---
title: '01 Intro to Forensics'
disqus: hackmd
---
01 Intro to Forensics
===
<style>
img{
/* border: 2px solid red; */
margin-left: auto;
margin-right: auto;
width: 90%;
display: block;
}
</style>
## Table of Contents
[TOC]
Overview
---
- digital forensics
    - application of computer science and investigative procedures for a legal purpose
    - involves the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting and possible expert presentation
- history
    - Federal Rules of Evidence (FRE) created to ensure consistency in federal proceedings
    - FBI Computer Analysis and Response Team (CART)
        - 1984
        - handles cases with digital evidence
        - by late 1990s, CART teamed up with the Department of Defense Computer Forensics Laboratory (DCFL)
- 4th Amendment of the US Constitution protects our right to be secure from search and seizure
    - goal is to protect the right to privacy against unreasonable intrusions by govt
Case Law
---
- current laws cannot keep up with the rate of tech change
- when statutes (laws passed by a legislative body) don't exist, **case law** is used
    - allows legal counsel to apply previous similar cases to the current one to address ambiguity in laws
- examiners must know recent court rulings on search & seizure in electronic environments
### Developing Digital Forensics Resources
- supplement knowledge by
    - developing and maintaining contact with relevant investigative professionals
    - joining computer user groups in public/private sectors
        - e.g. Computer Technology Investigators Network (CTIN) to discuss problems examiners encounter
    - consulting other experts
### Digital Investigations
- 2 categories
    - public sector investigations
    - private sector investigations
- the difference
    - public sector investigations involve govt agencies responsible for criminal investigations and prosecution
        - be familiar with the 4th Amendment of the US Constitution
            - restricts govt search & seizure
        - Department of Justice (DOJ) updates info on computer search and seizure regularly
    - private sector investigations focus more on company policy violations
- role of the digital forensics professional is to gather evidence to prove that a suspect committed a crime or violated company policy
    - collect evidence to offer in court/corporate inquiry
    - investigate the suspect's computer
    - preserve evidence on a different computer
- chain of custody
    - route evidence takes from the time it is found until the case is closed/goes to court
### Following Legal Processes
- criminal investigation usually begins when someone finds evidence of/witnesses a crime
- witness/victim makes an **allegation** to police
- police interview the complainant and write a report
- report is processed and management decides whether to start an investigation or log the info in the police blotter
    - **blotter** - historical database of previous crimes
#### Entities
- digital evidence first responder (DEFR)
    - arrives first at incident scene
    - assesses situation
    - takes precautions to acquire and preserve evidence
- digital evidence specialist (DES)
    - has the skill to analyse data
    - determines when another specialist should be called in to assist
- affidavit
    - sworn statement in support of facts about/evidence of a crime
    - must include exhibits that support the allegation
### Private Sector Investigations
- private sector involves private companies and lawyers who address company policy violations and litigation disputes
    - e.g. wrongful termination
- businesses strive to minimise/eliminate litigation
    - can involve
        - e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
- businesses can reduce the risk of litigation by publishing and maintaining **policies** employees can read and follow easily
    - most important policies define rules for using the company's computers and networks
        - AKA acceptable use policy
    - can avoid litigation with a warning banner informing users that the org reserves the right to inspect computer systems and network traffic at will
- **line of authority**
    - states who has the legal right to initiate an investigation, who can take possession of evidence and who can have access to evidence
- during a private investigation, you search for evidence to support allegations of violations of the company's rules/attacks on its assets
    - 3 common situations
        - abuse/misuse of computing assets
        - email abuse
        - internet abuse
- private sector's job is to minimise risk to the company
    - distinction between personal & company computer property can be difficult
        - **bring your own device (BYOD)** environment
            - some state that if you connect a personal device to the business network, it falls under the same rules as company property
### Maintaining Professional Conduct
- professional conduct - ethics, morals and standards of behaviour
- investigators must
    - exhibit the highest level of professional behaviour at all times
    - maintain objectivity
    - maintain credibility by keeping confidentiality
    - attend training to stay current with the latest changes in computer hardware & software, networking and forensics tools
Computer Crime
---
- computers contain info that helps law enforcement determine
    - chain of events leading to a crime
    - evidence that can lead to a conviction
- law enforcement officers should follow proper procedure when acquiring evidence
    - digital evidence can be easily altered by an overeager investigator
    - info can also be password protected, so forensics tools are needed
Company Policy Violation
---
- employees misusing resources can cost a company millions of dollars
- misuse includes
    - surfing the internet
    - sending personal emails
    - using company computers for personal tasks
Systematic Approach
---
- initial assessment about the type of case being investigated
- determine a preliminary design/approach to the case
- create a detailed checklist
- determine resources needed
- obtain & copy the evidence drive
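The final acquisition step above, as an added example that is not from the original notes: hash the evidence drive, copy it, verify the copy mathematically, and keep an append-only chain-of-custody log so the check can be repeated later. A temporary file stands in for the drive, and the file names and `examiner-1` are assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads so a large image never has to fit in memory

def sha256_file(path):
    """Hash a file in chunks; this is the 'validation with math' step."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, log, examiner):
    """Copy source to image, hash both, append a custody record.
    Returns (verified, record); verified is False if the copy differs."""
    src_hash = sha256_file(source)   # hash the original before touching it
    shutil.copyfile(source, image)   # stand-in for a bit-for-bit imaging tool
    verified = sha256_file(image) == src_hash  # copy must hash identically
    record = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
              "examiner": examiner, "source": source, "image": image,
              "sha256": src_hash, "verified": verified}
    with open(log, "a") as f:        # append-only chain-of-custody log (JSON lines)
        f.write(json.dumps(record) + "\n")
    return verified, record

def verify_image(image, log):
    """Repeatability: re-hash the image and compare with the hash logged at acquisition."""
    with open(log) as f:
        records = [json.loads(line) for line in f if line.strip()]
    recorded = [r["sha256"] for r in records if r["image"] == image]
    return bool(recorded) and sha256_file(image) == recorded[-1]

def demo():
    """Constructed sample: a small file plays the role of the evidence drive."""
    d = tempfile.mkdtemp()
    src, img, log = (os.path.join(d, n) for n in ("drive.bin", "drive.img", "custody.jsonl"))
    with open(src, "wb") as f:
        f.write(b"constructed evidence bytes\n" * 1000)
    ok, _ = acquire_image(src, img, log, "examiner-1")
    before = verify_image(img, log)
    with open(img, "ab") as f:       # simulate an altered image (an overeager investigator)
        f.write(b"!")
    after = verify_image(img, log)
    return ok, before, after         # (True, True, False)
```

Any later re-hash that no longer matches the logged value shows the image was altered after acquisition, which is exactly what the chain of custody is meant to expose.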
Summary
---

###### tags: `DFI` `DISM` `School` `Notes`