Computer Related Evidence&

What is this computer geek going to do now that I have done all the hard

work?

Rules We Live By And So Should you Never Alter the Original Media! Findings MUST be Verifiable! Findings MUST be Reproducible!

PROCEDURES

What your examiners can do for and with you.

Assist Preparing the Search Warrant. Service of the Search Warrant. Gathering the Computer Related

Evidence(CRE).* Image and Archive.* Store and Secure Computer Related

Evidence. Examine.* Review Findings with you.*

Complete a Report in the Format You Need.*

Prosecutor and Defense Interviews about the computer related evidence.

Testify. Dispose / Clean Evidence.*

What We Will Not Do

Take Over Your Investigation!

Gathering Evidence

Securing Turning off Documenting Marking Transporting

Imaging and Archives

We work from an Image of the Suspect media.

Copy is stored on CD-R or Tape.

Examine

See The Rule We Live By. Work from the copy with a variety of tools. You have to tell us what is going on.

Review with You

What is nothing to me may be everything to you.

You (always) know a lot more than me.

Report the Findings

A report and Examples in the format you need.– Written, Officer’s Witness Statement.– Spread Sheets Showing file information.– Information Printed, on CD-R, Power Point.

– Do live demos’ work? Yes or No

Interviews

Interviews

#1 DO NOT LET ANYONE SHOW YOU WHERE THE EVIDENCE IS ON THE COMPUTER……………

Let them talk about their great computer skills or lack of skill.

Ownership and use of each computer. Passwords!

Like all interviews you are attempting to gather information.

What else would you like to know.– Online service, when used the most, computer

at work? AND

Search Warrant VS Consent

When you can get a search warrant.

Consent- knowingly, freely and voluntarily.

with the authority to give the consent.

You Found the”something”Are We Done?

Computer Examinations 101

The Fun Stuff. Proving the WHO, WHAT, WHERE,

WHEN, HOW and maybe WHY.

Date and Time Stamps

Windows 9x and above tracks three dates and two times.

NTSF adds one date and one time Other Operating Systems keep dates and

time.

Windows > Properties

EnCase view of Date and Times

Deleted Files

DOS / Windows Only overwrites the first character of the DOS Directory.

File Slack & Unallocated Space

File Slack, the space between the end of the file and the end of the “Cluster”.

Unallocated Space, the space on the disk that is not assigned in the directory. (free space.

Both contain left over information.

Header Vs. File Extension

File Headers, what is important.

4A 47 03 0E 00 00 00 50 4B 03 04 14 00 00

00 00 00 FF D8 FF E0 D0 CF 11 E0 A1 B1

1A E1 00 00,0,FE FF 09 00,29,4,0,42 00 02

File Extension, what we see.– *.ART, DOC,

JPG,XLS

Previewing

Lets talk. When to to it. What are you looking for. Tools. Where to look.

Previewing. Lets Talk.

Consent Damage to evidence Testifying about it in court Do you stand a chance of finding

something. False negative.

Previewing. When to do it.

Group participation.

Previewing, When to do it.

Looking for text. – Easy anytime.– Have Examiner prepare EnCase Boot disk with

search items.– Other tools. Norton disk editor, DIBS Mycroft

V3 and others.

Previewing. When to do it.

Images. There are not to many DOS based images

viewers. EnCase on laplink. Copy out possible sources.

Previewing. Tools.

EnCase Laplink or Network Card. $2K Pre- Search & Digit, NIS and Paul Bright.

Free, unsupported. Boot to “safe” DOS disk and copy out

interesting items.

Previewing. Where to look.

C:\Windows\Temporary Internet File C:\Windows\Recent AKA:

– Start > Documents (right click & properties)

C:\Windows\History Recycle bin Internet Explorer, Recent and Favorites My Documents > My Pictures ?

Previewing, Where else

Looking for Newsgroup Programs.– Free Agent, NewsRover, Outlook.

C:\Windows\Temp The Directory in each Volume?

– Folder Titled “kid pict” or some other obvious name.

Organizations.

CTIN AGORA HTCIA IACIS NWCCC