YSECORP

Importance of Digital Evidence
IFA Presentation 2007
IFA, 8th March 2007 - Presentation
Agenda

    Defining Digital Evidence
    Why Important
    Challenges
    General Methodologies
        Seizure Practices
        Safe Acquisition Methods
        Safeguarding Digital Evidence
Defining Digital Evidence

    Some definitions:

    Digital Evidence
        Information stored or transmitted in binary form that may be relied upon in court.
    Original Digital Evidence
        Physical items and the data objects associated with those items at the time of seizure.
    Duplicate Digital Evidence
        An accurate digital reproduction of all data objects contained on the original physical item.
    Copy
        An accurate reproduction of the information contained in the data objects, independent of the original physical item.
Defining Digital Evidence

    Some definitions (cont'd):

    Chain of Custody
        A means of accountability that shows who obtained the evidence, where and when it was obtained, who secured it, and who had control or possession of it.
    Rules of Evidence
        Evidence must be competent, relevant, and material to the issue.
Defining Digital Evidence

    5 Rules of Evidence:

    Admissible
        Must be usable in court or elsewhere
    Authentic
        The evidence relates to the incident in a relevant way
    Complete (no tunnel vision)
        Includes exculpatory evidence that points to alternative suspects
    Reliable
        No question about authenticity and veracity
    Believable
        Clear, easy to understand, and believable by a jury
Defining Digital Evidence

    The Evidence Life Cycle:

    - Collection and identification
    - Storage, preservation, and transportation
    - Presentation of evidence
    - Return to production, owner, or court
Defining Digital Evidence

    Categories of Evidence:

    Best evidence
        Primary evidence used in a trial
        Usually documentation falls into this category

    Secondary evidence
        Not viewed as reliable and strong in proving innocence or guilt
        Oral evidence

    Direct evidence
        Proves a fact all by itself
        Eyewitness testimony
Defining Digital Evidence

    Categories of Evidence (cont'd):

    Conclusive evidence
        Irrefutable and cannot be contradicted

    Circumstantial evidence
        Proves an intermediate fact that can be used to deduce or assume the existence of another fact

    Corroborative evidence
        Supporting evidence used to help prove an idea or point

    Opinion evidence
        Pertains to witness testimony
        A witness must testify only to the facts of the issue and not to their opinion of the facts (expert witnesses are the exception and may give an opinion within their field of expertise)
Defining Digital Evidence

    Digital evidence is everywhere!
Defining Digital Evidence

    Digital evidence is electronically stored data and is therefore difficult to handle:

    Volatile Data
        RAM, caches, network state (connections, ARP and routing tables), running processes, etc. Lost at power-off.

    Stored Data
        Fragile: may be destroyed on startup (e.g. a digital booby trap), or MAC (modified/accessed/created) times may change simply by booting the system or browsing it
        Hidden: slack space, hidden files
        Temporary: only exists while the application is running

    Manipulated Data
        Encryption
        Steganography
Defining Digital Evidence

    I present you: The Data Iceberg

    Above the waterline (what a file-system listing shows):
        - Filenames
        - Folders
        - Log file entries
        - ...

    Below the waterline (what a file-system listing does not show):
        - File and memory slack
        - NTFS alternate data streams
        - Alien binaries
        - Swap files
        - Hidden files
        - ...
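The items below the waterline are exactly what a bit-stream image still contains after the file system has stopped pointing at them. The Python below is an added example written for this page (it is not part of the presentation and not a YSECORP tool): a minimal signature-based carver that walks a raw image for JPEG and PNG header/trailer pairs, so a deleted picture sitting in unallocated or slack space can be recovered without any file-system metadata. The signature table, the size bound and the constructed sample image are assumptions made here for illustration; real carvers know many more types and parse file structure instead of trusting a trailer.

```python
"""Minimal signature-based file carver (added example, not the presentation's code).

Recovers files from a raw bit-stream image by scanning for known header/trailer
byte sequences, so data that no directory entry points to any more (deleted
files, unallocated space, slack) can still be found.
"""
import hashlib

# Hypothetical minimal signature table: file type -> (header, trailer).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Return one record per carved object: type, offset, length and SHA-256.

    max_size bounds how far past a header the trailer is searched for, so a
    header whose file was truncated or overwritten cannot swallow the rest of
    the image. Headers nested inside a carved object (e.g. an embedded JPEG
    thumbnail) are skipped because scanning resumes after the trailer.
    """
    found = []
    for ftype, (header, trailer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(trailer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1      # no trailer within the bound: move on
                continue
            end += len(trailer)
            blob = image[start:end]
            found.append({
                "type": ftype,
                "offset": start,
                "length": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
            })
            pos = end
    return sorted(found, key=lambda rec: rec["offset"])


def extract(image: bytes, record: dict) -> bytes:
    """Return the carved bytes for a record produced by carve()."""
    return image[record["offset"]:record["offset"] + record["length"]]


def carve_file(path: str) -> list:
    """Carve a raw image file from disk; the image is only ever opened read-only."""
    with open(path, "rb") as f:
        return carve(f.read())


def build_sample_image() -> bytes:
    """Constructed raw image for demonstration: filler bytes standing in for
    unallocated space, a fake JPEG, more filler, a fake PNG, and a tail.
    The payloads are not real pictures; only the signatures matter here."""
    def filler(n, seed):
        # Deterministic pseudo-noise. Consecutive bytes differ by exactly 7,
        # so none of the two-byte runs in the signatures above can occur in it.
        return bytes((seed * 31 + i * 7) & 0xFF for i in range(n))
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 10 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-payload" * 10 + b"IEND\xaeB`\x82"
    return filler(4096, 1) + jpg + filler(4096, 2) + png + filler(2048, 3)


if __name__ == "__main__":
    img = build_sample_image()
    for rec in carve(img):
        print(f"{rec['type']} at offset {rec['offset']} "
              f"({rec['length']} bytes) sha256={rec['sha256']}")
```

Run it as a script to see both objects reported with their offsets; pass a real bit-stream image to carve_file() to try it on unallocated space. Hashing each carved object at the moment of recovery is what later lets you show in a report that the exhibit is the same bytes you carved.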

Why Important

    Q: Why is it important to adequately acquire and investigate digital media?

    A: Think about the impact of the following scenarios:

    - Deleted files recovered from a computer indicate that John Doe is trading in a network of pedophiles.

    - Recovered numbers and cell location data on a mobile phone prove that Jane Doe was not near the crime scene on the night of the murder.

    - Using "steganography", seemingly harmless holiday pictures hide messages that synchronize terrorist attacks worldwide.
Why Important

    Some examples:
Why Important

    Characteristics of Digital Evidence:

    - Evidence needs to be handled carefully to be usable in court.
    - Digital evidence is difficult to handle.
    - Special requirements apply to keep the chain of custody intact.
    - Evidence may need to be presented in court in person, yet evidence is not a personal assumption.
    - The judge decides whether the evidence is good enough.
Challenges

    - Digital/electronic evidence is extremely volatile!

    - Once the evidence is contaminated it cannot be decontaminated: the manipulation is irreversible.

    - The court's acceptance is based on the best evidence principle. With computer data, printouts or other output readable by sight, and bit-stream copies adhere to this principle, provided the copy can be shown to be accurate (e.g. its hash value matches that of the original).
Challenges

    - Technical challenges that hinder law enforcement's ability to find and prosecute criminals operating online or in organized groups.

    - Legal challenges resulting from the laws and legal frameworks required to investigate cybercrime lagging behind technological, structural and social changes (e.g. international and online investigations).

    - Resource challenges in ensuring that critical investigative and prosecutorial needs are met at all levels of government.
Challenges

    - Post-mortem analysis is becoming an established computer forensic practice:
        - Requires knowledge of operating systems and data storage principles
        - Increased maturity of digital evidence handling frameworks and methods
        - A growing set of forensic software is available
        - Growing marketplace of experienced professionals

    - Live analysis is a problem:
        - Requires knowledge of operating systems, TCP/IP, data storage principles, cybercriminal profiling, hacking, etc.
        - Highly stressful situations that encourage mistakes!
        - Low maturity in handling procedures and professionalism when dealing with live investigations.
General Methodologies

    Basically:

    - Acquiring the evidence without altering or damaging the original

    - Authenticating the image (the hash of the image matches the hash of the original)

    - Analyzing the data without modifying it (work on the image or a copy of it, never on the original)
General Methodologies

    - Methodology in Belgium

    - Methodology international
        - Based on the International Organization on Computer Evidence, www.ioce.org
        - G8 principles

    - Need for a framework and standards
        - Digital Forensics Research Workshop (DFRWS) Digital Investigation Framework
        - Two-Tier Digital Investigations Process Framework
General Methodologies

    Methodology in Belgium:

    - Based on a specific law: "Wet van 28 november 2000 inzake informaticacriminaliteit (WIC)" (the Computer Crime Act of 28 November 2000), B.S. 03-02-2001, 2909

    - Actual implementation described in a circular: "Circulaire 01/2002 van de Procureurs-generaal bij de Hoven van Beroep inzake de wet Informaticacriminaliteit" (Circular 01/2002 of the Prosecutors-General at the Courts of Appeal on the Computer Crime Act)
        - Principles are explained
        - Technical annex (definitions)
        - It is important that law enforcement and the private sector use the same vocabulary

    - Based on international principles.
General Methodologies

    General principles of the IOCE, the International Organization on Computer Evidence (www.ioce.org):
        - Definitions
        - General principles on handling evidence material
        - Special considerations
General Methodologies

    Definitions (IOCE):
        - Digital evidence
        - Original digital evidence
        - Media
        - File system
        - Active file
        - Free or unallocated space
        - Slack space
        - Unused space
        - Forensic copy
        - File level copy
General Methodologies

    General principles (IOCE):
        - When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
        - Upon seizing digital evidence, actions taken should not change that evidence.
        - When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
        - All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
        - An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
        - Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
General Methodologies

    Additional frameworks and standards:
        - Digital Forensics Research Workshop (www.dfrws.org)
        - European Network of Forensic Science Institutes (www.enfsi.org)
        - Forensic Science Service (www.forensic.gov.uk)
        - International Organization on Computer Evidence (www.ioce.org)
        - Scientific Working Group on Digital Evidence (www.swgde.org)
Seizure Practices

    Mere best practices, no strict regulatory requirements:

    1. Control the scene
    2. Allow only authorized persons access
    3. Record the names of all individuals present during the search
    4. Confirm when the system was last accessed
    5. Establish a chronology of access to the media
    6. Photograph or videotape the entire scene, including the contents of the monitor
Seizure Practices

    Some more:

    - If the computer is "off", do not turn it on.
    - If the computer is "on", decide before pulling the plug whether volatile data (RAM, network state) is needed; it is lost at power-off (see Safe Acquisition Methods).
    - Disconnect all remote access to the system (e.g. LAN cables, modem cables, etc.). Be sure to tag and label all cables and connectors.
    - Physically examine the system (i.e. remove covers and photograph).
    - Document model and serial numbers of the system and its components.
    - Inventory all peripherals (PDAs, printers, scanners, WAPs, fax machines, etc.).
    - Search the scene for secondary storage media (USB drives, devices, diskettes, wireless hard disks, tapes, etc.).
Seizure Practices

    First responder interviews are often overlooked:

    - Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at the time of entry.
    - Passwords: any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g. BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access token, scheduler, or contact list.)
    - Determine the "purpose" of the system:
        - Any unique security schemes or destructive devices.
        - Any offsite data storage.
        - Any documentation explaining the hardware or software installed on the system.
Seizure Practices

    Document everything and preserve the chain of custody:

    - Protects the integrity of the evidence:
        - An effective process of documenting the complete journey of the evidence during the life of the case

    - Allows you to answer the following questions:
        - Who collected it?
        - How and where?
        - Who took possession of it?
        - How was it stored and protected in storage?
        - Who took it out of storage and why?
Seizure Practices

    Some hardware tools for your forensic field kit:

    Documentation tools
        - Cable tags
        - Indelible felt-tip markers
        - Stick-on labels

    Disassembly and removal tools
        - Flat-blade and Phillips-type screwdrivers
        - Secure-bit drivers
        - Anti-static straps
        - Small tweezers
        - Hex-nut drivers
        - Vendor-specific screwdrivers
        - Standard and needle-nose pliers
        - Star-type nut drivers
        - Wire cutters
Seizure Practices

    Some more tools for your forensic field kit:

    - Rubber gloves
    - Hand truck
    - Large rubber bands
    - List of contact telephone numbers for assistance
    - Magnifying glass
    - Printer paper
    - Seizure disk
    - Small flashlight
    - Unused floppy diskettes (3.5 and 5.25 inch)
    - Blank and zeroed hard drives (wiped and verified before use, so leftover data from an earlier case cannot contaminate the new image)
Safe Acquisition Methods

    - Acquisition is often referred to as forensic duplication or bit-to-bit imaging:
        - A 1:1 bitwise copy of the complete physical storage medium, including unallocated and slack space (unlike a file-level copy)

    - Most important rule (1): no changes to the original storage medium may be tolerated!
        - Some changes happen automatically and without notification!
        - Attaching the evidence disk to a live operating system over SCSI or (S)ATA cables may already be flawed: the OS (e.g. Microsoft Windows) can mount the volume and write to the disk on its own.

    - Specialized read-only equipment is recommended: hardware write blockers (e.g. Tableau), etc.
Safe Acquisition Methods

    - Second most important rule (2): all acquired data must be authentic and relate in full integrity to its original evidence.

    - Hashing algorithms are mandatory, yet often overlooked:
        - Mostly treated as "for your information", yet may prove to be of utmost importance
        - Choose a secure hashing algorithm, e.g. RIPEMD-160 or SHA-256. Not MD5: collisions can be constructed for it, so a matching MD5 on its own does not prove that an image equals the original.
        - Hash the original before imaging, the image after imaging, and the original again afterwards; all three values must match.
Safe Acquisition Methods

    - Most important rule of thumb (3): the chain of custody must be protected at all times.
        - Be your own picky secretary! Note down every activity and build a credible case.
        - Basically, all manipulations must be recorded in time and must allow someone else to redo all actions and find the same results!

    - Common rookie mistake: not giving yourself a structured approach to recording, labeling and storing digital evidence.
        - Prepare yourself!
        - When dealing with multiple data sources, it is very easy to lose track of digital evidence.
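The three rules on these acquisition slides (original untouched, image authenticated by hash, every action recorded) and the "Document everything" questions from the seizure slides can be folded into one small tool. The Python below is an added example written for this page, not the presentation's or any vendor's code, and not a substitute for a hardware write blocker: it images a source (a raw file stands in for a block device; the sample medium is constructed in the test) while hashing the bytes as they stream past, the way dcfldd does; it re-hashes source and image afterwards and requires all three values to agree; and it appends each step to a chain-of-custody log in which every entry carries the hash of the previous entry, so an edited or removed entry in the middle of the log is detectable. It uses SHA-256 (the slide's RIPEMD-160 works the same way through hashlib). The file names, the log format and the zero-fill behaviour on unreadable blocks (modelled on dd conv=noerror,sync) are assumptions made here.

```python
"""Acquire, verify and log (added example; not the presentation's code and not a
production tool). Assumes a hardware write blocker sits between the original
medium and this host; opening the source read-only is only a software guard.
"""
import datetime
import hashlib
import json
import os
import platform

CHUNK = 1 << 20  # 1 MiB per read


def hash_file(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so an image larger than RAM can be verified."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src: str, dst: str) -> dict:
    """Bit-for-bit copy of src into dst, hashing the stream as it is read.

    Unreadable regions are zero-filled and their offsets recorded (the
    behaviour of dd conv=noerror,sync), so a damaged sector does not abort
    the whole acquisition and the report states exactly where the gap is.
    """
    h = hashlib.sha256()
    size, bad = 0, []
    with open(src, "rb", buffering=0) as s, open(dst, "wb") as d:
        while True:
            try:
                block = s.read(CHUNK)
            except OSError:
                bad.append(size)
                block = b"\x00" * CHUNK
                s.seek(size + CHUNK)   # skip past the unreadable region
            if not block:
                break
            h.update(block)
            d.write(block)
            size += len(block)
    return {"source": src, "image": dst, "bytes": size,
            "sha256": h.hexdigest(), "unreadable_offsets": bad}


def verify(src: str, dst: str, acquired: dict) -> dict:
    """Re-hash both sides after the copy. Three values must agree: the stream
    hash taken during acquisition, the image on disk, and the original read a
    second time (which also shows the original was not altered by the process).
    Any unreadable offsets make the image a best-effort copy, not a 1:1 one."""
    src_after, img = hash_file(src), hash_file(dst)
    return {"source_after": src_after, "image": img,
            "ok": src_after == img == acquired["sha256"]
                  and not acquired["unreadable_offsets"]}


def _utc_now() -> str:
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def log_custody(log_path: str, action: str, item: str, sha256: str,
                actor: str, note: str = "") -> dict:
    """Append one JSON line to the chain-of-custody log. Each entry stores the
    SHA-256 of the previous raw line, so the log forms a hash chain."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {"time": _utc_now(), "actor": actor, "host": platform.node(),
             "action": action, "item": item, "sha256": sha256,
             "note": note, "prev": prev}
    with open(log_path, "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry


def verify_log(log_path: str) -> bool:
    """Walk the chain; False if any entry was edited, reordered, or removed from
    the middle. Removal of the last entry is not visible to the chain itself;
    keep the latest line's hash somewhere the log cannot be rewritten."""
    prev = "0" * 64
    with open(log_path, "rb") as f:
        for line in f.read().splitlines():
            if json.loads(line).get("prev") != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True
```

A typical session is acquire(), then verify(), with a log_custody() line for each step and for every later hand-over; verify_log() is what you run before the log goes into the case file. The stream hash is taken from the same bytes that are written, so it costs no extra pass over the source; the two re-hashes in verify() are the extra pass that proves the medium was not changed while it was being read.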




Safe Acquisition Methods

    - Hint from the trenches (4): never manipulate live systems.
        - Uncontrolled handling may destroy critical evidence! Common mistakes include:
            - Killing unknown system processes
            - Using the OS GUI
            - Browsing the Internet or the file system, thereby altering timestamps
            - Running commands without logging
            - Patching systems
            - Installing forensic tools, etc.

        - Using non-intrusive methods, e.g. FireWire (DMA) memory dumps, one can acquire volatile data from a live system without running anything on it. This relies on the machine granting DMA access to the attached device; systems that restrict DMA (IOMMU-based protection) block it.
Safeguarding Digital Evidence

    - Properly inventory the system and peripherals
    - Disconnect all peripherals
    - Label all cables
    - In the case of multiple systems, label and code each system
    - Place all magnetic media in antistatic packaging
    - Properly label all containers used to hold the evidence
    - Leave a blank or forensic boot disk in the diskette or CD-ROM drive
    - In the case of media only: be properly grounded prior to removing the media (the use of a grounding wrist strap is recommended)
    - In the case of media only: record make, model, serial number, and stenciled drive geometry
Safeguarding Digital Evidence

    Transportation and storage:

    - Keep electronic evidence away from magnetic sources (e.g. radio transmitters, speaker magnets and heated seats)
    - Protect evidence from extremes in temperature
    - Use proper anti-shock packing material in all containers (antistatic bubble wrap; avoid Styrofoam, which builds up static)
    - Maintain the chain of custody on all evidence transported
    - Warning: prolonged storage can result in alteration of system evidence (dates, times, etc.) as batteries have a limited life span
    - Store all seized evidence in a properly secured storage area (e.g. locked cabinet, restricted-access lab, etc.)
Safeguarding Digital Evidence

    Transportation and storage tools:

    - Antistatic bags
    - Antistatic bubble wrap
    - Cable ties
    - Evidence bags
    - Evidence tape
    - Packing materials (avoid materials that can produce static electricity, such as Styrofoam or Styrofoam peanuts)
    - Packing tape
    - Sturdy boxes of various sizes
Questions

    ?

 
File carving tools
File carving toolsFile carving tools
File carving tools
 
Windows Forensics
Windows ForensicsWindows Forensics
Windows Forensics
 

Semelhante a Importance of Digital Evidence in Court

Electronic Data Discovery
Electronic Data DiscoveryElectronic Data Discovery
Electronic Data DiscoveryCarahsoft
 
Chapter 3 cmp forensic
Chapter 3 cmp forensicChapter 3 cmp forensic
Chapter 3 cmp forensicshahhardik27
 
Vest Forensics presentation owasp benelux days 2012 leuven
Vest Forensics presentation owasp benelux days 2012 leuvenVest Forensics presentation owasp benelux days 2012 leuven
Vest Forensics presentation owasp benelux days 2012 leuvenMarc Hullegie
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007CTIN
 
Information Explosion - Erik Moller
Information Explosion - Erik MollerInformation Explosion - Erik Moller
Information Explosion - Erik MollerHPDutchWorld
 
Data Minimization.Defensible Culling Techniques 04.03.09
Data Minimization.Defensible Culling Techniques 04.03.09Data Minimization.Defensible Culling Techniques 04.03.09
Data Minimization.Defensible Culling Techniques 04.03.09knugent
 
IEF for Law Enforcement
IEF for Law EnforcementIEF for Law Enforcement
IEF for Law EnforcementJADsoftware
 
Libby Bishop, Ethics Of Data Sharing Ncess Jun 09 Final
Libby Bishop, Ethics Of Data Sharing Ncess Jun 09 FinalLibby Bishop, Ethics Of Data Sharing Ncess Jun 09 Final
Libby Bishop, Ethics Of Data Sharing Ncess Jun 09 Finala.carusi
 
Data lifecycle mgmt_destruction
Data lifecycle mgmt_destructionData lifecycle mgmt_destruction
Data lifecycle mgmt_destructionH Contrex
 
Review on Cyber Forensics - Copy.pptx
Review on Cyber Forensics - Copy.pptxReview on Cyber Forensics - Copy.pptx
Review on Cyber Forensics - Copy.pptxVaishnaviBorse8
 
Anvita Ncvpripg 2008 Presentation
Anvita Ncvpripg 2008 PresentationAnvita Ncvpripg 2008 Presentation
Anvita Ncvpripg 2008 Presentationguest6e7a1b1
 
Tutorial security patterns
Tutorial security patternsTutorial security patterns
Tutorial security patternsThomas Jindu
 
Defining a Legal Strategy ... The Value in Early Case Assessment
Defining a Legal Strategy ... The Value in Early Case AssessmentDefining a Legal Strategy ... The Value in Early Case Assessment
Defining a Legal Strategy ... The Value in Early Case AssessmentAubrey Owens
 
Federal Rules of Civil Procedure and Evidence Lifecycle Management
Federal Rules of Civil Procedure and Evidence Lifecycle ManagementFederal Rules of Civil Procedure and Evidence Lifecycle Management
Federal Rules of Civil Procedure and Evidence Lifecycle ManagementAubrey Owens
 
February 2010 8 Things You Cant Afford To Ignore About eDiscovery
February 2010 8 Things You Cant Afford To Ignore About eDiscoveryFebruary 2010 8 Things You Cant Afford To Ignore About eDiscovery
February 2010 8 Things You Cant Afford To Ignore About eDiscoveryJohn Wang
 

Semelhante a Importance of Digital Evidence in Court (20)

Electronic Data Discovery
Electronic Data DiscoveryElectronic Data Discovery
Electronic Data Discovery
 
Chapter 3 cmp forensic
Chapter 3 cmp forensicChapter 3 cmp forensic
Chapter 3 cmp forensic
 
Digital Forencis.pdf
Digital Forencis.pdfDigital Forencis.pdf
Digital Forencis.pdf
 
Ikuoedisclosure Uk
Ikuoedisclosure UkIkuoedisclosure Uk
Ikuoedisclosure Uk
 
SLAS Informatics SIG: SLAS2013 Presentation
SLAS Informatics SIG: SLAS2013 PresentationSLAS Informatics SIG: SLAS2013 Presentation
SLAS Informatics SIG: SLAS2013 Presentation
 
Vest Forensics presentation owasp benelux days 2012 leuven
Vest Forensics presentation owasp benelux days 2012 leuvenVest Forensics presentation owasp benelux days 2012 leuven
Vest Forensics presentation owasp benelux days 2012 leuven
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007
 
Information Explosion - Erik Moller
Information Explosion - Erik MollerInformation Explosion - Erik Moller
Information Explosion - Erik Moller
 
Data Minimization.Defensible Culling Techniques 04.03.09
Data Minimization.Defensible Culling Techniques 04.03.09Data Minimization.Defensible Culling Techniques 04.03.09
Data Minimization.Defensible Culling Techniques 04.03.09
 
IEF for Law Enforcement
IEF for Law EnforcementIEF for Law Enforcement
IEF for Law Enforcement
 
Libby Bishop, Ethics Of Data Sharing Ncess Jun 09 Final
Libby Bishop, Ethics Of Data Sharing Ncess Jun 09 FinalLibby Bishop, Ethics Of Data Sharing Ncess Jun 09 Final
Libby Bishop, Ethics Of Data Sharing Ncess Jun 09 Final
 
Sujit
SujitSujit
Sujit
 
Data lifecycle mgmt_destruction
Data lifecycle mgmt_destructionData lifecycle mgmt_destruction
Data lifecycle mgmt_destruction
 
Review on Cyber Forensics - Copy.pptx
Review on Cyber Forensics - Copy.pptxReview on Cyber Forensics - Copy.pptx
Review on Cyber Forensics - Copy.pptx
 
Anvita Ncvpripg 2008 Presentation
Anvita Ncvpripg 2008 PresentationAnvita Ncvpripg 2008 Presentation
Anvita Ncvpripg 2008 Presentation
 
Tutorial security patterns
Tutorial security patternsTutorial security patterns
Tutorial security patterns
 
Defining a Legal Strategy ... The Value in Early Case Assessment
Defining a Legal Strategy ... The Value in Early Case AssessmentDefining a Legal Strategy ... The Value in Early Case Assessment
Defining a Legal Strategy ... The Value in Early Case Assessment
 
N.sai kiran IIITA AP
N.sai kiran IIITA APN.sai kiran IIITA AP
N.sai kiran IIITA AP
 
Federal Rules of Civil Procedure and Evidence Lifecycle Management
Federal Rules of Civil Procedure and Evidence Lifecycle ManagementFederal Rules of Civil Procedure and Evidence Lifecycle Management
Federal Rules of Civil Procedure and Evidence Lifecycle Management
 
February 2010 8 Things You Cant Afford To Ignore About eDiscovery
February 2010 8 Things You Cant Afford To Ignore About eDiscoveryFebruary 2010 8 Things You Cant Afford To Ignore About eDiscovery
February 2010 8 Things You Cant Afford To Ignore About eDiscovery
 

Mais de Filip Maertens

Cannes Lions Innovation, unlocking mobile personalisation using sensors
Cannes Lions Innovation, unlocking mobile personalisation using sensorsCannes Lions Innovation, unlocking mobile personalisation using sensors
Cannes Lions Innovation, unlocking mobile personalisation using sensorsFilip Maertens
 
Ad:Tech Conference 2014
Ad:Tech Conference 2014Ad:Tech Conference 2014
Ad:Tech Conference 2014Filip Maertens
 
Startups.be Tech Days 2014
Startups.be Tech Days 2014Startups.be Tech Days 2014
Startups.be Tech Days 2014Filip Maertens
 
The Age of Empathic Devices - Beyond Fusion 2014 Conference
The Age of Empathic Devices - Beyond Fusion 2014 ConferenceThe Age of Empathic Devices - Beyond Fusion 2014 Conference
The Age of Empathic Devices - Beyond Fusion 2014 ConferenceFilip Maertens
 
On Mining Bitcoins - Fundamentals & Outlooks
On Mining Bitcoins - Fundamentals & OutlooksOn Mining Bitcoins - Fundamentals & Outlooks
On Mining Bitcoins - Fundamentals & OutlooksFilip Maertens
 
FLYSE Kick Off Event Presentation
FLYSE Kick Off Event PresentationFLYSE Kick Off Event Presentation
FLYSE Kick Off Event PresentationFilip Maertens
 
TEDx UHasselt Salon 2013
TEDx UHasselt Salon 2013TEDx UHasselt Salon 2013
TEDx UHasselt Salon 2013Filip Maertens
 
Mobile Premier Awards 2013
Mobile Premier Awards 2013Mobile Premier Awards 2013
Mobile Premier Awards 2013Filip Maertens
 
LeWeb 2012 Paris Startup Competition Pitch
LeWeb 2012 Paris Startup Competition PitchLeWeb 2012 Paris Startup Competition Pitch
LeWeb 2012 Paris Startup Competition PitchFilip Maertens
 
VOKA BRYO Keynote Speech
VOKA BRYO Keynote SpeechVOKA BRYO Keynote Speech
VOKA BRYO Keynote SpeechFilip Maertens
 
ECSA Cyber Security Conference 2011
ECSA Cyber Security Conference 2011ECSA Cyber Security Conference 2011
ECSA Cyber Security Conference 2011Filip Maertens
 
Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011Filip Maertens
 
Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Filip Maertens
 
Media Marketing Days 2011
Media Marketing Days 2011Media Marketing Days 2011
Media Marketing Days 2011Filip Maertens
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security PresentationFilip Maertens
 

Mais de Filip Maertens (19)

Cannes Lions Innovation, unlocking mobile personalisation using sensors
Cannes Lions Innovation, unlocking mobile personalisation using sensorsCannes Lions Innovation, unlocking mobile personalisation using sensors
Cannes Lions Innovation, unlocking mobile personalisation using sensors
 
Ad:Tech Conference 2014
Ad:Tech Conference 2014Ad:Tech Conference 2014
Ad:Tech Conference 2014
 
Startups.be Tech Days 2014
Startups.be Tech Days 2014Startups.be Tech Days 2014
Startups.be Tech Days 2014
 
The Age of Empathic Devices - Beyond Fusion 2014 Conference
The Age of Empathic Devices - Beyond Fusion 2014 ConferenceThe Age of Empathic Devices - Beyond Fusion 2014 Conference
The Age of Empathic Devices - Beyond Fusion 2014 Conference
 
On Mining Bitcoins - Fundamentals & Outlooks
On Mining Bitcoins - Fundamentals & OutlooksOn Mining Bitcoins - Fundamentals & Outlooks
On Mining Bitcoins - Fundamentals & Outlooks
 
On Leadership
On LeadershipOn Leadership
On Leadership
 
FLYSE Kick Off Event Presentation
FLYSE Kick Off Event PresentationFLYSE Kick Off Event Presentation
FLYSE Kick Off Event Presentation
 
TEDx UHasselt Salon 2013
TEDx UHasselt Salon 2013TEDx UHasselt Salon 2013
TEDx UHasselt Salon 2013
 
Mobile Premier Awards 2013
Mobile Premier Awards 2013Mobile Premier Awards 2013
Mobile Premier Awards 2013
 
LeWeb 2012 Paris Startup Competition Pitch
LeWeb 2012 Paris Startup Competition PitchLeWeb 2012 Paris Startup Competition Pitch
LeWeb 2012 Paris Startup Competition Pitch
 
VOKA BRYO Keynote Speech
VOKA BRYO Keynote SpeechVOKA BRYO Keynote Speech
VOKA BRYO Keynote Speech
 
Fail Con 2012
Fail Con 2012Fail Con 2012
Fail Con 2012
 
Apps Marathon 2012
Apps Marathon 2012Apps Marathon 2012
Apps Marathon 2012
 
TEDx Leuven 2012
TEDx Leuven 2012TEDx Leuven 2012
TEDx Leuven 2012
 
ECSA Cyber Security Conference 2011
ECSA Cyber Security Conference 2011ECSA Cyber Security Conference 2011
ECSA Cyber Security Conference 2011
 
Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011
 
Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7
 
Media Marketing Days 2011
Media Marketing Days 2011Media Marketing Days 2011
Media Marketing Days 2011
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
 

Importance of Digital Evidence in Court

  • 1. : YSECORP. Importance of Digital Evidence, IFA Presentation 2007. IFA, 8th March 2007 - Presentation
  • 2. Agenda:
    - Defining Digital Evidence
    - Why Important
    - Challenges
    - General Methodologies
      - Seizure Practices
      - Safe Acquisition Methods
      - Safeguarding Digital Evidence
  • 3. Importance of Digital Evidence, IFA Presentation 2007 (title slide repeated)
  • 4. Defining Digital Evidence. Some definitions:
    - Digital Evidence: information stored or transmitted in binary form that may be relied upon in court.
    - Original Digital Evidence: physical items and those data objects which are associated with those items at the time of seizure.
    - Duplicate Digital Evidence: an accurate digital reproduction of all data objects contained on the original physical item.
    - Copy: an accurate reproduction of the information contained in the data objects, independent of the original physical item.
  • 5. Defining Digital Evidence. Some definitions (cont'd):
    - Chain of Custody: a means of accountability that shows who obtained the evidence, where and when the evidence was obtained, who secured the evidence, and who had control or possession of the evidence.
    - Rules of Evidence: evidence must be competent, relevant, and material to the issue.
  • 6. Defining Digital Evidence. 5 rules of evidence:
    - Admissible: must be able to be used in court or elsewhere.
    - Authentic: the evidence relates to the incident in a relevant way.
    - Complete (no tunnel vision): includes exculpatory evidence for alternative suspects.
    - Reliable: no question about authenticity and veracity.
    - Believable: clear, easy to understand, and believable by a jury.
  • 7. Defining Digital Evidence. The evidence life cycle:
    - Collection and identification
    - Storage, preservation, and transportation
    - Presentation of evidence
    - Return to production, owner, or court
  • 8. Defining Digital Evidence. Categories of evidence:
    - Best evidence: primary evidence used in trial; usually documentation falls into this category.
    - Secondary evidence: not viewed as reliable and strong in proving innocence or guilt; e.g. oral evidence.
    - Direct evidence: proves a fact all by itself; e.g. eyewitness testimony.
  • 9. Defining Digital Evidence. Categories of evidence (cont'd):
    - Conclusive evidence: irrefutable and cannot be contradicted.
    - Circumstantial evidence: proves an intermediate fact that can be used to deduce or assume the existence of another fact.
    - Corroborative evidence: supporting evidence used to help prove an idea or point.
    - Opinion evidence: pertains to witness testimony; the witness must testify only to the facts of the issue and not to their opinion of the facts.
  • 10. Defining Digital Evidence. Digital evidence is everywhere!
  • 11. Defining Digital Evidence. Digital evidence is electronically stored data, and is therefore difficult to handle:
    - Volatile data: RAM, cache, network status, etc.
    - Stored data:
      - Fragile: may be destroyed upon startup (e.g. a digital booby-trap), or MAC times may change.
      - Hidden: slack space, hidden files.
      - Temporary: only present while the application is running.
    - Manipulated data: encryption, steganography.
  • 12. Defining Digital Evidence. I present you, The Data Iceberg:
    - Above the waterline: filenames, folders, log file entries, ...
    - Below the waterline: file and memory slack, NTFS streams, alien binaries, swap files, hidden files, ...
  • 13. Agenda (as slide 2)
  • 14. Why Important. Q: Why is it important to adequately acquire and investigate digital media? A: Think about the impact of the following scenarios:
    - The recovery of deleted files on a computer indicates Jon Doe is trading in a network of pedophiles.
    - Recovered numbers and cell location data on a cell phone prove Jane Doe was not around the crime scene during the night of the murder.
    - Using "steganography" methods, seemingly harmless holiday pictures hide messages that synchronize terrorist attacks worldwide.
  • 15. Why Important. Some examples: (slide consists of images only)
  • 16. Why Important. Characteristics of digital evidence:
    - Evidence needs to be handled carefully to be usable in court.
    - Digital evidence is difficult to handle.
    - Special requirements apply to keep the chain of custody intact.
    - Evidence may need to be presented in court in person, yet evidence is not a personal assumption.
    - The judge decides whether the evidence is good enough.
  • 17. Agenda (as slide 2)
  • 18. Challenges:
    - Digital/electronic evidence is extremely volatile!
    - Once the evidence is contaminated it cannot be de-contaminated! The process of manipulation is irreversible.
    - The court's acceptance is based on the best evidence principle.
    - With computer data, printouts or other output readable by sight, and bit-stream copies, adhere to this principle.
  • 19. Challenges:
    - Technical challenges that hinder law enforcement's ability to find and prosecute criminals operating online or in organized groups.
    - Legal challenges resulting from laws and legal frameworks required to investigate cybercrime that lag behind technological, structural and social changes (e.g. international and online investigations).
    - Resource challenges to ensure we have satisfied critical investigative and prosecutorial needs at all levels of government.
  • 20. Challenges:
    - Post mortem analysis is growing into an established computer forensic practice:
      - Requires knowledge of operating systems and data storage principles.
      - Increased maturity of digital evidence handling frameworks and methods.
      - An increasing set of forensic software is available.
      - A growing marketplace of experienced professionals.
    - Live analysis is a problem:
      - Requires knowledge of operating systems, TCP/IP, data storage principles, cybercriminal profiling and hacking, etc.
      - Highly stressful situations that encourage mistakes!
      - Low maturity in handling procedures and professionalism when dealing with live investigations.
  • 21. Agenda (as slide 2)
  • 22. General Methodologies. Basically:
    - Acquiring the evidence without altering or damaging the original
    - Authenticating the image
    - Analyzing the data without modifying it
  • 23. General Methodologies:
    - Methodology in Belgium
    - Methodology international:
      - Based on the International Organization on Computer Evidence, www.ioce.org
      - G8 principles
    - Need for a framework and standards:
      - Digital Forensics Research Workshop (DFRWS) Digital Investigation Framework
      - Two-Tier Digital Investigations Process Framework
  • 24. General Methodologies (Belgium):
    - Based on a specific law ("Wet Computercriminaliteit: Wet van 28 november 2000 inzake informaticacriminaliteit (WIC), B.S. 03-02-2001, 2909").
    - Actual implementation described in a circular ("Circulaire 01/2002 van de Procureurs-generaal bij de Hoven van Beroep inzake de wet Informaticacriminaliteit"):
      - Principles are explained
      - Technical annex (definitions)
      - It is important to use the same vocabulary (law enforcement and private sector)
    - Based on international principles.
  • 25. General Methodologies. General principles of the IOCE, International Organization on Computer Evidence (www.ioce.org):
    - Definitions
    - General principles: evidence material handling
    - Special considerations
  • 26. General Methodologies. Definitions (IOCE): digital evidence; original digital evidence; media; file system; active file; free or unallocated space; slack space; unused space; forensic copy; file level copy.
  • 27. General Methodologies. General principles (IOCE):
    - When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
    - Upon seizing digital evidence, actions taken should not change that evidence.
    - When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
    - All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
    - An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
    - Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
  • 28. General Methodologies. Additional frameworks and standards:
    - Digital Forensics Research Workshop (www.dfrws.org)
    - European Network of Forensic Science Institutes (www.enfsi.org)
    - Forensic Science Service (www.forensic.gov.uk)
    - International Organization on Computer Evidence (www.ioce.org)
    - Scientific Working Group on Digital Evidence (www.swgde.org)
  • 29. Agenda (as slide 2)
  • 30. Seizure Practices. Mere best practices, no strict regulatory requirements:
    1. Control the scene
    2. Allow only authorized persons access
    3. Record the names of all individuals present during the search
    4. Confirm when the system was last accessed
    5. Establish a chronology of access to the media
    6. Photograph or videotape the entire scene, including the contents of the monitor
  • 31. Seizure Practices. Some more:
    - If the computer is "off", do not turn it on.
    - Disconnect all remote access to the system (e.g. LAN cables, modem cables, etc.). Be sure to tag and label all cables and connectors.
    - Physically examine the system (i.e. remove covers and photograph).
    - Document model and serial numbers of the system and its components.
    - Inventory all peripherals (PDAs, printers, scanners, WAPs, fax machines, etc.).
    - Search the scene for secondary storage media (USB drives, devices, diskettes, wireless hard disks, tapes, etc.).
  • 32. Seizure Practices. First responder interviews are often overlooked:
    - Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at time of entry.
    - Passwords: any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g. BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access token, scheduler, or contact list.)
    - Determine the "purpose" of the system:
      - Any unique security schemes or destructive devices.
      - Any offsite data storage.
      - Any documentation explaining the hardware or software installed on the system.
  • 33. Seizure Practices. Document everything and preserve the chain of custody:
    - Protects the integrity of the evidence: an effective process of documenting the complete journey of the evidence during the life of the case.
    - Allows you to answer the following questions:
      - Who collected it?
      - How and where?
      - Who took possession of it?
      - How was it stored and protected in storage?
      - Who took it out of storage, and why?
  • 34. Seizure Practices. Some hardware tools for your forensic field kit:
    - Documentation tools: cable tags; indelible felt tip markers; stick-on labels.
    - Disassembly and removal tools: flat-blade and Phillips-type screwdrivers; secure-bit drivers; anti-static straps; small tweezers; hex-nut drivers; vendor-specific screwdrivers; standard and needle-nose pliers; star-type nut drivers; wire cutters.
  • 35. Seizure Practices. Some forensic tools for your forensic field kit: rubber gloves; hand truck; large rubber bands; list of contact telephone numbers for assistance; magnifying glass; printer paper; seizure disk; small flashlight; unused floppy diskettes (3.5 and 5.25 inch); blank and zeroed hard drives.
  • 36. Agenda (as slide 2)
  • 37. Safe Acquisition Methods:
    - Acquisition is often referred to as forensic duplication or bit-to-bit image: a 1:1 bitwise copy of a complete physical storage medium.
    - Most important rule (1): no changes to the original storage medium may be tolerated!
      - Some changes happen automatically and without notification!
      - Attaching the evidence medium to a live operating system over SCSI or (S)ATA cables may already be faulty, due to bit changes the OS makes to the hard disk (Microsoft Windows).
      - Specialized read-only equipment is recommended: WriteBlocker, Tableau, etc.
  • 38. Safe Acquisition Methods:
    - Second most important rule (2): all acquired data must be authentic and relate in full integrity to its original evidence.
    - Hashing algorithms are mandatory, yet often overlooked:
      - Mostly used as "for your information", yet may prove to be of utmost importance.
      - Choose a secure hashing algorithm, e.g. RIPEMD-160. Not MD5...
  • 39. Safe Acquisition Methods:
    - Most important rule of thumb (3): the chain of custody must be protected at all times.
    - Be your own picky secretary! Note down every activity and build a credible case.
    - Basically, all manipulations must be recorded in time, and must allow one to redo all actions and find the same results!
    - Common rookie mistake: not allowing yourself a structured approach to recording, labeling and storing digital evidence. Prepare yourself!
    - When dealing with multiple data sources, it is very easy to lose track of digital evidence.
  • 40. Safe Acquisition Methods:
    - Hint from the trenches (4): never manipulate live systems.
    - Uncontrolled handling may destroy critical evidence! Common mistakes include:
      - Killing unknown system processes
      - Using the OS GUI
      - Browsing the Internet or file system, thereby altering timestamps
      - Running commands without logging
      - Patching systems
      - Installing forensic tools, etc.
    - Using non-intrusive methods, e.g. FireWire memory dumps, one can acquire volatile data from a live system.
  • 41. Safeguarding Digital Evidence:
    - Properly inventory the system and peripherals
    - Disconnect all peripherals
    - Label all cables
    - In the case of multiple systems, label and code each system
    - Place all magnetic media in antistatic packaging
    - Properly label all containers used to hold the evidence
    - Leave a "blank" or forensic boot disk in the diskette or CD-ROM drive
    - In the case of media only, be properly grounded prior to removing the media (i.e. the use of a grounding wrist device is recommended)
    - In the case of media only, record make, model, serial number, and stenciled drive geometry
  • 42. Safeguarding Digital Evidence. Transportation and storage:
    - Keep electronic evidence away from magnetic sources (e.g. radio transmitters, speaker magnets and heated seats)
    - Protect evidence from extremes in temperature
    - Use proper anti-shock packing material in all containers (i.e. bubble wrap, Styrofoam, etc.)
    - Maintain the chain of custody on all evidence transported
    - Warning: prolonged storage can result in alteration of system evidence (dates, times, etc.) as batteries have a limited life span
    - Store all seized evidence in a properly secured storage area (e.g. locked cabinet, restricted access lab, etc.)
  • 43. Safeguarding Digital Evidence. Transportation and storage tools: antistatic bags; antistatic bubble wrap; cable ties; evidence bags; evidence tape; packing materials (avoid materials that can produce static electricity such as Styrofoam or Styrofoam peanuts); packing tape; sturdy boxes of various sizes.
  • 44. Questions?
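Slides 33 and 37 to 39 state the three acquisition rules (do not alter the original medium, authenticate the image with a strong hash, protect the chain of custody) but show no procedure. The script below is an added example and is not part of the presentation or of any YSECORP tooling: it streams a source medium to an image file while hashing the bytes read, hashes the written image independently, appends a JSON-lines custody entry answering the slide 33 questions (who, what, when, result), and re-verifies the image later, including the failure case where the image has been altered after acquisition. SHA-256 is used as the primary digest; RIPEMD-160, the algorithm the slide suggests, is also attempted but is missing from some OpenSSL 3 builds, so it is skipped when unavailable. The file names, case id and examiner name are placeholders, and the "medium" is a constructed sample file, not real evidence. A real acquisition would read the block device behind a hardware write blocker; a script cannot enforce read-only access by itself.

```python
"""Forensic duplication with hash verification and a chain-of-custody log.

Added example (not from the presentation). Placeholders: case id, examiner
name, file names. The source medium is a constructed sample file.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB: stream the medium instead of loading it into RAM


def _hashers(names):
    """Instantiate only the algorithms this Python/OpenSSL build supports.

    RIPEMD-160 (the slide's suggestion) is absent from some OpenSSL 3 builds;
    hashlib.new() then raises ValueError and the algorithm is skipped.
    """
    out = {}
    for name in names:
        try:
            out[name] = hashlib.new(name)
        except ValueError:
            pass
    return out


def _copy_and_hash(src, dst, names):
    """Stream src to dst (dst may be None) and hash the bytes read in one pass."""
    hashers = _hashers(names)
    for chunk in iter(lambda: src.read(CHUNK), b""):
        if dst is not None:
            dst.write(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image, algorithms=("sha256", "ripemd160")):
    """Bit-for-bit copy of `source` into `image`; returns (source, image) hashes.

    Rule 1: the source is opened read-only and never written to (a hardware
    write blocker enforces this below the OS; this script cannot).
    Rule 2: the image is re-read and hashed separately, so its digest comes
    from the bytes actually on disk rather than from the bytes in memory.
    """
    with open(source, "rb") as src, open(image, "wb") as dst:
        source_hashes = _copy_and_hash(src, dst, algorithms)
    with open(image, "rb") as img:
        image_hashes = _copy_and_hash(img, None, algorithms)
    return source_hashes, image_hashes


def record_custody(log_path, case_id, examiner, action, source, image,
                   src_hashes, img_hashes):
    """Append one JSON-lines custody entry (Rule 3: who, what, when, result)."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "case_id": case_id,
        "examiner": examiner,
        "action": action,
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "source_hashes": src_hashes,
        "image_hashes": img_hashes,
        "verified": src_hashes == img_hashes and bool(src_hashes),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_image(image, expected_hashes):
    """Re-hash an image later (e.g. before analysis or a hand-over) and compare."""
    with open(image, "rb") as img:
        current = _copy_and_hash(img, None, tuple(expected_hashes))
    return current == expected_hashes


def demo():
    """Run the procedure on a constructed 'medium' (placeholder names, not real evidence)."""
    workdir = tempfile.mkdtemp(prefix="acq-demo-")
    source = os.path.join(workdir, "suspect-usb.bin")  # constructed sample medium
    image = os.path.join(workdir, "suspect-usb.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(source, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE MEDIUM\x00" * 4096)  # about 100 KiB of sample data

    src_h, img_h = acquire_image(source, image)
    entry = record_custody(log, "CASE-0000 (placeholder)", "examiner (placeholder)",
                           "acquire", source, image, src_h, img_h)
    intact_before = verify_image(image, entry["image_hashes"])

    # Failure case the slides warn about: the image is altered after acquisition
    # (one byte flipped here). Re-verification against the custody record must fail.
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"\xff")
    intact_after = verify_image(image, entry["image_hashes"])
    return entry, intact_before, intact_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("image intact before tampering:", before, "| after tampering:", after)
```

The custody log is append-only JSON lines so that each hand-over, storage event or verification becomes its own timestamped entry rather than an edit of an earlier one; the `verified` flag in the acquisition entry records the source-versus-image comparison at acquisition time, and `verify_image` repeats the comparison whenever the image changes hands.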