Computer Forensics BACS 371

PowerPoint Slideshow about 'Computer Forensics BACS 371' - muniya

Evidence Collection & Admissibility

  • Evidence overview
  • Evidence admissibility
  • Challenges to evidence
  • Evidence acquisition
  • Preserving evidence
  • Evidence authenticity
  • Forensic methodology
  • Special considerations
5 Rules of Evidence
  • Admissibility – the evidence must be admissible in court.
  • Authenticity – the evidence must relate to the incident in question
  • Completeness – the evidence must be comprehensive
  • Reliability – the evidence must be consistent and uncontaminated
  • Believability – the evidence should be clearly understandable and believable by the jury
Admissible Evidence?

What makes evidence “admissible”?

  • Short answer – if a judge says it is, it is…
  • Judges use guidelines for admissibility:
    • Is the evidence relevant?
    • Is the evidence authentic and credible?
    • Is the evidence competent?
  • An overriding principle is the “exclusionary rule” which says it is not admissible if it was not collected legally.
Is it Relevant?
  • The question of relevance is usually the first considered by a judge. If it is not relevant, then it will not be admissible.
  • To be considered relevant the evidence must satisfy 2 conditions:
    • It must be material – directly relating to the case being presented.
    • It must be probative – proves something that will help get to the truth of the situation.
Is it Authentic and Credible?
  • The question of authenticity is basically asking if the evidence is what it purports to be.
  • This requires asking a number of questions which include:
    • Is the material an opinion?
    • If it is an opinion, is it the opinion of an expert witness?
    • Was it collected correctly?
    • Could it have been altered in any way?
Is it Competent?
  • It is not prejudicial in any way. This applies primarily to evidence not directly related to the case.
  • It is not privileged. For example, it cannot involve attorney-client, doctor-patient, … privileged communication.
  • It cannot be collected in violation of Constitutional rights.
  • It cannot be hearsay (except for expert witnesses).
  • It cannot violate an exclusionary rule.
Withstanding Challenges to Evidence
  • Criminal trials are often preceded by a suppression hearing.
  • This is where the admissibility (i.e., suppression) of evidence is determined.
  • At this hearing, the judge determines if the 4th Amendment was correctly followed.
  • Also, if proper discovery procedure is not followed, defendants can challenge evidence admissibility.
Exclusionary Rules
  • Exclusionary rules test whether evidence will be admissible (judges use them).
  • Exclusionary rules pertain to the following:
    • Relevancy
    • Privilege
    • Opinion of an expert
    • Hearsay
    • Authentication
Acquiring Evidence – Legal Aspects

There are a number of pertinent legal aspects to acquiring evidence. These include:

  • The 4th Amendment affects how forensic analysts can acquire evidence
  • Preserving the evidence
  • Establishing authenticity of the evidence
  • Following a repeatable process to ensure admissibility
4th Amendment Considerations when Acquiring Evidence
  • When does evidence “seizure” occur?
  • Who owns the computer that contains data?
  • What type of image is “good enough” to be searched?
  • Do attempts to delete data involve privacy or indicate a cover-up?
  • When searching a network, where do you stop?
  • What if one search leads to another? Where does one search stop and another begin?
Preserving the Evidence

Computer Forensics is the discipline of acquiring, preserving, retrieving, and presenting electronic data.

Three C’s of evidence:

  • Care
  • Control
  • Chain of Custody
Preserving and Storing the Evidence
  • Keep evidence in possession or control at all times
  • Document movement of evidence between investigators (chain of custody).
  • Secure evidence appropriately so that it can’t be tampered with or corrupted.
  • Mathematically authenticate data. (i.e., hash values)
Preserving the Evidence
  • Preserving the evidence means that you practice a defensible (objective, unbiased) approach that is:
    • Performed in accordance with forensic science principles
    • Based on standard or current best practices
    • Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence
    • Conducted by individuals who are certified in the use of verified tools, if such certification exists
    • Documented thoroughly
Establishing Authenticity
  • You should use one of the following 3 criminal evidence rules:
    • Authentication – show that it’s a true copy
    • Best Evidence Rule – work with the original
    • Exceptions to Hearsay rule – confessions or business records

Forensic analysts tend to use authentication based upon hash values.
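
Hash-based authentication ("show that it's a true copy") and the documented chain of custody from the Preserving and Storing the Evidence slide, as an added example that is not part of the original presentation. The file name, party names and timestamps are constructed sample values, and chaining each custody record to the previous one is an assumption of this sketch rather than something the slides prescribe.

```python
import hashlib, json, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def custody_entry(log, item_hash, action, from_party, to_party, when):
    """Append a custody record that commits to the record before it."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    rec = {"item_sha256": item_hash, "action": action, "from": from_party,
           "to": to_party, "when": when, "prev": prev}
    rec["entry_hash"] = hashlib.sha256(
        json.dumps(rec, sort_keys=True).encode()).hexdigest()
    log.append(rec)

def verify_log(log):
    """Return True if no record was edited, removed or reordered."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev"] != prev or rec["entry_hash"] != digest:
            return False
        prev = rec["entry_hash"]
    return True

def verify_copy(path, log):
    """True if the log is intact and the file matches the acquisition hash."""
    return verify_log(log) and sha256_file(path) == log[0]["item_sha256"]

def demo():
    """Constructed sample: a small stand-in image file and two custody events."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "image.dd")
        with open(img, "wb") as f:
            f.write(b"constructed sample evidence bytes" * 1000)
        log, h = [], sha256_file(img)
        custody_entry(log, h, "acquired", "scene", "Analyst A", "2024-01-01T09:00Z")
        custody_entry(log, h, "transferred", "Analyst A", "Analyst B", "2024-01-02T14:30Z")
        intact = verify_copy(img, log)
        with open(img, "r+b") as f:      # simulate one altered byte in the copy
            f.write(b"X")
        altered = verify_copy(img, log)
        log[0]["to"] = "Someone Else"    # simulate an edited custody record
        return intact, altered, verify_log(log)
```

Chaining exposes an edited record only if the final `entry_hash` is also written somewhere the log's holder cannot rewrite, such as the signed paper custody form.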

Legal Authenticity Standards

Over the years, several evidence standards have been devised.

  • Relevancy test – Anything that is materially relevant to the case
  • Frye Standard – Technique must be sufficiently established (general acceptance test)
  • Coppolino Standard – Even if not generally accepted, court can accept if good foundation laid
  • Marx Standard – No need to sacrifice common sense
  • Daubert Standard – Rigorous test with special discovery procedures
Forensic Methodology

A forensic methodology is a well-defined, repeatable process used by forensic analysts to ensure that:

  • Evidence is properly collected, prepared, and stored
  • Evidence is analyzed in a consistent and thorough manner acceptable to the court
  • Analyst objectivity is maintained
  • Documentation is collected to ensure that a comprehensive report can be generated.
Brief Outline of the Scientific Method

Successful forensic examinations generally follow the scientific method.

  • Identify and research a problem
  • Formulate a hypothesis
  • Conceptually and empirically test the hypothesis
  • Evaluate the hypothesis with regard to test results
  • If hypothesis is acceptable, evaluate its impact. If not, reevaluate the hypothesis
Special Considerations
  • Digital Forensics has some special considerations when it comes to evidence.
    • The plain view doctrine
    • Multiple computer users
    • Search with consent
Plain View Doctrine
  • The plain view doctrine was developed for physical, tangible evidence.
  • Digital evidence requires a more refined definition of “plain view”
    • Inadvertence approach
    • Prophylactic test approach
    • Computers as containers approach
Multiple Computer Users
  • Any time a computer is configured for multiple users the issue of privacy becomes convoluted.
  • Legal search in these cases revolves around the notion of “reasonable expectation of privacy.”
  • Accounts with passwords are a strong case for individual account privacy.
  • The problem is also present in network environments and cloud storage situations.
Search with Consent
  • Multiple computer user accounts combined with forensic tools that cannot distinguish who actually owns a file can cause search with consent problems.
  • The general rule is that consent cannot be given to another user's files if an effort has been made to segregate the users (e.g., passwords, independent folders, …).
  • The issue is clouded when the user accounts have administrative privilege (since they can reset passwords).
Summary
  • Evidence must be admissible, authentic, complete, reliable, and believable.
  • Judges determine admissibility based on a set of exclusionary rules and other procedural concerns.
  • Improper search and seizure can make even the best evidence inadmissible.
  • There are various ways to establish the authenticity of evidence.
  • Certain special considerations must be taken into account when working with digital evidence.