The courts have generally accepted evidence collected from the Internet as long as its authenticity can be established. Commonly accepted digital forensic methodologies can all be used to identify a three-pronged approach to Internet forensics.
Reports can get long and are often very detailed. While I would like to think that...
For those contemplating starting a Digital Forensics section, review the issues listed below...
Consoles today play an increasing part in even local police investigations across the country. In a presentation to law enforcement, Microsoft made clear that "investigators may participate in Xbox live in undercover operations."
There are two things an investigator can do to gain credibility in the courtroom as an expert witness. One is cross-validation of the tools used. The second is to make sure the investigator has a solid understanding of the evidence and how it was gathered.
As a result of Android's secure architecture, forensic examiners do not have a built-in mechanism they can use on the phone to extract core user data. Instead, new techniques must be developed which require some interaction with the device. There are four primary ways to approach forensics on an Android device.
When serving as an expert in federal court, the most significant change is that an expert witness need not disclose prior versions of their report, or communications had with the hiring attorney about the report. This eliminates a common technique of cross examination in which the expert's evolving drafts were reviewed with the idea of creating the impression on the jury that the expert was willing to change his or her opinions.
The industry of digital forensics and electronic discovery is still a rather young one. Yet it has been around long enough to develop standards and best practices for handling multiple types of digital files on various mediums. The challenge of taming the land of social media and Webmail—where each platform has its own rules, or no rules at all—is just like taming the Wild West.
When the examiner is ready to investigate a phone, he may have a checklist to make sure that the examination machine is ready. This computer, known as the examination computer, can be a laptop or a desktop. The main requirement is that it has at least a Pentium 90 for processing speed and enough RAM to operate the cell phone forensic software.
An interesting and useful way to determine if the system clock has been set back is to sort Event Log records by event record number and observe the times... for each sequential record number, does the generated time for the record increment accordingly?
Social networking sites are great for intelligence gathering on a target, if you are lucky enough to find the “correct” target on the site. The intelligence gathered from social networking sites ranges from dates and times of specific locations (timestamps on pictures) to friends and associates, pictures of targets, and more.
The forensic implications of Google Analytics cookies are tremendous. Unlike HTTP cookies, GA cookies provide the forensic examiner with an extensive amount of data on the user of a particular Web browser. Instead of tracking every page reload, which can be misleading to an investigator, GA cookies track just the new sessions.
Apart from the expert report, probably the most important document you are likely to create as an expert witness is your Curriculum Vitae or resume. This is the first document an attorney considering hiring you will look at, and it is the first document an attorney planning to cross examine you will look at in preparation for your examination.
Any information or data actively used by a computer program or hardware device will pass through the system's RAM at the time it is being used. So why is RAM analysis not a part of every computer forensic investigation? There are two main reasons.
An important consideration is a triage tool’s intended use. Several different tools may be needed for investigators and examiners to cover potential uses, from performing a more in-depth analysis to quickly triaging a number of computers to determine which ones need further analysis.
Cloud computing raises some unique law enforcement concerns regarding the location of potential digital evidence, its preservation, and its subsequent forensic analysis. Further forensic issues concern the potential effect the cloud services could have on the digital data itself and how the forensic examiner can explain all these indiscretions to the court.
Developing the scope of your tool validation plan involves creating a protocol for testing by outlining the steps, tools, and requirements of such tools to be used during the test. This may include evaluation of multiple test scenarios for the same software or tool.
Data reduction—eliminating “known” files, such as operating system and application files, during an investigation—is a critical component of the computer forensics process. If a specific file’s profile and signature match the database of “known” files, that file can be excluded from review, saving investigators valuable time.
Discovery of the capability of iTunes and its interaction with P2P programs might indicate the user’s possible intent, or at least their knowledge, of sharing video files from the iTunes Library on a local network. In a recent child pornography case, two software programs of interest were installed on a suspect’s laptop computer.
The effective use of regular expressions might be the difference in solving a case. That is because regular expressions automate and streamline tasks that would take hours if not days to do. The forensic examiner needs to know how to craft the expressions and invoke the software that will search using the expression.
Attempts to destroy digital evidence are common. Such attempts can be more or less successful depending on the action taken, time available to destroy evidence, as well as the type of storage device (magnetic hard drive, flash memory card, or SSD drive).
Myth: Actions taken by a digital forensics practitioner must not change the data held on a digital device’s storage media if such data is to be relied upon in a court of law. Reality: The Court places no such demand on the digital forensics practitioner.
Templates are easy to create and will end up saving you many hours of work down the road. The template doesn’t have to be set in stone, but just having one will make report writing easier, if for no other reason than because you won’t have to remember to include things that are already built-in.
Despite all of the complications in the analysis of white-box devices, there is a silver lining to this looming grey cloud. While there are tens of thousands of different Chinese-made handsets available today, over 90% of the chipsets used in these devices are built by four major manufacturers: MediaTek, Spreadtrum, Infineon, and MStar.
Cost concerns often outweigh evidentiary and discovery concerns when it comes to scoping out litigation data collection. Not identifying and producing critical data that may be subject to discovery demands can result in sanctions, including adverse inferences, fines, or even the striking of pleadings.
As with computer evidence, it is necessary to have proper legal authority to conduct a forensic examination of cellular phones and handheld devices. Cell phones lawfully may be searched without a warrant only if the search is ‘substantially contemporaneous’ with the arrest.
Maintaining digital evidence longevity entails more than keeping a true copy of a digital object over time. The true copy also must retain its unaltered content in an unbroken chain of custody that addresses data preservation and the accuracy, reliability, and durability of the hardware and software systems involved.
Trackpoints are the Holy Grail in GPS forensics. Almost all GPS devices collect trackpoints, but even without trackpoints, GPS devices still hold a significant amount of data. Waypoints and routes will show the location to which the user intended to navigate or has navigated, and a timestamp when the location was put into the device.