Evidence Handling If the evidence is there the case is yours to lose.

Upload: priscilla-shaw

Post on 31-Dec-2015



TRANSCRIPT

Page 1: Evidence Handling

Evidence Handling

If the evidence is there the case is yours to lose.

Page 2: Evidence Handling

Evidence

• First do no harm.

• Evidence:
  • cannot be altered.
  • cannot be tampered with.
  • cannot be added.
  • reserved for LAPD only.

Page 3: Evidence Handling

Evidence

● Admissible: must be legally obtained and relevant

● Reliable: has not been tainted (changed) since acquisition

● Authentic: the real thing, not a replica

● Complete: includes any exculpatory evidence

● Believable: lawyers, judge & jury can understand it

Page 4: Evidence Handling

Rule #2

• Evidence must be reliable.
• Must be able to prove that evidence has not changed since seizure.
• Always accounted for.

Page 5: Evidence Handling

MD5/File Signature

• MD5 – Message Digest version 5
• A mathematical calculation of the data in a file
• If one bit is changed the MD5 is vastly different
• Often referred to as the hash code of the file
• Acts as a unique signature of the file

Page 6: Evidence Handling

Rule #2

• Reliable evidence.
• In order to demonstrate that evidence presented in court is identical to that seized in accordance with a search warrant, it is sufficient to show the MD5 file/drive signatures match.

• Accepted judicial procedure.

Page 7: Evidence Handling

File/Drive Signature

• MD5 hash code of a file/disk/drive is unique to that file/disk/drive

• The MD5 hash code calculates a number that can prove that the file/drive has not changed.

• Procedure:
  1. Calculate the MD5 code of the seized digital evidence as soon after the seizure as possible.
  2. When challenged, re-calculate the MD5 code.
  3. Compare: if equal, then the evidence has not changed. Otherwise the evidence is inadmissible.
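The three-step procedure above as an added Python example (not from the slides and not WinHex): it hashes evidence in fixed-size chunks so that whole drive images never have to fit in memory, records the signatures, re-verifies them on demand, and shows that a single flipped bit fails the comparison (the same effect the later floppy exercise produces through a changed access time). It records SHA-256 alongside MD5, going beyond the slides because MD5 collisions are practical today; the file name and contents are constructed.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # hash drive images in 1 MiB pieces instead of loading them whole

def stream_signatures(stream, algorithms=("md5", "sha256")):
    """Read a binary stream once and feed every chunk to each requested hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def bytes_signatures(data, algorithms=("md5", "sha256")):
    """Same as stream_signatures, for data already held in memory."""
    return stream_signatures(io.BytesIO(data), algorithms)

def file_signatures(path, algorithms=("md5", "sha256")):
    """Step 1: record the signatures of the seized file/image as soon as possible."""
    with open(path, "rb") as fh:
        return stream_signatures(fh, algorithms)

def verify_signatures(path, recorded):
    """Steps 2-3: recompute when challenged and compare with what was recorded.
    Returns (all_match, {algorithm: (recorded, current)}); one mismatch fails."""
    current = file_signatures(path, tuple(recorded))
    report = {name: (recorded[name], current[name]) for name in recorded}
    return all(r == c for r, c in report.values()), report

def hamming_hex(a, b):
    """Number of differing bits between two hex digests (the avalanche effect)."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")

def demo():
    """Constructed walk-through: sign, verify, flip one bit, verify again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "index.dat")  # name from the slides; content is made up
        with open(path, "wb") as fh:
            fh.write(b"The quick brown fox jumps over the lazy dog")
        recorded = file_signatures(path)
        intact_before, _ = verify_signatures(path, recorded)
        with open(path, "r+b") as fh:        # simulate tampering: flip one bit ('g' -> 'f')
            fh.seek(-1, os.SEEK_END)
            last = fh.read(1)[0]
            fh.seek(-1, os.SEEK_END)
            fh.write(bytes([last ^ 0x01]))
        intact_after, report = verify_signatures(path, recorded)
    return {"md5_at_seizure": recorded["md5"], "intact_before": intact_before,
            "intact_after": intact_after, "md5_bits_changed": hamming_hex(*report["md5"])}
```

Keep the recorded signatures in the case notes separately from the evidence itself; the comparison is only meaningful if the original values cannot be rewritten along with the data.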

Page 8: Evidence Handling

WinHex

• The general purpose forensic analysis tool we will use for this course.

• Excellent professional grade tool.
• You can download a trial version.
• It has limited capability, but you can do a lot with it and complete your assignments in the lab.
• The license is good for all versions before 2007.

Page 9: Evidence Handling

WinHex File Signature

• Open the application
• File -> Open
• Find Documents and Settings\UserData\index.dat
• Select
• Tools -> Compute Hash
• Select MD5 (128 bit)
• Note the hash code or file signature

Page 10: Evidence Handling

WinHex

Page 11: Evidence Handling

Open File

Page 12: Evidence Handling

Open UserData Folder

Page 13: Evidence Handling

Index.dat Opened

Page 14: Evidence Handling

Calculate MD5 Hash / File Signature

Page 15: Evidence Handling

File Signature

Page 16: Evidence Handling

Protect Your Evidence

• Be sure you use a write blocker of some kind
• You can’t trust software, unless
  • It has been tested and validated
  • Usually by a third party
• Floppies and tapes have physical protection

Page 17: Evidence Handling

Hash of a Floppy

• Be sure the write protect thingee is open
• Start WinHex
• Open floppy
• Be sure you select the physical device
• Calculate the hash

Page 18: Evidence Handling

Open Disk

Page 19: Evidence Handling

Open Disk / Physical Media

Page 20: Evidence Handling

Open Floppy Media

Page 21: Evidence Handling

Open Floppy

Page 22: Evidence Handling

Calculate Disk Signature

Page 23: Evidence Handling

Recover File from the Floppy

• Select possible file
• After you recover this file
  • Select the physical device
  • Calc hash
  • Compare with the previous hash
  • Have they changed?

Page 24: Evidence Handling

Open Partition 1 / Double Click

Page 25: Evidence Handling

Explore Floppy

Page 26: Evidence Handling

Select File

Page 27: Evidence Handling

Not For Temp Licensed Users Only / Must export to your docs to view

• Right click on file to recover
• Choose Recover/Copy …
• Choose folder to restore to, click
• Double click on file

Page 28: Evidence Handling

Voila

Page 29: Evidence Handling

Re-Calc Hash

• Recalculate the hash of the floppy
• The floppy has been accessed
• The access time of the file should have been changed
• Hence the hash of the floppy should change
• Did it?

Page 30: Evidence Handling

Lab – Due

• Be sure that the write protect hole is clear
• Calculate the MD5 signature of your floppy
• Record it.
• Recover a file and view it; include it in your report. Remember Alt – PrtSc and paste it where you want it.
• Recalculate the hash of the floppy. Are they the same?