
Berkeley College Cyber Crime

Lecture Notes-Chapter 12

PROCESSING OF EVIDENCE AND REPORT PREPARATION

  1. Digital Forensics: Science and Technology


  1. What Makes Digital Forensics a Science?

The processes used must be repeatable and proven.

If the examiner follows a process that is haphazard or varies too much from one examination to the next, it is not scientific.


  1. Validation of Technology in Digital Forensic Investigations

1. Selecting a Forensic Tool:

  1. Is it read only? Yes or No.

  2. Can the examiner repeat results? What are the validation steps?

  3. Is the data verified and if so how?

  4. Was it designed for forensics, and are the images gathered valid?

Is it a commercial tool that is being used in forensics?

How is the image file created?


2. Designing a Proper Test Plan or Validation Plan

a. Scope of the Plan.

b. How often will the test be redone.

c. Create baseline for test.

d. Establish base parameters for tool.

e. Evaluate base parameters against manufacturer.

f. Run test image of baseline.

g. Compare results with tool manufacturer if available.

h. Repeat process and note differences.
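
One way to carry out steps c, f, g and h of the plan above, as an added example that is not part of the lecture notes. It assumes verification means comparing SHA-256 digests (the notes do not name a method); `acquire`, `make_baseline` and `bad_tool` are hypothetical names, with `acquire` standing in for the tool under test.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def validate_tool(acquire, baseline_path, runs=3, reference_digest=None):
    """Run acquire(src, dst), a stand-in for the tool under test, `runs` times.

    reference_digest is the manufacturer's expected value, if one is available.
    """
    baseline = sha256_file(baseline_path)                    # step c
    report = {"baseline": baseline, "runs": [], "differences": []}
    with tempfile.TemporaryDirectory() as work:
        for n in range(1, runs + 1):                         # steps f and h
            dst = os.path.join(work, f"image_{n}.dd")
            acquire(baseline_path, dst)
            report["runs"].append(sha256_file(dst))
            if report["runs"][-1] != baseline:
                report["differences"].append(f"run {n}: image differs from baseline")
            if sha256_file(baseline_path) != baseline:       # read-only check
                report["differences"].append(f"run {n}: source was modified")
    if reference_digest and reference_digest != baseline:    # step g
        report["differences"].append("baseline differs from manufacturer reference")
    report["passed"] = not report["differences"]
    return report


def make_baseline(path, size=4096):
    """Constructed test image: a fixed byte pattern, not real evidence."""
    with open(path, "wb") as f:
        f.write(bytes(i % 251 for i in range(size)))


def bad_tool(src, dst):
    """Constructed faulty tool: copies the source, then appends a stray byte."""
    shutil.copyfile(src, dst)
    with open(dst, "ab") as f:
        f.write(b"\x00")
```

Passing `shutil.copyfile` as `acquire` gives a passing report with identical digests on every run, while `bad_tool` produces one recorded difference per run.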

  1. Aspects of Data Technology

1. Documentation Requirement: Analysts should continue the documentation process that was initiated by the evidence technicians at the crime scene.

2. Using a variety of software packages, it is now possible to thoroughly analyze all of the information on each piece of storage media.

3. Investigators should properly document all forensic software utilized.

4. All media used in the analysis of computer evidence must be sterile prior to analysis.

5. Licenses for all forensic software that is used in the analysis should be verified.

6. Examiners should note the condition of the suspect equipment prior to analysis.

7. Analysts should ensure that they are conducting the analysis on an image of the suspect data and not the original. The original should be forensically pure.

8. Analysts should utilize appropriate manipulation techniques to defeat passwords if traditional password cracking software doesn’t work.

9. Investigators may use software capable of restoring files that suspects attempted to erase or hide.

10. Examiners should list all the files on the suspect drive after the recovery as part of the documentation process.

  1. Evidence from Internet Activity and Smartphones

    1. Internet Activity: most cases will involve the Internet in some way.

1. Investigators must be able to document a relationship between the suspect and the evidence.

Links may include: IP addresses, domain names and e-mails.


2. Suspects may use the Internet for a variety of reasons:

a. Trading or sharing information.

b. Concealing their identity.

c. Assuming another identity.

d. Identifying or gathering information on victims.

e. Distributing information or misinformation.

f. Coordinating meetings, meeting sites or parcel drops.

    1. Smartphones and GPS Forensics:

Smartphones have become like minicomputers and may contain criminal evidence:

Read Only Memory (ROM)

Random Access Memory (RAM)

Support memory cards

  1. Forensic Reports

All reports involving data analysis should include the date, time and identification of investigative personnel for the following events:


  1. Evidence seizure: description of the physical condition of the seized evidence.

  2. Digital imaging and verification: software used.

  3. Application of forensic software: text searching, restoration of files, indexing, file reviewers, data carving, e-mail viewers.

  4. Special techniques or unique problems encountered.

  5. Consultation with outside sources.

HOMEWORK QUESTIONS CHAPTER 12

  1. Discuss the validation requirements for the technology used in digital forensics.

  2. List the ways suspects use the Internet in computer-related crimes discussed in the lecture notes.

  3. Discuss the reporting requirements for forensic investigators described in the lecture notes.

  4. What makes digital forensics a science?