CMU ISR 08732 - Collecting Evidence from a Running Computer
Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community

By Todd G. Shipley, CFE, CFCE, and Henry R. Reeve, Esq.

SEARCH, The National Consortium for Justice Information and Statistics

This report was prepared by SEARCH, The National Consortium for Justice Information and Statistics, Francis X. Aumand III, Chairman, and Ronald P. Hawley, Executive Director. This report was produced as a product of a project funded by the Office of Juvenile Justice and Delinquency Prevention (OJJDP), Office of Justice Programs, U.S. Department of Justice, under Cooperative Agreement No. 2005-MC-CX-K021, awarded to SEARCH Group, Incorporated, 7311 Greenhaven Drive, Suite 145, Sacramento, California 95831. Contents of this document do not necessarily reflect the views or policies of the OJJDP or the U.S. Department of Justice. Copyright © SEARCH Group, Incorporated, dba SEARCH, The National Consortium for Justice Information and Statistics, 2006.

Acknowledgments

This primer was prepared by Todd G. Shipley, CFE, CFCE, Director of Systems Security and High Tech Crime Training for SEARCH, The National Consortium for Justice Information and Statistics, and Henry R. “Dick” Reeve, General Counsel and Deputy District Attorney, Denver, Colorado. This paper was written under the direction of the Legal Committee of the Working Group of the Internet Crimes Against Children Task Forces.

SEARCH, The National Consortium for Justice Information and Statistics, 7311 Greenhaven Drive, Suite 145, Sacramento, California 95831. Phone: (916) 392-2550. Fax: (916) 392-8440. www.search.org

Traditional Computer Search and Seizure Methodology

“Traditionally, computer forensics has focused on researching, developing, and implementing proper techniques, tools, and methodologies to collect, store, and preserve sensitive data that is left on a system’s hard drive(s).” — First Responders Guide to Computer Forensics (CERT Training and Education Handbook)

The traditional method for law enforcement when dealing with the search and seizure of computers at a crime scene is to simply unplug the computer and book it into the evidence facility. From there, the investigator requests that the computer be examined by a trained digital evidence examiner. The examiner then makes a “forensically sound” copy of the computer’s hard drive(s)[1] and reviews the copy for evidence or contraband. Upon completion, the examiner reports the findings back to the investigator.

This methodology was developed in the early days of computer forensics to ensure that the data was not changed in any way. It was developed in light of a number of considerations, including defending against later challenges in court that the investigator or examiner altered or created evidence found on the device. Since the early 1990s, this methodology has been central to law enforcement’s response in handling computers found at a crime scene. As stated in a 2001 National Institute of Justice (NIJ) publication titled Electronic Crime Scene Investigation: A Guide for First Responders:

“Each responder must understand the fragile nature of electronic evidence and the principles and procedures associated with its collection and preservation. Actions that have the potential to alter, damage, or destroy original evidence may be closely scrutinized by the courts.”[2]

A more recent NIJ document, Forensic Examination of Digital Evidence: A Guide for Law Enforcement, further states:

“When dealing with digital evidence, the following general forensic and procedural principles apply:
• Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
• Persons conducting an examination of digital evidence should be trained for that purpose.
• Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.
Through all of this, the examiner should be cognizant of the need to conduct an accurate and impartial examination of the digital evidence.”[3]

What this means simply is that law enforcement officers generally should not do anything that changes electronic evidence unless the circumstances of a particular situation justify something different. Inadvertent or accidental changing of evidence could be caused by simply looking through files on a running computer or by booting up the computer to “look around” or play games on it. This strict methodology has historically provided for original evidence that, if relevant, is difficult for defense counsel to successfully challenge when it is introduced in court. However, we must remember that every crime scene is changed by the action of law enforcement being there. In fact, the NIJ research report Crime Scene Investigation: A Guide for Law Enforcement acknowledges that contamination occurs, and describes methods to limit that contamination.[4]

It is important to note that potential evidence may be lost or destroyed if a running computer is encountered by law enforcement and seized as part of an investigation using the historical methodology described above. (A “running computer” is defined as a computer that is already “powered on” when encountered at a crime scene.)

Notes
[1] A forensically sound copy of a computer hard drive is one that is a bit-for-bit copy.
[2] U.S. Department of Justice, Office of Justice Programs, National Institute of Justice (Washington, DC: July 2001) at page 1. The guide was written and approved by the Technical Working Group for Electronic Crime Scene Investigation.
[3] U.S. Department of Justice, Office of Justice Programs, National Institute of Justice (Washington, DC: April 2004) at page 1.
[4] U.S. Department of Justice, Office of Justice Programs, National Institute of Justice (Washington, DC: January 2000). This report was written and approved by the Technical Working Group on Crime Scene Investigation.

There are other types of volatile data that could be considered evidence of interest to an investigation. This potentially exculpatory information may also simply “go away” when the system is turned off or loses power. This type of volatile data as potential evidence can also be collected from a running Microsoft Windows computer. Some of the additional data that can be collected may include:
1. Who is logged into the system.
2. Open ports and listening applications.
3. Lists of currently running processes.
4. Registry information.
5. System information.
6.
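A live-response script for the five volatile-data categories in the list above, added here as an example and not part of the primer or any SEARCH tooling; it assumes an Administrator PowerShell session on Windows 8 / Server 2012 or later and writes to a placeholder path ($Dest) on investigator-controlled media. Each artifact is timestamped and SHA-256 hashed into a collection log as it is written, so that what was done on the running system is documented and reviewable in the sense of the NIJ principles quoted above.

```powershell
# Added example (not from the primer): live-response collection of the five volatile-data
# categories listed above. Assumes Windows 8/Server 2012 or later with PowerShell 5.1,
# an Administrator session, and $Dest on investigator-controlled media (placeholder path).
param([string]$Dest = 'E:\LiveResponse')

$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Out   = Join-Path $Dest "$($env:COMPUTERNAME)-$Stamp"
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Contemporaneous log: which account collected what, when (UTC), on which host.
$Log = Join-Path $Out 'collection-log.txt'
"Collection start (UTC): $((Get-Date).ToUniversalTime().ToString('o'))" | Out-File $Log
"Examiner account: $env:USERDOMAIN\$env:USERNAME  Host: $env:COMPUTERNAME" | Out-File $Log -Append
# Steps run in the listed order; the most volatile data (sessions, sockets) is captured first.
$Steps = [ordered]@{
  # 1. Who is logged into the system
  '1-logged-on-users.txt' = {
    Get-CimInstance Win32_LoggedOnUser |
      ForEach-Object { "$($_.Antecedent.Domain)\$($_.Antecedent.Name)" } | Sort-Object -Unique
    "Console user: $((Get-CimInstance Win32_ComputerSystem).UserName)" }
  # 2. Open ports and listening applications (owning PID resolved to an image name)
  '2-listening-ports.txt' = {
    Get-NetTCPConnection -State Listen |
      Select-Object LocalAddress, LocalPort, OwningProcess,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
      Format-Table -AutoSize | Out-String -Width 200 }
  # 3. Currently running processes
  '3-processes.txt' = {
    Get-Process | Select-Object Id, ProcessName, Path, StartTime |
      Format-Table -AutoSize | Out-String -Width 200 }
  # 4. Registry information (autostart Run keys shown here; widen the key list per case)
  '4-registry-run-keys.txt' = {
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | ForEach-Object {
      "[$_]"; Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue | Out-String } }
  # 5. System information
  '5-system-info.txt' = { systeminfo }
}

foreach ($Name in $Steps.Keys) {
  $File  = Join-Path $Out $Name
  $Block = $Steps[$Name]
  $T0    = (Get-Date).ToUniversalTime().ToString('o')
  & $Block 2>&1 | Out-File -FilePath $File -Encoding utf8
  # Hash each artifact as soon as it is written so any later alteration is detectable.
  $Hash = (Get-FileHash -Path $File -Algorithm SHA256).Hash
  "$T0  $Name  SHA256=$Hash" | Out-File $Log -Append
}
"Collection end (UTC): $((Get-Date).ToUniversalTime().ToString('o'))" | Out-File $Log -Append
```

Running the script itself alters the system (a new process, file handles, log entries), which is exactly the trade-off the primer describes; the collection log records those actions so they can be accounted for later.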