
Guide to Computer Forensics and Investigations, Fourth Edition

Outline
• Objectives
• Identifying Digital Evidence
• Understanding Rules of Evidence
• Collecting Evidence in Private-Sector Incident Scenes
• Processing Law Enforcement Crime Scenes
• Understanding Concepts and Terms Used in Warrants
• Preparing for a Search
• Identifying the Nature of the Case
• Identifying the Type of Computing System
• Determining Whether You Can Seize a Computer
• Obtaining a Detailed Description of the Location
• Determining Who Is in Charge
• Using Additional Technical Expertise
• Determining the Tools You Need
• Preparing the Investigation Team
• Securing a Computer Incident or Crime Scene
• Seizing Digital Evidence at the Scene
• Preparing to Acquire Digital Evidence
• Processing an Incident or Crime Scene
• Processing Data Centers with RAID Systems
• Using a Technical Advisor
• Documenting Evidence in the Lab
• Processing and Handling Digital Evidence
• Storing Digital Evidence
• Evidence Retention and Media Storage Needs
• Documenting Evidence
• Obtaining a Digital Hash
• Reviewing a Case
• Sample Civil Investigation
• Sample Criminal Investigation
• Reviewing Background Information for a Case
• Identifying the Case Requirements
• Planning Your Investigation
• Conducting the Investigation: Acquiring Evidence with AccessData FTK
• Summary

Chapter 5: Processing Crime and Incident Scenes

Objectives
• Explain the rules for digital evidence
• Describe how to collect evidence at private-sector incident scenes
• Explain guidelines for processing law enforcement crime scenes
• List the steps in preparing for an evidence search
• Describe how to secure a computer incident or crime scene

Objectives (continued)
• Explain guidelines for seizing digital evidence at the scene
• List procedures for storing digital evidence
• Explain how to obtain a digital hash
• Review a case to identify requirements and plan your investigation

Identifying Digital Evidence
• Digital evidence
  – Can be any information stored or transmitted in digital form
• U.S. courts accept digital evidence as physical evidence
  – Digital data is a tangible object
• Some require that all digital evidence be printed out to be presented in court

Identifying Digital Evidence (continued)
• General tasks investigators perform when working with digital evidence:
  – Identify digital information or artifacts that can be used as evidence
  – Collect, preserve, and document evidence
  – Analyze, identify, and organize evidence
  – Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably
• Collecting computers and processing a criminal or incident scene must be done systematically

Understanding Rules of Evidence
• Consistent practices help verify your work and enhance your credibility
• Comply with your state’s rules of evidence or with the Federal Rules of Evidence
• Evidence admitted in a criminal case can be used in a civil suit, and vice versa
• Keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence

Understanding Rules of Evidence (continued)
• Data you discover from a forensic examination falls under your state’s rules of evidence
  – Or the Federal Rules of Evidence
• Digital evidence is unlike other physical evidence because it can be changed more easily
  – The only way to detect these changes is to compare the original data with a duplicate
• Most federal courts have interpreted computer records as hearsay evidence
  – Hearsay is secondhand or indirect evidence

Understanding Rules of Evidence (continued)
• Business-record exception
  – Allows “records of regularly conducted activity,” such as business memos, reports, records, or data compilations
• Generally, computer records are considered admissible if they qualify as a business record
• Computer records are usually divided into:
  – Computer-generated records
  – Computer-stored records

Understanding Rules of Evidence (continued)
• Computer records must be shown to be authentic and trustworthy
  – To be admitted into court
• Computer-generated records are considered authentic
  – If the program that created the output is functioning correctly
• Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic

Understanding Rules of Evidence (continued)
• When attorneys challenge digital evidence
  – Often they raise the issue of whether computer-generated records were altered
    • Or damaged after they were created
• One test to prove that computer-stored records are authentic is to demonstrate that a specific person created the records
  – The author of a Microsoft Word document can be identified by using file metadata

Understanding Rules of Evidence (continued)
• The process of establishing digital evidence’s trustworthiness originated with written documents and the best evidence rule
• Best evidence rule states:
  – To prove the content of a written document, recording, or photograph,



USF ACG 6936 - Study guide
