Forensics Process

Before the investigation
1. build a forensics workstation
2. build the investigation team
3. review policies and laws
4. notify decision makers and acquire authorization, ex: written authorization or email
5. assess risks
6. build a computer investigation toolkit
7. define the forensics investigation methodology
ps:
scan the forensics workstation with an antivirus scanner before beginning an investigation

Readiness planning checklist
Define the business scenarios that require digital evidence.
Identify the potential evidence available.
Decide the procedure for securely collecting the evidence that meets the requirement in a forensically sound manner.

...

Investigation team includes
attorney
photographer
incident responder
decision maker
incident analyst
...omit...


...

Forensics investigation methodology
1. obtain a search warrant
2. evaluate and secure the scene, ex: photograph or video-record the scene
3. collect the evidence
ps: ensure that the storage device the evidence is copied onto is forensically clean (wiped and verified) before collection
4. secure the evidence
5. acquire the data
6. analyze the data
7. assess the evidence and the case
8. prepare the final report
9. testify as an expert witness


...

Chain of custody
the route that evidence takes from the time you find it until the case is closed or goes to court
a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory
a record of who handled the evidence, what was done, when, where and how, throughout collection, transport, storage and analysis
ex: screenshot

Where the forms are kept to maintain the chain of custody
the multi-evidence form should be placed in the report file
single-evidence forms should be kept with each hard drive in an approved secure container


...............................................................................................................

Acquire and analyze data

Make 2 copies with different tools
1. original data ---tool1 (bit by bit)--> working data1
2. original data ---tool2 (bit by bit)--> working data2
3. check the integrity of original data, working data1 and working data2 with a hash (md5, sha256, ...etc)
ps: MD5 alone is no longer collision-resistant, so record at least a SHA-256 digest alongside it
4. preserve the original data
5. analyze working data1
if working data1 is broken, copy working data2 -> working data1 (after verifying working data2 still matches the original hash)
refer
http://systw.net/note/af/sblog/more.php?id=312
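The acquisition steps above (two bit-for-bit copies, hash comparison, fall back to working data2) together with the "forensically clean storage device" check from the methodology section, as an added shell example that is not from the original note or from any particular forensic tool. It runs on a constructed sample file standing in for a seized disk, uses two dd block sizes to stand in for two different imaging tools, and assumes GNU coreutils (dd, sha256sum, od, mktemp). On real media you would point dd at the device node behind a write blocker and copy the printed digests onto the chain-of-custody form.

```shell
#!/bin/sh
# Added example, not part of the original note or of any named tool.
# On a constructed sample file standing in for a seized disk it shows:
#   - checking that a target medium is forensically clean (all zero bytes),
#   - imaging the original twice with dd (two block sizes stand in for
#     "two different tools"; both copies are bit-for-bit),
#   - hashing the original and both working copies and comparing them,
#   - falling back to working copy 2 when working copy 1 no longer verifies.
# Assumes GNU coreutils (dd, sha256sum, od, mktemp).
set -eu

sha256_of() {
    # Print only the hex digest of a file.
    sha256sum "$1" | cut -d' ' -f1
}

forensically_clean() {
    # Succeed only if the target contains nothing but zero bytes.
    # od -v prints every byte (no '*' run suppression); after stripping
    # spaces, newlines and '0' digits, a clean medium leaves nothing.
    [ "$(od -An -v -tx1 "$1" | tr -d ' \n0' | wc -c | tr -d ' ')" -eq 0 ]
}

acquire() {
    # $1 original, $2 working copy 1, $3 working copy 2.
    dd if="$1" of="$2" bs=4096 2>/dev/null
    dd if="$1" of="$3" bs=512  2>/dev/null
}

verify() {
    # $1 original, remaining args working copies. Print each digest and
    # succeed only if every copy hashes identically to the original.
    ref=$(sha256_of "$1"); shift
    for f in "$@"; do
        h=$(sha256_of "$f")
        printf '%s  %s\n' "$h" "$f"
        [ "$h" = "$ref" ] || return 1
    done
}

analysis_copy() {
    # Print the path of a verified copy to analyse: working copy 1 if it
    # still matches the original, otherwise refresh it from working copy 2
    # (which must itself still verify). Fail if neither verifies.
    if verify "$1" "$2" >/dev/null; then
        printf '%s\n' "$2"
    elif verify "$1" "$3" >/dev/null; then
        cp "$3" "$2"
        printf '%s\n' "$2"
    else
        return 1
    fi
}

demo() {
    work=$(mktemp -d)
    orig="$work/evidence.img"; w1="$work/working1.img"; w2="$work/working2.img"
    # Constructed sample evidence: 1 MiB of repeated text, not a real image.
    yes 'constructed sample evidence' | head -c 1048576 > "$orig"
    chmod a-w "$orig"                       # preserve: never write to the original
    # Prepare clean target media and prove they are clean before acquiring.
    head -c 1048576 /dev/zero > "$w1"
    head -c 1048576 /dev/zero > "$w2"
    forensically_clean "$w1"
    forensically_clean "$w2"
    acquire "$orig" "$w1" "$w2"
    verify "$orig" "$w1" "$w2"
    # Simulate a damaged working copy 1 and show the fallback to copy 2.
    printf 'X' | dd of="$w1" bs=1 seek=100 conv=notrunc 2>/dev/null
    echo "analysing: $(analysis_copy "$orig" "$w1" "$w2")"
    verify "$orig" "$w1" "$w2"
    rm -rf "$work"
}

demo
```

One caveat when this is run against failing media: imaging with conv=noerror,sync pads every short read with zeros, so the image's hash will not match a hash taken over the source device; in that case hash the image itself, log the read errors, and record both on the chain-of-custody form.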

Recover the following data
lost data
deleted data
...omit...
refer
http://systw.net/note/af/sblog/more.php?id=313


.........................................................................................................

Obtain search warrant

reference:
searching and seizing computers and obtaining electronic evidence in criminal investigations.pdf


Search warrant
an authorization for an investigation to be carried out at a location
a legal document that allows law enforcement to search a location

ps:
without a warrant, police cannot seize equipment


Circumstances of searches without a warrant:
destruction of evidence is imminent
a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity
corporate investigations
a corporate (internal) investigation does not have to get a warrant, so it is typically easier than a public (law-enforcement) investigation, which does; it still relies on the written authorization from decision makers described above

....

The Fourth Amendment
prevents the police from seizing electronic evidence without a warrant

ex:
if the police go to a suspect's room and seize all of her computer equipment without a warrant,
the suspect's lawyer can try to prove that the police violated the Fourth Amendment

ps:
The Fourth Amendment
guarantees people's security in their persons and property against unlawful search and seizure. It also provides that no search or seizure warrant may be issued without probable cause, that only the specified place may be searched, and that only the specified persons and things may be seized. In early US history the amendment applied only to the federal government; after the Fourteenth Amendment was adopted in 1868, its coverage was extended to the states through that amendment's due process clause. It establishes an absolute right of US citizens to be free from the threat of improper intrusion by government officials and agents.

ps:
well-known laws commonly cited:
The Fourth Amendment (to the US Constitution)
The USA PATRIOT Act
The USA Freedom Act

ps:
silver platter doctrine
under this rule, as long as federal officers did not take part in violating the defendant's rights, evidence unlawfully obtained by state police could be admitted in federal court. The US Supreme Court overturned the rule in Elkins v. United States (1960).

refer
http://lawyer.get.com.tw 

 

Published 2015-10-19 14:16:51, modified 2015-10-19 15:40:15
