Processing Crimes & Incident Scenes PDF

Summary

This document provides an overview of procedures for processing crimes and incidents, focusing on digital evidence handling and collection methods. It outlines the importance of evidence preservation, digital forensics, and associated legal aspects.

Full Transcript


Slide 1: Processing Crimes & Incident Scenes (CSSY4104/ITSY402, Module 2)

Slide 2: Module 2 Outline
Lesson 1. Explain the rules for controlling digital evidence
Lesson 2. Preparing for a Search: Describe how to collect evidence
Lesson 3. List the steps for an evidence search
Lesson 4. Securing a computer incident or crime scene
Lesson 5. Seizing and storing digital evidence

Slide 3: First Lesson
We will cover these skills:
- Discipline knowledge and skills
- Digital and technical competency
Learning Outcome:
- Develop the ability to perform essential forensic data acquisition and analysis

Slide 4: Identifying Digital Evidence
- Digital evidence can be any information stored or transmitted in digital form. Because you can't see or touch digital data directly, it's difficult to explain and describe. Is digital evidence real or virtual?
- U.S. courts accept digital evidence as physical evidence, which means digital data is treated as a tangible object, such as a weapon, paper document, or visible injury, that's related to a criminal or civil incident.
- In addition, ISO standard 27037 gives guidance on what procedures countries should have in place for digital evidence. However, each country has its own interpretation of what can or can't be presented in court or accepted as evidence.
Following are the general tasks investigators perform when working with digital evidence:
- Identify digital information or artifacts that can be used as evidence.
- Collect, preserve, and document evidence.
- Analyze, identify, and organize evidence.
- Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.

Slide 5: Identifying Digital Evidence
- Collecting digital devices while processing a crime or incident scene must be done systematically. To minimize confusion, reduce the risk of losing evidence, and avoid damaging evidence, only one team should collect and catalog digital evidence at a crime scene or lab, if practical.
- If there's too much evidence or too many systems to make it practical for one team to perform these tasks, all examiners must follow the same established operating procedures, and a lead or managing examiner should control collecting and cataloging evidence. You should also use standardized forms for tracking evidence to ensure that you consistently handle evidence in a safe, secure manner.
- One way of categorizing digital records is by dividing them into computer-generated records and computer-stored records. Computer-generated records are data the system maintains, such as system log files and proxy server logs. They are output generated from a computer process or algorithm, not usually data a person creates. Computer-stored records, however, are electronic data that a person creates and saves on a computer or digital device, such as a spreadsheet or word processing document. Some records combine computer-generated and computer-stored evidence, such as a spreadsheet containing mathematical operations (computer-generated records) generated from a person's input (computer-stored records).

Slide 6: Identifying Digital Evidence
- Collecting evidence according to approved steps of evidence control helps ensure that the computer evidence is authentic, as does using established forensics software tools.
- Courts have consistently ruled that forensics investigators don't have to be subject matter experts on the tools they use.
- One test to prove that computer-stored records are authentic is to demonstrate that a specific person created the records. Establishing who created digital evidence can be difficult, however, because records recovered from slack space or unallocated disk space usually don't identify the author. The same is true for other records, such as anonymous e-mails or text messages. To establish authorship of digital evidence in these cases, attorneys can use circumstantial evidence, which requires finding other clues associated with the suspect's computer or location.
- When attorneys challenge digital evidence, often they raise the issue of whether computer-generated records were altered or damaged after they were created.
- Attorneys might also question the authenticity of computer-generated records by challenging the program that created them.
- To date, courts have been skeptical of unsupported claims about digital evidence. Asserting that the data changed without specific evidence isn't sufficient grounds to discredit the digital evidence's authenticity. Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain hearsay. Courts then apply the business-records exception to hearsay as it relates to digital evidence.

Slide 7: Collecting Evidence in Computer Incident Scenes
- Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which might get funding from the government or other agencies.
- ISPs and other communication companies make up a special category of private-sector businesses. ISPs can investigate computer abuse committed by their employees but not by customers. They must preserve customer privacy, especially when dealing with e-mail.
- Investigating and controlling computer incident scenes in private-sector environments is much easier than in crime scenes. In the private sector, the incident scene is often a workplace, such as a contained office or manufacturing area, where a policy violation is being investigated. Everything from the computers used to violate a company policy to the surrounding facility is under a controlled authority, that is, company management. Typically, businesses have inventory databases of computer hardware and software. Having access to these databases and knowing what applications are on suspected computers help identify the forensics tools needed to analyze a policy violation and the best way to conduct the analysis.

Slide 8: Collecting Evidence in Computer Incident Scenes
- To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows private-sector investigators to conduct covert surveillance with little or no cause and access company computer systems and digital devices without a warrant, which is an advantage.
- However, if a company doesn't display a warning banner or publish a policy stating that it reserves the right to inspect digital assets at will, employees have an expectation of privacy.
- When an employee is being investigated, this expected privacy prevents the employer from legally conducting an intrusive investigation.
- A well-defined company policy, therefore, should state that an employer has the right to examine, inspect, or access any company-owned digital assets. If a company issues a policy statement to all employees, the employer can investigate digital assets at will without any privacy right restrictions.

Slide 9: Processing Law Enforcement in Crime Scenes
- To process a crime scene correctly, you must be familiar with criminal rules of search and seizure. You should also understand how a search warrant works and what to do when you process one.
- A law enforcement officer can search for and seize criminal evidence only with probable cause. Probable cause is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest. With probable cause, a police officer can obtain a search warrant from a judge to authorize a search and the seizure of specific evidence related to the criminal complaint.
- Although several court cases have allowed latitude when searching and seizing digital evidence, making your warrant as specific as possible to avoid challenges from defense attorneys is a good practice.

Slide 10: Terms Used in Warrants
- Unrelated information (referred to as "innocent information") is often included with the evidence you're trying to recover.
- When finding "commingled evidence," judges often issue a limiting phrase to the warrant, which allows the police to separate innocent information from evidence. The warrant must list which items can be seized.
- When approaching or investigating a crime scene, you might find evidence related to the crime but not in the location the warrant specifies. You might also find evidence of another unrelated crime. In these situations, this evidence is subject to the "plain view doctrine." The plain view doctrine states that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence. For the plain view doctrine to apply, three criteria must be met:
  1. The officer is where he or she has a legal right to be.
  2. Ordinary senses must not be enhanced by advanced technology in any way, such as with binoculars.
  3. Any discovery must be by chance.

Slide 11: Preparing for a Search
- Preparing for search and seizure of computers or digital devices is probably the most important step in digital investigations. The better you prepare, the smoother your investigation will be. The following are the steps for an evidence search:
  1. Identifying the nature of the case
  2. Identifying the type of OS or digital device
  3. Determining whether you can seize computers and digital devices
  4. Getting a detailed description of the location
  5. Determining who is in charge
  6. Determining the tools you need
  7. Preparing the investigation team

Slide 12: Securing a Digital Incident or Crime Scene
- Investigators secure an incident or crime scene to preserve the evidence and to keep information about the incident or crime confidential. Information made public could jeopardize the investigation.
- For major crime scenes, digital investigators aren't usually responsible for defining a scene's security perimeter. These cases involve other specialists and detectives who are collecting physical evidence and recording the scene. For incidents involving mostly computers, the computers can be a crime scene within a crime scene or a secondary crime scene, containing evidence to be processed. The evidence is in the computer, but the courts consider it physical evidence.

Slide 13: Securing a Digital Incident or Crime Scene
- Evidence is commonly lost or corrupted because of professional curiosity, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team. They just have a compelling interest in seeing what happened, but their presence could contaminate the scene directly or indirectly. Keep in mind that even those authorized and trained to search crime scenes can alter the scene or evidence inadvertently.
- Remember that professional curiosity can corrupt and

Slide 14: Seizing Digital Evidence at the Scene
- With proper search warrants, law enforcement can seize all digital systems and peripherals.
- In private-sector investigations, you might have similar authority; however, you might have the authority only to make an image of the suspect's drive.
- Depending on company policies, private-sector investigators rarely have the authority to seize all computers and peripherals.

Slide 15: Preparing to Acquire Digital Evidence
- The evidence you acquire at the scene depends on the nature of the case and the alleged crime or violation. For a criminal case involving a drug dealer's computer, for example, you need to take the entire computer along with any peripherals and media in the area, including smartphones, USB devices, CDs/DVDs, printers, cameras, and scanners. You might also need to seize smart TVs, gaming systems, and other devices attached to the network. Seizing peripherals and other media ensures that you leave no necessary system components behind, but predicting what components might be critical to the system's operation is often difficult. On the other hand, if you're investigating employee misconduct, you might need only a few specific items.

Slide 16: Preparing to Acquire Digital Evidence
- Before you collect digital evidence, ask your supervisor or senior forensics examiner in the organization the following questions:
  - Do you need to take the entire computer and all peripherals and media in the immediate area?
  - How are you going to protect the computer and media while transporting them to your lab? This precaution includes blocking devices from accessing wireless networks while in transport.
  - Is the computer powered on when you arrive? (This question is discussed in more detail later in "Processing Incident or Crime Scenes.")
  - Is the suspect you're investigating in the immediate area of the computer?
  - Is it possible the suspect damaged or destroyed the computer, peripherals, or media?
  - Will you have to separate the suspect from the computer?

Slide 17: Processing Incidents or Crime Scenes
- Keep a journal to document your activities. Include the date and time you arrive on the scene, the people you encounter, and notes on every important task you perform. Update the journal as you process the scene.
- To secure the scene, use whatever is practical to make sure only authorized people can access the area.
- Take video and still recordings of the area around the computer or digital device. Start by recording the overall scene, and then record details with close-up shots, including the back of all computers.
- When you finish videotaping or photographing the scene, sketch the incident or crime scene. This sketch is usually a rough draft with notes on objects' dimensions and distances between fixed objects.
- Because digital data is volatile, check the state of each computer or device at the scene as soon as possible. Determine whether the computer is powered on or off or in hibernation or sleep mode. If it's off, leave it off.
- As a general rule, don't cut electrical power to a running system unless it's an older Windows or MS-DOS system.
- If you're working on a network or Internet investigation and the computer is on, save data in any current applications as safely as possible and record all active windows or shell sessions.
- As you're copying data on a live suspect computer, make notes in your journal about everything you do so that you can explain your actions in your formal report to prosecutors and other attorneys.
- If you can't save an open application to external media, save it to the suspect drive with a new filename. Changing the filename avoids overwriting an existing file that might not have been updated already.
- If the nature of the case doesn't permit you to seize the computer or digital device, create an image of the hard drive.

Slide 18: Documenting Evidence in the Lab
- After you collect digital evidence at the scene, you transport it to a forensics lab, which should be a controlled environment that ensures the security and integrity of digital evidence. In any investigative work, be sure to record your activities and findings as you work. To do so, you can maintain a journal to record the steps you take as you process evidence.

Slide 19: Handling Digital Evidence
- Copy all image files to a terabyte drive or a storage area network (SAN). Most forensics labs have several machines set up with disk-imaging software and multiple hard drives that can be exchanged as needed for your cases. You can use these resources to copy image files to large drives. Some might be equipped with large network storage devices for ongoing cases.
- Start your forensics tool to access and open the image files.
- Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash. Later in "Obtaining a Digital Hash," you learn how to compare MD5 or SHA-1 hashes to make sure the evidence hasn't changed.
- When you finish copying image files to a larger drive, secure the original media in an evidence locker. Don't work with the original media; it should be stored in a locker that has an evidence custody form. Be sure to fill out the form and date it.

Slide 20: Storing Digital Evidence
- With digital evidence, you need to consider how and on what type of media to save it and what type of storage device is recommended to secure it. The choice of media for storing digital evidence usually depends on how long you need to keep it. If you investigate criminal matters, store the evidence as long as you can. The ideal storage media for digital data used to be CDs and DVDs. (CDs from the 1980s could last up to 5 years. The expected lifespan of CDs and DVDs is now 2 to 5 years.) The optimum choice now is solid-state USB drives. Although they're more expensive than CDs and DVDs, they're more durable.
- You can also use magnetic tape to preserve evidence data. The 4-mm DAT magnetic tapes store from 40 to 72 GB or more of data, but they're slow at reading and writing data. If you're using these tapes, test stored data by copying the contents from the tape back to a disk drive. Then verify that the data is good by examining it with forensics tools or doing an MD5 hash comparison of the original data and the newly restored data.

Slide 21: Module Progress
Lesson 1. Rules for controlling digital evidence
Lesson 2. Preparing for a search
Lesson 3. Steps for an evidence search
Lesson 4. Securing digital evidence
Lesson 5. Seizing and storing digital evidence

Slide 22: Course Progress
Lesson 1. Understanding Digital Forensics
Lesson 2. Processing Crimes and Incident Scenes
Lesson 3. Windows Forensics
Lesson 4. Recovering Graphic Files
Lesson 5. Network Forensics

Slide 23: Thank You for Listening!
Next up… Module 3: Windows Forensics
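The digest check described in "Handling Digital Evidence" and "Storing Digital Evidence" above, as an added example that is not part of the course slides: it hashes an image file with MD5 and SHA-1 in chunks, records the digests in a timestamped custody journal with the examiner's name, and re-verifies a working copy (or data restored from tape) against the recorded values so that any change is detected. The file names, examiner label and sample bytes are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read images in 1 MiB pieces so multi-GB files fit in memory


def image_hashes(path):
    """Return {'md5': ..., 'sha1': ...} hex digests of the file at path."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def journal_entry(action, path, examiner, **extra):
    """Build one timestamped custody-journal line (who did what to which file, when)."""
    return {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "file": str(path),
        "examiner": examiner,
        **extra,
    }


def record_acquisition(path, examiner, journal):
    """Hash a newly acquired image and append the digests to the custody journal."""
    entry = journal_entry("acquire", path, examiner, **image_hashes(path))
    journal.append(entry)
    return entry


def verify_copy(copy_path, acquisition_entry, examiner, journal):
    """Re-hash a working copy (or tape-restored data) against the recorded digests.
    Returns True only if both MD5 and SHA-1 match; the outcome is journaled either way."""
    current = image_hashes(copy_path)
    ok = all(current[h] == acquisition_entry[h] for h in ("md5", "sha1"))
    journal.append(journal_entry("verify", copy_path, examiner, match=ok, **current))
    return ok


def write_sample_image(path, data=b"abc"):
    """Write a constructed stand-in for a drive image (test data, not real evidence)."""
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    journal = []
    acq = record_acquisition(write_sample_image("evidence_001.dd"), "examiner-01", journal)
    copy = write_sample_image("evidence_001_copy.dd")             # faithful copy
    tampered = write_sample_image("evidence_001_bad.dd", b"abd")  # one byte changed
    print(verify_copy(copy, acq, "examiner-01", journal))         # True
    print(verify_copy(tampered, acq, "examiner-01", journal))     # False
```

MD5 and SHA-1 are the algorithms the slides name; both have known collision attacks, so labs commonly record a SHA-256 digest alongside them.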
