Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Digital Forensic Evidence

No description

Gavin McKay

on 14 December 2012

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Digital Forensic Evidence

5) Disconnect all cords 6) Check for HPA and hard drives then package everything with antistatic evidence bags. Digital Forensic Evidence How do you preserve it and make it admissible in court? What are the tools of digital evidence and how are they used? What are the problems with digital evidence and how can they be solved? How does law enforcement obtain digital evidence? Procedures to handle digital evidence must be up to date so it remains admissible in court. Also, always make sure to store evidence on separate tapes so as to keep the evidence separate from other cases. The steps to handling digital evidence Identification Preservation Collection Examination Analysis Presentation Things that could possibly be evidence must be identified. This can be tricky because frequently not everything at a crime scene is evidence. Ex: Log files, external logs, primary memory, and volatile memory Transient: evidence that may not be there that long. Semi-permanent: evidence that will remain longer. Digital evidence is extremely volatile and can easily be lost or modified. This can be prevented or minimized by taking steps such as having multiple backup copies, data on readable discs only which cannot be rewritten, observing the chain of custody, and when it is absolutely necessary to access the data, note what was done and when. When evidence is being collected off of a stand alone home computer, the best way to do so while keeping it all in tact is to follow the following procedure. 1) Leave the computer off if it is off and photograph the scene and computer. If the screen is on photograph the screen as well. 2) Collect live data like RAM and network connections. 3) If the hard disk is encrypted collect a logical image, a clone. 4)Unplug the computer by removing the plug from the tower or removing the battery, label all cords, and document the device model numbers and serial numbers. 7) Take all storage media, keep everything away from magnets, and collect all instruction manuals and notes from the area. 8) Finally, show all the steps used when collecting the evidence. Examination of digital evidence should be done by professionals trained in digital forensics so as not to ruin anything. A useful piece of information is known as metadata. Metadata is basically data on data. It summarizes what the actual data has to say and it can be utilized to tell a lot about the actual data. Examples of this are the name and address of the user who created the data, the location of a file on a computer, or even the date and time stamp of the data. Many court rooms have their own digital evidence presentation rules which one must be abide by. It also should be remembered that the evidence must be admitted before being brought up while discussion is occurring. Court rooms that are set up for digital evidence usually include some sort of big flat screen and some individual monitors for the judge and others to look at the presentation. If the court room is not set up for digital evidence presentation, or even if it is, sometimes it can be good to hire a professional company to use the tools for the digital presentation so you do not have to worry about them. Resources: Works Cited
Cameron, Stuart. "Digital Evidence." FBI. N.p., Aug. 2011. Web. 08 Oct. 2012. <http://www.fbi.gov/stats-services/publications/law-enforcement-bulletin/august-2011/digital-evidence>.
"Cyber Forensics: Evidence Collection, Management, and Handling." Security Trancends Technology, 5 Mar. 2009. Web. 20 Oct. 2012. <http://www2.tech.purdue.edu/cit/Courses/cit556/Conferences/San.pdf>.
"Digital Evidence Analysis: Metadata Analysis and Extraction." National Institute of Justice. N.p., 05 Nov. 2012. Web. 08 Nov. 2012. <http://nij.gov/nij/topics/forensics/evidence/digital/analysis/metadata.htm>.
Kozushko, Harley. "Digital Evidence." N.p., 23 Nov. 2003. Web. 08 Oct. 2012. <http://infohost.nmt.edu/~sfs/Students/HarleyKozushko/Papers/DigitalEvidencePaper.pdf>.
Lefton, Scott. "A Practical Guide to Presenting Electronic Evidence at Trial." Midwest Trial Services, n.d. Web. 20 Oct. 2012. <http://www.midwesttrial.com/documents/A%20Practical%20Guide%20to%20Presenting%20Electronic%20Evidence%20-%20FINAL.pdf>.
"NCFS- Digital Evidence." NCFS- Digital Evidence. N.p., n.d. Web. 8 Oct. 2012. <http://www.ncfs.org/digital_evd.html>.
Paul, Henry. "Best Practices in Digital Evidence Collection." Computer Forensics and Incident Response. N.p., n.d. Web. 20 Oct. 2012. <http://computer-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/>.
Wwdt4h. "Rules of Digital Evidence and Access Data Technology." Scribd. AccessData Corporation, n.d. Web. 08 Oct. 2012. <http://www.scribd.com/doc/32210834/Rules-of-Digital-Evidence-and-Access-Data-Technology>.






Works Cited:
1. articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-obtaining-information-from-mobile-devices-for-use-in-criminal-investigations/
2. Al-Zarouni, Marwan. “Mobile Handset Forensic Evidence: A Challenge for Law Enforcement”.
3. Australian Digital Forensics Conference. Edith Cowan University. Abstract. December 4, 2006
5. Introduction to forensic Science and Criminalistics. Mc Graw Hill. R.E Gaensslen, Howard A. Harris, Henry Lee.
6. http://ncfs.org/craiger.5778-85.SPIE.pdf
7. Craiger, J.P., Politt, M., &Swagger, J. Digital Evidence and law enforcement. To appear in H.Bidgolio (Ed.), Handbook of Information Security. New York: John Wiley & Sons, 2005
8. Wayner, P. Disappearing Cryptography Information Hiding: Steganography and Watermaking. San Fransiciso: Morgan Kaufann, 2002
9. http://www.fbi.gov/stats-services/publications/law-enforcement-bulletin/august-2011/digital-evidence
10. http://topics.info.com/Computer-Forensics_572 Evidence Digital Evidence Court: Something that makes a fact or point at issue more or less clear for the trier of fact Criminal Investigation: Something that provides proof of a crime or no crime, including various elements of that crime. Digital forensic evidence is information stored or transmitted in binary form that may be relied on in court, to help jurors establish the facts of the case and support or refute legal theories of the case. What is digital evidence and forensics? Devices Digital evidence can be found on a computer hard drive, a mobile phone, a personal digital assistant (PDA), a CD, and a flash card in a digital camera, GPS devices, MP3's etc.. Digital evidence can be extracted from almost any electronic device that we use or input data into. Digital Forensics Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects' e-mail or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects. Digital Forensics is the collection, preservation, discovery, analysis, and presentation of evidence found on digital devices. Digital forensic investigation experts draw on a variety of methods for discovering, analyzing, and scientifically verifying information that resides on all kinds of digital devices Sources of electronic data have grown exponentially with the popularity of, for instance, text messaging, social networking, and e-mail.This highlights the importance of not only collecting such digital evidence but also having up-to-date procedures for its proper handling, archival, and maintenance, particularly to ensure its suitability for presentation in court. -Sources of electronic data have grown exponentially with the popularity of text messaging, social networking, and e-mail.
-Key component of police investigations and a potential source of evidence that could prove critical in supporting the prosecution of different types of crimes. Law enforcement agencies and departments are training more investigators to specialize in recognizing, handling, and deciphering the information on computers and digital devices. -Involves crimes such as terrorism, child pornography, violent crimes, theft or destruction of intellectual property, corporate crimes, Internet crimes, and financial fraud and embezzlement The most important step for a first-responder investigator is to determine how best to preserve that device and its data. -Recording and documenting the scene, including photographs of the mobile device in an undisturbed state should be included. Types of Digital Evidence Image acquired from google images -Computer Hard Drive
-Personal Digital Assistant
-Flash Card in Camera
-Mobile Phone
-Compact Disk
-GPS Device Image taken from google images -Evidence from mobile phones is becoming more and more important

-Usually related to drug investigations or child pornography

-Cell Phone Towers- help with tracking a person

-Terrorists used cell phones to detonate the bombs in the Madrid bombing that killed 190 in 2004 - For law enforcement officers to obtain evidence legally they must have probable cause and a warrant that allows for search and seizure. -Exporting information from several digital devices and importing it into the software-investigators can see a timeline of events

-Makes it easier for investigators to understand what happened

-Also, makes it easier for the jury to understand the criminal activity and any connections among offenders -Vital in computer and
internet crimes

Also includes:
-Facial Recognition
-Crime Scene Photos
-Surveillance Tapes FISWG- develop consensus standards, guidelines and best practices for the discipline of image-based comparisons of human features, primarily face Past Method-
-Confiscate computer, then create an exact duplicate- called an image
-Some data can not be recovered once the computer is shut down

Current Method-
-Collect as much data as possible at the scene, while the device is still on
-Evidence should not be changed in any way while it is being collected
-Only those with the specific training should examine the evidence
-Everything must be documented BTK Killer

-“Bind, Torture, Kill”
-Sent a message to police on a floppy disk
-Found a link to his first name “Dennis” and to the Lutheran Church he attended
-Police came across Dennis Rader
-DNA evidence was a close match to Rader’s daughter, so they knew the killer was related to her
-This was enough to make an arrest
-He plead guilty- sentenced to 10 consecutive life sentences. Eligible for parole in 2180. -Software and operating systems are rapidly changing and being updated
-Law enforcement has to constantly update their tools and training
-One example is the Cloud- Apple product
Create, share and store files on remote computers- this disguises the identity of the person
-There are many training courses that help to train investigators Training Data Mining Cell Phones -Evidence can change from moment to moment within a computer.
-Transmission lines can easily be altered
-Changes can be made during collection. -Many people can not read computer evidence because of the complexity of the systems
-Investigators usally need software to help mine the vast amounts of data that is stored on computers and other devices Problems One of the most problematic part of the whole process is linking specific individual to documents and logs found. Linking the Data Conclusion Practical investigations tend to rely on multiple streams of evidence which corroborate each other
- each stream may have its weaknesses, but taken together may point to a single conclusion THE END
Full transcript