Delaware State Police - dcet.k12.de.us (transcript of a slide deck)

Delaware State Police
1575 McKee Road (Suite 204), Dover, DE 19904
Introduction to Digital Evidence
Guide for Educators and School Administration
My Background
- U of D graduate in 1992, BS majors in Psychology and Sociology
- Hired by DSP in 1992
- Five years as road Trooper
- Three years in Criminal Investigations
- Assigned to HTCU in October 1999
- CFCE recognition from IACIS
- Delaware Valley HTCIA member
- Approximately 600 hours of computer forensic training
- First real exposure to computers in 1982
- Watched a lot of Star Trek
What we do in a nutshell . . .
- Provide forensic analysis of digital media and recovery of digital evidence
- Conduct investigations where the computer is the target of the crime
- Provide technical and investigative assistance to local, state and federal law enforcement agencies
Computer Forensics
fo·ren·sic adj. 1. Relating to, used in, or appropriate for courts of law . . . .
Computer Forensics: “The employment of a set of predefined procedures to thoroughly examine a computer system using software and tools to extract and preserve evidence of criminal activity” ¹
Footnote
1.) Dorothy A. Lunn – Computer Forensics “An Overview”. http://www.sans.org/infosecFAQ/incident/forensics.htm
What is Digital Evidence?
Information stored or transmitted in binary form that may be relied upon in court. ¹
Footnote
1.) NIJ Guide: Electronic Crime Scene Investigation
What can be found as digital evidence?
- Correspondence (e-mails, Instant Messages)
- Graphics files (child porn, trophy pictures)
- Text files (confessions in a diary, instructions for making bombs/drugs)
- Sound files (voicemail or recorded messages)
- Spreadsheets or other bookkeeping records (financial information)
- Databases (lists of contraband)
Where can digital evidence be found?
Where else?
Newer devices
Locations of digital evidence
- Evidence of a local crime may be found in several places.
- Evidence may be found on both the victim's and the suspect's computers.
- Evidence may be found on ISP servers or in an online storage area (which may be in another state or country).
Operating Systems
- Microsoft Windows (XP, ME, 2000, 98, 95, NT, DOS)
- Apple (MacOS X, Classic)
- Linux (RedHat, Mandrake, SuSE)
- Unix
- Lindows
- Novell
- BeOS
Recovery from Fire
Recovery from Damaged CD/DVDs (before and after photos)
Welcome to HTCU!
HTCU Lab
Forensic Workstation
“Freddie” Portable Forensic Workstation
How we examine digital evidence
- A copy of the media is made.
- The copy of the media is verified as being a true, exact copy.
- The original media is stored as evidence and the copy is examined using forensic software.
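The three steps above, copy, verify, examine only the copy, as an added worked example. This is not the HTCU's own tooling: in practice the image is taken through a hardware write-blocker with an imaging tool, and what follows only shows the verification logic. Assumptions not in the slides: the seized media is represented by an ordinary file, SHA-256 is the verification hash, and the sample "USB stick" contents are constructed.

```python
"""Copy-and-verify step of the examination procedure above.

Added example, not the HTCU's own tooling. Assumptions (not from the slides):
the seized media is represented by an ordinary file (a real acquisition reads the
device through a hardware write-blocker), and SHA-256 is the verification hash.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a large image never has to fit in RAM


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str) -> Dict[str, str]:
    """Make the copy, then prove it is a true, exact copy of the original.

    Three hashes are taken: the original before copying, the original after
    copying (catches a write to the source during acquisition) and the image.
    Only when all three agree is the image fit to examine.
    """
    before = sha256_of(source)
    shutil.copyfile(source, image)
    after = sha256_of(source)
    image_hash = sha256_of(image)
    os.chmod(image, 0o444)  # examiners work on a read-only copy, never the original
    verified = before == after == image_hash
    return {
        "source_sha256": before,
        "image_sha256": image_hash,
        "verified": "yes" if verified else "NO - do not examine this image",
    }


def demo() -> Dict[str, str]:
    """Run acquire() on a constructed 'USB stick' (sample data, not real evidence),
    then show what a bad copy looks like by altering one byte of a second copy."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_usb.bin")
        with open(source, "wb") as f:
            f.write(b"diary.txt: I sent the threat from the library PC\x00" * 4096)
        result = acquire(source, os.path.join(work, "suspect_usb.dd"))

        bad_copy = os.path.join(work, "bad_copy.dd")
        shutil.copyfile(source, bad_copy)
        with open(bad_copy, "r+b") as f:
            f.seek(10)
            f.write(b"X")  # a single changed byte changes the whole hash
        result["bad_copy_matches"] = "yes" if sha256_of(bad_copy) == result["source_sha256"] else "no"
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash values go into the examiner's notes: anyone can later re-hash the stored original and the image and confirm nothing changed between seizure and courtroom.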
Searching For Data
- Files in directories to which the suspect had access
- Internet files (cache, history, .htm files)
- File types most likely to relate to each individual case
Erased Files
- The system does not really “erase” files; it only marks the space as “available”.
- The data is still there until it is overwritten. Even then, some data may remain for years in slack space (the unused tail of the last cluster of a file).
- Erased files are often fully or partially recoverable.
- Formatting only erases the pointers or File Allocation Tables (FAT); the data itself stays on the media until something else overwrites it.
Allocated Vs. Unallocated Space
- Allocated space – files and data recognized and used by the operating system
- Unallocated space – area of the media not in use by the operating system
Allocated Space
- Operating system directories, programs and files
- Names, dates and times are associated with files/directories
- Easily viewable by most users
- Can contain deleted, hidden and encrypted files
Unallocated Space
- Raw data
- No longer has file names, dates or times
- Partial or complete files can be recovered from this area
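How a partial or complete file is pulled back out of unallocated space, as an added example (not the HTCU's forensic software): a file header such as a JPEG's or PNG's magic number is searched for in the raw bytes and everything up to the matching footer is cut out, with no name, date or time to go with it. The JPEG and PNG signatures are the real ones; the "unallocated space" is a constructed sample and the 10 MB bound on a file whose footer is gone is an assumed limit.

```python
"""Recovering files from unallocated space by signature ("carving").

Added example, not the HTCU's forensic software. The JPEG and PNG magic numbers
are the real ones; the 'unallocated space' below is a constructed sample, and
the 10 MB bound on a file with no footer is an assumed limit.
"""
from typing import Dict, List, NamedTuple, Tuple

# kind -> (header bytes, footer bytes, maximum length to carve when the footer is missing)
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 10_000_000),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10_000_000),
}


class Carved(NamedTuple):
    kind: str
    offset: int      # where in the raw data the file started (no name, date or time survives)
    data: bytes
    complete: bool   # False when the footer was overwritten: a partial file


def carve(raw: bytes, signatures=SIGNATURES) -> List[Carved]:
    """Scan raw bytes for every known header and cut out header..footer."""
    found: List[Carved] = []
    for kind, (head, tail, max_len) in signatures.items():
        pos = raw.find(head)
        while pos != -1:
            end = raw.find(tail, pos + len(head), pos + max_len)
            if end == -1:
                # Header with no footer in range: the tail of the file has been
                # overwritten. Keep what is left, up to the next header of this kind.
                nxt = raw.find(head, pos + len(head))
                stop = min(len(raw) if nxt == -1 else nxt, pos + max_len)
                found.append(Carved(kind, pos, raw[pos:stop], False))
                pos = nxt
            else:
                end += len(tail)
                found.append(Carved(kind, pos, raw[pos:end], True))
                pos = raw.find(head, end)
    return sorted(found, key=lambda c: c.offset)


def build_sample_unallocated() -> bytes:
    """Constructed sample (not a real drive image): old data, a deleted JPEG, a
    deleted PNG whose end has been overwritten, and a name-less text fragment."""
    old_data = bytes(range(256)) * 4
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 40 + b"\xff\xd9"
    png_no_end = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x11" * 30
    diary = b"diary: I posted the threat from the library PC on Monday\n"
    return old_data + jpeg + old_data + png_no_end + old_data + diary + old_data


if __name__ == "__main__":
    for c in carve(build_sample_unallocated()):
        state = "complete" if c.complete else "partial"
        print(f"{c.kind:5} at offset {c.offset:6d}: {len(c.data):4d} bytes, {state}")
```

The partial PNG is the case the slide calls out: its header survives, its end does not, and what is carved is whatever is left up to the assumed bound. Real carving tools use the same idea with many more signatures and with file-format knowledge (for example the length fields inside a PNG) to stop at the right place.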
Keyword Searches
- Evidence can sometimes be located by using a keyword search.
- Media (e.g. a hard drive) can be analogized to a file cabinet containing thousands of documents with text.
- Keyword searches allow the examiner to spot files or data containing the specified words (i.e. the victim’s name, phone numbers, credit card numbers, social security numbers, etc.).
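A keyword and pattern search run over raw drive contents, as an added example that is not the HTCU's forensic software. It goes slightly beyond the slide: the search is run over raw bytes (so deleted and unallocated data is covered, not only files), each keyword is tried as ASCII and as UTF-16LE (the encoding Windows uses for registry values and NTFS file names, which an ASCII-only search misses), and the numbers the slide lists are found by pattern rather than by exact value, with a Luhn check to separate card numbers from random digit runs. The drive contents are a constructed sample (a 555 phone number, the Visa test card number); the patterns are ordinary regular expressions for US-style SSNs, phone numbers and 16-digit card numbers.

```python
"""Keyword and pattern search over a raw image, including unallocated space.

Added example, not the HTCU's forensic software. The drive contents below are a
constructed sample; the patterns are plain regular expressions for US-style
SSNs, phone numbers and 16-digit card numbers.
"""
import re
from typing import Dict, List, Tuple

PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(rb"\b\d{3}-\d{3}-\d{4}\b"),
    "card": re.compile(rb"\b(?:\d[ -]?){15}\d\b"),  # 16 digits, optional spaces/dashes
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def keyword_hits(raw: bytes, keywords: List[str]) -> List[Tuple[str, str, int]]:
    """(keyword, encoding, byte offset) for every occurrence, case-insensitive.

    Searching raw bytes rather than files means deleted and unallocated data is
    covered too. Windows stores registry values and NTFS file names as UTF-16LE,
    where 'bomb' is b'b\\x00o\\x00m\\x00b\\x00'; an ASCII-only search would miss
    it, so both encodings are tried.
    """
    hits: List[Tuple[str, str, int]] = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = re.escape(kw.encode(enc))
            hits += [(kw, enc, m.start()) for m in re.finditer(needle, raw, re.IGNORECASE)]
    return sorted(hits, key=lambda h: h[2])


def pattern_hits(raw: bytes) -> Dict[str, List[str]]:
    """Numbers an examiner looks for without knowing their exact value in advance."""
    out: Dict[str, List[str]] = {kind: [] for kind in PATTERNS}
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(raw):
            value = m.group().decode("ascii")
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # 16 digits that fail Luhn are noise (an ID, a hash), not a card
            out[kind].append(value)
    return out


def build_sample_image() -> bytes:
    """Constructed drive contents (not real data): an ASCII e-mail draft, then a
    UTF-16LE fragment of the kind left behind by a Windows application."""
    draft = (b"To: principal@example.org\r\n"
             b"There is a bomb in locker 214.\r\n"
             b"Contact: 302-555-0147\r\n"
             b"SSN on file 123-45-6789\r\n"
             b"card 4111 1111 1111 1111 (test number)\r\n"
             b"not a card 1234 5678 9012 3456\r\n")
    fragment = "Dear Jane Doe, stop ignoring me".encode("utf-16-le")
    return b"\x00" * 512 + draft + b"\x00" * 512 + fragment + b"\x00" * 512


if __name__ == "__main__":
    image = build_sample_image()
    for kw, enc, off in keyword_hits(image, ["bomb", "Jane Doe"]):
        print(f"{kw!r} found as {enc} at offset {off}")
    for kind, values in pattern_hits(image).items():
        print(f"{kind}: {values}")
```

The byte offsets are what the examiner maps back to a file (if the hit lies in allocated space) or to unallocated space, which is why the hit list carries offsets rather than file names.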
Computer Related Crimes Most Commonly Seen in Schools
- Bomb Threats
- Harassment
- Terroristic Threatening
- Unauthorized Access
- Interruption of Computer Services

**Digital evidence may exist for any type of crime, common or uncommon**
Ten Steps to Prevent and Preserve Evidence
1.) Have a signed computing policy in place and on file.
- Mandatory
- Once a year
- Students
- Teachers
- Administration
- Staff
2.) Banner System
- Reminds users of computing policies
- Explains that there is no expectation of privacy
- Not effective without a signed computing policy
3.) Forced Sign-ons
- Sign-on unique to each user
- Mandatory to use the system
- Logging
- User permissions set
- Forced password changes
4.) Assigned Computers and Sign-in Sheets
- Used if forced sign-ons and logging are not an option.
- Puts a user at a computer at a given date and time.
5.) Use Filters, Firewalls and Virus Protection
- Filters weed out questionable or inappropriate content.
- Firewalls protect from outside intrusions.
- Use virus protection on every computer.
- Use intrusion detection software.
6.) Preview Internet Web Sites
- Preview Internet web sites that are to be used in lesson plans or assignments.
- Look for potential problems.
- Adjust lesson plans or assignments if necessary.
7.) Know where your computers are located.
- Keep a current database of IP addresses and know which computer each one belongs to.
- Have a current/updated map of the computers' physical locations.
- Use a consistent naming convention.
8.) Know your system administrator.
- Have your system administrator’s contact information on hand.
- The system administrator will most likely be one of law enforcement’s first points of contact.
9.) Stop and Secure the Computer
- Once a problem is identified, STOP use of the computer.
- Secure the computer in a locked room.
- If an e-mail is the source of the problem, preserve the entire message including the headers (save the original message itself; a forwarded or retyped copy does not carry the original headers).
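Why the headers matter, as an added example that is not DSP-HTCU procedure: every mail server the message passed through prepends a Received line, and reading them bottom-up gives the path back to the machine that sent it. The message below is a constructed sample in the form a mail client exports with "save as .eml" or "view source"; the hosts, IDs and addresses are made up and the IP addresses come from documentation ranges. The last function shows what a detective receives when the school forwards the e-mail instead of saving it.

```python
"""Reading the headers of a preserved e-mail to find where it came from.

Added example, not DSP-HTCU procedure. The message below is a constructed
sample in the form a mail client exports with 'save as .eml' / 'view source';
the hosts, IDs and addresses are made up (documentation IP ranges).
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List, Optional

SAMPLE_EML = b"""\
Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.7])
\tby mx.school.example (Postfix) with ESMTP id 3F2A1
\tfor <principal@school.example>; Mon, 3 Mar 2003 08:14:22 -0500
Received: from [192.0.2.45] (dhcp-45.lib.school.example [192.0.2.45])
\tby mail.example-isp.net with ESMTP id 9ABC;
\tMon, 3 Mar 2003 08:14:20 -0500
Message-ID: <20030303131420.9ABC@mail.example-isp.net>
Date: Mon, 3 Mar 2003 08:14:19 -0500
From: "anonymous" <nobody@freemail.example>
To: principal@school.example
Subject: tomorrow

there is a bomb in the gym
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw: bytes) -> List[Dict[str, Optional[str]]]:
    """Hops in the order the message actually travelled (oldest first).

    Each server prepends its own Received line, so the top header is the last
    hop and the bottom one is the earliest. Only the lines added by servers you
    trust (your own, your ISP's) are reliable; a sender can forge lines below them.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    hops: List[Dict[str, Optional[str]]] = []
    for value in reversed(msg.get_all("Received") or []):
        text = " ".join(str(value).split())  # join the folded continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        ip = IP_RE.search(text)
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None})
    return hops


def originating_ip(raw: bytes) -> Optional[str]:
    """IP of the earliest hop: the machine that handed the mail to the first server."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def body_text(raw: bytes) -> str:
    return message_from_bytes(raw, policy=policy.default).get_content()


def forwarded_copy(raw: bytes) -> bytes:
    """What the detective gets when the e-mail is forwarded instead of saved: a
    brand-new message whose headers describe the forward, not the threat."""
    original = message_from_bytes(raw, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = "principal@school.example"
    fwd["To"] = "sro@school.example"
    fwd["Subject"] = "Fwd: " + (original["Subject"] or "")
    fwd.set_content("---- Forwarded message ----\n"
                    f"From: {original['From']}\nSubject: {original['Subject']}\n\n"
                    + original.get_content())
    return fwd.as_bytes()


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_EML):
        print(f"{hop['from']} -> {hop['by']} (ip {hop['ip']})")
    print("originating IP, from the preserved message:", originating_ip(SAMPLE_EML))
    print("originating IP, from a forwarded copy:", originating_ip(forwarded_copy(SAMPLE_EML)))
```

In the sample the earliest hop is 192.0.2.45 on the school's own library network, which is exactly the address step 7 (the IP address database) turns into a room and a machine; the forwarded copy has no Received lines from the original at all, so the same question cannot be answered from it.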
10.) Contact Law Enforcement.
- If present, contact the SRO (School Resource Officer) first.
- If there is no SRO, contact your local law enforcement agency.
- DSP-HTCU will assist the local agency if requested.
Questions?
Det. Steve Whalen, CFCE
Delaware State Police
Office: 302-739-2761
Fax: 302-739-1398