COS/PSA 413 Lab 4

Upload: faraji

Post on 14-Jan-2016


Page 1: COS/PSA 413

COS/PSA 413

Lab 4

Page 2: COS/PSA 413

Agenda

• Lab 3 write-ups overdue
  – Only got 9 out of 10
• Capstone Proposals due TODAY
  – See guidelines in WebCT
  – Only got 4 out of 10 so far
• Discussion on Digital Evidence Controls
  – Chap 7 in 1e, Chap 6 in 2e (pretty much the same)

Page 3: COS/PSA 413

Lab Write-ups

• Due Oct 12 (Lab 4 done on Oct 5)
  – For Project 4-1 and 4-2, provide a one-page document in which you tell what you have learned and the conclusion you drew from these projects.
  – For Project 4-3, provide the sector information the project requires you to document.
  – For Project 4-4, turn in the answer to Part 12.
• Due Oct 17 (Lab 5 to be done on Oct 6)
  – For Project 4-5, turn in the answer to Part 17.
  – For Project 4-6, turn in the answer to Part 21.

Page 4: COS/PSA 413

Digital Evidence Controls

Chapter 7

Page 5: COS/PSA 413

Learning Objectives

• Identify Digital Evidence
• Secure Digital Evidence at an Incident Scene
• Catalog Digital Evidence
• Store Digital Evidence
• Obtain a Digital Signature

Page 6: COS/PSA 413

Identifying Digital Evidence

• Evidence stored or transmitted in digital form
• Courts accept digital evidence as physical
• Groups
  – Scientific Working Group on Digital Evidence (SWGDE)
    • http://ncfs.org/swgde/index.html
  – International Organization on Computer Evidence (IOCE)
    • A group that sets standards for recovering, preserving, and examining digital evidence.
    • http://www.ioce.org/

Page 7: COS/PSA 413

Identifying Digital Evidence (continued)

• Working with digital evidence
  – Identify potential digital evidence
  – Collect, preserve, and document the evidence
  – Analyze, identify, and organize the evidence
  – Verify results can be reproduced

• Systematic job

• Use standardized forms for documentation

Page 8: COS/PSA 413

Understanding Evidence Rules

• Handle all evidence consistently

• Always apply same security controls

• Evidence for a criminal case can be used in civil litigation

• Keep current on the latest rulings and directives
  – Check the DoJ website: http://www.usdoj.gov/

• Check with your attorney on how to handle evidence

Page 9: COS/PSA 413

Understanding Evidence Rules (continued)

• Bit-stream copies are considered physical evidence
• Other electronic evidence
  – It can be changed more easily
  – Hard to distinguish a duplicate from the original
• Computer records are hearsay evidence
  – Secondhand or indirect evidence
  – Not admissible in a court trial

Page 10: COS/PSA 413

Understanding Evidence Rules (continued)

• Business-record exception
  – Records must have been created by suspect
  – Records are original
• Computer records are admissible if they qualify as business records
  – Computer-generated records
  – Computer-stored records

Page 11: COS/PSA 413

Understanding Evidence Rules (continued)

• Use known processes and tools when handling evidence

• Printouts qualify as original evidence

• Bit-stream copies also qualify as original evidence

• Use the original evidence when possible

Page 12: COS/PSA 413

Identify Digital Evidence

General Investigation Tasks

- Identify digital information or artifacts that can be used as evidence.
- Collect, preserve, and document the evidence.
- Analyze, identify, and organize the evidence.
- Rebuild evidence or repeat a situation to verify that you can obtain the same results every time.

Page 13: COS/PSA 413

Identify Digital Evidence

Page 14: COS/PSA 413

Identify Digital Evidence

Computer-Generated Records – Data that is generated by the computer such as system log files or proxy server logs.

Computer-Stored Records – Digital files that are generated by a person.

Page 15: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Before obtaining the evidence, ask the following:

- Do you need to take the entire computer, all peripherals, and media in the immediate area? Do you need to protect the computer or media while transporting it to your lab?
- Is the computer powered on when you arrive to take control of the digital evidence?
- Is the suspect you are investigating in the immediate area of the computer? Is it possible that the suspect damaged or destroyed the computer and its media?

Page 16: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Page 17: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Page 18: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Use the following to preserve digital evidence:

- Use anti-static evidence bags for small pieces of evidence such as disks and magnetic tapes, and use adhesive seals to secure the opening on the computer cabinet.
- Look for manuals and software such as the operating system and application programs at the scene. Collect these items as part of the evidence.

Page 19: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Use the following to preserve digital evidence:

- Determine whether the environment is safe for your evidence. If you have to take the computer outside, freezing or very hot temperatures can damage digital media. If you are transporting digital media, make sure your vehicle is heated or air conditioned as appropriate for the weather. Also determine whether electrical transformers are located near your digital evidence. They can interfere with the magnetic disk coating and damage evidence.

Page 20: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Guidelines to Catalog Digital Evidence

1. Identify the type of computer you are working with, such as a Windows PC or laptop, a UNIX workstation, or a Macintosh. Do not turn on a suspect's computer if it is turned off. Recall that various operating systems overwrite files as a standard part of their boot process.

Page 21: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Guidelines to Catalog Digital Evidence

2. Use a digital camera to photograph all cable connections, and then label the cables with evidence tags. Photograph or videotape the scene, and create a detailed diagram, noting where items are located.

3. Assign one person to collect and log all evidence. Minimize the number of people handling the evidence overall to ensure its integrity.

Page 22: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Guidelines to Catalog Digital Evidence

4. Tag all the evidence you collect with the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it.

5. Maintain two separate logs of collected evidence to use as a backup checklist to verify everything you have collected.

6. Maintain constant control of the collected evidence and the crime or incident scene.

Page 23: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Page 24: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Guidelines to Follow if a Computer is Powered On

1. If practical, copy any application data displayed on the screen, such as text or a spreadsheet document. Save this RAM data to removable media such as a floppy disk, Zip, or Jaz disk, using the Save As command. If this is not possible, take a close-up photograph of the scene. Close the application without saving the data.

Page 25: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Guidelines to Follow if a Computer is Powered On

2. After you copy the RAM data, you can safely shut down the computer. Use the manufacturer’s appropriate shutdown method. If you are not familiar with the method, find someone who is.

Page 26: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Guidelines to Follow if a Computer is Powered On

3. To access the suspect system, use an alternate operating system to examine the hard disk data. On Intel computers, use a specifically configured boot disk. For UNIX workstations, remove the drive and inspect the hard drive from another UNIX or Linux system.

4. Acquire the suspect drive with bit-stream imaging tools.

5. Verify the integrity of your bit-stream image copy of the original disk.

Page 27: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Processing and Handling Digital Evidence

1. Copy all bit-stream image files to a large disk drive.

2. Start your desired forensic tool to analyze the evidence.

3. Run an MD5 hash check on the bit-stream image files.

4. When you finish copying the bit-stream image file to the larger disk, secure the original media in an evidence locker.

Page 28: COS/PSA 413

Secure Digital Evidence at an Incident Scene

Message Digest version 5 (MD5) hash – A mathematical algorithm that translates a file into a unique hexadecimal code value.

Page 29: COS/PSA 413

Storing Digital Evidence

4-mm DAT – Magnetic tapes that store about 4 GB of data, but like the CD-Rs, are slow to read and write data.

Page 30: COS/PSA 413

Storing Digital Evidence

Page 31: COS/PSA 413

Storing Digital Evidence

Page 32: COS/PSA 413

Documenting Evidence

Evidence forms serve the following purposes:

- Identifies the evidence.
- Identifies who has handled the evidence.
- Lists the dates and times the evidence was handled.

Page 33: COS/PSA 413

Documenting Evidence

Page 34: COS/PSA 413

Obtaining a Digital Signature

Cyclic Redundancy Check (CRC) – A mathematical algorithm that translates a file into a unique hexadecimal code value.

Digital Signature – A unique value that identifies a file.

Secure Hash Algorithm, version 1 (SHA-1) – A new digital signature method developed by the NIST. It is slowly replacing MD5 and CRC.

Page 35: COS/PSA 413

Obtaining a Digital Signature

Non-Keyed Hash Set – A hash set used to identify files or viruses.

Keyed Hash Set – A value created by an encryption utility’s secret key.

Page 36: COS/PSA 413

Obtaining a Digital Hash (continued)

• Example:
  – Create a file with Notepad
  – Obtain its hash value with DriveSpy
  – Modify the file
  – Recompute its hash value
  – Compare hash values
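The same exercise carried out in code, as an added example that is not part of the lecture slides and does not use DriveSpy: the three "digital signature" values the chapter names (CRC, MD5, SHA-1) are computed for a file, a byte-for-byte copy standing in for the bit-stream image is verified against the original (step 5 of the powered-on guidelines and step 3 of "Processing and Handling"), and the file is then modified and rehashed to show that the comparison fails. The sample file contents and the temporary file names are constructed for the demonstration. MD5 and SHA-1 appear because the slides use them; an examiner today would record a SHA-256 value alongside them, which `hashlib.new("sha256")` gives with the same function.

```python
import hashlib
import os
import tempfile
import zlib

# Constructed sample content standing in for the Notepad file in the slide.
SAMPLE_TEXT = b"Lab 4 hash test file - created with a text editor.\r\n"


def digital_signatures(data: bytes) -> dict:
    """Return the CRC-32, MD5 and SHA-1 values of a byte string, each as a
    hexadecimal string (the three methods the chapter calls digital signatures)."""
    return {
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_file(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so that a multi-gigabyte bit-stream
    image never has to be loaded into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(original_path: str, image_path: str, algorithm: str = "md5") -> bool:
    """Integrity check for a bit-stream copy: the copy is acceptable only when
    its hash equals the hash of the original media."""
    return hash_file(original_path, algorithm) == hash_file(image_path, algorithm)


def demo() -> dict:
    """Walk through the slide's example: create a file, hash it, copy and verify
    the copy, modify the original, recompute the hash and compare."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.txt")   # hypothetical name
        image = os.path.join(workdir, "evidence.img")      # hypothetical name

        with open(original, "wb") as f:
            f.write(SAMPLE_TEXT)
        before = hash_file(original)

        # A faithful byte-for-byte copy stands in for the bit-stream image.
        with open(original, "rb") as src, open(image, "wb") as dst:
            dst.write(src.read())
        copy_ok = verify_image(original, image)

        # Modify a single byte of the original ('L' becomes 'l'), as the
        # slide's "modify the file" step does.
        with open(original, "r+b") as f:
            f.seek(0)
            f.write(b"l")
        after = hash_file(original)

        return {
            "hash_before": before,
            "hash_after": after,
            "copy_verified": copy_ok,                 # True: copy matched
            "modification_detected": before != after,  # True: one byte changed
            "image_still_matches_original": verify_image(original, image),  # False
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the MD5 value before and after the edit; a one-byte change produces an entirely different digest, which is why the image is accepted only when the two values match exactly. Hashing in chunks matters in practice because the image files referred to in "Processing and Handling" are the size of the original drive.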

Page 37: COS/PSA 413

Create a File

Page 38: COS/PSA 413

DriveSpy

Page 39: COS/PSA 413

Computing Hash Value

Page 40: COS/PSA 413

Computing Hash Value (continued)

Page 41: COS/PSA 413

Obtaining a Digital Signature

4. Save the file by using the file menu.

5. Exit from the edit screen.

Page 42: COS/PSA 413

Chapter Summary

- Digital evidence is anything that is stored or transmitted on electronic or optical media. It is extremely fragile and easily altered.

- To work with digital evidence, start by identifying digital information or artifacts that can be used as evidence. Collect, preserve, document, analyze, identify, and organize the evidence.

Page 43: COS/PSA 413

Chapter Summary

- You must consistently handle all evidence the same way every time you handle it. Apply the same security and accountability controls for evidence in a civil lawsuit as for evidence obtained at a major crime scene to comply with your state’s rules of evidence or with the Federal Rules of Evidence.

Page 44: COS/PSA 413

Chapter Summary

- After you determine that an incident scene has digital evidence to collect, you visit the scene. First you need to catalog it, or to document the evidence you find. Your goal is to preserve evidence integrity, which means that you do not modify the evidence as you collect and catalog it. An incident scene should be photographed and sketched, and then each item labeled and put in an evidence bag, if possible.

Page 45: COS/PSA 413

Chapter Summary

- The media you use to store digital evidence usually depends on how long you need to keep the evidence. The ideal media on which to store digital data are CD-Rs or DVDs. You can also use magnetic tape to preserve evidence data, such as 4-mm DAT and DLT magnetic tapes.

- Digital evidence needs to be copied using bit-stream imaging to make sure that sector-by-sector mapping takes place.

Page 46: COS/PSA 413

Chapter Summary

- Digital signatures should be used to make sure that no changes have been made to the file or storage device. The current standards are CRC, MD5, and SHA-1.