1 / 47

COS/PSA 413

COS/PSA 413. Day 10. Agenda. Lab 4 Write-ups are in Will have corrected by next class Lab 5 write-ups due Oct 19 Assignment 3 posted (due Oct 21) Capstone Proposals Over due See guidelines in WebCT All 10 require some modifications (emails sent) Got one back so far Exam 2 on Oct 21

joanna
Download Presentation

COS/PSA 413

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. COS/PSA 413 Day 10

  2. Agenda • Lab 4 Write-ups are in • Will have corrected by next class • Lab 5 write-ups due Oct 19 • Assignment 3 posted (due Oct 21) • Capstone Proposals Over due • See guidelines in WebCT • All 10 require some modifications (emails sent) • Got one back so far • Exam 2 on Oct 21 • Chaps 5-9, 10 M/C (30 Points) , 10 Short Answer (30 points), 5 Essays (40 points) Open Book, Open Notes, 70 min. time limit. • Today we will discuss Processing Crime and Incident scenes • Chap 8 in 1e and Chap 5e in 2e (mostly the same except using different forensics tools)

  3. Processing Crime and Incident Scenes Chapter 8

  4. Learning Objectives • Process Crime and Incident Reports • Process a Law Enforcement Crime Scene • Prepare for a Search • Secure a Computer Incident or Crime Scene • Seize Digital Evidence at the Scene • Collect Digital Evidence • Review a Case

  5. Processing Crime and Incident Reports

  6. Collecting Evidence in Private-Sector Incident Scenes • Freedom of Information Act (FOIA) • States public records are open and available for inspection • Citizens can request public documents created by federal agencies • Homeland Security Act • Patriot Act

  7. Collecting Evidence in Private-Sector Incident Scenes (continued) • Corporate environment is much easier than criminal environment • Employees’ expectation of privacy • Create and publish a privacy policy • Use warning banners • State when an investigation can be initiated • Reasonable suspicion

  8. Collecting Evidence in Private-Sector Incident Scenes (continued)

  9. Collecting Evidence in Private-Sector Incident Scenes (continued) • Avoid becoming a law enforcement agent • Check with your corporate attorney on how to proceed • Commingled data • Warrants • Subpoena • Civil liability

  10. Processing Law Enforcement Crime Scenes • Criminal rules of search and seizure • Probable cause • Specific crime was committed • Evidence exists • Place to be searched includes evidence • Warrant • Probable cause • Witness

  11. Processing Law Enforcement Crime Scenes (continued)

  12. Understanding Concepts and Terms Used in Warrants • Innocent information • Unrelated information • Limiting phrase • Separate innocent information from evidence • Plain view doctrine • Searched area can be extended • Knock and announce

  13. Preparing for a Search • Most important step in computing investigations • Steps: • Identifying the nature of the case • Identifying the type of computer system • Determining whether you can seize a computer • Obtaining a detailed description of the location

  14. Preparing for a Search (continued) • Steps (continued): • Determining who is in charge • Using additional technical expertise • Determining the tools you need • Preparing the investigation team

  15. Identifying the Nature of the Case • Private or public • Dictates: • How you proceed • Resources needed during the investigation

  16. Identifying the Type of Computing System • Identify: • Size of the disk drive • Number of computers at the crime scene • OSs • Specific details about the hardware • Easier to do in a controlled environment, such as a corporation

  17. Determining Whether You Can Seize a Computer • Ideal situation • Seize computers and take them to your lab • Not always possible • Need a warrant • Consider using portable resources

  18. Obtaining a Detailed Description of the Location • Get as much information as you can • Identify potential hazards • Interact with your HAZMAT team • HAZMAT guidelines • Protect your target disk before using it • Check for high temperatures

  19. Determining Who Is in Charge • Corporate computing investigations require only one person to respond • Law enforcement agencies: • Handle large-scale investigations • Designate leader investigators

  20. Using Additional Technical Expertise • Look for specialists • OSs • RAID servers • Databases • Can be hard • Educate specialists in proper investigative techniques • Prevent evidence damage

  21. Determining the Tools You Need • Prepare your tools using incident and crime scene information • Initial-response field kit • Lightweight • Easy to transport • Extensive-response field kit • Includes all tools you can afford

  22. Determining the Tools You Need (continued)

  23. Determining the Tools You Need (continued)

  24. Preparing the Investigation Team • Review facts, plans, and objectives • Coordinate an action plan with your team • Collect evidence • Secure evidence • Slow response can cause digital evidence lost

  25. Securing a Computer Incident or Crime Scene • Preserve the evidence • Keep information confidential • Define a secure perimeter • Use yellow barrier tape • Legal authority • Professional curiosity • Can destroy evidence

  26. Seizing Digital Evidence at the Scene • Law enforcement can seize evidence with a proper warrant • Corporate investigators rarely can seize evidence • U.S. DoJ standards for seizing digital data • Civil investigations follow same rules • Require less documentation, though • Consult with your attorney for extra guidelines

  27. Processing a Major Incident or Crime Scene • Guidelines • Keep a journal • Secure the scene • Be professional and courteous with onlookers • Remove people who are not part of the investigation • Video record the computer area • Pay attention to details

  28. Processing a Major Incident or Crime Scene (continued) • Guidelines (continued) • Sketch the incident or crime scene • Check computers as soon as possible • Save data from current applications as safe as possible • Make notes of everything you do when copying data from a live suspect computer • Close applications and shutdown the computer

  29. Processing a Major Incident or Crime Scene (continued) • Guidelines (continued) • Look for information related to the investigation • Passwords, passphrases, PINs, bank accounts • Collect documentation and media related to the investigation • Hardware, software, backup media

  30. Processing Data Centers with an Array of RAIDs • Sparse evidence file recovery • Extracts only data related to evidence for your case from allocated files • Minimizes how much data you need to analyze • Doesn’t recover residual data in free or slack space • If you have a computer forensics tool that accesses the unallocated space on a RAID system, work it on a test system first to make sure it doesn’t corrupt the RAID computer

  31. Using a Technical Advisor at an Incident or Crime Scene • Technical specialists • Responsibilities: • Know aspects of the seized system • Is direct investigator handling sensitive material • Help securing the scene • Help document the planning strategy • Conduct ad hoc trainings • Document activities

  32. Sample Civil Investigation • Recover specific evidence • Suspect’s Outlook e-mail folder (PST file) • Covert surveillance • Company policy • Risk of civil or criminal liability • Sniffing tools • For data transmissions

  33. Sample Criminal Investigation • Computer crimes examples • Fraud • Check fraud • Homicides • Need a warrant to start seizing evidence • Limit searching area

  34. Sample Criminal Investigation (continued)

  35. Reviewing a Case Tasks to perform in a case: - Identify the case requirements - Plan your investigation - Execute the investigation - Complete the case report - Critique the case

  36. Reviewing a Case

  37. Reviewing a Case Identifying the Case Requirements - What is the nature of the case? Two people are missing or overdue at work. - What are their names? George Popson and Martha Heiser - What do they do? George is a supervisor in the Accounts Payable Department, and Martha is a shipping clerk.

  38. Reviewing a Case Identifying the Case Requirements - What is the OS of the suspect computer? Microsoft Windows 98. - What type of media needs to be examined? One floppy disk drive.

  39. Reviewing a Case Planning Your Investigation - George and Martha’s absences might or might not be related. - George’s computer might contain information explaining their absence. - No one else has used George’s computer since he disappeared. - You need to make an image of George’s computer and attempt to retrieve evidence related to the case.

  40. Chapter Summary • In the private sector, an incident scene is often a place of work, such as a contained office or manufacturing area. Because everything from the computers used to violate a company policy to the surrounding facility is under a controlled authority, it is easier to investigate and control the scene than in a criminal environment.

  41. Chapter Summary • Companies should publish policies stating that they reserve the right to inspect computing assets at will; otherwise, the employees’ expectation of privacy prevents an employer from legally conducting an intrusive investigation. A well-defined corporate policy states that an employer has the right to examine, inspect, or access any company-owned computing asset. If the policy statement is issued to all employees, the employer can investigate computing assets at will without any privacy right restrictions.

  42. Chapter Summary • Proper procedure needs to be followed even in private-sector investigations, because civil litigations can become criminal investigations very easily. As a corporate investigator, you must ensure that sensitive company information does not become commingled with criminal evidence.

  43. Chapter Summary • If an internal corporate case is turned over to law enforcement because of criminal activity, the corporate investigator must avoid becoming an agent of law enforcement because at that time, affidavits and search warrants are needed. • The plain view doctrine applies when items that are evidentiary, and not specified in a warrant under probable cause, are in plain view.

  44. Chapter Summary • Criminal cases require a properly executed and well-defined search warrant. A specific crime and specific location must be spelled out in the warrant. For all criminal investigations in the United States, the Fourth Amendment to the Constitution specifies that a law enforcement officer may only search for and seize criminal evidence with probable cause, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.

  45. Chapter Summary • When preparing for a case, you need to describe the nature of the case, identify the type of Operating System (OS), determine whether you can seize the computer, and obtain a description of the location. • If dealing with a hazardous material (HAZMAT) situation, you may need to have someone else obtain the evidence from the location.

  46. Chapter Summary • Always take pictures or use a digital camera to document the scene. Then methodically record what exists at the scene. Prevent professional curiosity from contaminating evidence by limiting who enters the scene.

  47. Chapter Summary • As you collect digital evidence, guard against physically destroying or contaminating it. Take precautions to prevent static electricity discharge to electronic devices. If possible, bag or box digital evidence and any hardware you collect from the incident or crime scene. As you collect the hardware, sketch the equipment, including extra markings of where components were located. Tag and number each cable, port, and any other connection and record its number and description in a log.

More Related