someone who is familiar with computer equipment will be present to assist in the identification of the various components
It is critical that anyone not involved in the investigation _______ and _______
be kept away from any computer equipment - not be allowed to touch any of the equipment!
If the person seizing the system has the appropriate training and expertise, it might be useful to observe
the video display of the system. Information might be displayed that will be of value in the case. If this occurs, document with a close-up photograph of the video screen (take care if using a camera with a flash that the flash does not reflect back into the camera lens).
If a computer or peripheral is not covered by the respective search warrant,
leave it alone until a supplemental warrant can be obtained
If the computer is to be removed from the location, do not enter _____ or attempt ________
anything via the system keyboard to read information from the system or any associated magnetic media
Do not move the computer any more than is necessary until ______
it is properly secured
Photograph the
overall view of the computer system (wide view)
Document the state of
the computer when first observed (was it operational, what was displayed on the monitor, etc.)
Depending on the experience of the person seizing the system, it might be advisable to
unplug the power from the central processing unit (CPU) before taking any further action.