Live Digital Forensics
June 7, 2013 7:29 am | by Matthew J. Decker, Warren G. Kruse II, Bill Long, and Greg Kelley | Articles
Myth: Actions taken by a digital forensics practitioner must not change the data held on a digital device’s storage media if such data is to be relied upon in a court of law. Reality: The Court places no such demand on the digital forensics practitioner.
The Solution is in the Chipset
May 23, 2013 10:49 am | Articles
Despite all of the complications in the analysis of white-box devices, there is a silver lining to this looming grey cloud. While there are tens of thousands of different Chinese-made handsets available today, over 90% of the chipsets used in these devices are built by four major manufacturers: MediaTek, Spreadtrum, Infineon, and MStar.
Evidentiary Value of GPS Devices
March 28, 2013 8:00 pm | Articles
Trackpoints are the Holy Grail in GPS forensics. Almost all GPS devices collect trackpoints, but even without trackpoints, GPS devices still hold a significant amount of data. Waypoints and routes will show the location to which the user intended to navigate or has navigated, and a timestamp when the location was put into the device.
Apply Locard’s Exchange Principle to Digital Forensics
March 21, 2013 8:00 pm | Articles
Locard’s Exchange Principle is often cited in forensics publications: “Every contact leaves a trace.” In the cyber world, the perpetrator may or may not come in physical contact with the crime scene; thus, this brings a new facet to crime scene analysis.
Steganography: A New Weapon
March 14, 2013 8:00 pm | Articles
One of the newest weapons is a new technology that combines the power of TrueCrypt (one of the best known and easiest to use encryption programs) with a steganography twist.
Explain What Went Wrong
March 7, 2013 7:00 pm | Articles
Managing management’s expectations by helping them understand the technology’s abilities and limitations can mitigate their reactions to limited or nonexistent examination results.
Accreditation: A Standard of Acceptability
February 21, 2013 7:00 pm | Articles
The importance of accurate, technically competent, and valid examination results cannot be overstated. Laboratory accreditation can provide a standard which can ensure confidence in the results obtained from the examination of digital evidence.
Every Contact Leaves a Trace
February 11, 2013 8:00 pm | Articles
Knowing where to look and understanding what can be retrieved to assist in a successful investigation is key to a case’s swift and reliable conclusion. It is for this reason that the mobile phone has become an integral part of any modern-day investigation.
Overcoming Challenges in the Cloud
February 6, 2013 8:59 pm | Articles
Performing digital forensics in the cloud isn't necessarily a new discipline, but the task definitely requires a whole new mindset and some new skills from investigators.
Use a Criminal's Tools Against Him
January 29, 2013 8:00 pm | Articles
A database of SHA-1 hash values for known child pornography enables law enforcement to monitor Internet traffic for contraband. A suspect's use of client software like LimeWire makes the process of gathering evidence particularly straightforward.
5 Must-Have Skills for Fraud Examiners
January 23, 2013 4:58 am | Articles
Today's successful fraud examiners must understand the business, leverage technology, have versatile work experience, understand where the information resides, and possess international capabilities.
Data Reduction Software Accelerates Investigations
January 8, 2013 8:39 pm | Articles
Data reduction—eliminating “known” files, such as operating system and application files, during an investigation—is a critical component of the computer forensics process.
What Evidence Needs to Be Collected?
December 17, 2012 7:00 pm | Articles
When you are onsite to collect evidence, it is better to collect more than what might be initially needed. The scope of the investigation could easily expand, and it is much harder to obtain network logs or computer artifacts that might have been overwritten.
Credibility on the Stand
December 12, 2012 7:00 pm | Articles
There are two things an investigator can do to gain credibility in the courtroom: cross-validate the tools used, and understand the evidence and how it was gathered.
Develop a Plan for Forensic Tool Validation
December 4, 2012 9:14 pm | Articles
Developing the scope of your tool validation plan involves creating a protocol for testing by outlining the steps, tools, and requirements of such tools to be used during the test. This may include evaluation of multiple test scenarios for the same software or tool.
Take Care When Using Flasher Boxes
November 28, 2012 8:09 pm | Articles
Learn how a flasher box works and what it does with the cell phone data before you use it in an investigation. You don't want to risk wiping the data off a suspect phone.
Work Smart to Avoid Injury
November 13, 2012 7:00 pm | Articles
By setting up our computer workstation optimally and paying attention to a few key elements of positioning and alignment, we can greatly reduce our chance of an ergonomic injury such as carpal tunnel syndrome or repetitive stress injury.
Cloud Computing Presents a Unique Forensic Challenge
November 7, 2012 7:00 pm | Articles
Cloud computing raises some unique law enforcement concerns regarding the location of potential digital evidence, its preservation, and its subsequent forensic analysis.
Pick the Right Tool for the Job
October 30, 2012 8:00 pm | Articles
An important consideration is a triage tool’s intended use. Several different tools may be needed for investigators and examiners to cover potential uses, from performing a more in-depth analysis to quickly triaging a number of computers to determine which ones need further analysis.
Executing a Warrant for Digital Evidence
October 25, 2012 8:00 pm | Articles
There is no requirement or mention in the Federal Rules of Criminal Procedure regarding any time limits for the forensic examination of evidence. Investigators only have to execute (serve) the warrant within ten days after it is issued to avoid it becoming “stale.”
Check the System Clock
October 18, 2012 8:00 pm | Articles
An interesting and useful way to determine if the system clock has been set back is to sort Event Log records.
“WTF??”
October 11, 2012 8:00 pm | Articles
The cell phone is an ever-present source of data that you, the investigator, need to get your hands on. So each time you respond to or are assigned a case, ask yourself “WTF??”
Checklists Are Invaluable to First Responders
October 4, 2012 8:00 pm | Articles
Checklists are one of the most important things for first responders to have access to when responding to an incident. It can be easy to miss a step or remember a command incorrectly when under fire.
Test Your Tools
September 25, 2012 8:00 pm | Articles
Tools and systems can become inaccurate or even fail with use. This is why forensic accreditations require practitioners across all forensic disciplines to perform some type of routine testing and calibration of the forensic tools and systems used for the capture and analysis of forensic evidence.
Triage Saves Time and Effort
September 20, 2012 8:00 pm | Articles
The purpose of triage is not to conduct a full analysis. Gathering a little information from key data points early can lead to an accurate assessment of the situation without having to conduct laborious processes.