170 likes | 276 Vues
Evidence. Computer Forensics. Law Enforcement vs. Citizens. Search must have probable cause 4 th amendment search warrant Private citizen not subject to 4 th amendment Private citizen may be a police agent. Role of Evidence. Material offered to judge and jury
E N D
Evidence Computer Forensics
Law Enforcement vs. Citizens • Search must have probable cause • 4th amendment search warrant • Private citizen not subject to 4th amendment • Private citizen may be a police agent
Role of Evidence • Material offered to judge and jury • May directly or indirectly prove or disprove the crime has been committed • Evidence must be tangible • Electrical voltages are intangible • Hard to prove lack of modification
Evidence Requirements • Material – relevant to case • Competent – proper collection, obtained legally, and chain of custody maintained • Relevant – pertains to subject’s motives and should prove or disprove a fact
Chain of Custody • Who obtained it? • Where and when was it obtained? • Who secured it? • Who had control or possession? • How was it moved?
Types of Evidence • Best • Primary, original documents, not oral • Secondary • Copies of documents, oral, eyewitness • Direct • Can prove fact by itself • Does not need corroborative information • Information from witness
More Types • Conclusive • Irrefutable and cannot be contradicted • Circumstantial • Assumes the existence of another fact • Cannot be used alone to prove the fact • Corroborative • Supporting evidence • Supplementary tool
More Types • Opinion • Experts give educated opinion • Hearsay • No firsthand proof • Computer generated evidence • Real • Physical evidence • Tangible objects
More Types • Documentary • Records, manuals, printouts • Most evidence is documentary • Demonstrative • Aids jury in the concept • Experiments, charts, animation
Hearsay Rule Exception • Business record exemption to hearsay rule • Documents can be admitted if created during normal business activity • This does not include documents created for a specific court case • Regular business records have more weight • Federal rule 803(6) • Records must be in custody on a regular basis • Records are relied upon by normal business
Before the Crime Happens • Select an Incident Response Team (IRT) • Decide whether internal or external • Set policies and procedures • If internal, include • IT • Management • Legal • PR
Incident Handling • First goal • Contain and repair damage • Prevent further damage • Collect evidence
Evidence Collection • Photograph area • Dump contents from memory • Power down system • Photograph internal system components • Label each piece of evidence • Bag it • Seal • Sign
Forensics • Study of technology and how it relates to law • Image disk and other storage devices • Bit level copy (deleted files, slack space,etc) • Use specialized tools • Further work will be done on copy • Create message digest for integrity
Thing to Look For • Hidden Files • Steganography • Slack Space • Malware • Deleted Files • Swap Files
Trapping the Bad Guy • Enticement • Legal attempt to lure a criminal into committing a crime • Provide a honeypot in your DMZ • Pseudo flaw (software code) • Padded cell (virtual machine) • Entrapment • Illegal attempt to trick a person into committing a crime
Liability • Company must practice due care • Management must practice due diligence • Follow the prudent person rule • Watch for downstream liabilities