Digital Forensics Larry Daniel
Introduction: A recent research report from The Yankee Group found that 67.6 percent of US households in 2002 contained at least one PC. The investigators foresee three-quarters of all US households containing PCs by 2007.
Introduction: The UCLA study found that surprising numbers of households have more than one PC; where more than one PC is present, the home computers are often networked. As of December 2005, 71.4% of US households had computers.
Some Famous Criminal Cases: Scott Peterson, Internet history showing searches for dump sites. Michelle Theer, email and other documents (over 20 thousand documents). Michael Jackson, Internet history and email. BTK Killer, document metadata used to trace a letter back to a church computer.
Different Sides, Different Roles, Prosecution Side: sworn law enforcement officer; writes search warrants; receives evidence (computers, etc.); acquires images and analyzes data; presents findings to prosecutors and detectives; may not be involved again until an arrest is made or the case goes to trial.
Different Sides, Different Roles, Defense Side: private expert; receives evidence from the law enforcement agency; consults with the attorney on relevant facts; active member of the defense team; may review other evidence to enhance the computer analysis; may interview the defendant; may work with other experts.
Some Basics: The basic computer looks like these.
Common Mistakes: calling these (whole computer systems) monitors, CPUs, hard drives, etc. Each of those terms names one specific component, and only one of them, the hard drive, holds the evidence.
Monitors: newer LCD on the left, older analog CRT on the right. Nothing is stored in these; they just make pretty pictures.
CPU: Central Processing Unit. Only performs calculations; the brain of the computer. Stores nothing of evidentiary value (its registers and caches are tiny and volatile, gone as soon as power is removed).
Inside the Computer: The hard drive stores the evidence.
Inside the Computer: Hard drives can hold thousands of documents, pictures, music files, movies, passwords and emails.
Inside the Computer: RAM, Random Access Memory. Only contains data while the computer is turned on: temporary working storage used while the computer operates. Its contents are lost shortly after power is removed and overwritten on restart, so anything held only in RAM is gone once the machine is shut down.
Introduction: A digital (AKA computer) forensics investigation involves four major areas: Acquisition (obtaining the original evidence), Preservation (protecting the original evidence), Analysis (finding relevant evidence) and Presentation (presenting the evidence in court).
Forensics Tools: EnCase forensics software, used by NC SBI, FBI, Air Force OSI, Scotland Yard, US Navy and Fayetteville PD; the most widely used forensics software in the world. Paraben Email Examiner, specially designed to recover email.
Acquisition: First contact with the original evidence. The most critical time for protecting the originals, and the most likely time for police or others to damage or change evidence. General rules MUST be followed to preserve and protect evidence during this critical first-response period. It is also the first point in establishing the chain of custody.
Digital Evidence: Location not always obvious. Easy to conceal. Easy to miss. Easy to damage.
Digital Evidence: hard drive, CD-ROM, floppy disk.
Digital Evidence: picture phones, BlackBerry, iPod.
Digital Evidence: USB drives, digital cameras, SmartMedia cards.
Acquisition: First responders should be trained to handle this type of evidence. Digital evidence is fragile and is easily altered if not handled properly. Simply turning a computer on or operating it changes and damages evidence.
Fragile Nature of Digital Evidence: "The problem is the uninitiated police officer who will go in and turn on a computer to look to see if it's worthwhile to send the computer in for examination," said Peter Plummer, assistant attorney general in Michigan's high-tech crime unit. "When you boot up a computer, several hundred files get changed, the date of access, and so on," Plummer said. "Can you say that computer is still exactly as it was when the bad guy had it last?" Source: AP article from Computers Today, www.technologysu.com, Email section.
Fragile Nature of Digital Evidence: "The nature of computer based evidence makes it inherently fragile. Data can be erased or changed without a trace, impeding an investigator's job to find the truth. The efforts of first responders are critical to ensure that the evidence is gathered and preserved in a simple, secure, and forensically sound manner." Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations.
Fragile Nature of Digital Evidence: "Fragile data are those things stored on the hard drive but that can be easily altered, especially by a first responder trying to determine if an incident has occurred. These could include access dates on files or temporary files. Once these files have been altered by a first responder, there is no way to recover the original data." Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations.
Fragile Nature of Digital Evidence: "The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless." (Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.) "Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file." (Computer Forensics: Computer Crime Scene Investigation, 2nd Ed., John R. Vacca.)
Fragile Nature of Digital Evidence: The next three slides demonstrate what happens when you operate a computer. Evidence is modified. Evidence is destroyed. Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations.
Files in Original Condition (screenshot of file listing with dates).
Files After Opening and Viewing: the last accessed date and time changes any time a file is opened and viewed while the computer is in operation.
Files After Saving: the last written date and time changes any time a file is saved or copied while the computer is in operation.
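The three screenshots above show the effect on Windows. As an added example that is not part of the original deck, the following Python reproduces it on any system: a file is created, "viewed" (opened and read) and then "saved" (written to), with the timestamps captured after each step. The file and its contents are constructed for the demonstration. Unix reports the same fields as mtime (last written), atime (last accessed) and ctime (metadata change; on Windows Python reports creation time there instead).

```python
import os
import tempfile
import time


def mac_times(path):
    """Return the file's timestamps in epoch seconds: mtime (last written),
    atime (last accessed) and ctime (metadata change on Unix, creation on Windows)."""
    st = os.stat(path)
    return {"mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime}


def changed(before, after):
    """Names of the timestamps that differ between two snapshots."""
    return sorted(name for name in before if before[name] != after[name])


def demonstrate(delay=0.05):
    """Create a file, 'view' it (open and read), then 'save' it (append a line),
    taking a timestamp snapshot after each step. Returns the three snapshots."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "letter.txt")          # constructed sample file
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("original contents\n")
        original = mac_times(path)

        time.sleep(delay)                                   # let the clock move on
        with open(path, "r", encoding="utf-8") as fh:       # what "opening and viewing" does
            fh.read()
        after_view = mac_times(path)

        time.sleep(delay)
        with open(path, "a", encoding="utf-8") as fh:       # what "saving" does
            fh.write("one more line\n")
        after_save = mac_times(path)

    return original, after_view, after_save


if __name__ == "__main__":
    orig, viewed, saved = demonstrate()
    print("after viewing, changed:", changed(orig, viewed))
    print("after saving, changed:", changed(viewed, saved))
```

Saving always moves mtime forward, which is why the "last written" column in the screenshot changes. Whether viewing moves atime depends on the system: the deck's Windows XP era machines updated last-access on every read, but Windows Vista and later disable last-access updates by default, and Linux mounts with relatime or noatime update it only sometimes or never. That cuts both ways for the examiner: a file that shows an access time may well have been touched by whoever operated the machine after seizure, and the absence of a changed access time does not prove a file was never opened.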
Seizing Computer Evidence: General Guidelines.
General Guidelines for Seizing Computers and Digital Evidence, Seizing a Stand-Alone Home Computer in a Residence: If the computer is powered off, DO NOT turn it on. If the computer is powered on, do not allow the suspect or any associate to touch it. Offers to shut the computer down may be a ruse to start a destructive program that destroys the evidence; this can be done with one keystroke. Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.
General Guidelines for Seizing Computers and Digital Evidence: Before touching the computer, place an unformatted or blank floppy disk into the floppy disk drive(s) (so that an accidental power-on stops at the non-bootable floppy instead of booting from the hard drive); document, videotape and/or photograph the computer system; and write detailed notes about what is on the computer's screen. Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.
General Guidelines for Seizing Computers and Digital Evidence Photograph the back of the computer and everything that is connected to it. Photograph and label the back of any computer components with existing connections to the computer. Source: Maryland State Police - Criminal Enforcement Command -Computer Crimes Unit
General Guidelines for Seizing Computers and Digital Evidence If you have a computer specialist on the scene, he will have been trained to recognize the operating system and will know the proper way to shut down the computer system without altering files or losing any evidence. Source: Maryland State Police - Criminal Enforcement Command -Computer Crimes Unit
General Guidelines for Seizing Computers and Digital Evidence: If you do not have a computer specialist on the scene, the safest way to turn off a Windows 98/95/3.1/DOS computer is to pull the plug from the back of the computer. On other systems, pulling the plug could severely damage the system, disrupt legitimate business, and create officer and department liability. It is especially important to have a specialist available when dealing with business computers, networked computers, and computers running Macintosh, Windows NT, or Unix/Linux operating systems. Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.
General Guidelines for Seizing Computers and Digital Evidence: After shutting the computer down and powering it off, disconnect all power sources: unplug the power cords from the wall and from the back of the computer. Notebook computers may need to have their battery removed. Place evidence tape over each drive slot, the power supply connector, and any other opening into the computer, and seal the case itself. Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.
General Guidelines for Seizing Computers and Digital Evidence: Only specially trained and qualified computer forensic investigators working in a laboratory setting should analyze computers and other forms of digital evidence. The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless. The Maryland State Police Computer Forensics Laboratory will not routinely accept digital evidence for analysis if that evidence has been tainted through handling by unqualified personnel. Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.
Preservation: Once digital evidence is seized it must be handled carefully to preserve and protect it. Everything should be tagged. No one should operate or preview any evidence on writable media without proper tools (such as a hardware write blocker between the evidence drive and the examination machine) and training. Forensically sound copies of all original evidence must be made, and their hashes recorded, before analysis begins. Records must be kept.
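The Acquisition and Preservation steps above come down to one discipline: copy the original exactly once, prove the copy matches, work only on the copy, and write down who did what and when. The Python below is an added example, not the deck's tool (EnCase) or any agency's procedure; it images an evidence file rather than a physical device, and the "seized drive", case number and examiner name are constructed placeholders. A real acquisition would read the device through a write blocker, but the hashing, verification and custody-record logic is the same.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # copy and hash in 1 MiB pieces so large images never sit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in one pass, feeding every chunk to each requested digest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image_path, examiner, case_id, log_path):
    """Copy source byte-for-byte to image_path, hash original and copy, refuse to
    continue unless they match, make the copy read-only, and append a
    chain-of-custody record (one JSON object per line) to log_path."""
    source_hashes = hash_file(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hashes = hash_file(image_path)
    if image_hashes != source_hashes:
        raise RuntimeError("image does not verify against the original; do not use it")
    os.chmod(image_path, 0o444)  # analysis runs against this copy, never the original
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "action": "acquire",
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(source),
        "hashes": source_hashes,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify(image_path, record):
    """Re-hash the image (before analysis, or when its integrity is challenged
    in court) and compare with the hashes recorded at acquisition."""
    return hash_file(image_path) == record["hashes"]


def demo():
    """Run the procedure against a constructed stand-in for a seized drive.
    Returns (custody record, verified after copy, tampering detected)."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "seized_drive.raw")  # constructed, not a real device
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 123))
        image = os.path.join(workdir, "case-0001_drive.dd")
        log = os.path.join(workdir, "custody.jsonl")
        record = acquire(source, image, "examiner (placeholder)", "case-0001", log)
        verified = verify(image, record)

        # Flip one byte of the copy; verification against the record must now fail.
        os.chmod(image, 0o644)
        with open(image, "r+b") as fh:
            fh.seek(10)
            original_byte = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original_byte[0] ^ 0xFF]))
        tampering_detected = not verify(image, record)
    return record, verified, tampering_detected


if __name__ == "__main__":
    rec, ok, caught = demo()
    print(json.dumps(rec, indent=2))
    print("verified:", ok, "tampering detected:", caught)
```

Two hashes are recorded because MD5 was what tools of the deck's era reported and what older reports in a case file will contain, while SHA-256 is what an examiner should rely on today, since MD5 collisions can be manufactured. The custody log is append-only by convention, not enforcement; in practice it would be kept alongside the examiner's bench notes and the physical evidence tags.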
Analysis Analysis involves recovering and analyzing evidence for relevance to the case. Accepted tools should be used. Search and analysis must be within the scope of the warrant. Bench notes should be kept by the examiner.
What are you looking for? E-mail, pictures, Internet history, documents, spreadsheets, Internet chat logs (Yahoo Messenger, AOL Chat, MSN Messenger, Internet Relay Chat), financial data, PDF files, suspiciously renamed files, and many others.
Hiding the Evidence: deleting files; deleting Internet history; formatting drives; re-partitioning drives; physically destroying hard drives and floppies; passwords; using on-line e-mail (Hotmail, Yahoo Mail); iPods and personal storage devices that can be overlooked.
Recovering the Evidence: find deleted files; un-format drives; rebuild partitions; recover passwords; find hidden files and folders; reconstruct web pages; locate deleted e-mail.
Analysis, Metadata: Many types of files contain metadata, information embedded in the file itself that describes the file. Microsoft Office documents: computer name, total edit time, number of editing sessions, where printed, number of times saved. Digital camera pictures: make and model of camera, dates and times.
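Two of the recovery techniques listed above, finding deleted files and spotting suspiciously renamed files, rest on the same fact: a file's content starts with a recognisable signature regardless of its name or whether a directory entry still points at it. The Python below is an added example, not the deck's software or any vendor's carver. It scans a block of "unallocated space" for header/footer pairs and carves out what it finds, and it flags files whose extension disagrees with their signature. The sample JPEG, PDF and filler bytes are constructed for the demonstration and are only structurally minimal stand-ins.

```python
import os

# Leading bytes ("magic numbers") and trailing markers for a few common types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
ALIASES = {"jpeg": "jpg"}


def identify(data):
    """Type implied by the first bytes, regardless of file name; None if unknown."""
    for kind, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def extension_mismatch(filename, data):
    """True when a recognised file's content disagrees with its extension."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    actual = identify(data)
    return actual is not None and ALIASES.get(ext, ext) != actual


def carve(raw, max_size=10 * 1024 * 1024):
    """Header/footer carving over raw bytes such as unallocated space. Returns
    (kind, offset, payload) tuples sorted by offset. A header with no footer
    within max_size bytes is skipped rather than carved open-ended."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(header, pos)) >= 0:
            end = raw.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, raw[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


# Constructed sample data: minimal stand-ins, not real documents.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 24 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
FILLER = bytes(range(256)) * 16  # deterministic "noise" containing none of the signatures
UNALLOCATED = FILLER + SAMPLE_JPEG + FILLER + SAMPLE_PDF + FILLER  # no directory entries at all


if __name__ == "__main__":
    for kind, offset, payload in carve(UNALLOCATED):
        print(f"{kind} at offset {offset}, {len(payload)} bytes")
    for name, data in [("vacation.jpg", SAMPLE_PDF), ("report.pdf", SAMPLE_PDF), ("notes.txt", SAMPLE_JPEG)]:
        print(f"{name}: renamed? {extension_mismatch(name, data)}")
```

This is the simplest form of carving: it recovers files that are stored contiguously and have a known footer, which is exactly the case for a deleted picture whose clusters have not yet been reused. Fragmented files, formats without a terminating marker, and files whose clusters were partly overwritten need a real carver and filesystem-aware recovery, which is what the deck's tools provide. The extension check is equally simple and equally useful: a `.txt` file that begins with a JPEG header is the "suspiciously renamed file" the previous slide asks for.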
Document Metadata
Picture Metadata
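The metadata slide lists the kind of properties an Office document carries about its own history. The Python below is an added example, not the deck's tool, that reads those properties directly from an Office Open XML package (.docx/.xlsx/.pptx, the zip-based format introduced with Office 2007) without ever opening the document body. The sample document, its author names, dates and counts are constructed for the demonstration. The legacy binary .doc format the deck's screenshot most likely shows keeps the same information in OLE property streams, which also record the computer name; that format is not parsed here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Property elements to pull out, keyed by the plain name we report them under.
CORE_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "revision": "cp:revision",            # incremented on each save
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "last_printed": "cp:lastPrinted",
}
APP_FIELDS = {
    "application": "ep:Application",
    "total_edit_minutes": "ep:TotalTime",  # cumulative editing time, in minutes
    "company": "ep:Company",
    "template": "ep:Template",
}


def _collect(xml_bytes, fields):
    root = ET.fromstring(xml_bytes)
    found = {}
    for name, path in fields.items():
        el = root.find(path, NS)
        if el is not None and el.text:
            found[name] = el.text.strip()
    return found


def extract_metadata(docx_bytes):
    """Read the two metadata parts of an OOXML package; the body is never opened."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        names = set(pkg.namelist())
        if "docProps/core.xml" in names:
            meta.update(_collect(pkg.read("docProps/core.xml"), CORE_FIELDS))
        if "docProps/app.xml" in names:
            meta.update(_collect(pkg.read("docProps/app.xml"), APP_FIELDS))
    return meta


# Constructed sample: a stripped-down .docx holding only the property parts.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>user1</dc:creator>
  <cp:lastModifiedBy>user2</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <cp:lastPrinted>2005-11-02T15:12:00Z</cp:lastPrinted>
  <dcterms:created xsi:type="dcterms:W3CDTF">2005-10-30T09:41:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2005-11-03T20:05:00Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <TotalTime>95</TotalTime>
  <Company>home-office</Company>
  <Template>Normal.dotm</Template>
</Properties>"""


def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("docProps/core.xml", CORE_XML)
        pkg.writestr("docProps/app.xml", APP_XML)
        pkg.writestr("word/document.xml", "<w:document/>")  # placeholder body, never parsed
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx()

if __name__ == "__main__":
    for key, value in extract_metadata(SAMPLE_DOCX).items():
        print(f"{key:>20}: {value}")
```

The fields that matter in the cases the deck describes are the ones a user rarely knows exist: `creator` and `lastModifiedBy` tie a document to a login name, `revision` is the number of saves, `TotalTime` is how long it was open for editing, and `lastPrinted` records when (not where) it was last printed. All of them are set by the application, so a document claiming to have been created after it was last printed, or edited for 95 minutes in a 7-revision life, is a timeline the examiner can check against other evidence.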
Internet History Before Clearing
Internet History After Clearing
Presentation: Court presentation for a jury must be simple and straightforward: timelines, emails, documents, pictures.
How Computer Evidence is Used: verify alibis; establish relationships between defendant and victim or accomplices; establish documentation of events; establish mitigating circumstances; provide documents for use by forensic psychologists; document timelines.
Discovery: officer's and investigator's notes; forensic investigator's bench notes; search warrant; forensically sound copies of all imaged media; forensics report.
Questions?