Chapter 04 Homework Explain Your Students That Seizing Digital Data

Guide to Computer Forensics and Investigations, Fifth Edition 4-1

Chapter 4

Processing Crime and Incident Scenes

At a Glance

Instructor’s Manual Table of Contents

• Overview

• Objectives

• Teaching Tips

• Quick Quizzes

Guide to Computer Forensics and Investigations, Fifth Edition 4-2

Lecture Notes

Overview

In this chapter, you learn how to process a computer investigation scene. Evidence rules

are critical, whether you’re on a corporate or a criminal case. As you’ll see, a civil case

can quickly become a criminal case, and a criminal case can revert to a civil case. This

Chapter Objectives

• Explain the rules for digital evidence

• Describe how to collect evidence at private-sector incident scenes

• Explain guidelines for processing law enforcement crime scenes

• List the steps in preparing for an evidence search

• Describe how to secure a computer incident or crime scene

Teaching Tips

Identifying Digital Evidence

1. Define digital evidence as any information stored or transmitted in digital form. U.S.

3. Describe some of the general tasks investigators perform when working with digital

evidence, including:

a. Identify digital information or artifacts that can be used as evidence

b. Collect, preserve, and document evidence

Understanding Rules of Evidence

1. Explain that consistent practices help verify your work and enhance your credibility. In

addition, you should comply with your state’s rules of evidence or with the Federal

Rules of Evidence.

2. Mention that evidence admitted in a criminal case can be used in a civil suit, and vice

versa.

4. Mention that digital evidence is unlike other physical evidence because it can be

5. Explain that most federal courts have interpreted computer records as hearsay evidence.

6. Explain that the business-record exception allows “records of regularly conducted

7. Describe the following two categories of computer records:

8. Explain that computer and digitally stored records must also be shown to be authentic

9. Mention that collecting evidence according to the approved steps of evidence control

helps ensure that the computer evidence is authentic.

11. Explain that one test to prove that computer-stored records are authentic is to

4-2 to illustrate your explanation.

13. Explain that the best evidence rule states that to prove the content of a written

14. Explain that the Federal Rules of Evidence allow a duplicate instead of originals when it

is produced by the same impression as the original. As long as bit-stream copies of data

Collecting Evidence in Private-Sector Incident Scenes

1. Mention that private-sector organizations include businesses, large corporations, and

2. Explain that NGOs must comply with state public disclosure and federal Freedom of

Information Act (FOIA) laws and make certain documents available as public records.

The FOIA allows citizens to request copies of public documents created by federal

agencies.

3. Mention that a special category of private-sector businesses includes ISPs and other

4. Explain that investigating and controlling computer incident scenes in the corporate

5. Explain that typically, businesses have inventory databases of computer hardware and

6. In addition, a corporate policy statement about misuse of computing assets allows

Guide to Computer Forensics and Investigations, Fifth Edition 4-5

8. Explain that corporate investigators should know under what circumstances they can

9. Mention that if a corporate investigator finds that an employee is committing or has

committed a crime, the employer can file a criminal complaint with the police.

10. Emphasize that employers are usually interested in enforcing company policy, not

11. Describe the actions to follow if you discover evidence of a crime during a company

policy investigation, including:

a. Determine whether the incident meets the elements of criminal law

Processing Law Enforcement Crime Scenes

1. Mention that to process a crime scene properly, you must be familiar with criminal rules

2. Explain that law enforcement officers may search for and seize criminal evidence only

3. Mention that with probable cause, a police officer can obtain a search warrant from a

4. Explain that the Fourth Amendment states that only warrants “particularly describing

the place to be searched, and the persons or things to be seized” can be issued.

Guide to Computer Forensics and Investigations, Fifth Edition 4-6

Understanding Concepts and Terms Used in Warrants

1. Define innocent information as unrelated information often included with the evidence

2. Explain that judges often issue a limiting phrase to the warrant, which allows the police

to separate innocent information from evidence.

3. Explain that the plain view doctrine states that objects falling in plain view of an officer

4. Discuss the three criteria that must be met for the plain view doctrine to apply:

a. Officer is where he or she has a legal right to be

Preparing for a Search

2. Explain that to perform these tasks, you might need to get answers from the victim and

Identifying the Nature of the Case

1. Mention that when you’re assigned a computing investigation case, you start by

2. Explain that the nature of the case dictates how you proceed, and what types of assets or

Identifying the Type of OS or Digital Device

1. Explain that for law enforcement, this step might be difficult because the crime scene

2. Mention that you should also determine which OSs and hardware might be involved. If

Guide to Computer Forensics and Investigations, Fifth Edition 4-7

Discuss the benefits of having configuration management databases to identify

Determining Whether You Can Seize a Computers and Digital Devices

1. Explain that the type of case and the location of the evidence determine whether you

can remove computers from the scene.

2. Mention that law enforcement investigators need a warrant to remove computers from a

4. Explain that if you aren’t allowed to take the computers to your lab, then you need to

Getting a Detailed Description of the Location

1. Encourage your students to get as much information as they can about the location and

conditions of the crime scene location.

2. If you have to deal with hazardous materials, keep a tight interaction with your

HAZMAT team and follow the HAZMAT guidelines, including:

a. Protect your safety and health while protecting the evidence

Determining Who Is in Charge

1. Describe the differences between corporate computing investigations and investigations

Using Additional Technical Expertise

1. Illustrate situations where you may need the help of specialists. For example, when

2. Mention that specialists need to be trained in proper investigation techniques to avoid

Determining the Tools You Need

1. Mention that you should prepare your tools using incident and crime scene information.

Preparing the Investigation Team

1. Explain to your students the importance of reviewing all the details about the incident

Quick Quiz 1

1. The ISO standard 27037 gives guidance on what procedures countries should have in

place for _____.

2. A statement made while testifying at a hearing by someone other than an actual witness

is known as _____.

3. ____ records are data the system maintains, such as system log files and proxy server

logs.

4. NGOs must comply with state public disclosure and federal _____ laws and make

certain documents available as public records.

5. ____ is facts or circumstances that lead a reasonable person to believe a crime has been

Securing a Computer Incident or Crime Scene

1. Mention the two major benefits of securing the crime scene:

2. Describe how you can create a security perimeter by using yellow barrier tape and

3. Define professional curiosity and explain its negative effects.

Seizing Digital Evidence at the Scene

2. Explain to your students that seizing digital data must follow standards defined by the

U.S. Department of Justice (DoJ) for both criminal and corporate investigations.

3. Emphasize that when seizing digital data, always consult with your attorney for

Preparing to Acquire Digital Evidence

2. List some of the questions that you need to ask your supervisor or senior forensics

examiner in your organization before acquiring digital evidence, including:

a. Do you need to take the entire computer and all peripherals and media in the

immediate area?

b. How are you going to protect the computer and media while transporting them

to your lab?

c. Is the computer powered on when you arrive?

d. Is the suspect you’re investigating in the immediate area of the computer?

e. Is it possible the suspect damaged or destroyed the computer, peripherals, or

media?

f. Will you have to separate the suspect from the computer?

Processing an Incident or Crime Scene

1. Present a list with guidelines for processing a crime scene. The list should include

2. Illustrate each one of these guidelines with as many examples as you can.

3. Describe the steps to properly bag and tag evidence, including:

a. Assign one person, if possible, to collect and log all evidence

4. Explain that you should also look for information related to the investigation, such as

5. List the documentation items that students should collect, including the following

material:

a. Hardware, including peripheral devices

Processing Data Centers with RAID Systems

1. Define sparse acquisition as a technique for extracting evidence from large systems. It

2. Explain that one drawback of this technique is that it doesn’t recover data in free or

slack space.

Using a Technical Advisor

2. Explain that a technical advisor can help you list the tools you need to process the

incident or crime scene. The advisor is the person guiding you about where to locate

3. Describe the responsibilities assigned to external advisors, including:

a. Know all aspects of the seized system

b. Direct investigators handling sensitive material

c. Help securing the scene

Documenting Evidence in the Lab

1. Explain that you should be sure to record your activities and findings as you work. For

this, maintain a journal to record the steps you take as you process evidence.

2. Explain that your goal is to be able to reproduce the same results when you or another

3. Mention that a journal serves as a reference that documents the methods you used to

Processing and Handling Digital Evidence

2. Describe the steps to create image files, including:

a. Copy all image files to a large drive

Storing Digital Evidence

1. Explain that the media you use to store digital evidence usually depends on how long

you need to keep it.

3. Explain that magnetic tapes have more capacity and a longer lifespan than CDs and

Evidence Retention and Media Storage Needs

1. Explain that to help maintain the chain of custody for digital evidence, you should

2. Use Figure 5-7 to show that an evidence custody form should contain an entry for every

person who handles the evidence.

3. Emphasize that if you need to retain evidence indefinitely, you must check with your

Documenting Evidence

1. Mention that to document evidence, you can create or use an evidence custody form. An

evidence custody form serves the following functions:

a. Identifies the evidence

2. Explain that you can add more information to your form, such as a section listing MD5

and SHA-1 hash values. Include any detailed information you might need to reference.

Guide to Computer Forensics and Investigations, Fifth Edition 4-12

Evidence bags also include labels or evidence forms you can use to document your

Obtaining a Digital Hash

1. Define Cyclic Redundancy Check (CRC) as a mathematical algorithm that determines

2. Define Message Digest 5 (MD5) as a mathematical formula that translates a file into a

3. Describe the three rules for forensic hashes:

a. You can’t predict the hash value of a file or device.

4. Define Secure Hash Algorithm version 1 (SHA-1) as a newer hashing algorithm

developed by the National Institute of Standards and Technology (NIST).

6. Explain that most computer forensics hashing needs can be satisfied with a nonkeyed

7. Describe how to use the MD5 function in FTK Imager to obtain the digital signature of

Reviewing a Case

1. This section describes the following general tasks you perform in any computer

forensics case:

a. Identify the case requirements

b. Plan your investigation

Sample Civil Investigation

1. Present an example of a policy violation and the steps a digital forensics investigator

should take during the investigation.

2. Define terms like covert surveillance and sniffing tools. Accompany your definitions

Sample Criminal Investigation

1. Present an example of a criminal investigation, highlighting the role of a warrant. Use

Reviewing Background Information for a Case

1. Introduce the M57 Patents case where a computer that was discovered to contain

Planning the Investigation

1. Explain that during this phase, you must find out some background information on the

2. In addition, you should make an image of the suspect’s computer disk drive and

Conducting the Investigation: Acquiring Evidence with OSForensics

Quick Quiz 2

1. Evidence is commonly lost or corrupted through ____, which involves police officers

and other professionals who aren’t part of the crime scene processing team.

2. If a 30-year lifespan for data storage is acceptable for your digital evidence, older _____

systems are a good choice.

3. The _____ is a mathematical algorithm that determines whether a file’s contents have

changed.

4. A(n) ____ is a unique hash number generated by a software tool, such as the Linux

md5sum command.

Guide to Computer Forensics and Investigations, Fifth Edition 4-14

Answer: nonkeyed hash set

5. Real-time surveillance requires _____ data transmissions, which allows network

administrators and others to determine what data is being transmitted over the network.

Class Discussion Topics

1. Have students discuss the initial- and extensive-response field kits described in this

chapter. What do they think about the kits? Would they add or remove something from

the kits?

2. Have students analyze and discuss a case where Company A claims its network was

compromised by a connection from Company B network. How should both companies

proceed? Who should be involved?

Additional Projects

1. Have students develop a policy that states a corporate right to conduct investigations on

its computer assets.

Additional Resources

http://en.wikipedia.org/wiki/Freedom_of_Information_Act_(United_States)

3. USA PATRIOT Act:

4. Search warrant:

5. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal

Investigations:

6. Automated Fingerprint Identification System:

7. MD5:

8. Covert surveillance software Web sites:

Guide to Computer Forensics and Investigations, Fifth Edition 4-16

Key Terms

into a unique hexadecimal value.

➢ digital evidence — Evidence consisting of information stored or transmitted in

electronic form.

➢ digital hash — A unique hexadecimal value that identifies a file.

➢ extensive-response field kit — A portable kit designed to process several computers

➢ keyed hash set — A value created by an encryption utility’s secret key.

➢ limiting phrase — Wording in a search warrant that limits the scope of a search for

evidence.

➢ low-level investigations — Corporate cases that require less effort than a major

criminal case.

a law enforcement officer, who has the right to be in position to have that view, are

subject to seizure without a warrant and can be introduced as evidence.

➢ probable cause — An indication that a crime has been committed, evidence of the

specific crime exists, and evidence for the specific crime exists at the place to be

searched.