Computer Forensics
This presentation is the property of its rightful owner.
Sponsored Links
1 / 29

Computer Forensics PowerPoint PPT Presentation


  • 68 Views
  • Uploaded on
  • Presentation posted in: General

Computer Forensics. Presented by: Marcus Lawson J.D . President Josiah Roloff ENCE Vice President Global CompuSearch LLC Spokane WA (main office) 509-443-9293 Portland OR 503-542-7448 Sacramento CA 916-760-7362 Palm Springs (San Diego) 760-459-2122. Overview :. Digital evidence is…

Download Presentation

Computer Forensics

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Computer forensics

Computer Forensics

Presented by: Marcus Lawson J.D. President

Josiah Roloff ENCE Vice President

Global CompuSearch LLC

Spokane WA (main office) 509-443-9293

Portland OR 503-542-7448

Sacramento CA 916-760-7362

Palm Springs (San Diego) 760-459-2122


Computer forensics

Overview:

  • Digital evidence is…

  • Hard drives- DVDs/CDs

  • Floppy Diskettes- Flash cards/thumb drives

  • GPS devices- Mobile devices

  • Smart phones- Gaming devices

  • Scanners/copiers/printers- Cameras/Camcorders


Computer forensics

When a file is deleted, is it really gone?

When a file is “deleted” only pointers to that file are removed. The data remains in the same place on the hard drive indefinitely unless overwritten by new data.

Allocated vs. Unallocated file space


Computer forensics

How do we get at the relevant data we need?

Forensic Tools:

Keyword searching

Scripts

Sorting by date

Sorting by type


Computer forensics

The Examination Process

The Forensics Tools – How they work

Case View:


Computer forensics

The Examination Process

The Forensics Tools – How they work

Picture view:


It s not me i m being set up

It’s not me! I’m being set up!

Who is responsible????

Timelines of use

(1) how they are done

(2) what they reveal


Computer forensics

The Examination Process

The Forensics Tools – How they work

Timeline Analysis: Chat occurring on July 14, 2006


Computer forensics

The Examination Process

The Forensics Tools – How they work

Timeline Analysis:


Admission of digital evidence

Admission of Digital Evidence

Tools that are validated versus those that are not (Casey Anthony)

Examiner qualifications and opinion vs. factual testimony

Documentation of findings by the examiner

The answers to the questions should be the same regardless of who is asking them


Computer forensics

Digital Evidence Case Types


Computer forensics

Case Types

Homicide

Motive: Girlfriends, boyfriends and secret lovers?

Motive: Creepy paraphilias?

Planning: Buying scuba belts on Ebay?

Planning: Studying tide currents in the bay?

Timing: Your cell phone will rat you out every time!

Case Example : OR vs. Kim


Computer forensics

Case Strategies

Fraud

Planning

Methodology

Records/Emails

Co-conspirators?

United States vs. Havens


Computer forensics

Case Strategies

Child Pornography

Is it of a child?

Is it pornographic?

Web surfing

File sharing

Possession vs. Receipt vs. Distribution


Computer forensics

Discovery & CP cases:

Child pornography cases create special discovery issues As of August 2006, the defense can no longer obtain copies of media alleged to contain contraband in federal cases under the Adam Walsh Act and must do forensic exams at government facilities.

This creates significant problems for trial prep and adds significant cost to the analysis … a cost that is often paid with public funds.


Computer forensics

Discovery & CP cases:

The Order

Most states have refused to follow the Adam Walsh model and will allow defense forensic examiners to temporarily possess a forensic copy of the media in question via court order.

If a court order is granted, there are several important issues which should be addressed in the order. (WA State sample order)

What is to be provided by the government (forensic copy)

Where the media will be examined and stored (in state)

That no contraband will be copied or removed from the forensic image

The process to be followed when the case is over


Computer forensics

Case Strategies

The Kitchen Sink

Arson : (computer research)

Robbery : (recovered CCTV)

Vehicular Homicide : (GPS)

DUI : (breathalyzer source code)

Rape : (communications before or after)


Search warrant affidavits

Search Warrant Affidavits


Search warrant affidavits1

Search Warrant Affidavits

[14] We find it particularly significant that the IP addresses

from which the qem and foel websites were created were

traced to internet subscribers hundreds of miles away from the

Chisms’ home in Nine Mile Falls, Washington. We have

explained that a computer that is connected to the internet can

be uniquely identified by its IP number, much like a land-line

phone can be uniquely identified by its phone number. See

Forrester, 512 F.3d at 510 n.5. Moreover, we have repeatedly

recognized the utility of using IP address information to

investigate child pornography offenders.

CHISM v. WASHINGTON STATE


Search warrant affidavits2

Search Warrant Affidavits

The affidavit submitted by Marcus Lawson, the president of

a computer forensic company that examined Todd Chism’s

computers similarly admonishes:

[T]o have any success as an Internet criminal,

regardless of whether one was a thief, a hacker or a

child pornography collector, it would be incumbent

to use other people’s identities to do so. . . . It is primarily

for this reason that relying only on information provided by the user of a credit card that is associated with criminal activity is inherently unreliable.

CHISM v. WASHINGTON STATE


Search warrant affidavits3

Search Warrant Affidavits

What is an IP address and why is it so important?

Computers communicate on the Internet because of certain “protocols”. These protocols allow information to be broken down into small packets, transmitted to the computer you choose and then reassembled as the file you intended to send.


Search warrant affidavits4

Search Warrant Affidavits

IP addresses are globally unique numbers that allow each computer connected to the Internet to have it's own specific address (just like your residence) and really is the only way IP networks around the world can talk with each other without everything becoming a jumbled mess.


Search warrant affidavits5

Search Warrant Affidavits


Search warrant affidavits6

Search Warrant Affidavits

File Sharing cases (should have more than one incident)

WWW based cases (subscribers and/or server log files of IP’s)

Credit Card use by itself should not be relied upon (the account information used will typically be correct)

Facebook, Yahoo, Hotmail subpoenas


Search warrant affidavits7

Search Warrant Affidavits

Static vs. Dynamic IP Addresses

The date of IP connection to the subject address must coincide with the dates documented for the offense


Search warrant affidavits8

Search Warrant Affidavits

TFA Suchy was able to download 61 files from (the defendant), fifty of which were consistent with child pornography. TFA Suchyused CommView in order to identify the IP address utilized by (the defendant) which was 99.68.129.56.

A search of the American Registry for Internet Numbers (ARIN) online database indicated that IP address 99.68.128.56 is registered to AT&T Internet Services. Results from an administrative subpoena sent to AT&T Internet Services for the date and time the files were downloaded revealed that, at that day and time, the IP address was assigned to the account registered to (the defendant’s mother), 0000 Summer Wind Drive, Brecksville, Ohio 44141.


Search warrant affidavits9

Search Warrant Affidavits


Computer forensics

Computer Forensics

If you believe a case might need forensic assistance:

  • STOP all use of the device(s)- Preservation request - Subpoena’s sent asap

  • Create forensic copies of all electronic devices - An inexpensive insurance

  • Contact an expert to assist in determining how they can be most helpful


Computer forensics

Computer Forensics

Spokane (Main) Office : 509-443-9293

Portland Office : 503-542-7448

Sacramento Office : 916-760-7362

Palm Springs Office : 760-459-2122www.GCSforensics.com


  • Login