COS/PSA 413

Day 10

Agenda

• Lab 4 Write-ups are in– Will have corrected by next class

• Lab 5 write-ups due Oct 19• Assignment 3 posted (due Oct 21)• Capstone Proposals Over due

– See guidelines in WebCT– All 10 require some modifications (emails sent)

• Got one back so far• Exam 2 on Oct 21

– Chaps 5-9, 10 M/C (30 Points) , 10 Short Answer (30 points), 5 Essays (40 points) Open Book, Open Notes, 70 min. time limit.

• Today we will discuss Processing Crime and Incident scenes– Chap 8 in 1e and Chap 5e in 2e (mostly the same except using different

forensics tools)

Processing Crime and Incident Scenes

Chapter 8

Learning Objectives

• Process Crime and Incident Reports• Process a Law Enforcement Crime Scene• Prepare for a Search• Secure a Computer Incident or Crime Scene• Seize Digital Evidence at the Scene• Collect Digital Evidence• Review a Case

Processing Crime and Incident Reports

Collecting Evidence in Private-Sector Incident Scenes

• Freedom of Information Act (FOIA)– States public records are open and available for

inspection– Citizens can request public documents created

by federal agencies

• Homeland Security Act

• Patriot Act

Collecting Evidence in Private-Sector Incident Scenes (continued)

• Corporate environment is much easier than criminal environment

• Employees’ expectation of privacy– Create and publish a privacy policy– Use warning banners

• State when an investigation can be initiated– Reasonable suspicion

Collecting Evidence in Private-Sector Incident Scenes (continued)

Collecting Evidence in Private-Sector Incident Scenes (continued)

• Avoid becoming a law enforcement agent

• Check with your corporate attorney on how to proceed– Commingled data– Warrants– Subpoena– Civil liability

Processing Law Enforcement Crime Scenes

• Criminal rules of search and seizure

• Probable cause– Specific crime was committed– Evidence exists– Place to be searched includes evidence

• Warrant– Probable cause– Witness

Processing Law Enforcement Crime Scenes (continued)

Understanding Concepts and Terms Used in Warrants

• Innocent information– Unrelated information

• Limiting phrase– Separate innocent information from evidence

• Plain view doctrine– Searched area can be extended

• Knock and announce

Preparing for a Search

• Most important step in computing investigations

• Steps:– Identifying the nature of the case– Identifying the type of computer system– Determining whether you can seize a computer– Obtaining a detailed description of the location

Preparing for a Search (continued)

• Steps (continued):– Determining who is in charge– Using additional technical expertise– Determining the tools you need– Preparing the investigation team

Identifying the Nature of the Case

• Private or public• Dictates:

– How you proceed – Resources needed during the investigation

Identifying the Type of Computing System

• Identify:– Size of the disk drive– Number of computers at the crime scene– OSs– Specific details about the hardware

• Easier to do in a controlled environment, such as a corporation

Determining Whether You Can Seize a Computer

• Ideal situation– Seize computers and take them to your lab

• Not always possible

• Need a warrant

• Consider using portable resources

Obtaining a Detailed Description of the Location

• Get as much information as you can

• Identify potential hazards– Interact with your HAZMAT team

• HAZMAT guidelines– Protect your target disk before using it– Check for high temperatures

Determining Who Is in Charge

• Corporate computing investigations require only one person to respond

• Law enforcement agencies:– Handle large-scale investigations– Designate leader investigators

Using Additional Technical Expertise

• Look for specialists– OSs– RAID servers– Databases

• Can be hard• Educate specialists in proper investigative

techniques– Prevent evidence damage

Determining the Tools You Need

• Prepare your tools using incident and crime scene information

• Initial-response field kit– Lightweight– Easy to transport

• Extensive-response field kit– Includes all tools you can afford

Determining the Tools You Need (continued)

Determining the Tools You Need (continued)

Preparing the Investigation Team

• Review facts, plans, and objectives

• Coordinate an action plan with your team– Collect evidence– Secure evidence

• Slow response can cause digital evidence lost

Securing a Computer Incident or Crime Scene

• Preserve the evidence

• Keep information confidential

• Define a secure perimeter– Use yellow barrier tape– Legal authority

• Professional curiosity– Can destroy evidence

Seizing Digital Evidence at the Scene

• Law enforcement can seize evidence with a proper warrant

• Corporate investigators rarely can seize evidence• U.S. DoJ standards for seizing digital data• Civil investigations follow same rules

– Require less documentation, though

• Consult with your attorney for extra guidelines

Processing a Major Incident or Crime Scene

• Guidelines– Keep a journal– Secure the scene– Be professional and courteous with onlookers– Remove people who are not part of the

investigation– Video record the computer area

• Pay attention to details

Processing a Major Incident or Crime Scene (continued)

• Guidelines (continued)– Sketch the incident or crime scene– Check computers as soon as possible– Save data from current applications as safe as

possible– Make notes of everything you do when copying

data from a live suspect computer– Close applications and shutdown the computer

Processing a Major Incident or Crime Scene (continued)

• Guidelines (continued)– Look for information related to the

investigation• Passwords, passphrases, PINs, bank accounts

– Collect documentation and media related to the investigation

• Hardware, software, backup media

Processing Data Centers with an Array of RAIDs

• Sparse evidence file recovery– Extracts only data related to evidence for your case

from allocated files– Minimizes how much data you need to analyze– Doesn’t recover residual data in free or slack space– If you have a computer forensics tool that accesses

the unallocated space on a RAID system, work it on a test system first to make sure it doesn’t corrupt the RAID computer

Using a Technical Advisor at an Incident or Crime Scene

• Technical specialists

• Responsibilities:– Know aspects of the seized system– Is direct investigator handling sensitive material– Help securing the scene– Help document the planning strategy– Conduct ad hoc trainings– Document activities

Sample Civil Investigation

• Recover specific evidence– Suspect’s Outlook e-mail folder (PST file)

• Covert surveillance– Company policy– Risk of civil or criminal liability

• Sniffing tools– For data transmissions

Sample Criminal Investigation

• Computer crimes examples– Fraud– Check fraud– Homicides

• Need a warrant to start seizing evidence– Limit searching area

Sample Criminal Investigation (continued)

Reviewing a Case

Tasks to perform in a case: - Identify the case requirements - Plan your investigation - Execute the investigation - Complete the case report - Critique the case

Reviewing a Case

Reviewing a Case

Identifying the Case Requirements - What is the nature of the case?

Two people are missing or overdue at work. - What are their names?

George Popson and Martha Heiser - What do they do?

George is a supervisor in the Accounts Payable Department, and Martha is a shipping clerk.

Reviewing a Case

Identifying the Case Requirements- What is the OS of the suspect computer?

Microsoft Windows 98. - What type of media needs to be examined?

One floppy disk drive.

Reviewing a Case

Planning Your Investigation - George and Martha’s absences might or might not be related. - George’s computer might contain information explaining their absence. - No one else has used George’s computer since he disappeared. - You need to make an image of George’s computer and attempt to retrieve evidence related to the case.

Chapter Summary

- In the private sector, an incident scene is often a place of work, such as a contained office or manufacturing area. Because everything from the computers used to violate a company policy to the surrounding facility is under a controlled authority, it is easier to investigate and control the scene than in a criminal environment.

Chapter Summary

- Companies should publish policies stating that they reserve the right to inspect computing assets at will; otherwise, the employees’ expectation of privacy prevents an employer from legally conducting an intrusive investigation. A well-defined corporate policy states that an employer has the right to examine, inspect, or access any company-owned computing asset. If the policy statement is issued to all employees, the employer can investigate computing assets at will without any privacy right restrictions.

Chapter Summary

- Proper procedure needs to be followed even in private-sector investigations, because civil litigations can become criminal investigations very easily. As a corporate investigator, you must ensure that sensitive company information does not become commingled with criminal evidence.

Chapter Summary

- If an internal corporate case is turned over to law enforcement because of criminal activity, the corporate investigator must avoid becoming an agent of law enforcement because at that time, affidavits and search warrants are needed.

- The plain view doctrine applies when items that are evidentiary, and not specified in a warrant under probable cause, are in plain view.

Chapter Summary

- Criminal cases require a properly executed and well-defined search warrant. A specific crime and specific location must be spelled out in the warrant. For all criminal investigations in the United States, the Fourth Amendment to the Constitution specifies that a law enforcement officer may only search for and seize criminal evidence with probable cause, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.

Chapter Summary

- When preparing for a case, you need to describe the nature of the case, identify the type of Operating System (OS), determine whether you can seize the computer, and obtain a description of the location.

- If dealing with a hazardous material (HAZMAT) situation, you may need to have someone else obtain the evidence from the location.

Chapter Summary

- Always take pictures or use a digital camera to document the scene. Then methodically record what exists at the scene. Prevent professional curiosity from contaminating evidence by limiting who enters the scene.

Chapter Summary

- As you collect digital evidence, guard against physically destroying or contaminating it. Take precautions to prevent static electricity discharge to electronic devices. If possible, bag or box digital evidence and any hardware you collect from the incident or crime scene. As you collect the hardware, sketch the equipment, including extra markings of where components were located. Tag and number each cable, port, and any other connection and record its number and description in a log.