1575 McKee Road (Suite 204), Dover, DE 19904
Delaware State Police
Introduction to Digital Evidence
Guide for Educators and School Administration
My Background
U of D graduate in 1992, BS majors in Psychology and Sociology
Hired by DSP in 1992
Five years as road Trooper
Three years in Criminal Investigations
Assigned to HTCU in October 1999
CFCE recognition from IACIS
Delaware Valley HTCIA member
Approximately 600 hours of computer forensic training
First real exposure to computers in 1982.
Watched a lot of Star Trek
What we do in a nutshell . . .
Provide forensic analysis of digital media and recovery of digital evidence
Conduct investigations where the computer is the target of the crime
Provide technical and investigative assistance to local, state and federal law enforcement agencies
Computer Forensics
fo·ren·sic (fə-rĕn′sĭk, -zĭk) adj. 1. Relating to, used in, or appropriate for courts of law . . . .
Computer Forensics: “The employment of a set of predefined procedures to thoroughly examine a computer system using software and tools to extract and preserve evidence of criminal activity” ¹
Footnote
1.) Dorothy A. Lunn – Computer Forensics “An Overview”. http://www.sans.org/infosecFAQ/incident/forensics.htm
What is Digital Evidence?
Information stored or transmitted in binary form that may be relied upon in court. ¹
Footnote
1.) NIJ Guide Electronic Crime Scene Investigation
What can be found as digital evidence?
Correspondence (e-mails, Instant Messages)
Graphics files (Child porn, trophy pictures)
Text files (confessions in a diary, instructions for making bombs/drugs)
Sound files (voicemail or recorded messages)
Spreadsheets or other bookkeeping records (financial information)
Databases (lists of contraband)
Where can digital evidence be found?
Where else?
Newer devices
Locations of digital evidence
Evidence of the local crime may be found in several places.
Evidence may be found on both the victim’s and the suspect’s computers.
Evidence may be found on the ISP’s servers or in an online storage area (which may be in another state or country).
Operating Systems
Microsoft Windows (XP, ME, 2000, 98, 95, NT, DOS)
Apple (MacOS X, Classic)
Linux (RedHat, Mandrake, SuSE)
Unix
Lindows
Novell
BeOS
Recovery from Fire
Recovery from Damaged CD/DVDs
Before After
Welcome to HTCU!
HTCU Lab
Forensic Workstation
“Freddie” Portable Forensic Workstation
How we examine digital evidence
A copy of the media is made.
The copy of the media is verified as being a true, exact copy.
The original media is stored as evidence and the copy is examined using forensic software.
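The three steps above (copy, verify, examine the copy), as an added Python illustration that is not part of the original presentation. The byte string standing in for the seized drive, the hash pair, and the keyword are all constructed for this example; a real acquisition images the whole device through a write blocker, and this code only imitates the verification logic.

```python
import hashlib

# Constructed stand-in for the seized media: a small byte string plays the
# part of a hard drive image. Real acquisitions hash the entire device.
SAMPLE_MEDIA = b"MBR\x00" * 4 + b"diary.txt: nothing happened today" + b"\x00" * 200


def acquisition_hashes(data: bytes) -> dict:
    """Hash the media with two independent algorithms; examiners commonly
    record more than one so a match is not a coincidence of one function."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def make_forensic_copy(original: bytes) -> bytes:
    """Bit-for-bit copy. An imaging tool behind a write blocker does this in
    practice; a plain byte copy stands in for that step here."""
    return bytes(original)


def verify_copy(original_hashes: dict, copy: bytes) -> bool:
    """True only if every recorded hash of the original matches the copy."""
    return acquisition_hashes(copy) == original_hashes


def examine(copy: bytes, keyword: bytes) -> int:
    """Examination runs against the copy only. Returns the first hit offset or -1."""
    return copy.find(keyword)


def run_workflow(original: bytes, keyword: bytes) -> dict:
    recorded = acquisition_hashes(original)      # 1. hash the original before anything else
    working = make_forensic_copy(original)       # 2. image it
    if not verify_copy(recorded, working):       # 3. confirm the image is exact
        raise RuntimeError("image does not match original; re-acquire")
    hit = examine(working, keyword)              # 4. examine the copy, never the original
    # The untouched original must still hash to the values recorded at seizure.
    return {"hashes": recorded,
            "keyword_offset": hit,
            "original_intact": acquisition_hashes(original) == recorded}


if __name__ == "__main__":
    print(run_workflow(SAMPLE_MEDIA, b"diary"))
```

Flipping even one bit in the copy changes both digests, which is why a failed verification means re-imaging rather than proceeding with a copy that is "close enough".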
Searching For Data
Files in directories to which the suspect had access
Internet files (cache, history, .htm files)
File types most likely to relate to each individual case
Erased Files
The system does not really “erase” files; it only marks the space as “available”.
Data is still there until it is overwritten.
Even then, some data may remain in slack for years.
Often fully or partially recoverable.
Formatting only erases the pointers or File Allocation Tables (FAT).
Allocated Vs. Unallocated Space
Allocated space – files and data recognized and used by the operating system
Unallocated space – area of the media not in use by the operating system
Allocated Space
Operating system directories, programs and files
Names, dates and times are associated with files/directories
Easily viewable by most users
Can contain deleted, hidden and encrypted files
Unallocated Space
Raw data
No longer has file names, dates or times
Partial or complete files can be recovered from this area
Keyword Searches
Evidence can sometimes be located by using a keyword search.
Media (e.g. a hard drive) can be analogized to a file cabinet containing thousands of documents with text.
Keyword searches allow the examiner to spot files or data containing the specified words (i.e. the victim’s name, phone numbers, credit card numbers, social security numbers, etc.)
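The erased-files, slack, allocated/unallocated and keyword-search slides above, shown together in one added Python example that is not part of the original presentation. The ToyDisk class, its 16-byte clusters, the file names and the text inside them are all constructed for this illustration; it imitates how a FAT-style volume tracks space (a directory, an allocation table and a data area) and is not real file-system code.

```python
import re

CLUSTER_SIZE = 16      # bytes per cluster (tiny so the whole image fits on a slide)
NUM_CLUSTERS = 16


class ToyDisk:
    """Constructed stand-in for a FAT-style volume: raw cluster data, an
    allocation table (True = cluster in use) and a directory mapping each
    file name to its size and cluster chain."""

    def __init__(self):
        self.raw = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
        self.fat = [False] * NUM_CLUSTERS
        self.directory = {}                      # name -> (size, [clusters])

    def write_file(self, name, data):
        needed = -(-len(data) // CLUSTER_SIZE)    # ceiling division
        free = [i for i, used in enumerate(self.fat) if not used][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for k, c in enumerate(free):
            chunk = data[k * CLUSTER_SIZE:(k + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only the new bytes are written; the rest of the cluster keeps
            # whatever was there before (file slack).
            self.raw[start:start + len(chunk)] = chunk
            self.fat[c] = True
        self.directory[name] = (len(data), free)

    def delete_file(self, name):
        # "Erasing" only flips the allocation flags; the bytes stay on disk.
        _, clusters = self.directory.pop(name)
        for c in clusters:
            self.fat[c] = False

    def quick_format(self):
        # A format rewrites the directory and allocation table, not the data area.
        self.directory.clear()
        self.fat = [False] * NUM_CLUSTERS

    def read_file(self, name):
        size, clusters = self.directory[name]
        data = b"".join(self.raw[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] for c in clusters)
        return bytes(data[:size])                # the OS hides the slack from users

    def unallocated_space(self):
        return b"".join(bytes(self.raw[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                        for c, used in enumerate(self.fat) if not used)

    def locate(self, offset):
        """Map a raw offset to (file name, in_slack); (None, False) if unallocated."""
        cluster = offset // CLUSTER_SIZE
        for name, (size, clusters) in self.directory.items():
            if cluster in clusters:
                logical = clusters.index(cluster) * CLUSTER_SIZE + offset % CLUSTER_SIZE
                return name, logical >= size
        return None, False


def keyword_search(disk, keyword):
    """Search the whole raw image, allocated and unallocated, as an examiner would."""
    hits = []
    for m in re.finditer(re.escape(keyword), bytes(disk.raw)):
        cluster = m.start() // CLUSTER_SIZE
        name, in_slack = disk.locate(m.start())
        hits.append({"offset": m.start(), "cluster": cluster,
                     "allocated": disk.fat[cluster], "file": name, "in_slack": in_slack})
    return hits


def build_scenario():
    """Constructed scenario: a note is written, deleted, then partly overwritten."""
    disk = ToyDisk()
    disk.write_file("notes.txt", b"Meet Jane Doe at 555-0101 tonight")   # clusters 0-2
    disk.write_file("homework.txt", b"Chapter 3 questions")              # clusters 3-4
    disk.delete_file("notes.txt")                                        # clusters 0-2 freed
    disk.write_file("todo.txt", b"buy milk")                             # reuses cluster 0
    return disk


if __name__ == "__main__":
    disk = build_scenario()
    print("Files the OS shows:", sorted(disk.directory))
    for kw in (b"Jane Doe", b"Doe", b"555-0101"):
        print(kw, "->", keyword_search(disk, kw))
```

After the scenario runs, a user sees only homework.txt and todo.txt. The examiner's keyword search still finds "555-0101" in unallocated cluster 1, and "Doe" in the slack of todo.txt (cluster 0 was reused, but only its first 8 bytes were overwritten); "Jane Doe" is gone because the reuse cut through it. A quick format afterwards frees every cluster without touching the data, so the same search keeps working.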
Computer Related Crimes most Commonly Seen in Schools
Bomb Threats
Harassment
Terroristic Threatening
Unauthorized Access
Interruption of Computer Services
** Digital evidence may exist for any type of crime, common or uncommon**
Ten Steps to Prevent and Preserve Evidence
1.) Have a signed computing policy in place and on file.
Mandatory
Once a year
Students
Teachers
Administration
Staff
2.) Banner System
Reminds users of computing policies
Explains that there is no expectation of privacy
Not good without signed computing policy
3.) Forced Sign-ons
Sign-on unique to user
Mandatory to use system
Logging
User permissions set
Forced password changes
4.) Assigned Computers and Sign-in sheets.
Used if forced sign-ons and logging are not an option.
Puts a user at the computer at a given date and time.
5.) Use Filters, Firewalls and Virus Protection
Filters weed out questionable or inappropriate content.
Firewalls protect from outside intrusions.
Use virus protection on every computer.
Use intrusion detection software.
6.) Preview Internet Web Sites
Preview Internet Web Sites that are to be used in lesson plans or assignments.
Look for potential problems.
Adjust lesson plans or assignments if necessary.
7.) Know where your computers are located.
Keep a current database of IP addresses and know where each one belongs.
Have a current/updated map of the computers’ physical locations.
Use a naming convention that is consistent.
8.) Know your system administrator.
Have your system administrator’s contact information on hand.
The system administrator will most likely be one of law enforcement’s first points of contact.
9.) Stop and Secure Computer
Once the problem is identified, STOP use of the computer.
Secure the computer in a locked room.
If an E-mail is the source of the problem, preserve the entire message including the headers.
10.) Contact Law Enforcement.
If present, contact the SRO (School Resource Officer) first.
If there is no SRO, contact your local law enforcement agency.
DSP-HTCU will assist the local agency if requested.
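Step 9 asks that the whole message, headers included, be preserved. The added Python example below (not part of the original presentation) shows why: the Received headers record the path the message took through each mail server, and they disappear when only the displayed text is copied out of a mail client. The message, host names, addresses and dates are all constructed for this illustration and use documentation address ranges.

```python
from email import message_from_bytes
from email.policy import default

# Constructed sample message; hosts and addresses are documentation ranges, not real systems.
RAW_MESSAGE = b"\n".join([
    b"Received: from relay.example.net (relay.example.net [203.0.113.5])"
    b" by mx.school.example with ESMTP id CONSTRUCTED-1; Mon, 3 Mar 2003 08:12:45 -0500",
    b"Received: from [192.0.2.44] (unknown [192.0.2.44])"
    b" by relay.example.net with SMTP; Mon, 3 Mar 2003 08:12:30 -0500",
    b"Message-ID: <constructed-0001@relay.example.net>",
    b"Date: Mon, 3 Mar 2003 08:12:29 -0500",
    b"From: someone@example.net",
    b"To: principal@school.example",
    b"Subject: (constructed sample subject)",
    b"",
    b"(constructed sample body of the problem message)",
    b"",
])


def full_message_record(raw: bytes) -> dict:
    """What to preserve: every header, in order, plus the body. Each mail
    server prepends its own Received line, so the top one is the most recent
    hop and the bottom one is closest to the sender."""
    msg = message_from_bytes(raw, policy=default)
    return {
        "received_chain": [str(v) for v in msg.get_all("Received", [])],
        "message_id": str(msg["Message-ID"]),
        "from": str(msg["From"]),
        "date": str(msg["Date"]),
        "subject": str(msg["Subject"]),
        "body": msg.get_content(),
        "raw_bytes": len(raw),
    }


def body_only_record(raw: bytes) -> dict:
    """What survives when only the visible text is pasted into a report."""
    msg = message_from_bytes(raw, policy=default)
    return {"received_chain": [], "message_id": None, "body": msg.get_content()}


def originating_hop(record: dict):
    """The earliest hop (last Received header), the first lead investigators
    follow; None when the headers were not preserved."""
    chain = record["received_chain"]
    return chain[-1] if chain else None


if __name__ == "__main__":
    full = full_message_record(RAW_MESSAGE)
    print("Earliest hop with headers preserved:", originating_hop(full))
    print("Earliest hop from body only:", originating_hop(body_only_record(RAW_MESSAGE)))
```

Saving the message in its raw form (most clients offer "view source" or "save as .eml") keeps the chain intact; forwarding it as a new message replaces those headers with the forwarder's own.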
Questions?
Det. Steve Whalen, CFCE
Delaware State Police -
Office: 302-739-2761
Fax: 302-739-1398