Gcfi6e Im Ch04
Chapter 4
Processing Crime and Incident Scenes
At a Glance
Objectives
Teaching Tips
Quick Quizzes
Additional Projects
Additional Resources
Key Terms
© 2019 Cengage Learning. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for
use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for school-approved
learning management system or classroom use.
Guide to Computer Forensics and Investigations, Sixth Edition 4-2
Lecture Notes
Overview
In this chapter, you learn how to process a computer investigation scene. Evidence rules
are critical, whether you’re on a corporate or a criminal case. As you’ll see, a civil case
can quickly become a criminal case, and a criminal case can revert to a civil case. This
chapter examines rules of evidence in the United States, but the procedures apply in
most courts worldwide. Chapter 4 also describes differences between a business (private
entity) and a law enforcement organization (public entity) in needs and concerns, and
discusses incident-scene processing for both types of investigations. This chapter also
discusses how the Fourth Amendment relates to private-sector and law enforcement
digital investigations in the United States. Finally, this chapter explains how to apply
standard crime scene practices and rules of evidence to corporate and law enforcement
computing investigations.
Chapter Objectives
Explain the rules for controlling digital evidence
Describe how to collect evidence at private-sector incident scenes
Explain guidelines for processing law enforcement crime scenes
List the steps in preparing for an evidence search
Describe how to secure a computer incident or crime scene
Explain guidelines for seizing digital evidence at the scene
List procedures for storing digital evidence
Explain how to obtain a digital hash
Review a case to identify requirements and plan your investigation
Teaching Tips
Identifying Digital Evidence
1. Define digital evidence as any information stored or transmitted in digital form. U.S.
courts accept digital evidence as physical evidence, which means that digital data is
treated as a tangible object.
2. Mention that some countries used to require that all digital evidence be printed out to be
presented in court.
3. Describe some of the general tasks investigators perform when working with digital
evidence, including:
a. Identify digital information or artifacts that can be used as evidence
b. Collect, preserve, and document evidence
4. Mention that collecting computers and processing a criminal or incident scene must be
done systematically.
1. Explain that consistent practices help verify your work and enhance your credibility. In
addition, you should comply with your state’s rules of evidence or with the Federal
Rules of Evidence.
2. Mention that evidence admitted in a criminal case can be used in a civil suit, and vice
versa.
3. Describe the importance of keeping current on the latest rulings and directives on
collecting, processing, storing, and admitting digital evidence.
4. Mention that digital evidence is unlike other physical evidence because it can be
changed more easily, and without leaving visible traces. The only way to detect such
changes is to compare the original data with a duplicate, in practice by comparing the
hash values computed for each.
5. Explain that a concern when dealing with digital records is hearsay. Hearsay is
secondhand or indirect evidence and is generally inadmissible unless it falls under an
exception, such as the business-records exception for records kept in the ordinary
course of business.
9. Mention that collecting evidence according to the approved steps of evidence control
helps ensure that the computer evidence is authentic.
10. Mention that when attorneys challenge digital evidence, often they raise the issue of
whether computer-generated records were altered or damaged after they were created.
11. Explain that one test to prove that computer-stored records are authentic is to
demonstrate that a specific person created the records. For example, the author of a
Microsoft Word document can be identified by using file metadata. Use Figures 4-1 and
4-2 to illustrate your explanation.
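Item 11 says a Word document's author can be identified from file metadata. The following is an added example (not from the textbook or its figures) that reads that metadata straight from the .docx container using only the Python standard library. A .docx file is a ZIP archive whose docProps/core.xml part holds the creator, last editor, timestamps and revision count; the sample document, names and dates below are constructed so the script runs offline.

```python
"""Read the authorship metadata stored inside a .docx file.

Added example, not from the textbook. A .docx file is a ZIP archive; the
document's author, last editor and timestamps live in docProps/core.xml.
The sample document is built in memory so the script runs offline; the
names and dates in it are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the core-properties part of an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml: the values are placeholders, not a real document's.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>J. Doe</dc:creator>
  <cp:lastModifiedBy>A. Smith</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2018-03-02T14:05:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2018-03-09T09:41:00Z</dcterms:modified>
  <cp:revision>7</cp:revision>
</cp:coreProperties>
""".format(**NS)


def build_sample_docx() -> bytes:
    """Build a minimal .docx (constructed sample) with only the parts needed here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return creator, last editor, created/modified timestamps and revision count.

    Returns an empty dict when the package carries no core-properties part,
    which happens when a document is saved without them.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path: str):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
        "revision": text("cp:revision"),
    }


if __name__ == "__main__":
    for key, value in read_core_properties(build_sample_docx()).items():
        print(f"{key:17} {value}")
```

These are the same properties Word shows in its Properties dialog, but they are self-reported: a user can edit or clear them before saving, and a document started from a template carries the template's author forward. Treat them as a lead to corroborate against file-system timestamps, account logs and the custody record, not as proof of authorship on their own.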
12. Mention that the process of establishing digital evidence’s trustworthiness originated
with written documents and the best evidence rule.
13. Explain that the best evidence rule states that to prove the content of a written
document, a recording, or a photograph, ordinarily the original file is required.
14. Explain that the Federal Rules of Evidence allow a duplicate in place of the original
when the duplicate is produced by the same impression as the original. As long as
bit-stream copies of data are created and maintained properly, the copies can be admitted
in court, although they aren’t considered best evidence.
Collecting Evidence in Private-Sector Incident Scenes
2. Explain that NGOs must comply with state public disclosure and federal Freedom of
Information Act (FOIA) laws and make certain documents available as public records.
The FOIA allows citizens to request copies of public documents created by federal
agencies.
Teaching Tip: For a more complete description of the Freedom of Information Act (FOIA),
visit: www.state.gov/m/a/ips/.
3. Mention that a special category of private-sector businesses includes ISPs and other
communication companies. ISPs can investigate computer abuse committed by their
employees, but not by customers, except for activities that are deemed to create an
emergency situation.
4. Explain that investigating and controlling computer incident scenes in the corporate
environment is much easier than in the criminal environment because the incident scene
is often a workplace.
5. Explain that typically, businesses have inventory databases of computer hardware and
software, which help identify the computer forensics tools needed to analyze a policy
violation and the best way to conduct the analysis.
7. Mention that companies should display a warning banner or publish a policy stating that
they reserve the right to inspect computing assets at will.
8. Explain that private-sector investigators should know under what circumstances they
can examine an employee’s computer. Every organization must also have a well-
defined process describing when an investigation can be initiated.
10. Emphasize that employers are usually interested in enforcing company policy, not
seeking out and prosecuting employees. Private-sector investigators are, therefore,
primarily concerned with protecting company assets.
11. Describe the actions to follow if you discover evidence of a crime during a company
policy investigation, including:
a. Determine whether the incident meets the elements of criminal law
b. Inform management of the incident
c. Stop your investigation to make sure you don’t violate Fourth Amendment
restrictions on obtaining evidence
d. Work with the corporate attorney to write an affidavit confirming your findings
Processing Law Enforcement Crime Scenes
1. Mention that to process a crime scene correctly, you must be familiar with criminal
rules of search and seizure. You should also understand how a search warrant works
and what to do when you process one.
2. Explain that law enforcement officers may search for and seize criminal evidence only
with probable cause, which is the standard specifying whether a police officer has the
right to make an arrest, conduct a personal or property search, or obtain a warrant for
arrest.
3. Mention that with probable cause, a police officer can obtain a search warrant from a
judge that authorizes a search and seizure of specific evidence related to the criminal
complaint.
4. Explain that the Fourth Amendment states that only warrants “particularly describing
the place to be searched, and the persons or things to be seized” can be issued.
1. Define innocent information as unrelated information often included with the evidence
you’re trying to recover.
2. Explain that judges often issue a limiting phrase to the warrant, which allows the police
to separate innocent information from evidence.
3. Explain that the plain view doctrine states that objects falling in plain view of an officer
who has the right to be in position to have that view are subject to seizure without a
warrant and can be introduced in evidence.
4. Discuss the three criteria that must be met for the plain view doctrine to apply:
a. Officer is where he or she has a legal right to be
b. Ordinary senses must not be enhanced by advanced technology in any way
c. Any discovery must be by chance
Preparing for a Search
1. Mention that preparing for a computer search and seizure is probably the most
important step in computing investigations.
2. Explain that to perform these tasks, you might need to get answers from the victim and
an informant, who could be a police detective assigned to the case, a law enforcement
witness, or a manager or coworker of the person of interest to the investigation.
1. Mention that when you’re assigned a computing investigation case, you start by
identifying the nature of the case, including whether it involves the private or public
sector.
2. Explain that the nature of the case dictates how you proceed, and what types of assets or
resources you need to use in the investigation.
1. Explain that for law enforcement, this step might be difficult because the crime scene
isn’t controlled. If you can identify the OS or device, estimate the size of the storage
device on the suspect’s computer and determine how many digital devices you have to
process at the scene.
2. Mention that you should also determine what hardware might be involved, such as PCs
or mobile devices, including smartphones, tablets, Fitbits, and laptops.
1. Explain that the type of case and the location of the evidence determine whether you
can remove computers from the scene.
2. Mention that law enforcement investigators need a warrant to remove computers from a
crime scene and transport them to a lab. In addition, if removing the computers will
irreparably harm a business, the computers should not be taken offsite.
3. Mention the additional complication of files stored offsite that are accessed remotely.
With the popularity of cloud storage, this is becoming a common problem.
4. Explain that if you aren’t allowed to take the computers to your lab, then you need to
determine the resources you need to acquire digital evidence and which tools can speed
up data acquisition.
1. Encourage your students to get as much information as they can about the location and
conditions of the crime scene location.
2. If you have to deal with hazardous materials, keep a tight interaction with your
HAZMAT team and follow the HAZMAT guidelines, including:
a. Protect your safety and health while protecting the evidence
b. Put the target drive in a special HAZMAT bag; the HAZMAT technician can
then decontaminate the bag
c. Check for high temperatures
1. Illustrate situations where you may need the help of specialists. For example, when
dealing with special operating systems, RAID servers, or databases like Oracle.
1. Mention that you should prepare your tools using incident and crime scene information.
2. Use Figure 4-4 and Tables 4-1 and 4-2 to explain how to construct and when to use an
initial-response field kit and an extensive-response field kit.
1. Explain to your students the importance of reviewing all the details about the incident
with the investigation team to produce a coordinated plan of action for collecting and
securing the evidence.
Quick Quiz 1
1. The ISO standard 27037 gives guidance on what procedures countries should have in
place for _____.
Answer: digital evidence
2. A statement made while testifying at a hearing by someone other than an actual witness
is known as _____.
Answer: hearsay
3. ____ records are data the system maintains, such as system log files and proxy server
logs.
Answer: Computer-generated
4. NGOs must comply with state public disclosure and federal _____ laws and make
certain documents available as public records.
Answer: Freedom of Information Act (FOIA)
5. ____ is the standard specifying whether a police officer has the right to make an arrest,
conduct a personal or property search, or obtain a warrant for arrest.
Answer: Probable cause
Securing a Computer Incident or Crime Scene
2. Describe how you can create a security perimeter by using barrier tape and enforcing
legal authority to prevent others from entering the scene.
Seizing Digital Evidence at the Scene
1. Mention that law enforcement can seize all digital systems and peripherals with a
proper warrant. Private-sector investigators rarely can seize evidence.
2. Explain to your students that seizing digital data must follow standards defined by the
U.S. Department of Justice (DOJ) for both criminal and corporate investigations.
3. Emphasize that when seizing digital data, always consult with your attorney for
guidelines on how to proceed.
1. Mention that the evidence you acquire at the scene depends on the nature of the case
and the alleged crime or violation.
2. List some of the questions that you need to ask your supervisor or senior forensics
examiner in your organization before acquiring digital evidence, including:
a. Do you need to take the entire computer and all peripherals and media in the
immediate area?
b. How are you going to protect the computer and media while transporting them
to your lab?
c. Is the computer powered on when you arrive?
d. Is the suspect you’re investigating in the immediate area of the computer?
e. Is it possible the suspect damaged or destroyed the computer, peripherals, or
media?
f. Will you have to separate the suspect from the computer?
1. Present a list with guidelines for processing a crime scene. The list should include
guidelines for securing the area, dealing with live computers, securely saving files,
properly closing current applications, and shutting down the computer.
2. Illustrate each one of these guidelines with as many examples as you can.
4. Explain that you should also look for information related to the investigation, such as
passwords, passphrases, PINs, and bank accounts. Finally, collect documentation and
media related to the investigation.
5. List the documentation items that students should collect, including the following
material:
a. Hardware, including peripheral devices
b. Software, including OSs and applications
c. All media, such as USB drives, backup tapes, and disks
d. All documentation, manuals, printouts, and handwritten notes
1. Define sparse acquisition as a technique for extracting evidence from large systems. It
extracts only data related to evidence for your case from allocated files, and minimizes
how much data you need to analyze.
2. Explain that one drawback of this technique is that it doesn’t recover data in free or
slack space.
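To make items 1 and 2 concrete, the following added example (not from the textbook) acquires data two ways from a toy disk image: a sparse, logical copy of the allocated bytes of one file, and a bit-stream copy of every cluster. The image, its 16-byte clusters, the file names and the allocation table are all constructed here; real tools read the file system's own metadata instead, and vendors differ in what they call this technique.

```python
"""Sparse (logical) acquisition versus a bit-stream copy, on a toy disk image.

Added example, not from the textbook. The 'disk' is a constructed byte
string with 16-byte clusters and a hand-written allocation table, so it
runs offline; real acquisitions read the file system's own metadata.
"""
from __future__ import annotations

CLUSTER = 16  # toy cluster size in bytes


def build_sample_image() -> tuple[bytes, dict]:
    """Construct an 8-cluster image and its allocation table.

    Cluster map: 0-1 reserved; 2-3 memo.txt (20 bytes, so 12 bytes of slack
    at the end of cluster 3); 4 notes.txt (exactly one cluster); 5 unallocated
    but still holding a deleted file's content; 6-7 unallocated and zeroed.
    """
    clusters = [b"\x00" * CLUSTER for _ in range(8)]
    clusters[2] = b"Quarterly memo: "        # first 16 bytes of memo.txt
    clusters[3] = b"sell" + b"OLD-PASSWD12"  # last 4 live bytes + 12 slack bytes
    clusters[4] = b"meet at 10, rm 4"        # notes.txt, fills its cluster
    clusters[5] = b"DELETED: acct 99"        # residue of a deleted file
    assert all(len(c) == CLUSTER for c in clusters)
    table = {
        "memo.txt": {"clusters": [2, 3], "size": 20},
        "notes.txt": {"clusters": [4], "size": 16},
    }
    return b"".join(clusters), table


def sparse_acquire(image: bytes, table: dict, wanted: list[str]) -> dict[str, bytes]:
    """Logical copy: only the allocated bytes of the named files, up to each EOF."""
    out = {}
    for name in wanted:
        entry = table[name]
        data = b"".join(image[c * CLUSTER:(c + 1) * CLUSTER] for c in entry["clusters"])
        out[name] = data[:entry["size"]]  # truncating at EOF drops the slack bytes
    return out


def bitstream_acquire(image: bytes) -> bytes:
    """Bit-stream copy: every cluster, allocated or not."""
    return bytes(image)


def compare_acquisitions(image: bytes, table: dict) -> dict[str, bool]:
    """Search both copies for the live file, its slack, and the deleted residue."""
    sparse = b"".join(sparse_acquire(image, table, ["memo.txt"]).values())
    full = bitstream_acquire(image)
    return {
        "sparse_has_memo": b"Quarterly memo: sell" in sparse,
        "sparse_has_slack": b"OLD-PASSWD12" in sparse,
        "sparse_has_deleted": b"DELETED" in sparse,
        "full_has_slack": b"OLD-PASSWD12" in full,
        "full_has_deleted": b"DELETED" in full,
    }


if __name__ == "__main__":
    img, tbl = build_sample_image()
    for check, found in compare_acquisitions(img, tbl).items():
        print(f"{check:20} {found}")
```

The string search at the end is the point: the sparse copy contains the memo but neither the 12 slack bytes past its end of file nor the residue of the deleted file in an unallocated cluster, both of which the bit-stream copy retains.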
2. Explain that a technical advisor can help you list the tools you need to process the
incident or crime scene. The advisor is the person guiding you about where to locate
data and helping you extract log records or other evidence from large RAID servers. A
technical advisor can also help create the search warrant by itemizing what you need for
the warrant.
1. Explain that you should be sure to record your activities and findings as you work. For
this, maintain a journal to record the steps you take as you process evidence.
2. Explain that your goal is to be able to reproduce the same results when you or another
investigator repeat the steps you took to collect evidence.
3. Mention that a journal serves as a reference that documents the methods you used to
process digital evidence.
1. Mention that you must maintain the integrity of digital evidence in the lab as you do
when collecting it in the field.
Storing Digital Evidence
1. Explain that the media you use to store digital evidence usually depends on how long
you need to keep it.
2. Mention that the ideal media for storing digital evidence used to be CDs and DVDs.
The optimum choice now is solid-state USB drives. You can also store your digital
evidence on magnetic tape.
3. Explain that magnetic tapes have more capacity and a longer lifespan than CDs and
DVDs, but they are much more expensive as well.
1. Explain that to help maintain the chain of custody for digital evidence, you should
restrict access to your lab and evidence storage area. Your lab should also have a sign-in
roster for all visitors. These logs should be maintained for a period based on legal
requirements.
2. Use Figure 4-5 to show that an evidence custody form should contain an entry for every
person who handles the evidence.
3. Emphasize that if you need to retain evidence indefinitely, you must check with your
local prosecuting attorney’s office or state laws to make sure you’re in compliance.
Documenting Evidence
1. Mention that to document evidence, you can create or use an evidence custody form. An
evidence custody form serves the following functions:
a. Identifies the evidence
b. Identifies who has handled the evidence
c. Lists dates and times the evidence was handled
2. Explain that you can add more information to your form, such as a section listing MD5
and SHA-1 hash values (and, because both algorithms now have practical collision
attacks, a SHA-256 value alongside them). Include any detailed information you might
need to reference. Evidence bags also include labels or evidence forms you can use to
document your evidence.
Obtaining a Digital Hash
6. Explain that most computer forensics hashing needs can be satisfied with a nonkeyed
hash set, a unique hash value computed from the data alone by a software tool, such as
the Linux md5sum command; anyone holding the same data can recompute and check it. A
keyed hash set is created by an encryption utility using a secret key, so it can be
recomputed only by someone who holds that key.
7. Describe how to use the MD5 function in FTK Imager to obtain the digital signature of
a file or an entire drive. Use Figure 4-6 to illustrate your explanation.
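An added example (not from the textbook, and not FTK Imager's or md5sum's code) that computes the nonkeyed MD5, SHA-1 and SHA-256 values of an image in chunks, as those tools do for a whole drive, produces a keyed hash (HMAC) for contrast with item 6, and verifies a duplicate against the values recorded at acquisition, which is the comparison item 4 under Identifying Digital Evidence calls for. The 64 KiB "image" and the HMAC key are constructed placeholders.

```python
"""Obtaining and checking digital hashes of a drive image.

Added example, not from the textbook. Computes the nonkeyed digests that
md5sum/sha1sum or FTK Imager would report for an image, adds SHA-256, shows
a keyed hash (HMAC) for contrast, and verifies a copy against the values
written on the custody form. The image and the key are constructed.
"""
import hashlib
import hmac
import io

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-terabyte image never sits in memory


def nonkeyed_hashes(stream, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Digests of the data alone: anyone with the same data can recompute them."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hashes_of_bytes(data: bytes) -> dict:
    """Convenience wrapper for data already in memory."""
    return nonkeyed_hashes(io.BytesIO(data))


def keyed_hash(stream, key: bytes) -> str:
    """HMAC-SHA256: recomputing it needs the secret key, not just the data."""
    mac = hmac.new(key, digestmod="sha256")
    for block in iter(lambda: stream.read(CHUNK), b""):
        mac.update(block)
    return mac.hexdigest()


def verify_copy(copy: bytes, recorded: dict) -> dict:
    """Compare a duplicate against the values recorded at acquisition, per algorithm."""
    actual = nonkeyed_hashes(io.BytesIO(copy), tuple(recorded))
    return {name: hmac.compare_digest(actual[name], recorded[name]) for name in recorded}


def build_sample_image() -> bytes:
    """Constructed 64 KiB 'drive image': a zeroed first sector, a line of text, filler."""
    return b"\x00" * 512 + b"receipt #4471 paid to cash\n" + b"\xff" * (65536 - 512 - 27)


def demo() -> dict:
    original = build_sample_image()
    recorded = hashes_of_bytes(original)   # the values entered on the custody form
    good_copy = bytes(original)
    bad_copy = bytearray(original)
    bad_copy[600] ^= 0x01                  # a single flipped bit in the filler
    return {
        "recorded": recorded,
        "good_copy": verify_copy(good_copy, recorded),
        "bad_copy": verify_copy(bytes(bad_copy), recorded),
        "hmac": keyed_hash(io.BytesIO(original), b"placeholder-lab-key"),
    }


if __name__ == "__main__":
    result = demo()
    for name, value in result["recorded"].items():
        print(f"{name:7} {value}")
    print("good copy matches:", result["good_copy"])
    print("bad copy matches: ", result["bad_copy"])
    print("hmac-sha256      :", result["hmac"])
```

Running `md5sum image.dd` on the same file prints the same recorded MD5 value. The comparison uses hmac.compare_digest so it is constant-time, and every algorithm is checked rather than just one: a single flipped bit changes all three digests, while a matching set across algorithms is what you want recorded. MD5 and SHA-1 remain widely accepted for integrity checks, but both have practical collision attacks, so record SHA-256 alongside them on the custody form.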
Reviewing a Case
1. This section describes the following general tasks you perform in any computer
forensics case:
a. Identify the case requirements
b. Plan your investigation
c. Conduct the investigation
d. Complete the case report
e. Critique the case
1. Present an example of a policy violation and the steps a digital forensics investigator
should take during the investigation.
2. Define terms like covert surveillance and sniffing tools. Accompany your definitions
with examples.
1. Introduce the M57 Patents case where a computer that was discovered to contain
“kitty” porn was traced back to M57 Patents.
1. Explain that during this phase, you must find out some background information on the
case, including:
a. Who the main players are
1. Use Figures 4-8 through 4-12 to describe how to acquire evidence with OSForensics.
Quick Quiz 2
1. Evidence is commonly lost or corrupted through ____, which involves the presence of
police officers and other professionals who aren’t part of the crime scene-processing
team.
Answer: professional curiosity
2. If a 30-year lifespan for data storage is acceptable for your digital evidence, older _____
systems are a good choice.
Answer: DLT magnetic tape cartridge
3. The _____ is a mathematical algorithm that determines whether a file’s contents have
changed.
Answer: CRC or Cyclic Redundancy Check
4. A(n) ____ is a unique hash number generated by a software tool, such as the Linux
md5sum command.
Answer: nonkeyed hash set
2. Have students analyze and discuss a case where Company A claims its network was
compromised by a connection from Company B network. How should both companies
proceed? Who should be involved?
Additional Projects
1. Have students develop a policy that states a corporate right to conduct investigations on
its computer assets.
Additional Resources
1. Freedom of Information Act (United States):
https://foia.state.gov/Learn/FOIA.aspx
3. Search warrant:
https://www.nolo.com/legal-encyclopedia/search-warrants
Key Terms
Automated Fingerprint Identification Systems (AFIS) — A computerized system for
identifying fingerprints that’s connected to a central database; used to identify criminal
suspects and review thousands of fingerprint samples at high speed.
computer-generated records — Data the system maintains, such as system log files
and proxy server logs.
computer-stored records — Electronic data that a person creates and saves on a
computer or digital device, such as a spreadsheet or word processing document.
covert surveillance — Observing people or places without being detected, often using
electronic equipment, such as video cameras or keystroke/screen capture programs.
Cyclic Redundancy Check (CRC) — A mathematical algorithm that determines
whether a file’s contents have changed.
digital evidence — Evidence consisting of information stored or transmitted in
electronic form.
extensive-response field kit — A response kit with all the tools you can afford to take
to the field.
hash value — A unique hexadecimal value that can be used to verify that a file or drive
hasn’t changed or been tampered with.