Forensics Process

Before the investigation
1. Build a forensics workstation
2. Build the investigation team
3. Review policies and laws
4. Notify decision makers and acquire authorization, e.g. written authorization or email
5. Assess risks
6. Build a computer investigation toolkit
7. Define the forensics investigation methodology
ps:
Scan the forensics workstation with an antivirus scanner before beginning an investigation, so that malware already on the workstation cannot contaminate the evidence or the images.

Readiness planning checklist
Define the business scenarios that require digital evidence.
Identify the potential evidence available.
Decide the procedure for securely collecting the evidence that meets the requirement, in a forensically sound manner.

The investigation team includes
attorney
photographer
incident responder
decision maker
incident analyzer
…omit…


Forensics investigation methodology
1. Obtain a search warrant
2. Evaluate and secure the scene, e.g. photograph or video the scene before anything is touched
3. Collect the evidence
ps: ensure that the storage device the evidence is copied onto is forensically clean (wiped and verified) before the evidence is collected
4. Secure the evidence
5. Acquire the data
6. Analyze the data
7. Assess the evidence and the case
8. Prepare the final report
9. Testify as an expert witness


Chain of custody
The route that evidence takes from the time you find it until the case is closed or goes to court.
A legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory.
A record of who handled the evidence, what was done, when, where and to which items, at every step of collection, transport, storage and analysis. Every handover is signed, and the hash of each image is recorded so that any later change can be detected.
ex: screenshots

Where the forms are kept to maintain the chain of custody
The multi-evidence form should be placed in the report file.
A single-evidence form should be kept with each hard drive in an approved secure container.


…………………………………………………………………………………………………

Acquire and analyze data

Make 2 copies with 2 different tools
1. original data --tool1 (bit by bit)--> working data 1
2. original data --tool2 (bit by bit)--> working data 2
3. Check the integrity of the original data, working data 1 and working data 2 with a hash such as MD5 or SHA-256: all three hashes must be identical, and the values are recorded on the chain-of-custody form. Prefer SHA-256; MD5 is collision-broken, so if a tool reports MD5 record it alongside SHA-256 rather than on its own.
4. Preserve the original data (write-blocked, sealed, never analyzed directly)
5. Analyze working data 1
If working data 1 is damaged, re-verify working data 2 against the recorded hash and copy it over working data 1 (working data 2 -> working data 1)
refer
https://systw.net/note/af/sblog/more.php?id=312
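The two-copy procedure above, as an added example that is not part of the original note. It is a POSIX shell script that images a constructed stand-in for an evidence device with two independent readers (dd, and cat as a stand-in for a second imager such as dc3dd or ewfacquire), verifies all three hashes with sha256sum, seals the original, and falls back from working copy 1 to working copy 2 when copy 1 no longer matches the recorded hash. The evidence file, its size and the temporary directory are constructed here; in the field EVIDENCE would be a write-blocked device node and the hashes would be written on the custody form.

```shell
#!/bin/sh
# Added example, not from the original note.
# Assumes: POSIX sh, dd, cat, cmp, sha256sum (GNU coreutils), head -c.
# The "evidence device" below is constructed: 16 blocks of 4096 random bytes
# (a multiple of the dd block size, so conv=sync adds no padding).

WORK="${TMPDIR:-/tmp}/forensic-demo.$$"

# make_evidence: create the constructed evidence device and print its path.
make_evidence() {
    mkdir -p "$WORK"
    ev="$WORK/evidence.raw"
    head -c 65536 /dev/urandom > "$ev"
    echo "$ev"
}

# hash_of FILE: print the SHA-256 hex digest only.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire SRC DST TOOL: bit-by-bit copy with one of two independent tools.
# conv=noerror,sync keeps going past unreadable sectors and pads them so
# that offsets in the image still line up with the device.
acquire() {
    src=$1; dst=$2; tool=$3
    case $tool in
        dd)  dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null ;;
        cat) cat "$src" > "$dst" ;;     # stand-in for dc3dd / ewfacquire
        *)   echo "unknown tool: $tool" >&2; return 2 ;;
    esac
}

# verify_copies ORIGINAL COPY1 COPY2: print the three hashes, succeed only
# when all three are identical (this is the value recorded on the custody form).
verify_copies() {
    h0=$(hash_of "$1"); h1=$(hash_of "$2"); h2=$(hash_of "$3")
    printf 'original  %s\nworking1  %s\nworking2  %s\n' "$h0" "$h1" "$h2"
    [ "$h0" = "$h1" ] && [ "$h0" = "$h2" ]
}

# select_working_copy REF_HASH COPY1 COPY2: analysis runs on COPY1. If COPY1
# no longer matches the recorded hash (damaged during analysis), re-verify
# COPY2 and copy it over COPY1 ("working data 2 -> working data 1").
# Prints the path to analyze; fails if both copies are bad (re-acquire).
select_working_copy() {
    ref=$1; c1=$2; c2=$3
    if [ "$(hash_of "$c1")" = "$ref" ]; then
        echo "$c1"; return 0
    fi
    echo "working copy 1 failed verification; restoring from working copy 2" >&2
    if [ "$(hash_of "$c2")" != "$ref" ]; then
        echo "working copy 2 also fails verification: re-acquire from original" >&2
        return 1
    fi
    cp "$c2" "$c1"
    [ "$(hash_of "$c1")" = "$ref" ] && echo "$c1"
}

# run_acquisition: the whole procedure on the constructed device.
run_acquisition() {
    ev=$(make_evidence)
    ref=$(hash_of "$ev")          # hash the original first, before imaging
    acquire "$ev" "$WORK/working1.raw" dd
    acquire "$ev" "$WORK/working2.raw" cat
    verify_copies "$ev" "$WORK/working1.raw" "$WORK/working2.raw" || return 1
    chmod 0444 "$ev"              # seal the original; only working copies are analyzed
    target=$(select_working_copy "$ref" "$WORK/working1.raw" "$WORK/working2.raw") || return 1
    echo "analyze: $target"
}

if [ "${1-}" = "--demo" ]; then
    run_acquisition
    rm -rf "$WORK"
fi
```

Run it as `sh acquire.sh --demo`. The hash of the original is taken before the first image is made, so the custody form has a reference value that every later verification (and every expert-witness question about integrity) is checked against.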

Recover the following kinds of data
lost data
deleted data
…omit…
refer
https://systw.net/note/af/sblog/more.php?id=313


……………………………………………………………………………………………

Obtain search warrant

reference:
searching and seizing computers and obtaining electronic evidence in criminal investigations.pdf


Search warrant
An authorization for an investigation to be carried out at a location.
A legal document that allows law enforcement to search a location.
ps:
Without a warrant, police cannot seize equipment.


Circumstances of searches without a warrant:
Destruction of evidence is imminent
A warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity.
Corporate investigations
A corporate investigation does not have to get a warrant, because the company owns the systems and the authorization comes from company policy and management,
so it is typically easier than a public investigation, which has to get a warrant.

….

The Fourth Amendment
Prevents the police from seizing electronic evidence without a warrant.
ex:
If the police go to a suspect's room and seize all of her computer equipment without a warrant,
the suspect's lawyer can try to prove that the police violated the Fourth Amendment, and the seized evidence may then be excluded.

ps:
The Fourth Amendment
The amendment guarantees the security of persons and property against unlawful searches and seizures. It also provides that no search or seizure warrant may be issued without probable cause, that only the specified place may be searched, and that only the specified persons and items may be seized. In early US history the amendment applied only to the federal government; after the Fourteenth Amendment was passed in 1868, its scope was extended to the states through the Fourteenth Amendment's due process clause. It established a right of US citizens not to be threatened by improper intrusion by government officials and agents.

ps:
Well-known laws commonly referred to:
The Fourth Amendment (to the US Constitution)
The USA PATRIOT Act
The USA FREEDOM Act

ps:
Silver platter doctrine
Under this doctrine, evidence obtained illegally by state police was admissible in federal court as long as federal officers had not taken part in the violation of the defendant's rights. In 1960 the US Supreme Court overturned the doctrine in Elkins v. United States.

refer
http://lawyer.get.com.tw