DF Wk 2 Processing Crime and Incident Scene
Plain View Doctrinev
Objects falling in plain view of an officer who has the right to be in position to have that view are subject to seizure without a warrant and may be introduced in evidence
Three criteria must be met:
1. Officer is where he or she has a legal right to be there
2. Ordinary senses must not be enhanced by advanced technology in any way
3. Any discovery must be by chance
Digital Evidence First Responder (DEFR
Digital Evidence First Responder (DEFR)
Arrives on an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence
Digital Evidence Specialist (DES
Digital Evidence Specialist (DES) •Has the skill to analyze the data and determine when another specialist should be called in to assist
Role of a digital forensics professional
The role of digital forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy
Chain of custody
Chain of custody is the Route the evidence takes from the time it is being find until the case is closed or goes to court
It Requires that each transfer of evidence from person to person is documented and proven that nobody else could have accessed that evidence.
This begins from the moment the evidence is collected.
Forensically Sound
Forensically Sound’ - refers to digital evidence when it has been collected, analyzed, handled and stored in a manner that is acceptable by the law , and there is reasonable evidence to prove that that digital evidence was not corrupted or destroyed during investigative processes whether on purpose or by accident
Write blockers
Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands
what is a forensics workstation
A forensics workstation is a specialized computer system designed and configured specifically for conducting digital forensic investigations. These workstations are equipped with the necessary hardware and software tools to safely and effectively analyze digital evidence without altering or contaminating the data.
Hardware Components of a Forensics Workstation
Hardware Components of a Forensics Workstation
1. Hardware Components:
• High-Performance CPU and GPU: Necessary for handling intensive computational tasks and processing large datasets quickly.
• Large Capacity RAM: Sufficient memory to support multitasking and the analysis of extensive digital evidence.
• Multiple Storage Devices: Includes SSDs and HDDs for fast data access and ample storage for large volumes of evidence.
• Write-Blockers: Hardware devices that prevent any data from being written to the storage media being analyzed, ensuring the integrity of the evidence.
• High-Resolution Monitors: For detailed examination of digital artifacts, such as images, videos, and complex data structures.
• Forensic Card Readers: Specialized readers to access data from various types of storage media, such as memory cards and SIM cards.
• Network Isolation: Capabilities to isolate the workstation from external networks to prevent contamination and unauthorized access during analysis.
Digital Forensicsc Software Tools:
Software Tools:
• Forensic Imaging Tools: Software to create exact copies (images) of digital storage devices for analysis, preserving the original data intact (e.g., FTK Imager, EnCase).
• Analysis Tools: Applications to examine, search, and analyze digital evidence, including file recovery, metadata analysis, and timeline creation (e.g., Autopsy, X-Ways Forensics).
• Password Cracking Tools: Utilities to recover or bypass passwords on encrypted files and devices (e.g., Hashcat, John the Ripper).
• Memory Analysis Tools: Software to analyze RAM captures and identify artifacts and malware (e.g., Volatility).
• Network Forensics Tools: Tools to analyze network traffic and logs to trace communications and identify breaches (e.g., Wireshark).
• Malware Analysis Tools: Utilities to dissect and understand malware behavior and code (e.g., IDA Pro, OllyDbg).
• Reporting Tools: Software to compile findings, generate detailed reports, and maintain chain of custody documentation (e.g., CaseNotes, ProDiscover).
evidence Custody Form
•An evidence custody form, aloso kniwn as a chain-of-evidence form , helps to document what has been done with the original evidence and its forensics copies
Types of Evidence Custody Form
Single-evidence form • Lists each piece of evidence on a separate page
Multi-evidence form