Forensic Examination of Digital Evidence

More documents

Recommendations

Info

SPECIAL REPORT / APR. 04 —Assess the skill levels of the computer users involved. Techniques employed by skilled users to conceal or destroy evidence may be more sophisticated (e.g., encryption, booby traps, steganography). —Prioritize the order in which evidence is to be examined. — Determine if additional personnel will be needed. — Determine the equipment needed. The assessment might uncover evidence pertaining to other criminal activity (e.g., money laundering in conjunction with narcotics activities). Onsite considerations The following material does not provide complete information on examination of digital evidence; it is a general guide for law enforcement agencies that assess digital evidence at the crime scene. Readers may also want to consult Electronic Crime Scene Investigation: A Guide for First Responders, available at http://www.ojp.usdoj.gov/ nij/pubs-sum/187736.htm. Consider safety of personnel at the scene. Always ensure the scene is properly secured before and during the search. In some cases, the examiner may only have the opportunity to do the following while onsite: ■ Identify the number and type of computers. ■ Determine if a network is present. ■ Interview the system administrator and users. ■ Identify and document the types and volume of media, including removable media. Document the location from which the media was removed. ■ Identify offsite storage areas and/or remote computing locations. ■ Identify proprietary software. 8
FORENSIC EXAMINATION OF DIGITAL EVIDENCE: A GUIDE FOR LAW ENFORCEMENT ■ Evaluate general conditions of the site. ■ Determine the operating system in question. Determine the need for and contact available outside resources, if necessary. Establish and retain a phone list of such resources. Processing location assessment Assess the evidence to determine where the examination should occur. It is preferable to complete an examination in a controlled environment, such as a dedicated forensic work area or laboratory. Whenever circumstances require an onsite examination to be conducted, attempt to control the environment. Assessment considerations might include the following: ■ The time needed onsite to accomplish evidence recovery. ■ Logistic and personnel concerns associated with long-term deployment. ■ The impact on the business due to a lengthy search. ■ The suitability of equipment, resources, media, training, and experience for an onsite examination. Legal considerations ■ Determine the extent of the authority to search. ■ Identify possible concerns related to applicable Federal statutes (such as the Electronic Communications Privacy Act of 1986 (ECPA) and the Cable Communications Policy Act (CCPA), both as amended by the USA PATRIOT ACT of 2001, and/or the Privacy Protection Act of 1980 (PPA)), State statutes, and local policies and laws. If evidence is located that was not authorized in the original search authority, determine what additional legal process may be necessary to continue the search (e.g., warrant, amended consent form). Contact legal advisors for assistance if needed. Evidence assessment ■ Prioritize the evidence (e.g., distribution CDs versus user-created CDs). —Location where evidence is found. —Stability of media to be examined. 9
Page 1 and 2: APR. 04 U.S. Department of Justice
Page 3 and 4: APR. 04 Forensic Examination of Dig
Page 5 and 6: Foreword Developments in the world
Page 7 and 8: Technical Working Group for the Exa
Page 9 and 10: Michael Finnie Forensic Specialist
Page 11 and 12: Contents Foreword . . . . . . . . .
Page 13 and 14: SPECIAL REPORT / APR. 04 Examinatio
Page 15 and 16: SPECIAL REPORT / APR. 04 ongoing tr
Page 17: Chapter 2. Evidence Assessment Prin
Page 21 and 22: Chapter 3. Evidence Acquisition Pri
Page 23 and 24: FORENSIC EXAMINATION OF DIGITAL EVI
Page 25 and 26: SPECIAL REPORT / APR. 04 ■ File c
Page 27 and 28: SPECIAL REPORT / APR. 04 ■ Analyz
Page 29 and 30: SPECIAL REPORT / APR. 04 During the
Page 31 and 32: Appendix A. Case Examples The follo
Page 46 and 47: Appendix B. Glossary The following
Page 50 and 51: SPECIAL REPORT / APR. 04 Computer E
Page 52 and 53: SPECIAL REPORT / APR. 04 Hard Drive
Page 54 and 55: SPECIAL REPORT / APR. 04 Removable
Page 56 and 57: Appendix D. Examples of Request for
Page 64 and 65: Appendix F. Technical Resources Lis
Page 68 and 69:
FORENSIC EXAMINATION OF DIGITAL EVI
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
SPECIAL REPORT / APR. 04 High Techn
Page 88 and 89:
Appendix H. List of Organizations T
Page 90 and 91:
About the National Institute of Jus
show all

Forensic Examination of Digital Evidence

Create successful ePaper yourself

Delete template?

Save as template?