Introduction - Part 3

Evidence Integrity and Handling




Maintaining the integrity of a crime scene means protecting any potential evidence from being damaged or destroyed and preventing false evidence from being introduced into the area in question. Maintaining the integrity of a computer system, or of the files taken from it, for a forensic examination is the same in principle. When working with digital images, one needs both to maintain the integrity of the files and to demonstrate that the steps taken were effective. Maintaining integrity requires securing the files during transport and storage; demonstrating integrity requires methods that show the file has not changed since it was acquired.

Methods for Maintaining and Demonstrating Integrity:

1. Written Documentation
Standard operating procedures (SOPs) documenting the steps required to maintain security. This documentation may include chain of custody records, if required by agency policy.

2. Physical Security/Environment
Mechanical or physical controls that prevent unauthorized access to data or loss of data, e.g. door locks, security guards, personnel controls, fire-suppression systems, isolated computer systems.

3. Redundant Physical Copies
Duplicates of files kept in an alternate location so that the files survive a disaster. Each copy should carry the same recorded hash value as the original so that it can be shown to be identical.

4. Logical Security (WAN [wide area network]/LAN [local area network])
Operating system or software-based controls that restrict access to files, e.g. password protection, file permissions, firewalls.

5. Third-Party Escrowing
This involves transferring files to a third party, which means relinquishing control of them. Although it may be appropriate under certain circumstances, the agency must have a viable method for demonstrating integrity that is independent of the vendor (for example, hash values recorded before the transfer), and an appropriate contract clarifying the vendor's obligations should be in place before any files are transferred.

6. Hashing Function
An established mathematical function that computes a fixed-length value, the hash value, from input data of any size. A cryptographic hash is designed so that any change to the input, even a single bit, produces a different hash value, and so that finding two different inputs with the same hash is infeasible. The hash is recorded at acquisition and recomputed later to demonstrate that the file is unchanged. Use an algorithm that is still collision resistant, such as SHA-256; MD5 and SHA-1 have publicly demonstrated collision attacks and should not be relied on alone for new work.

7. Visual Verification
The process of confirming that an image matches the original through visual inspection. It cannot detect changes that are not visible, so it complements rather than replaces hashing.

8. Digital Signature
This process is used together with a hash process. The hash of the file is signed with a specific private key (in RSA terms, encrypted with it). File integrity is verified by recomputing the hash and comparing it with the signed value, and the source of the signature is validated with the corresponding public key. The advantage of a digital signature is that the recorded hash can be attributed to an individual, namely the holder of the private key; that attribution is only as strong as the control kept over that key.

9. Written Documentation
Notes or narrative written by the operator at each step to document the workflow.

10. Checksums/Cyclical Redundancy Check (CRC)
Checksums are often used in file transfer to verify that the transfer completed without corruption. A checksum such as CRC-32 is designed to detect accidental errors, not deliberate alteration: it is short (32 bits) and linear, so different inputs with the same checksum are easy to find. Only checksums that are in fact cryptographic hashes are as strong as hashes; any other checksum should be used together with other methods (such as hashing or visual verification) to the degree possible.

11. Encryption
Encryption transforms the content of the files so that they cannot be read without the key, which protects them in transport and storage. By itself it does not demonstrate that a file is unchanged; a hash value still has to be recorded and checked, and the keys must be managed so that the files remain recoverable. Encryption can be used in concert with other methods.

12. Watermarks
This process embeds a mark in the content of the files, and the mark persists as part of the file. Because it alters the evidence itself, this method is not recommended.

13. Proprietary Methods
Methods offered for sale or license by a vendor that controls the source code may not be independently verifiable, and the methodology may not be possible to validate independently. Therefore this method is not recommended.
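As an added example, not part of the original page, the following Go program shows items 6 and 10 in practice: it hashes a constructed sample image with SHA-256, records the value, re-verifies after a single bit is flipped, and then finds two different inputs that share a CRC-32 but not a SHA-256. The file name, the sample contents and the candidate search are constructed for the demonstration; only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/crc32"
	"io"
	"os"
	"path/filepath"
)

// hashFile streams the file through SHA-256 (so images larger than RAM are
// fine) and returns the digest as lowercase hex.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// verifyFile rehashes path and compares with the value recorded at acquisition.
// A read error counts as failure: a file that cannot be rehashed is not shown intact.
func verifyFile(path, recorded string) bool {
	got, err := hashFile(path)
	return err == nil && got == recorded
}

// demoFileIntegrity writes a constructed sample "image" into dir, records its
// hash, verifies it, then flips one bit in the middle and verifies again.
func demoFileIntegrity(dir string) (intact, stillIntact bool, err error) {
	path := filepath.Join(dir, "IMG_0001.dd") // hypothetical evidence file name
	image := bytes.Repeat([]byte("constructed sample image data\n"), 1024)
	if err = os.WriteFile(path, image, 0o600); err != nil {
		return
	}
	recorded, err := hashFile(path)
	if err != nil {
		return
	}
	intact = verifyFile(path, recorded)
	image[len(image)/2] ^= 0x01 // a single flipped bit, deep inside the file
	if err = os.WriteFile(path, image, 0o600); err != nil {
		return
	}
	stillIntact = verifyFile(path, recorded)
	return
}

// crc32Collision searches deterministically for two different 16-byte inputs
// with the same CRC-32. A 32-bit checksum built to catch accidental corruption is
// not collision resistant: a collision is expected after about 2^16 random inputs.
func crc32Collision(limit int) (a, b []byte, ok bool) {
	seen := make(map[uint32][]byte, 1<<17)
	for i := 0; i < limit; i++ {
		// SHA-256 of a counter is only a reproducible source of pseudo-random candidates.
		sum := sha256.Sum256([]byte(fmt.Sprintf("candidate-%d", i)))
		candidate := append([]byte(nil), sum[:16]...)
		c := crc32.ChecksumIEEE(candidate)
		if prev, found := seen[c]; found {
			return prev, candidate, true
		}
		seen[c] = candidate
	}
	return nil, nil, false
}

// demoChecksumWeakness reports whether the colliding pair shares a CRC-32 (it
// does) and whether it shares a SHA-256 (it does not).
func demoChecksumWeakness() (found, crcEqual, shaEqual bool) {
	a, b, ok := crc32Collision(1 << 20)
	if !ok {
		return false, false, false
	}
	return true, crc32.ChecksumIEEE(a) == crc32.ChecksumIEEE(b), sha256.Sum256(a) == sha256.Sum256(b)
}

func main() {
	dir, err := os.MkdirTemp("", "evidence")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	intact, stillIntact, err := demoFileIntegrity(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("verified at acquisition: %v; after one flipped bit: %v\n", intact, stillIntact)
	found, crcEqual, shaEqual := demoChecksumWeakness()
	fmt.Printf("CRC-32 collision found: %v; CRC-32 equal: %v; SHA-256 equal: %v\n", found, crcEqual, shaEqual)
}
```

The recorded hash is what goes into the case notes or a sidecar manifest; the verification step is what an examiner reruns before analysis and again before court. The collision search stops after a few tens of thousands of candidates on a typical run, which is why a CRC alone cannot show that a file was not deliberately altered.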

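Item 8 as an added example, again not from the original page: the examiner signs the hash manifest line of a constructed sample file with an Ed25519 private key, and a verifier checks integrity (the file still hashes to the signed line) and attribution (the signature verifies under the examiner's public key) as two separate verdicts. Ed25519 signs the message directly rather than "encrypting the hash" as RSA-style descriptions put it, but the properties are the same. The key pairs are generated on the fly, and the file name and contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// manifestLine is the record the examiner signs: the SHA-256 of the file and
// its name, in the "digest  name" layout used by sha256sum.
func manifestLine(image []byte, name string) []byte {
	sum := sha256.Sum256(image)
	return []byte(hex.EncodeToString(sum[:]) + "  " + name + "\n")
}

// signManifest signs the manifest line with the examiner's private key; only
// the holder of that key can produce a signature the matching public key accepts.
func signManifest(priv ed25519.PrivateKey, line []byte) []byte {
	return ed25519.Sign(priv, line)
}

// verifyEvidence checks the two properties the text describes separately:
// intact means the file still hashes to the signed manifest line, attributed
// means the signature on that line verifies under the examiner's public key.
func verifyEvidence(pub ed25519.PublicKey, image []byte, name string, line, sig []byte) (intact, attributed bool) {
	intact = string(manifestLine(image, name)) == string(line)
	attributed = ed25519.Verify(pub, line, sig)
	return intact, attributed
}

// demoSignature runs the flow on a constructed sample and returns the verdicts
// for the untouched file, a file with one altered byte, and the same manifest
// signed with somebody else's key.
func demoSignature() (okIntact, okAttributed, tamperedIntact, impostorAttributed bool, err error) {
	examinerPub, examinerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	image := []byte("constructed sample image bytes") // stands in for the acquired file
	name := "IMG_0001.dd"                             // hypothetical file name
	line := manifestLine(image, name)
	sig := signManifest(examinerPriv, line)

	okIntact, okAttributed = verifyEvidence(examinerPub, image, name, line, sig)

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xFF
	tamperedIntact, _ = verifyEvidence(examinerPub, tampered, name, line, sig)

	// Anyone can hash the file and sign the same line, but not with the
	// examiner's key, so the result does not verify under the examiner's public key.
	impostorSig := signManifest(impostorPriv, line)
	_, impostorAttributed = verifyEvidence(examinerPub, image, name, line, impostorSig)
	return
}

func main() {
	okIntact, okAttributed, tamperedIntact, impostorAttributed, err := demoSignature()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original: intact=%v attributed=%v\n", okIntact, okAttributed)
	fmt.Printf("tampered file: intact=%v\n", tamperedIntact)
	fmt.Printf("signed by another key: attributed=%v\n", impostorAttributed)
}
```

In practice the examiner's public key would be distributed and recorded independently of the case files, since attribution means nothing if the verifier accepts whatever public key arrives alongside the signature.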


Chain of Custody




Chain of Custody refers to the documentation that identifies all changes in the control, handling, possession, ownership, or custody of a piece of evidence: the movement and location of the physical evidence from the time it is obtained until the time it is presented in court. It is important to maintain a chain of custody for every kind of evidence. You need to be able to trace the route that evidence takes from the moment you collect it until the time it is presented in court or at a corporate briefing.

When seizing hardware, you tag it with an evidence tag that documents the date and time, your name, the case number, where you found the item, other facts relevant to the case, and any further information required by the policies and procedures of your investigation team. After tagging the evidence, you bag it and hand it to an evidence custodian; some experts call this process "bagging and tagging." An evidence custodian is the individual in charge of documenting, transporting, and storing all evidence.

The evidence custodian ensures that evidence is safely transported to an evidence locker, a locked repository for items related to pending cases. Most police departments have employees who are designated as evidence custodians. In a civil case, you should still appoint one person to act as the evidence custodian.



Report Writing




Report Writing refers to writing a complete report of all the evidence found at the crime scene and the results of its examination. The examiner is responsible for completely and accurately reporting his or her findings and the results of the analysis of the digital evidence. Documentation is an ongoing process throughout the examination, so it is important to accurately record each step taken during the digital evidence examination.

All documentation should be complete, accurate, and comprehensive, and the resulting report should be written for the intended audience. Documentation should be contemporaneous with the examination, and retention of notes should be consistent with departmental policies.

Documentation Process:


1. Take notes when consulting with the case investigator and/or prosecutor.
2. Maintain a copy of the search authority with the case notes.
3. Maintain the initial request for assistance with the case file.
4. Maintain a copy of chain of custody documentation.
5. Take notes detailed enough to allow complete duplication of actions.
6. Include in the notes dates, times, and descriptions and results of actions taken.
7. Document irregularities encountered and any actions taken regarding the irregularities during the examination.
8. Include additional information, such as network topology, list of authorized users, user agreements, and/or passwords.
9. Document changes made to the system or network by, or at the direction of, law enforcement or the examiner.
10. Document the operating system, relevant software versions, and currently installed patches.
11. Document information obtained at the scene regarding remote storage, remote user access, and offsite backups.


End Of Introduction.
