computer forensic examiner learns about the crime, event, or activity that is being investigated
identify the types of electronic devices that may be involved
prepare tools that may be needed
Preservation
secure the crime scene and any electronic devices
make sure that no one tampers with the scene or electronic devices
must make sure that no one can access electronic devices remotely
make sure that potential digital evidence cannot be altered
includes documenting the crime scene
record the location of all electronic devices
note whether the device is on or off
record the condition of all devices
record the content of any display screens before electronic devices are moved
chain of custody
help prove that evidence is admissible
document shows who obtained evidence, where and when it was obtained, who secured it, and who had control or possession of it
evidence must be reliable
cannot be modified
protects the integrity of evidence
Collection
known as “bag and tag” step
must collect the electronic devices
require special collection, packaging, and transportation in order to preserve potential evidence
collect on/off electronic devices in different ways
cell phone must be kept on
preserve data stored on it
must be protected from any incoming calls and texts
must use Faraday bags
must collect additional power supply
must document how all electronic devices are configured
cables and peripheral devices need to be tagged
must collect any manuals or other materials about the electronic devices
Examination
make duplicate images of any electronic storage media
called imaging
a forensic duplicate image is not the same as a file copy or system backup copy
includes deleted files, slack space, and areas of the storage media that a normal file copy would not include
is a bit-by-bit copy
use write blockers to create forensic duplicate images
keep examiners from altering the original storage media
can be either hardware- or software-based
make two or more duplicate images of the original storage media
One copy is a working copy
other is a control copy
must be verified against the original storage media
verify the images using a cryptographic hash algorithm
apply the algorithm to the original media and to each duplicate image to create a hash
matching hashes are used to measure the integrity of the original media and the forensic duplicate
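Added example, not part of the original notes: a small Python script that shows why a bit-by-bit image differs from a file copy and how hash verification of the working and control copies works. The "storage medium" is a constructed 4 KiB byte string (eight 512-byte sectors) standing in for a real drive; a live file sits in sector 0 with remnant bytes in its slack space, and a deleted-file remnant sits in an unallocated sector. All names and sample data are assumptions made for the illustration.

```python
import hashlib
from typing import Dict

# Constructed sample "storage medium" for illustration only: eight 512-byte sectors.
SECTOR = 512
LIVE_FILE = b"quarterly report: revenue 4.2M"      # the only data a normal file copy sees
SLACK_REMNANT = b"OLD DRAFT remnant"               # bytes left in the live file's slack space
DELETED_REMNANT = b"deleted_contact_list.csv"      # remnant of a deleted file, unallocated sector


def build_sample_medium() -> bytes:
    """Build the constructed medium: live file + slack in sector 0, deleted data in sector 3."""
    medium = bytearray(8 * SECTOR)
    medium[0:len(LIVE_FILE)] = LIVE_FILE
    start = len(LIVE_FILE)
    medium[start:start + len(SLACK_REMNANT)] = SLACK_REMNANT
    medium[3 * SECTOR:3 * SECTOR + len(DELETED_REMNANT)] = DELETED_REMNANT
    return bytes(medium)


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash used to measure the integrity of the original and each duplicate."""
    return hashlib.sha256(data).hexdigest()


def logical_copy(medium: bytes) -> bytes:
    """A normal file copy: only the file's own bytes; slack and unallocated space are lost."""
    return medium[:len(LIVE_FILE)]


def forensic_image(medium: bytes) -> bytes:
    """A bit-by-bit duplicate: every byte of the medium, allocated or not."""
    return bytes(medium)


def verify_image(original: bytes, image: bytes) -> bool:
    """An image is verified when its hash matches the hash of the original medium."""
    return sha256_hex(original) == sha256_hex(image)


def make_verified_copies(original: bytes) -> Dict[str, dict]:
    """Create a working copy and a control copy, then verify each against the original."""
    original_hash = sha256_hex(original)
    record = {}
    for label in ("working", "control"):
        image = forensic_image(original)
        image_hash = sha256_hex(image)
        record[label] = {"sha256": image_hash, "verified": image_hash == original_hash}
    return record


def flip_byte(image: bytes, offset: int) -> bytes:
    """Simulate a duplicate that no longer matches the original (altered or incomplete image)."""
    altered = bytearray(image)
    altered[offset] ^= 0xFF
    return bytes(altered)


if __name__ == "__main__":
    medium = build_sample_medium()
    image = forensic_image(medium)
    print("original sha256:", sha256_hex(medium))
    print("bit-by-bit image verified:", verify_image(medium, image))
    print("file copy verified:", verify_image(medium, logical_copy(medium)))
    print("deleted remnant present in image:", DELETED_REMNANT in image)
    print("deleted remnant present in file copy:", DELETED_REMNANT in logical_copy(medium))
    print("altered copy verified:", verify_image(medium, flip_byte(image, 100)))
    print("copy record:", make_verified_copies(medium))
```

The hash of the file copy never matches the original because the slack and unallocated sectors are missing, while the bit-by-bit image matches and still contains the deleted remnant; a single changed byte in a duplicate is enough to fail verification, which is why each copy's hash is recorded alongside the original's.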
Two types of data to collect:
Persistent data is stored on a hard drive or other storage media and is preserved when an electronic device is turned off
Volatile data is stored in memory and exists in registers, the cache, and random access memory (RAM), as well as the connections that one electronic device might have with another while both devices are powered on
is lost when an electronic device is turned off
Information to look for:
File access history
File download history
Internet browsing history
Attempts to delete or conceal files or other data
Email communications
Instant message or internet chat logs
Image files
Files containing address books or other contact information
Documents containing financial or medical information
produce a report of files or data that might be relevant to the investigation
must use examination procedures that are auditable
Presentation
must be able to report on their findings and describe how they gathered digital evidence
have to explain how they collected this evidence if a case goes to trial
considered expert witnesses when they testify in a court case
Expert witness testimony is governed by the Federal Rules of Evidence
must show that their activities followed a scientific methodology
court assesses this process
test for measuring the reliability of a scientific methodology is called the Daubert test
asks the following questions to determine reliability:
Has the tool been tested?
Is there a known error rate for the tool?
Has the tool been peer reviewed?
Is the tool accepted in the relevant scientific community?
testify about how the tool works
testify about his or her qualifications
testify about the process the examiner used to collect the digital evidence