{"id":369,"date":"2015-10-19T00:14:00","date_gmt":"2015-10-18T16:14:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=369"},"modified":"2023-10-31T00:15:30","modified_gmt":"2023-10-30T16:15:30","slug":"forensics-process","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/369","title":{"rendered":"Forensics Process"},"content":{"rendered":"\n

Before the investigatin<\/strong>
1 build a forensics workstation
2.building investigation team
3.review policies and laws
4.notify decision makers and acquire authorization, ex:\u66f8\u9762\u6388\u6b0a or Email
5. assess risks
6. build a computer investigation toolkit
7. define the forensics investigation methodology
ps:
scan forensics workstation by antivirus scanner before beginning an investigation<\/p>\n\n\n\n

Readiness planning checklist<\/strong>
Define the business states that need digital evidence.
Identify the potential evidence available.
Decide the procedure for securely collecting the evidence that meets the requirement fn a forensically sound manner.<\/p>\n\n\n\n

…<\/p>\n\n\n\n

Investigation team include<\/strong>
attorney
photographer
incident responder
decision maker
incident analyzer
…omit…<\/p>\n\n\n\n


…<\/p>\n\n\n\n

Forensics investigation methodology<\/strong>
1.obtain search warrant
2.evaluate and secure the scene, ex:\u5c07\u73fe\u5834\u62cd\u7167\u6216\u651d\u5f71
3.collect the evidence
ps: ensue that the storage device is forensically clean when the evidence is collected
4.secure the evidence
5.acquire the data
6.analyze data
7.assess evidence and case
8.prepare the final report
9.testify as an expert witness<\/p>\n\n\n\n


…<\/p>\n\n\n\n

Chain of custody<\/strong>
a route that evidence takes from the time you find it until the case is closed or goes to court
A legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory
\u641c\u96c6\uff0c\u904b\u9001\uff0c\u4fdd\u5b58\uff0c\u5206\u6790\u7684\u904b\u7a0b\u4e2d\u4e4b\u4eba\u4e8b\u6642\u5730\u7269\u7684\u8a18\u9304
ex: screenshot<\/p>\n\n\n\n

Point of forms store to maintain a chain of custody<\/strong>
multi-evidence form should be placed in the report file
single-evidence forms should be kept with each hard drive in an approved secure container<\/p>\n\n\n\n


…………………………………………………………………………………………………<\/p>\n\n\n\n

Acquire and analyze data<\/strong><\/p>\n\n\n\n

Make 2 copies and different tool<\/strong>
1.original data —tool1(bit by bit)–> working data1
2.orignal data —tool2(bit by bit)–> working data2
3.check integirty of original data,working data1,working data2 by hash like md5,sha256,…etc
4.preserve orignal data
5.analyze working data1
if working data1 is broken, working data2-> working data1
refer
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=312<\/a><\/p>\n\n\n\n

Recovery below data<\/strong>
lost data
deleted data
…omit…
refer
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=313<\/a><\/p>\n\n\n\n


……………………………………………………………………………………………

Obtain search warrant<\/strong><\/p>\n\n\n\n

reference:
searching and seizing computers and obtaining electronic evidence in criminal investigations.pdf<\/p>\n\n\n\n


Search warrant<\/strong>
a authorization for an investigation is carried out at a location
a legal document allows law enforcement to search at a location
ps:
without a warrent<\/strong>
police can’t seize equipment without a warrent<\/p>\n\n\n\n


Circumstances of searches without a warrant: <\/strong>
destruction of evidence is imminent<\/strong>
a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity
corporate investigations<\/strong>
corporate investigations does not have to get a warrant
so it is typically easier than public investigations that have to get a warrant<\/p>\n\n\n\n

….<\/p>\n\n\n\n

The Fourth Amendment<\/strong>
preventing the police seizing electronic evidence without warrant
ex:
if the police go to suspect room and seized all of her computer equipment without a warrent,
lawyer of suspect can try to prove the police violated by The 4th Amendment<\/p>\n\n\n\n

ps:
The Fourth Amendment
\u4fee\u6b63\u6848\u4fdd\u8b49\u4eba\u5011\u7684\u4eba\u8eab\u5b89\u5168\u53ca\u8ca1\u7522\u514d\u906d\u975e\u6cd5\u641c\u67e5\u548c\u6263\u62bc\u3002\u4fee\u6b63\u6848\u9084\u898f\u5b9a\uff0c\u7121\u5408\u7406\u6839\u64da\u4e0d\u5f97\u767c\u4f48\u641c\u67e5\u4ee4\u548c\u6263\u62bc\u4ee4\uff0c\u800c\u4e14\u53ea\u80fd\u5c0d\u6307\u5b9a\u7684\u5730\u9ede\u9032\u884c\u641c\u67e5\uff0c\u53ea\u80fd\u5c0d\u6307\u5b9a\u7684\u4eba\u548c \u7269\u54c1\u4e88\u4ee5\u6263\u62bc\u3002\u5728\u7f8e\u570b\u65e9\u671f\u6b77\u53f2\u4e0a\u8a72\u4fee\u6b63\u6848\u53ea\u9069\u7528\u65bc\u806f\u90a6\u653f\u5e9c\uff0c\u81f31868\u5e74\u7b2c\u5341\u56db\u689d\u4fee\u6b63\u6848\u901a\u904e\u5f8c\uff0c\u901a\u904e\u7b2c\u5341\u56db\u689d\u4fee\u6b63\u6848\u4e2d\u7684\u6b63\u7576\u6cd5\u5f8b\u7a0b\u5e8f\u689d\u6b3e\uff0c\u8a72\u4fee\u6b63\u6848\u7684\u9069\u7528 \u7bc4\u570d\u624d\u88ab\u64f4\u5c55\u5230\u5dde\u3002\u5b83\u78ba\u7acb\u4e86\u7f8e\u570b\u516c\u6c11\u4e00\u9805\u4e0d\u53d7\u653f\u5e9c\u5b98\u54e1\u548c\u4ee3\u7406\u4eba\u4e0d\u6b63\u7576\u5165\u4fb5\u5a01\u8105\u7684\u7d55\u5c0d\u6b0a\u5229\u3002<\/p>\n\n\n\n

ps:
\u5e38\u898b\u77e5\u540d\u6cd5\u6848\u5982\u4e0b
The Fourth Amendment(\u7f8e\u570b\u61b2\u6cd5\u7b2c\u56db\u689d\u4fee\u6b63\u6848)
The USA Patriot Act(\u7f8e\u570b\u611b\u570b\u8005\u6cd5\u6848)
The USA Freedom Act(\u7f8e\u570b\u81ea\u7531\u6cd5\u6848)<\/p>\n\n\n\n

ps:
silver platter doctrine(\u9280\u76e4\u898f\u5247)<\/strong>
\u4f9d\u8a72\u898f\u5247\uff0c\u53ea\u8981\u806f\u90a6\u5b98\u54e1\u672a\u53c3\u8207\u4fb5\u72af\u88ab\u544a\u4eba\u6b0a\u5229\u7684\u884c\u70ba\uff0c\u5247\u5dde\u8b66\u5bdf\u975e\u6cd5\u53d6\u5f97\u7684\u8b49\u64da\u5728\u806f\u90a6\u6cd5\u9662\u53ef\u4ee5\u88ab\u63a1\u4fe1\u30021960\u5e74\u806f\u90a6\u6700\u9ad8\u6cd5\u9662\u5728\u57c3\u723e\u91d1\u65af\u8a34\u7f8e\u570b\u3014Elkins v. United States\u3015\u4e00\u6848\u4e2d\u63a8\u7ffb\u4e86\u6b64\u898f\u5247\u3002 <\/p>\n\n\n\n

refer
http:\/\/lawyer.get.com.tw <\/p>\n","protected":false},"excerpt":{"rendered":"

Before the investigatin1 build …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[],"class_list":["post-369","post","type-post","status-publish","format-standard","hentry","category-forensics"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=369"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/369\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}