How To Understand The Law Of Fornsics

Similar documents
Cell Phone Forensics For Legal Professionals

MSc Computer Security and Forensics. Examinations for / Semester 1

Overview of Computer Forensics

Hands-On How-To Computer Forensics Training

CYBER FORENSICS. KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad.

CCE Certification Competencies

Case Study: Mobile Device Forensics in Texting and Driving Cases

Just EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012

Computer Forensics. Securing and Analysing Digital Information

Digital Forensics for Attorneys Overview of Digital Forensics

Modern Digital Forensics!!

Case Study: Smart Phone Deleted Data Recovery

ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT

Lecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation

Guidelines on Digital Forensic Procedures for OLAF Staff

The Proper Acquisition, Preservation, & Analysis of Computer Evidence: Guidelines & Best-Practices

Discovery of Electronically Stored Information ECBA conference Tallinn October 2012

Incident Response and Forensics

Digital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics

Digital Forensics, ediscovery and Electronic Evidence

Guide to Computer Forensics and Investigations, Second Edition

How to Avoid The Biggest Electronic Evidence Mistakes. Ken Jones Senior Technology Architect Pileum Corporation

A Short Introduction to Digital and File System Forensics

Mobile Device Forensics: A Brave New World?

About Your Presenter. Digital Forensics For Attorneys. Overview of Digital Forensics

Cellebrite UFED Physical Pro Cell Phone Extraction Guide

EC-Council Ethical Hacking and Countermeasures

On the Trail of the Craigslist Killer: A Case Study in Digital Forensics

BDO CONSULTING FORENSIC TECHNOLOGY SERVICES

Digital Forensics & e-discovery Services

Informatica forense. Mobile Forensics - Approfondimenti tecnici e particolarità degli smartphone

Using Computer Forensics in your Investigations

plantemoran.com What School Personnel Administrators Need to know

INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION

e-discovery Forensics Incident Response

Computing forensics: a live analysis

Computer Forensics Basics, First Responder, Collection of Evidence

Digital and Cloud Forensics

Admissibility of Digital Photographs in Criminal Trials

Understanding ediscovery and Electronically Stored Information (ESI)

Computer Forensics Today

What Happens When You Press that Button? Explaining Cellebrite UFED Data Extraction Processes

Massachusetts Digital Evidence Consortium. Digital Evidence Guide for First Responders

Digital Forensics. Tom Pigg Executive Director Tennessee CSEC

Developing Computer Forensics Solutions for Terabyte Investigations

EnCase v7 Essential Training. Sherif Eldeeb

Chapter 7 Securing Information Systems

Information Technology Audit & Forensic Techniques. CMA Amit Kumar

SAMPLE ELECTRONIC DISCOVERY INTERROGATORIES AND REQUESTS FOR PRODUCTION

Mobile Devices in Electronic Discovery

Digital Forensics for Attorneys - Part 2

Network Documentation Checklist

How To Manage Cloud Data Safely

Introduction to Data Forensics. Jeff Flaig, Security Consultant January 15, 2014

COMPUTER FORENSICS (EFFECTIVE ) ACTIVITY/COURSE CODE: 5374 (COURSE WILL BE LISTED IN THE CATE STUDENT REPORTING PROCEDURES MANUAL)

What You Should Know About ediscovery

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

E-Discovery Technology Considerations

Digital Forensic Techniques

Certified Digital Forensics Examiner

HIPAA/HITECH Compliance Using VMware vcloud Air

Introduction to Network Security Comptia Security+ Exam. Computer Forensics. Evidence. Domain 5 Computer Forensics

IAPE STANDARDS SECTION 16 DIGITAL EVIDENCE

CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001

EnCase 7 - Basic + Intermediate Topics


winhex Disk Editor, RAM Editor PRESENTED BY: OMAR ZYADAT and LOAI HATTAR

PD590-KT. Guide Android 4.4.2

To Catch a Thief: Computer Forensics in the Classroom

Managing ios Devices. Andrew Wellington Division of Information The Australian National University XW11

Auditing the Security and Management of Smart Devices. ISACA Dallas Meeting February 13, 2014

Where is computer forensics used?

Incident Response and Computer Forensics

This guide describes features that are common to most models. Some features may not be available on your tablet.

Mobile Device Forensics. Rick Ayers

CDFE Certified Digital Forensics Examiner (CFED Replacement)

[DESCRIPTION OF CLAIM, INCLUDING RELEVANT ACTORS, EVENTS, DATES, LOCATIONS, PRODUCTS, ETC.]

How To Get A Computer Hacking Program

GadgetTrak Mobile Security Android & BlackBerry Installation & Operation Manual

(b) slack file space.

CERTIFIED DIGITAL FORENSICS EXAMINER

Chapter 8: On the Use of Hash Functions in. Computer Forensics

Transcription:

Computer and Phone Forensics Califorensics i Don Vilfer, JD, ACE 916-789-1602 Don@Califorensics.com www.califorensics.com WHY DO WE CARE ABOUT FORENSICS? Lawyers and Investigators need to be equipped to adequately advise clients or employers. You have a duty to prepare your cases for adequate discovery. You have a duty to advise your clients/management about their discovery obligations. INITIAL RESPONSE Gather sufficient info to develop a response Traditional investigation Don t attempt data recovery Avoid spoiling the evidence (logs, free space, etc.) Consult with someone knowledgeable Consider locations of relevant evidence (thumbdrives, router logs, cameras) Develop a strategy drawing on your skills and what you will hopefully learn today! 1

COMPUTER FORENSICS VS. EDISCOVERY Computer Forensics: the use of specialized techniques for recovery, authentication and analysis of electronically stored data. Electronic Discovery: the process of locating, searching and securing electronic data to produce as evidence in a legal proceeding. Data Constantly Changes FORENSIC IMAGE The creation of a Forensic Duplicate of the storage media. FRE Section 1003: a duplicate is admissible to the same extent as the original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original. 2

CHARACTERISTICS OF A FORENSIC IMAGE Hash Value (Digital Fingerprint) Data cannot be changed Includes Unallocated Space, Drive Freespace and File Slack Difference from Ghost Acceptable in court as Best Evidence FORENSIC IMAGES/DATA ACQUISITION Drive Removal and write-blocking Live Images Boot Disks Triage-Live Searching and Acquisition Networks-remote imaging (even across the ocean) is possible PRESERVING THE ORIGINAL EVIDENCE FOR EXAMINATION i.e., To Shutdown Or Not To Shutdown RAM-volatile data. Now capable of being RAM volatile data. Now capable of being forensically captured! Leave computer on if you suspect recent monkey business. Hard Drive-reasons to not leave computer on or access files. The evidence changes simply by booting. 3

BUT, THE USUAL RULES OF EVIDENCE STILL APPLY Chain of Custody must be able to account for the location of the evidence from the moment it was collected. Ath Authentication computer ti ti t evidence is considered writings and recordings under the Rules of Evidence and must be authenticated to be admissible. Validation is it really the same? (Hash files) WHO WILL DO IT? Avoid your client s IT Professional Qualifications: ACE EnCE CFE etc. FORENSIC PROCESSES (NOW WHAT DO WE DO WITH IT?) Review information on the drive Recover deleted files. Data Carving. Searches in free space. Recovering web-based e-mail. Determining activities on the computer (copying, printing, deleting, burning). Break passwords and encryption. 4

Application to Research Misconduct Sources of data. Acquiring data from multiple computers and lab equipment. Review of Communications (recovery of emails). Authenitcating information supplied by the subject of the inquiry. Comparison of Digital Images. ORI Color Overlay of Two Data Sets Data Set 1 Data Set 2 Data Set 2 Over Data Set 1 Adjustments to Bring Out Detail Original Equalized 5

PHONES ARE MORE PREVALENT THAN COMPUTERS Some Statistics No. of Phone % of Pop Computers China 1.1B 75% 53M India 900M 74% 60M US 327M 104% 223M WHAT IS RECOVERABLE It Depends- dependent on phone OS, model, forensic capabilities Email Voicemail Text Messages Location Data- Maps, WiFi, Apps, Photos Network Detail - local network - carrier network (see attached) Example of Photo Location Data 6

EXAMPLE OF PHOTO LOCATION DATA Even a Missed Call may be Relevant PHONE vs. COMPUTER FORENSICS Flash h Storage vs. Disk- wear levelingl File Systems Types of Data Security- password, disk wipe, phone encryption 7

FORENSIC APPROACH S Logical vs. Physical SIM SD Cards Chip Offs Backups LOGICAL vs. PHYSICAL DATA CARVING Data Carved Image Carved SMS 8

SIM CARDS Subscriber Identity Module Stores Data so the user can be identified on the network Can be used to store SMS and contacts Portable Will contain cell site information SIM Clones SD CARDS May contain photos, documents, videos or phone data Standard storage media and can be examined as such May have data when the phone is inaccessible CHIP OFFS When all else fails. 9

BACKUPS Blackberry (ipb) i Phone Backup Cloud INITIAL RESPONSE Leave It On? Passwords Faraday Solutions Data Cables LIVE FORENSICS DEMO What s on Your Phone (or mine) 10

Questions? Califorensics i Don Vilfer, JD, ACE 916-789-1602 Don@Califorensics.com www.califorensics.com 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information