The Discovery, Processing, Acquisition and Presentation of Digital Evidence
Amitesh Bharat Singh, IRS, Additional Commissioner
Presentation made at NACEN, India
Posted Apr 08, 2018; 69 slides
Source: http://slidepdf.com/reader/full/the-discovery-processing-acquisition-and-presentation (retrieved 8/7/2019)

Transcript

Page 1: Title slide (as above)

Page 2
The First Responder
After securing the scene and all persons at the scene, the first responder should visually identify all potential evidence and ensure that the integrity of both the digital and traditional evidence is preserved. Digital evidence on computers and other electronic devices can be easily altered, deleted, or destroyed. First responders should document, photograph, and secure digital evidence as soon as possible at the scene.

Page 3
When securing and evaluating the scene, the first responder should:
- Secure the crime scene.
- Immediately secure all electronic devices, including personal or portable devices.
- Ensure that no unauthorized person has access to any electronic devices at the crime scene.
- Refuse offers of help or technical assistance from any unauthorized persons.
- Remove all persons from the crime scene or the immediate area from which evidence is to be collected.
- Ensure that the condition of any electronic device is not altered.
- Leave a computer or electronic device off if it is already turned off.

Pages 4 to 18: image slides showing device types. Slide titles: Types of Computers; Types of Hard Drives; External Hard Drives; Memory Cards; Handheld devices; Other sources of digital evidence; Servers.

Page 19
Evaluating the potential sources of evidence
Components such as keyboard, mouse, removable storage media, and other items may hold latent evidence such as fingerprints, DNA, or other physical evidence that should be preserved. First responders should take the appropriate steps to ensure that physical evidence is not compromised during documentation.

Developments in technology and the convergence of communications capabilities have linked even the most conventional devices and services to each other, to computers, and to the Internet. This rapidly changing environment makes it essential for the first responder to be aware of the potential digital evidence in telephones, digital video recorders, other household appliances, and motor vehicles.

Page 20
Is it on or off?
If a computer is on or the power state cannot be determined, the first responder should:
- Look and listen for indications that the computer is powered on. Listen for the sound of fans running or drives spinning, or check to see if light emitting diodes (LEDs) are on.
- Check the display screen for signs that digital evidence is being destroyed. Words to look out for include "delete," "format," "remove," "copy," "move," "cut," or "wipe."
- Look for indications that the computer is being accessed from a remote computer or device.
- Look for signs of active or ongoing communications with other computers or users, such as instant messaging windows or chat rooms.
- Take note of all cameras or Web cameras (Web cams) and determine if they are active.

First responders should separate and identify all adult persons of interest at the crime scene and record their location at the time of entry onto the scene. No one should be allowed access to any computer or electronic device.

Page 21
Preliminary Interviews
Within the parameters of the law, first responders should obtain as much information from these individuals (adult persons of interest) as possible, including:
- Names of all users of the computers and devices.
- All computer and Internet user information.
- All login names and user account names.
- Purpose and uses of computers and devices.
- All passwords.
- Any automated applications in use.
- Type of Internet access.
- Any offsite storage.
- Internet service provider.
- Installed software documentation.
- All e-mail accounts.
- Security provisions in use.
- Web mail account information.
- Data access restrictions in place.
- All instant message screen names.
- All destructive devices or software in use.
- MySpace, Facebook, or other online social networking Web site account information.
- Any other relevant information.

Page 22
Keep Documenting
Documentation of a crime scene creates a record for the investigation. It is important to accurately record the location of the scene; the scene itself; the state, power status, and condition of computers, storage media, wireless network devices, mobile phones, smart phones, PDAs, and other data storage devices; Internet and network access; and other electronic devices. The first responder should be aware that not all digital evidence may be in close proximity to the computer or other devices.

Officials may need to move a computer or another electronic device to find its serial numbers or other identifiers. Moving a computer or another electronic device while it is on may damage it or the digital evidence it contains. Computers and other electronic devices should not be moved until they are powered off.

Page 23
Documenting the crime scene
The initial documentation of the scene should include a detailed record using video, photography, and notes and sketches to help recreate or convey the details of the scene later. All activity and processes on display screens should be fully documented.

Documentation of the scene should include the entire location, including the type, location, and position of computers, their components and peripheral equipment, and other electronic devices. The scene may expand to multiple locations; first responders should document all physical connections to and from the computers and other devices.

Record any network and wireless access points that may be present and capable of linking computers and other devices to each other and the Internet. The existence of network and wireless access points may indicate that additional evidence exists beyond the initial scene.

Some circumstances may not permit first responders to collect all electronic devices or components at a scene or location. Certain factors may prohibit collecting some computer systems and other electronic devices and the information they contain; however, these devices should be included in the first responder's documentation of the scene.

Page 24
Evidence Collection
Digital evidence must be handled carefully to preserve the integrity of the physical device as well as the data it contains. Some digital evidence requires special collection, packaging, and transportation techniques. Data can be damaged or altered by electromagnetic fields such as those generated by static electricity, magnets, radio transmitters, and other devices. Communication devices such as mobile phones, smart phones, PDAs, and pagers should be secured and prevented from receiving or transmitting data once they are identified and collected as evidence.

If data encryption is in use on a computer, data storage device, or other electronic device and it is improperly powered off during digital evidence collection, the data it contains may become inaccessible.

Page 25
Assess the Situation
To prevent the alteration of digital evidence during collection, first responders should first:
- Document any activity on the computer, components, or devices.
- Confirm the power state of the computer. Check for flashing lights, running fans, and other sounds that indicate the computer or electronic device is powered on. If the power state cannot be determined from these indicators, observe the monitor to determine if it is on, off, or in sleep mode.

Page 26
Identify the computer's power status
After identifying the computer's power status, follow the steps listed below for the situation most like your own:

Situation 1: The monitor is on. It displays a program, application, work product, picture, e-mail, or Internet site on the screen.
1. Photograph the screen and record the information displayed.
2. Proceed to "If the Computer Is ON".

Situation 2: The monitor is on and a screen saver or picture is visible.
1. Move the mouse slightly without depressing any buttons or rotating the wheel. Note any onscreen activity that causes the display to change to a login screen, work product, or other visible display.
2. Photograph the screen and record the information displayed.
3. Proceed to "If the Computer Is ON".

Page 27
Monitor on
Situation 3: The monitor is on; however, the display is blank as if the monitor is off.
1. Move the mouse slightly without depressing any buttons or rotating the wheel. The display will change from a blank screen to a login screen, work product, or other visible display. Note the change in the display.
2. Photograph the screen and record the information displayed.
3. Proceed to "If the Computer Is ON".

Page 28
Monitor off
Situation 4: The monitor is powered off. The display is blank.
1. If the monitor's power switch is in the off position, turn the monitor on. The display changes from a blank screen to a login screen, work product, or other visible display. Note the change in the display.
2. Photograph the screen and the information displayed.
3. Proceed to "If the Computer Is ON".

Situation 5: The monitor is powered off. The display is blank.
1. If the monitor's power switch is in the off position, turn the monitor on. The display does not change; it remains blank. Note that no change in the display occurs.
2. Photograph the blank screen.
3. Proceed to "If the Computer Is OFF".

Page 29
Monitor on, display blank
Situation 6: The monitor is on. The display is blank.
1. Move the mouse slightly without depressing any buttons or rotating the wheel; wait for a response.
2. If the display does not change and the screen remains blank, confirm that power is being supplied to the monitor. If the display remains blank, check the computer case for active lights, and listen for fans spinning or other indications that the computer is on.
3. If the screen remains blank and the computer case gives no indication that the system is powered on, proceed to "If the Computer Is OFF".

Page 30
Computer is Off
If the Computer Is OFF
For desktop, tower, and minicomputers follow these steps:
1. Document, photograph, and sketch all wires, cables, and other devices connected to the computer.
2. Uniquely label the power supply cord and all cables, wires, or USB drives attached to the computer, as well as the corresponding connection each cord, cable, wire, or USB drive occupies on the computer.
3. Photograph the uniquely labeled cords, cables, wires, and USB drives and the corresponding labeled connections.
4. Remove and secure the power supply cord from the back of the computer and from the wall outlet, power strip, or battery backup device.

Page 31
Computer is off (continued)
5. Disconnect and secure all cables, wires, and USB drives from the computer and document the device or equipment connected at the opposite end.
6. Place tape over the floppy disk slot, if present.
7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
8. Place tape over the power switch.
9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
10. Record or log the computer and all its cords, cables, wires, devices, and components according to agency procedures.
11. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.

Page 32
Laptops
For laptop computers follow these steps:
1. Document, photograph, and sketch all wires, cables, and devices connected to the laptop computer.
2. Uniquely label all wires, cables, and devices connected to the laptop computer as well as the connection they occupied.
3. Photograph the uniquely labeled cords, cables, wires, and devices connected to the laptop computer and the corresponding labeled connections they occupied.
4. Remove and secure the power supply and all batteries from the laptop computer.
5. Disconnect and secure all cables, wires, and USB drives from the computer and document the equipment or device connected at the opposite end.
6. Place tape over the floppy disk slot, if present.
7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
8. Place tape over the power switch.
9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
10. Record or log the computer and all its cords, cables, wires, devices, and components according to agency procedures.
11. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.
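The labelling and logging steps on the last two slides (a unique label on every cord and the connection it occupied, make/model/serial, a log of every item, packaging per agency procedure) are normally kept on a paper evidence inventory log. The Python below is an added example, not part of the presentation and not an agency form: it keeps the same record as a hash-chained log so that any later edit to a recorded item, or a removed or reordered entry, is detected when the log is verified. The case number, the "A-n" label scheme, the item fields and the photograph bytes are constructed for illustration.

```python
"""Tamper-evident evidence inventory log for a seized computer.

Added illustration, not an agency standard: the item fields, the "A-n" label
scheme and the hash-chained log format are assumptions. Standard library only.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Item:
    label: str                            # unique label applied at the scene, e.g. "A-2"
    description: str                      # tower, power cord, USB drive, ...
    make: str = ""
    model: str = ""
    serial: str = ""
    connected_to: Optional[str] = None    # what was at the opposite end (step 5)
    port: Optional[str] = None            # the labelled connection it occupied (step 2)
    photo_sha256: Optional[str] = None    # hash of the photograph showing the labels (step 3)


class EvidenceLog:
    """Append-only log in which each entry's SHA-256 covers the previous entry's hash.

    Editing, deleting or reordering any entry changes the value every later entry
    was hashed over, so verify() fails from that point on.
    """

    GENESIS = "0" * 64

    def __init__(self, case_id: str, responder: str):
        self.entries: List[dict] = []
        self._append("OPEN", responder, {"case_id": case_id})

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON of every field except the hash itself, so the digest is reproducible.
        canon = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                           sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()

    def _append(self, action: str, actor: str, detail: dict,
                when: Optional[datetime] = None) -> dict:
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "time_utc": when.isoformat(),
            "action": action,
            "actor": actor,
            "detail": detail,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def record_item(self, item: Item, actor: str, when: Optional[datetime] = None) -> dict:
        return self._append("COLLECT", actor, asdict(item), when)

    def transfer(self, label: str, from_actor: str, to_actor: str,
                 when: Optional[datetime] = None) -> dict:
        """Custody hand-over of one labelled item (the chain-of-custody entry)."""
        return self._append("TRANSFER", from_actor, {"label": label, "to": to_actor}, when)

    def verify(self) -> bool:
        prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def labels(self) -> List[str]:
        return [e["detail"]["label"] for e in self.entries if e["action"] == "COLLECT"]


def build_sample_log() -> EvidenceLog:
    """Constructed seizure of one tower PC following the OFF-computer steps above."""
    t0 = datetime(2018, 4, 8, 9, 30, tzinfo=timezone.utc)          # constructed time
    photo = hashlib.sha256(b"constructed photo bytes").hexdigest()   # stands in for the JPEG
    log = EvidenceLog(case_id="CASE-0001", responder="Officer A")
    log.record_item(Item("A-1", "Desktop tower", make="ExampleCo", model="T100",
                         serial="SN123", photo_sha256=photo), "Officer A", t0)
    log.record_item(Item("A-2", "Power cord", connected_to="wall outlet", port="A-1/PSU"),
                    "Officer A", t0)
    log.record_item(Item("A-3", "USB drive", connected_to="A-1", port="A-1/USB-front-1"),
                    "Officer A", t0)
    log.transfer("A-1", "Officer A", "Evidence custodian B", t0.replace(hour=14))
    return log


def tamper_demo() -> bool:
    """Edit a recorded serial number after the fact and return what verify() then says."""
    log = build_sample_log()
    log.entries[1]["detail"]["serial"] = "SN999"
    return log.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact log verifies:", sample.verify(), "items:", sample.labels())
    print("log verifies after tampering:", tamper_demo())
```

Run stand-alone it reports that the intact log verifies and that the copy with an edited serial number does not. The photograph hash is computed over bytes here; at a scene it would be the hash of the JPEG file, so the labelled photograph and the log entry vouch for each other.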

Page 33
If the Computer is ON
For practical purposes, removing the power supply when you seize a computer is generally the safest option. If evidence of a crime is visible on the computer display, however, you may need to request assistance from personnel who have experience in volatile data capture and preservation.

In the following situations, immediate disconnection of power is recommended:
- Information or activity onscreen indicates that data is being deleted or overwritten.
- There is indication that a destructive process is being performed on the computer's data storage devices.
- The system is powered on in a typical Microsoft Windows environment. Pulling the power from the back of the computer will preserve on-disk information about the last user to log in and at what time the login occurred, most recently used documents, most recently used commands, and other valuable information.

Note, however, that pulling the power also discards everything held only in memory: running processes, open network connections and, where disk or volume encryption is in use, the keys that currently make the encrypted data readable (see the encryption caution under Evidence Collection and the exceptions on the next slide).

Page 34
When not to switch it off
In the following situations, immediate disconnection of power is NOT recommended:
- Data of apparent evidentiary value is in plain view onscreen. The first responder should seek out personnel who have experience and training in capturing and preserving volatile data before proceeding.
- Indications exist that any of the following are active or in use: chat rooms, open text documents, remote data storage, instant message windows, child pornography, contraband, financial documents, data encryption, or other obvious illegal activities.

For mainframe computers, servers, or a group of networked computers, the first responder should secure the scene and request assistance from personnel who have training in collecting digital evidence from large or complex computer systems.

Page 35
Other Forms of Evidence
Be alert to the crime scene environment. Look out for pieces of paper with possible passwords, handwritten notes, blank pads of paper with impressions from prior writings, hardware and software manuals, calendars, literature, and text or graphic material printed from the computer that may reveal information relevant to the investigation. These forms of evidence also should be documented and preserved.

Page 36
Other Electronic and Peripheral Devices of Potential Evidential Value
Electronic devices such as those listed below may contain information of evidentiary value to an investigation. Except in emergency situations, such devices should not be operated and the information they might contain should not be accessed directly. If a situation warrants accessing these devices and the information they contain immediately, all actions taken should be thoroughly documented. Data may be lost if a device is not properly handled or its data properly accessed.

The following are examples of electronic devices, components, and peripherals that first responders may need to collect as digital evidence:
Audio recorders, GPS accessories, answering machines, computer chips, pagers, cordless landline telephones, copy machines, cellular telephones, hard drive duplicators, facsimile (fax) machines, printers, multifunction machines (printer, scanner, copier, and fax), wireless access points, laptop power supplies and accessories, smart cards, videocassette recorders (VCRs), scanners, telephone caller ID units, Personal Computer Memory Card International Association (PCMCIA) cards, PDAs.

Page 37
Where is the potential evidence?
Data storage media, including the hard drive, may contain information such as e-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, financial records, and event logs.

Handheld devices such as mobile phones, smart phones, PDAs, digital multimedia (audio and video) devices, pagers, digital cameras, and global positioning system (GPS) receivers may contain software applications, data, and information such as documents, e-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, and financial records.

Peripheral devices themselves and the functions they perform or facilitate are all potential evidence. Information stored on the device regarding its use is also evidence, such as incoming and outgoing phone and fax numbers; recently scanned, faxed, or printed documents; and information about the purpose for or use of the device. In addition, these devices can be sources of fingerprints, DNA, and other identifiers.

Other elements of the crime scene related to digital information are also potential evidence: electronic devices, equipment, software, hardware, or other technology that can function independently, in conjunction with, or attached to computer systems. These items may be used to enhance the user's access to, and expand the functionality of, the computer system, the device itself, or other equipment.

Page 38
Tools and Materials for Collecting Digital Evidence
- Cameras (photo and video).
- Cardboard boxes.
- Notepads.
- Gloves.
- Evidence inventory logs.
- Evidence tape.
- Paper evidence bags.
- Evidence stickers, labels, or tags.
- Crime scene tape.
- Antistatic bags.
- Permanent markers.
- Nonmagnetic tools.

First responders should also have radio frequency-shielding material such as Faraday isolation bags or aluminum foil to wrap cell phones, smart phones, and other mobile communication devices after they have been seized. Wrapping the phones in radio frequency-shielding material prevents the phones from receiving a call, text message, or other communications signal that may alter the evidence.

Page 39
Special Handling
Special handling may be required to preserve the integrity and evidentiary value of these electronic devices. First responders should secure the devices and request assistance from personnel who have advanced training in collecting digital evidence.

When collecting electronic devices, components, and peripherals such as those listed above, remember to collect the power supplies, cables, and adapters for those devices as well. Due care should be taken in packing, transporting and storing the evidence so as not to damage it in any way.

Page 40
Computers in a Business Environment
Business environments frequently have complicated configurations of multiple computers networked to each other, to a common server, to network devices, or a combination of these. Securing a scene and collecting digital evidence in these environments may pose challenges to the first responder. Improperly shutting down a system may result in lost data, lost evidence, and potential civil liability.

The first responder may find a similar environment in residential locations, particularly when a business is operated from the home.

In some instances, the first responder may encounter unfamiliar operating systems or unique hardware and software configurations that require specific shutdown procedures; this will again require expert help.

Page 41
Labeling properly (image slide)

Page 42
Helping out the Forensics
To assist in the forensic examination, the first responder should document the following information when possible:
- A summary of the case.
- Passwords to digital evidence seized.
- Investigation point-of-contact information.
- Preliminary reports and documents.
- Keyword lists.

Page 43
Narcotics: pointers to where evidence may lie (example 1)
Potential digital evidence in narcotics investigations includes:
- Computers.
- Handheld mobile devices.
- Removable media.
- External data storage devices.
- PDAs, address books, and contact information.
- Forged identification.
- Databases.
- Information regarding Internet activity.
- Drug receipts.
- Blank prescription forms.
- Printed e-mail, notes, and letters.
- Financial asset records.
- GPS devices.

Page 44
Online or Economic Fraud (example 2)
Potential digital evidence in online or economic fraud investigations includes:
- Computers.
- Removable media.
- Mobile communication devices.
- External data storage devices.
- Online auction sites and account data.
- Databases.
- PDAs, address books, and contact lists.
- Printed e-mail, notes, and letters.
- Calendars or journals.
- Financial asset records.
- Accounting or recordkeeping software.
- Printed photos and image files.
- Records or notes of chat sessions.
- Information regarding Internet activity.
- Customer credit information.
- Online banking information.
- List(s) of credit card numbers.
- Telephone numbers and call logs.
- Credit card magnetic strip reader.
- Credit card statements or bills.
- Printers, copiers, and scanners.
- Suspected criminal activity.
- Suspect information including nicknames.

Page 45
Internet: Purpose of Use
The investigator should be aware that criminals may use the Internet for numerous reasons, including:
- Trading/sharing information (e.g., documents, photographs, movies, sound files, text and graphic files, and software programs).
- Concealing their identity.
- Assuming another identity.
- Identifying and gathering information on victims.
- Communicating with co-conspirators.
- Distributing information or misinformation.
- Coordinating meetings, meeting sites, or parcel drops.

Page 46: The Discovery, Processing, Acquisition and Presentation

Scope of Investigations

Investigations vary in scope and complexity. Evidence of the crime may reside on electronic devices in numerous jurisdictions and may encompass multiple suspects and victims.

Complex evidentiary issues are frequently encountered in Internet and network investigations. Sources of information needed to investigate the case may be located anywhere in the world and may not be readily available to the investigator, such as:

- Victims and suspects and their computers.
- Data on workstations/servers/routers of third parties such as businesses, government entities, and educational institutions.
- Internet Service Provider records.

Page 47: The Discovery, Processing, Acquisition and Presentation

Preserve the evidence

Digital evidence is fragile and can easily be lost. For example:

- It can change with usage.
- It can be maliciously and deliberately destroyed or altered.
- It can be altered due to improper handling and storage.

For these reasons, evidence should be expeditiously retrieved and preserved. Also consider that when investigating offenses involving the Internet, time, date, and time zone information may prove to be very important. Server and computer clocks may not be accurate or set to the local time zone. The investigator should seek other information to confirm the accuracy of time and date stamps.

Page 48: The Discovery, Processing, Acquisition and Presentation

Crime Scene Investigations

At the scene, the best judgment of the investigator (based on training, experience, and available resources) will dictate the investigative approach. In some cases a forensic examination of the computer will be needed. The investigator should be aware that any action taken on the computer system might affect the integrity of the evidence. Only in exigent circumstances (e.g., imminent threat of loss of life or serious physical injury) should an investigator attempt to gain information directly from a computer on the scene. Any action taken should be well documented.

Page 49: The Discovery, Processing, Acquisition and Presentation

Action at the Crime Scene…

In some cases it may be sufficient to collect information from the complainant (and computer), document the incident, and forego a forensic examination of the complainant's computer. However, if a suspect's computer is identified and recovered, in most situations it should be submitted for forensic examination to preserve the integrity of the evidence.

An investigator should not attempt to examine a computer system if the investigator has not received special training in forensic examination of computers. The investigator should follow agency policy or contact an agency with a forensic examination capability.

Page 50: The Discovery, Processing, Acquisition and Presentation

It is important to remember that the traditional investigative process must be followed

Witnesses must be identified and interviewed, evidence must be collected, investigative processes should be documented, and chain-of-custody and the legal process must be followed.

In addition, the investigator should consider the following:

- Was a crime committed?
- Who has jurisdiction?
- What resources are needed to conduct the investigation?
- Are sufficient resources available to support the investigation?
- What other resources are available?
- Are there legal issues for discussion with the prosecutor?

Page 51: The Discovery, Processing, Acquisition and Presentation

IP address and apartment address

IP address 129.6.13.23        Postal address: MG Road, 16 Maple Apt., Flat #2
Major provider                Street
Local provider                Building
Network                       Floor
Device                        Apartment unit

The IP address does not denote a physical location of the device at the time it is connected to the Internet.

Page 52: The Discovery, Processing, Acquisition and Presentation

IP address…

IP addressing uses four decimal-separated numbers, which allows for a total of 256^4 or 1,099,511,627,776 unique addresses. This addressing scheme is being expanded to accommodate additional Internet usage. Regardless of the addressing scheme used, the method of tracing the IP address will likely remain the same.

Page 53: The Discovery, Processing, Acquisition and Presentation

Private IP address

Three groups of IP addresses are specifically reserved for use by any private network and are not seen on the public Internet. Information for these IP addresses comes from the owner of the network. The ranges are:

- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255

Page 54: The Discovery, Processing, Acquisition and Presentation

Internet Service Providers

Internet Service Providers (ISPs) may be commercial vendors or organizations, such as a business or government entity. They may reserve blocks of IP addresses that can be assigned to their users. ISPs may log the date, time, account user information, and ANI (Automatic Number Identification) or caller line identification at the time of connection. If logs are kept, they may be kept for a limited time depending on the established policy of the ISP. Currently, no general legal requirement exists for log preservation; therefore, some ISPs do not store logs.

Page 55: The Discovery, Processing, Acquisition and Presentation

Dynamic & Static IP addresses

"Dynamic" IP addresses are temporarily assigned from a pool of available addresses registered to an ISP. These addresses are assigned to a device when a user begins an online session. As a result, a device's IP address may vary from one logon session to the next.

"Static" IP addresses are permanently assigned to devices configured to always have the same IP address. A person, business, or organization maintaining a constant Internet presence, such as a Website, generally requires a static IP address.

The date and time an IP address was assigned must be determined to tie it to a specific device or user account. The ISP may maintain historical log files relating these dynamically assigned IP addresses back to a particular subscriber or user at a particular time.

Page 56: The Discovery, Processing, Acquisition and Presentation

Packets

Data sent over the Internet are divided into packets that are routed through the Internet and reassembled at the destination.

When information such as files, e-mail messages, HyperText Markup Language (HTML) documents, or Web pages are sent from one place to another on a network, the network operating system divides the information into chunks of an efficient size for routing. Each of these packets includes the address of the destination. The individual packets for the information being routed may travel different routes through a network. When they have all arrived, they are reassembled into the original file.

Page 57: The Discovery, Processing, Acquisition and Presentation

Network Devices

Network devices and services include routers, firewalls, proxy servers/gateways, Network Address Translation (NAT), and Dynamic Host Configuration Protocol (DHCP).

By design, these devices and services may or may not have a logging feature that captures source and destination IP information, login user name, and date and time of logins. Some or all of these network devices and services may alter or mask the true source or destination IP address. It may be necessary to work with the network administrator to determine the true source or destination IP address.

Page 58: The Discovery, Processing, Acquisition and Presentation

DNS

Domain Name System (DNS) servers are the "phonebooks" of the Internet. They maintain directories that match IP addresses with registered domains and resolve the text that people understand (the domain name) into a format that devices understand (the IP address).

Page 59: The Discovery, Processing, Acquisition and Presentation

Registering Domain Names

A person or an organization can register a domain name as long as it is not already registered. Domain names are registered with the Internet Corporation for Assigned Names and Numbers (ICANN), a nonprofit organization responsible for Internet address assignment and domain name server management.

Information required to register a domain name includes name, address, phone number, billing information, e-mail address, and technical and administrative contact information. In addition to this information, the date that a domain was registered may be available from the registrar. Although this information may provide investigative leads, the investigator should be aware that the information originates from the person registering the domain name and may be fictitious.

Page 60: The Discovery, Processing, Acquisition and Presentation

Spoofing, masking, and redirecting

Advanced methods of obscuring actions on the Internet include hiding the IP address, pretending to be someone else, and sending traffic through another IP address. These methods are commonly referred to as masking, spoofing, and redirecting. Advanced training is required to investigate or identify when these actions have taken place. Therefore, even after completing legal process, traditional investigative methods may still be necessary to identify the end user. In some cases, masking, spoofing, or redirecting may prevent the identification of the user.

Page 61: The Discovery, Processing, Acquisition and Presentation

The Key

All communications on the Internet and across networks rely on an IP address to reach their destination. The key to investigating crimes relating to the Internet and networks is to identify the originating IP address and trace it to a source. These skills enable an investigator to locate additional sources of evidence, corroborate victim and witness statements, and potentially locate a suspect.

Given an IP address and a date and time (including the time zone), most ISPs can identify the registered user assigned to the IP address at the specific time, enabling the investigator to request additional information. However, the investigator may need to use traditional investigative methods to identify the person using the account at that time.
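A worked version of the lookup described above (IP address plus date, time and time zone, matched against an ISP's lease records), added here as an example and not part of the original presentation. The lease log, its comma-separated format and the account identifiers are constructed; the private ranges checked are the three listed on the "Private IP address" slide, and the query is refused when the time carries no zone or the address is private, the two cases where no ISP can answer.

```python
import ipaddress
from datetime import datetime, timezone

# The three private ranges from the "Private IP address" slide, as CIDR blocks.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of an ISP's dynamic-address lease log. The format
# ip,lease_start,lease_end,account is assumed for this example; real ISP
# logs differ. Timestamps carry the ISP's local offset (+05:30, IST).
LEASE_LOG = """\
203.0.113.45,2019-08-07T09:00:00+05:30,2019-08-07T14:00:00+05:30,acct-1001
203.0.113.45,2019-08-07T14:30:00+05:30,2019-08-07T22:00:00+05:30,acct-2042
203.0.113.46,2019-08-07T08:00:00+05:30,2019-08-08T08:00:00+05:30,acct-3333
"""


def is_private_ip(ip):
    """True when the address lies in one of the reserved private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def parse_leases(text):
    """Parse lease lines into (ip, start_utc, end_utc, account) tuples."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, start, end, account = line.split(",")
        leases.append((ipaddress.ip_address(ip),
                       datetime.fromisoformat(start).astimezone(timezone.utc),
                       datetime.fromisoformat(end).astimezone(timezone.utc),
                       account))
    return leases


def lookup_subscriber(leases, ip, when_iso):
    """Return the account that held `ip` at the instant `when_iso`.

    `when_iso` must carry a UTC offset: a bare local time cannot be compared
    against the log, which is why the zone is recorded with the address.
    Private addresses are rejected; only the network owner can resolve them.
    Returns None when no lease covers the instant (a gap between sessions).
    """
    if is_private_ip(ip):
        raise ValueError(f"{ip} is a private address; ask the network owner")
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        raise ValueError("query time must carry a time zone offset")
    when_utc = when.astimezone(timezone.utc)  # normalise before comparing
    addr = ipaddress.ip_address(ip)
    for lease_ip, start, end, account in leases:
        if lease_ip == addr and start <= when_utc < end:
            return account
    return None
```

A query for 10:00 UTC on 7 August resolves to 15:30 IST, which falls in the second lease of 203.0.113.45 and so returns acct-2042; the same clock reading without an offset is refused.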

Page 62: The Discovery, Processing, Acquisition and Presentation

RECOVERY OF DIGITAL EVIDENCE

Every cyber crime has certain unique points and these determine the initial steps to be taken towards the recovery of digital evidence while investigating the crime. Once these initial procedures have been completed the actual process of data recovery can begin. During this process it is important that the investigator ensures that the examination is conducted only on duplicate evidence.

In addition, it is vital that it can be proven in a court that the examination has been conducted thoroughly and the evidence is authentic and unaltered. This process of examination of computer evidence is painstaking and tedious. It has to be performed with extreme care.

Page 63: The Discovery, Processing, Acquisition and Presentation

HARD DISK/FLOPPY EXAMINATION

The following procedures must be followed for examining computer hard disks:

- The media used for the examination process should be virus free.
- The original media should not be used for the examination. Only a bit-stream image of the original hard disk should be used. The bit-stream image should be taken in a non-invasive manner.

Page 64: The Discovery, Processing, Acquisition and Presentation

EXAMINATION…

- The bit-stream image should be verified by MD5 hash value.
- The boot record data, command files such as the CONFIG.SYS file and the AUTOEXEC.BAT should be examined.
- All recoverable deleted files should be restored.
- All the files contained on the hard disk should be listed.
- The unallocated storage space and slack space should be examined.
- Attempts should be made to decrypt password-protected files.
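The hash-verification step in the checklist above, written out as an added example (not code from the presentation). The "original drive" is a constructed byte string so it runs offline; reading a real image file in pieces is an assumed helper. It goes one step past the slide by recording SHA-256 next to MD5, since MD5 collisions can be constructed and a second digest taken at acquisition answers that objection.

```python
import hashlib

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so a large image need not fit in RAM


def hash_chunks(chunks, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} computed over an iterable of byte chunks.

    MD5 is the digest the checklist names; SHA-256 is recorded alongside it
    so that the image's integrity does not rest on MD5 alone.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for piece in chunks:
        for h in hashers.values():
            h.update(piece)
    return {name: h.hexdigest() for name, h in hashers.items()}


def iter_file(path, chunk_size=CHUNK_SIZE):
    """Yield a real image file in pieces, for use with hash_chunks()."""
    with open(path, "rb") as f:
        while True:
            piece = f.read(chunk_size)
            if not piece:
                return
            yield piece


def split(data, chunk_size=CHUNK_SIZE):
    """Chunk an in-memory byte string (stands in for iter_file in the demo)."""
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


def verify_image(image_chunks, recorded):
    """Recompute every digest recorded at acquisition and compare.

    Returns (ok, mismatched_algorithms); one differing digest fails the check.
    """
    actual = hash_chunks(image_chunks, tuple(recorded))
    mismatched = sorted(n for n in recorded if actual[n] != recorded[n])
    return (not mismatched, mismatched)


# Constructed stand-in for the original drive: 4 MiB of a repeating pattern.
ORIGINAL_DRIVE = bytes(range(256)) * 16384


def demo():
    """Record digests of the 'drive', verify a faithful image, then a tampered one."""
    recorded = hash_chunks(split(ORIGINAL_DRIVE))   # taken when the image is acquired
    good_image = bytes(ORIGINAL_DRIVE)               # bit-for-bit copy
    tampered = bytearray(ORIGINAL_DRIVE)
    tampered[1_500_000] ^= 0x01                      # a single flipped bit mid-image
    return (verify_image(split(good_image), recorded),
            verify_image(split(bytes(tampered)), recorded))
```

The faithful copy verifies under both digests; the copy with one flipped bit fails both, which is the property that lets the examiner show in court that the duplicate examined is identical to the original media.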

Page 65: The Discovery, Processing, Acquisition and Presentation

RECOVERY PROCEDURE

Normal Files: These are regular files used by the user and are usually easy to access. Most of the time, users do not encrypt this information, nor do they have any passwords to protect it. These files may contain evidence like incriminating letters, notes, figures, etc.

Deleted files: These are the files that have been deleted by the user. Usually when any file is deleted it may be possible to recover it from the Recycle Bin of the computer. If the user has been cautious enough to empty the recycle bin, then this recovery becomes difficult, but not impossible. It may be possible to recover the deleted data or at least fragments of the deleted data by inspecting the unallocated storage space on the computer.

Page 66: The Discovery, Processing, Acquisition and Presentation

STILL OTHER KINDS OF FILES

Password protected files: Most programmes offer the user the option of protecting the information contained in a file through the use of a password. This means that this information will no longer be available to everybody. Only a particular user will be able to access the information.

Encrypted files: By utilizing some encryption scheme it is possible for the user to ensure that no one else, even if they see the contents of a file, can understand these contents. The encryption software makes the original contents of the files look like incomprehensible gibberish. Until and unless the contents are decrypted, no one can understand them.

Page 67: The Discovery, Processing, Acquisition and Presentation

CONCEPTS

- FILE SLACK
- RAM SLACK
- DRIVE SLACK
- DELETED IS NOT DELETED
- FILE ALLOCATION TABLES

Page 68: The Discovery, Processing, Acquisition and Presentation

OTHER SOURCES OF EVIDENCE

- INFORMATION CONTAINED IN BROWSERS
- EXAMINATION OF LOG FILES

Page 69: The Discovery, Processing, Acquisition and Presentation

Thank You