Forensics

Presentation Transcript


  1. Forensics
     • Computer Evidence
     • Evidence Acquisition

  2. Types of Evidence
     • Real Evidence
       • A computer
       • A hard disk
       • A CD
       • USB flash drive
     • Documentary Evidence
       • Written documents
       • Computer files
       • Computer log files

  3. Types of Evidence
     • Testimonial Evidence
       • Witness testimony in a courtroom
       • Written deposition
     • Demonstrative Evidence
       • Visual aids to help explain other evidence
         • PowerPoint presentation
         • Flow chart
         • Diagram
         • Map

  4. Search and Seizure
     • Voluntary Surrender
       • Get written consent from the owner of the equipment
       • An employee may have signed such an agreement as a condition of employment
     • Subpoena
       • Used only when notification will not result in destruction of the evidence
     • Search Warrant
       • Used by law enforcement officers to seize evidence without giving prior notice to the owner
       • Must present evidence of probable cause

  5. Chain of Custody
     • Shows that evidence was properly acquired and has not been modified
     • Each step of evidence collection, storage and analysis must be well documented
     • Every access to the evidence must record when, who, where, and what was done to the evidence

  6. Using Evidence in Court
     • Relevance
       • Must prove or disprove the facts of the case
     • Admissible
       • Legally collected
       • Not modified
       • Chain of custody
     • Best Evidence
       • Original document

  7. Digital Media
     • Create a checksum of the original
     • Make a bit-level image for analysis
       • Original accessed read-only
       • Verify that the checksum of the copy is the same as that of the original
       • Software write blocker
       • Hardware write blocker
     • Do analysis only on the copy, and verify its checksum again at the conclusion of the analysis
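The acquisition procedure of slide 7 together with the custody record of slide 5, as an added example that is not part of the original presentation: the source is hashed while opened read-only, copied bit-for-bit in chunks, the copy's hash is compared with the source hash, and each step is written to a chain-of-custody log with when, who, where and what. A hardware or software write blocker on the source device is assumed to be in place outside this script; the device is stood in for by a constructed temporary file, and the examiner and location names are placeholders.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
CHUNK = 1024 * 1024  # 1 MiB reads: a whole disk never has to fit in memory

def sha256_of(path):  # hash a file or raw device bit-for-bit, opened read-only
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def custody_entry(who, where, what, digest):
    # Slide 5: every access records when, who, where and what was done.
    return {"when": datetime.now(timezone.utc).isoformat(),
            "who": who, "where": where, "what": what, "sha256": digest}

def acquire_image(source, image, who, where, log):
    # Slide 7: checksum the original, make a bit-level copy, checksum the copy.
    src_hash = sha256_of(source)
    log.append(custody_entry(who, where, f"hashed source {source}", src_hash))
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    img_hash = sha256_of(image)
    log.append(custody_entry(who, where, f"imaged {source} -> {image}", img_hash))
    if img_hash != src_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    return src_hash

def verify_image(image, expected, who, where, log):
    # Re-hash the working copy (e.g. when analysis ends) against the acquisition hash.
    current = sha256_of(image)
    ok = current == expected
    log.append(custody_entry(who, where, "verified image" if ok else "IMAGE MISMATCH", current))
    return ok

def demo():
    # Constructed stand-in for a seized drive: sample bytes in a temp file, not real evidence.
    tmp = tempfile.mkdtemp()
    source, image = f"{tmp}/drive.bin", f"{tmp}/drive.dd"
    with open(source, "wb") as f:
        f.write(b"\x55\xaa" * 4096 + b"constructed sample bytes")
    log = []
    h = acquire_image(source, image, "Examiner A", "Lab bench 2", log)
    ok_before = verify_image(image, h, "Examiner A", "Lab bench 2", log)
    with open(image, "ab") as f:  # simulate an accidental write to the working copy
        f.write(b"\x00")
    ok_after = verify_image(image, h, "Examiner A", "Lab bench 2", log)
    return ok_before, ok_after, log
```

The second verification fails after the simulated stray write, which is exactly the case the closing checksum on slide 7 exists to catch; on a real device the source path would be the block device node behind a write blocker.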

  8. Evidence Collection
     • Before touching anything, take pictures, draw sketches, and write descriptions of everything
     • Take everything that might be relevant
       • Keyboard, mouse, media, documents, computer, hard disk, USB drives, etc.
     • Backup media
       • CDs, DVDs, Blu-ray discs, tape (and the tape drive)
     • Notes containing passwords, URLs, phone numbers, names, addresses, email addresses

  9. Live Computers
     • Pull the plug?
       • Prevents the shutdown software from deleting evidence
     • Document system state?
       • Run software from a USB flash drive or CD to examine and document system state
       • Any program run will change the state of RAM
       • Accessing files will change the file access date/time

  10. Where to Look?
     • Activity logs
     • Internet browser history
     • Files whose extension does not match the file header
     • Check the Recycle Bin
     • Use an un-erase tool to find deleted files
     • Search files for keywords
     • Search slack space
     • Look for encrypted files

  11. Presenting Evidence
     • Tell what, why, how, and the conclusions
     • Give the big picture, but have details ready if questioned
     • If there are volumes of evidence, present samples
     • Use visual aids to help simplify the explanation