Transcript of File000117
Module IV - Digital Evidence
EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Investigators Now Crack Crime Computers on The Spot
Source: http://news.cnet.com/
Module Objective
This module will familiarize you with:
• The Definition of Digital Evidence
• Characteristics of Digital Evidence
• Types of Digital Data
• Best Evidence Rule
• Federal Rules of Evidence
• International Principles for Computer Evidence
• The Scientific Working Group on Digital Evidence (SWGDE)
• Electronic Devices: Types and Collecting Potential Evidence
• Digital Evidence Examination Process
• Evidence Assessment
• Evidence Acquisition
• Evidence Preservation
• Evidence Examination and Analysis
• Evidence Documentation and Reporting
• Electronic Crime and Digital Evidence Consideration by Crime Category
Module Flow
Definition of Digital Evidence
Characteristics of Digital Evidence
Types of Digital Data
Best Evidence Rule
Federal Rules of Evidence
International Principles for Computer Evidence
Scientific Working Group on Digital Evidence (SWGDE)
Electronic Devices: Types and Collecting Potential Evidence
Digital Evidence Examination Process
Evidence Assessment
Evidence Acquisition
Evidence Preservation
Evidence Examination and Analysis
Evidence Documentation and Reporting
Electronic Crime and Digital Evidence Consideration by Crime Category
Digital Data
Definition of Digital Evidence
Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form”
Digital information can be gathered while examining digital storage media, monitoring network traffic, or making duplicate copies of digital data found during a forensic investigation
Digital evidence is found in files such as:
• Graphics files
• Audio and video recordings and files
• Internet browser histories
• Server logs
• Word processing and spreadsheet files
• Emails
• Log files
Increasing Awareness of Digital Evidence
Businesses are facing the need to gather evidence on their networks in response to computer crime
Many organizations are considering legal remedies when attackers target their networks, and focus on gathering digital evidence in a way that will hold up in court
Government organizations are also interested in using digital evidence to identify terrorist activities and prevent future attacks
As a result, there is an increased expectation that computer forensic investigators have complete knowledge of handling digital evidence
Challenging Aspects of Digital Evidence
Forensic investigators face many challenges while preserving digital evidence, as it is a chaotic form of evidence that must be handled with care
During the investigation, it can be altered maliciously or unintentionally without leaving any trace
Digital evidence is circumstantial, which makes it difficult for a forensic investigator to attribute the system’s activity
It is an abstraction of some events: when the investigator performs some task on the computer, the resulting activity creates data remnants that give an incomplete view of the actual evidence
The Role of Digital Evidence
The role of digital evidence is to establish a credible link between the attacker, the victim, and the crime scene
According to Locard's Exchange Principle, “anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave”
For example, if at the time of the crime any information from a victim’s computer is stored on a server or on the system itself, the investigator can trace that information by examining log files, Internet browsing history, etc.
Characteristics of Digital Evidence
Digital evidence must have certain characteristics to be accepted in a court of law
Characteristics of digital evidence:
• Admissible: Evidence must be related to the fact being proved
• Authentic: Evidence must be real and related to the incident in a proper way
• Complete: Evidence must prove the attacker’s actions or his innocence
• Reliable: Evidence must not cast any doubt on its own authenticity and veracity
• Believable: Evidence must be clear and understandable by the judges
Fragility of Digital Evidence
Digital evidence is fragile in nature
During the investigation of the crime scene, if the computer is turned off, any data that has not been saved can be lost permanently
If the computer is connected to the Internet, the person involved in the crime may destroy the evidence by deleting the log files
After the incident, if a user ‘writes’ any data to the system, it may overwrite the crime evidence
Anti-Digital Forensics (ADF)
ADF is an approach to manipulate, erase, or obfuscate digital data
It makes forensic examination difficult, time consuming, or impossible
General categories of ADF are:
Overwriting data and metadata (wiping)
• It destroys any potentially incriminating data by multiple overwrites
• “0” or random numbers are used to overwrite the actual data
Exploitation of bugs in forensic tools
• Forensic imaging and analysis tools are tricked into misreading files
• For example, a text file may be read as an executable file
Anti-Digital Forensics (cont’d)
Hiding data (steganography, cryptography, and low-tech methods)
• Confidential data is hidden inside images
• Messages are encrypted using strong cryptographic algorithms which cannot be decrypted by analysts
• Through low-tech methods, data or information is hidden from an examiner
Obfuscation of data
• Obfuscation of data is intended to confuse forensic analysts
• It is achieved by using anonymous remailers to strip the email header information
• A bootable USB or CD/DVD is also used to compromise the system or network
Types of Digital Data
Volatile data
• Volatile data can be modified
• It contains system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, and command history
Non-volatile data
• Non-volatile data is used for secondary storage and persists long-term
• It contains hidden files, slack space, swap files, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs
Types of Digital Data (cont’d)
Transient data:
• Transient data contains information such as open network connections, user logouts, programs that reside in memory, and cache data
• If the machine is turned off, all this information is lost permanently
Fragile data:
• Fragile data is information that is temporarily saved on the hard disk and can be changed
• It contains information such as last access time stamps, access dates on files, etc.
Temporarily accessible data:
• Temporarily accessible data is stored on the hard disk and is accessible only for a certain time
• It contains data such as encrypted file system information
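The Fragile data entry above singles out last-access time stamps and access dates as information that changes easily. The Python script below is an added example written for this transcript, not EC-Council code: it snapshots a file's metadata with `os.stat` before anything touches the file, performs the kind of post-incident write the Fragility slide warns about, and reports which recorded fields changed. The file name `evidence.txt`, the pinned `REFERENCE_TIME` and the helper names are assumptions of the example; the file itself is constructed in a temporary directory.

```python
"""Snapshot a file's metadata before examination and show what a later write changes."""
import os
import stat
import tempfile

# Constructed fixed timestamp (2020-09-13 12:26:40 UTC) used to pin the sample file's times.
REFERENCE_TIME = 1_600_000_000


def snapshot(path):
    """Record the metadata an examiner documents for a file before touching it."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "atime": st.st_atime,  # last access
        "mtime": st.st_mtime,  # last content modification
        "ctime": st.st_ctime,  # inode/metadata change on POSIX; creation time on Windows
    }


def diff_snapshots(before, after):
    """Return the names of the fields whose values differ between two snapshots."""
    return sorted(key for key in before if before[key] != after[key])


def fragile_metadata_demo():
    """Create a constructed file with pinned timestamps, snapshot it, then append to it.
    Returns (before, after, changed_fields)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.txt")      # assumed name
        with open(path, "wb") as f:
            f.write(b"original content")
        os.utime(path, (REFERENCE_TIME, REFERENCE_TIME))  # pin atime and mtime
        before = snapshot(path)
        with open(path, "ab") as f:                      # the post-incident write the slide warns about
            f.write(b" plus a later note")
        after = snapshot(path)
        return before, after, diff_snapshots(before, after)


if __name__ == "__main__":
    before, after, changed = fragile_metadata_demo()
    for key in before:
        print(f"{key:6s} {before[key]!s:>22} -> {after[key]!s:>22}")
    print("changed:", changed)
```

The append changes the size and the modification time (and, on POSIX, the inode change time) while the pinned access time survives because nothing read the file; reading it would move `atime` as well, which is why the snapshot is taken first and the examination is done on a duplicate.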
Types of Digital Data (cont’d)
Active data:
• Active data is the data presently used by the parties for their daily operations
• This data is direct and straightforward to recognize and access using the current system
Archival data:
• Archival data is kept for long-term storage and record retention
Backup data:
• Backup data refers to a copy of the system data
• This data can be used at any time during the recovery process after a disaster or system crash
Types of Digital Data (cont’d)
Residual data:
• The data that remains on a computer after a document is deleted is called residual data
• When a file is deleted, the computer marks the file's space as free instead of erasing the file's contents
• The file can be retrieved until the space is reused
Metadata:
• Metadata maintains a record about a particular document
• The record consists of the file's format and how, when, and by whom the file was created, saved, and modified
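The Residual data entry above explains why a deleted file survives until its space is reused. The toy block device below is an added example written for this transcript; it is not EC-Council code and not how any real file system lays out data. It keeps an allocation map separate from the block contents, so a delete only clears the map, a carve over unallocated blocks recovers the contents, and a later write that reuses some of the blocks leaves only part of the file recoverable. The block size, file names and contents are constructed.

```python
"""A toy block device showing why deleted data remains recoverable until its blocks are reused."""

BLOCK_SIZE = 8  # constructed; real file systems use 512-byte sectors or 4 KiB clusters


class ToyDisk:
    """Fixed-size blocks plus an allocation map; deletion clears the map, never the blocks."""

    def __init__(self, block_count):
        self.blocks = [bytes(BLOCK_SIZE)] * block_count
        self.allocated = [False] * block_count
        self.directory = {}  # filename -> list of block numbers

    def _free_blocks(self, needed):
        free = [i for i, used in enumerate(self.allocated) if not used]
        if len(free) < needed:
            raise OSError("disk full")
        return free[:needed]  # lowest free blocks first, so freed space is reused early

    def write_file(self, name, data):
        needed = max(1, -(-len(data) // BLOCK_SIZE))  # ceiling division
        chosen = self._free_blocks(needed)
        for n, i in enumerate(chosen):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            self.blocks[i] = chunk.ljust(BLOCK_SIZE, b"\x00")
            self.allocated[i] = True
        self.directory[name] = chosen

    def delete_file(self, name):
        """What an ordinary delete does: drop the directory entry and mark the blocks free."""
        for i in self.directory.pop(name):
            self.allocated[i] = False

    def read_file(self, name):
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\x00")

    def carve_unallocated(self):
        """What an examiner does: read every block the allocation map says is free."""
        free = [self.blocks[i] for i in range(len(self.blocks)) if not self.allocated[i]]
        return b"".join(free).rstrip(b"\x00")


def residual_data_demo():
    """Write, delete, carve, then partially overwrite and carve again.
    Returns (recovered_after_delete, recovered_after_partial_reuse)."""
    disk = ToyDisk(block_count=4)
    disk.write_file("secret.txt", b"meet at dock 9pm")  # occupies blocks 0 and 1
    disk.delete_file("secret.txt")
    after_delete = disk.carve_unallocated()
    disk.write_file("todo.txt", b"buy milk")            # reuses block 0 only
    after_reuse = disk.carve_unallocated()
    return after_delete, after_reuse


if __name__ == "__main__":
    recovered, partial = residual_data_demo()
    print("carved after delete:        ", recovered)
    print("carved after partial reuse: ", partial)
```

The second carve shows the usual real-world outcome: the first block of the deleted file is gone, the rest is still readable from unallocated space, which is why acquisition stops further writes to the media as early as possible.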
Rules of Evidence
Definition:
• Rules of evidence govern whether, when, how, and for what purpose proof of a case may be placed before a trier of fact for consideration
• The trier of fact may be a judge or a jury, depending on the purpose of the trial and the choices of the parties
Evidence that is to be presented in court must comply with the established rules of evidence
Prior to the investigation process, it is important that the investigator understands the rules of evidence
Best Evidence Rule
The best evidence rule is established to prevent any alteration of digital evidence, either intentional or unintentional
It states that the court only allows the original of any document, photograph, or recording at trial rather than a copy, but a duplicate will be allowed as evidence under the following conditions:
• Original evidence destroyed by fire or flood
• Original evidence destroyed in the normal course of business
• Original evidence in the possession of a third party
Federal Rules of Evidence
These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined
Rulings on Evidence:
• (a) Effect of erroneous ruling
• Error may not be predicated upon a ruling which admits or excludes evidence unless a substantial right of the party is affected, and
• (1) Objection. In case the ruling is one admitting evidence, a timely objection or motion to strike appears of record, stating the specific ground of objection, if the specific ground was not apparent from the context; or
• (2) Offer of proof. In case the ruling is one excluding evidence, the substance of the evidence was made known to the court by offer or was apparent from the context within which questions were asked
Federal Rules of Evidence (cont’d)
Rulings on Evidence:
• (b) Record of offer and ruling
• The court may add any other or further statement which shows the character of the evidence, the form in which it was offered, the objection made, and the ruling thereon. It may direct the making of an offer in question and answer form
• (c) Hearing of jury
• Proceedings shall be conducted, to the extent practicable, so as to prevent inadmissible evidence from being suggested to the jury by any means, such as making statements or offers of proof or asking questions in the hearing of the jury
• (d) Plain error
• Nothing in this rule precludes taking notice of plain errors affecting substantial rights although they were not brought to the attention of the court
Federal Rules of Evidence (cont’d)
Preliminary Questions:
• Questions of admissibility generally
• Preliminary questions concerning the qualification of a person to be a witness, the existence of a privilege, or the admissibility of evidence shall be determined by the court, subject to the provisions of subdivision (b)
• In making its determination, it is not bound by the rules of evidence except those with respect to privileges
• Relevancy conditioned on fact
• When the relevancy of evidence depends upon the fulfillment of a condition of fact, the court shall admit it upon, or subject to, the introduction of evidence sufficient to support a finding of the fulfillment of the condition
• Testimony by accused
• The accused does not, by testifying upon a preliminary matter, become subject to cross-examination as to other issues in the case
Federal Rules of Evidence (cont’d)
Preliminary Questions:
• Hearing of jury
• Hearings on the admissibility of confessions shall in all cases be conducted out of the hearing of the jury
• Hearings on other preliminary matters shall be conducted when the interests of justice require, or when an accused is a witness and so requests
• Weight and credibility
• This rule does not limit the right of a party to introduce before the jury evidence relevant to weight or credibility
Limited Admissibility:
• When evidence which is admissible as to one party or for one purpose but not admissible as to another party or for another purpose is admitted, the court, upon request, shall restrict the evidence to its proper scope and instruct the jury accordingly
Federal Rules of Evidence (cont’d)
Hearsay Rule:
• Hearsay is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted
• It is not admissible except as provided by these rules or by other rules prescribed by the Supreme Court pursuant to statutory authority or by Act of Congress
Statements which are not hearsay:
• Prior statement by witness
• Admission by party-opponent
Federal Rules of Evidence (cont’d)
Rule 803. Hearsay Exceptions - Availability of Declarant Immaterial
Even if the declarant is available as a witness, the following are not excluded by the hearsay rule:
• Present sense impression
• Excited utterance
• Statements for purposes of medical diagnosis or treatment
• Recorded recollection
• Records of regularly conducted activity
• Absence of entry in records kept in accordance with the provisions
• Public records and reports
• Records of vital statistics
Federal Rules of Evidence (cont’d)
Rule 804. Hearsay Exceptions; Declarant Unavailable
If the declarant is unavailable as a witness, the following are not excluded by the hearsay rule:
• Former testimony
• Statement under belief of impending death
• Statement against interest
• Statement of personal or family history
Federal Rules of Evidence (cont’d)
Rule 1001: Definitions
Content of writings, recordings, and photographs
• Writings and recordings: Writings and recordings consist of letters, words, or numbers, or their equivalent, set down by handwriting, typewriting, printing, photostating, photographing, magnetic impulse, mechanical or electronic recording, or other form of data compilation
• Photographs: Photographs include still photographs, X-ray films, video tapes, and motion pictures
• Original: An original of a writing or recording is the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it
• Duplicate: A duplicate is a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording, or by chemical reproduction, or by other equivalent techniques which accurately reproduce the original
Federal Rules of Evidence (cont’d)
Rule 1002: Requirement of Original
• To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress
Rule 1003: Admissibility of Duplicates
• A duplicate is admissible to the same extent as an original unless
• (1) a genuine question is raised as to the authenticity of the original, or
• (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original
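Rule 1003 admits a duplicate unless a genuine question is raised about its authenticity, and the Fragility slide earlier in this module warns that any write after the incident may overwrite evidence. The practitioner's answer to both is to hash the media at acquisition and re-hash the duplicate before it is relied on. The Python below is an added example written for this transcript (not EC-Council code): it digests a constructed 4 KiB "image" in chunks the way an imaging tool processes media too large for memory, records MD5 and SHA-256 at acquisition, verifies a pristine duplicate, and shows that a single flipped bit is caught. `ORIGINAL_MEDIA` and all function names are assumptions of the example.

```python
"""Verify that a forensic duplicate reproduces the original bit for bit."""
import hashlib
import io

# Constructed sample media: 4 KiB of deterministic pseudo-random bytes standing in
# for a disk image. Constructed for this example; not evidence from any case.
ORIGINAL_MEDIA = bytes((i * 7919 + 13) % 256 for i in range(4096))


def hash_stream(stream, algorithms=("md5", "sha256"), chunk_size=512):
    """Digest a stream in fixed-size chunks, as an imaging tool does for media
    too large to hold in memory. Returns {algorithm_name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256"), chunk_size=512):
    """Convenience wrapper for in-memory data; chunk size never affects the result."""
    return hash_stream(io.BytesIO(data), algorithms, chunk_size)


def acquire_image(source):
    """Read-only acquisition: return a bit-for-bit duplicate plus the digests taken
    from the source at acquisition time (the values written into the case record)."""
    return bytes(source), hash_bytes(source)


def verify_duplicate(duplicate, expected):
    """Re-hash the duplicate and compare each algorithm with the acquisition digests.
    Returns (ok, list_of_mismatched_algorithms)."""
    actual = hash_bytes(duplicate, algorithms=tuple(expected))
    mismatched = sorted(name for name in expected if actual[name] != expected[name])
    return (not mismatched, mismatched)


def alter_one_byte(data, offset):
    """Simulate the post-incident write the Fragility slide warns about: flip one bit."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    image, digests = acquire_image(ORIGINAL_MEDIA)
    print("acquisition digests:", digests)
    print("pristine duplicate:", verify_duplicate(image, digests))
    print("one bit changed:   ", verify_duplicate(alter_one_byte(image, 100), digests))
```

Recording two independent digests is common practice so that a known weakness in one algorithm cannot by itself raise the "genuine question" the rule refers to; the acquisition digests belong in the case record next to the duplicate, not only on the examiner's workstation.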
Federal Rules of Evidence (cont’d)
Rule 1004: Admissibility of Other Evidence of Contents
• The original is not required, and other evidence of the contents of a writing, recording, or photograph is admissible if:
• (1) Originals are lost or destroyed. All originals are lost or have been destroyed, unless the proponent lost or destroyed them in bad faith
• (2) Original is not obtainable. No original can be obtained by any available judicial process or procedure
• (3) Original is in possession of the opponent. At a time when an original was under the control of the party against whom offered, that party was put on notice, by the pleadings or otherwise, that the contents would be a subject of proof at the hearing, and that party does not produce the original at the hearing
• (4) Collateral matters. The writing, recording, or photograph is not closely related to a controlling issue
International Organization on Computer Evidence (IOCE)
http://www.ioce.org/
The International Organization on Computer Evidence (IOCE) was established in 1995
The purpose of this organization is to provide a forum for global law enforcement agencies to exchange information regarding cyber crime investigation and other issues associated with computer forensics
IOCE develops a service for direct communication between member agencies and arranges many conferences to establish strong relationships
IOCE International Principles for Digital Evidence
When dealing with digital evidence, all of the general forensic and procedural principles must be applied
Upon seizing digital evidence, actions taken should not change that evidence
When it is necessary for a person to access the original digital evidence, that person should be trained for the purpose
All activities relating to the seizure, access, storage, or transfer of the digital evidence must be fully documented, preserved, and available for review
An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession
Any agency, which is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
Scientific Working Group on Digital Evidence (SWGDE)
http://www.swgde.org/
SWGDE Standards for the Exchange of Digital Evidence
Principle 1
• In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system. Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and broadly accepted procedures, equipment, and materials
Standards and Criteria 1.1
• All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency's policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency's management authority
SWGDE Standards for the Exchange of Digital Evidence (cont’d)
Standards and Criteria 1.2
• Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness
Standards and Criteria 1.3
• Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner
Standards and Criteria 1.4
• The agency must maintain written copies of appropriate technical procedures
SWGDE Standards for the Exchange of Digital Evidence (cont’d)
Standards and Criteria 1.5
• The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure
Standards and Criteria 1.6
• All activities relating to the seizure, storage, examination, or transfer of the digital evidence must be recorded in writing and be available for review and testimony
Standards and Criteria 1.7
• Any action that has the potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner
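Both the IOCE principles above (all seizure, access, storage and transfer activity fully documented and available for review) and SWGDE Standards and Criteria 1.6 (every activity recorded in writing and available for testimony) come down to a chain-of-custody record that can itself be shown not to have been edited after the fact. The Python below is an added example for this transcript, not EC-Council code and not any agency's actual form: each custody event carries the SHA-256 of the previous event, so changing or deleting an earlier entry breaks every later link on verification. The actors, dates, serial number and item hash are constructed placeholders.

```python
"""A tamper-evident chain-of-custody record for a seized item."""
import hashlib
import json


def _digest(entry):
    """Hash an entry's fields in a canonical order so the same record always hashes the same."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class CustodyLog:
    """Append-only list of custody events; each links to the hash of the one before it."""

    GENESIS = "0" * 64  # link value for the first entry

    def __init__(self):
        self.entries = []

    def record(self, when, actor, action, item_hash):
        """Append one event. `when` is supplied by the caller so the example is reproducible;
        a real log takes the clock reading at the moment of the action."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "when": when, "actor": actor,
                "action": action, "item_hash": item_hash, "prev": prev}
        body["entry_hash"] = _digest(body)
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self):
        """Recompute every link. Returns (True, None) or (False, seq of the first bad entry)."""
        prev = self.GENESIS
        for position, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["seq"] != position or body["prev"] != prev or _digest(body) != entry["entry_hash"]:
                return False, entry["seq"]
            prev = entry["entry_hash"]
        return True, None


# Constructed acquisition digest of an imaginary image; in practice this is the value
# produced when the media was imaged.
IMAGE_HASH = hashlib.sha256(b"constructed disk image").hexdigest()


def build_sample_log():
    """Three constructed custody events for one item (placeholder names and dates)."""
    log = CustodyLog()
    log.record("2009-03-02T10:15:00Z", "Officer A", "seized laptop, serial PLACEHOLDER-001", IMAGE_HASH)
    log.record("2009-03-02T14:40:00Z", "Officer A -> Examiner B", "transferred to lab, sealed bag #7", IMAGE_HASH)
    log.record("2009-03-03T09:05:00Z", "Examiner B", "imaged drive behind write blocker; hash verified", IMAGE_HASH)
    return log


def edited_copy(log, seq, **changes):
    """Copy of the log in which entry `seq` was altered after the fact."""
    copy = CustodyLog()
    copy.entries = [dict(e) for e in log.entries]
    copy.entries[seq].update(changes)
    return copy


def copy_without(log, seq):
    """Copy of the log from which entry `seq` was removed after the fact."""
    copy = CustodyLog()
    copy.entries = [dict(e) for i, e in enumerate(log.entries) if i != seq]
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", log.verify())
    print("actor edited in entry 1:", edited_copy(log, 1, actor="Officer C").verify())
    print("entry 1 removed:", copy_without(log, 1).verify())
```

The hash chain only proves that the written record is the record that was appended; it does not by itself identify who appended it. An agency that needs that assurance signs each entry or keeps the log on a write-once store, which is outside this example.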
Electronic Devices: Types and Collecting Potential Evidence
Computer Systems:
Evidence is found in files that are stored on servers, memory cards, hard drives, removable storage devices and media such as floppy disks, CDs, DVDs, cartridges, and tape
User-Created Files
• They are address books, database files, audio or video files, documents or text files, image or graphics files, Internet bookmarks or favorites, and spreadsheet files, where you can obtain information of investigative value
User-Protected Files
• They are compressed files, misnamed files, encrypted files, password-protected files, hidden files, and steganography
Computer-Created Files
• They are backup files, log files, configuration files, printer spool files, cookies, swap files, hidden files, system files, history files, and temporary files
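The User-Protected Files list above includes misnamed files, and the Anti-Digital Forensics slide earlier gives the same trick from the other side: a file presented so that a tool reads a text file as an executable, or the reverse. The examiner's check is to identify a file by its leading bytes and compare with what the name claims. The Python below is an added example for this transcript, not EC-Council code: it carries a small constructed signature table, classifies each sample by content, and flags names whose extension disagrees. The signature subset, the extension map and the sample files are all constructed; a real examination uses a full signature database.

```python
"""Identify a file's type from its leading bytes and flag names that disagree."""
import os

# Constructed subset of well-known file signatures (magic bytes); real tools carry thousands.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also the container for docx/xlsx/pptx/jar/apk
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),           # DOS/Windows executables and DLLs
    (b"GIF89a", "gif"),
    (b"GIF87a", "gif"),
]

# Extensions that legitimately carry each detected type (constructed for the example).
EXPECTED_EXTENSIONS = {
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"},
    "elf": {"", ".so", ".bin"},
    "exe": {".exe", ".dll", ".sys", ".scr"},
    "gif": {".gif"},
}


def identify(data):
    """Return the type name whose signature matches the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def check_name(filename, data):
    """Compare detected type with the extension.
    Returns (detected_type, verdict) where verdict is 'match', 'mismatch' or 'unknown'."""
    detected = identify(data)
    if detected == "unknown":
        return detected, "unknown"
    ext = os.path.splitext(filename)[1].lower()
    verdict = "match" if ext in EXPECTED_EXTENSIONS[detected] else "mismatch"
    return detected, verdict


def triage(files):
    """Names whose content contradicts the extension: examine these by content, not by name."""
    return [name for name, data in files.items() if check_name(name, data)[1] == "mismatch"]


# Constructed sample files: a recognizable header followed by filler bytes.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "notes.txt": b"MZ\x90\x00" + b"\x00" * 32,           # executable given a text-file name
    "report.pdf": b"%PDF-1.7\n" + b"\x00" * 32,
    "budget.xlsx": b"PK\x03\x04" + b"\x00" * 32,
    "photo.png": b"\x7fELF\x02\x01\x01" + b"\x00" * 32,  # ELF binary given an image name
    "readme.txt": b"plain text has no signature",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:14s} -> {check_name(name, data)}")
    print("examine by content:", triage(SAMPLE_FILES))
```

Signature matching is a first pass only: a signature can be present without the rest of the file being valid, and formats such as plain text have no signature at all, so an "unknown" verdict means "look closer", not "harmless".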
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Hard drive
• A hard drive is an electronic storage device that stores data magnetically
• It stores data in different file formats such as text, picture, and video files
• To collect evidence, check text, picture, video, multimedia, database, and computer program files
Thumb drive
• A thumb drive is a removable data storage device with a USB connection
• It is small in size and lightweight
• To collect evidence, check text, graphics, image, and picture files
Memory card
• A memory card is a removable electronic storage device used in many devices such as digital cameras, PDAs, and computers
• Data present in the memory card is not lost when power is turned off
• To collect evidence, check event logs, chat logs, text files, image files, picture files, and Internet browsing history
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Access Control Devices:
Smart card
• It is a portable device that contains a microprocessor, which stores an encryption key or password and a digital certificate
Dongle
• It is a copy protection device provided with software that is plugged into a computer port
Biometric scanner
• It is connected to a computer system and identifies the physical characteristics of an individual
Evidence is found in the information used to recognize or authenticate the card and the user, the level of access, configurations, permissions, and in the device itself
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Answering Machine:
It is a part of a telephone or is connected between a telephone and the landline connection
Evidence is found in voice recordings such as:
• Deleted messages
• Last number called
• Memo
• Phone numbers
• Tapes
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Digital Camera:
It records images and video and transfers them to computer media with the help of conversion hardware
Evidence is found in:
• Images
• Removable cartridges
• Video
• Sound
• Time and date stamps
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Handheld Devices such as Personal Digital Assistants (PDAs) and Electronic Organizers
• A PDA is a handheld, portable device that includes computing, telephone/fax, paging, and networking functions
• Evidence is found in address books, appointment calendars or information, documents, e-mail, handwriting, passwords, phone books, text messages, and voice messages
Modem:
• It is used by computers to communicate over telephone lines
• Evidence is found on the device itself
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Network Components:
Local Area Network (LAN) Card/Network Interface Card (NIC)
• Evidence is found in the MAC (Media Access Control) address
Routers, Hubs, and Switches
• Routers, hubs, and switches connect different computers or networks
• For routers, evidence is found in the configuration files
• For hubs and switches, evidence is found on the devices themselves
Server
• A server is a central computer that provides services to other computers connected to the same network
• Evidence is found in the computer system
Network Cables and Connectors
• Network cables come in a variety of colors, thicknesses, shapes, and connectors depending on the components they connect
• Evidence is found on the devices
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Pager:
• It is a handheld, portable electronic device for sending and receiving electronic messages that may be in numeric or alphanumeric form
• It contains volatile evidence such as address information, text messages, e-mail, voice messages, and phone numbers
Printer:
• Printers include thermal, laser, inkjet, and impact printers, which are connected to the computer over a cable (serial, parallel, or universal serial bus) or accessed over an infrared port
• Some printers contain a memory buffer, which enables them to receive and store multiple documents
• Evidence is found in usage logs, time and date information, network identity information, ink cartridges, and time and date stamps
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Removable Storage Devices and Media:
Storage devices and media such as tapes, CDs, DVDs, and floppy disks are used to store digital information
These devices are portable and store different files such as text, graphics, multimedia, and video files
Evidence is found in the devices themselves
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Scanner:
It is an optical device connected to a computer, which passes a document over the scanning element and sends it to the computer as a file
Evidence is found by looking at the marks on the glass of the scanner
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Telephones:
• Evidence is found through:
• Names
• Phone numbers
• Caller identification information
• Appointment information
• Electronic mail and pages
Copiers:
• They make copies of printed or graphical documents
• Evidence is found in:
• Documents
• User usage logs
• Time and date stamps
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Credit Card Skimmers:
• They read the information that is present on the tracks of the magnetic stripe
• Evidence is found through:
• Card expiration date
• User’s address
• Credit card numbers
• User’s name
Digital Watches:
• Evidence is found through:
• Address book
• Notes
• Appointment calendars
• Phone numbers
• Email
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Facsimile (Fax) Machines
• Evidence is found through:
• Documents
• Phone numbers
• Film cartridge
• Send or receive logs
Global Positioning Systems (GPS)
• Evidence is found through:
• Previous destinations
• Way points
• Routes
• Travel logs
Evidence Assessment
Digital Evidence Examination Process
• Evidence Assessment
• Evidence Acquisition
• Evidence Preservation
• Evidence Examination and Analysis
• Evidence Documentation and Reporting
Evidence Assessment
The digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action
Conduct a thorough assessment by reviewing the search warrant or other legal authorization, case details, the nature of the hardware and software, the potential evidence sought, and the circumstances surrounding the acquisition of the evidence
Evidence Assessment (cont’d)
Prioritize the evidence where necessary, considering:
• Location where evidence is found, or
• Stability of the media to be examined
Determine how to document the evidence (e.g., photograph, sketch, notes)
Evaluate storage locations for electromagnetic interference
Determine the condition of the evidence as a result of packaging, transport, or storage
Assess the need to provide continuous electric power to battery-operated devices
Prepare for Evidence Acquisition
To prepare for the acquisition of evidence, all the actions and outcomes of the previous phases of the digital evidence examination process should be determined properly
Documentation that helps in preparing for evidence acquisition:
• An initial estimate of the impact of the situation on the organization's business
• A detailed network topology diagram that highlights the affected computer systems and provides details about how those systems might be affected
• Summaries of interviews with users and system administrators
• Outcomes of any legal and third-party interactions
• Reports and logs generated by tools used during the assessment phase
• A proposed course of action
Evidence Acquisition
Preparation for Searches
Before preparing a warrant to seize all or part of a computer system and the information it contains, it is critical to determine the computer's role in the offense
For example:
• A counterfeiter might use his computer, scanner, and color printer to scan U.S. currency and then print money
• A drug dealer may store records pertaining to customers, prices, and quantities delivered on a personal computer
• A blackmailer may type and store threatening letters in his computer
• Attackers often use their computers both to attack other’s computer systems and to store the stolen files
Seizing the Evidence
If a computer was used to store the evidence, the storage media should be seized along with the other devices
While running programs to collect analysis information, collect any books found at the scene, as they help in understanding the programs
The suspect should be prevented from touching the system
During the seizure process, the computer should not be powered down
Imaging
Remove the subject storage device and perform the acquisition using the examiner’s system
When attaching the subject device to the examiner’s system, configure the storage device so that it will be recognized
Ensure that the examiner’s storage device is forensically clean when acquiring the evidence
Bit-Stream Copies
A bit-stream copy is a bit-by-bit copy of the original storage medium, an exact copy of the original disk
A bit-stream image is the file that contains the bit-stream copy of all the data on a disk or partition
The computer should not be operated and computer evidence should not be processed until bit stream backups have been made of all hard disk drives and floppy disks
Write Protection
Write protection should be initiated, if available, to preserve and protect the original evidence
Create a known value for the subject evidence prior to acquiring it (e.g., by performing an independent cyclic redundancy check (CRC) or MD5 hash)
If hardware write protection is used:
• Install a write protection device
• Boot the system with the examiner’s controlled operating system
If software write protection is used:
• Boot the system with the examiner-controlled operating system
• Activate write protection
Evidence Acquisition
Digital evidence is fragile and can be altered, damaged, or destroyed by improper handling or examination
If handling fails, the evidence may be unusable or may lead to an inaccurate conclusion
Acquire the original digital evidence in a manner that protects and preserves the evidence
Evidence Acquisition from Crime Location (cont’d)
Disassemble the case of the computer to be examined to permit physical access to the storage devices
Ensure that the equipment is protected from static electricity and magnetic fields
Identify the storage devices that need to be acquired; these devices can be internal, external, or both
Evidence Acquisition from Crime Location (cont’d)
Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data
Document internal storage devices and hardware configuration:
• Drive condition (e.g. make, model, geometry, size, jumper settings, location, drive interface)
• Internal components (e.g. sound card, video card, network card, including media access control (MAC) address, personal computer memory card international association (PCMCIA) cards)
Acquiring Evidence from Storage Devices
Investigate the geometry of any storage devices to ensure that all space is accounted for, including host-protected data areas (e.g. non-host specific data such as the partition table matches the physical geometry of the drive)
Capture the electronic serial number of the drive and other user-accessible, host-specific data
Acquire the subject evidence to the examiner's storage device using the appropriate software and hardware tools such as:
• Stand-alone duplication software
• Forensic analysis software suite
• Dedicated hardware devices
Verify successful acquisition by comparing the known values of the original and the copy or by doing a sector-by-sector comparison of the original to the copy
Collecting Evidence
Data on digital evidence can be collected either locally or over a network
Acquiring the data locally has the advantage of greater control over the computer(s) and the data involved
Other factors, such as the secrecy of the investigation, the nature of the evidence that must be gathered, and the timeframe for the investigation will ultimately determine whether the evidence is collected locally or over the network
Create accurate documentation that will later allow you to identify and authenticate the evidence that is collected
Determine which investigation methods to use; typically a combination of offline and online investigations is used
In offline investigations, additional analysis is performed on a bit-wise copy of the original evidence
In an online investigation, analysis is performed on the original live evidence
Collecting Evidence (cont’d)
Identify and document the potential sources of data:
• Server information includes server role, logs (such as event logs), files, and applications
• Logs from internal and external facing network devices, such as firewalls, routers, proxy servers, network access servers (NAS), and intrusion detection systems (IDS) that may be used in the possible attack path
• Internal hardware components, such as network adapters (which include media access control (MAC) address information) and PCMCIA cards
• Storage devices that need to be acquired (internal and external), including hard disks, network storage devices, and removable media
Note: When capturing volatile data, carefully consider the order in which the data is collected
Collecting Evidence (cont’d)
Use the following methods to collect data from the storage media and record storage media configuration information:
• If any internal storage devices are to be removed, turn off the computer first
• Before turning off the computer, verify that all volatile data has been captured
• Determine whether to remove the storage device from the suspect computer and use your own system to acquire the data
• Create a bit-wise copy of the evidence in a backup destination, ensuring that the original data is write-protected
• Document the internal storage devices and ensure that information about their configurations is included
• Verify the data collected, create checksums, and digital signatures when possible to establish that the copied data is identical to the original
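A worked example of the bit-wise copy and verification steps listed above and on the Bit-Stream Copies and Write Protection slides (added here; not EC-Council's code): it records a known value before acquisition, images the subject media while hashing the stream, then verifies the copy both by known-value comparison and by a sector-by-sector comparison. An ordinary file stands in for the subject drive; on a real case the source would be the device node behind a write blocker.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # sector size used for the sector-by-sector comparison


def known_value(path, algo="sha256", chunk=1 << 20):
    """Hash the subject media before acquisition; this is the 'known value'
    the copy will later be checked against."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def bit_stream_copy(src, dst, algo="sha256", chunk=1 << 20):
    """Copy every byte of src to dst (a bit-stream copy) and return the hash
    of the bytes written, computed from the same stream that was copied."""
    h = hashlib.new(algo)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            h.update(block)
            fout.write(block)
    return h.hexdigest()


def first_differing_sector(original, image, sector=SECTOR):
    """Sector-by-sector comparison. Returns the index of the first sector that
    differs (a size mismatch also counts), or -1 when both are identical."""
    with open(original, "rb") as a, open(image, "rb") as b:
        idx = 0
        while True:
            sa, sb = a.read(sector), b.read(sector)
            if sa != sb:
                return idx
            if not sa:          # both streams ended together
                return -1
            idx += 1


def verify_acquisition(original, image, expected_hash):
    """Both checks the slides name: known-value comparison and sector comparison."""
    return {
        "hash_match": known_value(image) == expected_hash,
        "first_bad_sector": first_differing_sector(original, image),
    }


def demo():
    """Constructed scenario: an 8-sector 'drive', a faithful copy, and a copy
    with one byte flipped in sector 5 (simulating a failed acquisition)."""
    tmp = tempfile.mkdtemp()
    subject = os.path.join(tmp, "subject.raw")
    good = os.path.join(tmp, "copy_good.raw")
    bad = os.path.join(tmp, "copy_bad.raw")
    data = bytes(range(256)) * 16            # 4096 bytes = 8 sectors
    with open(subject, "wb") as f:
        f.write(data)
    expected = known_value(subject)          # value taken before acquisition
    acquired = bit_stream_copy(subject, good)
    corrupted = bytearray(data)
    corrupted[5 * SECTOR + 7] ^= 0xFF        # one bad byte in sector 5
    with open(bad, "wb") as f:
        f.write(bytes(corrupted))
    return {
        "stream_hash_matches_known_value": acquired == expected,
        "good": verify_acquisition(subject, good, expected),
        "bad": verify_acquisition(subject, bad, expected),
    }


if __name__ == "__main__":
    print(demo())
```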
Collecting Evidence (cont’d)
Evidence can be collected from a live computer by searching:
• Process register
• Virtual and physical memory
• Network state
• Running processes
• Disks, floppies, tapes
• CD-ROM, paper printouts
Volatile and important sources of evidence on live systems and the commands used to capture the evidence:
• Running processes (ps or the /proc file system)
• Active network connections (netstat)
• ARP cache (arp)
• List of open files (lsof)
• Virtual and physical memory (/dev/mem, /dev/kmem)
Collecting Evidence (cont’d)
Computer forensic tools for data collection include:
• Guidance Software’s EnCase (www.guidancesoftware.com)
• AccessData’s Forensic Toolkit (www.accessdata.com)
Collecting Evidence from RAM
Trace Evidence in RAM
• When an application is opened, RAM stores the files present in that application
• The memory is lost when the files are closed and is used by the operating system for other file storage
• Do not power down the computer, as this may destroy critical information
• Evidence can be present in RAM even after the file has been wiped from the hard disk; to demonstrate this:
• Wipe the file from the hard disk after opening it, using a wiping tool
• Use the dd utility to write the contents of RAM to the hard disk; dd is a general-purpose UNIX utility that copies files and is useful for creating forensic images
Collecting Evidence from RAM (cont’d)
Trace Evidence in Swap File
• When no RAM is available to allocate memory for an application, the operating system transfers content present in RAM to a temporary swap file in order to free RAM for the new application
• The contents of the swap file are overwritten frequently
• The examiner can trace the swap file by searching for the headers and footers associated with a particular file
Collecting Evidence from a Stand-alone Network Computer
Do not use the computer for evidence search
Photograph all the devices connected to the computer
Do not turn on the system if it is off
If the computer is ON, take a photograph of the screen
If the computer is ON and the screen is blank, move the mouse slowly and take a photograph of the screen
Unplug all the cords and devices connected to the computer and label them for later identification
If the computer is connected to the router and modem, unplug the power
Chain of Custody
Chain of custody is a road map that documents how the evidence was collected, analyzed, and preserved so that it can be presented in court
It ensures that the original evidence can be audited and that its handling logs are tracked accurately
In the chain of custody, every transfer of evidence from person to person should be documented
Chain of Evidence Form
Date: ________ Type of Incident: ________ Case #: ________
Model #: ________ Manufacturer #: ________ Serial #: ________
Consent Required: Y / N Signature of Consenting Person: ________ Tag #: ________
Description of Form: ________
Person Receiving Evidence: ________ Signature: ________
Chain of Custody Form (one row per transfer; the form provides four rows):
From: Location ________ To: Location ________ Date ________ Reason ________
From: Location ________ To: Location ________ Date ________ Reason ________
From: Location ________ To: Location ________ Date ________ Reason ________
From: Location ________ To: Location ________ Date ________ Reason ________
Final Disposition of Evidence: ________ Date: ________
Evidence Preservation
Preserving Digital Evidence: Checklist
Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals
Verify whether the monitor is on, off, or in sleep mode
Remove the power cable according to the power state of the computer (on, off, or sleep mode)
Do not turn “on” the computer if it is in the “off” state
Take a photo of the monitor screen if the computer is in the “on” state
Check the connections of the telephone modem, cable, ISDN, and DSL
Preserving Digital Evidence: Checklist (cont’d)
Remove the plug from the power router or modem
Remove any floppy disks that are available at the scene to safeguard the potential evidence
Keep tape on drive slots and power connector
Photograph the connections of the computer and the corresponding cables and label them individually
Label every connector and cable that is connected to the peripheral devices
Preserving Digital Evidence: Checklist (cont’d)
Personal digital assistants (PDAs), cell phones, and digital cameras store information in the internal memory
Do not turn “on” the device if it is in the “off” state
Leave the device “on” if it is in the “on” state; this applies only to PDAs and cell phones
Photograph the screen display of the device
Label and collect all the cables and transport them along with the device
Make sure that the device is charged
Collect any additional storage media, such as memory sticks and CompactFlash cards
Preserving Digital Evidence: Checklist (cont’d)
Transfer fragile data to a non-volatile medium/device without disrupting any other component of the computer
Do not use the victim’s hard disk to store the fragile data
Avoid the use of too much virtual memory, as it may cause data to be overwritten
Use a floppy disk for a small amount of data/information
Do not use a USB or FireWire drive to store data, because they change the system’s state
If the victim’s system is connected to the Internet, use the same path that was used by the intruder to extract the data from the victim’s computer
Disconnect the victim’s computer from the Internet to protect it from further attack
Preserving Digital Evidence: Checklist (cont’d)
Do not use the original digital data regularly for examination
Do not run any program on the victim’s computer
If any changes occur during the collection of the evidence, document all the changes accordingly
Capture as accurate an image of the system as possible
Do not run any anti-virus program, because it changes the date and time of each file it scans
Ensure that your actions are repeatable
Preserving Floppy and Other Removable Media
5 ¼ inch disks
• Tape over the notch
• Mark the information such as date, time, and initials using a permanent marker
• Place in static free bags
3 ½ inch disks
• Place the write protect tab in the open position
• Mark the information using a permanent marker
• Place in static free bags
Reel-to-reel tapes
• Remove the plastic write enable ring
• Mark the information on the first 10-13 feet of tape
• Place in static free bags
Preserving Floppy and Other Removable Media (cont’d)
Cassette tapes
• Remove the record tab
• Mark the information on the plastic surface of the tape using a permanent marker
• Place in static free bag
Disk cartridges (removable hard drives)
• Tape over the notch
• Mark the information using a permanent marker
• Place in static free bags
Cartridge tapes
• Align the arrow at the safe mark by turning the dial
• Mark the information on the plastic surface using a permanent marker
• Place in static free bag
Handling Digital Evidence
Wear protective latex gloves for searching and seizing operations on the site
Store the electronic evidence in a secure area and climate controlled environment
Use a wireless StrongHold bag to block wireless signals from reaching the electronic device
Avoid folding and scratching storage devices such as diskettes, CD–ROMs, and tape drives
Pack the magnetic media in antistatic packaging
Protect the electronic evidence from magnetic field, dust, vibration, and other factors that may damage the integrity of the electronic evidence
Store and Archive
When evidence is collected and ready for analysis, it is important to store and archive the evidence in a way that ensures its safety and integrity
Best practices for data storage and archival include the following:
• Physically secure and store the evidence in a tamperproof location
• Ensure that no unauthorized personnel have access to the evidence, over the network or otherwise
• Protect storage equipment from magnetic fields
• Make at least two copies of the evidence that is collected, and store one copy in a secure offsite location
• Ensure that the evidence is physically secured (for example, by placing the evidence in a safe) as well as digitally secured
• Clearly document the chain of custody of the evidence
• Create a check-in / check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it
Digital Evidence Findings
Educate the intended audience:
• Digital laboratory experts must educate case agents and prosecutors in reviewing the evidence findings report, which includes:
• In-service training
• Legal updates
• Individual conversations
• Discussion on how to find the report
Develop a report of findings:
• The findings report should include:
• Investigator’s request
• Detailed description of the examined items
• Receipt and disposition of the evidence found
• Examiner’s identity
Evidence Examination and Analysis
DO NOT Work on the Original Evidence
Evidence Examination
General forensic principles apply when examining digital evidence
Different types of cases and media may require different methods of examination
Persons conducting an examination of digital evidence should be trained for this purpose
The examination should not be conducted on the original evidence
Evidence Examination (cont’d)
Preparation
• Prepare working directory/directories on separate media to which evidentiary files and data can be recovered and/or extracted
Extraction
• There are two different types of extraction: physical and logical
• The physical extraction phase identifies and recovers data across the entire physical drive without regard to the file system
• The logical extraction phase identifies and recovers files and data based on the installed operating system(s), file system(s), and/or application(s)
Physical Extraction
During this stage, the extraction of the data from the drive occurs at the physical level regardless of the file systems present on the drive
This may include the following methods:
• Keyword searching, file carving, and extraction of the partition table and unused space on the physical drive
• Performing a keyword search across the physical drive may be useful, as it allows the examiner to extract data that may not be accounted for by the operating system and file system
• File carving utilities processed across the physical drive may assist in recovering and extracting usable files and data that may not be accounted for by the operating system and file system
• Examining the partition structure may identify the file systems present and determine whether the entire physical size of the hard drive is accounted for
Logical Extraction
During this stage, the extraction of the data from the drive is based on the file system(s) present on the drive and may include data from such areas as active files, deleted files, file slack, and unallocated file space
Steps may include:
• Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file location
• Data reduction to identify and eliminate known files through the comparison of the calculated hash values to the authenticated hash values
• Extraction of files pertinent to the examination. Methods to accomplish this may be based on the file’s name and extension, file header, file content, and location on the drive
• Recovery of deleted files
• Extraction of password-protected, encrypted, and compressed data
• Extraction of file slack
• Extraction of unallocated space
Analyze Host Data
Host data includes information about the operating system and application components
Procedures used to analyze host data are:
• Identify what you are looking for; there will be a large amount of host data, and only a portion of that data might be relevant to the incident
• Examine the operating system data, including clock drift information, and any data loaded into the host computer's memory to see if you can determine whether any malicious applications or processes are running or scheduled to run
• Examine the running applications, processes, and network connections
• Use tools such as Windows Sysinternals Process Explorer, LogonSessions, and PsFile to perform these tasks
Analyze Storage Media
The storage media collected during the ‘Acquire the Data’ phase contains many files
Analyze these files to determine their relevance to the incident, which can be a daunting task because storage media such as hard disks and backup tapes often contain hundreds of thousands of files
Procedures used to extract and analyze data from the storage media collected are:
• Perform offline analysis on a bit-wise copy of the original evidence
• Determine whether data encryption was used, such as the Encrypting File System (EFS) in Microsoft Windows. Several registry keys can be examined to determine whether EFS was ever used on the computer
• If necessary, uncompress any compressed files and archives
• Create a diagram of the directory structure
Analyze Storage Media (cont’d)
Procedures used to extract and analyze data from the storage media collected are:
• Identify files of interest
• Examine the registry, the database that contains Windows configuration information, for information about the computer boot process, installed applications, and login information such as username and logon domain
• Search the contents of all gathered files to help identify files that may be of interest
• Study the metadata of files of interest, using tools such as EnCase
• Use file viewers to view the content of the identified files, which allow you to scan and preview certain files without the original application that created them
Analyze Network Data
The investigations focus on and examine images of the data
Procedures used in analyzing network data are:
• Examine network service logs for any events of interest
• Examine firewall, proxy server, intrusion detection system (IDS), and remote access service logs
• View any packet sniffer or network monitor logs for data that might help you determine the activities that took place over the network
Analysis of Extracted Data
Analysis is the process of interpreting the extracted data to determine their significance to the case
Some examples of analysis that may be performed include:
• Timeframe analysis
• Data hiding analysis
• Application and file analysis
• Ownership and possession
Analysis may require a review of the request for service, legal authority for the search of the digital evidence, investigative leads, and/or analytical leads
Timeframe Analysis
Timeframe analysis can be useful in determining when events occurred on a computer system, which can be used as a part of associating usage of the computer to an individual(s) at the time the events occurred
Two methods used for timeframe analysis:
• Reviewing the time and date stamps contained in the file system metadata (e.g. last modified, last accessed, created, change of status) to link files of interest to the timeframes relevant to the investigation
• An example of this analysis would be using the last modified date and time to establish when the contents of a file were last changed
• Reviewing the system and application logs that may be present
• These may include error logs, installation logs, connection logs, security logs, etc.
• For example, examination of a security log may indicate when a user name/password combination was used to log into a system
Take into consideration any differences in the individual’s computer date and time as reported in the BIOS
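An added example of the two timeframe methods above, combined with the BIOS clock correction the slide ends on (this is illustrative code, not EC-Council's): file system date stamps and security log entries, all taken from the subject system's clock, are shifted by the measured clock offset and merged into one timeline that can be filtered to the investigative window. The file records, log format and clock readings are constructed for the example.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def clock_offset(bios_time, reference_time):
    """Offset to add to timestamps taken from the subject system so that they are
    expressed in the examiner's reference time. bios_time is what the subject's
    clock showed at seizure; reference_time is the trusted clock at that moment."""
    return reference_time - bios_time


def build_timeline(file_records, log_lines, offset):
    """Merge file system MAC times and security log entries into one timeline,
    correcting every timestamp by the clock offset.
    Each event is (corrected_time, kind, description)."""
    events = []
    for rec in file_records:
        for kind in ("modified", "accessed", "created"):
            ts = datetime.strptime(rec[kind], FMT) + offset
            events.append((ts, kind, rec["path"]))
    for line in log_lines:
        # constructed log format: "YYYY-MM-DD HH:MM:SS EVENT user=<name> result=<ok|fail>"
        ts = datetime.strptime(line[:19], FMT) + offset
        events.append((ts, "log", line[20:]))
    events.sort()
    return events


def events_in_window(events, start, end):
    """Events whose corrected time falls within [start, end]."""
    return [e for e in events if start <= e[0] <= end]


def demo():
    """Constructed case: the subject's BIOS clock read 14:15:00 when the
    examiner's trusted clock read 14:00:00, so every system timestamp is
    15 minutes fast and must be moved back before it is compared."""
    offset = clock_offset(datetime(2009, 3, 10, 14, 15, 0),
                          datetime(2009, 3, 10, 14, 0, 0))
    files = [  # MAC times as reported by the subject's file system
        {"path": r"C:\Documents\ledger.xls", "modified": "2009-03-10 09:42:10",
         "accessed": "2009-03-10 09:42:10", "created": "2009-02-01 08:00:00"},
        {"path": r"C:\Windows\Temp\~tmp1.dat", "modified": "2009-03-10 10:20:00",
         "accessed": "2009-03-10 10:20:00", "created": "2009-03-10 10:20:00"},
    ]
    logs = [  # security log lines, also in the subject's clock
        "2009-03-10 09:31:05 LOGON user=jdoe result=ok",
        "2009-03-10 11:02:44 LOGOFF user=jdoe result=ok",
    ]
    timeline = build_timeline(files, logs, offset)
    # Investigative window, in reference time: 09:00 to 10:00
    window = events_in_window(timeline,
                              datetime(2009, 3, 10, 9, 0, 0),
                              datetime(2009, 3, 10, 10, 0, 0))
    return {
        "offset_minutes": int(offset.total_seconds() // 60),
        "window": [(t.strftime(FMT), kind, what) for t, kind, what in window],
    }


if __name__ == "__main__":
    for row in demo()["window"]:
        print(*row)
```

With the 15-minute correction the logon and the ledger modification fall inside the 09:00 to 10:00 window, while the temp file (10:05 corrected) does not, which is the opposite of what the uncorrected stamps would suggest.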
Data Hiding Analysis
Data can be concealed on a computer system. Data hiding analysis can be useful in detecting and recovering such data and may indicate knowledge, ownership, or intent
Methods used include:
• Correlating the file headers to the corresponding file extensions to identify any mismatches
• Presence of mismatches may indicate that the user intentionally hid data
• Gaining access to all password-protected, encrypted, and compressed files, which may indicate an attempt to conceal the data from unauthorized users. A password itself may be as relevant as the contents of the file
• Steganography
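An added example of the first method above, header-to-extension correlation (illustrative code, not EC-Council's): a small signature table of leading bytes is checked against each file's extension across an evidence tree, and every disagreement or unrecognised header is reported for the examiner to review. The signature table and the sample files are constructed for the example.

```python
import os
import tempfile

# Constructed signature table: leading bytes -> extensions that legitimately carry them
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"GIF87a": {".gif"},
    b"GIF89a": {".gif"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    b"MZ": {".exe", ".dll", ".sys"},
}


def extensions_for_header(path):
    """Return the extensions consistent with the file's leading bytes, or None
    when the header matches nothing in the table."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return exts
    return None


def classify(path):
    """'ok' when the header agrees with the extension, 'mismatch' when it does
    not (the slide's indicator of intentional hiding), 'unknown header' when
    the type is not in the table and the file needs manual review."""
    ext = os.path.splitext(path)[1].lower()
    exts = extensions_for_header(path)
    if exts is None:
        return "unknown header"
    return "ok" if ext in exts else "mismatch"


def scan_tree(root):
    """Walk root and report every file that is not 'ok', keyed by relative path."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            status = classify(full)
            if status != "ok":
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = status
    return findings


def demo():
    """Constructed evidence tree: two legitimate files, a JPEG renamed to .txt,
    a ZIP archive renamed to .dat, and a file with no recognizable header."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "docs/report.pdf": b"%PDF-1.4\n" + b"\x00" * 32,
        "docs/notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 32,  # JPEG hidden as text
        "backup.dat": b"PK\x03\x04" + b"\x00" * 32,            # ZIP hidden as .dat
        "random.bin": b"\x00" * 36,                            # nothing recognizable
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:15} {path}")
```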
Application and File Analysis
Many programs and files identified may contain information relevant to the investigation and provide insight into the capability of the system and the knowledge of the user
Results of this analysis may indicate the additional steps that need to be taken in the extraction and analysis processes
Application and File Analysis (cont’d)
Some examples include:
• Reviewing file names for relevance and patterns
• Examining the file’s content
• Identifying the number and type of the operating system(s)
• Correlating the files with the installed applications
• Considering relationships between files; for example, correlating Internet history to cache files and e-mail files to e-mail attachments
• Identifying the unknown file types to determine their value to the investigation
• Examining the users’ default storage location(s) for applications and the file structure of the drive to determine if files have been stored in their default or alternate location(s)
• Examining user-configuration settings
• Analyzing file metadata, the content of the user-created file containing data additional to that presented to the user, typically viewed through the application that created it
Ownership and Possession
In some instances, it may be essential to identify the individual(s) who created, modified, or accessed a file. It may also be important to determine ownership and knowledgeable possession of the questioned data
Elements of knowledgeable possession may be based on the analysis described, including one or more of the following factors:
• Placing the subject at the computer at a particular date and time may help to determine ownership and possession (timeframe analysis)
• Files of interest may be located in non default locations (e.g., user-created directory named “child porn”) (application and file analysis)
Ownership and Possession (cont’d)
Elements of knowledgeable possession may be based on the analysis described above, including one or more of the following factors:
• The file name itself may be of evidentiary value and also may indicate the contents of the file (application and file analysis)
• Hidden data may indicate a deliberate attempt to avoid detection (hidden data analysis)
• If the passwords needed to gain access to the encrypted and password-protected files are recovered, the passwords themselves may indicate possession or ownership (hidden data analysis)
• Contents of a file may indicate ownership or possession by containing information specific to a user (application and file analysis)
Evidence Documentation and Reporting
Documenting the Evidence
Documentation of the digital evidence examination is an ongoing process; therefore, it is important to correctly record each step during the examination
The report should be written simultaneously with the examination, and the presentation of the report should be consistent with departmental policies
Evidence Examiner Report
Common considerations that help the examiner throughout the documentation process:
• Take notes when discussing the case with the case investigator
• Preserve a copy of the search authority and chain of custody documentation
• Write detailed notes about each action taken
• Include date, time, complete description, and result of each action taken in the documentation
• Document any irregularities encountered during the examination
• Include the operating system’s name, software, and installed patches
Final Report of Findings
Disclose specific files related to the request
Other files, including deleted files, that support the findings
String searches, keyword searches, and text string searches
Internet-related evidence, such as website traffic analysis, chat logs, cache files, e-mail, and news group activity
Graphic image analysis
Indicators of ownership, which could include program registration data
Final Report of Findings (cont’d)
Descriptive data analysis
Description of the relevant programs on the examined items
Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions, and file name anomalies
Supporting materials
• List supporting materials that are included with the report, such as printouts of particular items of evidence, digital copies of evidence, and chain of custody documentation
Computer Evidence Worksheet
Case Number: ________________ Exhibit Number: ______________
Laboratory Number: ____________ Control Number: ______________
Computer Information
Manufacturer: ________________ Model: ____________________
Serial Number: __________________________________________
Examiner marking: _______________________________________
Computer Type: Desktop [ ] Laptop [ ] Other: ________
Computer Condition: Good [ ] Damaged [ ]
Number of hard drives: __________
3.5’’ Floppy drive [ ] 5.25’’ Floppy drive [ ] Modem [ ] Network card [ ]
Tape drive [ ] Tape drive type: ________
100 MB Zip [ ] 250 MB Zip [ ] CD Reader [ ] CD Read/Write [ ] DVD [ ]
Others: _____________________
Computer Evidence Worksheet (cont’d)
CMOS Information: Not Available [ ]
Password Logon: Yes [ ] No [ ] Password = ________
Current Time: _______ AM [ ] PM [ ] Current Date: ___/___/___
CMOS Time: _________ AM [ ] PM [ ] CMOS Date: ___/___/___
CMOS Hard Drive #1 Setting
Capacity: ______ Cylinders: _______ Heads: ______ Sectors: _______
Mode: LBA [ ] Normal [ ] Auto [ ] Legacy CHS [ ]
CMOS Hard Drive #2 Setting
Capacity: ______ Cylinders: _______ Heads: ______ Sectors: _______
Mode: LBA [ ] Normal [ ] Auto [ ] Legacy CHS [ ]
Hard Drive Evidence Worksheet
Case Number: ________________ Exhibit Number: ______________
Laboratory Number: ____________ Control Number: ______________
Hard Drive #1 Label Information [Not Available ]
Manufacturer: ________________ Model: _____________________ Serial Number: _______________
Capacity: _______ Cylinders: _________ Heads: _________ Sectors: __________
Controller Rev.: ____________________
IDE [ ] 50 Pin SCSI [ ] 68 Pin SCSI [ ] 80 Pin SCSI [ ] Other [ ]
Jumper: Master [ ] Slave [ ] Cable Select [ ] Undetermined [ ]
Hard Drive #2 Label Information [Not Available ]
Manufacturer: ________________ Model: _____________________ Serial Number: _______________
Capacity: _______ Cylinders: _________ Heads: _________ Sectors: __________
Controller Rev.: ____________________
IDE [ ] 50 Pin SCSI [ ] 68 Pin SCSI [ ] 80 Pin SCSI [ ] Other [ ]
Jumper: Master [ ] Slave [ ] Cable Select [ ] Undetermined [ ]
Hard Drive Evidence Worksheet (cont’d)
Hard Disk #1 Parameter Information
DOS FDisk [ ] PTable [ ] PartInfo [ ] Linux Fdisk [ ] SafeBack [ ] Encase [ ] Other: ___
Capacity: ______ Cylinders: _______ Heads: ______ Sectors: _______
LBA Address Sectors: _____________ Formatted Drive Capacity: ____________
Volume Label: __________________________________________________
Partitions:
Name       Bootable?   Start       End         Type
________   _________   _________   _________   _________
________   _________   _________   _________   _________
________   _________   _________   _________   _________
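Filling in the partition rows of the worksheet above from the drive's first sector, as an added example (not EC-Council's code or that of any of the tools the worksheet names): it reads the four entries of the MBR partition table and reports each used one as Name, Bootable?, Start, End and Type. The sample sector is constructed inline; the drive label and the partition-type table are assumptions.

```python
import struct

# Common MBR partition type codes (subset; unknown codes are reported as hex).
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)",
                   0x82: "Linux swap", 0x83: "Linux"}

# Each of the 4 table entries at offset 446 is 16 bytes, little-endian:
# status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4).
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector, drive_label="HD#1"):
    """Return one worksheet row (Name, Bootable?, Start, End, Type) per used entry."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector: wrong length or 0x55AA signature missing")
    rows = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        rows.append({
            "Name": f"{drive_label} P{i + 1}",
            "Bootable?": "Yes" if status == 0x80 else "No",
            "Start": lba_start,                 # first sector (LBA)
            "End": lba_start + count - 1,       # last sector (LBA, inclusive)
            "Type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X} (unknown)"),
        })
    # Logical partitions inside an extended partition and GPT disks are not
    # walked here; they need a follow-on pass over the EBR chain or the GPT header.
    return rows


def build_sample_mbr():
    """Constructed sample sector: bootable NTFS at LBA 63, then a Linux partition."""
    sector = bytearray(512)
    entries = [(0x80, 0x07, 63, 2048000), (0x00, 0x83, 2048063, 1024000)]
    for i, fields in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i, *fields)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def worksheet_lines(rows):
    """Render rows in the worksheet's column order for the examiner's notes."""
    header = f"{'Name':<10}{'Bootable?':<11}{'Start':>10}{'End':>10}  Type"
    body = [f"{r['Name']:<10}{r['Bootable?']:<11}{r['Start']:>10}{r['End']:>10}  {r['Type']}"
            for r in rows]
    return [header] + body
```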
Removable Media Worksheet
Case Number : ________________ Exhibit Number: ___________
Laboratory Number: ____________ Control Number: ___________
Media Type / Quality
Diskette [ ] LS 120 [ ] 100 MB Zip [ ] 250 MB Zip [ ]
1 GB Jaz [ ] 2 GB Jaz [ ] Magneto-optical [ ] Tape [ ]
CD [ ] DVD [ ] Other [ ]
Examination
Exhibit #   Sub-Exhibit #   Triage   Duplicated   Browse   Unerase   Keyword Search
_________   _____________   ______   __________   ______   _______   ______________
Electronic Crime and Digital Evidence Consideration by Crime Category
Electronic Crime and Digital Evidence Consideration by Crime Category
Online Auction Fraud:
• Account data based on online auction sites
• Accounting or bookkeeping software and related data files
• Address books
• Customer information or credit card data
• Databases
• Digital camera software
• E-mail/notes/letters
• Financial or asset records
• Internet browser history or cache files
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Child Exploitation/Abuse:
• Chat logs
• Date and time stamps
• Digital camera software
• E-mail/notes/letters
• Games
• Graphic editing and viewing software
• Images
• Internet activity logs
• Movie files
• User-created directory and file names that categorize images
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Computer Intrusion:
• Address books
• Configuration files
• E-mail/notes/letters
• Executable programs
• Internet activity logs
• Internet protocol (IP) address and user name
• Internet Relay Chat (IRC) logs
• Source code
• Text files (user names and passwords)
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Death Investigation:
• Address books
• Diaries
• E-mail/notes/letters
• Financial/asset records
• Images
• Internet activity logs
• Legal documents and wills
• Medical records
• Telephone records
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Economic Fraud (Including Online Fraud and Counterfeiting):
• Check, currency, and money order images
• Credit card skimmers
• Images of signatures
• False financial transaction forms
• False identification
E-Mail Threats/Harassment/Stalking:
• Internet activity logs
• Legal documents
• Telephone records
• Victim’s background research
• E-mail/notes/letters
• Financial or asset records
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Extortion:
• Date and time stamps
• E-mail/notes/letters
• History log
• Internet activity logs
• Temporary Internet files
• User names
Gambling:
• Customer database and player records
• Customer information or credit card data
• Electronic money
• Sports betting statistics
• Image players
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Identity Theft:
Hardware and software tools:
• Credit card generators
• Credit card reader/writer
• Digital cameras
• Scanners
Identification templates:
• Birth certificates
• Check cashing cards
• Digital photo images for photo identification
• Driver’s license
• Electronic signatures
• Fictitious vehicle registrations
• Scanned signatures
• Social security cards
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Identity Theft:
Internet activity related to ID theft:
• E-mails and newsgroup postings
• Erased documents
• Online orders
• Online trading information
• System files and file slack
• World Wide Web activity at forgery sites
Negotiable instruments:
• Business checks
• Cashier’s checks
• Counterfeit money
• Credit card numbers
• Fictitious court documents
• Fictitious loan documents
• Fictitious sales receipts
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Narcotics:
• Address books
• Calendar
• Databases
• Drug recipes
• E-mail/notes/letters
• False identification
• Financial/asset records
• Internet activity logs
• Prescription form images
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Prostitution:
• Address books
• Biographies
• Calendar
• Customer database/records
• E-mail/notes/letters
• False identification
• Financial/asset records
• Internet activity logs
• Medical records
• World Wide Web page advertising
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Software Piracy:
• Chat logs
• E-mail/notes/letters
• Image files of software certificates
• Internet activity logs
• Serial numbers
• Software cracking information and utilities
• User-created directory and file names that classify the copyrighted software
Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)
Telecommunications Fraud:
• Cloning software
• Customer database/records
• Electronic Serial Number (ESN)/Mobile Identification Number (MIN) pair records
• E-mail/notes/letters
• Financial/asset records
• “How to phreak” manuals
• Internet activity
• Telephone records
Summary
Digital evidence is information and digital data of investigative value that is recorded or preserved on electronic devices
Rules of evidence govern whether, when, how, and for what purpose proof of a case may be placed before a trier of fact for consideration
The digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action
Digital evidence is fragile and can be altered, damaged, or destroyed by improper handling or examination
Transfer fragile data to a non-volatile medium/device without disrupting any other component of the computer
Documentation of the digital evidence examination is an ongoing process; therefore, it is important to correctly record each step during the examination