Computer Related Evidence & What is this computer geek going to do now that I have done all the hard work?
Rules We Live By And So Should You
- Never alter the original media!
- Findings MUST be verifiable!
- Findings MUST be reproducible!
PROCEDURES: What your examiners can do for and with you.
- Assist preparing the search warrant.
- Service of the search warrant.
- Gathering the Computer Related Evidence (CRE).*
- Image and archive.*
- Store and secure computer related evidence.
- Examine.*
- Review findings with you.*
- Complete a report in the format you need.*
- Prosecutor and defense interviews about the computer related evidence.
- Testify.
- Dispose / clean evidence.*
What We Will Not Do
- Take over your investigation!
Gathering Evidence
- Securing
- Turning off
- Documenting
- Marking
- Transporting
Imaging and Archives
- We work from an image of the suspect media.
- The copy is stored on CD-R or tape.
Examine
- See the rules we live by.
- Work from the copy, with a variety of tools.
- You have to tell us what is going on.
Review with You
- What is nothing to me may be everything to you.
- You (always) know a lot more than me.
Report the Findings
- A report and examples in the format you need.
  – Written; officer's witness statement.
  – Spreadsheets showing file information.
  – Information printed, on CD-R, or in PowerPoint.
  – Do live demos work? Yes or no.
- #1: DO NOT LET ANYONE SHOW YOU WHERE THE EVIDENCE IS ON THE COMPUTER.
- Let them talk about their great computer skills, or lack of skill.
- Ownership and use of each computer.
- Passwords!
- Like all interviews, you are attempting to gather information.
- What else would you like to know?
  – Online service, when it is used the most, computer at work? AND
Search Warrant vs. Consent
- When you can get a search warrant.
- Consent: given knowingly, freely and voluntarily, by someone with the authority to give the consent.
You found the "something". Are we done?
Computer Examinations: The Fun Stuff
- Proving the WHO, WHAT, WHERE, WHEN, HOW and maybe WHY.
Date and Time Stamps
- Windows 9x and above (FAT) tracks three dates and two times: created (date and time), last written (date and time) and last accessed (date only).
- NTFS adds one date and one time: last access gets a time of day, and the file record's own last-changed date and time is kept as well.
- Other operating systems keep dates and times too; check what each one records.
Windows > Properties (screenshot of the file Properties dialog)
EnCase view of Dates and Times (screenshot)
Deleted Files
- DOS / Windows only overwrites the first character of the DOS directory entry (with the byte E5h). The rest of the entry, and the file's data in its clusters, stay on the disk until something reuses the space.
File Slack & Unallocated Space
- File slack: the space between the end of the file and the end of the "cluster".
- Unallocated space: the space on the disk that is not assigned in the directory (free space).
- Both contain left-over information.
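The three slides above (date and time stamps, deleted files, file slack) all come down to fields in the 32-byte FAT directory entry. The following is an added example, not code from the presentation, that decodes a constructed entry: it shows the three FAT dates and two times, the E5h "deleted" marker in the first byte of the name, and how much slack a file of a given size leaves in its last cluster. The sample entry, its timestamps and the 4096-byte cluster size are all made up for the demonstration.

```python
import struct
from datetime import date, datetime

# FAT directory entry layout (little-endian, 32 bytes, offsets in hex):
#   00 name(8)  08 ext(3)  0B attr  0C NT reserved  0D creation-time tenths
#   0E creation time  10 creation date  12 last-access date  14 cluster (high)
#   16 write time  18 write date  1A cluster (low)  1C file size
ENTRY_FMT = "<8s3sBBBHHHHHHHI"
DELETED_MARK = 0xE5  # DOS overwrites only this byte when a file is deleted


def fat_date(packed):
    """Packed FAT date: 7 bits years since 1980, 4 bits month, 5 bits day."""
    return date(1980 + (packed >> 9), (packed >> 5) & 0x0F, packed & 0x1F)


def fat_time(packed):
    """Packed FAT time: 5 bits hour, 6 bits minute, 5 bits of 2-second units."""
    return (packed >> 11, (packed >> 5) & 0x3F, (packed & 0x1F) * 2)


def _stamp(fdate, ftime):
    d = fat_date(fdate)
    h, m, s = fat_time(ftime)
    return datetime(d.year, d.month, d.day, h, m, s)


def parse_dir_entry(entry):
    """Decode one 32-byte FAT directory entry into a dict of forensic fields."""
    (name, ext, attr, _ntres, _tenths, ctime, cdate, adate,
     hi, wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, entry)
    deleted = name[0] == DELETED_MARK
    # The first character is lost when the file is deleted; show it as '?'.
    base = ("?" + name[1:].decode("ascii")) if deleted else name.decode("ascii")
    return {
        "name": base.rstrip() + "." + ext.decode("ascii").rstrip(),
        "deleted": deleted,
        "attributes": attr,
        "created": _stamp(cdate, ctime),   # date and time
        "modified": _stamp(wdate, wtime),  # date and time
        "accessed": fat_date(adate),       # date only: FAT keeps no access time
        "first_cluster": (hi << 16) | lo,
        "size": size,
    }


def slack_bytes(size, cluster_size):
    """Bytes between the end of the file and the end of its last cluster."""
    allocated = -(-size // cluster_size) * cluster_size  # round up to clusters
    return allocated - size


# Constructed entry for a deleted file "KIDPIC.JPG", 70000 bytes, cluster 5:
# created 2001-03-15 09:05:00, written 2001-03-15 14:30:10, accessed 2001-03-20.
SAMPLE_ENTRY = struct.pack(
    ENTRY_FMT, b"\xe5IDPIC  ", b"JPG", 0x20, 0, 0,
    0x48A0, 0x2A6F, 0x2A74, 0, 0x73C5, 0x2A6F, 5, 70000,
)

if __name__ == "__main__":
    info = parse_dir_entry(SAMPLE_ENTRY)
    for key, value in info.items():
        print(f"{key:14} {value}")
    print("slack bytes  ", slack_bytes(info["size"], 4096))
```

Because only the first byte of the name is touched, the dates, size and starting cluster of a deleted file are all still readable, which is why an examiner can recover the file and still testify to when it was created and last written.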
Header vs. File Extension
- File headers: what is important.
  – JPEG (JFIF): FF D8 FF E0
  – Microsoft Office (OLE compound document): D0 CF 11 E0 A1 B1 1A E1 (the header continues with the byte-order mark FE FF and the sector size 09 00)
- File extension: what we see.
  – *.ART, DOC, JPG, XLS
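The point of the slide is that the extension is what the suspect chose and the header is what the file actually is. The following is an added example, not code from the presentation: it reads the leading bytes of a file, matches them against a small signature table (the JPEG and OLE signatures from the slide plus a few other well-known ones added here) and flags files whose extension does not fit the detected format. The sample files are constructed byte strings, not real evidence.

```python
import os

# Leading bytes -> (family, description). JPEG and OLE are from the slide;
# the others are well-known signatures added for this example.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg", "JPEG image"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole", "MS Office / OLE compound document"),
    (b"\x89PNG\r\n\x1a\n", "png", "PNG image"),
    (b"GIF87a", "gif", "GIF image"),
    (b"GIF89a", "gif", "GIF image"),
    (b"PK\x03\x04", "zip", "ZIP archive"),
    (b"MZ", "exe", "DOS/Windows executable"),
]

# Extensions that legitimately carry each signature family.
EXT_FAMILY = {
    "jpg": {"jpg", "jpeg"},
    "ole": {"doc", "xls", "ppt", "msg"},
    "png": {"png"},
    "gif": {"gif"},
    "zip": {"zip", "jar"},
    "exe": {"exe", "dll", "scr"},
}


def identify(data):
    """Return (family, description) for the header, or (None, 'unknown')."""
    for magic, family, desc in SIGNATURES:
        if data.startswith(magic):
            return family, desc
    return None, "unknown"


def check(name, data):
    """Compare what the extension claims with what the header says."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    family, desc = identify(data)
    # Only a recognised header can contradict the extension; unknown headers
    # are reported but never counted as a mismatch.
    mismatch = family is not None and ext not in EXT_FAMILY[family]
    return {"file": name, "ext": ext, "header": family or "unknown",
            "description": desc, "mismatch": mismatch}


def find_mismatches(files):
    """files: mapping of name -> leading bytes. Returns names worth a closer look."""
    return [n for n, data in files.items() if check(n, data)["mismatch"]]


def header_of(path, n=16):
    """Read the first n bytes of a real file (use on a copy, never the original)."""
    with open(path, "rb") as f:
        return f.read(n)


# Constructed samples: an OLE header (with the FE FF byte-order mark and 09 00
# sector size that follow the signature), a JPEG renamed to .txt, an honest
# JPEG and a plain text file.
SAMPLES = {
    "resume.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
                  + b"\x3e\x00\x03\x00\xfe\xff\x09\x00",
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "readme.txt": b"Just plain text\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = check(name, data)
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{name:12} .{r['ext']:5} header={r['header']:8} {flag}")
```

Run it over the first 16 bytes of every file on the image copy and the list of mismatches is a short, defensible starting point for the examiner; a `.txt` that begins with FF D8 FF is a picture whatever the name says.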
Previewing
- Let's talk.
- When to do it.
- What are you looking for?
- Tools.
- Where to look.
Previewing: Let's Talk
- Consent.
- Damage to evidence.
- Testifying about it in court.
- Do you stand a chance of finding something?
- False negatives.
Previewing: When to Do It
- Group participation.
- Looking for text.
  – Easy anytime.
  – Have the examiner prepare an EnCase boot disk with the search items.
  – Other tools: Norton Disk Editor, DIBS Mycroft V3 and others.
- Images.
  – There are not too many DOS-based image viewers.
  – EnCase over LapLink.
  – Copy out possible sources.
Previewing: Tools
- EnCase over LapLink or a network card. $2K.
- Pre-Search & Digit, NIS and Paul Bright. Free, unsupported.
- Boot to a "safe" DOS disk and copy out interesting items.
Previewing: Where to Look
- C:\Windows\Temporary Internet Files
- C:\Windows\Recent, AKA:
  – Start > Documents (right-click & Properties)
- C:\Windows\History
- Recycle Bin
- Internet Explorer: Recent and Favorites
- My Documents > My Pictures?
Previewing: Where Else
- Look for newsgroup programs.
  – Free Agent, NewsRover, Outlook.
- C:\Windows\Temp
- The directory in each volume?
  – A folder titled "kid pict" or some other obvious name.
Organizations
- CTIN
- AGORA
- HTCIA
- IACIS
- NWCCC