Attempts to destroy digital evidence are common. Such attempts can be more or less successful depending on the action taken, time available to destroy evidence, as well as the type of storage device (magnetic hard drive, flash memory card, or SSD drive).
Cost concerns often outweigh evidentiary and discovery concerns when it comes to scoping out...
Like computer evidence, it is necessary to have proper legal authority to conduct a forensic...
Myth: Actions taken by a digital forensics practitioner must not change the data held on a digital device’s storage media if such data is to be relied upon in a court of law. Reality: The Court places no such demand on the digital forensics practitioner.
Despite all of the complications in the analysis of white-box devices, there is a silver lining to this looming grey cloud. While there are tens of thousands of different Chinese-made handsets available today, over 90% of the chipsets used in these devices are built by four major manufacturers: MediaTek, Spreadtrum, Infineon, and MStar.
Trackpoints are the Holy Grail in GPS forensics. Almost all GPS devices collect trackpoints but even without trackpoints, GPS devices still hold a significant amount of data. Waypoints and routes will show the location to which the user intended to navigate or has navigated and a timestamp when the location was put into the device.
Locard’s Exchange Principle is often cited in forensics publications: “Every contact leaves a trace.” In the cyber world, the perpetrator may or may not come into physical contact with the crime scene, which adds a new facet to crime scene analysis.
One of the newest weapons is a new technology that combines the power of TrueCrypt (one of the best known and easiest to use encryption programs) with a steganography twist.
Managing management’s expectations by helping them understand the technology’s abilities and limitations can mitigate their reactions to limited or nonexistent examination results.
The importance of accurate, technically competent, and valid examination results cannot be overstated. Laboratory accreditation can provide a standard that ensures confidence in the results obtained from the examination of digital evidence.
Knowing where to look and understanding what can be retrieved to assist in a successful investigation is key to a case’s swift and reliable conclusion. It is for this reason that the mobile phone has become an integral part of any modern day investigation.
Performing digital forensics in the cloud isn't necessarily a new discipline, but the task definitely requires a whole new mindset and some new skills from investigators.
A database of SHA-1 hash values for known child pornography enables law enforcement to monitor Internet traffic for contraband. A suspect's use of client software like LimeWire makes the process of gathering evidence particularly straightforward.
Today's successful fraud examiners must understand the business, leverage technology, have versatile work experience, understand where the information resides, and possess international capabilities.
Data reduction—eliminating “known” files, such as operating system and application files, during an investigation—is a critical component of the computer forensics process.
When you are onsite to collect evidence it is better to collect more than what might be initially needed. The scope of the investigation could easily expand, and it is much harder to obtain network logs or computer artifacts that might have been overwritten.
There are two things an investigator can do to gain credibility in the courtroom: cross-validate the tools used and understand the evidence and how it was gathered.
Developing the scope of your tool validation plan involves creating a protocol for testing by outlining the steps, tools, and requirements of such tools to be used during the test. This may include evaluation of multiple test scenarios for the same software or tool.
Learn how a flasher box works and what it does with the cell phone data before you use it in an investigation. You don't want to risk wiping the data off a suspect phone.
By setting up our computer workstation optimally and paying attention to a few key elements of positioning and alignment we can greatly reduce our chance of an ergonomic injury such as carpal tunnel syndrome or repetitive stress injury.
Cloud computing raises some unique law enforcement concerns regarding the location of potential digital evidence, its preservation, and its subsequent forensic analysis.
An important consideration is a triage tool’s intended use. Several different tools may be needed for investigators and examiners to cover the range of potential uses, from performing a more in-depth analysis to quickly triaging a number of computers to determine which ones need further analysis.
There is no requirement or mention in the Federal Rules of Criminal Procedure regarding any time limits for the forensic examination of evidence. Investigators only have to execute (serve) the warrant within ten days after it is issued to avoid it becoming “stale.”
An interesting and useful way to determine if the system clock has been set back is to sort Event Log records.
The cell phone is an ever present source of data that you the investigator need to get your hands on. So each time you respond to or are assigned a case, ask yourself “WTF??”
Checklists are one of the most important things for first responders to have access to when responding to an incident. It can be easy to miss a step or remember a command incorrectly when under fire.
Tools and systems can become inaccurate or even fail with use. This is why forensic accreditations require practitioners across all forensic disciplines to perform some type of routine testing and calibration of the forensic tools and systems used for the capture and analysis of forensic evidence.
The purpose of triage is not to conduct a full analysis. Gathering a little information from key data points early can lead to an accurate assessment of the situation without having to conduct laborious processes.