
Guide to Computer Forensics and Investigations, Sixth Edition 4-1

Chapter 4
Processing Crime and Incident Scenes

At a Glance

Instructor’s Manual Table of Contents


• Overview

• Objectives

• Teaching Tips

• Quick Quizzes

• Class Discussion Topics

• Additional Projects

• Additional Resources

• Key Terms

© 2019 Cengage Learning. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for
use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for school-approved
learning management system or classroom use.

Lecture Notes

Overview
In this chapter, you learn how to process a computer investigation scene. Evidence rules
are critical, whether you’re on a corporate or a criminal case. As you’ll see, a civil case
can quickly become a criminal case, and a criminal case can revert to a civil case. This
chapter examines rules of evidence in the United States, but the procedures apply in
most courts worldwide. Chapter 4 also describes differences between a business (private
entity) and a law enforcement organization (public entity) in needs and concerns, and
discusses incident-scene processing for both types of investigations. This chapter also
discusses how the Fourth Amendment relates to private-sector and law enforcement
digital investigations in the United States. Finally, this chapter explains how to apply
standard crime scene practices and rules of evidence to corporate and law enforcement
computing investigations.

Chapter Objectives
• Explain the rules for controlling digital evidence
• Describe how to collect evidence at private-sector incident scenes
• Explain guidelines for processing law enforcement crime scenes
• List the steps in preparing for an evidence search
• Describe how to secure a computer incident or crime scene
• Explain guidelines for seizing digital evidence at the scene
• List procedures for storing digital evidence
• Explain how to obtain a digital hash
• Review a case to identify requirements and plan your investigation

Teaching Tips
Identifying Digital Evidence

1. Define digital evidence as any information stored or transmitted in digital form. U.S.
courts accept digital evidence as physical evidence, which means that digital data is a
tangible object.

2. Mention that some countries used to require that all digital evidence be printed out to be
presented in court.

3. Describe some of the general tasks investigators perform when working with digital
evidence, including:
a. Identify digital information or artifacts that can be used as evidence
b. Collect, preserve, and document evidence

c. Analyze, identify, and organize evidence
d. Rebuild evidence or repeat a situation to verify that the results can be
reproduced reliably

4. Mention that collecting computers and processing a criminal or incident scene must be
done systematically.

Understanding Rules of Evidence

1. Explain that consistent practices help verify your work and enhance your credibility. In
addition, you should comply with your state’s rules of evidence or with the Federal
Rules of Evidence.

Teaching Tip: You can review the Federal Rules of Evidence at:
http://federalevidence.com/downloads/rules.of.evidence.pdf

2. Mention that evidence admitted in a criminal case can be used in a civil suit, and vice
versa.

3. Describe the importance of keeping current on the latest rulings and directives on
collecting, processing, storing, and admitting digital evidence.

4. Mention that digital evidence is unlike other physical evidence because it can be
changed more easily. The only way to detect these changes is to compare the original
data with a duplicate.

5. Explain that one concern when dealing with digital records is the concept of hearsay.
Hearsay is secondhand or indirect evidence, which is not admissible unless it falls under
the business-record exception.

6. Explain that the business-record exception allows “records of regularly conducted
activity,” such as business memos, reports, records, or data compilations.

7. Describe the following two categories of computer records:
a. Computer-generated records
b. Computer-stored records

8. Explain that computer-generated and computer-stored records must also be shown to be
authentic and trustworthy to be admitted into evidence. Computer-generated records are
considered authentic if the program that created the output is functioning correctly.

9. Mention that collecting evidence according to the approved steps of evidence control
helps ensure that the computer evidence is authentic.


10. Mention that when attorneys challenge digital evidence, often they raise the issue of
whether computer-generated records were altered or damaged after they were created.

11. Explain that one test to prove that computer-stored records are authentic is to
demonstrate that a specific person created the records. For example, the author of a
Microsoft Word document can be identified by using file metadata. Use Figures 4-1 and
4-2 to illustrate your explanation.

12. Mention that the process of establishing digital evidence’s trustworthiness originated
with written documents and the best evidence rule.

13. Explain that the best evidence rule states that to prove the content of a written
document, a recording, or a photograph, ordinarily the original file is required.

14. Explain that the Federal Rules of Evidence allow a duplicate instead of the original when
the duplicate is produced by the same impression as the original. As long as bit-stream
copies of data are created and maintained properly, the copies can be admitted in court,
although they aren’t considered best evidence.

Collecting Evidence in Private-Sector Incident Scenes

1. Mention that private-sector organizations include small to medium businesses, large
corporations, and non-government organizations (NGOs), which might get funding
from the government or other agencies.

2. Explain that NGOs must comply with state public disclosure and federal Freedom of
Information Act (FOIA) laws and make certain documents available as public records.
The FOIA allows citizens to request copies of public documents created by federal
agencies.

Teaching Tip: For a more complete description of the Freedom of Information Act (FOIA),
visit: www.state.gov/m/a/ips/.

3. Mention that a special category of private-sector businesses includes ISPs and other
communication companies. ISPs can investigate computer abuse committed by their
employees, but not by customers, except for activities that are deemed to create an
emergency situation.

4. Explain that investigating and controlling computer incident scenes in the corporate
environment is much easier than in the criminal environment because the incident scene
is often a workplace.


5. Explain that typically, businesses have inventory databases of computer hardware and
software, which help identify the computer forensics tools needed to analyze a policy
violation and the best way to conduct the analysis.

6. In addition, a corporate policy statement about misuse of computing assets allows
private-sector investigators to conduct covert surveillance with little or no cause, and
allows them to access company systems without a warrant.

7. Mention that companies should display a warning banner or publish a policy stating that
they reserve the right to inspect computing assets at will.

8. Explain that private-sector investigators should know under what circumstances they
can examine an employee’s computer. Every organization must also have a well-
defined process describing when an investigation can be initiated.

9. Mention that if a private-sector investigator finds that an employee is committing or has
committed a crime, the employer can file a criminal complaint with the police.

10. Emphasize that employers are usually interested in enforcing company policy, not
seeking out and prosecuting employees. Private-sector investigators are, therefore,
primarily concerned with protecting company assets.

11. Describe the actions to follow if you discover evidence of a crime during a company
policy investigation, including:
a. Determine whether the incident meets the elements of criminal law
b. Inform management of the incident
c. Stop your investigation to make sure you don’t violate Fourth Amendment
restrictions on obtaining evidence
d. Work with the corporate attorney to write an affidavit confirming your findings

Processing Law Enforcement Crime Scenes

1. Mention that to process a crime scene correctly, you must be familiar with criminal
rules of search and seizure. You should also understand how a search warrant works
and what to do when you process one.

2. Explain that law enforcement officers may search for and seize criminal evidence only
with probable cause, which is the standard specifying whether a police officer has the
right to make an arrest, conduct a personal or property search, or obtain a warrant for
arrest.

3. Mention that with probable cause, a police officer can obtain a search warrant from a
judge that authorizes a search and seizure of specific evidence related to the criminal
complaint.


4. Explain that the Fourth Amendment states that only warrants “particularly describing
the place to be searched, and the persons or things to be seized” can be issued.

Teaching Tip: Visit http://landmarkcases.org/en/landmark/home for descriptions of landmark
cases of the U.S. Supreme Court.

Understanding Concepts and Terms Used in Warrants

1. Define innocent information as unrelated information often included with the evidence
you’re trying to recover.

2. Explain that judges often issue a limiting phrase to the warrant, which allows the police
to separate innocent information from evidence.

3. Explain that the plain view doctrine states that objects falling in plain view of an officer
who has the right to be in position to have that view are subject to seizure without a
warrant and can be introduced in evidence.

4. Discuss the three criteria that must be met for the plain view doctrine to apply:
a. Officer is where he or she has a legal right to be
b. Ordinary senses must not be enhanced by advanced technology in any way
c. Any discovery must be by chance

Preparing for a Search

1. Mention that preparing for a computer search and seizure is probably the most
important step in computing investigations.

2. Explain that to perform these tasks, you might need to get answers from the victim and
an informant, who could be a police detective assigned to the case, a law enforcement
witness, or a manager or coworker of the person of interest to the investigation.

Identifying the Nature of the Case

1. Mention that when you’re assigned a computing investigation case, you start by
identifying the nature of the case, including whether it involves the private or public
sector.

2. Explain that the nature of the case dictates how you proceed, and what types of assets or
resources you need to use in the investigation.


Identifying the Type of OS or Digital Device

1. Explain that for law enforcement, this step might be difficult because the crime scene
isn’t controlled. If you can identify the OS or device, estimate the size of the storage
device on the suspect’s computer and determine how many digital devices you have to
process at the scene.

2. Mention that you should also determine what hardware might be involved, such as PCs
or mobile devices, including smartphones, tablets, Fitbits, and laptops.

Teaching Tip: Discuss the benefits of having configuration management databases to identify
the type of computing system. This is typically the case for corporate
investigations.

Determining Whether You Can Seize Computers and Digital Devices

1. Explain that the type of case and the location of the evidence determine whether you
can remove computers from the scene.

2. Mention that law enforcement investigators need a warrant to remove computers from a
crime scene and transport them to a lab. In addition, if removing the computers will
irreparably harm a business, the computers should not be taken offsite.

3. Mention the additional complication of files stored offsite that are accessed remotely.
With the popularity of cloud storage, this is becoming a common problem.

4. Explain that if you aren’t allowed to take the computers to your lab, then you need to
determine the resources you need to acquire digital evidence and which tools can speed
up data acquisition.

Getting a Detailed Description of the Location

1. Encourage your students to get as much information as they can about the location and
conditions of the crime scene location.

2. If you have to deal with hazardous materials, work closely with your HAZMAT team
and follow the HAZMAT guidelines, including:
a. Protect your safety and health while protecting the evidence
b. Put the target drive in a special HAZMAT bag; the HAZMAT technician can
then decontaminate the bag
c. Check for high temperatures


Determining Who Is in Charge

1. Describe the differences between private-sector computing investigations and
investigations handled by law enforcement agencies.

Using Additional Technical Expertise

1. Illustrate situations in which you may need the help of specialists, for example, when
dealing with special operating systems, RAID servers, or databases such as Oracle.

2. Mention that specialists need to be trained in proper investigation techniques to avoid
damaging the evidence.

Determining the Tools You Need

1. Mention that you should prepare your tools using incident and crime scene information.

2. Use Figure 4-4 and Tables 4-1 and 4-2 to explain how to construct and when to use an
initial-response field kit and an extensive-response field kit.

Preparing the Investigation Team

1. Explain to your students the importance of reviewing all the details about the incident
with the investigation team to produce a coordinated plan of action for collecting and
securing the evidence.

2. Mention that a slow response can cause digital evidence to be lost.

Quick Quiz 1
1. The ISO standard 27037 gives guidance on what procedures countries should have in
place for _____.
Answer: digital evidence

2. A statement made while testifying at a hearing by someone other than an actual witness
is known as _____.
Answer: hearsay

3. ____ records are data the system maintains, such as system log files and proxy server
logs.
Answer: Computer-generated

4. NGOs must comply with state public disclosure and federal _____ laws and make
certain documents available as public records.
Answer: Freedom of Information Act (FOIA)

5. ____ is the standard specifying whether a police officer has the right to make an arrest,
conduct a personal or property search, or obtain a warrant for arrest.
Answer: Probable cause

Securing a Computer Incident or Crime Scene

1. Mention the two major benefits of securing the crime scene:
a. Preserve evidence integrity
b. Keep information about the incident or crime confidential

2. Describe how you can create a security perimeter by using barrier tape and enforcing
legal authority to prevent others from entering the scene.

3. Define professional curiosity and explain its negative effects.

Seizing Digital Evidence at the Scene

1. Mention that law enforcement can seize all digital systems and peripherals with a
proper warrant. Private-sector investigators rarely can seize evidence.

2. Explain to your students that seizing digital data must follow standards defined by the
U.S. Department of Justice (DOJ) for both criminal and corporate investigations.

3. Emphasize that when seizing digital data, always consult with your attorney for
guidelines on how to proceed.

Preparing to Acquire Digital Evidence

1. Mention that the evidence you acquire at the scene depends on the nature of the case
and the alleged crime or violation.

2. List some of the questions that you need to ask your supervisor or senior forensics
examiner in your organization before acquiring digital evidence, including:
a. Do you need to take the entire computer and all peripherals and media in the
immediate area?
b. How are you going to protect the computer and media while transporting them
to your lab?
c. Is the computer powered on when you arrive?
d. Is the suspect you’re investigating in the immediate area of the computer?
e. Is it possible the suspect damaged or destroyed the computer, peripherals, or
media?
f. Will you have to separate the suspect from the computer?


Processing an Incident or Crime Scene

1. Present a list with guidelines for processing a crime scene. The list should include
guidelines for securing the area, dealing with live computers, securely saving files,
properly closing current applications, and shutting down the computer.

2. Illustrate each one of these guidelines with as many examples as you can.

3. Describe the steps to properly bag and tag evidence, including:
a. Assign one person, if possible, to collect and log all evidence
b. Tag all the evidence you collect with the current date and time, serial numbers
or unique features, make and model, and the name of the person who collected it
c. Maintain two separate logs of collected evidence
d. Maintain constant control of the collected evidence and the crime or incident
scene

4. Explain that you should also look for information related to the investigation, such as
passwords, passphrases, PINs, and bank accounts. Finally, collect documentation and
media related to the investigation.

5. List the documentation items that students should collect, including the following
material:
a. Hardware, including peripheral devices
b. Software, including OSs and applications
c. All media, such as USB drives, backup tapes, and disks
d. All documentation, manuals, printouts, and handwritten notes

Processing Data Centers with RAID Systems

1. Define sparse acquisition as a technique for extracting evidence from large systems. It
extracts only data related to evidence for your case from allocated files, and minimizes
how much data you need to analyze.

2. Explain that one drawback of this technique is that it doesn’t recover data in free or
slack space.

Using a Technical Advisor

1. Describe to your students situations in which a technical advisor might be required
when performing a computer investigation.

2. Explain that a technical advisor can help you list the tools you need to process the
incident or crime scene. The advisor is the person guiding you about where to locate
data and helping you extract log records or other evidence from large RAID servers. A
technical advisor can also help create the search warrant by itemizing what you need for
the warrant.

3. Describe the responsibilities assigned to external advisors, including:
a. Know all aspects of the seized system
b. Direct investigators handling sensitive material
c. Help ensure security of the scene
d. Help document the planning strategy
e. Conduct ad hoc trainings
f. Document activities
g. Help conduct the search and seizure

Documenting Evidence in the Lab

1. Explain that you should be sure to record your activities and findings as you work. For
this, maintain a journal to record the steps you take as you process evidence.

2. Explain that your goal is to be able to reproduce the same results when you or another
investigator repeat the steps you took to collect evidence.

3. Mention that a journal serves as a reference that documents the methods you used to
process digital evidence.

Processing and Handling Digital Evidence

1. Mention that you must maintain the integrity of digital evidence in the lab as you do
when collecting it in the field.

2. Describe the steps to create image files, including:
a. Copy all image files to a large drive or a storage area network (SAN)
b. Start your forensics tool to analyze the evidence
c. Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash
d. Secure the original media in an evidence locker

Storing Digital Evidence

1. Explain that the media you use to store digital evidence usually depends on how long
you need to keep it.

2. Mention that the ideal media for storing digital evidence used to be CDs and DVDs.
The optimum choice now is solid-state USB drives. You can also store your digital
evidence on magnetic tapes.

3. Explain that magnetic tapes have more capacity and a longer lifespan than CDs and
DVDs, but they are much more expensive as well.


Evidence Retention and Media Storage Needs

1. Explain that to help maintain the chain of custody for digital evidence, you should
restrict access to your lab and evidence storage area. Your lab should also have a sign-in
roster for all visitors. These logs should be maintained for a period based on legal
requirements.

2. Use Figure 4-5 to show that an evidence custody form should contain an entry for every
person who handles the evidence.

3. Emphasize that if you need to retain evidence indefinitely, you must check with your
local prosecuting attorney’s office or state laws to make sure you’re in compliance.

Documenting Evidence

1. Mention that to document evidence, you can create or use an evidence custody form. An
evidence custody form serves the following functions:
a. Identifies the evidence
b. Identifies who has handled the evidence
c. Lists dates and times the evidence was handled

2. Explain that you can add more information to your form, such as a section listing MD5
and SHA-1 hash values. Include any detailed information you might need to reference.
Evidence bags also include labels or evidence forms you can use to document your
evidence.

Obtaining a Digital Hash

1. Define Cyclic Redundancy Check (CRC) as a mathematical algorithm that determines
whether a file’s contents have changed. The most recent version is CRC-32. CRC is not
considered a forensic hashing algorithm.

2. Define Message Digest 5 (MD5) as a mathematical formula that translates a file, a
folder, or an entire drive into a hexadecimal code value, or a hash value. If a bit or byte
in the file changes, it alters the digital hash.

3. Describe the three rules for forensic hashes:
a. You can’t predict the hash value of a file or device.
b. No two hash values can be the same.
c. If anything changes in the file or device, the hash value must change.

4. Define Secure Hash Algorithm version 1 (SHA-1) as another hashing algorithm
developed by the National Institute of Standards and Technology (NIST).


Teaching Tip: Read more about SHA hash functions at:
https://csrc.nist.gov/Projects/Hash-Functions

5. Mention that in both MD5 and SHA-1, collisions have occurred.

6. Explain that most computer forensics hashing needs can be satisfied with a nonkeyed
hash set, which is a unique hash number generated by a software tool, such as the Linux
md5sum command. A keyed hash set is created by an encryption utility’s secret key.

7. Describe how to use the MD5 function in FTK Imager to obtain the digital signature of
a file or an entire drive. Use Figure 4-6 to illustrate your explanation.
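The hashing step in Processing and Handling Digital Evidence, the hash entries on the evidence custody form, and the three hash rules above, worked through as an added Python example (this is not code from the textbook, the manual, or FTK Imager). The image bytes and the lab key are constructed stand-ins, and the HMAC construction used for the keyed hash set is an assumption, not any particular tool's method.

```python
"""Digital-hash checks for an evidence image: nonkeyed hash set (MD5/SHA-1/SHA-256),
keyed hash set (HMAC), rule (c) one-bit sensitivity, and why CRC-32 is not a forensic hash."""
import hashlib
import hmac
import zlib

# Constructed stand-in for a bit-stream image file; not real evidence.
SAMPLE_IMAGE = b"constructed evidence image: sector data " * 128 + b"\x00" * 512


def crc32_hex(data: bytes) -> str:
    """CRC-32 checksum as 8 hex digits (detects accidental corruption only)."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def nonkeyed_hash_set(data: bytes) -> dict:
    """Nonkeyed hash set, as md5sum or FTK Imager would produce: MD5 and SHA-1 as the
    chapter lists, plus SHA-256 because MD5 and SHA-1 have known collisions."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def keyed_hash(data: bytes, key: bytes) -> str:
    """Keyed hash set: HMAC-SHA-256 under a secret key held by the lab (assumed
    construction). Without the key, nobody can recompute a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def flip_one_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of data with a single bit inverted (simulates one-bit damage)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def verify_against_custody_form(data: bytes, recorded: dict) -> dict:
    """Recompute every hash written on the custody form and compare each one.
    Any False means the image no longer matches what was acquired."""
    current = nonkeyed_hash_set(data)
    return {name: hmac.compare_digest(current[name], value) for name, value in recorded.items()}


def find_crc32_collision(max_tries: int = 400_000):
    """Birthday search for two different 8-byte inputs with equal CRC-32.
    Inputs are derived deterministically from a counter via SHA-256 so the run is
    repeatable. A 32-bit checksum collides after roughly 80,000 samples on average,
    which is why CRC fails rule (b) and is not a forensic hash."""
    seen = {}
    for i in range(max_tries):
        candidate = hashlib.sha256(i.to_bytes(4, "big")).digest()[:8]
        crc = zlib.crc32(candidate)
        if crc in seen and seen[crc] != candidate:
            return seen[crc], candidate, f"{crc:08x}", i + 1
        seen[crc] = candidate
    return None


if __name__ == "__main__":
    # Values written on the custody form at acquisition time.
    recorded = nonkeyed_hash_set(SAMPLE_IMAGE)
    print("recorded on custody form:", recorded)
    print("untouched image verifies:", verify_against_custody_form(SAMPLE_IMAGE, recorded))
    damaged = flip_one_bit(SAMPLE_IMAGE, 1000, 3)
    print("after one flipped bit:", verify_against_custody_form(damaged, recorded))
    print("CRC-32 before:", crc32_hex(SAMPLE_IMAGE), "after:", crc32_hex(damaged))
    print("keyed hash:", keyed_hash(SAMPLE_IMAGE, b"lab-secret-key-constructed"))
    a, b, crc, tries = find_crc32_collision()
    print(f"CRC-32 collision after {tries} inputs: {a.hex()} and {b.hex()} -> {crc}")
```

The collision search takes under a few seconds and finds two distinct inputs sharing a CRC-32; repeating the same search against SHA-256 would not finish, which is the practical difference between a checksum and a forensic hash.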

Reviewing a Case
1. This section describes the following general tasks you perform in any computer
forensics case:
a. Identify the case requirements
b. Plan your investigation
c. Conduct the investigation
d. Complete the case report
e. Critique the case

Sample Civil Investigation

1. Present an example of a policy violation and the steps a digital forensics investigator
should take during the investigation.

2. Define terms like covert surveillance and sniffing tools. Accompany your definitions
with examples.

An Example of a Criminal Investigation

1. Present an example of a criminal investigation, highlighting the role of a warrant. Use
Figure 4-7 to illustrate your explanation.

Reviewing Background Information for a Case

1. Introduce the M57 Patents case, in which a computer discovered to contain “kitty” porn
was traced back to M57 Patents.

Planning the Investigation

1. Explain that during this phase, you must find out some background information on the
case, including:
a. Who the main players are
b. What digital evidence the police seized at the scene

Conducting the Investigation: Acquiring Evidence with OSForensics

1. Use Figures 4-8 through 4-12 to describe how to acquire evidence with OSForensics.

Quick Quiz 2
1. Evidence is commonly lost or corrupted through ____, which involves the presence of
police officers and other professionals who aren’t part of the crime scene-processing
team.
Answer: professional curiosity

2. If a 30-year lifespan for data storage is acceptable for your digital evidence, older _____
systems are a good choice.
Answer: DLT magnetic tape cartridge

3. The _____ is a mathematical algorithm that determines whether a file’s contents have
changed.
Answer: CRC or Cyclic Redundancy Check

4. A(n) ____ is a unique hash number generated by a software tool, such as the Linux
md5sum command.
Answer: nonkeyed hash set

5. Real-time surveillance requires _____ data transmissions, which allows network
administrators and others to determine what data is being transmitted over the network.
Answer: sniffing

Class Discussion Topics

1. Have students discuss the initial- and extensive-response field kits described in this
chapter. What do they think about the kits? Would they add or remove something from
the kits?

2. Have students analyze and discuss a case where Company A claims its network was
compromised by a connection from Company B’s network. How should both companies
proceed? Who should be involved?

Additional Projects
1. Have students develop a policy that states a corporate right to conduct investigations on
its computer assets.

2. Have students investigate appropriate warrant wording for a computer investigation
from the local police department.

Additional Resources
1. Freedom of Information Act (United States):
https://foia.state.gov/Learn/FOIA.aspx

2. USA PATRIOT Act:
https://www.justice.gov/archive/ll/highlights.htm

3. Search warrant:
https://www.nolo.com/legal-encyclopedia/search-warrants

4. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal
Investigations:
http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf

5. Automated Fingerprint Identification System:
https://www.ncjrs.gov/pdffiles1/nij/225326.pdf

6. Covert surveillance software Web sites:
a. www.filesland.com/software/covert-surveillance.html
b. www.deskshare.com/wcm.aspx

Key Terms
• Automated Fingerprint Identification Systems (AFIS) — A computerized system for
identifying fingerprints that’s connected to a central database; used to identify criminal
suspects and review thousands of fingerprint samples at high speed.
• computer-generated records — Data the system maintains, such as system log files
and proxy server logs.
• computer-stored records — Electronic data that a person creates and saves on a
computer or digital device, such as a spreadsheet or word processing document.
• covert surveillance — Observing people or places without being detected, often using
electronic equipment, such as video cameras or keystroke/screen capture programs.
• Cyclic Redundancy Check (CRC) — A mathematical algorithm that determines
whether a file’s contents have changed.
• digital evidence — Evidence consisting of information stored or transmitted in
electronic form.
• extensive-response field kit — A response kit with all the tools you can afford to take
to the field.
• hash value — A unique hexadecimal value that can be used to verify that a file or drive
hasn’t changed or been tampered with.

 hazardous materials (HAZMAT) — Chemical, biological, or radiological substances
that can cause harm to people.
 initial-response field kit — A portable kit containing only the minimum tools needed
to perform disk acquisitions and preliminary forensic analysis in the field.
 innocent information — Data that doesn’t contribute to evidence of a crime or
violation.
 keyed hash set — A hash value computed using an encryption utility's secret key.
 limiting phrase — Wording in a search warrant that limits the scope of a search for
evidence. It allows the police to separate innocent information from evidence.
 low-level investigations — Corporate cases that require less effort than a major
criminal case.
 Message Digest 5 (MD5) — A mathematical formula that generates a hexadecimal
code, or hash value, based on the contents of a file, a folder, or an entire drive. Used to
determine whether data has been changed.
 National Institute of Standards and Technology (NIST) — One of the governing
bodies responsible for setting standards for various U.S. industries.
 nonkeyed hash set — A unique hash number generated by a software tool and used to
identify files.
 person of interest — Someone who might be a suspect or someone with additional
knowledge that can provide enough evidence of probable cause for a search warrant or
arrest.
 plain view doctrine — When conducting a search and seizure, objects in plain view of
a law enforcement officer, who has the right to be in position to have that view, are
subject to seizure without a warrant and can be introduced as evidence.
 probable cause — Standard specifying whether a police officer has the right to make
an arrest, conduct a personal or property search, or obtain a warrant for arrest.
 professional curiosity — A common cause of evidence being lost or corrupted: the
presence of police officers and other professionals who aren't part of the crime scene–
processing team.
 Scientific Working Group on Digital Evidence (SWGDE) — A group that sets
standards for recovering, preserving, and examining digital evidence.
 Secure Hash Algorithm version 1 (SHA-1) — A forensic hashing algorithm created
by NIST to determine whether data in a file or on storage media has been altered.
 sniffing — Detecting data transmissions to and from a suspect’s computer and a
network server to determine the type of data being transmitted over a network.
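The hashing terms above (CRC, MD5, SHA-1, hash value, keyed hash set, nonkeyed hash set) in working form, as an added example for class use; it is not part of this manual or of the textbook. The sample "image", its tampered copy and the examiner key are constructed values, and HMAC-SHA256 stands in for the "encryption utility" of the keyed hash set definition. MD5 and SHA-1 are computed because the glossary names them; both are known to be collision-broken, so new acquisitions are normally recorded with a SHA-2 digest alongside them.

```python
import hashlib
import hmac
import zlib

# Constructed sample: a few hundred bytes standing in for an acquired disk image.
SAMPLE_IMAGE = b"MBR" + bytes(range(256)) * 4 + b"\x55\xaa"
# The same image with one byte altered, standing in for a tampered copy.
TAMPERED_IMAGE = (SAMPLE_IMAGE[:100]
                  + bytes([SAMPLE_IMAGE[100] ^ 0x01])
                  + SAMPLE_IMAGE[101:])
# Constructed (hypothetical) examiner key for the keyed-hash example.
EXAMINER_KEY = b"example-examiner-key-not-a-real-secret"


def fingerprint(data: bytes) -> dict:
    """Nonkeyed hash set for a buffer: CRC32, MD5 and SHA-1 as hex strings.

    Anyone running the same tool gets the same values, which is what makes
    them usable for identifying files and for checking that an image has
    not changed since acquisition.
    """
    return {
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify_unchanged(data: bytes, recorded: dict) -> bool:
    """True if every digest recorded at acquisition matches a fresh computation."""
    current = fingerprint(data)
    return all(current[name] == recorded[name] for name in recorded)


def changed_fields(data: bytes, recorded: dict) -> list:
    """Names of the digests that no longer match; handy for an examination report."""
    current = fingerprint(data)
    return sorted(name for name in recorded if current[name] != recorded[name])


def keyed_hash(data: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can reproduce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(data: bytes, key: bytes, recorded: str) -> bool:
    """Constant-time check of a recorded keyed hash against data and key."""
    return hmac.compare_digest(keyed_hash(data, key), recorded)


if __name__ == "__main__":
    recorded = fingerprint(SAMPLE_IMAGE)  # values written down at acquisition
    print("acquisition hashes :", recorded)
    print("original verifies  :", verify_unchanged(SAMPLE_IMAGE, recorded))
    print("tampered verifies  :", verify_unchanged(TAMPERED_IMAGE, recorded))
    print("digests that differ:", changed_fields(TAMPERED_IMAGE, recorded))
    tag = keyed_hash(SAMPLE_IMAGE, EXAMINER_KEY)
    print("keyed hash, right key:", verify_keyed(SAMPLE_IMAGE, EXAMINER_KEY, tag))
    print("keyed hash, wrong key:", verify_keyed(SAMPLE_IMAGE, b"other", tag))
```

A single flipped byte changes all three nonkeyed digests, which is the property an examiner relies on when re-hashing an image before analysis. The keyed hash adds a second property: a party who can recompute MD5 or SHA-1 freely still cannot forge a matching value without the examiner's key.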
