Digital Evidence Flashcards
(32 cards)
How do we get from the crime scene -> court?
- Search/ seizure, Profiling, Attribution
- Telecoms, Digital forensics, Profiling, Attribution
- CJS
How should you preserve evidence from a crime scene?
- ideally, no data should be altered when seizing digital evidence (ACPO)
- document the entire scene/location from which digital evidence is seized
- collect, label and preserve digital evidence
- package and securely/safely transport evidence
Why should you document a scene?
Zoning for organising and documenting a search
How should you handle standalone computers when seizing them?
- Is it turned OFF/ON - how can you tell?
- If OFF - disconnect computer and bag/tag
- if ON - check and photograph the screen
- are there any signs of data being destroyed?
- look out for the words: delete, format, remove, copy, move, cut, wipe
- are there any signs of active communications - WhatsApp, Chat Rooms
- remove power directly
How should you handle laptops when seizing them?
- portable, more difficult to attribute?
- how can you remove the power?
- it might be ON but sleeping/hibernating
- encryption more likely
How should you handle external drives/disks when seizing them?
- should you seize?
- could they be powered ON?
- how to transport safely?
- how to find them?
- encrypted disks?
How to carry out Attribution?
- timing/location
- ask questions of suspects
- ask questions of witnesses
- note down locations
- receipts for equipment
How should you handle mobile phones when seizing them?
Isolate it from the mobile network:
- turn it off
- turn on airplane mode
- remove SIM
- place in Faraday bag
- check date/time
- check battery level
Turning it OFF may lock you out for good!!
How should you handle wireless routers when seizing them?
- internet operator
- wifi name
- turned on/off
- connected devices -> whose?
- seize?
What is digital profiling?
Patterns of usage
- using data to build a picture of who an individual is
- determine whether data activity is outside of what’s normal for an individual
What digital identifiers can make up a digital profile?
- Services/storage
- Passwords
- User id
- Device bank account
- Device identifiers
- Phone numbers
- Physical addresses
- Account name
- IP Address
What does attribution do?
Links suspect to device/activity
What is attribution?
- data becomes meaningless if devices/data/activity can’t be attributed to subjects
- the process of linking individuals to devices/data/activity
- we can know a suspect’s mobile phone was in the vicinity of the crime because of cell site analysis work
- what do you need to attribute in this investigation?
Examples of what can be used for attribution
- witness statements
- suspect interviews
- top-up history, shop CCTV
- cell activity/patterns (calling family/friends)
- cell site locations
- digital forensic examinations
- wet forensics (DNA/prints)
- CCTV/ANPR
What historical data can be used to ascertain patterns?
- Who are they regularly calling?
- Where are they regularly going?
- Were the physical movements and calling patterns around the time of the incident unusual?
- Can be difficult, especially anonymous accounts
- subscribers/sign up info (IP address used)
- Account reset telephone number/e-mail - reuse of old account/old data?
- Using usernames across other platforms?
- Forensic examination of devices (logged in user, other attributable activity around the time)
What is an email header?
- the part you don’t usually see - embedded within and is a key component that we’re interested in
- contains info to ensure correct delivery
- can be accessed easily but method of accessing the info changes
- when examining an extended email header, work from the bottom up, looking for the first public IP address after a "Received: from" line
What is a base transceiver station (BTS)?
- coverage divided into 3 cell sectors
- each sector has an identifier called Cell Identity (CI)
- 31276
- 31275
- 31274
What is the GSM Core Network?
Base station subsystem
- Mobile station (mobile phone) -> MS
- BTS -> cell site
- Base Station controller -> BSC
Network switching subsystem
- Mobile switching center (connects to the internet, PSTN and SMSC (SMS Service Center)) -> MSC
- Equipment Identity Register -> EIR
- Home location register -> HLR
- authentication -> AUC
What is a digital evidence case study?
Soham Murders - solved via cell site
- 4th August 2002
- Holly Wells and Jessica Chapman (10)
- 6 pm -> girls went to buy sweets, leaving the family BBQ. Live cell site monitoring commenced as police knew Jessica had a phone
5:45 pm - Ian Huntley (caretaker of local school and knew the girls) speaks to them as they pass his house.
What HLR cell site data was recovered in this case?
- The phone switched OFF at 6:46 pm on Sunday 4th August 2002
- Switched off in a ‘controlled fashion’
- Registered at 30 degrees Burrell cell site sector at this time
- Burrell is 3 miles south of Soham
What is computer forensics?
- removable hard disk drive (HDD)
- forensic copy of data is made/verified to make sure it’s an exact copy
- analysis performed on the copy, so original data and evidence is preserved
What types of data are available from computer forensics?
- Dates/times of when files were created/modified
- Users of the computer
- When the computer was first installed
- How often programs were used
- Most commonly opened files
and more …
What types of data are available from computer forensics?
- OS (recycle bin, MRU, Prefetch, jump lists)
- Internet browsing
- Communication
- Media (audio, pictures, video)
- Documents
What is mobile forensics?
- no removable hard disk drive (HDD) but SIM card and possibly memory card
- must be switched on to extract data, which will change the data
- different interfaces (USB/Apple Lightning)