1575 McKee Road (Suite 204)Dover, DE 19904

Delaware State Police

Introduction to Digital Evidence

Guide for Educators and School Administration

My Background

U of D graduate in 1992BS majors in Psychology and SociologyHired by DSP in 1992Five years as road TrooperThree years in Criminal InvestigationsAssigned to HTCU in October 1999

CFCE recognition from IACISDelaware Valley HTCIA memberApproximately 600 hours of computer forensic trainingFirst real exposure to computers in 1982.Watched a lot of Star Trek

What we do in a nutshell . . .

Provide forensic analysis of digital media and recovery of digital evidence Conduct investigations where the computer is the target of the crimeProvide technical and investigative assistance to local, state and federal law enforcement agencies

Computer Forensicsfo·ren·sic ( f … -rµn“s¹k, -z ¹k) adj. 1. Relating to, used in, or appropriate for courts of law . . . .

Computer Forensics: “The employment of a set of predefined procedures to thoroughly examine a computer system using software and tools to extract and preserve evidence of criminal activity” ¹Footnote1.)Dorothy A. Lunn – Computer Forensics “An Overview”. http://www.sans.org/infosecFAQ/incident/forensics.htm

What is Digital Evidence?

Information stored or transmitted in binary form that may be relied upon in court. ¹

Footnote

1.) NIJ Guide Electronic Crime Scene Investgation

What can be found as digital evidence?

Correspondence (e-mails, Instant Messages)Graphics files (Child porn, trophy pictures)Text files (confessions in a diary, instructions for making bombs/drugs)Sound files (voicemail or recorded messages)Spreadsheets or other bookkeeping records (financial information)Databases – (lists of contraband)

Where can digital evidence be found?Where can digital evidence be found?

Where else?Where else?

Newer devices

Locations of digital evidence

Evidence of the local crime may be found in several places.Evidence may be found on both the victims and the suspects computersEvidence may be found on the ISP servers or on a online storage area (may be in another state or country)

Operating SystemsMicrosoft Windows (XP, ME, 2000, 98, 95, NT, DOS)Apple (MacOS X, Classic)Linux (RedHat, Mandrake, SuSE)Unix LindowsNovellBeOS

Recovery from Fire

Recovery from Damaged CD/DVDs

Before After

Welcome to HTCU!

HTCU Lab

Forensic Workstation

“Freddie” Portable Forensic Workstation

How we examine digital evidence

A copy of the media is madeThe copy of media is verified as being a true exact copyThe original media is stored for evidence and the copy is examined using forensic software

Searching For Data

Files in directories in which suspect had accessInternet files (cache, history, .htm files) File types that most likely to relate to each individual case

Erased Files

The System does not really “erase” filesOnly marks space as “available”

Data is still there until it is overwrittenEven then, some data may remain in slack for years

Often fully or partially recoverableFormatting only erases the pointers or File Allocation Tables (FAT).

Allocated Vs. Unallocated Space

Allocated space – files and data recognized and used by the operating systemUnallocated space – area of the media not in use by the operating system

Allocated Space

Operating system Directories, programs and filesNames, dates and times are associated with files/directoriesEasily viewable by most usersCan contain deleted, hidden and encrypted files

Unallocated Space

Raw dataNo longer has file names, dates or timesPartial or complete files can be recovered from this area

Keyword Searches

Evidence can sometimes be located by using a keyword search.Media (eg. Hard drive) can be analogized to a file cabinet containing thousands of documents with text.Keyword searches allow the examiner to spot files or data containing the specified words (ie. Victim’s name, phone numbers, credit card numbers, social security numbers, etc.)

Computer Related Crimes most Commonly Seen in Schools

Bomb ThreatsHarassmentsTerroristic ThreateningUnauthorized AccessInterruption of Computer Services

** Digital evidence may exist for any type of crime, common or uncommon**

Ten Steps to Prevent and Preserve Evidence

1.) Have a signed computing policy in place and on file.

MandatoryOnce a yearStudentsTeachersAdministrationStaff

2.) Banner SystemReminds users of computing policiesExplains that there is no expectation of privacyNot good without signed computing policy

3.) Forced Sign-onsSign-on unique to userMandatory to use systemLoggingUser permissions setForced password changes

4.)Assigned Computers and Sign-in sheets.

Used if forced sign-ons and logging is not an option.Puts a user at the computer at a given date and time.

5.) Use Filters, Firewalls and Virus Protection

Filters weed out questionable or inappropriate content.Firewalls protect from outside intrusions.Use virus protection on every computer.Use intrusion detection software.

6.) Preview Internet Web Sites

Preview Internet Web Sites that are to be used in lesson plans or assignments.Look for potential problemsAdjust lesson plans or assignments if necessary

7.) Know where your computers are located.

Keep a current database of IP addresses know where they belongHave a current/updated map of the computers physical location.Use a naming convention that is consistent.

8.) Know your system administrator.

Have your system administrator’s contact information on hand.System administrator will most likely one of law enforcement’s first point of contact.

9.) Stop and Secure ComputerOnce problem is identified STOP use of the computer.Secure the computer in a locked room.If an E-mail is the source of the problem, preserve the entire message including the headers.

10.) Contact Law Enforcement.If present contact the SRO (School Resource Officer) first.If there is no SRO contact your local law enforcement agency.DSP-HTCU will assist the local agency if requested.

Questions?

Det. Steve Whalen, CFCE

Delaware State Police -

Steve.Whalen@state.de.us

Office: 302-739-2761Fax: 302-739-1398