Evidence Handling If the evidence is there the case is yours to lose.
Evidence First do no harm. Evidence: cannot be altered. cannot be tampered with. cannot be added. reserved for LAPD only.
Evidence ● Admissible ● must be legally obtained and relevant ● Reliable ● has not been tainted (changed) since acquisition ● Authentic ● the real thing, not a replica ● Complete ● includes any exculpatory evidence ● Believable ● lawyers, judge & jury can understand it
Rule #2 Evidence must be reliable. Must be able to prove that evidence has not changed since seizure. Always accounted for.
MD5/File Signature MD5 – Message Digest version 5 A mathematical calculation of the data in a file If one bit is changed the MD5 is vastly different Often referred to the hash code of the file Acts as a unique signature of the file
Rule #2 Reliable evidence. In order to demonstrate that evidence presented in court is identical to that seized in accordance with a search warrant, it is sufficient to show the MD5 file/drive signatures match. Accepted judicial procedure.
File/Drive Signature MD5 hash code of a file/disk/drive is unique to that file/disk/drive The MD5 hash code calculates a number that can prove that the file/drive has not changed. Procedure: 1.Calculate the MD5 code of the seized digital evidence as soon after the seizure as possible. 2.When challenged re-calculate the MD5 code. 3.Compare, if equal then evidence has not changed. Otherwise the evidence is inadmissible.
WinHex The general purpose forensic analysis tool we will use for this course. Excellent professional grade tool. You can download a trial version. It has limited capability, but you can do a lot with it and complete your assignments in the lab. I the license is good for all versions before 2007.
WinHex File Signature Open the application File -> open Find Documents and Settings\UserData\index.dat Select Tools -> Compute Hash Select MD5 (128 bit) Note the hash code or file signature
WinHex
Open File
Open UserData Folder
Index.dat Opened
Calculate MD5 Hash File Signature
File Signature
Protect Your Evidence Be sure you use a write blocker of some kind You can’t trust software, Unless It has been tested and validated Usually by a third party Floppies and tapes have physical protection
Hash of a Floppy Be sure the write protect thingee is open Start WinHex Open floppy Be sure you select the physical device Calculate the Hash
Open Disk
Open Disk Physical Media
Open Floppy Media
Open Floppy
Calculate Disk Signature
Recover File from the Floppy Select possible file After you recover this file Select the physical device Calc hash Compare with the previous hash Have they changed?
Open Partition 1 Double Click
Explore Floppy
Select File
Not For Temp Licensed Users Only Must export to your docs to view Right click on file to recover Choose Recover/Copy … Choose Folder to restore to, click Double click on file
Voila
Re-Calc Hash Recalculate the hash of the floppy The floppy has been accessed The access time of the file should have been changed Hence the hash of the floppy should change Did it?
Lab – Due Be sure that the write protect hole is clear Calculate the MD5 Signature of your floppy Record it. Recover a file and view, include it in your report. Remember Alt – PrtSc and paste it where you want it. Recalculate the hash of the floppy. Are they the same?