EEL4802 MODULE 1.pdf

Full Transcript

Introduction to Forensic Science
and the Scientific Method
EEL4802 - Introduction to Digital Forensics
Introduction of Instructor
Instructor name: Matt Ruddell
Background: Trainer III at the National
Forensic Science Technology Center a
program at FIU
Previously served as a Senior Crime Lab
Analyst for the Florida Department of Law
Enforcement in the Digital Evidence section

Primary contact through Canvas Email
Secondary contact [email protected]
Introduction
What is this course
about?
Forensic Science in
general
Digital Forensics
What is involved in
being a Forensic
Analyst
Finding artifacts and
evidence on digital
media
Forensic Science
What is the definition of “forensic”?
The application of science and scientific principles to matters of the law.

Two keywords in that definition -
Forensic Disciplines
Almost any science, that can be applied to matters of the law can be
considered forensic.

Crime Scene Biometric databases
DNA Drug Chemistry
DNA Database Toxicology
Questioned Documents Digital
Firearms (Ballistics) Fire and explosive
Latent Prints analysis
Forensic Disciplines
Some are less common, and their validity as a forensic science is not
universally recognized.

Engineering Shoe and Tire
Entomology Gunshot residue
Psychology Trace Analysis
Anthropology
Odontology
Scientific Method
The scientific method, framework
developed by Aristotle, involves:

1. Making observations
2. Developing a question.
3. Making conjectures (hypotheses) and
predictions
Scientific Method
4. Developing and performing
experiments to test those
hypotheses/predictions.
5. Making observations
(results).
6. Validating or revamping
those predictions or
hypotheses based on the
observations (analysis).
Where are the jobs?
Where is forensics done?
Almost anywhere.

Law Enforcement
Local, State and Federal
Other Government Agencies
Not necessarily Law Enforcement
SEC, HHS, FCC, Military, etc
Private Practice
Civil matters, incident response (digital)
International Organizations
Human rights violations, war crimes, etc
Who does the forensics?
Sworn law enforcement officers/first responders
In the field triage and/or collection
Crime scene technicians
Specially trained to identify and collect evidence
Forensic scientists
Typically lab based analysis of evidence
 Brief History of Forensics
The foundations of forensic science has been around for a long time.
The ancient Chinese used fingerprints to identify business documents.
In 1835, Scotland Yard's Henry Goddard became the first person to use
physical analysis to connect a bullet to the murder weapon.
In 1836, a Scottish chemist named James Marsh developed a chemical test to
detect arsenic, which was used during a murder trial. First use in a court of
law.

http://science.howstuffworks.com/forensic-lab-technique1.htm KURT HUTTON/PICTURE POST/GETTY IMAGES
Brief History of Forensics
The foundations of forensic science has been around for a long time.
In 1892, Sir Francis Galton established the first system for classifying
fingerprints.
Independently Sir Edward Henry, Commissioner of the Metropolitan Police of
London, developed his own system in 1896 based on the direction, flow,
pattern and other characteristics in fingerprints.

http://science.howstuffworks.com/forensic-lab-technique1.htm
Brief History of Forensics
The foundations of forensic science has been around for a long time.
Bullet examination became more precise in the 1920s, when American
physician Calvin Goddard created the comparison microscope.
August Vollmer, chief of the Los Angeles Police, established the first American
police crime laboratory in 1924.
In 1930, scientist Karl Landsteiner won the Nobel Prize for classifying human
blood into its various groups which lead to the use of blood type evidence in
court.
FBI lab set up in 1932.

http://science.howstuffworks.com/forensic-lab-technique1.htm
Brief History of Forensics
The foundations of forensic science has been around for a long time.
In the 1970s, a team of scientists at the Aerospace Corporation in California
developed a method for detecting gunshot residue using scanning electron
microscopes.
1977 Personal Computers became more mainstream with the mass market
release of three computers for home users including the Apple II
1981 the IBM PC was released
Brief History of Digital Forensics
What about Digital?

Digital forensics is still in the early stages of development respective
to the other disciplines.
1978 Florida Computer Crimes Act – Unauthorized modification or deletion of
data on a computer system
Canada passed legislation in 1983
1984 FBI Computer Analysis and Response Team (CART) established
US Federal Computer Fraud and Abuse Act in 1986
Brief History of Digital Forensics
In his 1995 book, "High-Technology Crime: Investigating Cases Involving
Computers", K Rosenblatt wrote:

“Seizing, preserving, and analyzing evidence stored on a
computer is the greatest forensic challenge facing law
enforcement in the 1990s. Although most forensic tests, such as
fingerprinting and DNA testing, are performed by specially
trained experts the task of collecting and analyzing computer
evidence is often assigned to patrol officers and detectives.”
Brief History of Digital Forensics
Courts and legislative bodies are still trying to catch up.
Court rules against man who was forced to fingerprint-unlock his phone - Unlocking a phone
like this "is no more testimonial than furnishing a blood sample.
https://arstechnica.com/tech-policy/2017/01/court-rules-against-man-who-was-forced-to-
fingerprint-unlock-his-phone/
Miami sextortion case asks if a suspect can be forced to decrypt an iPhone - Does the Fifth
Amendment mean you don't have to hand over your password?
https://arstechnica.com/tech-policy/2017/04/miami-sextortion-case-asks-if-a-suspect-be-forced-
to-decrypt-an-iphone/
Man jailed indefinitely for refusing to decrypt hard drives loses appeal
https://arstechnica.com/tech-policy/2017/03/man-jailed-indefinitely-for-refusing-to-decrypt-hard-
drives-loses-appeal/
Brief History of Digital Forensics
Courts and legislative bodies are still trying to catch up.
Judge: Fifth Amendment doesn’t protect encrypted hard drives
https://arstechnica.com/tech-policy/2012/01/judge-fifth-amendment-doesnt-protect-encrypted-
hard-drives/
Appeals court: Fifth Amendment protections can apply to encrypted hard drives
https://arstechnica.com/tech-policy/2012/02/appeals-court-fifth-amendment-protections-can-
apply-to-encrypted-hard-drives/
Brief History of Digital Forensics
Courts and legislative bodies are still trying to catch up.
“Get a warrant”—Florida appeals court admonishes cops in two murder cases - Fourth
District appeals court rules unanimously in suspects' favor.
https://arstechnica.com/tech-policy/2018/09/get-a-warrant-florida-appeals-court-
admonishes-cops-in-two-murder-cases/
License plate reader error leads to traffic stop at gunpoint, court case- Flagged vehicle did not
even match the model of what the woman was driving.
https://arstechnica.com/tech-policy/2014/05/after-being-held-at-gunpoint-due-to-lpr-
error-woman-gets-day-in-court/
Locard’s Exchange Principle
Locard’s Exchange Principle
Paul L. Kirk expressed the principle as follows:
"Wherever he steps, whatever he touches, whatever he
leaves, even unconsciously, will serve as a silent witness
against him. Not only his fingerprints or his footprints, but
his hair, the fibers from his clothes, the glass he breaks, the
tool mark he leaves, the paint he scratches, the blood or
semen he deposits or collects. All of these and more, bear
mute witness against him. This is evidence that does not
forget. It is not confused by the excitement of the moment.
It is not absent because human witnesses are. It is factual
evidence. Physical evidence cannot be wrong, it cannot
perjure itself, it cannot be wholly absent. Only human
failure to find it, study and understand it, can diminish its
value."
Locard’s Exchange Principle
Questions we need to ask ourselves:

How does this principle apply to Digital Forensics?

Does it even apply?

Is Digital Evidence the same as Physical Evidence?
What does it take to be a forensic analyst?
Technical Ability
Training and Education

Personal Attributes
Attention to Detail
Organization
Respect for the Process
Ability to be unbiased
Integrity
Battling the CSI effect
The CSI effect – unrealistic expectation of the capabilities, timelines,
and general glamorousness of forensic science.

Juries
…and Judges
Customers
Lawyers
Cops
Overlords
Public at large
End
Questions?
Digital Forensic Science
EEL4802 - Introduction to Digital Forensics
What is Digital Forensics?
According to Wikipedia:

Digital forensics (sometimes known as digital forensic science) is a branch of
forensic science encompassing the recovery and investigation of material
found in digital devices, often in relation to computer crime.
The Science part is important
In order for our
findings to be
admissible in a court
of law – we must meet
certain standards

Standards which
include following the
scientific method
Quick recap on the Scientific Method
1. Making observations
2. Developing a question.
3. Making conjectures
(hypotheses) and predictions
4. Developing and performing
experiments to test those
hypotheses/predictions.
5. Making observations
(results/analysis).
6. Validating or revamping
those predictions or
hypotheses based on the
observations
(analysis/conclusion). Note – This graphic includes an additional step
“Conclusion” which may be considered part of
“Analysis” by some
Digital Forensic Science Method
1. Observe – there was an incident (crime or otherwise)
2. Questions – How did this happen? Who did it? When was this file
created? Etc.
3. Hypothesis – this is what we think happened
4. Test – what happens when I do this? What artifacts get left behind?
5. Results – this is what happened on my test device
6. Analysis - do I see the same thing on my suspect device?
7. Conclusion – do I need to do more testing?
Digital Forensics – the search for Digital
Evidence

What is Digital Forensics all about?
My answer: The analysis of digital media for the presence or absence of
digital evidence – data that is useful to an investigation (criminal or civil) -
the extraction and preservation of that data, and the presentation of that
data in a readable format.
Digital Crime Scene
Crime scene analysts are trained to:
1. respond to a physical location where a crime was possibly committed
2. secure the scene to prevent changes
3. thoroughly document the scene
4. methodically search the scene to locate evidence of potential value
5. secure and collect physical evidence that may be relevant to the case
Digital Crime Scene
Digital Forensic analysts are trained to:
1. respond to a digital location where a crime was possibly committed
2. secure the data to prevent changes
3. thoroughly document the data
4. methodically search the data to locate evidence of potential value
5. secure and extract data that may be relevant to the case
Digital Forensics
What makes digital forensics unique in the world of forensics?

Investigations try to answers the five W’s & H
Digital Forensics
DNA and finger prints can tell you who was there

Chemistry, Toxicology, fire debris analysis can tell you what a substance is

Crime Scene can tell you where and with the help of medical examiners, when
Digital Forensics
Digital can tell you why
What was someone thinking?

What was their state of mind?

Is there any evidence this was
premeditated?
Where is Digital Evidence?
Computers & Laptops
Tablets, Netbooks, & eReaders
Cell Phones & Smartphones
iPods and MP3 players
Gaming systems
Flash media (thumb drives, memory
cards…)
DVRs
GPS devices
CDs/DVDs/Blu-ray Discs
Others?
What is Digital Evidence?
Any data stored in a digital format that can be used in a criminal
investigation
Digital evidence artifacts can include:
Chat/Email
Pictures/Video
Location Data
Documents, financial statements, etc
Web browsing history/searches
Peer-to-Peer/Download information
Etc.
Business and Personal Documents
Artifacts may include
personal documents:
Memos and Letters
Diaries
Picture Albums
Financial Data
Even if the investigation does not directly involve financial crimes,
financial information can be valuable
Investments and Stock Information
Bank Account Information
Tax Information
Business Invoices
Spreadsheets
Financial transactions
Contact and Schedule Information
Develop pattern of life or establish connections to individuals
Personal calendars
Contact lists
GPS

Maps
Travel Itinerary/ Reservations
Communications
Email, Chats, and Text Messages
Call History from Cell Phone
Many more…
Personality Profiles
Based on Internet Search History and/or documents found on the
device
Medical Conditions
Travel Interests
Fetishes
Technical Docs (Schematics, Chemicals, Blueprints, etc)
Contraband
Scanned Money
Checks and Signatures
Drivers Licenses/ID’s
Child Pornography
Computer Viruses
File Sharing
Peer-to-Peer (P2P)
Programs like, Frostwire, Shareaza, Ares, Kazaa, Bearshare,
µTorrent, Spiral Frog, Ares, eMule...
Torrents
Files are downloaded piecemeal from multiple sources instead of
just one source per file
Websites
Other ways to share files?
Cloud Storage
Digital Evidence, not stored on the device itself

Upload your data for storage on a provider’s servers, freeing up space on your
local drives and giving you access to your data from anywhere you have internet
access

What if the information is no longer on the device you are
examining?

Could it still be in the cloud?

How do we get it from the cloud provider?
Internet Service Provider or Website Host
What information might the ISP have about a particular device that
may be useful?

IP address
Email
Logs
Internet Service Provider or Website Host
What information might the host of a web server have?
Username or other information
IP address
Logs
Evolution of Digital Forensics
Changes in data storage/device media
Flash media, volatility

Decreasing size, increasing capabilities

A wireless world

More networking -> less privacy
Digital World Creates Challenges
Amount of data!
MB -> GB -> TB -> PB -> ????
Encryption
Getting better all the time
Rapidly changing technology
Makes it hard to keep up
Privacy concerns
Device manufacturers are
paying attention…
Remember we are Battling the CSI effect
The CSI effect – unrealistic expectation of the capabilities, timelines,
and general glamorousness of forensic science.

Especially true for Digital

We are not all hackers
We are not all programmers
Sometimes, the data just isn’t there
Digital Forensic Challenges
Unrealistic expectations.
Can you tell me who was behind the keyboard when this file was
downloaded?

I thought you guys could break any PIN lock.

What do you mean you can’t recover that file that was deleted a year ago?

Look for any illegal stuff.

Can you enhance this face so we can get an ID?
Digital is one Part of the Picture
Forensic scientist do not work in a vacuum

All disciplines and investigators must work together

Remember – Digital may not be the only kind of forensic evidence
found on a device
Latent Prints?
DNA?
Who processes it first?
End
Any questions?
Legal role of the Digital Forensic
Analyst
EEL4802 - Introduction to Digital Forensics
The Law
Forensic Analysts are not Lawyers!
Legal questions need to be answered by Lawyers.
However, we need to realize the end game of all our work is…

Testimony
in Court
Digital Forensics – the search for Digital
Evidence
Remember this slide?
What is Digital Forensics all about?
My answer: The analysis of digital media for the presence or absence of
digital evidence – data that is useful to an investigation (criminal or civil) -
the extraction and preservation of that data, and the presentation of that
data in a readable format.
Evidence?
What is “evidence?”
noun: evidence
1. the available body of facts or information indicating whether a belief or
proposition is true or valid.

In this sense, it is not really a legal term.
Evidence – in the eye of the beholder
What is “evidence?”
noun: evidence
1. the available body of facts or information indicating
whether a belief or proposition is true or valid.

1. Who determines what is considered evidence during the forensic
exam?

2. Who determines what is considered evidence during the
investigation?

3. Are there differences between these two?
Evidence in Court of Law
Who determines what is considered evidence in court?

Lawyers present it to the courts

The Judge decides if it is admissible
Rules of Evidence
Oh yes!
https://www.rulesofevidence.org/
Adopted by congress in 1975
(originated in 1972 by the Supreme
Courts)
Applies to US Federal Courts –
however…
Relevance, efficiency, reliability and
overall fairness of evidence
Digital Forensics / Investigation
Digital Forensic Analyst versus Criminal Investigator
Non-sworn versus sworn
Roles and responsibilities
Legal abilities
Science?
NAS Report
In August 2009 National Academy of Sciences
(NAS) issued a report

“Strengthening Forensic Science in the United
States: A Path Forward”

Many recommendations were made to remove
bias, improve scientific nature/study of forensics,
and to standardize forensics nationally
Recommendation #4
“To improve the scientific bases of forensic science examinations
and to maximize independence from or autonomy within the law
enforcement community, Congress should authorize and
appropriate incentive funds to the National Institute of Forensic
Science(NIFS) for allocation to state and local jurisdictions for the
purpose of removing all public forensic laboratories and facilities
from the administrative control of law enforcement agencies or
prosecutors’ offices.”

Strengthening Forensic Science in the United States: A Path Forward
http://www.nap.edu/catalog/12589.html pg 24
What does recommendation #4 mean?
The investigator should not be the
person conducting the forensics.

The person conducting the
forensics should not be under the
“administrative control” of the
person conducting the
investigation.

What problems could this cause?
Role of Law Enforcement
Access to contraband: Don’t really want this stuff to exist outside of
controlled environments
Scanned Money
Checks and Signatures
Drivers Licenses/ID’s
Child Pornography
Computer Viruses
Role of Law Enforcement
Who has the authority to serve search
warrants?

Who has the authority to issue
subpoenas?

It sure isn’t the lab geek (despite what
you see on TV)
Role of the Forensic Scientist
Expert Witness

The ultimate role of the forensic scientist, in any discipline, is to
testify in court – sometimes as an expert witness

What is an “expert?”
Expert Witness
Noun:
a person who is permitted
to testify at a trial because
of special knowledge or
proficiency in a particular
field that is relevant to the
case.

What does this mean?
Expert Witness
1. Training or experience
2. Makes the evidence more accessible or
understood by the trier of facts
3. Court may admit them as an expert witness.

Experts can give opinions and interpretations in
court.

Defined and Regulated under the Federal Rules of
Evidence Rule 702.
Voir Dire
Several definitions including:
Questions asked of potential Jurors to determine possible bias or conflicts

Series of questions asked by the attorneys to determine the qualifications
and competence of an expert witness

Any hearing outside the presence of the jury
Voir Dire
Series of questions asked by the attorneys to
determine the qualifications and competence of an
expert witness
Training and Experience
Formal Education
Testimony Experience
Have you ever been an expert before?
Scientific Evidence
The very nature of scientific evidence makes it difficult for judges and
juries to understand

Can’t be an expert in all things

Difficult to determine if someone is an expert or their science is valid
if you don’t understand it

What qualifies as “scientific evidence”
Frye Standard
Frye is based on a 1923 Federal Court of appeals
ruling involving the admissibility of polygraph
evidence

The Frye standard, Frye test, or general acceptance
test is a test to determine the admissibility of
scientific evidence. It provides that expert opinion
based on a scientific technique is admissible only
where the technique is generally accepted as
reliable in the relevant scientific community.

en.wikipedia.org/wiki/Frye_standard
Daubert Standard
Frye is fine, but then no new or novel science can be
admissible as it can not be regarded as “generally
accepted” in the scientific community

In the landmark Supreme court case Daubert v. Merrell
Dow Pharmaceuticals, in 1993 the court ruled that Rule
702 of the Federal Rules of Evidence did not incorporate
the Frye "general acceptance" test as a basis for assessing
the admissibility of scientific expert testimony.
Instead it ruled that the rule incorporated a flexible
reliability standard instead.
Daubert Standard
Guidelines for admitting scientific expert testimony:

Judge is gatekeeper: Under Rule 702, the task of "gatekeeping", or assuring
that scientific expert testimony truly proceeds from "scientific knowledge",
rests on the trial judge.

Relevance and reliability: This requires the trial judge to ensure that the
expert's testimony is "relevant to the task at hand" and that it rests "on a
reliable foundation".

http://en.wikipedia.org/wiki/Daubert_standard
Daubert Standard
Scientific knowledge = scientific method/methodology: A conclusion will qualify
as scientific knowledge if the proponent can demonstrate that it is the product of
sound "scientific methodology" derived from the scientific method.
Daubert Standard
Illustrative Factors: The Court defined
"scientific methodology" as the
process of formulating hypotheses and
then conducting experiments to prove
or falsify the hypothesis, and provided
a set of illustrative factors (i.e., not a
"test") in determining whether these
criteria are met:
Daubert Standard
“scientific methodology”

Whether the theory or technique employed by the expert is generally
accepted in the scientific community;
Whether it has been subjected to peer review and publication;
Whether it can be and has been tested;
Whether the known or potential rate of error is acceptable; and
Whether the research was conducted independent of the particular litigation
or dependent on an intention to provide the proposed testimony
Daubert versus Frye
Frye
Relies on the scientific community to determine what is “generally accepted”
science
Judges role as gatekeeper is limited – rely on the scientific community
Daubert
If a method is relevant, reliable and follows the rules of evidence it does not
have to be “generally accepted as reliable” to be admissible
Judges role as gatekeeper is much more liberal
Why do we have these standards?
Science is complicated, and
the courts need experts they
can rely on

Standard help to prevent -
Junk Science
Pseudoscience
Wrongful convictions
Wrongful exonerations
Unscrupulous “experts”
Why do we have these standards?
The court system places a lot
of trust in the forensic expert.

Judges and juries cannot be
experts in all the sciences
that go into Forensic analyses

The consequences of getting
it wrong are severe!
Trouble in Forensics
There have been lots of problems in the forensic science disciplines
over the past several years

Massachusetts Chemist charged in “dry-labbing” incident
http://cen.acs.org/articles/90/i41/Chemist-Charged-Crime-Lab-Scandal.html
North Carolina Lab agents “manipulated and withheld the results of
hundreds of tests…”
http://www.huffingtonpost.com/2012/05/14/north-carolina-state-bureau-of-
investigation-duane-deaver_n_1516328.html
Trouble in Forensics
FDLE chemist stole evidence
http://articles.orlandosentinel.com/2014-02-04/news/os-fdle-chemist-
arrested-20140204_1_criminal-cases-fdle-commissioner-gerald-bailey-
chemist
FBI overstates analysis value of hair and trace analysis
http://arstechnica.com/science/2015/04/the-science-and-lack-thereof-
behind-the-fbis-retreat-on-hair-analysis/
Expert witness falsifies credentials
http://www.fox13news.com/news/local-
news/expert-witness-accused-of-lying-about-
credentials
Legal Issues
As a newer forensic discipline, there is an ever shifting legal landscape
when it comes to digital.

Especially in regards to passwords:
https://arstechnica.com/tech-policy/2018/10/court-teens-driving-
killed-someone-but-he-cant-be-forced-to-give-up-passcode/

https://arstechnica.com/tech-policy/2017/05/judge-miami-reality-
tv-star-must-unlock-her-iphone-in-extortion-case/

https://arstechnica.com/tech-policy/2017/05/jail-looms-large-for-
suspects-ordered-to-reveal-forgotten-passwords/
Search Warrant issues
The Search Warrant gives law enforcement the authority to search
based on probable cause and signed off on by a judge

This is in place to protect citizens from unlawful search and seizure
(4th Amendment)
Search Warrant Issues
The Search Warrant often defines:
What items may be searched
Who may do the searching
Where the search is to take place
A general time frame in which the search must be conducted
Search Warrant Issues
What items may be searched

“When electronic storage media are to be searched because they store
information that is evidence of a crime, the items to be seized under the
warrant should usually focus on the content of the relevant files rather than
the physical storage media” (Searching and Seizing Computers and Obtaining
Evidence in Criminal Investigations, Computer Crime and Intellectual Property
Section, Criminal Division, U.S. Department of Justice, Washington, D.C (3rd
ed 2009) at 72)
Search Warrant Issues
What items may be searched

Care must be taken by the forensic analyst not to exceed the scope of the
warrant

Investigator may need to get a second warrant based on what is found “in
plain view”
Search Warrant Issues
Who may do the searching

Search warrants generally list a law enforcement officer of the particular
agency as the conductor of the search
Other agencies
Crime lab analysts
Search Warrant issues
Where the search is to take place

Language should include removing the items offsite to conduct the forensic
analysis
Search Warrant issues
A general time frame in which the search must be conducted

The Federal Rules of Criminal Procedure require a search warrant be executed
within 10 days of issuance.

Forensics in 10 days? I don’t think so…

Fourth Amendment only requires the forensic analysis of a seized item be
conducted within a reasonable time
See United States v. Mutschelkaus, 564 F. Supp. 2d 1072, 1077 (D.N.D. 2008
End
Any questions?
Best Practices - Digital Forensics
EEL4802 - Introduction to Digital Forensics
Best Practices
…not the only practices
What you do will depend heavily on where you work
Battlefield is very different than a cozy crime lab
Best Practices Include
Standard Operating Procedures
Must be written down
This is what I did, and this is why I did it
Maintain some consistency from analyst to analyst or lab to lab
Should be revised periodically
Exceptions to SOP may be granted on a case by case basis
Best Practices Include
Quality Control
Must be written down
Entire Program of Quality
Individual in charge of Quality
Accreditation to prove Quality
Best Practices Include
Validation Testing
Must be written down
How do you know the tools you are using work?
How do you know the next version of the tool doesn’t have some critical bug
that will effect your results?
Maintain a list of validated and approved tools
Best Practices Include
Proficiency Testing
Testing the individual
Testing the system
Maintaining proficiency – especially important in this field
Keeping up with new technology
Verifiable, documented proof that you can do the job
Documentation
Documentation
Everything must be carefully documented and saved
If it is not written down, it didn’t happen
Training

A clear and well defined training program should be in place

A qualified trainer should be designated

Training should cover all fundamentals of the discipline with competency
tests to demonstrate mastery of each topic

Outcomes and metrics of all training exercises and tests should be clearly
defined
Training
Training should include an overview of Forensic Science and the
scientific method

Training should include courtroom testimony or public speaking
component

Training should have well defined benchmarks and a clear end date
Training
Ongoing training is critical to
maintain proficiency in this field

Training plans and requirements
should be written down and
clearly understood

Training can be external or
internal, as long as the training is
provided by qualified trainers
Examination Environment
Several factors to consider
Adequate power and cooling
Work space free of contaminates
Limited/controlled access
Mechanisms to prevent cross contamination
Examination Equipment
Workstation considerations
Should be powerful enough to run
the tools
Should provide enough ports of
various kinds to attach peripherals
In most cases should allow the
examiner unfettered access to the
OS
Should be familiar to the analyst

Several options built specifically
for forensics
Examination Equipment
Other Forensic tools
Cables and batteries
Write blockers
Adapters
Storage media
Documentation tools (pens, paper, digital camera with all accessories)
Preparing to Begin Analysis
Review any documentation submitted
Search Warrant
Consent to search
Service Request
Case summary
Preparing to Begin Analysis
Prevent the “open ended” analysis

Look for anything illegal or useful.

When am I done?
Standard Operating Procedures
What is the purpose of an SOP?
Clear set of guidelines for analysts to follow
Sets out limitations and requirements that must be met
Keeps everyone in their lanes
Inform observers
Standard Operating Procedures
When you sit down to write you SOPs consider the following:
Standard Operating Procedures
Scope of your lab resources
Equipment
Capabilities of the personnel
Standard Operating Procedures
Not every situation can be addressed
Should be specific enough to provide
clear guidance
Should be vague enough to allow some
flexibility
Don’t box yourself in
Standard Operating Procedures
Plain language
Trainees
Overlords
Assessors
Standard Operating Procedures
If you want people to do it – write it into the SOP
Standard Operating Procedures
Look to the future
SOP revisions can and do happen,
but how often?
What do you have coming down the
pipe? Are your SOPs going to handle
that?
Standard Operating Procedures
Format
Different sections to address each process or major point
Section 1 – Introduction/Glossary/Definitions
Section 2 – Evidence Handling
Section 3 – Approved Tools
Section 4 – Forensic Imaging of Hard Drives
Etc.
Standard Operating Procedures
Format
Each section should be clear and concise (nobody likes 100+ page SOPs)
Organization is key
Try to group things to avoid repeating yourself
Remember – people will need to read this thing

Keep in mind any agency or accreditation requirements
Standard Operating Procedures
Format
Numbering schemes can be good, but they can also bite you
If a change is made to add a section all the numbering can change
3.1.2 is added
means the previous 3.1.2 becomes 3.1.3
Previous 3.1.2.12 becomes 3.1.3.12
Etc.

References to other sections can help, but they can also bite you
If section 5.2 referenced section 3.1.2 – well that is now 3.1.3 so now 5.2 needs to
change to reflect that
Best practices –
Tool requirements
Write blockers
What are they?
How do they work?
Why do we need to use one?

Validation Testing
Why validate your tools?
Which tools need to be validated?
How do you validate a tool?
Write Blocker
Write blockers are hardware devices or software programs that
prevent data from being written to a device.

Data

Data
Hardware
Write blockers
Most write blockers work one of two ways
It denies all write attempts to the device and reports to the
OS that the write was a failure
It caches all write attempts and reports to the OS that the
write is successful, but the data never makes it to the
device
Whether it is software or hardware the write blocker
needs to tell the OS something!
Why use one?
Every time you boot your computer thousands of files have their
date/time stamps updated

Windows likes to reach out and “touch” any device that is attached to
it often trying to create “Recycle Bins” and other system files on the
drive

These actions constitute manipulation of the data by the analyst – a
big problem
Why use one?
In the legal sense this is an issue because you have to be able to prove
what you modified, and what you didn’t.

Any good attorney would question how you could prove that you
didn’t change the data in question on the drive.

This is why the use of write blockers is so important.
Validation Testing
Validation testing is a very common concept
software engineering
project management
software testing

It is “…the process of checking that a software system meets
specifications and that it fulfills its intended purpose.”

http://en.wikipedia.org/wiki/Software_verification_and_validation
Validation Testing
It is important for you as a forensic analyst to validate the tools you
use

Rely on these tools to make interpretations of the data
how they work
that they work
that we have some way to test them
Which tools need to be validated?
No simple answer (It depends)

Does your write blocker need to be validated?
Yes
Does your primary forensic tool need to be validated?
Yes - but can you really test all the functionality of a complex forensic suite?
Which tools need to be validated?
Does a tool that carves data from unallocated need to be validated?
Yes – more than likely
Does a tool that interprets a database need to be validated?
Yes – see Casey Anthony case
Does your operating system need to be validated?
Probably not
Which tools need to be validated?
Does a video player need to validated?
Probably not
Does Microsoft office need to be validated?
Probably not

It really depends on your agency, the SOPs you have in place, how
much record keeping is required and a number of other factors
Which tools need to be validated?
Bottom line: If in doubt, it is always better to validate, than not to
validate
Validation Test Plan
The plan should have several components:
The item to be validated including version number if appropriate
A description of what the tool does (or is supposed to do)
A general description of how you plan to test the functionality of the tool
A list of equipment you need to complete the testing
Validation Testing
Once the validation plan is approved, you can proceed to the testing
Keep in mind, the testing should be thorough and as complete as
possible
Document everything
Digital Camera/Screenshots
Also keep in mind, it may not be possible to test EVERY single variable
that may exist in an experiment, but do your best to explore all
options
DO NOT FORGET – Digital Forensics is a
SCIENCE
Your testing should follow the scientific method as closely as possible
NIST
Welcome to the Computer Forensics Tool Testing (CFTT) Project Web
Site.
http://www.cftt.nist.gov/