Digital Forensics for Attorneys


Transcription:

Lars E. Daniel, EnCE, ACE, AME, CTNS
Digital Forensics Examiner

Digital Forensics for Attorneys: Overview of Digital Forensics

Overview of Digital Forensics
- Types of Digital Evidence
- Acquisition (Collection) and Preservation
- Experts, Evidence and Analysis
- Understand Forensic Experts vs. Computer Experts
- Digital evidence: discovery and usage
- Analysis
- Challenging Digital Evidence

In The Beginning

Digital Footprints
- Digital evidence in 80% of cases
- 5+ billion cell phone subscriptions
- By 2013 there will be over 1 trillion devices connected to the Internet

Digital Forensics: Not Only Computers

Computer Forensics
- Computers and data storage devices: hard drives, USB thumb drives, backup tapes, media cards

Social Media Forensics
- Facebook, Twitter, chat, MySpace, Internet presence on blogs and message boards

Email Forensics
- Back tracking emails
- Email recovery
- Email authentication

Digital Forensics: The Sub-Disciplines

Peer to Peer Forensics
- File sharing via LimeWire, BitTorrent, Gigatribe, iTunes, others

Cell Phone Forensics
- Call logs, contacts, text messages, pictures, movies, geo-location

Cellular Evidence Forensics
- Cell phone record analysis, cell phone ping analysis, cell tower mapping
- Typical case types: murder, kidnapping, drugs

Digital Video and Image Forensics
- Security video, camera video, pictures

Audio Forensics
- Police interviews, police radio recordings, wiretaps

GPS (Global Positioning Systems)
- Data from GPS units, logs from GPS tracking, house arrest

Some Basics

Common Mistakes
- Calling these monitors, CPUs, hard drives, etc.

Inside The Computer: CPU
- CPU: Central Processing Unit
- Only performs calculations. Stores nothing.
- The brain of the computer.

Inside The Computer: RAM
- RAM: Random Access Memory
- Only contains data while the computer is turned on.
- Temporary processing storage, used only while operating the computer.
- Is cleared when the computer shuts down or restarts.

Inside The Computer
- The hard drive stores the evidence...
- Hard drives today can store millions of pictures, music files, movies, passwords, emails, web pages and chats.
- These are hard drives too.

Digital Evidence

Digital Evidence Overview

Digital Forensics: Four Primary Areas of Focus
- Acquisition (Collection): obtaining the original evidence items; making forensic copies of original evidence
- Preservation: protecting the original evidence items
- Analysis: finding evidence
- Presentation: reporting findings and testimony

Digital Forensics Foundations
The foundation of digital forensics is the ability to collect, preserve and recover data in a forensically sound manner.

Forensic processes and tools must be:
1. Predictable
2. Repeatable
3. Verifiable

Forensic documentation must include:
- Unbroken chain of custody
- Documentation of all actions taken

Digital Forensics: The Sub-Disciplines (with typical case types)

Computer Forensics
- Computers and data storage devices
- Typical case types: all

Social Media Forensics
- Facebook, Twitter, chat, MySpace, Internet presence on blogs and message boards
- Typical case types: infidelity, libel and slander, employee wrongdoing

Email Forensics
- Back tracking emails, email recovery
- Typical case types: murder, rape, infidelity, sexual harassment, child pornography

Peer to Peer Forensics
- File sharing via LimeWire, BitTorrent, others
- Typical case types: child pornography, copyright violations, data theft

Cell Phone Forensics
- Call logs, contacts, text messages, pictures, movies, geolocation
- Typical case types: murder, sexting, infidelity, rape, kidnapping, drugs

Cellular Evidence Forensics
- Cell phone record analysis, cell phone ping analysis, cell tower mapping
- Typical case types: murder, kidnapping, drugs

Digital Video and Image Forensics
- Security video, camera video, pictures
- Typical case types: murder, theft, employee misconduct, wrongful death

Audio Forensics
- Police interviews, police radio recordings, wiretaps
- Typical case types: murder, conspiracy, wrongful death

GPS (Global Positioning Systems)
- Data from GPS units, logs from GPS tracking, house arrest
- Typical case types: murder, parole violations, kidnapping

Acquiring (Collecting) and Handling Digital Evidence
Digital forensics requires forensically sound acquisitions.

Defensible practices:
- Proper chain of custody
- Verification of evidence
- Proper documentation

Acquisition (Collection)
- First contact with the original evidence.
- Most critical time for protecting the originals.
- Most likely time for police or others to damage or change evidence.
- General rules MUST be followed to preserve and protect evidence during this critical first response period.
- First point in establishing chain of custody.
- Policies for law enforcement are published by the National Institute of Justice.

Acquisition (Collection), continued
- First responders should be trained to handle this type of evidence.
- Digital evidence is fragile.
- Digital evidence is easily altered if not handled properly.
- Simply turning a computer on or operating the computer changes and damages evidence.

What Is Forensically Sound?

This is Not Forensically Sound

This is Forensically Sound: Verification Must Be Done

Organization of Logical Data on a Hard Drive

Physical Acquisition
- A complete mirror image of the physical storage media, also referred to as a bit-stream copy.
- Gets everything, including deleted data and unallocated space.
- Collected in a forensic format that is easily verifiable.
- Meets the standards for original evidence.
- Supports full chain of custody.
- Cannot be contaminated.
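The slides say a physical acquisition must be "easily verifiable" and that "verification must be done". The following is an added example, not code from the deck or from any forensic tool: it hashes a constructed in-memory "drive" the way an imaging tool hashes sectors, compares the source digest with the digest of the bit-stream copy, shows that a logical copy with one changed byte fails verification, and writes the result into a chain-of-custody log line. The examiner name and evidence tag are placeholders.

```python
"""Added example: verifying a bit-stream copy and recording it in the chain of custody."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "physical drive" (4 KiB): some live data, a fragment of
# deleted-looking data, and zero-filled unallocated space. Not real media.
SOURCE_MEDIA = (
    b"LIVE FILE: contract_v3.docx metadata...".ljust(1024, b"\x00")
    + b"old chat log fragment: 'meet at 9'".ljust(1024, b"\x00")
    + b"\x00" * 2048
)


def hash_media(data: bytes, chunk_size: int = 512) -> dict:
    """Hash media in fixed-size chunks (as an imaging tool reads sectors) and
    return MD5 and SHA-256 digests, which imaging tools commonly report together."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "bytes": len(data)}


def acquire_physical_image(source: bytes) -> bytes:
    """Bit-stream copy: every byte, including unallocated space, is copied.
    A real acquisition reads through a write blocker; here it is a byte copy."""
    return bytes(source)


def verify_image(source: bytes, image: bytes) -> dict:
    """Compare digests of source and image. All digests (and the byte count)
    must match for the acquisition to verify; one flipped bit fails it."""
    src = hash_media(source)
    img = hash_media(image)
    return {"verified": src == img, "source": src, "image": img}


def chain_of_custody_entry(examiner: str, item_id: str, action: str, result: dict) -> str:
    """One documented action for the chain-of-custody log, as a JSON line."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,        # placeholder, supplied by the caller
        "item_id": item_id,          # placeholder evidence tag
        "action": action,
        "verified": result["verified"],
        "sha256_source": result["source"]["sha256"],
        "sha256_image": result["image"]["sha256"],
    }
    return json.dumps(entry, sort_keys=True)


def demo() -> tuple:
    """Returns (verified?, verified?) for a sound image and for an unsound copy."""
    good = acquire_physical_image(SOURCE_MEDIA)
    good_result = verify_image(SOURCE_MEDIA, good)

    # Simulate a copy made by booting the machine and copying files instead:
    # unallocated space is lost and one bit of live data has changed.
    bad = bytearray(good[:2048])   # logical copy, unallocated space missing
    bad[10] ^= 0x01                # a single bit flipped
    bad_result = verify_image(SOURCE_MEDIA, bytes(bad))
    return good_result["verified"], bad_result["verified"]


if __name__ == "__main__":
    result = verify_image(SOURCE_MEDIA, acquire_physical_image(SOURCE_MEDIA))
    print(chain_of_custody_entry("EXAMINER-PLACEHOLDER", "ITEM-001",
                                 "physical acquisition and verification", result))
    print("sound image verified / unsound copy verified:", demo())
```

The point for an attorney reviewing a forensic report is the pair of digests: if the report does not show matching source and image hashes computed at acquisition time, the "verifiable" requirement from the Foundations slide has not been met.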

Two Types of Deleted Data

Preservation
- Once digital evidence is seized it must be handled carefully to preserve and protect the evidence.
- Everything should be tagged.
- No one should operate or preview any evidence on writable media without proper tools and training.
- Forensically sound copies of all original evidence must be made before analysis.
- Records must be kept.

Fragile Nature of Digital Evidence
"The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless."
(Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit)

"Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file."
(Computer Forensics: Computer Crime Scene Investigation, 2nd Ed., John R. Vacca)

Fragile Nature of Digital Evidence
The next 3 slides demonstrate what happens when you operate a computer.
- Evidence is modified.
- Evidence is destroyed.
Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations

Files In Original Condition

Files After Opening and Viewing
- The last accessed date and time changes any time a file is opened and viewed while the computer is in operation.
- Exception: Windows Vista and newer.
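To make the "Files In Original Condition / After Opening / After Saving" demonstration reproducible, here is an added example (not from the deck) that creates its own temporary file, gives it a known old timestamp, then reads it as a viewer would and appends to it as an editor would, recording the access and modification times after each step. Whether merely reading a file updates the last-accessed time depends on the operating system and mount options (the slide's Windows Vista exception; Linux mounts commonly use relatime or noatime), so the example reports that result instead of assuming it; saving always moves the last-modified time.

```python
"""Added example: observing timestamp changes caused by opening and saving a file."""
import os
import tempfile
from datetime import datetime, timezone

# Constructed "original condition" timestamp: 2015-01-01T00:00:00Z
ORIGINAL_TIME = 1420070400


def timestamps(path: str) -> dict:
    """Last-accessed and last-modified times plus size, as a forensic tool lists them."""
    st = os.stat(path)
    return {"accessed": st.st_atime, "modified": st.st_mtime, "size": st.st_size}


def fmt(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def run_experiment() -> dict:
    """Create a file, stamp it with the old time, then 'view' and 'save' it."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        os.write(fd, b"original document contents")
        os.close(fd)
        # Backdate both timestamps so any change is unmistakable.
        os.utime(path, (ORIGINAL_TIME, ORIGINAL_TIME))
        original = timestamps(path)

        # "Opening and viewing": read the file the way a viewer does.
        with open(path, "rb") as f:
            f.read()
        after_open = timestamps(path)

        # "Saving": write the file back the way an editor does.
        with open(path, "ab") as f:
            f.write(b"\n(viewed and saved)")
        after_save = timestamps(path)
    finally:
        os.unlink(path)

    return {
        "original": original,
        "after_open": after_open,
        "after_save": after_save,
        # Platform/mount dependent: True on classic atime semantics, False on noatime.
        "atime_changed_on_open": after_open["accessed"] != original["accessed"],
        # Reading never changes the modified time.
        "mtime_changed_on_open": after_open["modified"] != original["modified"],
        # Saving always does.
        "mtime_changed_on_save": after_save["modified"] != original["modified"],
    }


if __name__ == "__main__":
    r = run_experiment()
    for stage in ("original", "after_open", "after_save"):
        t = r[stage]
        print(f"{stage:<11} accessed={fmt(t['accessed'])} modified={fmt(t['modified'])} size={t['size']}")
    print("accessed time changed on open:", r["atime_changed_on_open"])
    print("modified time changed on save:", r["mtime_changed_on_save"])
```

Run it on the examiner's own workstation, never on evidence media: the whole point of the slide is that these writes are exactly what a write blocker and a forensic image exist to prevent.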

Files After Saving
- The last written (last modified) date and time changes any time a file is saved or copied while the computer is in operation.
- And for other reasons,

Other Digital Evidence
- Global Positioning System (GPS) units (location data)
- Vehicle black boxes (trucking industry)
- iPods (employee theft)
- Digital cameras (sex crimes)
- Security cameras (robberies, wrongful death)
- Audio recordings (wrongful death, terrorism, murder, defendant interviews)
- Game consoles (murder)
- Security systems (murder)
- Backup tapes (data recovery, fraud)

Experts

Defendant as Expert

Why a Forensics Expert?
A computer forensics expert:
- Should have comparable or better training and experience than the other expert.
- Should have specific training and experience as a digital forensics expert.
- Should have access to the same tools as the opposing expert.
- Must be able to qualify as a forensic expert in court.

Technical Expertise Comparison
Legal Expertise Comparison
Investigative Expertise Comparison

Computer Experts
- No training in examination or investigation.
- Get caught up in what-ifs that have no bearing on the case.
- Do not know where to look for evidence.

Digital Forensics Experts
- Examination is targeted to the device, operating system and type of case.

Selecting a Digital Forensics Expert

Certifications

Forensic Tools
Do they have appropriate forensic tools and know how to use them?
- Required to perform many digital forensic functions.
- Computer forensics: EnCase, FTK.
- Cell phone forensics: Cellebrite, Paraben, Susteen.
- Almost always needed to perform forensically sound acquisitions and examinations.

Selecting an Expert: Overview
1. Actual training in digital forensics and sub-disciplines?
2. Digital forensics certifications? Or just computer-based certifications?
3. Actual case experience?
4. Recommendation letters from other professionals, particularly attorneys?
5. Background check?
6. References?

Selecting an Expert: Overview (news excerpt)

RALEIGH (WTVD) -- The defense asked for a mistrial Tuesday in the Brad Cooper murder trial. The move came as the first witness for the defense endured a withering examination by the prosecution on his qualifications to testify as an expert. James Ward of WireGhost Security told the court he was an expert in computer network security, but the prosecution questioned his qualifications to testify about Cooper's computers as a forensics expert.

Defense computer expert James Ward (WTVD Photo)

Arguing before Gessner Tuesday, the prosecution said Ward lacked the proper education and experience to say there was evidence of computer tampering. "He has a home lab. He borrowed his tools from Cisco. He doesn't know what software he used," said prosecutor Boz Zellinger. Zellinger said the prosecution and defense should be held to the same standards on expert witnesses, and Ward falls short. "I would be laughed out of this building," said Zellinger. Gessner ruled that Ward could testify about network security, but he could not testify about the FBI reports on Cooper's computers.

Spotting a Problem Expert

Attitude: how does the expert interact with your team?
1. Arrogant or superior?
2. Does he or she take the time to properly explain technical concepts in easy-to-understand language?

The Bull Factor
1. If an expert does not have the answer to a question, does he or she try to convince you that they do anyway?
2. Great risk when testifying.
3. Use of jargon to cover up ignorance.

Expectations of a Forensics Expert
A computer forensics expert is expected to:
- Anticipate the testimony of the opposing expert based on the forensic reports and discovery.
- Duplicate and verify the opposing expert's work.
- Assist the attorney in preparation for trial.
- Advise the attorney as to the merits of the case with regard to the digital evidence presented.
- Write direct and cross examination questions.

Analysis

Analyzing the Case
- Always work the case like you are the primary examiner.
- Never assume anything.
- Check all the points in the case where mistakes are normally made:
  - Chain of custody.
  - Examination standard procedures.
  - RTC (real-time clock) verified for all evidence containing clocks.
  - Evidence handling at the scene.
  - Was everything examined?
  - Claims made in the forensics report. Pay particular attention to keyword search results, internet history results, link files, etc.
  - Placing the defendant at the computer.

Performing the Analysis
Step one: verify the accuracy of their findings.
- Did they represent their findings correctly?
- How thorough was the examination?
- Verify the completeness of their report:
  - Is everything they found in the report? Why or why not?
  - Was exculpatory evidence ignored or missed?

Establishing a framework for analysis
- Reading discovery documents
- Reading the computer forensics reports
  - What claims are being made?
  - What statements were made?
  - What facts support the claims and which do not?

What clues can lead to a more thorough digital analysis?
- Defendant's statements
- Witness statements
- Police statements and interviews
- Call center records
- Search warrants and subpoenas
- Other supporting documents
- Law enforcement's computer forensics report

Case Analysis Examples

Document Metadata Example

Picture Metadata Example

Internet History Before Clearing

Internet History After Clearing

Challenging the Evidence
What the heck is unallocated space?
- Unallocated space is areas on the hard drive that are available to store data.
- When a file is deleted, it is only marked as deleted, so the old data remains on the hard drive in the unallocated space.
- Forensic tools can recover files from this unallocated area of the hard drive.
- Files recovered from unallocated space do not contain:
  - Dates or times.
  - Original file names.
  - Original location on the hard drive.

Contact Information
Email: Lars@guardiandf.com
Web: www.guardiandf.com
Phone: 919-868-6281
Book: Digital Forensics for Legal Professionals, Syngress Publishing, Amazon.com (print and Kindle), Larry E. Daniel and Lars E. Daniel

Questions?
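The "What the heck is unallocated space?" slide describes three things at once: deletion only flips a flag, the bytes stay in unallocated space until overwritten, and what a tool carves back has no name, date or original path. The following added example (not from the deck or any forensic product) models that with a constructed toy disk and a tiny directory table, recovers a "deleted" JPEG by scanning unallocated space for its start and end markers, and then shows the same recovery failing once normal use has written new data over those sectors. The toy file system and the fake JPEG content are constructed for the example.

```python
"""Added example: deleted data in unallocated space and signature carving."""
from dataclasses import dataclass

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


@dataclass
class DirEntry:
    """One row of the toy directory table (the only place a name and location live)."""
    name: str
    start: int            # first sector
    length: int           # bytes
    deleted: bool = False


class ToyDisk:
    """A constructed disk: a byte buffer plus a directory table."""

    def __init__(self, sectors: int):
        self.data = bytearray(sectors * SECTOR)
        self.table = []   # list of DirEntry

    def write_file(self, name: str, content: bytes, start: int) -> DirEntry:
        off = start * SECTOR
        self.data[off:off + len(content)] = content
        entry = DirEntry(name, start, len(content))
        self.table.append(entry)
        return entry

    def delete_file(self, name: str) -> None:
        """As on real file systems, deletion only marks the table entry; bytes stay."""
        for e in self.table:
            if e.name == name:
                e.deleted = True

    def allocated_ranges(self):
        """Byte ranges owned by live (non-deleted) files."""
        return [(e.start * SECTOR, e.start * SECTOR + e.length)
                for e in self.table if not e.deleted]


def carve_jpegs(disk: ToyDisk) -> list:
    """Signature carving over unallocated space: find SOI..EOI pairs that no
    live file owns. Hits carry an offset and bytes only: no name, no dates."""
    hits = []
    allocated = disk.allocated_ranges()
    data = bytes(disk.data)
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        if any(lo <= start < hi for lo, hi in allocated):
            pos = start + 1          # live file: listed by the directory, not carved
            continue
        end = data.find(JPEG_EOI, start)
        if end == -1:
            break
        hits.append({"offset": start, "size": end + 2 - start,
                     "data": data[start:end + 2], "name": None, "mtime": None})
        pos = end + 2
    return hits


def demo() -> dict:
    """Delete a photo, carve it back intact, then lose it to normal disk reuse."""
    disk = ToyDisk(sectors=16)
    photo = JPEG_SOI + b"constructed pixel data " * 8 + JPEG_EOI   # fake JPEG
    disk.write_file("notes.txt", b"meeting notes", start=2)
    disk.write_file("photo1.jpg", photo, start=4)
    live_hits = len(carve_jpegs(disk))          # 0: the photo is still a live file

    disk.delete_file("photo1.jpg")
    carved = carve_jpegs(disk)                  # 1 hit: bytes intact, no name/date
    intact = bool(carved) and carved[0]["data"] == photo

    # Normal use of the computer writes new data over free sectors.
    disk.write_file("new_download.tmp", b"x" * 64, start=4)
    after_reuse = len(carve_jpegs(disk))        # 0: the signature was overwritten

    return {"live_hits": live_hits, "carved": len(carved), "intact": intact,
            "offset": carved[0]["offset"] if carved else None,
            "after_reuse": after_reuse}


if __name__ == "__main__":
    print(demo())
```

This is also the concrete reason behind the slide's "Cannot be contaminated" claim for physical acquisitions and the Vacca quote about normal operation: the carved photo survives the delete, but a 64-byte write by an unrelated program destroys it, which is what happens every time an unimaged evidence machine is booted and used.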