Processing Crimes & Incident Scenes PDF

Summary

This document provides an overview of procedures for processing crimes and incidents, focusing on digital evidence handling and collection methods. It outlines the importance of evidence preservation, digital forensics, and associated legal aspects.

Full Transcript

Processing Crimes & CSSY4104/ITSY402

Incident Scenes MODULE 2
Module 2 Outline

Lesson 1. Explain the rules for
controlling digital evidence

Lesson 2. Preparing for a Search:
Describe how to collect evidence

Lesson 3. List the steps for an
evidence search

Lesson 4. Securing a computer
incident or crime scene

Lesson 5. Seizing and storing digital
evidence

CSSY4104/ITSY402 2
First Lesson
We will cover these skills:
 Discipline knowledge and
skills
 Digital and technical
competency

Learning Outcome:
 Develop the ability to
perform essential forensic
data acquisition and
analysis

CSSY4104/ITSY402 3
 Identifying Digital Evidence

 DIGTITAL EVIDENCE can be any information
stored or transmitted in digital form. Because
you can’t see or touch digital data directly, it’s  Following are the general tasks investigators
difficult to explain and describe. Is digital perform when working with digital evidence:
evidence real or virtual?
Identify digital information or artifacts that can
 U.S. courts accept digital evidence as physical be used as evidence.
evidence, which means digital data is treated as
a tangible object, such as a weapon, paper Collect, preserve, and document evidence.
document, or visible injury, that’s related to a
criminal or civil incident. Analyze, identify, and organize evidence.
 In addition, ISO standard 27037 gives guidance Rebuild evidence or repeat a situation to verify
on what procedures countries should have in that the results can be reproduced reliably.
place for digital evidence. However, each
country has its own interpretation of what can or
can’t be presented in court or accepted as
evidence.

CSSY4104/ITSY402 4
 Identifying Digital Evidence

 Collecting digital devices while processing a crime or incident generated from a computer process or algorithm, not usually
scene must be done systematically. To minimize confusion, data a person creates. Computer-stored records, however, are
reduce the risk of losing evidence, and avoid damaging electronic data that a person creates and saves on a computer or
evidence, only one team should collect and catalog digital digital device, such as a spreadsheet or word processing
evidence at a crime scene or lab, if practical. document. Some records combine computer-generated and
computer-stored evidence, such as a spreadsheet containing
 If there’s too much evidence or too many systems to make it mathematical operations (computer-generated records)
practical for one team to perform these tasks, all examiners generated from a person’s input (computer-stored records).
must follow the same established operating procedures, and a
lead or managing examiner should control collecting and
cataloging evidence. You should also use standardized forms for
tracking evidence to ensure that you consistently handle
evidence in a safe, secure manner.

 One way of categorizing digital records is by dividing them into
computer-generated records and computer-stored records.
Computer-generated records are data the system maintains,
such as system log files and proxy server logs. They are output

CSSY4104/ITSY402 5
 Identifying Digital Evidence
 Collecting evidence according to approved steps of evidence  One test to prove that computer-stored records are authentic is
control helps ensure that the computer evidence is authentic, as to demonstrate that a specific person created the records.
does using established forensics software tools. Establishing who created digital evidence can be difficult,
however, because records recovered from slack space or
 Courts have consistently ruled that forensics investigators don’t unallocated disk space usually don’t identify the author. The
have to be subject matter experts on the tools they use. same is true for other records, such as anonymous e-mails or
text messages. To establish authorship of digital evidence in
these cases, attorneys can use circumstantial evidence, which
 When attorneys challenge digital evidence, often they raise the requires finding other clues associated with the suspect’s
issue of whether computer-generated records were altered or computer or location.
damaged after they were created.

 Attorneys might also question the authenticity of computer-
generated records by challenging the program that created
them.

 To date, courts have been skeptical of unsupported claims about
digital evidence. Asserting that the data changed without
specific evidence isn’t sufficient grounds to discredit the digital
evidence’s authenticity. Most federal courts that evaluate digital
evidence from computer-generated records assume that the
records contain hearsay. Courts then apply the business-records
exception to hearsay as it relates to digital evidence.

CSSY4104/ITSY402 6
 Collecting Evidence in Computer Incident Scenes

 Private-sector organizations include small to investigated. Everything from the computers
medium businesses, large corporations, and non- used to violate a company policy to the
government organizations (NGOs), which might surrounding facility is under a controlled
get funding from the government or other authority—that is, company management.
agencies. Typically, businesses have inventory databases
of computer hardware and software. Having
 ISPs and other communication companies make access to these databases and knowing what
up a special category of private sector applications are on suspected computers help
businesses. ISPs can investigate computer abuse identify the forensics tools needed to analyze a
committed by their employees but not by policy violation and the best way to conduct the
customers. They must preserve customer analysis.
privacy, especially when dealing with e-mail.

 Investigating and controlling computer incident
scenes in private-sector environments is much
easier than in crime scenes. In the private
sector, the incident scene is often a workplace,
such as a contained office or manufacturing
area, where a policy violation is being

CSSY4104/ITSY402 7
 Collecting Evidence in Computer Incident Scenes

 To investigate employees suspected of improper  A well-defined company policy, therefore, should
use of company digital assets, a company policy state that an employer has the right to examine,
statement about misuse of digital assets allows inspect, or access any company-owned digital
private-sector investigators to conduct covert assets. If a company issues a policy statement to
surveillance with little or no cause and access all employees, the employer can investigate
company computer systems and digital devices digital assets at will without any privacy right
without a warrant, which is an advantage. restrictions.

 However, if a company doesn’t display a warning
banner or publish a policy stating that it reserves
the right to inspect digital assets at will,
employees have an expectation of privacy.

 When an employee is being investigated, this
expected privacy prevents the employer from
legally conducting an intrusive investigation.

CSSY4104/ITSY402 8
 Processing Law Enforcement in Crime Scenes

 To process a crime scene correctly, you must be evidence, making your warrant as specific as
familiar with criminal rules of search and seizure. possible to avoid challenges from defense
You should also understand how a search attorneys is a good practice.
warrant works and what to do when you process
one.  A well-defined company policy, therefore, should
state that an employer has the right to examine,
 A law enforcement officer can search for and inspect, or access any company-owned digital
seize criminal evidence only with probable assets. If a company issues a policy statement to
cause. Probable cause is the standard specifying all employees, the employer can investigate
whether a police officer has the right to make an digital assets at will without any privacy right
arrest, conduct a personal or property search, or restrictions.
obtain a warrant for arrest. With probable cause,
a police officer can obtain a search warrant from
a judge to authorize a search and the seizure of
specific evidence related to the criminal
complaint.

 Although several court cases have allowed
latitude when searching and seizing digital

CSSY4104/ITSY402 9
Terms Used in Warrants

 Unrelated information (referred to as “innocent information”) is often included with the evidence you’re
trying to recover.
 When finding “commingled evidence,” judges often issue a limiting phrase to the warrant, which allows
the police to separate innocent information from evidence. The warrant must list which items can be
seized.
 When approaching or investigating a crime scene, you might find evidence related to the crime but not
in the location the warrant specifies. You might also find evidence of another unrelated crime. In these
situations, this evidence is subject to the “plain view doctrine.” The plain view doctrine states that objects
falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a
warrant and can be introduced into evidence. For the plain view doctrine to apply, three criteria must be
met:
The officer is where he or she has a legal right to be.
Ordinary senses must not be enhanced by advanced technology in any way, suchas with binoculars.
Any discovery must be by chance.

CSSY4104/ITSY402 10
Preparing for a Search

 Preparing for search and seizure of computers or digital devices is probably the most
important step in digital investigations. The better you prepare, the smoother your
investigation will be. The following are the steps for an evidence search:
1. Identifying the nature of the case
2. Identifying the type of OS or digital device
3. Determining whether you can seize computers and digital devices
4. Getting a detailed description of the location
5. Determining who is in charge
6. Determining the tools you need
7. Preparing the Investigation Team

CSSY4104/ITSY402 11
 Securing a Digital
Incident or Crime
Scene
 Investigators secure an incident or
crime scene to preserve the
evidence and to keep information
about the incident or crime
confidential. Information made public
could jeopardize the investigation.
 For major crime scenes, digital
investigators aren’t usually
responsible for defining a scene’s
security perimeter. These cases
involve other specialists and
detectives who are collecting
physical evidence and recording the
scene. For incidents involving mostly
computers, the computers can be a
crime scene within a crime scene or
a secondary crime scene, containing
evidence to be processed. The
evidence is in the computer, but the
courts consider it physical evidence.

CSSY4104/ITSY402 12
 Securing a Digital
Incident or Crime
Scene

 Evidence is commonly lost or
corrupted because of
professional curiosity, which
involves the presence of police
officers and other professionals
who aren’t part of the crime
scene–processing team. They
just have a compelling interest
in seeing what happened, but
their presence could
contaminate the scene directly
or indirectly. Keep in mind that
even those authorized and
trained to search crime scenes
can alter the scene or evidence
inadvertently.
 Remember that professional
curiosity can corrupt and
CSSY4104/ITSY402 13
 Seizing Digital
Evidence at the
Scene
 With proper search warrants,
law enforcement can seize
all digital systems and
peripherals.
 In private-sector
investigations, you might
have similar authority;
however, you might have
the authority only to make
an image of the suspect’s
drive.
 Depending on company
policies, private-sector
investigators rarely have the
authority to seize all
computers and peripherals.

CSSY4104/ITSY402 14
Preparing to Acquire Digital Evidence
 The evidence you acquire at the scene depends on the nature of the case and the
alleged crime or violation. For a criminal case involving a drug dealer’s computer,
for example, you need to take the entire computer along with any peripherals and
media in the area, including smartphones, USB devices, CDs/DVDs, printers,
cameras, and scanners. You might also need to seize smart TVs, gaming systems,
and other devices attached to the network. Seizing peripherals and other media
ensures that you leave no necessary system components behind, but predicting
what components might be critical to the system’s operation is often difficult. On
the other hand, if you’reninvestigating employee misconduct, you might need only
a few specific items.

CSSY4104/ITSY402 15
Preparing to Acquire Digital evidence
 Before you collect digital evidence, ask your supervisor or senior forensics
examiner in the organization the following questions:
Do you need to take the entire computer and all peripherals and media in the
immediate area? How are you going to protect the computer and media while
transporting them to your lab? This precaution includes blocking devices from
accessing wireless networks while in transport.
Is the computer powered on when you arrive? (This question is discussed in more
detail later in “Processing Incident or Crime Scenes.”)
Is the suspect you’re investigating in the immediate area of the computer? Is it
possible the suspect damaged or destroyed the computer, peripherals, or media?
Will you have to separate the suspect from the computer?

CSSY4104/ITSY402 16
Processing Incidents or Crime Scenes
 Keep a journal to document your activities. Include the date and time you arrive on the scene, the people you encounter, and notes on every important
task you perform. Update the journal as you process the scene.

 To secure the scene, use whatever is practical to make sure only authorized people can access the area.

 Take video and still recordings of the area around the computer or digital device. Start by recording the overall scene, and then record details with
close-up shots, including the back of all computers.

 When you finish videotaping or photographing the scene, sketch the incident or crime scene. This sketch is usually a rough draft with notes on objects’
dimensions and distances between fixed objects.

 Because digital data is volatile, check the state of each computer or device at the scene as soon as possible. Determine whether the computer is
powered on or off or in hibernation or sleep mode. If it’s off, leave it off.

 As a general rule, don’t cut electrical power to a running system unless it’s an older Windows or MS-DOS system.

 If you’re working on a network or Internet investigation and the computer is on, save data in any current applications as safely as possible and record all
active windows or shell sessions.

 As you’re copying data on a live suspect computer, make notes in your journal about everything you do so that you can explain your actions in your
formal report to prosecutors and other attorneys.

 If you can’t save an open application to external media, save it to the suspect drive with a new filename. Changing the filename avoids overwriting an
existing file that might not have been updated already.

 If the nature of the case doesn’t permit you to seize the computer or digital device, create an image of the hard drive.

CSSY4104/ITSY402 17
Documenting Evidence in the Lab
 After you collect digital evidence at the scene, you transport it to a forensics lab,
which should be a controlled environment that ensures the security and integrity of
digital evidence. In any investigative work, be sure to record your activities and
findings as you work. To do so, you can maintain a journal to record the steps you
take as you process evidence.

CSSY4104/ITSY402 18
Handling Digital Evidence
 Copy all image files to a terabyte drive or a storage area network (SAN). Most
forensics labs have several machines set up with disk-imaging software and
multiple hard drives that can be exchanged as needed for your cases. You can use
these resources to copy image files to large drives. Some might be equipped with
large network storage devices for ongoing cases.
Start your forensics tool to access and open the image files.
Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash.
Later in “Obtaining a Digital Hash,” you learn how to compare MD5 or SHA-1 hashes
to make sure the evidence hasn’t changed.
When you finish copying image files to a larger drive, secure the original media in
an evidence locker. Don’t work with the original media; it should be stored in a
locker that has an evidence custody form. Be sure to fill out the form and date it.

CSSY4104/ITSY402 19
Storing Digital Evidence
 With digital evidence, you need to consider how and on what type of media to
save it and what type of storage device is recommended to secure it. The choice of
media for storing digital evidence usually depends on how long you need to keep it.
If you investigate criminal matters, store the evidence as long as you can. The ideal
storage media for digital data used to be CDs and DVDs. (CDs from the 1980s could
last up to 5 years. The expected lifespan of CDs and DVDs is now 2 to 5 years.) The
optimum choice now is solid-state USB drives. Although they’re more expensive
than CDs and DVDs, they’re more durable.
 You can also use magnetic tape to preserve evidence data. The 4-mm DAT
magnetic tapes store from 40 to 72 GB or more of data, but they’re slow at reading
and writing data. If you’re using these tapes, test stored data by copying the
contents from the tape back to a disk drive. Then verify that the data is good by
examining it with forensics tools or doing an MD5 hash comparison of the original
data and the newly restored data.

CSSY4104/ITSY402 20
Module Progress

Lesson 1. Rules for controlling digital evidence

Lesson 2. Preparing for a search

Lesson 3. Steps for an evidence search

Lesson 4. Securing digital evidence

Lesson 5. Seizing and storing digital
evidence

CSSY4104/ITSY402 21
Course Progress

Lesson 1. Understanding Digital Forensics

Lesson 2. Processing Crimes and Incident
Scenes

Lesson 3. Windows Forensics

Lesson 4. Recovering Graphic Files

Lesson 5. Network Forensics

CSSY4104/ITSY402 22
Thank You for Listening!
Next up… Module 3 – Windows Forensics