The Digital Evidence Investigation

Question 1

What is this a definition of:
the methodological acquisition, authentication, reconstruction, and examination of digital media using computer software, hardware, and analytical techniques for the purpose of presenting digital evidence in a judicial or quasi-judicial proceeding.

Answer 1

Digital forensics

Question 2

What changes were made to the criminal code in 1983?

Answer 2

To address the use of computer to commit or aid in committing crimes.

Question 3

What type of testimony can police officers be called for in digital forensic investigations?

Answer 3

Expert or lay witness. Depends if opinion is needed.

Question 4

What key terms related to digital forensics are defined in the criminal code?

Answer 4

Computer data
Transmission data

Question 5

What is a preservation demand?

Answer 5

Requires a person to preserve computer data in their possession or control when the demand is made.

Question 6

What are the conditions for making a preservation demand?

Answer 6

Officer must have reasonable grounds that:
An offence has been or will be committed; AND
The computer data is in the person’s possession or control and will assist in the investigation of the offence.

Question 7

What is the limitation of preservation demands?

Answer 7

The demand cannot be made to a person under a criminal investigation

Question 8

What is the result of the limitation to preservation demands?

Answer 8

PD, production orders and assistance orders often go hand in hand and apply to non-accused persons who may have valuable evidence.

Question 9

What term does this define:
means representations, including signs, signals or symbols, that are in a form suitable for processing in a computer system

Answer 9

Computer data

Question 10

What term is this defining:
means representations, including signs, signals or symbols, that are capable of being understood by an individual or processed by a computer system or other device. 

Answer 10

Data

Question 11

What term is this defining:
a medium on which data is registered or marked

Answer 11

Document

Question 12

What term is this defining:
data that relates to the location of a transaction, individual or thing. 

Answer 12

Tracking data

Question 13

What is transmission data?

Answer 13

Can see what a device is sending or communicating with, does not tell use the substance of that communication

Question 14

What information can be adduced from transmission data?

Answer 14

Date and time of communication
Duration of communication
General location of device based on cell tower data

Question 15

What is a production order?

Answer 15

Order for company to produce the data.

Question 16

What is an assistance order?

Answer 16

Requires company to assist in investigation.

Question 17

Instead of digital or physical evidence, what term dose the Canada evidence act use?

Answer 17

Electronic

Question 18

What is the best evidence rule with respect to digital evidence?

Answer 18

The party submitting the evidence should submit the original unless unable to do so.

Question 19

When is the best evidence rule satisfied?

Answer 19

1. Proof of integrity of system; OR
2. If evidentiary presumption applies

Question 20

What are the two relevant assumptions related to digital evidence?

Answer 20

Presumption of integrity
Presumptions regarding secure electronic signatures

Question 21

What type of evidence is digital evidence considered to be?

Answer 21

Latent

Question 22

Does an electronic document in the form of a printout satisfy the best evidence rule?

Answer 22

Yes

Question 23

What is the digital question to answer?

Answer 23

Who is responsible for performing some digital action on the subject media and what is the resulting output?

Question 24

What is a byte?

Answer 24

Smallest collection of digits that will display on-screen in human readable format
8 digits displayed as a single character or digit

Question 25

What is the primary challenge for police early in a digital investigation?

Answer 25

Proper preservation of evidence. Must be identified before it is preserved

Question 25

What are the two components of the science of digital evidence?

Answer 25

Preservation Analysis

Question 26

What are the 5 situations that identification of digital evidence typically applies to?

Answer 26

Seizures with judicial authorization Street checks Random Canada Border Service Agency checks Prisoner processing Voluntary productions of evidence

Question 27

What evidence related to digital evidence is processed first?

Answer 27

Most volatile evidence - DNA, fingerprints

Question 28

What are examples of judicial authorizations that can result from an ITO (information to obtain)?

Answer 28

Production orders Search warrants Tracking warrants Transmission data recorder warrants Part VI authorizations (wiretaps)

Question 29

What is a tracking warrant?

Answer 29

Provides information on location

Question 30

What us a transmission data recorder warrant?

Answer 30

Captions transmission data in real time.

Question 31

Who is able to authorize a wire tap?

Answer 31

Superior court justice

Question 32

What are the two types of criminal offences involving computers?

Answer 32

Technology-as-instrument Technology-as-target

Question 33

What is technology-as-instrument?

Answer 33

Technology is instrumental in the commission of a crime.

Question 34

What is technology-as-target cybercrime?

Answer 34

Criminal offences targeting computers

Question 35

Outline the 9 steps of a digital investigation.

Answer 35

Identify potential sources of evidence Preserve evidence Collect info Analyze Investigators establish reasonable grounds based on analysis Charges laid Major crime management Disclosure Trial, etc.

Question 36

What are the two sources of data on a storage device?

Answer 36

Program or application Output generated by that application

Question 37

What is the most common form of digital evidence?

Answer 37

Output

Question 38

What are the three types of data output?

Answer 38

User-created content Application-generated content System-generated content

Question 39

Give example of non-volatile storage devices.

Answer 39

Laptop hard drives USB drives SD cards DVDs

Question 40

What are volatile storage devices? Give an example/

Answer 40

Lost when the computer is turned off. RAM

Question 41

What important information can be extracted from volatile memory?

Answer 41

Passwords Documents Pictures List of running processes

Question 42

What is an issue with mobile devices?

Answer 42

Susceptible to remote access, including phone locking and data destruction

Question 43

What are the two basic data types requiring preservation?

Answer 43

Public and private

Question 44

What are 4 types of private information that can be obtained from a service provider?

Answer 44

IP address Name, address, phone number connected to owner Cached content Information stored in private view.

Question 45

What are the three methods of obtaining the forensic copy?

Answer 45

1. Removal/connection of the subject media to a trusted system 2. Booting the subject computer with a trusted boot disk 3. Obtaining the data while the subject computer is running

Question 46

What is the traditional method of obtaining the forensic copy?

Answer 46

Removal/connection of the subject media to a trusted system

Question 47

When is the method of booting with a trusted boot disk used?

Answer 47

If source media cannot be removed.

Question 48

When is is most helpful to obtain the data when the subject computer is running?

Answer 48

When computer is connected to a network.

Question 49

What does forensic duplication software do?

Answer 49

Provides a method of validating the forensic copy against the source data

Question 50

What are the objectives of the analysis portion of a digital investigation?

Answer 50

Establish control over data Establish ownership of the data Determine how the data was produced and distributed

Question 51

What is the complicating factor during the analysis of digital evidence? What is its effect?

Answer 51

Encryption Prevents unauthorized access

Question 52

How can link charts be used in communication data analysis?

Answer 52

Can show where people were when they spoke to others.

Question 53

How can call pattern analysis be used in a digital investigation?

Answer 53

Can reveal patterns relevant to crime and involvement of parties

Question 54

How can timelines be useful in digital investigations?

Answer 54

Helpful for understanding large scale cases

Question 55

How can flow charts be used in digital investigatons?

Answer 55

Show sequence of events

Question 56

How can maps be used in digital investigations?

Answer 56

Can visualize who was talking to who when, where and in what format