The Discovery, Processing, Acquisition and Presentation of Digital Evidence
Amitesh Bharat Singh, IRS
Additional Commissioner
Presentation made at NACEN, India
8/7/2019
http://slidepdf.com/reader/full/the-discovery-processing-acquisition-and-presentation
The First Responder
After securing the scene and all persons at the scene, the first responder should visually identify all potential evidence and ensure that the integrity of both the digital and traditional evidence is preserved. Digital evidence on computers and other electronic devices can be easily altered, deleted, or destroyed. First responders should document, photograph, and secure digital evidence as soon as possible at the scene.
When securing and evaluating the scene, the first responder should:
Secure the crime scene.
Immediately secure all electronic devices, including personal or portable devices.
Ensure that no unauthorized person has access to any electronic devices at the crime scene.
Refuse offers of help or technical assistance from any unauthorized persons.
Remove all persons from the crime scene or the immediate area from which evidence is to be collected.
Ensure that the condition of any electronic device is not altered.
Leave a computer or electronic device off if it is already turned off.
Types of Computers
Types of Hard Drives
External Hard Drives
Memory Cards
Handheld Devices
Other Sources of Digital Evidence
Servers
Evaluating the potential sources of evidence
Components such as keyboard, mouse, removable storage media, and other items may hold latent evidence such as fingerprints, DNA, or other physical evidence that should be preserved. First responders should take the appropriate steps to ensure that physical evidence is not compromised during documentation.
Developments in technology and the convergence of communications capabilities have linked even the most conventional devices and services to each other, to computers, and to the Internet. This rapidly changing environment makes it essential for the first responder to be aware of the potential digital evidence in telephones, digital video recorders, other household appliances, and motor vehicles.
Is it on or off?
If a computer is on or the power state cannot be determined, the first responder should:
Look and listen for indications that the computer is powered on. Listen for the sound of fans running, drives spinning, or check to see if light emitting diodes (LEDs) are on.
Check the display screen for signs that digital evidence is being destroyed. Words to look out for include "delete," "format," "remove," "copy," "move," "cut," or "wipe."
Look for indications that the computer is being accessed from a remote computer or device.
Look for signs of active or ongoing communications with other computers or users such as instant messaging windows or chat rooms.
Take note of all cameras or Web cameras (Web cams) and determine if they are active.
First responders should separate and identify all adult persons of interest at the crime scene and record their location at the time of entry onto the scene.
No one should be allowed access to any computer or electronic device.
Preliminary Interviews
Within the parameters of the law, first responders should obtain as much information from these individuals (adult persons of interest) as possible, including:
Names of all users of the computers and devices.
All computer and Internet user information.
All login names and user account names.
Purpose and uses of computers and devices.
All passwords.
Any automated applications in use.
Type of Internet access.
Any offsite storage.
Internet service provider.
Installed software documentation.
All e-mail accounts.
Security provisions in use.
Web mail account information.
Data access restrictions in place.
All instant message screen names.
All destructive devices or software in use.
MySpace, Facebook, or other online social networking Web site account information.
Any other relevant information.
Keep Documenting
Documentation of a crime scene creates a record for the investigation. It is important to accurately record the location of the scene; the scene itself; the state, power status, and condition of computers, storage media, wireless network devices, mobile phones, smart phones, PDAs, and other data storage devices; Internet and network access; and other electronic devices. The first responder should be aware that not all digital evidence may be in close proximity to the computer or other devices.
Officials may need to move a computer or another electronic device to find its serial numbers or other identifiers. Moving a computer or another electronic device while it is on may damage it or the digital evidence it contains. Computers and other electronic devices should not be moved until they are powered off.
Documenting the crime scene
The initial documentation of the scene should include a detailed record using video, photography, and notes and sketches to help recreate or convey the details of the scene later. All activity and processes on display screens should be fully documented.
Documentation of the scene should include the entire location, including the type, location, and position of computers, their components and peripheral equipment, and other electronic devices. The scene may expand to multiple locations; first responders should document all physical connections to and from the computers and other devices.
Record any network and wireless access points that may be present and capable of linking computers and other devices to each other and the Internet. The existence of network and wireless access points may indicate that additional evidence exists beyond the initial scene.
Some circumstances may not permit first responders to collect all electronic devices or components at a scene or location. Certain factors may prohibit collecting some computer systems and other electronic devices and the information they contain; however, these devices should be included in the first responder's documentation of the scene.
Evidence Collection
Digital evidence must be handled carefully to preserve the integrity of the physical device as well as the data it contains. Some digital evidence requires special collection, packaging, and transportation techniques. Data can be damaged or altered by electromagnetic fields such as those generated by static electricity, magnets, radio transmitters, and other devices. Communication devices such as mobile phones, smart phones, PDAs, and pagers should be secured and prevented from receiving or transmitting data once they are identified and collected as evidence.
If data encryption is in use on a computer, data storage device, or other electronic device and it is improperly powered off during digital evidence collection, the data it contains may become inaccessible.
Assess the Situation
To prevent the alteration of digital evidence during collection, first responders should first:
Document any activity on the computer, components, or devices.
Confirm the power state of the computer. Check for flashing lights, running fans, and other sounds that indicate the computer or electronic device is powered on. If the power state cannot be determined from these indicators, observe the monitor to determine if it is on, off, or in sleep mode.
Identify the computer's power status
After identifying the computer's power status, follow the steps listed below for the situation most like your own:
Situation 1: The monitor is on. It displays a program, application, work product, picture, e-mail, or Internet site on the screen.
1. Photograph the screen and record the information displayed.
2. Proceed to "If the Computer Is ON".
Situation 2: The monitor is on and a screen saver or picture is visible.
1. Move the mouse slightly without depressing any buttons or rotating the wheel. Note any onscreen activity that causes the display to change to a login screen, work product, or other visible display.
2. Photograph the screen and record the information displayed.
3. Proceed to "If the Computer Is ON".
Monitor on
Situation 3: The monitor is on, however, the display is blank as if the monitor is off.
1. Move the mouse slightly without depressing any buttons or rotating the wheel. The display will change from a blank screen to a login screen, work product, or other visible display. Note the change in the display.
2. Photograph the screen and record the information displayed.
3. Proceed to "If the Computer Is ON".
Monitor off
Situation 4: The monitor is powered off. The display is blank.
1. If the monitor's power switch is in the off position, turn the monitor on. The display changes from a blank screen to a login screen, work product, or other visible display. Note the change in the display.
2. Photograph the screen and the information displayed.
3. Proceed to "If the Computer Is ON".
Situation 5: The monitor is powered off. The display is blank.
1. If the monitor's power switch is in the off position, turn the monitor on. The display does not change; it remains blank. Note that no change in the display occurs.
2. Photograph the blank screen.
3. Proceed to "If the Computer Is OFF".
Monitor on, display blank
Situation 6: The monitor is on. The display is blank.
1. Move the mouse slightly without depressing any buttons or rotating the wheel; wait for a response.
2. If the display does not change and the screen remains blank, confirm that power is being supplied to the monitor. If the display remains blank, check the computer case for active lights, listen for fans spinning or other indications that the computer is on.
3. If the screen remains blank and the computer case gives no indication that the system is powered on, proceed to "If the Computer Is OFF".
If the Computer Is OFF
For desktop, tower, and minicomputers follow these steps:
1. Document, photograph, and sketch all wires, cables, and other devices connected to the computer.
2. Uniquely label the power supply cord and all cables, wires, or USB drives attached to the computer as well as the corresponding connection each cord, cable, wire, or USB drive occupies on the computer.
3. Photograph the uniquely labeled cords, cables, wires, and USB drives and the corresponding labeled connections.
4. Remove and secure the power supply cord from the back of the computer and from the wall outlet, power strip, or battery backup device.
If the Computer Is OFF (continued)
5. Disconnect and secure all cables, wires, and USB drives from the computer and document the device or equipment connected at the opposite end.
6. Place tape over the floppy disk slot, if present.
7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
8. Place tape over the power switch.
9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
10. Record or log the computer and all its cords, cables, wires, devices, and components according to agency procedures.
11. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.
Laptops
For laptop computers follow these steps:
1. Document, photograph, and sketch all wires, cables, and devices connected to the laptop computer.
2. Uniquely label all wires, cables, and devices connected to the laptop computer as well as the connection they occupied.
3. Photograph the uniquely labeled cords, cables, wires, and devices connected to the laptop computer and the corresponding labeled connections they occupied.
4. Remove and secure the power supply and all batteries from the laptop computer.
5. Disconnect and secure all cables, wires, and USB drives from the computer and document the equipment or device connected at the opposite end.
6. Place tape over the floppy disk slot, if present.
7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
8. Place tape over the power switch.
9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
10. Record or log the computer and all its cords, cables, wires, devices, and components according to agency procedures.
11. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.
If the Computer Is ON
For practical purposes, removing the power supply when you seize a computer is generally the safest option. If evidence of a crime is visible on the computer display, however, you may need to request assistance from personnel who have experience in volatile data capture and preservation.
In the following situations, immediate disconnection of power is recommended:
Information or activity onscreen indicates that data is being deleted or overwritten.
There is indication that a destructive process is being performed on the computer's data storage devices.
The system is powered on in a typical Microsoft Windows environment. Pulling the power from the back of the computer, rather than performing an orderly shutdown, preserves on-disk information about the last user to log in and when that login occurred, most recently used documents, most recently used commands, and other valuable information that a normal shutdown may update or overwrite. Be aware of the trade-off: pulling power discards everything held only in RAM (running processes, open network connections, unsaved documents, and the keys of any mounted encrypted volume), so the exceptions listed under "When not to switch it off" must be checked before this step is taken.
When not to switch it off
In the following situations, immediate disconnection of power is NOT recommended:
Data of apparent evidentiary value is in plain view onscreen. The first responder should seek out personnel who have experience and training in capturing and preserving volatile data before proceeding.
Indications exist that any of the following are active or in use: chat rooms, open text documents, remote data storage, instant message windows, child pornography, contraband, financial documents, data encryption, or other obvious illegal activities.
For mainframe computers, servers, or a group of networked computers, the first responder should secure the scene and request assistance from personnel who have training in collecting digital evidence from large or complex computer systems.
Other Forms of Evidence
Be alert to the crime scene environment. Look out for pieces of paper with possible passwords, handwritten notes, blank pads of paper with impressions from prior writings, hardware and software manuals, calendars, literature, and text or graphic material printed from the computer that may reveal information relevant to the investigation. These forms of evidence also should be documented and preserved.
Other Electronic and Peripheral Devices of Potential Evidential Value
Electronic devices such as those listed below may contain information of evidentiary value to an investigation. Except in emergency situations, such devices should not be operated and the information they might contain should not be accessed directly. If a situation warrants accessing these devices and the information they contain immediately, all actions taken should be thoroughly documented. Data may be lost if a device is not properly handled or its data properly accessed.
The following are examples of electronic devices, components, and peripherals that first responders may need to collect as digital evidence:
Audio recorders, GPS accessories, answering machines, computer chips, pagers, cordless landline telephones, copy machines, cellular telephones, hard drive duplicators, facsimile (fax) machines, printers, multifunction machines (printer, scanner, copier, and fax), wireless access points, laptop power supplies and accessories, smart cards, videocassette recorders (VCRs), scanners, telephone caller ID units, Personal Computer Memory Card International Association (PCMCIA) cards, PDAs.
Where is the potential evidence?
Data storage media, including the hard drive, may contain information such as e-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, financial records, and event logs.
Handheld devices such as mobile phones, smart phones, PDAs, digital multimedia (audio and video) devices, pagers, digital cameras, and global positioning system (GPS) receivers may contain software applications, data, and information such as documents, e-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, and financial records.
Peripheral devices themselves and the functions they perform or facilitate are all potential evidence. Information stored on the device regarding its use also is evidence, such as incoming and outgoing phone and fax numbers; recently scanned, faxed, or printed documents; and information about the purpose for or use of the device. In addition, these devices can be sources of fingerprints, DNA, and other identifiers.
Other elements of the crime scene related to digital information are also potential evidence: electronic devices, equipment, software, hardware, or other technology that can function independently, in conjunction with, or attached to computer systems. These items may be used to enhance the user's access to and expand the functionality of the computer system, the device itself, or other equipment.
Tools and Materials for Collecting Digital Evidence
Cameras (photo and video).
Cardboard boxes.
Notepads.
Gloves.
Evidence inventory logs.
Evidence tape.
Paper evidence bags.
Evidence stickers, labels, or tags.
Crime scene tape.
Antistatic bags.
Permanent markers.
Nonmagnetic tools.
First responders should also have radio frequency-shielding material such as Faraday isolation bags or aluminum foil to wrap cell phones, smart phones, and other mobile communication devices after they have been seized. Wrapping the phones in radio frequency-shielding material prevents the phones from receiving a call, text message, or other communications signal that may alter the evidence.
Special Handling
Special handling may be required to preserve the integrity and evidentiary value of these electronic devices. First responders should secure the devices and request assistance from personnel who have advanced training in collecting digital evidence.
When collecting electronic devices, components, and peripherals such as those listed above, remember to collect the power supplies, cables, and adapters for those devices as well. Due care should be taken in packing, transporting and storing the evidence so as not to damage it in any way.
Computers in a Business Environment
Business environments frequently have complicated configurations of multiple computers networked to each other, to a common server, to network devices, or a combination of these. Securing a scene and collecting digital evidence in these environments may pose challenges to the first responder. Improperly shutting down a system may result in lost data, lost evidence, and potential civil liability.
The first responder may find a similar environment in residential locations, particularly when a business is operated from the home.
In some instances, the first responder may encounter unfamiliar operating systems or unique hardware and software configurations that require specific shutdown procedures; this will again require expert help.
Labeling properly
Helping the Forensic Examiner
To assist in the forensic examination, the first responder should document the following information when possible:
A summary of the case.
Passwords to digital evidence seized.
Investigation point-of-contact information.
Preliminary reports and documents.
Keyword lists.
Narcotics: pointers to where evidence may lie (example 1)
Potential digital evidence in narcotics investigations includes:
Computers.
Handheld mobile devices.
Removable media.
External data storage devices.
PDAs, address books, and contact information.
Forged identification.
Databases.
Information regarding Internet activity.
Drug receipts.
Blank prescription forms.
Printed e-mail, notes, and letters.
Financial asset records.
GPS devices.
Online or Economic Fraud (example 2)
Potential digital evidence in online or economic fraud investigations includes:
Computers.
Removable media.
Mobile communication devices.
External data storage devices.
Online auction sites and account data.
Databases.
PDAs, address books, and contact lists.
Printed e-mail, notes, and letters.
Calendars or journals.
Financial asset records.
Accounting or recordkeeping software.
Printed photos and image files.
Records or notes of chat sessions.
Information regarding Internet activity.
Customer credit information.
Online banking information.
List(s) of credit card numbers.
Telephone numbers and call logs.
Credit card magnetic strip reader.
Credit card statements or bills.
Printers, copiers, and scanners.
Suspected criminal activity.
Suspect information including nicknames.
Internet: Purpose of Use
The investigator should be aware that criminals may use the Internet for numerous reasons, including:
Trading/sharing information (e.g., documents, photographs, movies, sound files, text and graphic files, and software programs).
Concealing their identity.
Assuming another identity.
Identifying and gathering information on victims.
Communicating with co-conspirators.
Distributing information or misinformation.
Coordinating meetings, meeting sites, or parcel drops.
Scope of Investigations
Investigations vary in scope and complexity. Evidence of the crime may reside on electronic devices in numerous jurisdictions and may encompass multiple suspects and victims.
Complex evidentiary issues are frequently encountered in Internet and network investigations. Sources of information needed to investigate the case may be located anywhere in the world and may not be readily available to the investigator, such as:
Victims and suspects and their computers.
Data on workstations/servers/routers of third parties such as businesses, government entities, and educational institutions.
Internet Service Provider records.
Preserve the evidence
Digital evidence is fragile and can easily be lost. For example:
It can change with usage.
It can be maliciously and deliberately destroyed or altered.
It can be altered due to improper handling and storage.
For these reasons, evidence should be expeditiously retrieved and preserved. Also consider that when investigating offenses involving the Internet, time, date, and time zone information may prove to be very important. Server and computer clocks may not be accurate or set to the local time zone. The investigator should seek other information to confirm the accuracy of time and date stamps.
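As an added worked example (not part of the original presentation): the Python below puts the time-zone advice into practice. It converts log timestamps that carry an explicit offset to UTC, refuses to guess the zone of a "naive" timestamp unless one has been established (for instance from the preliminary interview), and corrects the resulting timeline for a device clock that was found to run fast against a trusted reference. The log lines, the device clock reading, the reference time and the IST zone are all constructed for illustration.

```python
"""Normalise log timestamps to UTC and correct for a skewed device clock.

Added example for this page; it is not part of the original presentation.
The log lines, the device clock reading and the reference time below are
constructed for illustration, and the time zone of the seized device is an
assumption (the kind of detail obtained in the preliminary interview).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines from one seized machine: an Apache-style entry
# with an explicit offset, a Windows-style event line with no zone at all,
# and an ISO-8601 entry already in UTC.
SAMPLE_LINES = [
    '203.0.113.7 - - [07/Aug/2019:14:02:11 +0530] "GET /login HTTP/1.1" 200',
    '2019-08-07 08:32:11  Security  4624  An account was successfully logged on',
    '2019-08-07T08:32:11Z event=ssh_login user=alice',
]

# Assumed: the device's clock was read on site (naive, in its own local
# time) at the same instant a trusted NTP/GPS reference showed REFERENCE_TIME.
DEVICE_TZ = timezone(timedelta(hours=5, minutes=30))          # IST, assumed
DEVICE_CLOCK_READING = datetime(2019, 8, 7, 14, 5, 40)        # as shown on device
REFERENCE_TIME = datetime(2019, 8, 7, 8, 32, 11, tzinfo=timezone.utc)

APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) ([+-]\d{4})\]")
ISO_TS = re.compile(r"(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})(Z?)")
UTC = timezone.utc


def clock_skew(device_reading, reference, device_tz):
    """How far the device clock runs ahead of the reference (a timedelta).

    The reading is naive, so it is first tagged with the zone the device was
    set to; only then is a comparison with the UTC reference meaningful.
    """
    return device_reading.replace(tzinfo=device_tz) - reference


def parse_timestamp(line, assumed_tz=None):
    """Return (utc_datetime or None, note) for one log line.

    Lines carrying an offset or 'Z' convert to UTC directly. A naive line is
    only converted when a zone is supplied; otherwise None is returned rather
    than guessing, because a silently wrong zone corrupts the whole timeline.
    """
    m = APACHE_TS.search(line)
    if m:
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%b/%Y:%H:%M:%S %z")
        return ts.astimezone(UTC), "explicit offset"
    m = ISO_TS.match(line)
    if m:
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
        if m.group(3) == "Z":
            return ts.replace(tzinfo=UTC), "explicit UTC"
        if assumed_tz is None:
            return None, "naive timestamp, zone unknown: do not compare"
        return ts.replace(tzinfo=assumed_tz).astimezone(UTC), "zone assumed from interview"
    return None, "no timestamp recognised"


def build_timeline(lines, assumed_tz=None, skew=timedelta(0)):
    """Order lines from ONE device by corrected UTC time.

    `skew` (device minus reference) is subtracted from every converted time.
    Entries that could not be converted sort last and keep their note, so
    they stay visible but never interleave with trusted times.
    """
    events = []
    for line in lines:
        utc, note = parse_timestamp(line, assumed_tz)
        if utc is not None:
            utc -= skew
        events.append((utc, note, line))
    far_future = datetime.max.replace(tzinfo=UTC)
    return sorted(events, key=lambda e: (e[0] is None, e[0] or far_future))


if __name__ == "__main__":
    skew = clock_skew(DEVICE_CLOCK_READING, REFERENCE_TIME, DEVICE_TZ)
    print(f"device clock runs {skew.total_seconds():+.0f} s relative to reference")
    for utc, note, line in build_timeline(SAMPLE_LINES, DEVICE_TZ, skew):
        print(utc.isoformat() if utc else "unknown time", "|", note, "|", line[:45])
```

The design point is that a naive timestamp is never silently trusted: until the zone is known (from the device's settings, the owner, or a reference reading made at seizure), the entry is kept but marked as not comparable, and the note travels with every event so the basis for each converted time is documented.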
Crime Scene Investigations
At the scene, the best judgment of the investigator (based on training, experience, and available resources) will dictate the investigative approach. In some cases a forensic examination of the computer will be needed. The investigator should be aware that any action taken on the computer system might affect the integrity of the evidence. Only in exigent circumstances (e.g., imminent threat of loss of life or serious physical injury) should an investigator attempt to gain information directly from a computer on the scene. Any action taken should be well documented.
Action at the Crime Scene
In some cases it may be sufficient to collect information from the complainant (and computer), document the incident, and forego a forensic examination of the complainant's computer. However, if a suspect's computer is identified and recovered, in most situations it should be submitted for forensic examination to preserve the integrity of the evidence.
An investigator should not attempt to examine a computer system if the investigator has not received special training in forensic examination of computers. The investigator should follow agency policy or contact an agency with a forensic examination capability.
It is important to remember that the traditional investigative process must be followed
Witnesses must be identified and interviewed, evidence must be collected, investigative processes should be documented, and chain-of-custody and the legal process must be followed.
In addition, the investigator should consider the following:
Was a crime committed?
Who has jurisdiction?
What resources are needed to conduct the investigation?
Are sufficient resources available to support the investigation?
What other resources are available?
Are there legal issues for discussion with the prosecutor?
IP address and apartment address
An IP address such as 129.6.13.23 is read hierarchically: Major provider > Local provider > Network > Device.
A postal address is read the same way: Street > Building > Floor > Apartment Unit (for example: MG Road, 16 Maple Apt., Flat #2).
The IP address does not denote a physical location of the device at the time it is connected to the Internet.
IP address...
IP addressing uses four decimal-separated numbers, which allows for a total of 256^4 or 1,099,511,627,776 unique addresses. This addressing scheme is being expanded to accommodate additional Internet usage. Regardless of the addressing scheme used, the method of tracing the IP address will likely remain the same.
Private IP address
Three groups of IP addresses are specifically reserved for use by any private network and are not seen on the public Internet. Information for these IP addresses comes from the owner of the network. The ranges are:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
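The practical consequence of the three reserved ranges is a triage step: an address from a private range in a log can only be attributed by the owner of that network, while a public address is traced through the ISP. The following is an added example (not part of the original presentation) that encodes the three ranges exactly as listed above and sorts constructed sample log lines accordingly. The log format and addresses are assumptions made up for the example.

```python
import ipaddress

# The three private ranges from the slide, written as CIDR networks.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
]

# Constructed sample log (not real traffic): "<timestamp> <source ip> <action>".
# 172.32.0.1 is deliberately just outside the 172.16/12 range.
SAMPLE_LOG = """\
2019-08-07T10:15:02Z 192.168.1.44 login
2019-08-07T10:15:09Z 129.6.13.23 login
2019-08-07T10:16:41Z 172.31.200.5 upload
2019-08-07T10:17:00Z 172.32.0.1 login
2019-08-07T10:18:13Z 10.0.0.7 download
2019-08-07T10:19:55Z not-an-ip login
"""


def classify_ip(addr_text):
    """Return 'private', 'public' or 'invalid' for a dotted-quad string."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return "invalid"
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def triage_log(log_text):
    """Split log lines by address class.

    Public addresses go to the ISP trace path; private ones can only be
    resolved by the owner of the network that produced the log.
    """
    result = {"public": [], "private": [], "invalid": []}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        timestamp, addr = fields[0], fields[1]
        result[classify_ip(addr)].append((timestamp, addr))
    return result


if __name__ == "__main__":
    for kind, entries in triage_log(SAMPLE_LOG).items():
        print(kind, entries)
```

The check is done by network membership rather than string prefixes, so the boundary case 172.32.0.1 is correctly reported as public and a malformed field is reported rather than silently skipped.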
Internet Service Providers
Internet Service Providers (ISPs) may be commercial vendors or organizations, such as a business or government entity. They may reserve blocks of IP addresses that can be assigned to their users. ISPs may log the date, time, account user information, and ANI (Automatic Number Identification) or caller line identification at the time of connection. If logs are kept, they may be kept for a limited time depending on the established policy of the ISP. Currently, no general legal requirement exists for log preservation; therefore, some ISPs do not store logs.
Dynamic & Static IP addresses
"Dynamic" IP addresses are temporarily assigned from a pool of available addresses registered to an ISP. These addresses are assigned to a device when a user begins an online session. As a result, a device's IP address may vary from one logon session to the next.
"Static" IP addresses are permanently assigned to devices configured to always have the same IP address. A person, business, or organization maintaining a constant Internet presence, such as a Website, generally requires a static IP address.
The date and time an IP address was assigned must be determined to tie it to a specific device or user account. The ISP may maintain historical log files relating these dynamically assigned IP addresses back to a particular subscriber or user at a particular time.
Packets
Data sent over the Internet are divided into packets that are routed through the Internet and reassembled at the destination.
When information such as files, e-mail messages, HyperText Markup Language (HTML) documents, or Web pages are sent from one place to another on a network, the network operating system divides the information into chunks of an efficient size for routing. Each of these packets includes the address of the destination. The individual packets for the information being routed may travel different routes through a network. When they have all arrived, they are reassembled into the original file.
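As an added illustration of the mechanism described above (example code, not from the presentation), the following splits a message into addressed, numbered packets, lets them arrive out of order as they would after taking different routes, and reassembles them. The header layout (destination, sequence number, total count) is a simplification assumed for the example; real protocols carry more fields.

```python
import hashlib
import random


def packetize(payload, dst, chunk_size):
    """Split payload bytes into packets carrying destination, sequence number and count."""
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    return [{"dst": dst, "seq": n, "total": len(chunks), "data": chunk}
            for n, chunk in enumerate(chunks)]


def reassemble(packets, dst):
    """Rebuild the original bytes for `dst` from packets received in any order.

    Identical retransmitted duplicates are tolerated; a missing sequence
    number or a conflicting duplicate raises ValueError instead of
    silently producing a corrupted file.
    """
    mine = [p for p in packets if p["dst"] == dst]
    if not mine:
        raise ValueError("no packets for destination")
    total = mine[0]["total"]
    by_seq = {}
    for p in mine:
        if p["seq"] in by_seq and by_seq[p["seq"]] != p["data"]:
            raise ValueError(f"conflicting duplicate for packet {p['seq']}")
        by_seq[p["seq"]] = p["data"]
    missing = sorted(set(range(total)) - set(by_seq))
    if missing:
        raise ValueError(f"missing packets: {missing}")
    return b"".join(by_seq[i] for i in range(total))


def digest(data):
    """SHA-256 of a byte string, used to confirm the rebuilt file equals the sent one."""
    return hashlib.sha256(data).hexdigest()


# Constructed message (not real traffic) and a deterministic shuffle to stand in
# for packets arriving over different routes.
MESSAGE = b"constructed sample message: the packets of this file take different routes"
PACKETS = packetize(MESSAGE, "129.6.13.23", 16)
ARRIVED = list(PACKETS)
random.Random(1).shuffle(ARRIVED)

if __name__ == "__main__":
    rebuilt = reassemble(ARRIVED, "129.6.13.23")
    print(digest(rebuilt) == digest(MESSAGE), rebuilt)
```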
Network Devices
Network devices and services include routers, firewalls, proxy servers/gateways, Network Address Translation (NAT), and Dynamic Host Configuration Protocol (DHCP).
By design, these devices and services may or may not have a logging feature that captures source and destination IP information, login user name, and date and time of logins. Some or all of these network devices and services may alter or mask the true source or destination IP address. It may be necessary to work with the network administrator to determine the true source or destination IP address.
DNS
Domain Name System (DNS) servers are the "phonebooks" of the Internet. They maintain directories that match IP addresses with registered domains and resolve the text that people understand (the domain name) into a format that devices understand (the IP address).
Registering Domain Names
A person or an organization can register a domain name as long as it is not already registered. Domain names are registered with the Internet Corporation for Assigned Names and Numbers (ICANN), a nonprofit organization responsible for Internet address assignment and domain name server management.
Information required to register a domain name includes name, address, phone number, billing information, e-mail address, and technical and administrative contact information. In addition to this information, the date that a domain was registered may be available from the registrar. Although this information may provide investigative leads, the investigator should be aware that the information originates from the person registering the domain name and may be fictitious.
Spoofing, masking, and redirecting
Advanced methods of obscuring actions on the Internet include hiding the IP address, pretending to be someone else, and sending traffic through another IP address. These methods are commonly referred to as masking, spoofing, and redirecting. Advanced training is required to investigate or identify when these actions have taken place. Therefore, even after completing legal process, traditional investigative methods may still be necessary to identify the end user. In some cases, masking, spoofing, or redirecting may prevent the identification of the user.
The Key
All communications on the Internet and across networks rely on an IP address to reach their destination. The key to investigating crimes relating to the Internet and networks is to identify the originating IP address and trace it to a source. These skills enable an investigator to locate additional sources of evidence, corroborate victim and witness statements, and potentially locate a suspect.
Given an IP address and a date and time (including the time zone), most ISPs can identify the registered user assigned to the IP address at the specific time, enabling the investigator to request additional information. However, the investigator may need to use traditional investigative methods to identify the person using the account at that time.
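The dynamic-address slide and the paragraph above both turn on the same lookup: an IP address plus a date and time, with its time zone, against the ISP's assignment history. The following added example (not from the presentation, and not any ISP's real system) performs that lookup over a constructed assignment log kept in UTC, and shows why the time zone matters: the same dynamic address changes hands three times in one day, so a request that omits the zone can match several subscribers. The log rows, addresses and account names are constructed; India Standard Time is UTC+5:30.

```python
from datetime import datetime, timedelta, timezone

# Constructed ISP assignment log (not real data). Times are UTC; each row
# records which subscriber account held a dynamic address for a lease interval.
ASSIGNMENT_LOG = [
    # (ip, lease_start_utc, lease_end_utc, account)
    ("203.0.113.45", "2019-08-07T02:00:00", "2019-08-07T06:30:00", "subscriber-A"),
    ("203.0.113.45", "2019-08-07T06:30:00", "2019-08-07T12:00:00", "subscriber-B"),
    ("203.0.113.45", "2019-08-07T12:00:00", "2019-08-07T23:59:59", "subscriber-C"),
    ("203.0.113.46", "2019-08-07T00:00:00", "2019-08-07T23:59:59", "subscriber-D"),
]


def parse_utc(text):
    """Parse an ISO-8601 timestamp from the log, which is stored in UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def to_utc(local_text, utc_offset_hours):
    """Convert an event time stated in a local zone (IST is +5.5) to UTC."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromisoformat(local_text).replace(tzinfo=zone).astimezone(timezone.utc)


def lookup_subscriber(ip, event_utc, log=ASSIGNMENT_LOG):
    """Accounts holding `ip` at `event_utc` (normally one; empty if the ISP kept no record)."""
    return [account for row_ip, start, end, account in log
            if row_ip == ip and parse_utc(start) <= event_utc < parse_utc(end)]


def candidates_without_zone(ip, local_text, log=ASSIGNMENT_LOG):
    """If the time zone is unknown, every real-world offset (UTC-12 to UTC+14,
    in 30-minute steps) has to be tried, and the answer is a set rather than a name."""
    found = set()
    for half_hours in range(-24, 29):
        for account in lookup_subscriber(ip, to_utc(local_text, half_hours / 2), log):
            found.add(account)
    return sorted(found)


if __name__ == "__main__":
    event = to_utc("2019-08-07T11:45:00", 5.5)  # 11:45 IST -> 06:15 UTC
    print(lookup_subscriber("203.0.113.45", event))
    print(candidates_without_zone("203.0.113.45", "2019-08-07T11:45:00"))
```

With the zone supplied, 11:45 IST becomes 06:15 UTC and matches a single account; without it the same clock reading spans all three leases of that day. The lease intervals are treated as half-open (start inclusive, end exclusive) so that a hand-over minute is never attributed to two accounts.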
RECOVERY OF DIGITAL EVIDENCE
Every cyber crime has certain unique points and these determine the initial steps to be taken towards the recovery of digital evidence while investigating the crime. Once these initial procedures have been completed the actual process of data recovery can begin. During this process it is important that the investigator ensures that the examination is conducted only on duplicate evidence.
In addition, it is vital that it can be proven in a court that the examination has been conducted thoroughly and the evidence is authentic and unaltered. This process of examination of computer evidence is painstaking and tedious. It has to be performed with extreme care.
HARD DISK/FLOPPY EXAMINATION
The following procedures must be followed for examining computer hard disks:
The media used for the examination process should be virus free.
The original media should not be used for the examination. Only a bit-stream image of the original hard disk should be used. The bit-stream image should be taken in a non-invasive manner.
EXAMINATION...
The bit-stream image should be verified by its MD5 hash value.
The boot record data, command files such as the CONFIG.SYS file and the AUTOEXEC.BAT should be examined. All recoverable deleted files should be restored.
All the files contained on the hard disk should be listed.
The unallocated storage space and slack space should be examined.
Attempts should be made to decrypt password-protected files.
RECOVERY PROCEDURE
Normal Files: These are regular files used by the user and are usually easy to access. Most of the time, users do not encrypt this information, nor do they have any passwords to protect it. These files may contain evidence like incriminating letters, notes, figures, etc.
Deleted files: These are the files that have been deleted by the user. Usually when any file is deleted it may be possible to recover it from the Recycle Bin of the computer. If the user has been cautious enough to empty the recycle bin, then this recovery becomes difficult, but not impossible. It may be possible to recover the deleted data, or at least fragments of the deleted data, by inspecting the unallocated storage space on the computer.
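The "deleted is not deleted" point above, and the file slack and unallocated space named in the concepts slide that follows, come down to one fact: deletion removes the directory entry and frees the clusters, but does not overwrite their contents, and a file rarely fills its last cluster exactly. The following added example (not from the presentation, and not a real file system) builds a toy image of five 512-byte clusters, then extracts the slack behind a live file and carves a "deleted" file back out of the unallocated clusters by its header and footer. The cluster size, directory layout and file contents are all constructed for the example.

```python
CLUSTER = 512  # bytes per allocation unit in the toy image (an assumption)


def build_toy_image():
    """Construct a five-cluster image with three situations the examiner looks for:
    clusters 0-1: a live 700-byte file, whose last cluster previously held other data
                  (so its slack carries residue from the earlier occupant);
    clusters 2-3: a 'deleted' file whose directory entry is gone but whose data remains;
    cluster 4:    unallocated and zeroed.
    Returns (image_bytes, directory) where directory lists live files only."""
    image = bytearray(CLUSTER * 5)
    residue = (b"OLD-RESIDUE-" * 100)[:CLUSTER * 2]   # earlier occupant of clusters 0-1
    image[0:CLUSTER * 2] = residue
    live = b"LIVE:" + b"A" * 695                       # 700 bytes, overwrites part of it
    image[0:len(live)] = live
    deleted = b"%PDF-1.4 deleted report contents " + b"B" * 400 + b"%%EOF"
    image[CLUSTER * 2:CLUSTER * 2 + len(deleted)] = deleted
    directory = {"notes.txt": {"start": 0, "size": len(live), "clusters": [0, 1]}}
    return bytes(image), directory


def file_slack(image, entry, cluster=CLUSTER):
    """Bytes between the logical end of a file and the end of its last cluster."""
    start = entry["start"] * cluster
    end_of_data = start + entry["size"]
    end_of_alloc = start + len(entry["clusters"]) * cluster
    return image[end_of_data:end_of_alloc]


def unallocated_clusters(image, directory, cluster=CLUSTER):
    """Cluster numbers not claimed by any live directory entry."""
    used = {c for entry in directory.values() for c in entry["clusters"]}
    return [c for c in range(len(image) // cluster) if c not in used]


def carve(image, directory, header, footer, cluster=CLUSTER):
    """Scan the unallocated clusters in order for header...footer.
    Returns the recovered bytes, the fragment from header to end of free space
    if the footer is gone, or None if the header is not present."""
    free = unallocated_clusters(image, directory, cluster)
    blob = b"".join(image[c * cluster:(c + 1) * cluster] for c in free)
    h = blob.find(header)
    if h < 0:
        return None
    f = blob.find(footer, h)
    if f < 0:
        return blob[h:]
    return blob[h:f + len(footer)]


if __name__ == "__main__":
    img, d = build_toy_image()
    print("slack:", file_slack(img, d["notes.txt"])[:32])
    print("free clusters:", unallocated_clusters(img, d))
    print("carved:", carve(img, d, b"%PDF", b"%%EOF")[:40])
```

Listing the live files alone (the "all files should be listed" step) would never show the PDF; only reading the free clusters does. Real carving tools work the same way at far larger scale, and fragmented files are why the slide says "at least fragments".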
STILL OTHER KINDS OF FILES
Password protected files: Most programmes offer the user the option of protecting the information contained in a file through the use of a password. This means that this information will no longer be available to everybody. Only a particular user will be able to access the information.
Encrypted files: By utilizing some encryption scheme it is possible for the user to ensure that no one else, even if they see the contents of a file, can understand these contents. The encryption software makes the original contents of the files look like incomprehensible gibberish. Until and unless the contents are decrypted, no one can understand them.
CONCEPTS
FILE SLACK
RAM SLACK
DRIVE SLACK
DELETED IS NOT DELETED
FILE ALLOCATION TABLES
OTHER SOURCES OF EVIDENCE
INFORMATION CONTAINED IN BROWSERS'
EXAMINATION OF LOG FILES
Thank You