Evidence Gathering (slide transcript, 41 pages)

Posted 21-Dec-2015, category: Documents

Page 1: Evidence Gathering

Page 2: Criminal Evidence Rules

• Authentication* – A true copy of the original
• Best evidence – Presenting original
• Exceptions to hearsay – Allowable exceptions

*Most common

Page 3: Elements of Authentication

• Documentation – Condition of evidence must be documented
• Preservation – Errors from destruction, mishandling, contamination
  – 3 possible sources of error from chain of custody: discovery (police), collected (crime scene technician), packaged/labeled/transported (police), logged at lab, stored, etc.
• Authenticity – Scientific evidence standards

Page 4: Authentication

• Evidence must demonstrate that data recovered provides a true and accurate reflection of the original data at the time of collection
  – Address technical issues concerning the process used to examine the hard drive
• Ability to identify information derived from the hard drive that links a suspect to the recovered file(s)
  – Address relevancy
  – Procedures to collect, image, examine and preserve

Page 5: Best Evidence Rule

Evidence constructed is an accurate representation of the original data on the system.

Page 6: The Legal Basis for Using Tools

• State of Washington v. Leavell
  – Using tools must meet Frye analysis
  – Tools must pass test as used and accepted within industry as valid
• Cross-validation is critical
  – What is validation?
  – Who validates tools?
  – How is validation done?

Page 7: Authentication

• Federal Rules of Evidence (901 & 1002/1003)
  – Must demonstrate that the recovered files are authentic to be considered relevant
  – Must submit original or a duplicate
  – Copies are used for data recovery and analysis

Page 8: Scientific Tests

• FRE 401-403 allow anything that materially assists the trier of fact to be deemed relevant by the trier of law
• Frye standard (US v Frye 1923): for the results of a scientific technique to be admissible, the technique must be sufficiently established to have gained general acceptance in its particular field
• Coppolino (Coppolino v State 1968): may use a new test if an adequate foundation is laid
• Marx standard (People v Marx 1975): common sense understanding (the no jargon rule)
• Daubert standard (Daubert v Merrell Dow 1993): requires special pretrial hearings for scientific evidence and special procedures on discovery where the rules are laid out for validity, reliability, benchmarking, algorithms, and error rates

Page 9: Collection

• Chain of custody demonstrates evidence collected is authentic
• Must be documented
  – Creates a sequence of steps, inventory, preservation

Page 10: Imaging

• Combination of software tools and procedures to produce a copy
• Creates a bit stream or mirror that duplicates every sector
• NIST requirements for tools
  – Tool must not alter original
  – If no errors, should be a bitstream duplicate
  – If IO errors, then produce a qualified bitstream (except for errors); errors are replaced with identifiable values
  – Tool should log IO errors by type and location
• Results should be verified
  – James Holley discovered in 2000 that some SCSI drives do not image completely with some tools
• Differences will draw “best evidence” objections

Page 11: Imaging

• Using MD5 (message digest) hashes to verify a copy is a true and accurate representation of the original
  – Creates a fingerprint
• MD5 uses a 128 bit hash
• SHA-1 uses a 160 bit hash
• CRC used as a double checksum
  – Detects errors 32 bits or smaller
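The NIST imaging requirements and the hash verification on the two Imaging slides, as an added worked example that is not part of the deck: a constructed in-memory "drive" is imaged sector by sector, an unreadable sector becomes a fill value plus an error entry recorded by type and location (the qualified bitstream), and MD5/SHA-1/CRC-32 fingerprints decide whether the copy is a true duplicate. FakeDevice, image_device, fingerprints and verify_image are names chosen here, not from any tool the slides mention.

```python
"""Added example (not from the slides): sector-by-sector imaging with a
NIST-style 'qualified bitstream' on read errors, plus hash verification."""
import hashlib
import zlib

SECTOR = 512


class FakeDevice:
    """Constructed stand-in for a drive: a byte string plus a set of sector
    numbers that fail to read, so I/O-error handling can be exercised offline."""

    def __init__(self, data, bad_sectors=()):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad = set(bad_sectors)

    def sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise IOError(f"read error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image_device(dev, fill=b"\x00"):
    """Copy every sector in order (bitstream duplicate). A sector that cannot
    be read is replaced by an identifiable fill value and logged by type and
    location, which is the 'qualified bitstream' the NIST requirements call for.
    The source object is only ever read, never written."""
    image, errors = bytearray(), []
    for n in range(dev.sectors()):
        try:
            image += dev.read_sector(n)
        except IOError as exc:
            image += fill * SECTOR
            errors.append({"sector": n, "offset": n * SECTOR,
                           "type": type(exc).__name__, "detail": str(exc)})
    return bytes(image), errors


def fingerprints(blob):
    """MD5 (128-bit), SHA-1 (160-bit) and CRC-32 as the 'double checksum'."""
    return {"md5": hashlib.md5(blob).hexdigest(),
            "sha1": hashlib.sha1(blob).hexdigest(),
            "crc32": f"{zlib.crc32(blob) & 0xFFFFFFFF:08x}"}


def verify_image(source, image):
    """True only when every fingerprint of the source matches the image.
    A mismatch is exactly the difference that draws a best-evidence objection,
    so it must be explained by the imaging error log, not ignored."""
    return fingerprints(source) == fingerprints(image)


def demo():
    # Constructed 8-sector 'drive'; the second run has one unreadable sector.
    source = bytes(range(256)) * 16
    clean_img, clean_errs = image_device(FakeDevice(source))
    bad_img, bad_errs = image_device(FakeDevice(source, bad_sectors={3}))
    return {"clean_ok": verify_image(source, clean_img), "clean_errors": clean_errs,
            "bad_ok": verify_image(source, bad_img), "bad_errors": bad_errs}


if __name__ == "__main__":
    print(demo())
```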

Page 12: Identification

Gathering the Evidence

Page 13: Stages for a Search & Seizure

(A) Develop plan
(B) Approach and Secure Crime Scene
(C) Document Crime Scene Layout
(D) Search for Evidence
(E) Retrieve Evidence
(F) Process Evidence

Page 14: Why Use a Methodology?

A formal methodology allows an investigator to approach and investigate a computer crime rationally and expeditiously, without a loss of thoroughness. More importantly, it establishes a protocol by which electronic evidence (physical and logical) is gathered and handled, to reduce the potential for this evidence to be corrupted or tainted.

Timothy Wright

Page 15: Following a Plan

• Gather evidence
• Follow a methodology & document it
• Determine relevance of data
  – US v Carey and going beyond the scope
• Cautions:
  – Chain of custody
  – Expert witness
  – Improper use of tools
  – No consent

Page 16: Guidelines for LEOs

• No action taken should alter data subsequently relied upon by the court
• Only competent individuals should access the original
• An audit trail should be created, and an independent 3rd party should be able to achieve the same results
• Officer in charge is responsible for adhering to principles

Page 17: Evidence Dynamics

• Evidence dynamics is anything that changes, relocates, obscures, or obliterates evidence regardless of intent between the time gathered and used in court
  – Emergency workers (fire & water)
  – Forensic examiners
  – Offender-covering behaviors (deletions)
  – Victim actions (deletions)
  – Secondary transfer (bystander)
  – Witnesses (network admin deletions)
  – Nature/weather (magnetic fields)
  – Decomposition (decay)

Page 18: Preliminary Preparation

1. Accumulate the packaging & materials
2. Prepare the log for documentation of the search
3. Ensure IRT is aware of forms of evidence & proper handling materials
4. Evaluate the current legal ramifications of crime scene searches
5. Discuss search with involved personnel before arrival at the scene (victim theory of access)
6. Identify a person-in-charge prior to arrival at the scene
7. Assess the personnel assignments normally required to process a crime scene successfully

Page 19: Employee Suspects

• Check personnel file
• Receipt of proprietary information (AUP)
• Code entry/building logs (doors, gates, rooms)
• Telephone records (corroborate remote access)
• Placement at scene (eyewitness, camera)
• Obtain court order for home equipment or consent to search
• Cleaned out desk area (missing items)
• Calls from former employees requesting information

Page 20: Sample Banner

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

Page 21: Exceptions to ECPA

• Consent by suspect
  – Implicit if a banner at logon appears
• Must prove banner was seen
  – Signature (annually) on company policies
  – Screen shots verify presence of banner
  – Provision for banner in policies

Page 22: Reviewing The Surroundings

• Desktops
• Monitors
• Storage media
• Next to telephones (note message light)
• Wallets or purses
• PDAs
• Trash can
• Inside of books and manuals
• Taped underneath keyboards

Page 23: Approaching a Scene

• Permission to process PC

• A camera to document (digital camera)

• May consider video taping of access

• Labels for all connections

Page 24: Procedures

• Take photographs of:
  – The computer screen
  – The front, back and sides of the computer
  – The cables attached to the computer
  – Any peripherals attached to the computer
• Log whether the computer is on or off
• If on, note in the log what it appears to be doing
• Log whether or not the computer is on a network
• Decide whether to review as an active system
• Pull plug from computer, not wall

Page 25: Reviewing an Active System

• Computers change state by
  – User interaction
  – Process execution
  – Data transfers
  – Power cycles

Page 26: What is Lost When you Power Down

• Registers, cache contents

• Memory contents

• State of network connections

• State of running processes

• Contents of storage media

• Contents of removable and back up media

Page 27: Plan for Live Systems

Step                              Windows 2000/NT   UNIX
Establish a new shell             cmd.exe           Bash
Record system date and time       Date, time        W
Who is logged on                  Loggedon          W
Record open sockets               Netstat           Netstat
List processes that open sockets  Fport             Lsof
List currently running processes  Pslist            Ps
List systems recently connected   Nbtstat           Netstat
Record system time                Date, time        W
Record steps taken                doskey            Script, vi, history
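An added example, not from the deck, that runs the UNIX column of the table above in the listed order and records each step with its start and end time, exit status and a SHA-256 of the captured output; that machine-written record stands in for the table's final "Script, vi, history" step. The command flags (netstat -an, lsof -i, ps -ef) are assumptions, and a tool that is absent from the system is logged as such instead of stopping the collection.

```python
"""Added example (not from the slides): run the UNIX column of the
'Plan for Live Systems' table in order and keep a record of every step."""
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone

# The UNIX column of the slide's table, in the slide's order. The flags are
# assumptions. The last table row (script/vi/history) is covered by the log
# this script writes itself, so every command and its output hash is kept.
LIVE_STEPS = [
    ("Record system date and time", ["date"]),
    ("Who is logged on", ["w"]),
    ("Record open sockets", ["netstat", "-an"]),
    ("List processes that open sockets", ["lsof", "-i"]),
    ("List currently running processes", ["ps", "-ef"]),
    ("List systems recently connected", ["netstat"]),
    ("Record system time", ["date"]),
]


def _now():
    # Fixed-width UTC timestamps so records sort and compare as strings.
    return datetime.now(timezone.utc).isoformat(timespec="microseconds")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def run_step(label, argv, timeout=30):
    """Run one command and return a record: what was run, when it started and
    ended, how it ended, the raw output and a SHA-256 of that output."""
    rec = {"step": label, "argv": argv, "started": _now()}
    if shutil.which(argv[0]) is None:
        rec.update(status="tool not found", output=b"")
    else:
        try:
            p = subprocess.run(argv, capture_output=True, timeout=timeout)
            rec.update(status=f"exit {p.returncode}", output=p.stdout + p.stderr)
        except subprocess.TimeoutExpired:
            rec.update(status="timeout", output=b"")
    rec["ended"] = _now()
    rec["sha256"] = sha256_hex(rec["output"])
    return rec


def collect_live_state(steps=LIVE_STEPS):
    """Run every step in order. Returns (records, outputs): records is the
    JSON-serialisable step log, outputs maps step label -> raw output bytes,
    to be written to the responder's own media, never the suspect disk."""
    records, outputs = [], {}
    for label, argv in steps:
        rec = run_step(label, argv)
        outputs[label] = rec.pop("output")
        records.append(rec)
    return records, outputs


if __name__ == "__main__":
    records, _ = collect_live_state()
    print(json.dumps(records, indent=2))
```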

Page 28: Acquisition Errors = Bad Forensics

• Failure to:
  – Maintain proper documentation
  – Notify or provide information to decision makers
  – Control access to digital evidence
  – Report the incident to management & law enforcement
  – Estimate the scope of the incident
  – Create an incident response plan
  – Check peer-to-peer access for additional computers

Page 29: Response Toolkits

• A forensic box: large hard drives, SCSI card, 10/100 NIC, tape drive
• Drivers for hardware
• Ribbon cables
• Disk write blocking utilities
• Imaging software

Page 30: Media for Back-up Images

• Floppies (bring a truck)

• DAT (cheap)

• Zip (removable HDs)

• CD ROM (as second level backup)

• Network (secure)

• Hard drive (appropriate size)

Page 31: Prepackaged Hardware Units

• ICS –www.ics-iq.com

• Forensic Computers www.forensic-computers.com

Page 32: Using Packaged Tool Set

• Encase uses a Windows interface
• Copies, locates and extracts files at the same time
• Case log included
• Advanced string searching capability
• Bookmarking capability
• Previews hard drives

Page 33: Graphic Tools

Page 34: Gathering Evidence

• Freeze keyboard & devices (i.e., tool such as Seized)
• Maintain an evidence log & secure it
• Allocate a secure area for evidence holding/examination
  – You cannot seize an attorney’s computer (See guidelines at www.ojp.usdoj.gov/nij)
• Impartiality of investigators (not friend of suspect)
• Use 2 people: one documents, the other gathers
• Make sure examiner can testify

Page 35: Chain of Custody

• List of people that touched or had control of evidence
• Evidence tag
  – Consent & signature
  – Receipt & transfer
  – Description
• A list of office staff near evidence
• State of the system when found
• Serial numbers
• Peripherals attached
• Prevent future access after seized
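The chain-of-custody records from the Collection and Chain of Custody slides, as an added example that is not the deck's own: each receipt or transfer entry is hashed together with the previous entry's hash, starting from the evidence tag, so an entry that is later edited or removed is detected on verification. CustodyLog is a name chosen here, and the item, serial number, people and times in demo() are constructed.

```python
"""Added example (not from the slides): a tamper-evident chain-of-custody log.
Each entry names who took control of the item and when, and is hashed together
with the previous entry's hash, so later edits or deletions are detectable."""
import hashlib
import json
from datetime import datetime, timezone


def _digest(obj):
    """Canonical JSON -> SHA-256 hex, so the same record always hashes the same."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, tag):
        # Evidence tag as on the slide: description, serial numbers, attached
        # peripherals and state when found. The first entry is chained to it.
        self.tag = dict(tag)
        self.entries = []

    def _last_hash(self):
        return self.entries[-1]["hash"] if self.entries else _digest(self.tag)

    def add(self, action, custodian, received_from=None, note="", when=None):
        """Append one receipt/transfer/exam/storage step; returns the entry."""
        entry = {"seq": len(self.entries),
                 "when": when or datetime.now(timezone.utc).isoformat(),
                 "action": action, "custodian": custodian,
                 "from": received_from, "note": note}
        entry["hash"] = _digest({"prev": self._last_hash(), **entry})
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain from the tag forward.
        Returns (True, None) or (False, seq of the first entry that fails)."""
        prev = _digest(self.tag)
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or _digest({"prev": prev, **body}) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def custodians(self):
        """The slide's 'list of people that touched or had control of evidence'."""
        return [e["custodian"] for e in self.entries]


def demo():
    # Constructed walk-through of the slide's sequence: collected at the scene,
    # transported by police, logged at the lab, then stored.
    log = CustodyLog({"item": "laptop", "serial": "SN-EXAMPLE-001",
                      "peripherals": ["power supply"], "state": "powered off"})
    log.add("collected", "J. Doe (crime scene technician)", when="2002-04-12T09:00:00+00:00")
    log.add("transferred", "Officer R. Roe", received_from="J. Doe", when="2002-04-12T10:30:00+00:00")
    log.add("logged at lab", "Lab intake", received_from="Officer R. Roe", when="2002-04-12T14:00:00+00:00")
    log.add("stored", "Evidence locker 7", received_from="Lab intake", when="2002-04-12T14:15:00+00:00")
    return log
```

The chain alone does not notice when only the newest entry is dropped; writing the latest hash on the physical evidence tag or signing the log closes that gap.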

Page 36: Cautions

• Never allow employee to touch the computer after decision is made to investigate
  – Remove/restrict suspect under subterfuge
• Remove computer or HD to secure area
• Beware of magnetic devices to erase
• Be aware of burn boxes to destroy diskettes
• Confiscate all storage media (check keychain for Trek)

Page 37: Oops… There Goes Your Case!

• Altering time and date stamps
• Terminating rogue processes
• Patching the system before investigation
• Not recording commands executing on the system
• Using tools that require a GUI
• Writing over evidence by installing software drivers
• Writing over evidence by running programs that store on suspect hard drive

Page 38: Log for Investigations

Exam Log1 (Access database)

Page 39: Creating a Log

Page 40: The Fired CFO

• Circumstances
  – The laptop was given to HR in its present condition by the controller when he left
  – The employee was hired on 9/1/2001 and left on 2/1/2002
  – Position was controller
  – Had remote access to company database
  – On 4/11/2002 an employee at the company found all the orders in the database deleted
• Are there any problems?

Page 41: Questions

• Should you investigate?
• Can you investigate?
• What policies should be in place?
• What do you need prior to investigation?
• Do you need a plan in order to do a search?
• What steps would you follow?
• What would you seize for examination?
• What should you worry about?
• What evidence could you find that would force you to call the police?