Authors: Amelia Phillips, Bill Nelson, Christopher Steuart
Guide to Computer Forensics and Investigations, Fifth Edition 4-1
Chapter 4
Processing Crime and Incident Scenes
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Teaching Tips
Quick Quizzes
Lecture Notes
Overview
In this chapter, you learn how to process a computer investigation scene. Evidence rules
are critical, whether you’re on a corporate or a criminal case. As you’ll see, a civil case
can quickly become a criminal case, and a criminal case can revert to a civil case. This
Chapter Objectives
Explain the rules for digital evidence
Describe how to collect evidence at private-sector incident scenes
Explain guidelines for processing law enforcement crime scenes
List the steps in preparing for an evidence search
Describe how to secure a computer incident or crime scene
Teaching Tips
Identifying Digital Evidence
1. Define digital evidence as any information stored or transmitted in digital form. U.S.
3. Describe some of the general tasks investigators perform when working with digital
evidence, including:
a. Identify digital information or artifacts that can be used as evidence
b. Collect, preserve, and document evidence
Understanding Rules of Evidence
1. Explain that consistent practices help verify your work and enhance your credibility. In
addition, you should comply with your state’s rules of evidence or with the Federal
Rules of Evidence.
2. Mention that evidence admitted in a criminal case can be used in a civil suit, and vice
versa.
4. Mention that digital evidence is unlike other physical evidence because it can be
5. Explain that most federal courts have interpreted computer records as hearsay evidence.
6. Explain that the business-record exception allows “records of regularly conducted
7. Describe the following two categories of computer records:
8. Explain that computer and digitally stored records must also be shown to be authentic
9. Mention that collecting evidence according to the approved steps of evidence control
helps ensure that the computer evidence is authentic.
11. Explain that one test to prove that computer-stored records are authentic is to
4-2 to illustrate your explanation.
13. Explain that the best evidence rule states that to prove the content of a written
14. Explain that the Federal Rules of Evidence allow a duplicate instead of originals when it
is produced by the same impression as the original. As long as bit-stream copies of data
Collecting Evidence in Private-Sector Incident Scenes
1. Mention that private-sector organizations include businesses, large corporations, and
2. Explain that NGOs must comply with state public disclosure and federal Freedom of
Information Act (FOIA) laws and make certain documents available as public records.
The FOIA allows citizens to request copies of public documents created by federal
agencies.
3. Mention that a special category of private-sector businesses includes ISPs and other
4. Explain that investigating and controlling computer incident scenes in the corporate
5. Explain that typically, businesses have inventory databases of computer hardware and
6. In addition, a corporate policy statement about misuse of computing assets allows
8. Explain that corporate investigators should know under what circumstances they can
9. Mention that if a corporate investigator finds that an employee is committing or has
committed a crime, the employer can file a criminal complaint with the police.
10. Emphasize that employers are usually interested in enforcing company policy, not
11. Describe the actions to follow if you discover evidence of a crime during a company
policy investigation, including:
a. Determine whether the incident meets the elements of criminal law
Processing Law Enforcement Crime Scenes
1. Mention that to process a crime scene properly, you must be familiar with criminal rules
2. Explain that law enforcement officers may search for and seize criminal evidence only
3. Mention that with probable cause, a police officer can obtain a search warrant from a
4. Explain that the Fourth Amendment states that only warrants “particularly describing
the place to be searched, and the persons or things to be seized” can be issued.
Understanding Concepts and Terms Used in Warrants
1. Define innocent information as unrelated information often included with the evidence
2. Explain that judges often issue a limiting phrase to the warrant, which allows the police
to separate innocent information from evidence.
3. Explain that the plain view doctrine states that objects falling in plain view of an officer
4. Discuss the three criteria that must be met for the plain view doctrine to apply:
a. Officer is where he or she has a legal right to be
Preparing for a Search
2. Explain that to perform these tasks, you might need to get answers from the victim and
Identifying the Nature of the Case
1. Mention that when you’re assigned a computing investigation case, you start by
2. Explain that the nature of the case dictates how you proceed, and what types of assets or
Identifying the Type of OS or Digital Device
1. Explain that for law enforcement, this step might be difficult because the crime scene
2. Mention that you should also determine which OSs and hardware might be involved. If
Discuss the benefits of having configuration management databases to identify
Determining Whether You Can Seize Computers and Digital Devices
1. Explain that the type of case and the location of the evidence determine whether you
can remove computers from the scene.
2. Mention that law enforcement investigators need a warrant to remove computers from a
4. Explain that if you aren’t allowed to take the computers to your lab, then you need to
Getting a Detailed Description of the Location
1. Encourage your students to get as much information as they can about the location and
conditions of the crime scene location.
2. If you have to deal with hazardous materials, coordinate closely with your
HAZMAT team and follow the HAZMAT guidelines, including:
a. Protect your safety and health while protecting the evidence
Determining Who Is in Charge
1. Describe the differences between corporate computing investigations and investigations
Using Additional Technical Expertise
1. Illustrate situations where you may need the help of specialists. For example, when
2. Mention that specialists need to be trained in proper investigation techniques to avoid
Determining the Tools You Need
1. Mention that you should prepare your tools using incident and crime scene information.
Preparing the Investigation Team
1. Explain to your students the importance of reviewing all the details about the incident
Quick Quiz 1
1. The ISO standard 27037 gives guidance on what procedures countries should have in
place for _____.
2. A statement made while testifying at a hearing by someone other than an actual witness
is known as _____.
3. ____ records are data the system maintains, such as system log files and proxy server
logs.
4. NGOs must comply with state public disclosure and federal _____ laws and make
certain documents available as public records.
5. ____ is facts or circumstances that lead a reasonable person to believe a crime has been
Securing a Computer Incident or Crime Scene
1. Mention the two major benefits of securing the crime scene:
2. Describe how you can create a security perimeter by using yellow barrier tape and
3. Define professional curiosity and explain its negative effects.
Seizing Digital Evidence at the Scene
2. Explain to your students that seizing digital data must follow standards defined by the
U.S. Department of Justice (DoJ) for both criminal and corporate investigations.
3. Emphasize that when seizing digital data, always consult with your attorney for
Preparing to Acquire Digital Evidence
2. List some of the questions that you need to ask your supervisor or senior forensics
examiner in your organization before acquiring digital evidence, including:
a. Do you need to take the entire computer and all peripherals and media in the
immediate area?
b. How are you going to protect the computer and media while transporting them
to your lab?
c. Is the computer powered on when you arrive?
d. Is the suspect you’re investigating in the immediate area of the computer?
e. Is it possible the suspect damaged or destroyed the computer, peripherals, or
media?
f. Will you have to separate the suspect from the computer?
Processing an Incident or Crime Scene
1. Present a list with guidelines for processing a crime scene. The list should include
2. Illustrate each one of these guidelines with as many examples as you can.
3. Describe the steps to properly bag and tag evidence, including:
a. Assign one person, if possible, to collect and log all evidence
4. Explain that you should also look for information related to the investigation, such as
5. List the documentation items that students should collect, including the following
material:
a. Hardware, including peripheral devices
Processing Data Centers with RAID Systems
1. Define sparse acquisition as a technique for extracting evidence from large systems. It
2. Explain that one drawback of this technique is that it doesn’t recover data in free or
slack space.
Using a Technical Advisor
2. Explain that a technical advisor can help you list the tools you need to process the
incident or crime scene. The advisor is the person guiding you about where to locate
3. Describe the responsibilities assigned to external advisors, including:
a. Know all aspects of the seized system
b. Direct investigators handling sensitive material
c. Help secure the scene
Documenting Evidence in the Lab
1. Explain that you should be sure to record your activities and findings as you work. For
this, maintain a journal to record the steps you take as you process evidence.
2. Explain that your goal is to be able to reproduce the same results when you or another
3. Mention that a journal serves as a reference that documents the methods you used to
Processing and Handling Digital Evidence
2. Describe the steps to create image files, including:
a. Copy all image files to a large drive
Storing Digital Evidence
1. Explain that the media you use to store digital evidence usually depends on how long
you need to keep it.
3. Explain that magnetic tapes have more capacity and a longer lifespan than CDs and
Evidence Retention and Media Storage Needs
1. Explain that to help maintain the chain of custody for digital evidence, you should
2. Use Figure 5-7 to show that an evidence custody form should contain an entry for every
person who handles the evidence.
3. Emphasize that if you need to retain evidence indefinitely, you must check with your
Documenting Evidence
1. Mention that to document evidence, you can create or use an evidence custody form. An
evidence custody form serves the following functions:
a. Identifies the evidence
2. Explain that you can add more information to your form, such as a section listing MD5
and SHA-1 hash values. Include any detailed information you might need to reference.
Evidence bags also include labels or evidence forms you can use to document your
Obtaining a Digital Hash
1. Define Cyclic Redundancy Check (CRC) as a mathematical algorithm that determines
2. Define Message Digest 5 (MD5) as a mathematical formula that translates a file into a
3. Describe the three rules for forensic hashes:
a. You can’t predict the hash value of a file or device.
4. Define Secure Hash Algorithm version 1 (SHA-1) as a newer hashing algorithm
developed by the National Institute of Standards and Technology (NIST).
6. Explain that most computer forensics hashing needs can be satisfied with a nonkeyed
7. Describe how to use the MD5 function in FTK Imager to obtain the digital signature of
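The points above about listing MD5 and SHA-1 values on the evidence custody form and about the rules for forensic hashes can be shown with a short script. This is an added example, not code from the instructor's manual or the textbook's authors: it hashes a constructed stand-in for a bit-stream image, checks that a duplicate matches the original on both algorithms, shows that a single flipped bit produces an entirely different digest (the reason you cannot predict a file's hash), and records the digests in a hypothetical custody-log entry whose field names are assumptions, not the textbook's form.

```python
"""Forensic hashing of a drive image and a custody-log entry.

Added example; the sample image bytes and the log field names are
constructed for illustration and are not from the textbook.
"""
import hashlib
from datetime import datetime, timezone

# Constructed sample: stands in for a bit-stream image of a seized drive.
SAMPLE_IMAGE = b"constructed sample drive image: mail.pst, ledger.xlsx, pagefile.sys\n" * 64


def forensic_hashes(data: bytes) -> dict:
    """Return the MD5 and SHA-1 hex digests of the data, the two values the
    chapter says to list on an evidence custody form."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify_duplicate(original: bytes, duplicate: bytes) -> bool:
    """A duplicate may stand in for the original only if both digests match.
    Recording two independent algorithms guards against a collision in one."""
    return forensic_hashes(original) == forensic_hashes(duplicate)


def flip_one_bit(data: bytes, byte_index: int = 0, bit: int = 0) -> bytes:
    """Return a copy of data with a single bit inverted, simulating a
    corrupted or altered copy."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def custody_entry(item_id: str, description: str, data: bytes,
                  handler: str, action: str) -> dict:
    """One line of a hypothetical evidence custody log: who handled the item,
    what they did, when, and the digests recorded at that moment."""
    entry = {
        "item_id": item_id,
        "description": description,
        "handler": handler,
        "action": action,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    entry.update(forensic_hashes(data))
    return entry


def hash_still_matches(entry: dict, data: bytes) -> bool:
    """Re-hash the evidence later and compare with what the log recorded."""
    current = forensic_hashes(data)
    return entry["md5"] == current["md5"] and entry["sha1"] == current["sha1"]


if __name__ == "__main__":
    entry = custody_entry("ITEM-001", "constructed drive image",
                          SAMPLE_IMAGE, "examiner", "acquired bit-stream image")
    print("logged:", entry)
    print("duplicate verifies:", verify_duplicate(SAMPLE_IMAGE, bytes(SAMPLE_IMAGE)))
    altered = flip_one_bit(SAMPLE_IMAGE, byte_index=10, bit=2)
    print("one-bit change verifies:", verify_duplicate(SAMPLE_IMAGE, altered))
    print("altered md5:", forensic_hashes(altered)["md5"])
```

Re-running `hash_still_matches` against the stored entry whenever the evidence changes hands is the check that backs the custody form: the digests recorded at acquisition either still match, or the log shows exactly which handoff preceded the discrepancy.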
Reviewing a Case
1. This section describes the following general tasks you perform in any computer
forensics case:
a. Identify the case requirements
b. Plan your investigation
Sample Civil Investigation
1. Present an example of a policy violation and the steps a digital forensics investigator
should take during the investigation.
2. Define terms like covert surveillance and sniffing tools. Accompany your definitions
Sample Criminal Investigation
1. Present an example of a criminal investigation, highlighting the role of a warrant. Use
Reviewing Background Information for a Case
1. Introduce the M57 Patents case where a computer that was discovered to contain
Planning the Investigation
1. Explain that during this phase, you must find out some background information on the
2. In addition, you should make an image of the suspect’s computer disk drive and
Conducting the Investigation: Acquiring Evidence with OSForensics
Quick Quiz 2
1. Evidence is commonly lost or corrupted through ____, which involves police officers
and other professionals who aren’t part of the crime scene processing team.
2. If a 30-year lifespan for data storage is acceptable for your digital evidence, older _____
systems are a good choice.
3. The _____ is a mathematical algorithm that determines whether a file’s contents have
changed.
4. A(n) ____ is a unique hash number generated by a software tool, such as the Linux
md5sum command.
Answer: nonkeyed hash set
5. Real-time surveillance requires _____ data transmissions, which allows network
administrators and others to determine what data is being transmitted over the network.
Class Discussion Topics
1. Have students discuss the initial- and extensive-response field kits described in this
chapter. What do they think about the kits? Would they add or remove something from
the kits?
2. Have students analyze and discuss a case where Company A claims its network was
compromised by a connection from Company B's network. How should both companies
proceed? Who should be involved?
Additional Projects
1. Have students develop a policy that states a corporate right to conduct investigations on
its computer assets.
Additional Resources
http://en.wikipedia.org/wiki/Freedom_of_Information_Act_(United_States)
3. USA PATRIOT Act:
4. Search warrant:
5. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal
Investigations:
6. Automated Fingerprint Identification System:
7. MD5:
8. Covert surveillance software Web sites:
Key Terms
into a unique hexadecimal value.
digital evidence Evidence consisting of information stored or transmitted in
electronic form.
digital hash A unique hexadecimal value that identifies a file.
extensive-response field kit A portable kit designed to process several computers
keyed hash set A value created by an encryption utility’s secret key.
limiting phrase Wording in a search warrant that limits the scope of a search for
evidence.
low-level investigations Corporate cases that require less effort than a major
criminal case.
a law enforcement officer, who has the right to be in position to have that view, are
subject to seizure without a warrant and can be introduced as evidence.
probable cause An indication that a crime has been committed, evidence of the
specific crime exists, and evidence for the specific crime exists at the place to be
searched.