Digital Forensics: Processing Crime and Incident Scenes
Module 3
Processing Crime and Incident Scenes
Digital Evidence
Databases
The contents of computer memory and memory storage devices such as hard disks, CDs, DVDs, USB drives, digital tapes, floppies
Computer backups
Printouts
Global Positioning System data
Logs from electronic door locks
Spreadsheets
Web browser logs
Mobile phone call logs
Computer programs/software
Data from handheld devices, peripheral devices (monitors, keyboards, mouse, memory sticks, thumb drives, zip disks), network devices
Answering machines
Network cards
Hubs
Modems
Network switches
Ethernet cables
Power supplies
Wireless access points
Wireless devices
Photocopying machines
Routers
IP addresses
LAN / MAC / Network Interface Card addresses
Digital audio/video recorders
MP3 players
Video game consoles
Servers
Magnetic stripe cards
Virtual machines
Cloud-based storage
Network-attached storage
Telecom equipment
Cell phone towers
Skimmers
Social media
Wearables including activity trackers, body cams
Automated License Plate Readers
TASERs
Smart TVs
Baby monitors
Personal digital assistants
Keyloggers
Videotapes
Wireless network equipment
Web sites
Card readers
RFID tags
SWGDE
Scientific Working Group on Digital Evidence (SWGDE) sets standards for retrieving, maintaining, and analyzing digital evidence
https://www.swgde.org
Exercise
Identify the tasks investigators must perform when working with digital evidence.
Give examples of situations where original evidence can't be used in court.
Give examples of situations where additional technical expertise may be needed.
What is the initial-response field kit? What does it contain?
What is the extensive-response field kit? What does it contain?
Exercise
Attorneys may challenge digital evidence. They may ask whether the digital evidence was altered or damaged. How can you prove that the evidence is authentic?
Hint: The original creator of a Microsoft Word document can be identified by using file metadata.
Discuss terminology such as Fourth Amendment, warrants, innocent information, limiting phrase, plain view doctrine.
Exercise
Discuss the issues involved when collecting evidence from private-sector incident scenes.
Discuss the issues involved when collecting evidence from public-sector incident scenes.
Discuss the issues involved in seizing computers and digital devices.
Give guidelines for processing an incident scene.
How can you shield computers and media devices from damage, danger, and destruction while transporting them to the lab?
Is the suspected perpetrator in the immediate vicinity of the computer or media device?
Is it probable that the suspect harmed or ruined the computer and media devices?
Should the suspect be kept away from the computer?
Safety tips
It is safer to have at least two copies of every image to avoid data loss
It is better to use different tools to produce the images
Limit access to the lab and evidence storage area to prevent loss, damage, and alteration
Maintain the chain of custody for digital evidence
Document the evidence
Use evidence custody forms
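As an added illustration (not part of the original slides) of the authenticity exercise above and of the "two copies, different tools" safety tip: the hashes of the image are recorded on the custody form at acquisition, and every copy is re-hashed before it is relied on, so a copy that was altered or damaged in transit is detected rather than presented as the original. The evidence ID, file names and image bytes are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path
from tempfile import TemporaryDirectory

def hash_file(path, algorithms=("md5", "sha256"), chunk=1 << 20):
    """Hash a file in chunks (images are large); returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while block := f.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_copies(acquisition_hashes, copy_paths):
    """Compare each image copy with the hashes recorded at acquisition.
    Returns (all_ok, report); a copy whose hashes differ is not a faithful
    duplicate and must not be presented as the original."""
    report = {}
    for path in copy_paths:
        digests = hash_file(path)
        report[str(path)] = {"hashes": digests, "verified": digests == acquisition_hashes}
    return all(r["verified"] for r in report.values()), report

def custody_entry(evidence_id, action, handler, hashes):
    """One chain-of-custody record: who handled the item, what, when, and the hashes seen."""
    return {"evidence_id": evidence_id, "action": action, "handler": handler,
            "timestamp": datetime.now(timezone.utc).isoformat(), "hashes": hashes}

def demo():
    """Constructed scenario (evidence ID, file names and image bytes are made up):
    two copies of the same image, one per tool, then one copy gets altered."""
    with TemporaryDirectory() as tmp:
        image = b"CONSTRUCTED-DISK-IMAGE" * 4096          # stands in for the acquired media
        copy_a, copy_b = Path(tmp) / "EV-001_tool_a.dd", Path(tmp) / "EV-001_tool_b.dd"
        copy_a.write_bytes(image)
        copy_b.write_bytes(image)
        acquired = hash_file(copy_a)                       # recorded on the custody form
        log = [custody_entry("EV-001", "acquired", "examiner-1", acquired)]
        ok_before, _ = verify_copies(acquired, [copy_a, copy_b])
        # Simulate damage in transit: a single flipped byte in copy B.
        data = bytearray(copy_b.read_bytes())
        data[100] ^= 0xFF
        copy_b.write_bytes(bytes(data))
        ok_after, report = verify_copies(acquired, [copy_a, copy_b])
        log.append(custody_entry("EV-001", "verified", "examiner-2", report[str(copy_a)]["hashes"]))
        return {"ok_before": ok_before, "ok_after": ok_after, "report": report,
                "log": log, "acquired": acquired}
```

Running `demo()` shows both copies verifying before transit and only copy A verifying afterwards, with each custody entry carrying the hashes observed at that step.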