Slide 1: Evidence
Computer Forensics
Slide 2: Law Enforcement vs. Citizens
Search must have probable cause
– 4th Amendment search warrant
Private citizen not subject to the 4th Amendment
Private citizen may be a police agent
Slide 3: Role of Evidence
Material offered to judge and jury
May directly or indirectly prove or disprove that the crime has been committed
Evidence must be tangible
– Electrical voltages are intangible
– Hard to prove lack of modification
Slide 4: Evidence Requirements
Material – relevant to the case
Competent – properly collected, obtained legally, and chain of custody maintained
Relevant – pertains to the subject's motives and should prove or disprove a fact
Slide 5: Chain of Custody
Who obtained it?
Where and when was it obtained?
Who secured it?
Who had control or possession?
How was it moved?
Slide 6: Types of Evidence
Best
– Primary, original documents, not oral
Secondary
– Copies of documents, oral, eyewitness
Direct
– Can prove a fact by itself
– Does not need corroborative information
– Information from a witness
Slide 7: More Types
Conclusive
– Irrefutable and cannot be contradicted
Circumstantial
– Assumes the existence of another fact
– Cannot be used alone to prove the fact
Corroborative
– Supporting evidence
– Supplementary tool
Slide 8: More Types
Opinion
– Experts give an educated opinion
Hearsay
– No firsthand proof
– Computer-generated evidence
Real
– Physical evidence
– Tangible objects
Slide 9: More Types
Documentary
– Records, manuals, printouts
– Most evidence is documentary
Demonstrative
– Aids the jury in grasping the concept
– Experiments, charts, animation
Slide 10: Hearsay Rule Exception
Business record exemption to the hearsay rule
– Documents can be admitted if created during normal business activity
– This does not include documents created for a specific court case
– Regular business records have more weight
– Federal Rule 803(6)
Records must be kept in custody on a regular basis
Records are relied upon by the normal business
Slide 11: Before the Crime Happens
Select an Incident Response Team (IRT)
Decide whether internal or external
Set policies and procedures
If internal, include
– IT
– Management
– Legal
– PR
Slide 12: Incident Handling
First goal
– Contain and repair damage
– Prevent further damage
– Collect evidence
Slide 13: Evidence Collection
Photograph the area
Dump the contents of memory
Power down the system
Photograph internal system components
Label each piece of evidence
– Bag it
– Seal it
– Sign it
Slide 14: Forensics
Study of technology and how it relates to law
Image the disk and other storage devices
– Bit-level copy (deleted files, slack space, etc.)
– Use specialized tools
– Further work will be done on the copy
Create a message digest for integrity
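The imaging and chain-of-custody steps from slides 5, 13 and 14 put together as an added example; this is not code from the presentation. The "device" is a constructed byte string, the item label EVID-0001 and the handler names are placeholders, and SHA-256 stands in for whatever digest the lab's tooling uses. The point it shows: hash the source, make a bit-level copy, hash the copy, and record every hand-off against that digest so a later re-hash proves the image was not modified.

```python
"""Added example, not from the slides: bit-level imaging with an integrity digest
plus a chain-of-custody log answering the slide-5 questions. All evidence data
here is constructed in memory; no real device is touched."""
import hashlib
from datetime import datetime, timezone

# Constructed sample "device": live file data followed by leftover bytes from a deleted file.
SAMPLE_DEVICE = (
    b"LIVE FILE: quarterly report\x00\x00\x00\x00"
    b"DELETED FILE REMNANT: wire transfer 4482\x00"
    + b"\x00" * 16
)


def sha256_hex(data: bytes) -> str:
    """Message digest recorded at acquisition; any later change to the image changes it."""
    return hashlib.sha256(data).hexdigest()


def bit_level_image(device: bytes) -> bytes:
    """Byte-for-byte copy of the whole device, unallocated space included,
    so deleted files and slack space survive in the image."""
    return bytes(device)


class ChainOfCustody:
    """One log entry per hand-off: who, where, when, what was done, and the digest
    the item is expected to carry at that moment."""

    def __init__(self, item_id: str, digest: str):
        self.item_id = item_id
        self.digest = digest
        self.entries = []

    def record(self, action: str, handler: str, location: str, note: str = "", when=None) -> dict:
        entry = {
            "item": self.item_id,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "handler": handler,
            "location": location,
            "note": note,
            "digest": self.digest,
        }
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> bool:
        """Re-hash the item; a mismatch means it was modified since acquisition."""
        return sha256_hex(data) == self.digest


def acquire(device: bytes, examiner: str, location: str, item_id: str = "EVID-0001"):
    """Hash the source, image it, hash the image, and open the custody log.
    item_id is a constructed placeholder label, not a real evidence number."""
    source_digest = sha256_hex(device)
    image = bit_level_image(device)
    if sha256_hex(image) != source_digest:
        raise RuntimeError("image digest does not match source; acquisition failed")
    log = ChainOfCustody(item_id, source_digest)
    log.record("acquired", examiner, location, "bit-level image; source and image digests match")
    return image, log


if __name__ == "__main__":
    image, log = acquire(SAMPLE_DEVICE, examiner="J. Doe", location="Lab bench 2")
    log.record("sealed", "J. Doe", "Evidence locker A", "bagged, sealed, signed")
    log.record("transferred", "R. Roe", "Courier", "hand-carried to outside lab")
    print("image intact:", log.verify(image))
    for e in log.entries:
        print(e["when"], e["action"], e["handler"], e["location"], e["digest"][:16])
```

Further analysis runs on `image`, never on the source; every custody entry carries the acquisition digest so whoever receives the item can call `verify` and tie the bytes in hand to the log.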
Slide 15: Things to Look For
Hidden files
Steganography
Slack space
Malware
Deleted files
Swap files
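Why slide 14 insists on a bit-level copy and slide 15 lists slack space and deleted files: both live outside the files the directory still points to, so a file-by-file copy never sees them. The following is an added example, not part of the presentation. It builds a constructed toy filesystem (16-byte blocks, a directory dict) in which an old file is deleted and a shorter file reuses part of its first block, then scans the image for printable strings in the slack at the end of the live file and in the unallocated blocks. The block size, file names and contents are all made up for the demonstration.

```python
"""Added example, not from the slides: scanning a bit-level image for data that
lives outside the live files, i.e. slack space and deleted (unallocated) blocks.
The 'filesystem' is a constructed toy: fixed-size blocks plus a directory dict."""
import itertools
import re

BLOCK = 16       # bytes per block (toy size so the slack is easy to see)
NBLOCKS = 6      # block 0 is reserved for the directory, blocks 1..5 hold file data


def build_sample_image():
    """Constructed image. An older file fills blocks 1-3, is then deleted (only its
    directory entry disappears), and a shorter new file reuses part of block 1."""
    img = bytearray(BLOCK * NBLOCKS)
    old = b"LEDGER: paid 9000 to SHELLCO ref 7731!!"    # 39 bytes -> blocks 1, 2, 3
    img[BLOCK * 1:BLOCK * 1 + len(old)] = old
    directory = {"ledger.txt": (1, len(old))}            # filename -> (first block, length)
    del directory["ledger.txt"]                          # "delete": data blocks untouched
    new = b"memo: hi\n!"                                  # 10 bytes -> block 1 only
    img[BLOCK * 1:BLOCK * 1 + len(new)] = new            # last 6 bytes of block 1 are slack
    directory["memo.txt"] = (1, len(new))
    return bytes(img), directory


def printable_strings(data: bytes, min_len: int = 4):
    """Runs of printable ASCII at least min_len long (what a strings-style tool reports)."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def carve(img: bytes, directory: dict, min_len: int = 4):
    """Return (region, text) pairs for strings found in slack space and unallocated blocks.
    Bytes inside live files are deliberately not reported."""
    live = [(BLOCK * first, BLOCK * first + length) for first, length in directory.values()]
    findings = []
    # Slack: from the end of each live file's data to the end of its last block.
    for start, end in live:
        block_end = -(-end // BLOCK) * BLOCK           # round up to the block boundary
        findings += [("slack", s) for s in printable_strings(img[end:block_end], min_len)]
    # Unallocated: blocks no live file touches, scanned as contiguous runs so that
    # strings spanning a block boundary are recovered whole.
    unalloc = [b for b in range(1, NBLOCKS)
               if not any(s < BLOCK * (b + 1) and e > BLOCK * b for s, e in live)]
    for _, grp in itertools.groupby(enumerate(unalloc), key=lambda t: t[1] - t[0]):
        blocks = [b for _, b in grp]
        chunk = img[BLOCK * blocks[0]:BLOCK * (blocks[-1] + 1)]
        findings += [("unallocated", s) for s in printable_strings(chunk, min_len)]
    return findings


if __name__ == "__main__":
    image, directory = build_sample_image()
    for region, text in carve(image, directory):
        print(f"{region:12s} {text!r}")
```

On the sample image the live file `memo.txt` is not reported at all, the tail of its block yields the fragment `id 900` from the overwritten ledger, and the three unallocated blocks still hold `0 to SHELLCO ref 7731!!` intact. The same scan over a real image is what makes slack and deleted-file recovery possible, and it is also why the examiner's copy must be bit-level rather than a file-system-level backup.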
Slide 16: Trapping the Bad Guy
Enticement
– Legal attempt to lure a criminal into committing a crime
– Provide a honeypot in your DMZ
– Pseudo flaw (software code)
– Padded cell (virtual machine)
Entrapment
– Illegal attempt to trick a person into committing a crime
Slide 17: Liability
Company must practice due care
Management must practice due diligence
Follow the prudent person rule
Watch for downstream liabilities