evidence handling
Evidence Handling
If the evidence is there, the case is yours to lose.
Evidence
• First do no harm.
• Evidence:
  • cannot be altered.
  • cannot be tampered with.
  • cannot be added.
  • reserved for LAPD only.
Evidence
• Admissible – must be legally obtained and relevant
• Reliable – has not been tainted (changed) since acquisition
• Authentic – the real thing, not a replica
• Complete – includes any exculpatory evidence
• Believable – lawyers, judge & jury can understand it
Rule #2
• Evidence must be reliable.
• Must be able to prove that evidence has not changed since seizure.
• Always accounted for.
MD5/File Signature
• MD5 – Message Digest version 5
• A mathematical calculation of the data in a file
• If one bit is changed the MD5 is vastly different
• Often referred to as the hash code of the file
• Acts as a unique signature of the file
Rule #2
• Reliable evidence.
• In order to demonstrate that evidence presented in court is identical to that seized in accordance with a search warrant, it is sufficient to show the MD5 file/drive signatures match.
• Accepted judicial procedure.
File/Drive Signature
• MD5 hash code of a file/disk/drive is unique to that file/disk/drive
• The MD5 hash code calculates a number that can prove that the file/drive has not changed.
• Procedure:
  1. Calculate the MD5 code of the seized digital evidence as soon after the seizure as possible.
  2. When challenged, re-calculate the MD5 code.
  3. Compare: if equal, then the evidence has not changed. Otherwise the evidence is inadmissible.
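The three-step procedure above and the "one bit changed" claim from the MD5/File Signature slide, as an added Python example that is not part of the deck: the sample message and every function name are constructed for illustration, and SHA-256 is recorded next to MD5 because MD5 collisions are practical today.

```python
import hashlib

def file_signature(data, algorithm="md5"):
    """Hash code ('file signature') of the bytes of a file or drive image."""
    return hashlib.new(algorithm, data).hexdigest()

def record_at_seizure(data):
    """Step 1: compute the signatures as soon after seizure as possible.
    SHA-256 is kept alongside MD5 because MD5 collisions are practical today."""
    return {"md5": file_signature(data, "md5"),
            "sha256": file_signature(data, "sha256")}

def verify_when_challenged(data, record):
    """Steps 2 and 3: recalculate and compare. True = unchanged, False = inadmissible."""
    return all(file_signature(data, alg) == sig for alg, sig in record.items())

def flip_one_bit(data, byte_index, bit):
    """Return a copy of data with exactly one bit changed (simulated alteration)."""
    altered = bytearray(data)
    altered[byte_index] ^= 1 << bit
    return bytes(altered)

def differing_hex_digits(sig_a, sig_b):
    """How many hex digits of two signatures differ (the avalanche effect)."""
    return sum(a != b for a, b in zip(sig_a, sig_b))

# Constructed sample evidence; a real run would read the seized image with open(path, "rb").
EVIDENCE = (b"From: jsmith@example.test\r\nTo: rjones@example.test\r\n"
            b"Subject: Q3 numbers\r\n\r\nThe attached spreadsheet is final.\r\n")

if __name__ == "__main__":
    record = record_at_seizure(EVIDENCE)
    print("MD5 at seizure:", record["md5"])
    print("unchanged copy verifies:", verify_when_challenged(EVIDENCE, record))
    tampered = flip_one_bit(EVIDENCE, 0, 5)   # one bit of the first byte: 'F' becomes 'f'
    print("tampered copy verifies:", verify_when_challenged(tampered, record))
    print("MD5 hex digits that differ:",
          differing_hex_digits(record["md5"], file_signature(tampered)), "of 32")
```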
WinHex
• The general purpose forensic analysis tool we will use for this course.
• Excellent professional grade tool.
• You can download a trial version.
• It has limited capability, but you can do a lot with it and complete your assignments in the lab.
• The license is good for all versions before 2007.
WinHex File Signature
• Open the application
• File -> Open
• Find Documents and Settings\UserData\index.dat
• Select
• Tools -> Compute Hash
• Select MD5 (128 bit)
• Note the hash code or file signature
[Screenshot: WinHex]
[Screenshot: Open File]
[Screenshot: Open UserData Folder]
[Screenshot: Index.dat Opened]
[Screenshot: Calculate MD5 Hash – File Signature]
[Screenshot: File Signature]
Protect Your Evidence
• Be sure you use a write blocker of some kind
• You can’t trust software, unless
  • It has been tested and validated
  • Usually by a third party
• Floppies and tapes have physical protection
Hash of a Floppy
• Be sure the write protect thingee is open
• Start WinHex
• Open floppy
• Be sure you select the physical device
• Calculate the Hash
[Screenshot: Open Disk]
[Screenshot: Open Disk – Physical Media]
[Screenshot: Open Floppy Media]
[Screenshot: Open Floppy]
[Screenshot: Calculate Disk Signature]
Recover File from the Floppy
• Select possible file
• After you recover this file
  • Select the physical device
  • Calc hash
  • Compare with the previous hash
  • Have they changed?
[Screenshot: Open Partition 1 – Double Click]
[Screenshot: Explore Floppy]
[Screenshot: Select File]
Not For Temp Licensed Users Only
Must export to your docs to view
• Right click on file to recover
• Choose Recover/Copy …
• Choose Folder to restore to, click
• Double click on file
[Screenshot: Voila]
Re-Calc Hash
• Recalculate the hash of the floppy
• The floppy has been accessed
• The access time of the file should have been changed
• Hence the hash of the floppy should change
• Did it?
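An added example, not part of the deck, that models what the slide above expects and answers "Did it?" precisely: a constructed, simplified 1.44 MB FAT12-style image in which viewing the recovered file without a write blocker rewrites the directory entry's last-access date. The sector offsets are the standard 1.44 MB FAT12 geometry; the file name, dates, content and all function names are constructed for illustration.

```python
import hashlib

SECTOR = 512
ROOT_DIR_OFFSET = 19 * SECTOR   # standard 1.44 MB FAT12: root directory begins at sector 19
DATA_OFFSET = 33 * SECTOR       # first data cluster (cluster 2) begins at sector 33
LAST_ACCESS = 18                # offset of the 2-byte last-access date in a 32-byte directory entry

def fat_date(year, month, day):
    """Pack a date the way FAT stores it: 7 bits (year-1980), 4 bits month, 5 bits day, little-endian."""
    return (((year - 1980) << 9) | (month << 5) | day).to_bytes(2, "little")

def make_floppy_image():
    """Constructed image: one root directory entry for MEMO.TXT whose data sits in cluster 2.
    Only the fields this example inspects are filled in; it is not a bootable file system."""
    content = b"CONFIDENTIAL MEMO - recovered from the floppy in the lab\r\n"
    entry = bytearray(32)
    entry[0:11] = b"MEMO    TXT"
    entry[LAST_ACCESS:LAST_ACCESS + 2] = fat_date(2006, 9, 1)
    entry[26:28] = (2).to_bytes(2, "little")            # first cluster
    entry[28:32] = len(content).to_bytes(4, "little")   # file size
    image = bytearray(2880 * SECTOR)
    image[ROOT_DIR_OFFSET:ROOT_DIR_OFFSET + 32] = entry
    image[DATA_OFFSET:DATA_OFFSET + len(content)] = content
    return bytes(image)

def open_file_without_write_blocker(image, year, month, day):
    """What an ordinary mount does when the file is viewed: it rewrites the last-access date."""
    image = bytearray(image)
    pos = ROOT_DIR_OFFSET + LAST_ACCESS
    image[pos:pos + 2] = fat_date(year, month, day)
    return bytes(image)

def explain_hash_change(before, after):
    """Did the drive hash change, at which offsets, and was the file content itself touched?"""
    changed = [i for i, (x, y) in enumerate(zip(before, after)) if x != y]
    md5 = lambda b: hashlib.md5(b).hexdigest()
    return {
        "drive_hash_changed": md5(before) != md5(after),
        "changed_offsets": changed,
        "only_directory_metadata": all(ROOT_DIR_OFFSET <= o < DATA_OFFSET for o in changed),
        "file_content_hash_same": md5(before[DATA_OFFSET:]) == md5(after[DATA_OFFSET:]),
    }

if __name__ == "__main__":
    seized = make_floppy_image()
    viewed = open_file_without_write_blocker(seized, 2007, 1, 15)
    print(explain_hash_change(seized, viewed))
```

The drive signature changes even though the recovered file's bytes are identical, which is why the slides insist on a write blocker and on hashing the physical device before anything is opened.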
Lab – Due
• Be sure that the write protect hole is clear
• Calculate the MD5 Signature of your floppy
• Record it.
• Recover a file and view, include it in your report. Remember Alt – PrtSc and paste it where you want it.
• Recalculate the hash of the floppy. Are they the same?