Module 4: Collecting Evidence
Topics
• Crime scenes
• Documenting
• Chain of Custody
• Forensic cloning
• Live and Dead Systems
• Hashing
• Final Report
Crime Scenes and Collecting Evidence
Securing the Scene
• Unnecessary people must be kept out
• Network connections place data at risk
• Once it is assured that volatile data won't be lost, disconnect network cables
• Isolate seized phones from the network
– Image from crimescenecleanupdetroit.com
Cell Phones
• Valuable evidence
– Text messages, email, call logs, contacts
• Interacting with the phone can change data
– Apple's "Find My iPhone" app can be used to remotely wipe the phone
[reference: DFIR-Smartphone-Forensics-Poster]
Removable Media
• Memory cards can be tiny
• Hidden in books, wallets, hat bands, etc.
• Also DVDs, external hard drives, thumb drives, memory cards
• Examine books and manuals to determine the skill level of the target
– Are they using encryption?
[reference: DFIR-Smartphone-Forensics-Poster]
Isolating Cell Phones
• Turn the phone off
– BUT it may require a password when turned back on
• Shielded container
– Paint can, Faraday bag
• Power
– Provide external battery pack to keep phone alive
– Seize power cables if phone is off, so it can be charged for examination
[reference: DFIR-Smartphone-Forensics-Poster]
Questions at the Scene
• After scene is secured, ask these questions
– What kinds of devices are present?
– How many devices?
– Are the devices running?
– What tools are needed?
– Do we have the necessary expertise?
Order of Volatility
• Gather most volatile evidence first
– CPU, cache and registers
– Routing table, ARP cache, processes
– RAM
– Temp files/swap space
– Hard disk
– Remotely logged data
– Archival media
Documenting the Scene
If you don't write it down, it didn't happen
Types of Documentation
• Photographs
• Written notes
• Video
• Record precise details
– Type, make, model, serial number
– Whether a device is on or off
– Network connections
– Peripheral connections like printers
– Document and label cables
Photography
• Walk through the scene to find devices and see what will be needed
• Then photograph entire scene before anything is disturbed
• Broad perspective, then each item of evidence in its original position
– Add a ruler in a second photo for perspective
• Photos don't replace notes
Notes
• No set standard
• Chronological is common
• Those notes will guide you in court later
• Notes can be discoverable and may be seen by the other side
– Don't draw conclusions or speculate
Chain of Custody
Marking Evidence
• Initials, dates, case numbers
• Permanent markers
• Sealed in evidence anti-static bag
• Tamper-resistant evidence tape
Forensic cloning
Cloning
• Exact copy of a hard drive, bit for bit
• Gathers unallocated space and Master File Table
• Time-consuming process
• Usually done at the lab, not on the scene
• In civil cases, you may lack legal authorization to remove the computer
– Must clone it on-scene
Purpose of Cloning
• Examine a copy, not the original
– Unless there are exigent circumstances, like a missing child
• You can recover from mistakes
• A properly authenticated forensic clone is as good as the original in court
The Cloning Process
• Copy one hard drive to another, larger hard drive
• Source drive normally removed from computer
• Critical to use a write-blocker
– Hardware or software
• Forensically clean destination drive first
• Proof of that goes in the case file
Forensically Clean Media
• Can be proven devoid of data
• "Sterile"
• Overwrite entire drive with a pattern of data
– Such as 00000000
Forensic Image Formats
• Proprietary
– EnCase (.E01) – Actually "Expert Witness"
– AccessData Custom Content Image (.AD1)
• Open
– Advanced Forensics Format (AFF)
• Open format, see link Ch 4a
– Raw (.dd or .001)
• Direct uncompressed disk image
Risks and Challenges
• Biggest Risk: Writing to the evidence drive
• Bad sectors
• Damaged or malfunctioning drives
• Corrupt boot sector
• Antiforensics measures (theoretical, not practical risk)
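The cloning workflow on the preceding slides (sterile destination, raw sector-by-sector copy, hashing for authentication, bad sectors as a risk) as an added worked example; this is not code from the slides or from any forensic tool, and the 512-byte sector size, the in-memory "drives" and the simulated bad sector are constructed for illustration.

```python
import hashlib
import io
SECTOR = 512  # classic sector size; many modern drives use 4096

def is_sterile(dest):
    # Proof for the case file: every byte of the destination reads as 0x00.
    dest.seek(0)
    while chunk := dest.read(1 << 16):
        if chunk.count(0) != len(chunk):
            return False
    return True

def acquire_raw(source, dest, size, bad_sectors=frozenset()):
    # Raw (.dd-style) copy, sector by sector. `bad_sectors` simulates read
    # errors; they are zero-filled and logged so the image stays aligned.
    acq, log = hashlib.sha256(), []
    dest.seek(0)
    for n in range(size // SECTOR):
        if n in bad_sectors:
            data = b"\x00" * SECTOR
            log.append(f"sector {n}: read error, zero-filled")
        else:
            source.seek(n * SECTOR)
            data = source.read(SECTOR)
        acq.update(data)          # acquisition hash, taken as data is read
        dest.write(data)
    return acq.hexdigest(), log

def verify_image(dest, acquisition_hash):
    # Re-read the finished image; it must hash to the acquisition value.
    h = hashlib.sha256()
    dest.seek(0)
    while chunk := dest.read(1 << 16):
        h.update(chunk)
    return h.hexdigest() == acquisition_hash

def demo():
    # Constructed 8-sector 'drive'; sector 3 is made unreadable on purpose.
    evidence = b"".join(bytes([i]) * SECTOR for i in range(1, 9))
    source, dest = io.BytesIO(evidence), io.BytesIO(b"\x00" * len(evidence))
    wiped = is_sterile(dest)  # checked before anything is written
    acq_hash, log = acquire_raw(source, dest, len(evidence), bad_sectors={3})
    return {
        "dest_was_sterile": wiped,
        "image_verified": verify_image(dest, acq_hash),
        "source_untouched": source.getvalue() == evidence,
        # False: sector 3 was zero-filled, so the bad-sector log must travel
        # with the acquisition hash to explain the difference from the original.
        "matches_original": hashlib.sha256(evidence).hexdigest() == acq_hash,
        "bad_sectors": log,
    }
```

On a real acquisition the source would be opened read-only behind a write-blocker and the image verified against a hash recorded in the chain-of-custody notes.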
eDiscovery
• Gathering and presenting electronically stored information (ESI) for legal cases
• Cloning preserves evidence best
– Can be expensive and impractical
• du Pont v. Kolon
– Kolon lost and was hit with
• $920 million judgement
• 20-year ban from competing with du Pont
Spoliation
Q&A
http://fpt.edu.vn 06/04/24 25