7 Handling a Digital Crime Scene Dr. John P. Abraham Professor UTPA



Introduction

• GOAL: Sequestered environment where
  – All contents are mapped and recorded
  – Accompanying photographs and basic diagrams showing areas and items
  – Evidence is frozen in place

• This chapter deals with handling individual computers as a source of evidence.

• US Department of Justice and Secret Service

• Electronic Crime Scene Investigation.

• Best Practices for Seizing Electronic Evidence

• Guide for first responders

• Also the Good Practice Guide for Computer Based Evidence by the Association of Chief Police Officers (ACPO)


Major principles

• No action taken should change data held on a computer or storage media.

• Anyone accessing the computer must be competent in cyber forensics.

• An audit trail or other record of all processes applied to electronic evidence must be kept.

• The person in charge of the overall case has the responsibility of ensuring that the law and these principles are adhered to.
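
One way to keep the audit trail these principles call for, and to show that no step changed the data, as an added example that is not part of the original slides. The use of SHA-256, the hash-chained log layout, and the names `sha256_file`, `digest`, `record`, `verify` and `demo` are assumptions of this example.

```python
import hashlib, json, tempfile, time
from pathlib import Path

def sha256_file(path):
    """Hash a file opened read-only, so the evidence itself is never written to."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def digest(entry):
    """Hash every field of a log entry except its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(trail, examiner, action, evidence_path):
    """Append one audit entry, chained to the previous entry's hash."""
    entry = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "action": action,
        "evidence_sha256": sha256_file(evidence_path),
        "prev_hash": trail[-1]["entry_hash"] if trail else "0" * 64,
    }
    entry["entry_hash"] = digest(entry)
    trail.append(entry)

def verify(trail):
    """True only if no entry was edited or reordered and the evidence hash never changed."""
    prev = "0" * 64
    for e in trail:
        if (e["prev_hash"] != prev or e["entry_hash"] != digest(e)
                or e["evidence_sha256"] != trail[0]["evidence_sha256"]):
            return False
        prev = e["entry_hash"]
    return True

def demo():
    """Constructed sample: a temp file stands in for an acquired disk image."""
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "image.dd"
        img.write_bytes(b"constructed sample evidence bytes")
        trail = []
        record(trail, "examiner-1", "acquired image", img)
        record(trail, "examiner-1", "keyword search on read-only copy", img)
        intact = verify(trail)
        img.write_bytes(img.read_bytes() + b"!")  # simulate a step that alters the data
        record(trail, "examiner-2", "re-hashed after transfer", img)
        return intact, verify(trail)
```

The chain only detects edits made after the fact if the latest `entry_hash` is also written down somewhere the log's holder cannot change, such as the signed case notes.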


Authorization

• Obtain written authorizations and instructions from attorneys.

• Access to a private or personal computer would require a warrant unless an employee agrees to the search.

• A workplace computer may not require a warrant.

• Digital investigators are generally authorized to collect and examine only what is directly pertinent to the investigation.


Preparing to handle digital crime scenes

• Make diagrams and have a plan as to what to examine.

• Decide what type of tools should be brought to the scene.

• Bring a questionnaire to interview individuals at the crime scene.


Surveying the Digital Crime Scene

• Look at laptops, handheld devices

• Digital video recorders (DVRs)

• Gaming systems

• External hard drives

• Digital cameras

• DVDs

• Look for installation disks that give clues

• Network configurations; look for remote machines in the facility or outside.


Preserving the Digital Crime Scene

• Controlling Entry points – secure the crime scene.

• Save biometric access system data and video recordings.

• Save network level logs (copy).

• Preserve all backup media, do not overwrite backup media.

• Preserve emails on the servers.

• Keyboards may have fingerprints.


Preserving data on live systems

• The contents of volatile memory, such as a note being written, must be obtained.

• Determine which account certain processes are running under.

• Capture information related to active processes and network connections.


Shutting down

• Remove power from the back of the machine.

• Open the case and remove power to the hard drives.

• Check for missing parts.

• Check for explosives.