
Evidence Handling


Presentation Transcript


  1. Evidence Handling: If the evidence is there, the case is yours to lose.

  2. Evidence
     • First do no harm.
     • Evidence cannot be altered, cannot be tampered with, cannot be added. Reserved for LAPD only.

  3. Evidence
     • Admissible: must be legally obtained and relevant
     • Reliable: has not been tainted (changed) since acquisition
     • Authentic: the real thing, not a replica
     • Complete: includes any exculpatory evidence
     • Believable: lawyers, judge & jury can understand it

  4. Rule #2
     • Evidence must be reliable.
     • Must be able to prove that evidence has not changed since seizure.
     • Always accounted for.

  5. MD5/File Signature
     • MD5: Message Digest version 5
     • A mathematical calculation of the data in a file
     • If one bit is changed the MD5 is vastly different
     • Often referred to as the hash code of the file
     • Acts as a unique signature of the file

  6. Rule #2
     • Reliable evidence.
     • In order to demonstrate that evidence presented in court is identical to that seized in accordance with a search warrant, it is sufficient to show that the MD5 file/drive signatures match.
     • Accepted judicial procedure.

  7. File/Drive Signature
     • The MD5 hash code of a file/disk/drive is unique to that file/disk/drive.
     • The MD5 hash code is a number that can prove the file/drive has not changed.
     • Procedure:
       • Calculate the MD5 code of the seized digital evidence as soon after the seizure as possible.
       • When challenged, re-calculate the MD5 code.
       • Compare: if equal, the evidence has not changed. Otherwise the evidence is inadmissible.
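The slides 5 to 7 procedure (signature at seizure, re-calculate when challenged, compare) written out as a small Python script. This is an added example, not part of the presentation and not WinHex code; the "evidence" it hashes is a constructed byte string standing in for a seized file, and `signature_of_path` is the same computation applied to a real file or drive image on disk. It also shows the slide 5 claim that one changed bit produces a vastly different signature, which is the check slides 23 and 29 have you perform by hand after touching the floppy. The algorithm is a parameter: the slides use MD5 (128 bit), and the same call with `"sha256"` gives the digest current practice records alongside or instead of MD5.

```python
import hashlib

# Constructed sample "evidence": stands in for a seized file such as index.dat.
# Not real evidence data.
SAMPLE_EVIDENCE = b"Documents and Settings\\UserData\\index.dat sample contents\n" * 4


def file_signature(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest ("file signature") of the evidence bytes.

    The slides use MD5 (128 bit); passing "sha256" produces the stronger
    digest current practice records next to (or instead of) MD5.
    """
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def signature_of_path(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Same signature for a file or drive image on disk, hashed in chunks so a
    multi-gigabyte image need not fit in memory. Opened read-only: the evidence
    is never written to (the software side of "first do no harm")."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def flip_one_bit(data: bytes, byte_index: int = 0, bit: int = 0) -> bytes:
    """Copy of data with a single bit toggled. Simulates the smallest possible
    change to the media, e.g. an access time being written back to a floppy
    that was not write-protected."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def differing_hex_digits(sig_a: str, sig_b: str) -> int:
    """How many hex digits of two signatures differ (out of 32 for MD5)."""
    return sum(1 for x, y in zip(sig_a, sig_b) if x != y)


def verify_evidence(current: bytes, recorded_signature: str, algorithm: str = "md5") -> bool:
    """Rule #2 check: recompute the signature when challenged and compare it with
    the one recorded at seizure. True means unchanged; False means the evidence
    cannot be shown to be reliable."""
    return file_signature(current, algorithm) == recorded_signature


if __name__ == "__main__":
    # Step 1: signature taken as soon after seizure as possible, and recorded.
    seized = file_signature(SAMPLE_EVIDENCE)
    print("signature at seizure:", seized)

    # Step 2/3: when challenged, recompute and compare.
    print("unchanged copy verifies:", verify_evidence(SAMPLE_EVIDENCE, seized))

    # One bit of the media changed (tampering, or an access-time update).
    touched = flip_one_bit(SAMPLE_EVIDENCE)
    print("one-bit change verifies:", verify_evidence(touched, seized))
    print("hex digits that differ:", differing_hex_digits(seized, file_signature(touched)), "of 32")
```

Run it as-is to see the comparison on the constructed sample, or call `signature_of_path("image.dd")` on an image you have acquired to record its signature; keep the recorded value with the chain-of-custody paperwork, since the comparison is only as good as the record of the original signature.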

  8. WinHex
     • The general purpose forensic analysis tool we will use for this course.
     • Excellent professional grade tool.
     • You can download a trial version.
     • It has limited capability, but you can do a lot with it and complete your assignments in the lab.
     • The license is good for all versions before 2007.

  9. WinHex File Signature
     • Open the application
     • File -> Open
     • Find Documents and Settings\UserData\index.dat
     • Select it
     • Tools -> Compute Hash
     • Select MD5 (128 bit)
     • Note the hash code or file signature

  10. WinHex

  11. Open File

  12. Open UserData Folder

  13. Index.dat Opened

  14. Calculate MD5 Hash / File Signature

  15. File Signature

  16. Protect Your Evidence
      • Be sure you use a write blocker of some kind.
      • You can't trust software unless it has been tested and validated, usually by a third party.
      • Floppies and tapes have physical protection.

  17. Hash of a Floppy
      • Be sure the write-protect tab is open
      • Start WinHex
      • Open floppy
      • Be sure you select the physical device
      • Calculate the hash

  18. Open Disk

  19. Open Disk / Physical Media

  20. Open Floppy Media

  21. Open Floppy

  22. Calculate Disk Signature

  23. Recover File from the Floppy
      • Select a possible file
      • After you recover this file:
      • Select the physical device
      • Calculate the hash
      • Compare with the previous hash
      • Has it changed?

  24. Open Partition 1 Double Click

  25. Explore Floppy

  26. Select File

  27. Not For Temp Licensed Users Only: Must export to your docs to view
      • Right click on the file to recover
      • Choose Recover/Copy …
      • Choose the folder to restore to, click
      • Double click on the file

  28. Voila

  29. Re-Calc Hash
      • Recalculate the hash of the floppy.
      • The floppy has been accessed.
      • The access time of the file should have been changed.
      • Hence the hash of the floppy should change.
      • Did it?

  30. Lab – Due
      • Be sure that the write protect hole is clear.
      • Calculate the MD5 signature of your floppy. Record it.
      • Recover a file and view it; include it in your report. Remember Alt+PrtSc and paste it where you want it.
      • Recalculate the hash of the floppy. Are they the same?
