He was summarily sentenced to two life terms with an additional sentence of to years in prison (The DNA Initiative).
The arrest and conviction of Woodall brought some much-needed closure to both of the victims and peace to the community as a whole. During the investigation it was found that Woodall was innocent, and that he, too, was a victim. What the panel found was extremely disturbing. The panel also found that his supervisors may have been culpable as well, overlooking or hiding complaints about his performance (Chan). In , twenty-four years later, the real suspect was arrested and eventually convicted of the crimes of which Woodall was originally found guilty.
Cases like this hammer home the need for effective quality assurance programs in all forensic sciences.

Tool Validation

Our tools, be they hardware or software, must function as they are designed. A validation process clearly demonstrates that the tool is working properly, is reliable, and yields accurate results. To do otherwise will put any evidence found in real jeopardy of being excluded. There are different types of documentation and reports used throughout the entire forensic process.
Normally, all the paperwork associated with a specific case is collected into a case file. The case file will contain all of the documentation pertaining to the case, including paperwork generated by the examiner and others. Forms help guide personnel through the process and ensure that a high level of quality is maintained. Forms ensure all the necessary information is captured in a uniform manner. Typically, forms are used to describe the evidence in detail (make, model, serial number, etc.).
They must be detailed enough to enable another examiner to duplicate the process used during the examination. This applies to both criminal and civil cases. It can be months or even years before a case ever gets to trial.
By the time you have to testify, you may only be able to recall few, if any, facts of the case. The case documentation, and your notes in particular, will prove a great tool to refresh your recollection.
The lawyers, investigators, judges, and clients will most likely have little to no technical background. All too often these reports are filled with technical jargon and details that only serve to frustrate and confuse the majority of their intended audience. These reports should be comprehensible to a nontechnical audience. Jargon and acronyms should be kept to an absolute minimum. The summary is a brief description of the results of the examination.
The end users of our reports find this feature useful, especially in light of the massive caseload and amount of information they are typically dealing with. The findings included here should be supported and explained in the detailed findings. The detailed findings provide the substance of the report. They provide the details of the examination, steps taken, results, and so on.
Anything we can do to help our intended audience wade through any unfamiliar jargon and acronyms is always a good thing. Conveying our findings in a way that can be understood is our responsibility as forensic professionals. There are tools for specific purposes as well as tools with broader functionality.
They can be commercial tools that must be purchased or they can be open source tools that are freely available. There are advantages and disadvantages to all. Keep in mind, no single tool does everything or does everything exceedingly well. Using multiple tools is also a great way to validate your findings.
The same results, with two different tools, significantly increase the reliability of the evidence.

Tool Selection

The digital forensic tool market boasts a large number of products, with more rolling out all the time.
How does an examiner know which tools are reliable and which ones are not? How should these tools be validated? After each update, the tool should be validated again.

Hardware

There are many hardware tools out there designed and built specifically for digital forensics. Some of these tools include cloning devices, cell phone acquisition devices, write blockers, portable storage devices, adapters, cables, and more. As you might expect, digital forensics is heavily dependent on an assortment of hardware such as PCs, servers, write blockers, cell phone kits, cables, and so on.
Figure 3. Courtesy of Cpl. Bob Boggs.
Computers are the backbone of any digital forensics lab. So as an examiner you will need the best computer workstation you can afford. Digital forensic exams require quite a bit of computing power. A good exam machine has multiple, multi-core processors, as much RAM as you can get (the more the better), and large, fast hard drives. Forensic software manufacturers provide detailed lists of minimum and suggested hardware requirements.
Straying below the minimums is done at your own risk. They are:
1. Oracle Database
2. Client-side Processing Engine
4. Distributed Processing Engine
The minimums and recommended specifications will vary with each component, but suffice it to say that you can never have too much RAM or computing power.
For example, on a machine running the Oracle database, the FTK user interface and the primary processing engine, AccessData recommends the requirements shown in Table 3. The minimum and recommended requirements will change depending on which configuration is used.
Examiners frequently sift through massive amounts of data. As such, digital forensics labs need to have the capacity to store voluminous amounts of data. In browsing the PCs for sale on bestbuy. Multiterabyte drives are also available. Small-scale devices such as cell phones and GPS units are pouring into labs across the country.
These devices require different hardware from that used on laptops and desktops. When dealing with cell phones, having the proper cable is critical. Unlike PCs, mobile devices lack much of the standardization with regard to connectors and cables. Labs need to have a wide selection of cables on hand to cope with the vast array of handsets that walk through the doors. Fortunately, the manufacturers of mobile phone forensic hardware provide many of the required cables.
Several companies make hardware cloning devices. These tools can really speed up the process, cloning multiple drives at once. They can also provide write protection, hash authentication, drive wiping, an audit trail, and more. Crime scene kits are very useful outside the lab. These kits are preloaded with all of the supplies an examiner would need in the field to collect digital evidence.
Software

There is a wide array of digital forensic software products on the market today. Some are general tools that serve a variety of functions. Others are more focused, serving a fairly limited purpose. These applications tend to focus on a very specific type of evidence, e-mail or Internet, for example.
When selecting software, a choice needs to be made between going with open source tools or a commercially produced product. There are advantages and disadvantages to both.
Factors such as cost, functionality, capabilities, and support are some of the criteria that can be used to make this decision. SIFT Workstation is a powerful, free, open source tool. This tool is capable of file carving as well as analyzing file systems, web history, recycle bin, and more.
It can also analyze network traffic and volatile memory. It can also generate a timeline, which can be immensely helpful during an investigation. Both are excellent and can make exams easier and more efficient. The reality is that no single tool does it all. For that reason, budget permitting, labs need to have a variety of tools available.
More and more specialty tools are coming on the market. These tools focus on one aspect of digital evidence such as e-mail or web-based evidence.
Dependence on the Tools

GUI-based forensic tools can become a crutch. Examiners need to understand not only what the tool is doing, but also how the artifact in question is created to begin with.
Some of the forensic tools that an examiner may use are listed in Table 3. Many of these companies offer video tutorials or demonstrations of their products. These can be a great source of additional information. They are typically available from their web site or on YouTube. This is in no way meant as an endorsement of a specific tool.
These are only a representative sampling of the many tools that are available.
Table 3.

Accreditation

They are to: 1. It requires an unbelievable amount of time, planning, documentation, and money. Nothing is taken for granted. Every standard met must be backed up with extensive, detailed documentation. The first is the legacy program and the second is the international program.
As you might expect, there are differences between the two programs as well as some common ground. A major difference is the number of criteria that must be met under each program.
The international program has considerably more standards to meet than the legacy program. Non-accredited labs can and do successfully process evidence. The reality is that obtaining and maintaining an accredited forensic lab is both a cash and labor-intensive proposition.
The kind of staffing and funding commitment required is tough to secure and frankly is not an option for everyone. It was founded in by engineers and chemists of the Pennsylvania Railroad.

Accreditation versus Certification

These terms may seem interchangeable; however, in the context of a forensic laboratory, they are not.
As described earlier, accreditation refers to the laboratory, whereas certification pertains to the individual examiners. Certification normally requires an examiner to pass a written or practical test(s). SWGDE asserts that any digital forensic certification must address the following core competencies, at a minimum:
1. Pre-examination procedures and legal issues
2. Media assessment and analysis
3. Data recovery
4. Specific analysis of recovered data
5. Documentation and reporting
6.
Well presented forensic evidence can be very, very persuasive to a jury. Many, many cases turn on the forensic evidence itself or the lack thereof. The forensic laboratory therefore plays a pivotal role in the search for justice.
Quality must be a priority in every forensic laboratory and to every forensic professional. Digital forensics is no different. Quality is achieved through the strict adherence to established quality standards as part of an overall quality assurance program. Accreditation of a digital forensics laboratory is one way to ensure conformance to these standards. Standards for digital forensics are drafted by the ASTM.
Accreditation and certification are not synonymous. The primary difference is that accreditation pertains to the physical lab where certification applies to the personnel conducting the examinations. Only tools that have been tested and proven reliable should be used when processing a case. This testing procedure is known as validation.
Digital forensic practitioners use both software and hardware tools in their work. No one single tool does everything or does it well. Most labs will have a variety of tools at their disposal to give them the broad capability they need given the wide array of technology they see coming in the door for analysis.
Nothing kills the excitement faster than three solid hours of paperwork.
It all starts at the crime scene. Just locating the evidence can be tough. Especially with stamp-sized or smaller memory cards and the like. They could be hidden in an almost limitless number of places. At the scene, examiners could be confronted with a variety of devices and storage media. They could find one or more running computers and wireless devices like cell phones.
Together, they present some unique challenges for the investigator. Actions during the collection process must be well documented. Notes, photos, video, and sketches record our actions and refresh our recollections. As digital evidence is extremely volatile, preservation is paramount. If at all possible, a forensic image or clone is made of the suspect media.
The exam is conducted on the clone which is an exact bit for bit copy rather than the original. Digital evidence has been the focus of criminal, civil, and administrative proceedings. There are distinct differences in how the scene and the evidence may be handled and documented for these proceedings.
Some cases, like a homicide, will require painstaking documentation. Others, like a civil dispute, will necessitate a somewhat less intense response. While acknowledging these subtle differences, there are certain core principles and protocols that will remain consistent.
The scene and its evidence must be protected from accidental or intentional compromise. Nosy neighbors, the news media, and police supervisors are typical crime scene trespassers.
Securing a traditional scene is accomplished by stringing crime scene tape, posting guards, or simply asking people to leave. In contrast, a scene with digital evidence presents an entirely new dimension of access. Most computers and digital devices are connected to the Internet, cellu- lar, or other kinds of networks.
For computers, it may be a matter of removing the Ethernet cable or unplugging a wireless modem or router. With wireless devices such as cell phones, we must take steps to isolate the phone from network signals.
Removable Media

If legally permissible (such as with a warrant), we want to search anywhere that could contain a piece of storage media. Despite their small size, memory cards can hold a ton of potential evidence such as child pornography or stolen credit card numbers. A quick check of Amazon. Gigabytes (GB) are pretty abstract for most of us.
Picture a set of all seven books in the Harry Potter series. With some simple math, we find that our 64 GB memory card can hold approximately seven thousand complete sets of books on something about the size of a postage stamp! Think about the amount of evidence that could be pulled from just one memory card. For example, books and manuals can give investigators clues as to the skill level of the target and what kind of technology they may be up against.
Perhaps the biggest payoff is an alert to the possible use of encryption. Discarded packaging in the trash could also be helpful. Any forensic examiner would tell you that avoiding encryption is definitely worth the trouble.

Cell Phones

Almost everyone has a cell phone these days. As such, they often contain some very valuable evidence.
Text messages, e-mail, call logs, and contacts are examples of what you can recover. These items can be used to show intent, determine the last person to come in contact with a murder victim, establish alibis, determine approximate locations, and more. As with other electronic devices, our first mandate is to make no changes to the device or its storage media.
Therefore, interacting with the phone should be avoided unless absolutely necessary. Cell phones are particularly vulnerable because they can be wiped by the cell provider or even by the owner themselves.
This functionality is intended to protect your data should you lose your phone or have it stolen. We must address this concern by isolating or shielding the phone as soon as possible. The concern with this approach is the same as a PC. The phone may be password-protected. Once powered down, the code may be necessary to access the phone.
If possible, it may be best to isolate the phone in a Faraday bag or arson can and leave it powered on. It can then be transported to the lab to be examined in a shielded room, and so on. Empty paint cans and Faraday bags are two of the more typical choices. Both of these items are effective at safeguarding the phone from cell signals. See Figure 4. If not, it can receive calls, text messages, or even commands to delete all the data.
A Faraday bag is one way to prevent a network signal from reaching the phone. The function of the bag is based on the work of Michael Faraday, an English scientist who specialized in electromagnetism (Microsoft Corporation).

Power

Power is a concern whenever you seize a cell phone. If the phone is on, it will continuously try to connect to a tower, draining the battery. If the phone is off, you should also seize the power cables.
Lab personnel may very well need to recharge the device in order to complete their exam. Failing to remove connectivity to these devices not only risks destruction of the evidence; it can raise serious concerns about its integrity as well.
A competent attorney could successfully argue that this evidence is untrustworthy and should be excluded. Once these questions are answered, the real work begins. Generally, we want to start with the most volatile evidence first.
In computer parlance, this is known as the order of volatility. This descending list works from the most volatile (RAM) to the least volatile (archived data).
The order of volatility is:
1. CPU, cache, and register content
2. Routing table, ARP cache, process table, kernel statistics
3. Memory
4. Data on hard disk
6. Remotely logged data
7.
Regardless of the situation, any time evidence is collected, documentation is a vitally important part of the process. There are several different types of documentation. The most common in terms of digital forensics are photographs and written notes; video is also an option for documenting evidence.
This documentation process begins the moment investigators arrive at the scene. Typically, we start by noting the date and time of our arrival along with all the people at the scene. The remainder of our notes consists of detailed descriptions of the evidence we collect, its location, the names of who discov- ered and collected it, and how it was collected.
A piece of digital evidence is described by type, make, model, serial number, or other similar descriptors. Virtually everything we see, find, and do should be documented. After the scene and evidence are secure, our attention can turn to the documentation as well as identifying and collecting potential sources of evidence.

Photography

Next, the entire scene should be photographed. Photos should be taken of the scene before anything is disturbed, including the evidence. Remember, at some point, you may have to walk a judge or jury through this scene weeks, months, or even years later. Start with a broad perspective, perhaps the outside of the house or office being investigated. After the overall scene has been photographed, we can then focus on each individual piece of evidence.
Long-, medium-, and close-range photos show the item in the context of its surroundings. The photos of each item should clearly show the condition of the item as it was found. We need to pay particular attention to and capture things like identifying information such as serial numbers, damage, and connections. Connection examples could include networks and peripherals such as printers and scanners. So, when in doubt shoot more, not less. This is done to give some perspective to the item.
It gives us an idea as to the size of that particular piece of evidence. Photographs are used to depict the scene and the evidence exactly as we find them to help supplement our notes. They are used to refresh our recollections when we go to court. Photos are a great aid to help us tell our story to the judge and jury.
They really are worth a thousand words. Labels are placed on both ends of a cable to help document what was connected to the PC at the time it was collected. There is no set standard for note-taking. Chronological order is a common method. You would want to note things such as the time you arrived, who was present at the scene, who took what action, who found and collected which piece of evidence, and so on.
Never lose sight of the fact that you will be relying on these photos, notes, and reports months or years later when you prepare for court. With that in mind, you will want more detail rather than less. Memories fade, cases run together, and details get blurry. They should also be legible for the same reason. If cost is a concern, keep in mind that digital photos are cheap. What you write in those notes matters to other people involved in the case, especially if they end up being turned over to the opposition.
Under certain legal requirements, your notes could become discoverable and made available to the opposing side. This can happen if you take your notes with you to the witness stand. You could very well end up eating those words and losing the case. Saving the interpretations and conclusions until after the analysis is a much better approach.
One of those is a well-documented chain of custody. A computer taken in as evidence makes many stops on its road to trial. Each of these stops must be noted, tracking each and every time the evidence item changes hands or locations.
Without this detailed accounting, the evidence will be deemed untrustworthy and inadmissible. Civil cases may differ a bit in that IT staff or others may hold the distinction of being the first link. The evidence is marked as it is collected. Typically, evidence items are marked with initials, dates, and possibly case numbers.
Apart from documenting the chain of custody, these marks help authenticate the item should it be introduced in court. The person who collected the item may be asked to identify it from the witness stand.
What needs to be proved is that the item presented is the same one that was collected. These marks make this identification a near sure thing. Items small enough are normally sealed in a bag with tamper-proof evidence tape. The seal is then initialed and dated. The bags are usually made of paper, plastic, or special anti-static material.
The anti-static material bags are used for electronics because this material helps protect the sensitive electronics found on hard drives from being damaged by static electricity. In other words, every bit (1 or 0) is duplicated on a separate, forensically clean piece of media, such as a hard drive.
Why go to all that trouble? Why not just copy and paste the files? The reasons are significant. First, copying and pasting only gets the active data. That is, data that are accessible to the user. These are the files and folders that users interact with, such as a Microsoft Word document. Second, it does NOT get the data in the unallocated space, including deleted and partially overwritten files.
All of this would result in an ineffective and incomplete forensic exam.
Photo courtesy of Marshall University.
Cloning a drive can be a pretty time-consuming process, and for that reason it usually makes more sense to do the cloning in the lab as opposed to at the scene.
Cloning in the lab eliminates the need to be on scene for what could be hours. It also provides a much more stable environment, affording us better control of the process. Before we take a computer off premises, we must have the legal authority to do so. In a criminal case, this request and the rationale behind it should be part of the search warrant application. In civil cases, this provision can be negotiated by the parties or ordered by a judge.
Most civil cases with digital evidence focus on business computers.

Purpose of Cloning

We know from earlier chapters that digital evidence is extremely volatile.
As such, you never want to conduct your examination on the original evidence unless there are exigent circumstances or there is no other option available. Exigent circumstances could include situations in which a child is missing. Sometimes there are no tools or techniques available to solve the problem at hand.
If possible, the original drive should be preserved in a safe place and only brought out to reimage if needed. Hard drives are susceptible to failure. Having two clones gives you one to examine and one to fall back on. Ideally, all examinations are done on a clone as opposed to the original.
In the eyes of the court, a properly authenticated forensic clone is as good as the original.

The Cloning Process

Cloning a hard drive should be a pretty straightforward process, at least in theory. Typically, you will clone one hard drive to another. The destination drive must be at least as large if not slightly larger than our source drive.
Although it is not always possible, knowing the size of the source in advance is pretty handy. Bringing the right size drive will save a lot of time and aggravation. The drive we want to clone (the source) is normally removed from the computer. A write block is a crucial piece of hardware or software that is used to safeguard the original evidence during the cloning process.
The hardware write block is placed between the cloning device (PC, laptop, or standalone hardware) and the source. The write block prevents any data from being written to the original evidence drive. Using this kind of device eliminates the possibility of inadvertently compromising the evidence.
Remember, the hardware write blocking device goes in between the source drive and the cloning platform. There is a little prep work involved in making a clone.
This paperwork becomes part of the case file. Once the connections are made, the process is started with the press of a couple of buttons or clicks of a mouse. When complete, a short report should be generated by the tool indicating whether or not the cloning was successful.

Forensically Clean Media

A forensically clean drive is one that can be proven to be devoid of any data at the time the clone is made. Being sterile is another way of looking at it. It is important to prove the drive is clean because commingled data is inadmissible data. Drives can be cleaned with the same devices used to make the clones.
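Both halves of this can be demonstrated in code: proving the destination reads back as nothing but the wipe pattern, and proving the finished clone is bit-for-bit identical to the source by hashing both, which is the same hash authentication the cloning hardware described earlier performs. The following Python is an added example, not from the book or any vendor tool; it assumes the source and destination are reachable as files (a block device opened read-only works the same way), uses a zero-fill wipe pattern by default, and builds its own constructed sample images, so the function names and sample data are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte media


def is_clean(path, pattern=b"\x00"):
    """True if every byte of `path` equals the repeating wipe `pattern`.

    A sterile destination must read back as exactly the pattern the wiping
    tool wrote; any stray byte is commingled data and the drive is rejected.
    """
    plen = len(pattern)
    phase = 0  # offset within the pattern at which the next chunk starts
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            expected = (pattern * (len(chunk) // plen + 2))[phase:phase + len(chunk)]
            if chunk != expected:
                return False
            phase = (phase + len(chunk)) % plen


def sha256_of(path, length=None):
    """SHA-256 over the first `length` bytes of `path` (the whole file if None)."""
    h = hashlib.sha256()
    remaining = os.path.getsize(path) if length is None else length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def verify_clone(source, clone):
    """Bit-for-bit check of a clone against its source.

    The destination may be larger than the source (the unused tail should
    still hold the wipe pattern), so only the first len(source) bytes of the
    clone are hashed. The returned dict is the kind of record that belongs in
    the cloning report filed with the case paperwork.
    """
    src_size, dst_size = os.path.getsize(source), os.path.getsize(clone)
    if dst_size < src_size:
        return {"ok": False, "reason": f"clone is {src_size - dst_size} bytes short"}
    src_hash = sha256_of(source)
    dst_hash = sha256_of(clone, length=src_size)
    return {
        "ok": src_hash == dst_hash,
        "reason": "hashes match" if src_hash == dst_hash else "hash mismatch",
        "source_sha256": src_hash,
        "clone_sha256": dst_hash,
        "bytes_verified": src_size,
    }


def demo(tmpdir=None):
    """Run the checks on constructed sample images (not real evidence)."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="clone_demo_")

    def write(name, data):
        path = os.path.join(tmpdir, name)
        with open(path, "wb") as f:
            f.write(data)
        return path

    evidence = bytes(range(256)) * 16  # 4 KiB standing in for a source drive
    flipped = bytearray(evidence)
    flipped[1000] ^= 0x01  # a single flipped bit, e.g. from a stray write

    wiped = write("wiped.img", b"\x00" * 8192)
    dirty = write("dirty.img", b"\x00" * 4000 + b"leftover" + b"\x00" * 4184)
    patterned = write("patterned.img", b"\xaa\x55" * 3000)
    source = write("source.img", evidence)
    good = write("good_clone.img", evidence + b"\x00" * 4096)  # larger, zero-padded
    bad = write("bad_clone.img", bytes(flipped))
    short = write("short_clone.img", evidence[:-256])

    return {
        "wiped_clean": is_clean(wiped),
        "dirty_clean": is_clean(dirty),
        "pattern_ok": is_clean(patterned, b"\xaa\x55"),
        "pattern_phase": is_clean(patterned, b"\x55\xaa"),  # same bytes, wrong phase
        "good": verify_clone(source, good)["ok"],
        "flipped": verify_clone(source, bad)["ok"],
        "short": verify_clone(source, short)["reason"],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:14} {result}")
```

Running the checks with a second hashing tool and recording both results in the cloning report is what gives the "same results with two different tools" confidence discussed above.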
The cleaning process overwrites the entire hard drive with a particular pattern of data such as (Casey).

Forensic Image Formats

The end result of the cloning process is a forensic image of the source hard drive.
Our finished clone can come in a few different formats. The file extension is the most visible indicator of the file format.
AD1
There are differences in the formats, but they are all forensically sound. Some, like DD, are open source, while others, like AD1, are proprietary.
Choosing one format over the other can simply be a matter of preference. Most forensic examination tools will read and write multiple image formats. In addition to being forensically sound, the other major consideration is that the tools to be used can read the image. The documentation with the tool should provide this information.
Compatibility is a concern. This is especially true when exchanging image files between examiners.

Risks and Challenges

The biggest risk during the cloning process is in writing to the source or evidence drive. Any writes to the evidence will compromise its integrity and jeopardize its admissibility.

This is a fundamentals course with a focus on the average network engineer, so you don't need to be an IT expert to follow most of the concepts.
Learn when a breach occurs, what actions you can take, and how to learn from the breach to prevent future attacks. This video course focuses on using open source technology available in the Kali Linux framework along with other tools to simplify forensic tasks. You will master the basics of digital forensics, learn best practices, and explore legal and forensic service concepts.
He has extensive experience in designing security solutions and architectures for the top Fortune corporations and the U. Joseph runs the thesecurityblogger website, a popular resource for security and product implementation. He is the author of and contributor to several publications including titles on building security operations centers (SOCs), CCNA Cyber Ops certification, web penetration testing, and hacking with Raspberry Pi. Follow Joseph at www. Aamir Lakhani is a leading senior security strategist.
He is responsible for providing IT security solutions to major enterprises and government organizations. Lakhani c. The book includes professional quality illustrations of technology that help anyone understand the complex concepts behind the science. Users will find invaluable information on theory and best practices along with guidance on how to design and deliver successful explanations. Each chapter was written by an accomplished expert in his or her field, many of them with extensive experience in law enforcement and industry.
The author team comprises experts in digital forensics, cybercrime law, information security and related areas. Digital forensics is a key competency in meeting the growing risks of cybercrime, as well as for criminal investigation generally. Considering the astonishing pace at which new information technology — and new ways of exploiting information technology — is brought on line, researchers and practitioners regularly face new technical challenges, forcing them to continuously upgrade their investigatory skills.
Designed to prepare the next generation to rise to those challenges, the material contained in Digital Forensics has been tested and refined by use in both graduate and undergraduate programs and subjected to formal evaluations for more than ten years.
Encompasses all aspects of the field, including methodological, scientific, technical and legal matters
Based on the latest research, it provides novel insights for students, including an informed look at the future of digital forensics
Includes test questions from actual exam sets, multiple choice questions suitable for online use and numerous visuals, illustrations and case example images
Features real-world examples and scenarios, including court cases and technical problems, as well as a rich library of academic references and references to online media
Digital Forensics is an excellent int.
These two fields are finding increasing importance in law enforcement and the investigation of cybercrime as the ubiquity of personal computing and the internet becomes ever-more apparent. Digital forensics involves investigating computer systems and digital artefacts in general, while multimedia forensics is a sub-topic of digital forensics focusing on evidence extracted from both normal computer systems and special multimedia devices, such as digital cameras.
This book focuses on the interface between digital forensics and multimedia forensics, bringing two closely related fields of forensic expertise together to identify and understand the current state-of-the-art in digital forensic investigation.
Both fields are expertly attended to by contributions from researchers and forensic practitioners specializing in diverse topics such as forensic authentication, forensic triage, forensic photogrammetry, biometric forensics, multimedia device identification, and image forgery detection among many others.
Key features:
Brings digital and multimedia forensics together with contributions from academia, law enforcement, and the digital forensics industry for extensive coverage of all the major aspects of digital forensics of multimedia data and devices
Provides comprehensive and authoritative coverage of digital forensics of multimedia data and devices
Offers not only explanations of techniques but also real-world and simulated case studies to illustrate how digital and multimedia forensics techniques work
Includes a companion website hosting continually updated supplementary materials ranging from extended and updated coverage of standards to best practice guides, test datasets and more case studies.
You'll also learn how to incorporate quality assurance into an investigation, how to prioritize evidence items to examine (triage), case processing, and what goes into making an expert witness. The Second Edition also features expanded resources and references, including online resources that keep you current, sample legal documents, and suggested further reading.
Learn what Digital Forensics entails
Build a toolkit and prepare an investigative plan
Understand the common artifacts to look for in an exam
Second Edition features all-new coverage of hard drives, triage, network intrusion response, and electronic discovery; as well as updated case studies, expert interviews, and expanded resources and references.
Details on digital forensics for computers, networks,. This book teaches you how to conduct examinations by discussing what digital forensics is, the methodologies used, key technical concepts and the tools needed to perform examinations. Use this hands-on, introductory guide to understand and implement digital forensics to investigate computer crime using Windows, the most widely used operating system. This book provides you with the necessary skills to identify an intruder's footprints and to gather the necessary digital evidence in a forensically sound manner to prosecute.
This hands-on textbook provides an accessible introduction to the fundamentals of digital forensics. A particular focus is presented on establishing sound forensic thinking and methodology, supported.
Get up and running with collecting evidence using forensics best practices to present your findings in judicial or administrative proceedings.
Key Features:
Learn the core techniques of computer forensics to acquire and secure digital evidence skillfully
Conduct a digital forensic examination and document the digital evidence collected
Analyze security systems.
Digital Forensics with Open Source Tools is the definitive book on investigating and analyzing computer systems and media using open source tools.
The book is a technical procedural guide, and explains the use of open source tools on Mac, Linux and Windows systems as a platform for performing computer forensics.
Electronic discovery refers to a process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a legal case.