Chapter 1: Introduction to Forensics (OCR PDF)
Summary
This chapter introduces computer forensics, outlining its basic concepts, legal aspects, and procedures. It discusses the forensic process and the necessary computer and network knowledge for analysis. The chapter also covers the Daubert standard, relevant laws, and federal guidelines. Key themes include: understanding the field of digital forensics, what is required for computer forensic analysis, and the examination and processing of evidence in a scientific manner.
Full Transcript
PART I Introduction to Forensics
CHAPTER 1 Introduction to Forensics
CHAPTER 2 Overview of Computer Crime
CHAPTER 3 Forensic Methods and Labs

CHAPTER 1 Introduction to Forensics

THIS CHAPTER INTRODUCES YOU TO THE FIELD of computer forensics. It covers some legal issues, the basic concepts of the forensic process, and a review of the basic computer and networking knowledge you will need. This chapter forms the basis for the subsequent chapters. It is important to be comfortable with the material in this chapter before proceeding.

Chapter 1 Topics
This chapter covers the following topics and concepts:
- What is computer forensics?
- What do you need to know about the field of digital forensics?
- What do you need to know for computer forensic analysis?
- What is the Daubert standard?
- What are the relevant laws?
- What are the federal guidelines?

Chapter 1 Goals
When you complete this chapter, you will be able to:
- Understand the basic concepts of forensics
- Maintain the chain of custody
- Understand the basic hardware and networking knowledge needed for forensics
- Know the basic laws related to computer forensics

What Is Computer Forensics?
Before you can answer the question, “What is computer forensics?”, you should address the question, “What is forensics?” The American Heritage Dictionary defines forensics as “the use of science and technology to investigate and establish facts in criminal or civil courts of law.” Essentially, forensics is the use of science to process evidence so you can establish the facts of a case. The individual case being examined could be criminal or civil, but the process is the same. The evidence has to be examined and processed in a consistent, scientific manner. This is to ensure that the evidence is not accidentally altered and that appropriate conclusions are derived from that evidence. You have probably seen some crime drama wherein forensic techniques were a part of the investigative process.
In such dramas, a bullet is found and forensics is used to determine which gun fired the bullet. Or perhaps a drop of blood is found and forensics is used to match the DNA to a suspect. These are all valid aspects of forensics. However, our modern world is full of electronic devices with the capacity to store data. The extraction of that data in a consistent, scientific manner is the subject of computer forensics. In fact, with the proliferation of smartphones, smartwatches, and other devices, some now refer to this field as digital forensics, emphasizing the wide range of different devices that can be included.

The United States Computer Emergency Readiness Team (US-CERT) defines computer forensics in this manner:

Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.... Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from bloodstains to the files on a hard drive.

According to the website Computer Forensics World:

Generally, computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.

The objective in computer forensics (or digital forensics, if you prefer) is to recover, analyze, and present computer-based material in such a way that it can be used as evidence in a court of law. In computer forensics, as in any other branch of forensic science, the emphasis must be on the integrity and security of evidence. A forensic specialist must adhere to stringent guidelines and avoid taking shortcuts. Any device that can store data is potentially the subject of computer forensics. Obviously, that includes devices such as network servers, personal computers, and laptops.
However, computer forensics also encompasses devices such as smartphones, routers, tablets, printers, and global positioning system (GPS) devices. Remember that any device that can store data is a potential subject of computer forensics. Although the subject of computer forensics, as well as the tools and techniques used, is significantly different from traditional forensics—like DNA analysis and bullet examination—the goal is the same: to obtain evidence that can be used in some legal proceeding. Computer forensics applies to all the domains of a typical IT infrastructure, from the User Domain and Remote Access Domain to the Wide Area Network (WAN) Domain and Internet Domain (see FIGURE 1-1).

FIGURE 1-1 [Diagram of the domains of a typical IT infrastructure; labels legible in the scan: LAN domain, LAN-to-WAN domain, WAN]

FIGURE 1-2 [Screenshot of the ipconfig command in a Windows command prompt, listing a wireless LAN adapter, an Ethernet adapter, a VirtualBox host-only adapter and ISATAP tunnel adapters, with the media state, IPv4 address, subnet mask and default gateway of each]

The ipconfig command gives you some information about your connection to a network or to the internet. Most important, you find out your own IP address. The command also shows the IP address of your default gateway, which is your connection to the outside world.
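Reading ipconfig output by eye is fine for a quick check, but during a live response you want the adapter list, addresses, gateway and DHCP lease times captured as structured data and tied to a hash of the raw text you saw. The following Python script is an added example, not code from the textbook: it parses the text of ipconfig /all (a real ipconfig option) into per-adapter records. The sample output, host name, addresses and lease times are constructed for this example, and the function and class names are the author's own choices.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `ipconfig /all` output; not a real capture.
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAB-WS01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.37(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, January 11, 2021 8:02:15 AM
   Lease Expires . . . . . . . . . . : Tuesday, January 12, 2021 8:02:15 AM
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.2

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5F
"""

# A field line looks like "   Key . . . . : value"; the dots and spaces are padding.
FIELD_RE = re.compile(r"^\s{2,}([A-Za-z][A-Za-z0-9()\-/ ]*?)[ .]*:\s?(.*)$")


@dataclass
class Adapter:
    name: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def ipv4(self) -> Optional[str]:
        raw = self.fields.get("IPv4 Address")
        return raw.replace("(Preferred)", "").strip() if raw else None

    @property
    def gateway(self) -> Optional[str]:
        return self.fields.get("Default Gateway") or None


def parse_ipconfig(text: str) -> Dict[str, object]:
    """Parse `ipconfig /all` text into host-level fields and one record per adapter."""
    host: Dict[str, str] = {}
    adapters: List[Adapter] = []
    current = host            # dictionary that receives the next field line
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Section header: "Windows IP Configuration" or "<type> adapter <name>:"
            if line.endswith(":"):
                adapters.append(Adapter(name=line[:-1]))
                current = adapters[-1].fields
            else:
                current = host
            last_key = None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            current[last_key] = m.group(2).strip()
        elif last_key is not None:
            # Indented continuation (e.g. a second DNS server) belongs to the previous key
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return {
        "host_name": host.get("Host Name", ""),
        "adapters": adapters,
        # Hash of the raw text so the parsed record can be tied to what was captured
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
    }


def connected_adapters(parsed: Dict[str, object]) -> List[Adapter]:
    """Adapters that are up and hold an IPv4 address; the ones that matter for connectivity."""
    return [a for a in parsed["adapters"]
            if a.fields.get("Media State") != "Media disconnected" and a.ipv4]


if __name__ == "__main__":
    result = parse_ipconfig(SAMPLE_IPCONFIG)
    print("host:", result["host_name"], "raw sha256:", result["sha256"][:16], "...")
    for a in connected_adapters(result):
        print(a.name, a.ipv4, "gw", a.gateway, "lease", a.fields.get("Lease Obtained"))
```

To use it on a live machine, save the output of ipconfig /all to a file first (so the raw text itself is preserved) and pass the file's contents to parse_ipconfig; the lease-obtained time is often the earliest reliable indication of when the system joined the network.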
Running the ipconfig command is a first step in determining your system’s network configuration. The /all option gives you much more information. For example, ipconfig /all gives the name of your computer, when your computer obtained its IP address, and more.

Using ping
Another commonly used command is ping, which sends a test packet, or echo packet, to a machine to find out whether the machine is reachable and how long the packet takes to reach it. This useful diagnostic tool can also be employed in elementary hacking techniques. The command is shown in FIGURE 1-3.

FIGURE 1-3 [Screenshot of ping www.chuckeasttom.com in a Windows command prompt: four 32-byte echo requests sent to 67.195.61.46, four replies received, none lost, round-trip times between 64 ms and 65 ms]

You can see in FIGURE 1-3 that a 32-byte echo packet was sent to the destination and returned. The TTL item means time to live. It is a hop count: each router that forwards the packet decreases it by one, and when it reaches zero the packet is discarded rather than forwarded further, so a packet that cannot reach its destination does not circulate forever. Remember that the internet is a vast conglomerate of interconnected networks. Your packet probably won’t go straight to its destination. It will have to take several hops to get there. As with ipconfig, you can type ping -? to find out various ways you can refine your ping.

Working with tracert
The final command this section examines is the tracert command. It sends a series of probe packets and reports each intermediate router, or hop, on the current path to the destination, together with the round-trip time to each. This makes tracert useful for live network troubleshooting. Bear in mind, though, that it shows the path as it exists at the moment you run it; routes change, so tracert output cannot establish which path traffic took at some earlier time and should be recorded as current-state diagnostic information rather than treated as historical evidence. The same command exists in Linux and UNIX, where it is called traceroute rather than tracert. You can see this command in FIGURE 1-4.
FIGURE 1-4 [Screenshot of tracert www.chuckeasttom.com in a Windows command prompt: the route passes through texas.rr.com and yahoo.com routers and ends at 67.195.61.46, trace complete]

This section is just a brief overview of the hardware, software, and networking knowledge you should have in order to study forensics. If you find you are lacking in one or more areas, do some review in those areas before you proceed.

Obscured Information and Anti-Forensics
Two more challenges in obtaining digital evidence are obscured information and anti-forensics.

Obscured Information
Information can be obscured in a number of ways. Obscured information may be scrambled by encryption, hidden using steganographic software, compressed, or in a proprietary format. Sometimes, cybercriminals obscure information to deter forensic examination. More often, companies use certain manipulation and storage techniques to protect business-sensitive information. Regardless of the reason for obscured data, collecting and analyzing it is difficult. Data that has been obscured through encryption, steganography, compression, or proprietary formats can sometimes be converted with some serious detective work and the right tools. Forensic specialists often must do quite a bit of work to decrypt encrypted information. In many cases, the investigator cannot decrypt information unless the data owner provides the encryption key and algorithm.
When digital evidence has been encrypted and is in use on a live system, an investigator might have to collect evidence through a live extraction process.

Anti-Forensics
Every investigation is unique. Investigations are not necessarily friendly activities. Forensic specialists may have to conduct the investigation with or without the cooperation of the information owner. And the information owner may or may not be the target of the investigation. Investigations are difficult with uncooperative information owners. Attackers may use techniques to intentionally conceal their identities, locations, and behavior. For example, perpetrators may conceal their identities by using networked connections at a library, an internet café, or another public computer kiosk. Or they may use encryption or anonymous services to protect themselves. The actions that perpetrators take to conceal their locations, activities, or identities are generally termed anti-forensics. Cybercriminals are becoming better at covering their tracks as their awareness of digital forensics capabilities increases. The following are examples of anti-forensics techniques:
- Data destruction—Methods for disposing of data vary. They can be as simple as wiping the memory buffers used by a program, or they can be as complex as repeatedly overwriting a cluster of data with patterns of 1s and 0s. Digital evidence can be destroyed easily. For example, starting a computer updates timestamps and modifies files. Attaching a hard disk or USB stick modifies file-system timestamps. Powering off a machine destroys volatile memory. Suspects may delete files and folders and defragment their hard drives in an attempt to overwrite evidence.
- Data hiding—Suspects often store data where an investigator is unlikely to find it. They may hide data, for example, in reserved disk sectors or as logical partitions within a defined, public partition. Or they may simply change filenames and extensions.
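The last trick in that item, renaming a file so its extension lies about its contents, is also one of the easiest to detect: an examiner compares the file’s signature (its first bytes, often called magic bytes) with what the extension claims. The Python script below is an added example, not code from the textbook. It checks a handful of common formats over constructed in-memory sample files; the signature table is deliberately a short illustrative subset, the sample files and their names are made up, and all identifiers are the author's own.

```python
from typing import Dict, List, Optional, Tuple

# Minimal file-signature table: (offset, magic bytes, format name).
# A short illustrative subset only; real signature databases carry thousands of entries.
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),          # docx/xlsx/pptx/jar are ZIP containers too
    (0, b"MZ", "exe"),                  # Windows PE files begin with the DOS "MZ" stub
    (0, b"\x7fELF", "elf"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"SQLite format 3\x00", "sqlite"),
]

# Extensions that legitimately share a container signature with another format.
EQUIVALENT: Dict[str, str] = {
    "jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "apk": "zip", "dll": "exe", "sys": "exe", "db": "sqlite",
}


def identify(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes match the start of data, or None if unknown."""
    for offset, magic, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_file(filename: str, data: bytes) -> Dict[str, object]:
    """Compare the extension a file claims with the format its signature reveals."""
    claimed = extension_of(filename)
    detected = identify(data)
    normalized = EQUIVALENT.get(claimed, claimed)
    if detected is None:
        verdict = "unknown"      # no signature in our table; needs manual review
    elif normalized == detected:
        verdict = "match"
    else:
        verdict = "mismatch"     # the extension lies about the content
    return {"file": filename, "claimed": claimed, "detected": detected, "verdict": verdict}


def scan(files: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Check every file and list mismatches first, then unknowns, then matches."""
    results = [check_file(name, data) for name, data in files.items()]
    order = {"mismatch": 0, "unknown": 1, "match": 2}
    return sorted(results, key=lambda r: (order[r["verdict"]], r["file"]))


# Constructed sample "files"; only the leading bytes matter for a signature check.
SAMPLE_FILES: Dict[str, bytes] = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "notes.txt": b"Meeting at 10am, bring the drive.\n",
    "budget.xlsx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 32,
    "family.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32,                 # EXE renamed to .jpg
    "report.pdf": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 32,        # PNG renamed to .pdf
}

if __name__ == "__main__":
    for r in scan(SAMPLE_FILES):
        print(f'{r["verdict"]:8} {r["file"]:14} claims={r["claimed"]!r:8} detected={r["detected"]!r}')
```

On a real image you would feed scan the first few hundred bytes of every file in the file system listing; the "unknown" bucket is as important as the mismatches, because an examiner has to account for every file whose type cannot be confirmed.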
- Data transformation—Suspects may process information in a way that disguises its meaning. For example, they may use encryption to scramble a message based on an algorithm. Or they may use steganography to hide a message inside a larger message.
- File system alteration—Suspects often corrupt data structures and files that organize data, such as a Windows NT File System (NTFS) volume.

The Daubert Standard
One legal principle that is key to forensics and is all too often overlooked in forensics books is the Daubert standard. The Cornell University Law School defines the Daubert standard as follows:

Standard used by a trial judge to make a preliminary assessment of whether an expert's scientific testimony is based on reasoning or methodology that is scientifically valid and can properly be applied to the facts at issue. Under this standard, the factors that may be considered in determining whether the methodology is valid are: (1) whether the theory or technique in question can be and has been tested; (2) whether it has been subjected to peer review and publication; (3) its known or potential error rate; (4) the existence and maintenance of standards controlling its operation; and (5) whether it has attracted widespread acceptance within a relevant scientific community.

What this means, in layman’s terms, is that any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community. For a computer forensics investigator, that means that any tools, techniques, or processes you utilize in your investigation should be ones that are widely accepted in the computer forensics community. You cannot simply make up new tests or procedures. This, naturally, brings up a question: How do new techniques become widely accepted? Let’s suppose you have developed a new tool that extracts forensic information from the Windows Registry.
A first step might be to provide a copy of that tool to a few professors of forensics, allowing them to experiment with it. You might also publish an article describing it. After it has been tested by the forensic community and articles about it have been read (and possibly rebutted), then your tool would be usable in real forensic investigations.

It is important to remember the Daubert standard because it will affect your forensic approach. It also reminds us of an even more basic concept: The evidence you collect is important only if it is admissible in court. So you have to pay attention to the techniques and tools you use and maintain the chain of custody. If you fail to use widely accepted techniques, to fully document your methodology, and to use only those tools and techniques you are qualified to use, the opposing attorney might issue what is commonly called a “Daubert challenge.” This is a motion to exclude all or part of your testimony due to it failing to meet the Daubert standard. Daubert challenges are quite common in civil cases, but are not common in criminal court. There has been a movement in the legal community in recent years to increase Daubert challenges in criminal court. The rationale behind this is that some people believe that “junk science” is making its way into criminal proceedings, and well-articulated Daubert challenges could reduce that.

U.S. Laws Affecting Digital Forensics
There are many laws that affect digital forensics investigation. For example, some jurisdictions have passed laws that require the investigator to be either a law enforcement officer or a licensed private investigator to extract the evidence. Of course, that does not prevent a forensic investigator from working with information someone else extracted or extracting evidence if the information owner gave his or her permission. It is important to be aware of the legal requirements in the jurisdiction in which you work.
The Federal Privacy Act of 1974
The Privacy Act of 1974 establishes a code of information-handling practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.

The Privacy Protection Act of 1980
The Privacy Protection Act (PPA) of 1980 protects journalists from being required to turn over to law enforcement any work product and documentary materials, including sources, before it is disseminated to the public. Journalists who most need the protection of the PPA are those who are working on stories that are highly controversial or that describe criminal acts, because the information gathered may also be useful to law enforcement.

The Communications Assistance to Law Enforcement Act of 1994
The Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded in 2004 to include wireless, voice over packets, and other forms of electronic communications, including signaling traffic and metadata.

Unlawful Access to Stored Communications: 18 U.S.C. § 2701
This statute covers access to a facility through which electronic communication is provided, or exceeding the access that was authorized. It is broadly written to apply to a range of offenses. Punishment can be up to 5 years in prison and fines for the first offense. The actual wording of the statute is as follows:

(a) Offense.—Except as provided in subsection (c) of this section whoever—
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

This law is used less frequently than the Computer Fraud and Abuse Act. However, it is written broadly enough to cover a number of acts. Primarily, the focus is on any facility, server, or device used to store electronic communications. It is sometimes the case that when employees leave a company, they seek to take information that they can use in competition with the company. This can include emails or other stored communications.

The Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy Act of 1986 governs the privacy and disclosure, access, and interception of content and traffic data related to electronic communications.

The Computer Security Act of 1987
The Computer Security Act of 1987 was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.

The Foreign Intelligence Surveillance Act of 1978
The Foreign Intelligence Surveillance Act of 1978 (FISA) is a law that allows for collection of “foreign intelligence information” between foreign powers and agents of foreign powers using physical and electronic surveillance. A warrant is issued by the FISA court for actions under FISA.

The Child Protection and Sexual Predator Punishment Act of 1998
The Child Protection and Sexual Predator Punishment Act of 1998 requires service providers that become aware of the storage or transmission of child pornography to report it to law enforcement.
The Children’s Online Privacy Protection Act of 1998
The Children’s Online Privacy Protection Act of 1998 (COPPA) protects children under 13 years of age from the collection and use of their personal information by websites and online services. It should not be confused with the Child Online Protection Act of 1998 (COPA), a separate statute aimed at restricting minors’ access to harmful material online; COPA was held unconstitutional and never took effect.

The Communications Decency Act of 1996
The Communications Decency Act of 1996 was designed to protect persons under 18 years of age from downloading or viewing material considered indecent. Its indecency provisions were struck down in Reno v. ACLU (1997), and later court cases changed some definitions and penalties.

The Telecommunications Act of 1996
The Telecommunications Act of 1996 includes many provisions relative to the privacy and disclosure of information in motion through and across telephony and computer networks.

The Wireless Communications and Public Safety Act of 1999
The Wireless Communications and Public Safety Act of 1999 allows for collection and use of “empty” communications, which means nonverbal and nontext communications, such as GPS information.

The USA PATRIOT Act
The USA PATRIOT Act is the primary law under which a wide variety of internet and communications information content and metadata is currently collected. Provisions exist within the PATRIOT Act to protect the identity and privacy of U.S. citizens.

The Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.

18 USC § 1030 Fraud and Related Activity in Connection with Computers
This is one of the most widely used laws in hacking cases. It covers a wide range of crimes involving illicit access to any computer.

18 USC § 1029 Fraud and Related Activity in Connection with Access Devices
This is closely related to § 1030 but covers access devices, meaning cards, account numbers, PINs, and other means of account access rather than the computers themselves.
The Digital Millennium Copyright Act (DMCA)
This controversial law was enacted in 1998. Its anti-circumvention provisions make it unlawful to circumvent technological measures that protect copyrighted works and to distribute tools or techniques for doing so. It is controversial because it has been used against legitimate researchers publishing research papers.

18 USC § 1028 and § 1028A Identity Theft and Aggravated Identity Theft
As the name suggests, this law targets crimes related to identity theft: § 1028 covers fraud in connection with identification documents and information, and § 1028A adds the offense of aggravated identity theft, committed in relation to certain other felonies. It is often applied in stolen credit card cases.

18 USC § 2251 Sexual Exploitation of Children
This law covers a range of child exploitation crimes and is often seen in child pornography cases. Related to this rather broad law are several others, such as:
- 18 U.S.C. § 2260: Production of sexually explicit depictions of a minor for importation into the United States
- 18 U.S.C. § 2252: Certain activities relating to material involving the sexual exploitation of minors (possession, distribution, and receipt of child pornography)
- 18 U.S.C. § 2252A: Certain activities relating to material constituting or containing child pornography

Warrants
According to the Supreme Court, a “seizure of property occurs when there is some meaningful interference with an individual’s possessory interests in that property” (United States v. Jacobsen, 466 U.S. 109, 113 (1984)). The Court also characterized the interception of intangible communications as a seizure, in the case of Berger v. New York (388 U.S. 41, 59-60 (1967)). That means that law enforcement need not take property in order for it to be considered seizure; merely interfering with an individual’s access to his or her own property constitutes seizure. Berger v. New York extends that to communications. If law enforcement’s conduct does not violate a person’s “reasonable expectation of privacy,” then formally it does not constitute a Fourth Amendment “search” and no warrant is required. There have been many cases where the issue of reasonable expectation of privacy has been argued.
To use an example that is quite clear, if you save a message in an electronic diary, you clearly have a reasonable expectation of privacy; however, if you post such a message on a public bulletin board, you can have no expectation of privacy. In less clear cases, a general rule is that courts have held that law enforcement officers are prohibited from accessing and viewing information stored in a computer if they would be prohibited from opening a closed container and examining its contents in the same situation.

Warrants are not needed when evidence is in plain sight. For example, if a detective is talking to someone about a string of burglaries in the neighborhood and can clearly see child pornography on that person’s computer screen, no warrant is needed.

Another exception to the need for a warrant is consent. If someone who is authorized to provide consent (for example, the owner of a phone or computer) gives law enforcement that consent to a search, then no warrant is needed. In computer crime cases, two consent issues arise particularly often. First, when does a search exceed the scope of consent? For example, when a person agrees to the search of a location, such as his or her apartment, does that consent authorize the retrieval of information stored in computers at the location? Second, who is the proper party to consent to a search? Can roommates, friends, and parents legally grant consent to a search of another person’s computer files? These are all critical questions that must be considered when searching a computer. In general, courts have held that only the actual owner of a property can grant consent, or someone who has legal guardianship of the owner. For example, a parent of a minor child can grant consent to search the child’s living quarters and computers. However, a roommate who shares rent can grant consent to search only shared living quarters and computers co-owned by both parties.
A roommate cannot grant consent to search the private property of the other person.

There are other cases where investigators don’t need a warrant. One such circumstance is border crossing. Anyone going through customs in any country may have their belongings searched. This can include a complete forensic examination of laptops, cell phones, and other devices. The permitted scope of such device searches is not unlimited and varies by jurisdiction, so check the current law where you work. Another such instance where a warrant is not needed is if there is imminent danger that evidence will be destroyed. In the case of United States v. David, the court held that “When destruction of evidence is imminent a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity.”

It is also important not to exceed the scope of a warrant. In United States v. Schlingloff, 2012 U.S. Dist. LEXIS 157272 (C.D. Ill. Oct. 24, 2012), Judge Shadid held that use of Forensic Toolkit’s (FTK) Known File Filter (KFF) to alert on child pornography files was outside the scope of a warrant issued to look for evidence of identity theft. In this case, the owner of the device was suspected of identity theft, and a warrant was issued so that police could search for evidence of that crime. However, the investigator used the Known File Filter to search for child pornography, and indeed found illegal images on the computer in question.

Federal Guidelines
If you are setting up a forensic lab, or if you are new to forensics, a good place to start is the federal guidelines. Two agencies in particular—the FBI and the Secret Service—are particularly important.

The FBI
If an incident occurs, the FBI recommends that the first responder should preserve the state of the computer at the time of the incident by making a backup copy of any logs, any damaged or altered files, and any other files modified, viewed, or left by the intruder. This last part is critical. Hackers frequently use various tools and may leave traces of their presence.
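A backup copy of the kind the FBI recommends is only worth anything if you can later show that the copy is identical to what was collected and has not changed since; the same applies to the working copy of a hard drive discussed below. The Python script that follows is an added example, not code from the textbook or from the FBI guidance: it copies a set of files into a preservation directory, records the SHA-256 hash, size and original modification time of each in a manifest, and re-hashes the copies on demand to report anything that has changed or gone missing. The sample log lines, case identifier and examiner name are constructed placeholders, and the function names are the author's own.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

# Constructed sample log content; not real logs.
SAMPLE_LOGS: Dict[str, str] = {
    "auth.log": "Jan 11 08:02:15 ws01 sshd[412]: Accepted password for admin from 10.0.0.9\n",
    "firewall.log": "2021-01-11T08:03:01Z DROP 10.0.0.9:51234 -> 192.168.10.37:445\n",
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large evidence files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(sources: List[Path], dest: Path, case_id: str, examiner: str) -> Dict[str, object]:
    """Copy each source into dest, confirm the copy hashes identically, and write manifest.json."""
    dest.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sources:
        target = dest / src.name
        shutil.copy2(src, target)          # copy2 also carries over the original timestamps
        original_hash = sha256_file(src)
        if sha256_file(target) != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        st = src.stat()
        entries.append({
            "name": src.name,
            "source_path": str(src),
            "size": st.st_size,
            "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": original_hash,
        })
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest: Path) -> Dict[str, List[str]]:
    """Re-hash every preserved copy against the manifest; report intact, changed and missing files."""
    manifest = json.loads((dest / "manifest.json").read_text())
    report: Dict[str, List[str]] = {"ok": [], "changed": [], "missing": []}
    for entry in manifest["files"]:
        copy = dest / entry["name"]
        if not copy.exists():
            report["missing"].append(entry["name"])
        elif sha256_file(copy) != entry["sha256"]:
            report["changed"].append(entry["name"])
        else:
            report["ok"].append(entry["name"])
    return report


def demo() -> Dict[str, object]:
    """Write the constructed logs, preserve them, tamper with one copy, and verify before and after."""
    work = Path(tempfile.mkdtemp(prefix="evidence-demo-"))
    live = work / "live"
    live.mkdir()
    for name, content in SAMPLE_LOGS.items():
        (live / name).write_bytes(content.encode("utf-8"))
    preserved = work / "preserved"
    manifest = preserve(sorted(live.iterdir()), preserved, case_id="CASE-0001", examiner="J. Doe")
    clean = verify(preserved)
    # Simulate a later modification of one preserved copy; the hash check must catch it.
    with (preserved / "auth.log").open("ab") as f:
        f.write(b"tampered\n")
    tampered = verify(preserved)
    shutil.rmtree(work, ignore_errors=True)
    return {"manifest": manifest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print(json.dumps({"clean": result["clean"], "tampered": result["tampered"]}, indent=2))
```

The manifest is the artifact you attach to the chain-of-custody record; anyone who later receives the preserved directory can run verify and reproduce the same hashes, which is what lets the copy stand in for the original.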
Furthermore, the FBI advises that if the incident is in progress, you should activate any auditing or recording software you might have available. Collect as much data about the incident as you can. In other words, this might be a case where you do not take the machine offline, but rather analyze the attack in progress.

The FBI computer forensics guidelines stress the importance of securing any evidence. They further stress that computer evidence can come in many forms. Here are a few common forms:
- Hard drives
- System logs
- Portable storage, such as USB drives and external drives
- Router logs
- Emails
- Chat room logs
- Cell phones
- SIM cards for cell phones
- Logs from security devices, such as firewalls and intrusion-detection systems
- Databases and database logs

What you secure will be dependent upon the nature of the cybercrime. For example, in the case of child predators, online stalkers, or online fraud, email may be very important, but router logs may be irrelevant. The FBI also stresses that you should work with a copy of the hard drive, not the original. The FBI has a cybercrimes web page, which is a very useful resource for learning more about trends in cybercrime and in computer forensics.

The Secret Service
The U.S. Secret Service is the premier federal agency tasked with combating cybercrime. It has a website devoted to computer forensics that includes forensics courses. These courses are usually for law enforcement personnel.

FYI
Since 9/11, the U.S. Secret Service has been tasked with taking the lead in U.S. cybercrime efforts. There are electronic crime task force centers set up in several major cities, including Atlanta, Baltimore, Birmingham, Boston, Buffalo, Chicago, Dallas, Houston, and San Francisco. These electronic crime task force centers cooperate with other law enforcement agencies, including local police departments, in computer crime investigations.

The Secret Service also has released a guide for first responders to computer crime.
The agency has listed its “golden rules” to begin the investigation. They are as follows:
- Officer safety: Secure the scene and make it safe.
- If you reasonably believe that the computer is involved in the crime you are investigating, take immediate steps to preserve the evidence.
- Determine whether you have a legal basis to seize the computer, such as plain view, search warrant, or consent.
- Do not access any computer files. If the computer is off, leave it off.
- If it is on, do not start searching through the computer. Instead, properly shut down the computer and prepare it for transport as evidence.
- If you reasonably believe that the computer is destroying evidence, immediately shut down the computer by pulling the power cord from the back of the computer.
- If a camera is available and the computer is on, take pictures of the computer screen. If the computer is off, take pictures of the computer, the location of the computer, and any electronic media attached.
- Determine whether special legal or privacy considerations apply, such as those for doctors, attorneys, clergy, psychiatrists, newspapers, or publishers.

These are all important first steps to both preserving the chain of custody and ensuring the integrity of the investigation from the very beginning.

The Regional Computer Forensics Laboratory Program
The Regional Computer Forensics Laboratory (RCFL) Program is a national network of forensic laboratories and training centers. The FBI provides startup and operational funding, training, staff, and equipment to the program. State, local, and other federal law enforcement agencies assign personnel to staff RCFL facilities. Each of the 16 RCFLs examines digital evidence in support of criminal and national security investigations. The RCFL Program provides law enforcement at all levels with digital forensics expertise. It works with a wide variety of investigations, including terrorism, child pornography, fraud, and homicide.
The RCFL Program conducts digital forensics training. In 2008, for example, the program trained nearly 5000 law enforcement personnel in system forensics tools and techniques. For more information, see http://www.rcfl.gov.

CHAPTER SUMMARY

This chapter explored the basics of computer forensics. You have learned general principles, such as working only with a copy of the drive you're investigating and maintaining the chain of custody. The chapter also examined the types of digital forensics done as well as the laws regarding digital forensics. You should be familiar with the Daubert standard, warrants, federal forensic guidelines, and the general forensic procedure.

KEY CONCEPTS AND TERMS

Anti-forensics
Cell-phone forensics
Chain of custody
Computer forensics
Curriculum vitae (CV)
Daubert standard
Demonstrative evidence
Digital evidence
Disk forensics
Documentary evidence
Email forensics
Expert report
Expert testimony
Internet forensics
Live system forensics
Network forensics
Real evidence
Software forensics
Testimonial evidence
Volatile memory

CHAPTER 1 ASSESSMENT

1. In a computer forensics investigation, this describes the route that evidence takes from the time you find it until the case is closed or goes to court.
   A. Rules of evidence
   B. Law of probability
   C. Chain of custody
   D. Policy of separation

2. If the computer is turned on when you arrive, what does the Secret Service recommend you do?
   A. Begin your investigation immediately.
   B. Shut the computer down according to the recommended Secret Service procedure.
   C. Transport the computer with power on.
   D. Unplug the machine immediately.

3. Why should you note all cable connections for a computer you want to seize as evidence?
   A. To know what outside connections existed
   B. In case other devices were connected
   C. To know what peripheral devices existed
   D. To know what hardware existed

4. What is the essence of the Daubert standard?
   A. That only experts can testify at trial
   B. That an expert must affirm that a tool or technique is valid
   C. That only tools or techniques that have been accepted by the scientific community are admissible at trial
   D. That the chain of custody must be preserved

5. When cataloging digital evidence, the primary goal is to do what?
   A. Make bitstream images of all hard drives.
   B. Preserve evidence integrity.
   C. Keep evidence from being removed from the scene.
   D. Keep the computer from being turned off.

6. Which of the following is important to the investigator regarding logging?
   A. The logging methods
   B. Log retention
   C. Location of stored logs
   D. All of the above

7. Your roommate can give consent to search your computer.
   A. True
   B. False

8. Evidence need not be locked if it is at a police station.
   A. True
   B. False
