Scribd
Upload
356 views25 pages

Digital Forensics: Processing Crime and Incident Scenes

This document discusses digital forensics and processing crime scenes involving digital evidence. It defines digital evidence as any probative information stored or transmitted digitally that can be used as evidence in court. It then lists over 50 common sources of digital evidence including computers, mobile devices, network equipment, biometric devices, and more. It describes the volatile nature of some digital evidence and standards for properly retrieving and analyzing it according to the Scientific Working Group on Digital Evidence.

Uploaded by

ABC
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
356 views25 pages

Digital Forensics: Processing Crime and Incident Scenes

This document discusses digital forensics and processing crime scenes involving digital evidence. It defines digital evidence as any probative information stored or transmitted digitally that can be used as evidence in court. It then lists over 50 common sources of digital evidence including computers, mobile devices, network equipment, biometric devices, and more. It describes the volatile nature of some digital evidence and standards for properly retrieving and analyzing it according to the Scientific Working Group on Digital Evidence.

Uploaded by

ABC
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd

Digital Forensics

Module 3
Processing Crime and Incident Scenes

Dr. Nagaraj S V & Prof Seshu Babu Pulagara VIT


Chennai
2

Digital Evidence

 According to E.Casey “Digital evidence or electronic evidence is any


probative information stored or transmitted in digital form that a party
to a court case may use “

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
3

Digital evidence sources


E-mails
 Digital images /photos
Digital audio
Digital Videos
 ATM transaction logs
 Word processor documents
 Instant messages and their histories
 Files saved from various programs

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
4

Databases
 The contents of computer memory and memory storage devices such as
hard disks, CDs, DVDs, USB drives, digital tapes, floppies
Computer backups
 Printouts
Global Positioning System data
 Logs from electronic door locks

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
5

 Spread sheets
 Web browser logs
 Mobile phone call logs
 Computer programs/software
 Data from handheld devices, peripheral devices (monitors, keyboards,
mouse, memory sticks, thumb drives, zip disks), network devices
 Answering machines

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
6

 Internet chat logs


 CCTV / Digital/ Web cameras
 Debit / credit /prepaid / smart cards
 VOIP devices
 Microphones
 USB / Wi-fi / Bluetooth / NFC devices
 Memory card readers
 Fax machines
 Scanners

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
7

 Network cards
 Hubs
 Modems
 Network switches
 Ethernet cables
 Power supplies
 Wireless access points
 Wireless devices

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
8

 Photocopying machines
 Routers
 IP addresses
 LAN / MAC / Network Interface Card addresses
 Digital audio/video recorders
 MP3 players
 Video game consoles

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
9

 SIM Cards / SIM card readers


 Smart watches
 Satellite phones
 Drones / UAVs
 Sensors
 Electronic pacemakers
 IoT devices
 Biometric identification devices: for fingerprint, hand
geometry, iris, Voice Recognition, and facial recognition

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
10

 Servers
 Magnetic stripe cards
 Virtual machines
 Cloud-based storage
 Network-attached storage
 Telecom equipment
 Cell phone towers
 Skimmers 

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
11

 Social media
 Wearables including activity trackers, body cams
 Automated License Plate Readers
 TASERs
 Smart TVs
 Baby monitors
 Personal digital assistants
 Keyloggers

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
12

 Electric power meters / Smart meters


 Home / building automation systems
 Home security systems
 Video display devices, projectors, monitors
 Tablets
 SD cards / CF Cards
 Computer chips
 Pagers

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
13

 Hard drive duplicators


 Videocassette recorders
 Telephone caller ID units
 Personal Computer Memory Card International Association
(PCMCIA) cards
 RAID devices
 Mobile communication devices
 External data storage devices

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
14

 Videotapes
 Wireless network equipment
 Web sites
 Card readers
 RFID tags

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
15

Digital evidence characteristics


 Can be volatile (e.g. data in RAM)
 Can be altered
 Can be stored in digital form
 May be transmitted in digital form
 Can be erased / deleted/ destroyed

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
16

SWGDE
 Scientific Working Group on Digital Evidence (SWGDE) sets
standards for retrieving, maintaining, and analyzing digital evidence
 https://www.swgde.org

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
17

Exercise
 Identify tasks investigators must perform when working with
digital evidence
 Give examples of situations where original evidence can’t be used
in courts.
 Give examples of situations where additional technical expertise
may be needed.
 What is the initial-response field kit? What does it contain?
 What is the extensive response field kit? What does it contain?

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
18

Exercise
 Attorneys may challenge digital evidence. They may ask
whether digital evidence was altered or damaged. How to
prove that the evidence is authentic?
Hint: The original creator of a Microsoft Word document can
be identified by using file metadata
 Discuss terminology such as Fourth Amendment, warrants,
innocent information, limiting phrase, plain view doctrine

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
19

Exercise
 Discuss the issues involved when collecting evidence from private
sector incident scenes.
 Discuss the issues involved when collecting evidence from public
sector incident scenes.
 Discuss the issues involved in seizing computers and digital devices.
 Give guidelines for processing an incident scene.

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
20

 Discuss the steps involved in securing an incident scene.


 Discuss the following questions to ask when acquiring evidence:
(i) Is the computer switched on when you reach the scene?
(ii) Is it necessary to take the whole computer and all computer
peripherals and media devices in the vicinity?

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
21

 How to shield the computer and media devices from damage, danger,
and destruction while carrying them to the lab?
 Is the suspected perpetrator in the immediate vicinity of the
computer or media device?
 Is it probable that the suspect harmed or ruined the computer and
media devices ?
 Should the suspect be kept away from the computer?

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
22

Storing digital evidence


 Often it becomes necessary to store digital evidence for a long time
 Magnetic tapes can store for several years and are cheaper than other
media such as CDs or DVDs, DVD-Rs, DVD+Rs, or DVD-RWs
 The risk of technology becoming obsolete is high in the computer
field. For e.g. floppy disks are no longer used widely

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
23

Safety tips
 It is safer to have at least two copies of every image to avoid data loss
 It is better to use different tools to produce the images
 Limit access to lab and evidence storage area to prevent loss, damage,
and alteration
 Maintain the chain of custody for digital evidence
 Document the evidence
 Use evidence custody forms

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
24

 Validation of evidence can be done using checksums, hash


functions, cyclic redundancy checks

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai
25

References

 Nelson, Amelia Philips, Christopher Steuart, “ Guide to Computer


Forensics and Investigations”, Fifth Edition, 2015
 Wikipedia

Dr.Nagaraj S V & Prof Seshu Babu


Pulagara, VIT Chennai

You might also like