Computer Related Evidence &


Presentation Transcript


  1. Computer Related Evidence & What is this computer geek going to do now that I have done all the hard work?

  2. Rules We Live By And So Should You • Never Alter the Original Media! • Findings MUST be Verifiable! • Findings MUST be Reproducible!

  3. PROCEDURES What your examiners can do for and with you.

  4. • Assist Preparing the Search Warrant. • Service of the Search Warrant. • Gathering the Computer Related Evidence (CRE).* • Image and Archive.* • Store and Secure Computer Related Evidence. • Examine.* • Review Findings with you.*

  5. • Complete a Report in the Format You Need.* • Prosecutor and Defense Interviews about the computer related evidence. • Testify. • Dispose / Clean Evidence.*

  6. What We Will Not Do • Take Over Your Investigation!

  7. Gathering Evidence • Securing • Turning off • Documenting • Marking • Transporting

  8. Imaging and Archives • We work from an Image of the Suspect media. • Copy is stored on CD-R or Tape.

  9. Examine • See The Rule We Live By. • Work from the copy with a variety of tools. • You have to tell us what is going on.

  10. Review with You • What is nothing to me may be everything to you. • You (always) know a lot more than me.

  11. Report the Findings • A report and examples in the format you need. • Written, Officer’s Witness Statement. • Spreadsheets showing file information. • Information printed, on CD-R, PowerPoint. • Do live demos work? Yes or No

  12. Interviews

  13. Interviews • #1 DO NOT LET ANYONE SHOW YOU WHERE THE EVIDENCE IS ON THE COMPUTER… • Let them talk about their great computer skills or lack of skill. • Ownership and use of each computer. • Passwords!

  14. Like all interviews, you are attempting to gather information. • What else would you like to know? • Online service, when used the most, computer at work? AND

  15. Search Warrant vs. Consent • When you can get a search warrant. • Consent: knowingly, freely and voluntarily, by someone with the authority to give the consent.

  16. You Found the “something”. Are We Done?

  17. Computer Examinations 101 • The Fun Stuff. • Proving the WHO, WHAT, WHERE, WHEN, HOW and maybe WHY.

  18. Date and Time Stamps • Windows 9x and above tracks three dates and two times. • NTFS adds one date and one time. • Other operating systems keep dates and times.

  19. Windows > Properties

  20. EnCase view of Date and Times

  21. Deleted Files • DOS / Windows only overwrites the first character of the DOS directory entry.

  22. File Slack & Unallocated Space • File Slack: the space between the end of the file and the end of the “cluster”. • Unallocated Space: the space on the disk that is not assigned in the directory (free space). • Both contain leftover information.
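Slides 18, 21 and 22 together describe what a FAT directory entry holds: the three dates and two times, the first name character that deletion overwrites, and the file size from which slack follows. The parser below is an added example, not from the presentation, and assumes the standard 32-byte 8.3 FAT entry layout, an 0xE5 deletion marker and a 4096-byte cluster size; the sample entry is constructed here.

```python
import struct

DELETED_MARKER = 0xE5      # byte written over the first name character when a file is deleted
CLUSTER_SIZE = 4096        # assumed cluster size for the slack calculation

def fat_date(raw):
    """Decode a 16-bit FAT date: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day."""
    return (1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def fat_time(raw):
    """Decode a 16-bit FAT time: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds / 2."""
    return (raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2)

def parse_entry(entry, cluster_size=CLUSTER_SIZE):
    """Parse one 32-byte 8.3 FAT directory entry into the fields an examiner looks at."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    # Offsets 11-31: attr, reserved, create-time tenths, create time, create date,
    # last-access date, first cluster (high), write time, write date, first cluster (low), size
    _attr, _res, _tenths, ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack(
        "<BBBHHHHHHHI", entry[11:32])
    deleted = entry[0] == DELETED_MARKER
    # The first name character is gone once deleted; show it as "?" instead of guessing it
    base = ("?" if deleted else chr(entry[0])) + entry[1:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    slack = (-size) % cluster_size if size else 0   # bytes between end of file and end of cluster
    return {
        "name": base + ("." + ext if ext else ""),
        "deleted": deleted,
        "size": size,
        "first_cluster": (hi << 16) | lo,
        "created": fat_date(cdate) + fat_time(ctime),   # date + time
        "accessed": fat_date(adate),                     # date only: the third date
        "written": fat_date(wdate) + fat_time(wtime),   # date + time
        "slack_bytes": slack,
    }

def enc_date(y, m, d):   # encoders used only to build the constructed sample below
    return ((y - 1980) << 9) | (m << 5) | d

def enc_time(h, mi, s):
    return (h << 11) | (mi << 5) | (s // 2)

# Constructed sample: "KIDPICT.JPG", 5000 bytes, created 2003-04-15 13:22:30, last
# accessed 2003-04-16, written 2003-04-15 13:30:00, then deleted (first byte -> E5)
SAMPLE_ENTRY = b"\xE5IDPICT " + b"JPG" + struct.pack(
    "<BBBHHHHHHHI", 0x20, 0, 0, enc_time(13, 22, 30), enc_date(2003, 4, 15),
    enc_date(2003, 4, 16), 0, enc_time(13, 30, 0), enc_date(2003, 4, 15), 5, 5000)
```

Running `parse_entry(SAMPLE_ENTRY)` shows the name with its lost first character, the three dates, and 3192 bytes of slack in the file's last cluster.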

  23. File Headers, what is important. • 4A 47 03 0E • 50 4B 03 04 14 00 00 00 00 00 • FF D8 FF E0 • D0 CF 11 E0 A1 B1 1A E1 00 00, 0, FE FF 09 00, 29, 4, 0, 42 00 02 • File Extension, what we see: *.ART, DOC, JPG, XLS • Header vs. File Extension
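The slide's point is that the header bytes, not the extension, say what a file is. The checker below is an added example, not from the presentation; the pairing of the listed byte patterns with ART, ZIP, JPG and DOC/XLS is the well-known signature mapping and is assumed here, and the sample "files" are constructed.

```python
from pathlib import PurePath

# Well-known signatures (assumed mapping: the slide lists the bytes and extensions separately)
SIGNATURES = {
    "jpg": [b"\xFF\xD8\xFF\xE0", b"\xFF\xD8\xFF\xE1"],   # JFIF / Exif JPEG
    "jpeg": [b"\xFF\xD8\xFF\xE0", b"\xFF\xD8\xFF\xE1"],
    "zip": [b"PK\x03\x04"],                                # 50 4B 03 04
    "doc": [b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],          # OLE2 compound document
    "xls": [b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],          # same container as DOC
    "art": [b"JG\x03\x0E", b"JG\x04\x0E"],                 # AOL ART image (4A 47 ..)
}
MAX_HEADER = max(len(s) for sigs in SIGNATURES.values() for s in sigs)

def identify(data):
    """Extensions whose signature matches the leading bytes (may be several, e.g. doc/xls)."""
    head = data[:MAX_HEADER]
    return {ext for ext, sigs in SIGNATURES.items() if any(head.startswith(s) for s in sigs)}

def check(filename, data):
    """Compare what the name claims with what the header says."""
    claimed = PurePath(filename).suffix.lstrip(".").lower()
    found = identify(data)
    if claimed in found:
        return "match"
    if found:
        return "mismatch"   # header identifies a different type: renamed or mislabelled file
    return "unknown"        # no signature we track; needs another tool or manual review

def check_file(path):
    """Read only the leading bytes of a file on the working copy and check it."""
    with open(path, "rb") as f:
        return check(path, f.read(MAX_HEADER))

# Constructed sample "files" as (name, first bytes); the JPEG under a .doc name is the case to catch
SAMPLES = [
    ("photo.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),
    ("report.doc", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),
    ("budget.xls", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8),
    ("notes.txt", b"plain text has no signature"),
]

def scan(samples=SAMPLES):
    """Return (name, verdict, types the header matched) for each sample."""
    return [(name, check(name, data), sorted(identify(data))) for name, data in samples]

if __name__ == "__main__":
    for name, verdict, found in scan():
        print(f"{name:12} {verdict:9} header says: {', '.join(found) or '?'}")
```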

  24. Previewing • Let's talk. • When to do it. • What are you looking for. • Tools. • Where to look.

  25. Previewing. Let's Talk. • Consent • Damage to evidence • Testifying about it in court • Do you stand a chance of finding something? • False negative.

  26. Previewing. When to do it. • Group participation.

  27. Previewing, When to do it. • Looking for text. • Easy anytime. • Have Examiner prepare EnCase Boot disk with search items. • Other tools. Norton disk editor, DIBS Mycroft V3 and others.

  28. Previewing. When to do it. • Images. • There are not too many DOS-based image viewers. • EnCase on LapLink. • Copy out possible sources.

  29. Previewing. Tools. • EnCase LapLink or Network Card. $2K • Pre-Search & Digit, NIS and Paul Bright. Free, unsupported. • Boot to “safe” DOS disk and copy out interesting items.

  30. Previewing. Where to look. • C:\Windows\Temporary Internet Files • C:\Windows\Recent AKA: • Start > Documents (right click & Properties) • C:\Windows\History • Recycle Bin • Internet Explorer, Recent and Favorites • My Documents > My Pictures ?

  31. Previewing. Where else. • Looking for newsgroup programs. • Free Agent, NewsRover, Outlook. • C:\Windows\Temp • The directory in each volume? • Folder titled “kid pict” or some other obvious name.

  32. Organizations. • CTIN • AGORA • HTCIA • IACIS • NWCCC
