{"id":367,"date":"2015-10-19T00:12:00","date_gmt":"2015-10-18T16:12:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=367"},"modified":"2023-10-31T00:14:13","modified_gmt":"2023-10-30T16:14:13","slug":"digital-evidence","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/367","title":{"rendered":"Digital Evidence"},"content":{"rendered":"\n

Digital Data<\/strong><\/h2>\n\n\n\n

challenging aspects of digital evidence<\/strong>
1.it is a chaotic form of evidence
2.it can be altered maliciously or unintentionally
3.it is circumstantial to be difficult to trace the system’s activity
4.create data remnants<\/p>\n\n\n\n

Locard’s exchange principle:<\/strong>
\u7576\u4e8b\u4eba\u5728crime scene\u4e2d,\u4e00\u5b9a\u6703\u907a\u7559\u4e00\u4e9b\u6771\u897f(evidence),\u4e26\u4e14\u5e36\u8d70\u4e00\u4e9b\u6771\u897f(evidence)<\/p>\n\n\n\n

characteristics digital evidence in court of law<\/strong>
admissible(\u53ef\u63a1\u8b49\u6027) :admissible evidence in court of law
authentic\uff08\u8b49\u64da\u771f\u507d\uff09\u3000
complete(\u63a1\u8b49\u904e\u7a0b\u662f\u5426\u5b8c\u6574)
reliable(\u53ef\u9760\u5ea6)
believable\/convincing(\u8aaa\u670d\u529b)<\/p>\n\n\n\n

…<\/p>\n\n\n\n

fragility of digital evidence<\/strong>
digitial data is fragile in nature, it is easy to be destoryed
as below:
\u3000data is lost permanently if computer is turned off
\u3000evidence may be overwrited
\u3000evidence may be deleted<\/p>\n\n\n\n

ADF(Anti-digital forensics)<\/strong>
1.overwriting(wiping)
ex:repeat 35 overwriting to fully clean disk
2.bugs in forensic tools
3.obfuscation of data(\u6df7\u78bc)
4.steganography(\u96b1\u85cf),cryptography(\u52a0\u5bc6)<\/p>\n\n\n\n


ps:
erasing data of Hard Disk: throw the hard disk into the fire<\/p>\n\n\n\n

….<\/p>\n\n\n\n

type of digital data<\/strong>
volatile data: can be modified ,ex: process memory, process-to-port mapping
non-volatile data: used for the secondary storage, ex:hard disk
transient data: if the machine is turned off ,all this information is lost, ex: cache data
fragile data: temporarily saved on the hard disk, ex: access date
residual data,\u6a94\u6848\u88ab\u6bba\u6389\u6642\u6240\u6b98\u7559\u7684\u90e8\u4efd\u8cc7\u6599
metadata,\u63cf\u8ff0\u8cc7\u6599\u7684\u8cc7\u6599
Digital photography: for chain of custody<\/p>\n\n\n\n

……………………………………………………………………………………………………………….<\/p>\n\n\n\n

Rules of Evidence<\/strong><\/h2>\n\n\n\n

rule of evidence<\/strong>
\u7528\u5728\u6cd5\u5ead\u4e2d,\u6b64\u8b49\u64da\u7684\u7522\u751f\u9700\u7b26\u5408\u7684\u898f\u5247
a route that evidence takes from the found time until the case is closed or goes to court<\/p>\n\n\n\n

best evidence rule<\/strong>
It states that the court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy<\/p>\n\n\n\n

common rule as below<\/strong>
federal rules of evidence
IOCE
SWGDE standards<\/p>\n\n\n\n

IOCE<\/strong>
1.\u6240\u6709\u7a0b\u5e8f\u9700\u8981\u88ab\u9075\u5b88,all of the general forensic and procedural principles must be applied
2.\u6263\u62bc\u4e0d\u53ef\u7834\u58de\u8b49\u64da, seizing digital evidence , actions taken should not change that evidence
3.\u641c\u8b49\u4eba\u54e1\u8981\u53d7\u904e\u8a13\u7df4, person whould be trained for the purpose
4.\u7b26\u5408chain of custody
5.\u4fdd\u7ba1\u4eba\u5c0d\u8b49\u7269\u6709\u5b8c\u5168\u8cac\u4efb
6.\u4fdd\u7ba1\u55ae\u4f4d\u5c0d\u8b49\u7269\u6709\u5b8c\u5168\u8cac\u4efb<\/p>\n\n\n\n

………………………………………………………………………………………………………………..<\/p>\n\n\n\n

Types and Collecting Potential Evidence<\/strong><\/h2>\n\n\n\n

type of files for potential evidence<\/strong>
user-created files: User\u7522\u751f\u7684\u6a94\u6848
user-protected files:User\u52a0\u5bc6\u7684\u6a94\u6848
computer-created files: \u96fb\u8166\u5efa\u7acb\u7684\u6a94\u6848<\/p>\n\n\n\n

categories of evidence<\/strong>
computer-genrated(admissible highly): by computer,
ex: log
computer-stored(admissible low): by user,
ex: txt
computer-generated and computer-stored.
ex:
email(head=computer-genrated ,body=computer-store),
pdf,doc(metadata=computer-genrated, content=computer-store)
photo file
ps:
metadata is like created,modified,accessed<\/p>\n\n\n\n

challenges to the authenticity of computer records(evidence)<\/strong>
were records altered,manipulated, or damaged ?
is reliability of the computer program ?
how to indentity of author ?<\/p>\n\n\n\n


ps:
a evidence was found in unrelated crime<\/strong>
plain view doctrine(\u4e00\u773c\u770b\u6e05\u539f\u5247)
\u6309\u7167\u6b64\u9805\u539f\u5247\uff0c\u8b66\u65b9\u5728\u6709\u5408\u6cd5\u6839\u64da\u9032\u5165\u7684\u5834\u6240\uff0c\u7121\u610f\u4e2d\u767c\u73fe\u6709\u95dc\u72af\u7f6a\u7684\u7269\u4ef6\uff0c\u4e26\u4e00\u773c\u8a8d\u51fa\u8207\u72af\u7f6a\u6709\u95dc\uff0c\u53ef\u5373\u6642\u4e88\u4ee5\u6263\u62bc\uff0c\u4e26\u53ef\u5c07\u6b64\u7269\u4ef6\u4f5c\u70ba\u8b49\u64da\u63d0\u51fa\uff0c\u4f46\u8b66\u65b9\u4e0d\u5f97\u4ee5\u6b64\u539f\u5247\u70ba\u501f\u53e3\u64f4\u5927\u641c\u67e5\u7bc4\u570d\uff0c\u4ee5\u5716\u7372\u53d6\u72af\u7f6a\u8b49\u64da\u3002
refer
http:\/\/lawyer.get.com.tw\/Dic\/DictionaryDetail.aspx?iDT=69573<\/p>\n\n\n\n

………………………………………………………………………………………………………………….<\/p>\n\n\n\n

Digital Evidence Examination Process<\/strong><\/h2>\n\n\n\n

digital evidence examination process<\/strong>
1.evidence assessment
2.evidence acquistion
3.evidence preservation(important)
4.evidence examination and analysis
5.evidence documentation and reporting<\/p>\n\n\n\n

ps:
check datetime
ex: check the date and time in the system’s CMOS with the hard drive removed from the suspect PC<\/p>\n\n\n\n

…<\/p>\n\n\n\n

Evidence acquistion<\/strong><\/p>\n\n\n\n

type of evidence acquistion<\/strong>
live collect, ex: memory dump on live computer
static collect, ex: disk dump on poweroff computer<\/p>\n\n\n\n

ps:
the collection should proceed from the most volatile to the least volatile<\/p>\n\n\n\n

searching list for live collect:<\/strong>
process register
virtual and physical memory
network state
running process<\/p>\n\n\n\n

ps:
common evidence sources about RAM<\/strong>
memory
swapfile\/pagefile
hibernate(\u4f11\u7720\u6a94)<\/p>\n\n\n\n

evidence acquisition checklist<\/strong>
1.don’t use the computer for evidence search.
2.photograph all the devices connected to the computer.
3.don’t turn on the system, if it is in off state.
4.if the computer is on, take a photograph of the screen.
5.if the computer is on and screen is blank, move the mouse slowly and take a photograph of the screen.
6. unplug all the cords and devices connected to the computer and label them for later identification.
7. if the computer is connected to the router and modem, unplug the power.<\/p>\n\n\n\n

…<\/p>\n\n\n\n

Evidence preservation<\/strong><\/p>\n\n\n\n

preserving evidence for cell phones<\/strong>
mkae sure that the device is charged if device is turned on
put on the special bag\uff08\u8a0a\u865f\u906e\u655d\u888b\uff09<\/p>\n\n\n\n

…<\/p>\n\n\n\n

Digital examination and analysis<\/strong><\/p>\n\n\n\n

type of extraction for evidence examination:<\/strong>
physical extraction: ex: whole disk
logical extraction, ex: log or file on disk<\/p>\n\n\n\n

ps:
using hash check before and after evidence examination<\/p>\n","protected":false},"excerpt":{"rendered":"

Digital Data challenging aspec …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[],"class_list":["post-367","post","type-post","status-publish","format-standard","hentry","category-forensics"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=367"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/367\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}