Digital Evidence

Digital Data

challenging aspects of digital evidence
1. it is a chaotic form of evidence
2. it can be altered maliciously or unintentionally
3. it is circumstantial, so it is difficult to trace the system's activity from it
4. it leaves data remnants

Locard's exchange principle:
anyone present at a crime scene always leaves something behind (evidence) and takes something away (evidence)

characteristics of digital evidence in a court of law
admissible (admissibility): evidence that is admissible in a court of law
authentic (genuineness of the evidence)
complete (whether the collection process is complete)
reliable (reliability)
believable/convincing (persuasiveness)

fragility of digital evidence
digital data is fragile in nature; it is easy to destroy,
as below:
 data is lost permanently if the computer is turned off
 evidence may be overwritten
 evidence may be deleted

ADF (anti-digital forensics)
1. overwriting (wiping)
ex: overwrite 35 times to fully clean the disk
2. bugs in forensic tools
3. obfuscation of data (scrambled encoding)
4. steganography (hiding), cryptography (encryption)


ps:
erasing data from a hard disk: throw the hard disk into the fire

….

types of digital data
volatile data: can be modified, ex: process memory, process-to-port mapping
non-volatile data: used for secondary storage, ex: hard disk
transient data: if the machine is turned off, all of this information is lost, ex: cache data
fragile data: temporarily saved on the hard disk, ex: access date
residual data: the part of a file's data that remains on the medium after the file is deleted
metadata: data that describes data
digital photography: for the chain of custody

……………………………………………………………………………………………………………….

Rules of Evidence

rule of evidence
the rules that the production of a piece of evidence must satisfy for it to be used in court
the route that evidence takes from the time it is found until the case is closed or goes to court

best evidence rule
it states that the court only allows the original of a document, photograph, or recording at trial rather than a copy

common rules as below
federal rules of evidence
IOCE
SWGDE standards

IOCE
1. all procedures must be followed: all of the general forensic and procedural principles must be applied
2. seizure must not damage the evidence: when seizing digital evidence, the actions taken should not change that evidence
3. personnel must be trained: a person accessing original digital evidence should be trained for the purpose
4. comply with the chain of custody
5. the person in possession of an exhibit has full responsibility for it
6. the agency in possession of an exhibit has full responsibility for it

………………………………………………………………………………………………………………..

Types and Collecting Potential Evidence

types of files for potential evidence
user-created files: files created by the user
user-protected files: files encrypted by the user
computer-created files: files created by the computer

categories of evidence
computer-generated (high admissibility): produced by the computer,
ex: log
computer-stored (low admissibility): produced by the user,
ex: txt
computer-generated and computer-stored,
ex:
email (header = computer-generated, body = computer-stored),
pdf, doc (metadata = computer-generated, content = computer-stored),
photo file
ps:
metadata is like created, modified, accessed timestamps

challenges to the authenticity of computer records (evidence)
were the records altered, manipulated, or damaged?
is the computer program reliable?
how to identify the author?


ps:
evidence found during an unrelated crime
plain view doctrine
under this doctrine, when police are lawfully present in a place and inadvertently discover an object related to a crime that they immediately recognise as such, they may seize it on the spot and present it as evidence; however, police may not use this doctrine as a pretext to widen the scope of the search in order to obtain evidence of a crime.
refer
http://lawyer.get.com.tw/Dic/DictionaryDetail.aspx?iDT=69573

………………………………………………………………………………………………………………….

Digital Evidence Examination Process

digital evidence examination process
1. evidence assessment
2. evidence acquisition
3. evidence preservation (important)
4. evidence examination and analysis
5. evidence documentation and reporting

ps:
check the date and time
ex: check the date and time in the system's CMOS with the hard drive removed from the suspect PC

Evidence acquisition

types of evidence acquisition
live collection, ex: memory dump on a live computer
static collection, ex: disk dump on a powered-off computer

ps:
the collection should proceed from the most volatile to the least volatile

search list for live collection:
processor registers
virtual and physical memory
network state
running processes

ps:
common evidence sources for RAM
memory
swapfile/pagefile
hibernation file

evidence acquisition checklist
1. don't use the computer for the evidence search.
2. photograph all the devices connected to the computer.
3. don't turn on the system if it is in the off state.
4. if the computer is on, take a photograph of the screen.
5. if the computer is on and the screen is blank, move the mouse slowly and take a photograph of the screen.
6. unplug all the cords and devices connected to the computer and label them for later identification.
7. if the computer is connected to a router and modem, unplug their power.

Evidence preservation

preserving evidence for cell phones
make sure the device stays charged if it is turned on
put it in a signal-shielding bag

Digital examination and analysis

types of extraction for evidence examination:
physical extraction, ex: whole disk
logical extraction, ex: log or file on disk

ps:
compute a hash of the evidence before and after examination and compare the two values
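The before/after hash check above, as an added example (not part of these notes): the image is hashed in chunks at acquisition, re-hashed after examination, and the two digests are compared. The "evidence.dd" file is a constructed sample written to a temporary directory, not a real acquisition.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_evidence(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the file through the hash so a large disk image never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_integrity(path, recorded_hash, algorithm="sha256"):
    """True if the current digest still matches the one recorded at acquisition."""
    return hash_evidence(path, algorithm) == recorded_hash


def examination_demo():
    """Returns (intact_after_readonly_exam, intact_after_accidental_write)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "evidence.dd"          # constructed sample image
        image.write_bytes(b"CONSTRUCTED-IMAGE" * 4096)

        before = hash_evidence(image)               # recorded at acquisition time

        # read-only examination: reading the image must not change its digest
        _ = image.read_bytes()[:16]
        intact = verify_integrity(image, before)

        # what an accidental write (e.g. mounting read/write) would look like
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        after_write = verify_integrity(image, before)

        return intact, after_write


if __name__ == "__main__":
    print(examination_demo())                       # (True, False)
```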