Wednesday, January 24, 2007

All India Police Duty Meet

DIGITAL FORENSICS QUESTIONS AND HINTS
SARADA AVADHANAM

1. What is Computer Forensics?
1.1. Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.
2. What is the objective of this?
2.1. To provide digital evidence of a specific or general activity.
3. To what ends?
3.1. Criminal investigation, or
3.2. Civil litigation,
3.3. Re-tracking steps taken when data has been lost.
4. What are the common scenarios?
4.1. Employee internet abuse (common, but decreasing)
4.2. Unauthorized disclosure of corporate information and data (accidental and intentional)
4.3. Industrial espionage
4.4. Damage assessment (following an incident)
4.5. Criminal fraud and deception cases
4.6. More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly)
5. How is a computer forensic investigation approached?
5.1. Secure the subject system (from tampering during the operation);
5.2. Take a copy of hard drive (if applicable);
5.3. Identify and recover all files (including those deleted);
5.4. Access/copy hidden, protected and temporary files;
5.5. Study 'special' areas on the drive (eg: residue from previously deleted files);
5.6. Investigate data/settings from installed applications/programs;
5.7. Assess the system as a whole, including its structure;
5.8. Consider general factors relating to the user's activity;
5.9. Create a detailed report.
5.10. A full audit log of your activities should be maintained.
6. Is there anything that should NOT be done during an investigation?
6.1. Avoid changing date/time stamps (of files for example) or changing data itself.
6.2. The same applies to the overwriting of unallocated space (which can happen on re-boot for example).
6.3. 'Study don't change' is a useful catch-phrase.
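As an added illustration (not part of the original hints), the following Python script carries out steps 5.2 and 5.10 while honouring rule 6.1: it hashes the source image, copies it, gives the copy the original's timestamps, re-hashes to prove the copy is faithful, and appends an entry to an audit log. The file names and examiner name are placeholders and the image content is constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def acquire(source, dest, audit_log, examiner):
    """Steps 5.2 and 5.10: copy the image (Path objects), keep its timestamps, verify, log."""
    sha_before = sha256_of(source)
    src_stat = source.stat()
    shutil.copyfile(source, dest)
    # Rule 6.1: do not change date/time stamps; give the copy the original's access/modify times
    os.utime(dest, ns=(src_stat.st_atime_ns, src_stat.st_mtime_ns))
    sha_after = sha256_of(dest)
    entry = {
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "action": "acquire_image",
        "source": str(source),
        "destination": str(dest),
        "sha256_source": sha_before,
        "sha256_copy": sha_after,
        "verified": sha_before == sha_after,
        "mtime_preserved": dest.stat().st_mtime_ns == src_stat.st_mtime_ns,
    }
    with open(audit_log, "a", encoding="utf-8") as log:  # append-only JSON-lines audit trail
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_copy(copy, expected_sha256):
    """Re-hash a stored copy before later analysis and compare it with the logged value."""
    return sha256_of(Path(copy)) == expected_sha256

def demo():
    """Run the procedure on a constructed stand-in image inside a temporary directory."""
    workdir = Path(tempfile.mkdtemp(prefix="acquisition_"))
    source = workdir / "suspect_disk.img"  # placeholder name; content below is constructed
    source.write_bytes(b"CONSTRUCTED SAMPLE IMAGE\x00" * 4096)
    return acquire(source, workdir / "suspect_disk_copy.img", workdir / "audit.jsonl", "EXAMINER-PLACEHOLDER")
```

Any later edit to the copy (even a single byte) makes verify_copy return False, which is exactly the "study don't change" check an examiner wants before relying on the image.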
7. Case variety
7.1. Case 1: Lost e-mails were recovered from the corrupted inbox of the e-mail provider.
7.2. Case 2: The case of the disgruntled employee: e-mails, letters and memorandums were all recovered from the hard disk.
7.3. Case 3: The case of corrupted data: his computer suddenly failed to boot; forensics recovered his document file.
7.4. Case 4: The case of hatred and revenge: her Windows applications were recovered after her system files had been manually deleted.
7.5. Case 5: The case of the forgotten backup: Netscape was probably not backed up and was overwritten during the O/S reinstallation. Forensics recovered the e-mails that had been overwritten.
8. Recognizing Potential Evidence
9. The computer may be
9.1. Contraband,
9.2. Fruits of the crime,
9.3. A tool of the offense, or
9.4. A storage container holding evidence of the offense.
10. Investigations produce electronic evidence.
11. Computers and related evidence range from the mainframe computer to the pocket-sized personal data assistant to the floppy diskette, CD or the smallest electronic chip device. Images, audio, text and other data may reside on these media.
11.1. Protect,
11.2. Seize and
11.3. Search such devices as per best practices and guidelines.
12. Answers to the following questions will better determine the role of the computer in the crime:
12.1. Is the computer contraband or fruits of a crime? For example, was the computer software or hardware stolen?
12.2. Is the computer system a tool of the offense? For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, and color printer?
12.3. Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense? For example, is a drug dealer maintaining his trafficking records in his computer?
12.4. Is the computer system both instrumental to the offense and a storage device for evidence? For example, did the computer hacker use her computer to attack other systems and also use it to store stolen credit card information?
13. Once the computer's role is understood, the following essential questions should be answered:
13.1. Is there probable cause to seize hardware?
13.2. Is there probable cause to seize software?
13.3. Is there probable cause to seize data?
13.4. Where will this search be conducted?
13.5. For example, is it practical to search the computer system on site or must the examination be conducted at a field office or lab?
13.6. If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
14. Considering the incredible storage capacities of computers, how will experts search this data in an efficient, timely manner?
14.1. Conducting a Search and/or Seizure
14.2. Importance of not changing the data/information (and therefore potential evidence) during the investigative or search process.
15. Once the computer's role is understood and legal requirements are fulfilled:
16. Secure the Scene
16.1. Officer safety is paramount.
16.2. Preserve area for potential fingerprints.
16.3. Immediately restrict access to computer(s). Isolate from phone lines (because data on the computer can be accessed remotely).
17. Secure the Computer as Evidence
17.1. If computer is "OFF", do not turn "ON".
17.2. If computer is "ON"
17.2.1. Stand-alone computer (non-networked)
17.2.1.1. Consult computer specialist
17.2.1.2. If specialist is not available
17.2.1.2.1. Photograph screen, then disconnect all power sources; unplug from the wall AND the back of the computer.
17.2.1.2.2. Place evidence tape over each drive slot.
17.2.1.2.3. Photograph/diagram and label back of computer components with existing connections.
17.2.1.2.4. Label all connectors/cable end to allow reassembly as needed.
17.2.1.2.5. If transport is required, package components and transport/store components as fragile cargo.
17.2.1.2.6. Keep away from magnets, radio transmitters and otherwise hostile environments.
17.2.2. Networked or business computers
17.2.2.1. Consult a Computer Specialist for further assistance
17.2.2.2. Pulling the plug could:
17.2.2.2.1. Severely damage the system
17.2.2.2.2. Disrupt legitimate business
17.2.2.2.3. Create officer and department liability
18. OTHER ELECTRONIC STORAGE DEVICES
19. Electronic devices may contain viable evidence associated with criminal activity. Unless an emergency exists, the device should not be accessed. Should it be necessary to access the device, all actions associated with the manipulation of the device should be noted in order to document the chain of custody and ensure its admission in court.
20. Wireless Telephones
20.1. Potential Evidence Contained in Wireless Devices
20.1.1. Numbers called
20.1.2. Numbers stored for speed dial
20.1.3. Caller ID for incoming calls
20.1.4. Other information contained in the memory of wireless telephones
20.1.4.1. Phone/pager numbers
20.1.4.2. Names and addresses
20.1.4.3. PIN numbers
20.1.4.4. Voice mail access number
20.1.4.5. Voice mail password
20.1.4.6. Debit card numbers
20.1.4.7. Calling card numbers
20.1.4.8. E-mail/Internet access information
20.1.4.9. The on screen image may contain other valuable information
20.2. On/Off Rule
20.2.1. If the device is "ON", do NOT turn it "OFF".
20.2.1.1. Turning it "OFF" could activate a lockout feature.
20.2.1.2. Write down all information on display (photograph if possible).
20.2.1.3. Power down prior to transport (take any power supply cords present).
20.2.2. If the device is "OFF", leave it "OFF".
20.2.2.1. Turning it on could alter evidence on device (same as computers).
20.2.2.2. Upon seizure get it to an expert as soon as possible or contact local service provider.
20.2.2.3. If an expert is unavailable, USE A DIFFERENT TELEPHONE and contact a round-the-clock service provided by the cellular telephone industry.
20.2.2.4. Make every effort to locate any instruction manuals pertaining to the device.
21. Electronic Paging Devices
21.1. Potential Evidence Contained in Paging Devices
21.1.1. Numeric pagers (receives only numeric digits; can be used to communicate numbers and code)
21.1.2. Alpha numeric pagers (receives numbers and letters and can carry full text)
21.1.3. Voice pagers (can transmit voice communications, sometimes in addition to alphanumeric)
21.1.4. 2-way pagers (containing incoming and outgoing messages)
21.1.5. Best Practices
21.1.5.1. Once the pager is no longer in proximity to the suspect, turn it off. Continued access to electronic communication over the pager without proper authorization can be construed as unlawful interception of electronic communication.
21.1.6. Search of stored contents of pager.
21.1.6.1. Incident to arrest
21.1.6.2. With probable cause + exception
21.1.6.3. With consent
22. Facsimile Machines
22.1. Fax machines can contain:
22.1.1. Speed dial lists
22.1.2. Stored faxes (incoming and outgoing)
22.1.3. Fax transmission logs (incoming and outgoing)
22.1.4. Header line
22.1.5. Clock setting
22.2. Best practices
22.2.1. If fax machine is found "ON", powering down may cause loss of last number dialed and/or stored faxes.
22.3. Other Considerations
22.3.1. Search issues
22.3.1.1. Record telephone line number fax is plugged into
22.3.1.2. Header line should be the same as the phone line; user sets header line.
22.3.1.3. All manuals should be seized with equipment, if possible.
23. Caller ID Devices
23.1. May contain telephone and subscriber information from incoming telephone calls.
23.1.1. Interruption of the power supply to the device may cause loss of data if not protected by internal battery backup.
23.1.2. Document all stored data prior to seizure or loss of data may occur.
24. Smart Cards: A plastic card the size of a standard credit card that holds a microprocessor (chip) which is capable of storing monetary value and other information.
24.1. Awareness
24.1.1. Physical characteristics of the card
24.1.2. Photograph of the smart card
24.1.2.1. Label and identify characteristics.
24.1.2.2. Features similar to credit card/driver's license.
24.1.2.3. Detect possible alteration or tampering during same examination.
24.2. Uses of Smart Cards
24.2.1. Point of sale transactions
24.2.2. Direct exchange of value between cardholders
24.2.3. Exchange of value over the Internet
24.2.4. ATM capabilities
24.2.5. Capable of storing other data and files similar to a computer
24.3. Circumstances Raising Suspicion Concerning Smart Cards
24.3.1. Same as credit cards
24.3.2. Numerous cards (different names or same issuing vendor)
24.3.3. Signs of tampering (cards can be found in the presence of computer or other electronic devices)
24.4. Questions to Ask When Encountering Smart Cards
24.4.1. Who was issued the card (the valid cardholder)?
24.4.2. Who issued the card?
24.4.3. What are the uses of the cards?
24.4.4. Why does the person have numerous cards?
24.4.5. Can this computer or device alter the card?
24.5. Other Considerations
25. Smart Card technology is used in some cellular phones and may be found in or with cellular devices
