
Computer Forensic

Investigation Procedure
Describe the basic steps in a computer
forensics investigation
Identify the legal and ethical issues affecting
evidence search and seizure
Identify the types of challenges to the
admissibility of e-evidence
Explain chain of custody

Computer forensics investigators are
detectives of the digital world. This lecture
introduces you to the generally accepted
methods used in computer forensics; to computer
architecture, the Internet, and digital devices;
and to the types of e-evidence trails these leave

Computers are routinely used to plan and
coordinate many types of crimes
Computer activities leave e-evidence trails
File-wiping software can be used to delete data
File-wiping process takes time and expertise
Many e-evidence traces can be found by
showing hidden files on a computer
Hidden = encrypted, deleted, etc.

Metadata is loosely defined as data about
data.
It provides information about a certain item's
content.
For example, an image may include metadata
that describes how large the picture is, the color
depth, the image resolution, when the image
was created, and other data.
Technical knowledge of how data and
metadata are stored will determine what e-
evidence is found.
For this reason, technical knowledge of
investigators must keep pace with evolving
data storage devices

Answering the 5 Ws helps in criminal

of computer evidence so that it is acceptable
in a Court of Law.

Preserving evidence is critical in order to use the
evidence in a legal defense or prosecution
Scientific methods must be used in order to
preserve the integrity of the evidence collected
The original evidence should not be modified or
Image or a copy of original evidence must be
The image must be compared with the original
evidence to ensure its integrity

First and foremost is to identify evidence and
its location (search warrant, etc.)
Evidence may be contained in hard disks, or
in any other removable media such as
memory card, pen drive, etc.
Forensic investigators must carefully observe
crime scene and identify possible digital

Once identified, data need to be extracted
from the evidence
However, a computer forensic methodology
needs to be followed (will be discussed later)
It is not easy to locate information in
Technical knowledge on how to use forensic
tools and how data is stored in media is very

Once extracted, the data need to be analyzed
and interpreted
The analysis needs to be done so that any
crime that occurred can be confirmed

Proper documentation needs to be maintained
throughout the investigation procedure.
The documentation needs to be presented
before the court of law
The documentation comprises the chain of
custody form and documents related to
evidence analysis

Consistent with other scientific research, a
computer forensics investigation is a process
The Methodology

Goal of an investigation: collect evidence
using accepted methods so that the evidence
is accepted in the courtroom and admitted as
evidence in the trial
Judge's acceptance of evidence is called
admission of evidence

Evidence admissibility requires legal search
and seizure and chain of custody
Chain of custody must include:
Where the evidence was stored
Who had access to the evidence
What was done to the evidence
In some cases, it may be more important to
protect operations than obtain admissible

Attempted extortion involving credit card
numbers by Maxim
Six months after the incident, Maxim still
could not be found
Evidence was compromised by FBI and
security firms who may have used original
data rather than a forensic copy

Digital profiling of crime suspects
E-evidence can supply patterns of behavior or imply
Evidence can include information stored on
computers, e-mail, cell phone data, and wiretaps

Methods used by investigators must achieve
these objectives:
Protect the suspect system
Discover all files
Recover deleted files
Reveal contents of hidden files
Access protected or encrypted files
Use steganalysis to identify hidden data
Analyze data in unallocated and slack space
Print an analysis of the system
Provide an opinion of the system layout
Provide expert testimony or consultation

Unallocated space: space that is not currently
used to store an active file but may have
stored a file previously
File slack: space that remains if a file does
not take up an entire sector
Unallocated space and slack space can
contain important information for an
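The two regions defined above, shown on a constructed toy disk (added example, not part of the lecture): a deleted file's content survives both in the slack of the file that later reuses its first sectors and in the sector nobody reallocated. Sector size, the fake allocation table and the sample file contents are all assumptions made for the demo.

```python
SECTOR = 512  # constructed toy geometry; real media use 512- or 4096-byte sectors

def slack_bytes(file_size: int, sector: int = SECTOR) -> int:
    """Bytes left in the last sector of a file (0 if it ends on a boundary)."""
    return (-file_size) % sector

def write_file(disk: bytearray, alloc: dict, name: str, start: int, data: bytes) -> None:
    """Write data at a sector offset and allocate only the sectors it needs.
    Whatever was already in the last sector after the data is left untouched,
    as a file system would; that leftover region is the file slack."""
    disk[start * SECTOR : start * SECTOR + len(data)] = data
    alloc[name] = (start, len(data), -(-len(data) // SECTOR))  # (start, size, sectors)

def delete_file(alloc: dict, name: str) -> None:
    """Deletion drops the allocation entry only; the sectors keep their content."""
    del alloc[name]

def carve_slack(disk: bytearray, alloc: dict, name: str) -> bytes:
    """Return the slack region at the end of the named file's last sector."""
    start, size, n_sectors = alloc[name]
    return bytes(disk[start * SECTOR + size : (start + n_sectors) * SECTOR])

def carve_unallocated(disk: bytearray, alloc: dict) -> bytes:
    """Return every sector not referenced by any allocation entry."""
    used = set()
    for start, _size, n_sectors in alloc.values():
        used.update(range(start, start + n_sectors))
    free = [i for i in range(len(disk) // SECTOR) if i not in used]
    return b"".join(bytes(disk[i * SECTOR : (i + 1) * SECTOR]) for i in free)

def demo() -> dict:
    """Constructed scenario: a 1200-byte file is deleted, then a 600-byte file
    reuses the same start sector. Examiner view: the new file's slack and the
    unallocated sector still hold the old content."""
    disk, alloc = bytearray(8 * SECTOR), {}
    old = b"OLD LEDGER ROW ".ljust(1200, b"S")            # sample content, constructed
    write_file(disk, alloc, "ledger.txt", 0, old)          # occupies sectors 0-2
    delete_file(alloc, "ledger.txt")                       # user "deletes" it
    write_file(disk, alloc, "notes.txt", 0, b"N" * 600)    # sectors 0-1, 424 bytes of slack
    return {
        "slack_len": slack_bytes(600),
        "slack": carve_slack(disk, alloc, "notes.txt"),
        "unallocated": carve_unallocated(disk, alloc),
    }

if __name__ == "__main__":
    r = demo()
    print(r["slack_len"], r["slack"][:16], r["unallocated"][:16])
```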

Criminal trials may be preceded by a
suppression hearing
This hearing determines admissibility or
suppression of evidence
Judge determines whether ethical investigation
procedures have been followed in the search and
seizure of evidence.
The success of any investigation depends on
proper and ethical investigative procedures

Investigators generally need a search warrant
to search and seize evidence
Law officer must prepare an affidavit that
describes the basis for probable cause: a
reasonable belief that a person has
committed a crime
Search warrant gives an officer only a limited
right to violate a citizen's privacy

Two reasons a search can take place without
a search warrant:
The officer may search for and remove any weapons
that the arrested person may use to escape or resist
The officer may seize evidence in order to prevent
its destruction or concealment
Warrants are not easy to get
Or they are sometimes obtained too late to prevent
a crime or catch the perpetrator

Finding the motive, the why of the crime,
can help in an investigation
Possible motives:
Financial gain, including extortion and blackmail
Cover up a crime
Remove incriminating information or
Steal goods or services without having to pay for
Industrial espionage

Computer is the crime target
Computer is the crime instrument
Computer is incidental to traditional crimes

Handling of e-evidence must follow the
three Cs of evidence: care, control, and
chain of custody
Chain of custody procedures
Keep an evidence log that shows when evidence
was received and seized, and where it is located
Record dates if items are released to anyone
Restrict access to evidence
Place original hard drive in an evidence locker
Perform all forensics on a mirror-image copy,
never on the original data
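The two procedural controls above, verifying the forensic image against the original before any analysis and keeping an evidence log, as an added Python example (not from the lecture). Item names, custodians, locations and the sample drive bytes are constructed; the log chains each entry to the hash of the previous one so that a later alteration of any entry is detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_image(original: bytes, image: bytes) -> tuple:
    """Hash both the original media and its image; analysis proceeds only on a
    matching image. Returns (match, original_hash, image_hash) for the log."""
    h_orig, h_img = sha256_hex(original), sha256_hex(image)
    return h_orig == h_img, h_orig, h_img

class CustodyLog:
    """Evidence log: when an item was received, who handled it, what was done,
    where it is. Each entry carries the previous entry's hash (see verify)."""
    def __init__(self) -> None:
        self.entries = []

    def record(self, item: str, action: str, custodian: str, location: str,
               when: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries) + 1,
            "time": when or datetime.now(timezone.utc).isoformat(),
            "item": item, "action": action, "custodian": custodian,
            "location": location, "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64  # recompute the chain; any edited or removed entry breaks it
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or \
                    sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def demo() -> bool:
    """Constructed walk-through: seize a drive, image it, verify, lock the original."""
    original = b"constructed drive contents" * 64   # stands in for the seized media
    ok, h_orig, h_img = verify_image(original, bytes(original))
    log = CustodyLog()
    log.record("HD-001 (original)", "seized, sha256=" + h_orig, "Examiner A", "scene")
    log.record("HD-001-IMG", "imaged, verified=%s, sha256=%s" % (ok, h_img), "Examiner A", "lab")
    log.record("HD-001 (original)", "placed in evidence locker", "Examiner A", "locker 7")
    return ok and log.verify()
```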

All reports of the investigation should be
prepared with the understanding that they
will be read by others
The investigator should never comment on
the guilt or innocence of a suspect or
suspects or their affiliations
Only the facts of the investigation should be
presented; opinions should be avoided

Investigate and/or review current computer
and computer-mediated crimes
Maintain objectivity when seizing and
investigating computers, suspects, and support
Conduct all forensics investigations
consistently with generally accepted
procedures and federal rules of evidence and
Keep a log of activities undertaken to stay
current in the search, seizure, and processing
of e-evidence

Computers and the Internet have contributed
to traditional and computer crimes
Effective forensic investigation requires any
technology that tracks what was done, who
did it, and when
Images or exact copies of the digital media
being investigated need to be examined by
trained professionals

There are several legal and ethical issues of
evidence seizure, handling, and investigation
Rules and laws regulate forensic
The need for e-evidence has led to a new
area of criminal investigation, namely
computer forensics
This field is still young

Computer forensics depends on an
understanding of technical and legal issues
Greatest legal issue in computer forensics is
the admissibility of evidence in criminal cases
Computer forensics investigators identify,
gather, extract, protect, preserve, and
document computer and other e-evidence
using acceptable methods

Laws of search and seizure, as they relate to
electronic equipment, must be followed
Failure to follow proper legal procedure will
result in evidence being ruled inadmissible in