Prepare Yourself to Pass the CHFI Exam

Our free CHFI exam study guide covers topics such as Windows Forensics, Cyber Crime, Digital Evidence and Data Acquisition and Duplication, to name a few. Begin refreshing your memory with our interactive study guide today, or go into more depth with our CHFI certification training course.

In order to earn your CHFI certification from EC-Council, you must make sure you possess the knowledge required to pass the exam. If you haven’t already completed a CHFI training course, Cybrary’s Computer and Hacking Forensics class can help you on your journey towards becoming a CHFI. However, while helpful, training alone is insufficient for complete exam preparation. If you want to be confident of your certification, you’ll need to use more than one comprehensive, in-depth CHFI study guide, like the one we offer; we would recommend you find another one or two as well.

Reporting Detected Cyber Crimes

As soon as a cyber crime is detected, the investigator should contact key law enforcement contacts immediately with these details:


- What IT infrastructure was attacked
- How the attack was implemented
- Time of the attack
- Response steps already taken
- Identity of a possible suspect, if known
- What evidence of the crime already exists

How to Prepare Before Cyber Crime Occurs

In what ways can someone prepare before a cyber crime occurs?


Designate a single contact within the organization to whom employees can report possible cyber threats. This point of contact should be prepared with a list of law enforcement contacts with whom he or she has already established contact before any attack occurs. The in-house point of contact will also compile a list of the company response team, as well as outside vendors that need to be contacted immediately when a security incident occurs.

Key Government Investigative Agencies for Reporting Cyber Crime

What are the key government investigative agencies for reporting cyber crime?


- Federal Bureau of Investigation
- U.S. Secret Service
- Bureau of Alcohol, Tobacco and Firearms
- U.S. Postal Inspection Service
- U.S. Customs and Immigration Enforcement
- National Infrastructure Coordinating Center (Department of Homeland Security)
- National Association of Attorneys General (Computer Crime Point of Contact List)
- U.S. Computer Emergency Readiness Team (CERT)
- Internet Crime Complaint Center (IC3)

Why it’s Important to Report Cyber Crime

Why might a company be reluctant to report cyber crimes?


Companies may be reluctant to report when their cyber security systems have failed. They may not want to release sensitive data about the company, and they may also fear that their corporate image will suffer. But cyber crimes should be reported. Cyber criminals can be prosecuted only if the crime is reported. Prosecution of one crime can lead to prevention of other cyber attacks, including attacks on critical public facilities. The more individual incidents that are reported to law enforcement, the more likely officials are to uncover, and prevent, large-scale attacks.

What is the Enterprise Theory of Investigation (ETI)?

What is the Enterprise Theory of Investigation (ETI)?


Rather than view a criminal act as an isolated crime, law enforcement officials sometimes adopt the Enterprise Theory of Investigation (ETI). This means they view the individual criminal act as more likely to be part of a larger criminal enterprise. In prosecuting it, they seek to bring down a large criminal enterprise at once, rather than focus on a single crime. When forensic investigators are aware of this, they may cooperate with law enforcement officials to help prosecute the entire enterprise.

What’s Contained in a Forensic Report?

A professional forensic report usually has these elements:


- It should summarize how the investigation was conducted, show how the data was collected, and identify which business line was affected.
- It should include the supporting data, references, acknowledgements and background necessary to support litigation.
- It should include the most important conclusions, key observations and all recommendations.

The Need for a Corporate Cyber Investigator

How can you identify when you need a corporate cyber investigator?


Call in a forensic investigator when there has been:

- A breach of contract
- Theft of intellectual property
- Copyright violation
- Disputes with employees
- Damage to company property, including IT resources

A forensic investigator ensures that evidence will be collected properly, without tampering or accidental damage. The investigator will compile and process the evidence so that it can be presented in court. The investigator will also help the company prevent future incidents.

Key Aspects of Corporate Cyber Investigations

What kind of dispute does a corporate investigation usually stem from?


A corporate investigation usually stems from a dispute between two companies; no laws may have been broken. The most common example is when a company suspects industrial espionage. The cyber investigator may be called on to present the evidence in the course of extensive litigation. At the same time, the company's operations should continue as normal during the investigation. After the investigation, the company should take steps to avoid future incidents and litigation.

What are a Corporate Investigator’s Responsibilities?

What type of roles and responsibilities does a corporate cyber investigator usually have?


In taking on a case, a forensics investigator should be prepared to tackle a range of responsibilities, including:

- Assessing the legal and financial fallout from the incident
- Finding the culprit
- Prosecuting an outside criminal or punishing an inside violator
- Identifying any legal restrictions on the company response
- Protecting company reputation and dealing with public relations fallout
- Notifying officers, customers and investors about the incident
- Informing employees
- Advising on conflicts with other companies that result from the incident

How Can a Cyber Investigator Stay Current?

What types of things should a cyber investigator do to stay up-to-date with the latest threats?


A cyber investigator can draw on several categories of resources for the latest information. Cyber investigators most frequently learn about the latest threats and trends in the field by participating in cyber discussion groups, joining networks of forensics experts, and following computer forensics news and feeds. There are also forensics journals and other sources of case studies.

Types of Evidence in Cyber Investigations

What type of evidence is collected in a cyber investigation?


These are examples of evidence that can be collected by a cyber investigator, used in an investigation, and presented in court if necessary:

- Contacts on a suspect’s computer
- Records of movements
- Records of internet searches
- Encrypted files
- Stolen corporate secrets
- Emails with other suspects and accomplices

What are the Elements of a Cyber Investigation?

The steps involved in conducting a cyber investigation are as follows:


- Identify the crime and survey the preliminary evidence
- Obtain a search warrant, if needed
- Send first responders to protect any evidence
- Seize evidence and transport it to a forensic library
- Create copies of any evidence using a bit-stream copy
- Create an MD5 checksum
- Establish a chain of custody for the evidence
- Store the evidence securely
- Analyze the evidence and prepare a report
- Submit the report to company officials
- Be ready to testify in court

Using an Experienced Investigator for Digital Crime

Why is it so important to use an experienced investigator when trying to solve digital crime?


If a computer crime is investigated by someone who is not technically experienced, it is almost guaranteed that the evidence will be damaged and therefore not usable in a court of law. As a result, the cyber criminal will go unpunished. Therefore, whenever possible, an experienced digital forensic investigator should be used.

Who are Cyber Criminals?

A cyber criminal can be located inside the target organization or will mount the attack from outside. The crime must be intentional, not an accident. Most cyber criminals are part of…


…a large organized crime organization with a sophisticated hierarchy. The organization often creates botnets and sells or rents them. Its members can be hired to write malware, to hack into financial institutions, or to engineer a denial of service effort against a target. Government national security officials are concerned about the involvement of organized crime organizations in cyber warfare.

Common Types of Cyber Crime

Cyber crime is any illegal act in which a computer or computer infrastructure is the target, in which a computer is used to commit a crime, or in which a computer contains evidence of the crime. There are many types of cyber crime. The most common are as follows:


- Identity theft
- Fraud
- Viruses, spam and malware
- Bringing down a network, or denial of service
- Hacking to steal personal confidential data
- Credit card fraud
- Child pornography
- Extortion
- Software theft

What is Computer Forensics and Why is it Important?

Computer forensics is the investigative process of collecting, preserving and studying data from computer systems, networks and related devices so that the information can be presented in a court of law when a crime has occurred. It is important because…


…security breaches of computer systems are an everyday occurrence, resulting in huge economic losses. When the security of a corporate or government computer system is compromised, hard evidence is needed so that the criminals responsible for breaking into the system can be identified and prosecuted in a court of law. Computer forensics investigators follow methods and procedures designed to collect, analyze and safeguard evidence before it can be destroyed.

Forensics Readiness and the Step-by-Step Process

When a computer security incident has been reported, forensics investigators need to be ready to respond immediately in order to prevent possible destruction of evidence. Forensics readiness dictates a step-by-step response, as follows:


- Establish in advance a process for detecting an incident
- Know the computer system
- Identify potential evidence
- Establish how evidence will be collected, handled and stored securely
- Train staff to handle and preserve evidence
- Document all investigative steps
- Establish procedures for reviewing the incident

When was Forensics Invented and How has it Changed?

Although computers are relatively new, the science of forensics dates back to the 1820s, when investigators began using fingerprints to investigate crimes. After that, forensic investigators collected and examined unique identifying characteristics in blood samples, ballistics and even documents to link criminals to crimes. Later, sophisticated forensic laboratories were developed to study evidence and safeguard it so it could be used in courts. How has computer forensics changed?


Early on, computer forensics investigators were often called in to investigate personal disputes, harassment charges or employee rule violations involving computers. Investigators also collected evidence to be used in lawsuits. More recently, with the increase in computer hacking, forensics investigators are needed to respond quickly by collecting, examining and safeguarding evidence so that criminals can be prosecuted.

What are the Beginning Steps in a Cyber Crime Investigation?

What happens at the very beginning of an incident often determines the outcome. Knowing what to do in the early stages of an investigation will set the stage for what happens next. Here are the basic steps to follow:


- Decide if a security breach has occurred
- Look for clues at the site
- Do a quick examination of the available evidence
- Take custody of computers and other equipment
- Collect other evidence that will be analyzed in the case

Actions Required Before Starting an Investigation

When a security incident occurs, you need to hit the ground running. Before starting an investigation, make sure you follow these steps:


- Set up an investigative workstation and a secure place to recover the data
- Put in place the investigative team
- Gather the investigative tools
- Contact the local prosecutor
- Learn the laws and regulations that govern the conduct of the investigation
- Finalize the methodology for the investigation

What are the Elements of a Forensics Workstation?

Building a forensics workstation is key preparation for an investigation. The workstation should have the necessary hardware and software to perform these tasks:


- Duplicate computer drives, both those on site and in remote locations
- Validate the image and the integrity of files
- Determine the date and time that files have been created, accessed or modified
- Identify files that have been deleted
- Work with media that has been removed from a computer
- Identify and examine free disk space

How to Build an Investigation Team

There are important decisions to make when assembling an investigation team. At the outset, keep the team small to protect the confidentiality of the investigation and to guard against information leaks. The next steps are to:


- Identify the members of the team and give each team member a specific responsibility.
- Make sure all team members have the necessary clearance and authorization to perform their roles.
- Choose one team member to be the initial responder to the incident.
- Designate one team member as the principal technical expert.

NOTE: If your organization does not have staff members with the necessary technical skills, hire an experienced, trusted investigative team from outside the company.

Who are the Key Actors in a Cyber Investigation?

The complexities of computer forensics require a team that possesses many different skills, including:


- Expert witness: offers testimony in court
- Attorney: advises the team on laws
- Evidence Manager: ensures evidence remains secure
- Evidence Documenter: tracks all evidence through the investigation
- Evidence Examiner/Investigator: sorts through the useful evidence
- Photographer
- Incident Responder: first on the scene when an incident occurs
- Decision Maker: oversees the investigation
- Incident Analyst

What Physical Evidence should be Collected from the Incident Scene?

Physical evidence at the incident scene includes the following:


- All computers and other electronic devices, including peripherals, removable media, cords and cables
- Publications
- Items from the trash

The evidence should be handled carefully to avoid damage, and all items should be tagged with detailed identifying information.

Do you Know the Laws and Regulations Governing Investigations?

An investigation that is conducted improperly will not stand up in court. Before beginning an investigation, it is important to review the laws…


Review beforehand the federal and state laws that will apply to the investigation. You should know the legal authorities for conducting the investigation and the specific laws that give you the authority to search for evidence. You should also know your company’s rules and policies that apply to cyber investigations. Ask your legal counsel about any areas of concern that stand out; for example, what constitutes improper handling of the investigation? Pay particular attention to the Electronic Communications Privacy Act (ECPA) and the Privacy Protection Act (PPA).

What are the Relevant Federal Laws and Regulations?

Several key statutes and rules of evidence govern most cyber investigations, including…


- 18 U.S.C. Section 1029: prohibits fraudulent use of a credit card
- 18 U.S.C. Section 1030: prohibits unauthorized use of a computer to obtain credit card information
- 18 U.S.C. Sections 1361-62: prohibit malicious damage, or intent to damage, U.S. government property, including electronic equipment or transmissions
- Rule 402: relevant evidence is admissible in court unless prohibited elsewhere in laws or regulations
- Rule 901: covers the authentication and identification of evidence
- Rule 608: governs how evidence about a person’s truthfulness can be introduced in court
- Rule 609: allows the admission of criminal history evidence to impeach a witness
- Rule 502: governs attorney-client privilege and the protection of an attorney’s work product from being shared with the other side in litigation

What are Key Rules of Evidence Governing Cyber Investigations?

These are Federal Rules of Evidence every investigator should be aware of:


- Rule 614: a judge may call a witness in a trial or question any witness
- Rule 701: limits the scope of testimony by a non-expert witness
- Rule 705: relates to expert witness testimony
- Rule 1002: requires production of the original document at trial
- Rule 1003: allows a duplicate document to be introduced into evidence

How to Obtain Proper Authorization for an Investigation?

Before initiating an investigation, you must make sure that you follow specific steps:


First, make sure that you have sufficient authority. Identify the decision maker in your organization who is responsible for authorizing the response to a security incident. If there are no rules or policies for responding to an incident, and no designated decision maker, identify someone who can authorize the response. Once authorization is received, document all of the actions taken from the moment the incident was reported.

What are the Steps for Conducting a Risk Assessment?

A solid investigation begins with a careful assessment of the risks presented by the security incident. To assess the risks:


- Describe the incident and the potential damage
- Rate the incident according to its severity
- Determine the data loss or damage to the computer system due to the incident
- Assess whether other devices and systems are threatened by the incident
- Seal off communications with other devices to keep the incident from spreading

How to Build a Computer Investigation Toolkit

To gather evidence properly in a computer investigation, investigators need the proper hardware and software to collect data. This toolkit should include:


- Laptop with functioning software
- Operating systems and patches
- Application software
- Back-up devices that are write-protected
- Blank media to download files
- Networking equipment and cables

What are First Steps in a Computer Forensics Investigation?

Preparation and attention to details will increase the chances of a successful investigation. An investigator should:


- Know proper evidence-handling and chain-of-custody procedures
- Assess the crime scene
- Collect and secure evidence from the crime scene
- Turn off all processes that might damage the evidence
- Determine the urgency of the investigation
- Identify the investigative techniques to be used and the data required
- Assemble all available data about the evidence collected, including operating environments and interdependencies

How to Access the Data in a Computer Forensics Investigation

Once the evidence has been seized and secured, the investigator has to gain access to it. The next steps are:


- Look for ways to unlock files protected by a password or encryption
- Collect email addresses and other data that might contribute to the investigation
- Examine which users accessed the files before they were secured, looking at the files that were accessed, when, and the possible reasons
- Maintain a chain of custody for the seized material
- Search the seized material for relevant data using keywords

What is the Methodology for Conducting a Cyber Crime Investigation?

Follow this step-by-step model to conduct a proper investigation:


- Obtain a search warrant
- Assess the crime scene and secure it from tampering
- Gather the evidence, including computers and other materials at the scene
- Protect the evidence from tampering
- Use the computer toolkit to acquire data from devices
- Conduct analysis of the data
- Evaluate the data to develop the case
- Draft a final investigation report
- Prepare to testify as an expert in a trial or litigation

What is Needed to Obtain a Search Warrant?

To obtain a search warrant, you must show “probable cause” that evidence linked to a crime is located in the area to be searched. In addition, other information has to be provided, for example:


The request must specify the area to be searched. Is it an entire company, a floor of an office, a computer, a car, or a house? When a computer or other device is to be searched, will the search take place on site, or will the device be brought to another site for examination? If the computer is removed, will it be returned to the owner after the material is extracted, or will it be held until after the trial?

Can Property be Searched without a Warrant?

In specific situations, a property can be searched without a warrant. These situations include:


- When the owner of the property consents to the search voluntarily.
- When law enforcement authorities believe evidence will be destroyed before a warrant can be obtained from a court.

What are the Best Practices for Forensic Photography?

A forensic photographer has an important role in an investigation. His expertise is required because…


…photographs are needed to establish the scene of the crime and the location and nature of the evidence. All evidence must be labeled before it is photographed. A digital camera speeds up the investigative process because the photographs can be labeled, stored and transmitted easily. Measurements can also be taken from digital images.

Primary Information to Collect at an Incident Scene

When an incident occurs, the following information should be collected and recorded as soon as possible:


- Time of the incident
- Detailed location
- Whether memory on devices is volatile or non-volatile
- Information on any persons at the scene
- Names and identification of potential witnesses

What is the Role of the First Responder to an Incident?

The first person to respond to a security incident must complete the following actions:


Gather and guard as much evidence as possible. Evidence on electronic devices should be gathered and protected. The first responder should follow all applicable laws in collecting and protecting evidence. As soon as possible, the first responder should contact a forensic investigator.

What Types of Evidence Files Should be Collected in an Investigation?

A forensic investigative search should gather all of the following electronic files:


- Data files: from desktop computers and workstations, notebooks, home computers, computers of all staff, handheld devices, file servers, mainframes and minicomputers
- Backup tapes: system-wide backups, disaster recovery backups, personal backups (diskettes and other portable media)
- Other media: tape archives, removed and replaced disk drives, portable media including CDs, Zip drives and diskettes

What are the First Steps in Collecting Electronic Evidence?

To begin the electronic evidence collection in an investigation, you need to follow these steps:


- Make a detailed list of the systems involved in the incident from which data can be collected
- Indicate the order of volatility for the systems
- Note the systems’ clock drift
- Collect any evidence from persons who are involved in the incident
- Record the electronic serial numbers of drives and other identifying data in the system
- Write-protect all media and run a virus scan on it to protect its integrity

What Should be Included on an Evidence Collection Form?

A detailed Evidence Collection Form should be filled out at the time of any search and contain as much information as possible, including:


- Date, time and location of the search
- Persons or agency conducting the search
- Case number, if available
- Victim’s full name, if applicable
- Description of evidence collected
- Type of offense, if applicable
- Suspect’s name, if known

What are the Key Elements of Evidence Management?

The overriding goal of evidence management is to preserve the integrity of the electronic evidence. This can be achieved by:


- Keeping the evidence in a secure site where intruders cannot enter
- Installing an alarm system in the lab
- Proper handling and documenting of the evidence, including tagging the evidence with unique identification marks, so that it is preserved intact once it has been seized
- Careful documentation in the investigation log book whenever the evidence is transferred from one party to another, including the date and time and the identities of the parties who delivered and received the evidence

These measures preserve the chain of custody so that the evidence can be presented in a court of law.

What is a Chain of Custody Form?

A Chain of Custody form is a formal document that can be entered into a court of law:


It is used to officially document the collection, storage, handling, testing and disposition of evidence. Its purpose is to guard against tampering with or switching of evidence. It is a legal record certifying that these safeguards have been carried out, signed by those handling the evidence. For each piece of evidence, a chain of custody form lists:

- The piece of evidence, with a brief description
- When it was collected, where, and by whom
- A notation each time the evidence changes hands, with the person relinquishing it and the person receiving it signing and dating the form

Duplicating Electronic Evidence

The original digital evidence in an investigation is never used for analysis, in case it is damaged in the process or in handling. Instead…


The original data files are duplicated bit by bit, in a process called data imaging, which creates an exact copy of the original data. The original data is kept intact and stored in a secure facility. The duplicate data is sent to the forensic lab for analysis.

Is the Authenticity of the Duplicate Image Guaranteed?

If the data analysis is performed on a duplicate image file, how can investigators and a court be assured that it is the same as the original?


The integrity of the duplicate file is demonstrated by subjecting both the original data file and the duplicate file to an MD5 hash calculation. This is done before any analysis has been performed on the duplicate file. If the duplicate file has the same hash value as the original evidence, it demonstrates that the files are the same. This certification has been accepted under the Federal Rules of Evidence and is admissible in a court of law. There are several tools available for calculating hash values, including Hash Calc, MD5 Calculator, HashMyFiles and md5sum.
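The duplication and verification steps described in the two sections above, as an added Python example that is not code from the study guide or from EC-Council. The evidence file is a constructed byte string written to a temporary directory, and the helper names (hash_file, image_file, verify_image, demo) are this example's own. It also records a SHA-256 digest beside the MD5 one; that is an added recommendation, not something the guide states.

```python
"""Added example: bit-for-bit duplication of an evidence file and hash
verification of the duplicate before analysis. Sample evidence and file
names are constructed for the demonstration."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # stream in fixed-size blocks so large images never sit in memory


def hash_file(path, algorithm="md5"):
    """Return the hex digest of the whole file, read chunk by chunk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_file(source, destination):
    """Copy source to destination byte for byte and return the bytes written."""
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    return os.path.getsize(destination)


def verify_image(source, destination, algorithms=("md5", "sha256")):
    """Hash the original and the duplicate with each algorithm and compare.

    Returns a record suitable for the evidence log: the digests per algorithm
    and whether every pair matched. SHA-256 is recorded alongside MD5 because
    MD5 collisions are practical today (an added recommendation)."""
    record = {"source": source, "duplicate": destination, "digests": {}}
    for algo in algorithms:
        record["digests"][algo] = {
            "original": hash_file(source, algo),
            "duplicate": hash_file(destination, algo),
        }
    record["verified"] = all(
        d["original"] == d["duplicate"] for d in record["digests"].values()
    )
    return record


def demo():
    """Image a constructed evidence file, verify it, then show that a
    duplicate altered by a single byte fails verification.

    Returns (clean_verified, tampered_verified)."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence.bin")
    duplicate = os.path.join(workdir, "evidence.dd")
    with open(original, "wb") as f:
        # Constructed sample evidence: ~140 KB, so it spans several chunks.
        f.write(b"CONSTRUCTED SAMPLE EVIDENCE\x00" * 5000)

    image_file(original, duplicate)
    clean = verify_image(original, duplicate)

    # Simulate accidental damage to the duplicate: flip one bit at offset 1234.
    with open(duplicate, "r+b") as f:
        f.seek(1234)
        byte = f.read(1)[0]
        f.seek(1234)
        f.write(bytes([byte ^ 0x01]))
    tampered = verify_image(original, duplicate)

    return clean["verified"], tampered["verified"]


if __name__ == "__main__":
    clean_ok, tampered_ok = demo()
    print("clean duplicate verified:", clean_ok)
    print("tampered duplicate verified:", tampered_ok)
```

The record returned by verify_image is what would be copied into the evidence log alongside the chain of custody entry: it names both files, the digests computed for each, and the verification result, and it is produced before any analysis touches the duplicate.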

Can Lost or Deleted Data be Recovered?

What happens when data on a computer subject to an investigation has been deleted or lost?


Several programs exist to recover data that has been lost or deleted from a computer. The recovered data can be used in an investigation. These programs include Total Recall, Recover My Files, and Advanced Disk Recovery.

How to Analyze Data Gathered in the Investigation

Once data has been collected from targeted computers …


The data must be analyzed to see whether it supports the overall theory of the investigation. The techniques for analyzing the data will vary depending on the type of investigation and the resources and needs of the client. Analysis should shed light on:

- File content
- Date and time of file creation and any modifications
- Identification of the users who created, modified or had access to the files
- Storage location of the files
- A timeline for the creation and any modification of the files

The conclusions from the analysis should be presented in order of relevance to the investigation. Data analysis tools are available to sort through and analyze large quantities of data.

How to Assess the Evidence in an Investigation

After the data has been analyzed, it must be assessed to measure its value to the overall investigation. The evidence should be assessed as part of the effort to decide the next steps in the investigation. The assessment should include:


- Review of the search warrant or other authorization
- A careful examination of the digital evidence
- Review of the hardware and software seized in the investigation
- Analysis of the digital and factual evidence to determine its relevance to the investigation

How to Document Key Phases of the Investigation

For the investigation to hold up to scrutiny by a court, all of the conclusions must be documented, including the following:


- The number and types of operating systems examined
- Content of files
- The result of matching the files to the installed applications
- User configuration settings
- Check-in/check-out list of every examination of the data
- Summaries of all interviews
- Reports and logs generated during the data assessment phase
- Outcomes of all legal interactions

How to Assess the Overall Case

Once the evidence has been collected, analyzed and evaluated, how can you assess the overall case?


- Review the initial investigation request
- Identify the legal authority for the investigation
- Review the chain of custody
- Determine whether there are additional sources of evidence to be tapped
- Consider using other forensic tools to examine existing evidence
- Interview users, system administrators and other workers to seek new evidence

How to Gather the Material to Write an Investigation Report

Before writing an investigation report, you should gather and organize the material from all phases of the investigation. To do that, you must follow these steps:


- Gather all notes from the beginning to the end of the investigation
- List all documentation that is relevant to the investigation
- List the proposed conclusions
- Highlight the facts that support the investigation conclusions
- List the evidence that supports the conclusions

What Should Be Included in an Investigation Report?

The Investigation report should be clear and concise and include these elements:


- A statement of the purpose of the report
- Information about the author(s), including background and contact information, and a description of their positions and role in the investigation
- Full summary of the incident, including how it occurred and its impact
- Complete description of the evidence acquired during the investigation
- Full summary of the evidence that was analyzed and the procedures, methods or programs used to analyze the data, along with the utility reports and log entries produced by the analysis
- Conclusion stating the findings of the investigation, noting the specific evidence that supports the findings
- Supporting documents mentioned in the report, including any network diagrams, descriptions of the investigation methodology, and complete information about the technologies used in the investigation

What is the Role of an Expert Witness?

If a crime has been committed and charges are brought in a court of law, an expert witness will be asked to present the results of the investigation to the judge or jury. An expert witness must have thorough knowledge of the facts of the investigation and related issues, as well as the credentials to inspire trust in a judge or jury. As an expert, the witness must be knowledgeable enough about the technical aspects of the case to evaluate the evidence in the case independently. The expert witness’s role is to assist the attorneys, the judge and/or the jury in understanding the investigation. The expert witness must be familiar with the legal procedures of the court in order to be comfortable in a courtroom setting. The expert witness must also be prepared for questions from the opposing lawyers, who may try to discredit the expert witness’s testimony.

Why is Professional Conduct Important to an Investigation?

An investigation is only as good as its investigators, who should maintain the highest professional standards, including:

- Examining all of the facts present at the incident scene
- Discarding any bias in order to maintain the integrity of the investigative process
- Maintaining the confidentiality of the investigation
- Keeping current on changes in hardware, software, network technology and forensic applications
- Protecting the evidence chain of custody

What are the Priorities in Investigating a Company Policy Investigation?

Millions of dollars can be wasted when employees misuse company computer systems by surfing the internet, sending personal emails and using computers for personal tasks. An investigator may be asked to trace this kind of employee misuse. If violations are found and documented, the employee in question should be educated about company policy. If the problem persists, the company may decide to take further action. Meanwhile, the investigator should ensure that disruptions to company operations are minimized during the investigation.

What is the Fourth Amendment to the U.S. Constitution?

The Fourth Amendment to the U.S. Constitution protects citizens from “unreasonable searches and seizures” without “probable cause.” Later, U.S. courts ruled that a warrantless search could take place if a person did not have a “reasonable expectation of privacy.” A computer under a person’s control was considered private as if it were “a briefcase or a file cabinet.” Just as law enforcement could not search someone’s briefcase without a warrant, so they could not search their computer without one. However, individuals give up their right to privacy over the contents of their computer when they relinquish control of the computer to third parties. The Fourth Amendment does not apply to searches conducted by private parties who are not agents of the government, unless the private search is done with the knowledge or participation of a government official.

What are the Exceptions to the Search Warrant Requirement?

In certain circumstances, the government can search computers without a warrant:

- Consent: when a person gives direct consent to have their files searched.
- Lawful arrest: police have a right to search the area around a suspect when they are lawfully arrested.
- International searches: a warrant is not needed for government officials to search computer systems outside the United States, although U.S. law enforcement officials usually consult a law enforcement agency in the country where the search is being conducted.
- Inventory searches: searches that take place not to look for evidence but to ensure that there are no dangerous or harmful objects and to protect law enforcement from liability for lost or stolen items. The items found are inventoried.
- Border searches: searches of persons coming into or leaving the United States do not require a warrant or a finding of probable cause.
- Exigent conditions: searches can be conducted without a warrant when there is a danger that evidence will disappear or be destroyed before a warrant can be secured from a court. In cases of computer crimes, there is a danger that data will be erased through normal maintenance, or will otherwise be lost.

Who Can Give Consent for a Warrantless Computer Search?

The consent exception for a warrantless search has many variations. One key issue is whether a third party can give consent to a search of someone else’s files. Courts have ruled that a spouse may give consent to search all of a couple’s joint property. Also, parents may give consent to search their child’s property if the child is under 18, but not after that. In the case of computer systems, a system administrator may give permission to search an individual’s files on the system. Also, if a computer is in common use, another user may give consent to have the computer searched.

What is the Implied Consent Exception for Warrantless Searches?

The legal doctrine of implied consent allows for a search without a warrant, even when there is no explicit consent. When there is no written or even verbal consent for a search, government investigators may still have the right to search without a warrant. Signing on to a government or corporate computer system, for example, often includes a notice that the user is waiving their right to privacy while using the system. This is implied consent to search the user’s files on the system.

What are the Rules Governing Workplace Searches of Computers?

Searching a workplace computer without a warrant can present legal problems. Federal privacy laws apply, as well as the Fourth Amendment protection against unreasonable searches. For private workplaces, employees are afforded privacy protections as if they were in their homes. Employees can assume a reasonable expectation of privacy unless a company official with authority over the workforce consents to a search of the offices. Workers in public sector workplaces also enjoy a reasonable expectation of privacy, although there often is implied consent when employees log on to a government computer system. In addition, courts have said any warrantless search must be work-related.

What are the Steps in a Computer Search with a Warrant?

Even with a search warrant, searching and seizing an office computer can be difficult. Starting with these steps will help to ensure a successful investigation:

- Put together a team that includes a technical expert, an agent overseeing the case, and the prosecutor who will handle the case in court.
- Research the target computer system thoroughly before drafting a warrant or even devising a strategy for the case.
- Draft the warrant request and background affidavit carefully, describing the object of the search, the strategy and any questions of law likely to come up.
- Formulate an overall plan for the search, as well as a backup plan, based on knowledge about the target computer system.

What is the Impact of the Electronic Communications Privacy Act on Investigations?

The Electronic Communications Privacy Act (ECPA) is designed to prevent unauthorized government access to private electronic communications. This Act requires a search warrant before investigators can access stored electronic information, such as emails. If the government incidentally collects the information of innocent parties in the course of its computer search, those parties whose information was seized can file civil actions against the government. Investigators who incidentally seize information belonging to innocent third parties should act to protect the integrity of the information in order to avoid violating the ECPA.

When are Multiple Warrants Recommended in a Cyber Investigation?

A federal search warrant usually applies only to territory in the jurisdiction of the District Court issuing the warrant. Investigators embarking on a search of a computer network may not know in advance where all the files are located; they may be located on computer systems in another district. In instances where agents suspect data may be stored in more than one district, investigators should consider seeking warrants for several districts to ensure that the evidence collected in the search is admissible in court.

What is a Sneak and Peek Warrant?

A sneak and peek warrant allows law enforcement to conduct a search before notifying a suspect. In cyber investigations, a sneak and peek warrant (also called a delayed notification warrant) gives investigators the opportunity to examine and seize evidence on a suspect’s computer before the suspect has a chance to destroy it. Following the search, law enforcement officials are expected to provide notice of the search to the suspect within a “reasonable” period of time, although this can be extended by the court for good cause. Law enforcement officials should seek prior approval from the court if they plan to make copies of the seized files on the target computer without informing the suspect.

How Should Investigators Handle Privileged Documents?

During a search, investigators must be careful if they come across privileged documents. Communications with clergy, as well as documents related to legal and medical issues, are considered privileged and not subject to a search. So investigators should take precautions when conducting a search that might result in the seizure of files containing this information. Investigators should devise a strategy for reviewing seized files so that no privileged documents are compromised or breached.

What are the Key Steps in Drafting a Warrant and Affidavit?

Two documents are required in order to obtain a search warrant from a Magistrate Judge. They are:

- The draft warrant, which describes the area to be searched and the property to be seized. The warrant must accurately describe in detail any computer hardware that is to be seized. If the investigators are only seeking information likely to be found on the computer system, the warrant should describe the information being sought rather than the hardware.
- The affidavit, which presents “probable cause,” that is, how the property or information to be seized is related to a crime or wrongdoing. The affidavit also presents the strategy for the search, including the techniques that will be used to search for the information, and how the investigators propose to protect unrelated documents that may coexist with the targeted documents. The affidavit should also address how investigators propose to deal with any practical problems that may arise when searching the computer onsite, and include a plan for removing the computer from the site, if that is necessary.

What Network Providers Are Covered by the Electronic Communications Privacy Act?

The Electronic Communications Privacy Act (ECPA) restricts law enforcement access to two types of network service providers:

- Electronic communications services, through which customers send and receive electronic communications.
- Remote computing services, which provide storage or processing services.

Investigators seeking access to stored email, account records or subscriber information from these providers have to meet strict privacy requirements in the ECPA.

What Requirements Must the Government Meet to Compel a Company to Produce Data?

To compel a company to provide customer information under the ECPA, a government agency must:

- Issue a subpoena
- Obtain a state court order
- Produce a federal search warrant

The Act allows companies to voluntarily disclose privileged information under certain circumstances, such as when the information is requested by the National Center for Missing and Exploited Children, or when a government entity believes there is an “emergency involving danger of death or serious physical injury.”

What are Possible Strategies for a Computer Search?

There are four possible approaches to seizing evidence from a computer:

- Examine the computer onsite and print out a hard copy of targeted files
- Create an electronic copy of the targeted files, still onsite
- Create a duplicate electronic copy of the entire storage disk while still onsite
- Remove the computer to an offsite secure location in order to create an electronic copy of the storage disk

The key factor in choosing a strategy is whether the entire storage device is being used for the commission of a crime, or only specific files stored on the device. If the entire device is suspect, investigators will likely detail that allegation in the search warrant request and propose removing the device to a secure location where it can be examined.

How Does the Privacy Protection Act Impact Cyber Investigations?

The Privacy Protection Act presents legal challenges to cyber investigations. The Act prohibits search and seizure of materials under the control of a news organization unless the writer is suspected of a crime or there is a life-threatening circumstance. If investigators believe a journalist or news organization may have information in the computer system related to a crime, they may not seize the computer files to look for the evidence, because it is protected by the First and Fourth Amendments. However, when investigators are searching a suspect’s computer and incidentally seize material protected by the Privacy Protection Act, they will not necessarily be subject to prosecution.

Should Investigators Communicate with Service Providers before Issuing a Warrant?

Before issuing subpoenas, warrants or court orders to a network provider to produce evidence for an investigation, investigators or law enforcement agents should direct the network service provider to:

- Preserve the evidence that is being sought.
- Refrain from disclosing the evidence request to their customer, unless the government agency is otherwise required to give prior notice to the customer.

What is a Pen/Trap and Trace Order?

Law enforcement agencies use Pen/Trap and Trace Orders when seeking to intercept electronic communications, both incoming and outgoing, in connection with the target of an investigation. A warrant is required to obtain a Pen/Trap and Trace Order. Under most conditions, law enforcement officials are only allowed to capture the phone numbers or computer addresses of those sending and receiving the communication. To obtain the Pen/Trap and Trace Order, law enforcement must show how the information sought is related to an ongoing criminal investigation. An additional warrant, with more stringent probable cause requirements, is required in order to intercept the body of the phone call or electronic communication.

What is the Primary Purpose of the Wiretap Statute?

The law commonly referred to as the Wiretap Statute is designed to protect citizens against unauthorized government surveillance. Under the statute, it is illegal to intentionally, or purposefully, intercept, disclose, or use the contents of any wire, oral, or electronic communication, which includes email. Violating the statute can mean that any information gained from the illegal search can be kept out of any criminal proceeding. It also can result in civil or criminal penalties. However, government agents are usually protected from liability for “reasonable” decisions made in good faith.

What Kind of Evidence Standard is Applied to Computer Records?

Even though computer records may be considered reliable, investigators are still required to meet standard evidence tests. When introducing computer evidence into a trial, investigators need to meet the standard “authentication” rule of evidence, proving that the files are what the government says they are. Authentication of computer records may be challenged on the grounds that they were altered or damaged after they were seized, or by questioning the validity of the computer program that generated the files. Challenges may also focus on the identity of the author of the records. Investigators need to consider these challenges when they initially seize the records, by following strict procedures for imaging the files, analyzing them and documenting the chain of custody.

How Does the Hearsay Rule Impact Computer Evidence?

The Hearsay Rule is usually invoked in keeping out witness testimony in a trial. But it can play an important role in connection with computer evidence, as the Hearsay Rule does not usually apply to computer-generated records themselves. But if the files to be introduced contain statements by a person that are directly related to the investigation, the statements by the person can be subject to the Hearsay Rule. One exception to the Hearsay Rule often invoked in a computer investigation is the business records exception, which states that records generated during the normal course of business are considered reliable and can usually be entered into evidence.

What is the Definition of Digital Evidence?

Digital evidence, which is the core of any cyber investigation, takes many forms and can be found in several places. Digital evidence is evidence stored or transmitted in digital format. It can take the form of:

- Graphic, spreadsheet and word processing files
- Audio or video files
- Server or other log files
- Emails
- Internet browser histories

Investigators can collect digital evidence from:

- Storage media
- Network traffic
- Computer files collected during an evidence search

What are the Challenges in Collecting and Using Digital Evidence?

Digital evidence can establish a key link between a crime and the criminal, but it is not foolproof. There are several ways digital evidence can be manipulated or lost:

- It can be maliciously tampered with
- It is unstable if not handled carefully
- It cannot always be traced
- It can be lost if the computer is turned off
- It can be erased remotely or overwritten

What is Anti-Digital Forensics?

Criminals and hackers have extensive methods for hiding digital evidence from investigators. Anti-Digital Forensics (ADF) is the name given to techniques used to wipe out data or hide it from investigators. These efforts can make data recovery and collection difficult, time-consuming or even impossible. The major types of ADF mischief are:

- Wiping by overwriting files numerous times
- Hiding data under other files
- Using malicious code to cause data recovery software to malfunction
- Obscuring data by using numerous remailers to wipe out email header information

Why are Rules of Evidence Important?

It is best to know the Rules of Evidence even before beginning an investigation. The Rules of Evidence determine whether a piece of evidence can be considered by a judge or jury deliberating a case. Knowing beforehand whether certain evidence will be allowed in court could affect the conduct of the investigation, so it is better to know the rules in advance. The Federal Rules of Evidence are extensive and the product of years of legal decisions by courts. In addition, states may have their own rules. The final decision on whether a piece of evidence is within the Rules is made by a judge, and it is made before the evidence is introduced into the case.

What are the Different Types of Digital Data?

Investigators need to know which data files are permanent and which are temporary:

- Volatile memory: needs power to remain in the system; disappears when the computer is turned off. Includes logged-on users, open files, network information and command history.
- Non-volatile memory: used for secondary storage and persists when power is turned off. Includes hidden files, swap files, registry settings, unused partitions and event logs.
- Transient data: lost when the computer is turned off. Includes open network connections, user logout, programs in memory and cache data.
- Fragile data: information temporarily saved on the hard disk; it can be altered or erased. Includes access dates on files and last-access timestamps.
- Temporarily accessible data: stored on the hard drive and accessible for a limited time. Includes encrypted file information.
- Active data: data used for daily operations. Accessible.
- Archival data: managed in long-term storage.
- Backup data: a copy of system data that can be accessed at the time of recovery after a system crash or other disaster.
- Residual data: when a file is deleted, the computer tags the deleted space as residual data; the file can be retrieved until the space is reused.
- Metadata: contains the record for a document, including format, and information about the file’s creation and any modifications.

What is the Best Evidence Rule?

In general, only the original of a document, photograph or recording may be used as evidence. The Best Evidence Rule guards against the introduction of a copy of the original that has been damaged, altered or tampered with. A duplicate will be allowed into evidence only if the original evidence:

- Was destroyed in a fire or flood
- Was destroyed in the normal course of business
- Is being held by a third party

What are the Major Topics Covered by the Rules of Evidence?

Several major issues figure prominently in any discussion about the Rules of Evidence:

- Admissibility: the rule determines whether testimony or evidence can be introduced into evidence
- Admissibility of duplicate evidence: when duplicates can be allowed as evidence
- Hearsay Rule: in general, a statement that was not made in court cannot be used in the trial
- Exceptions to the Hearsay Rule: when hearsay rules can be waived

What is the International Organization on Computer Evidence?

Because of the global nature of cyber crimes, an international organization helps cyber investigators. The International Organization on Computer Evidence, founded in 1995, provides a venue for law enforcement officials from around the world to share information on cyber threats and computer forensics. Members share information at conferences and can communicate directly with other member agencies. The organization also establishes global principles for the proper handling of computer evidence. This significantly increases the odds that evidence originating in another country will be admissible in U.S. courts.

What is the Scientific Working Group on Digital Evidence?

U.S. law enforcement and investigative agencies join forces to fight cyber crime. Federal and state law enforcement and investigative agencies, including the U.S. Secret Service and the Federal Bureau of Investigation (FBI), form the nucleus of the Scientific Working Group on Digital Evidence (SWGDE). Its mission is to forge cooperation and discussion on digital evidence issues, share best practices and ensure quality and consistency in the forensic field. The organization has established standards it hopes will be adopted by all forensic organizations, including a recommendation that all law enforcement organizations adopt Standard Operating Procedures (SOPs) for the collection, handling, examination and transfer of digital evidence, and that these SOPs be reviewed annually.

What are SWGDE’s Standards for Handling Digital Evidence?

SWGDE has issued three basic evidence-handling standards that investigative agencies should follow:

- An agency must use appropriate hardware and software for seizing and examining evidence.
- Investigators must record in writing all actions related to evidence seizure, storage, examination and transfer. The log must be available for review and for use in any court testimony.
- If an action has the potential to alter, damage or destroy the original evidence, it must be undertaken by qualified technicians according to prescribed procedures.

What Types of Evidence Files are Found on Computers and Other Devices?

Investigators can look for evidence in three types of files when searching computers:

- User-created files: document or text files, address books, databases and spreadsheets, image and graphic files, Internet bookmarks and favorites
- User-protected files: compressed and encrypted files, password-protected and hidden files, and files hidden within other files
- Computer-created files: backup and log files, temporary files, swap files, system and configuration files, printer spool files, cookies and history files

How Can Investigators Search Various Storage Devices?

To find files on various storage devices, investigators have to know where to look. The four places investigators should look are:

- Hard drive: data stored magnetically in different file formats. Evidence can be in text, video, picture, database, multimedia and program files.
- Thumb drive: removable storage device that connects using a USB port. Evidence can be found in text, graphics, image and picture files.
- Memory card: removable storage device used in cameras, PDAs and computers. Data is preserved when power is turned off. Evidence can be found in event and chat logs, text, picture and image files and Internet browsing history.
- Removable, portable storage devices: CDs, DVDs, tapes and Blu-ray discs are all used to store digital information in text, graphics, multimedia and video files.

What Kind of Evidence is Found on Access Control Devices?

Access control devices are used to add extra security to access buildings, computers and other electronic devices. Authenticating the information on these devices provides evidence in the form of information about the user, configurations and permissions.

- Smart card: a device that contains an encryption key or password and an electronic certificate.
- Dongle: a copy protection device that attaches to computers to control access to an application.
- Biometric scanner: controls access by identifying physical characteristics of a user.

What Other Devices Have Potential to Store Evidence?

Almost any electronic device can offer potential evidence for an investigation. Some examples:

- Telephone answering machines
- Digital cameras
- Modems
- Handheld devices
- Pagers
- Printers
- Telephones
- Copiers
- Digital watches
- Scanners
- Global Positioning Systems (GPS)
- Fax machines
- Credit card skimmers

What Kind of Evidence Can be Found in Network Devices?

Network devices provide significant potential for evidence collection. Examples of these network devices are below:

- LAN card and Network Interface Card (NIC): evidence is found in the Media Access Control (MAC) address.
- Routers, hubs and switches: these devices connect separate computers or networks. For routers, evidence is found in the configuration files. For hubs and switches, evidence is found embedded in the devices.
- Servers: evidence is found in the computer.
- Network cables and connectors: evidence is found on the devices.

What are the Recommended Steps in an Evidence Assessment?

The evidence assessment phase takes place before any evidence has been collected. Start by reviewing the scope of the case and examining the search warrant, if one has been issued. Then:

- List evidence sources by priority: where is each to be found, and how stable is it?
- Decide whether the evidence will be documented in place by photographs or other means.
- Check for electromagnetic interference in areas where the evidence will be stored.
- Evaluate the condition of the evidence after it has been moved, packed or stored.
- Determine whether continuous power is needed to avoid data loss on electronic devices.

What are the Steps in Preparing for Evidence Acquisition?

Even after the initial assessment, more preparation is required before collecting the evidence:

- Estimate the impact of the security incident and the investigation on the business
- Create a detailed map of the computer network affected by the incident and include details of how it might be affected by the incident
- List possible outcomes for any legal actions and communication about the incident with outside parties
- Draft a proposed action plan
- Review and preserve any reports and logs produced during the assessment phase
- Prepare summaries of interviews with users and network administrators

When Collecting Evidence, What Areas and Devices Should be Searched?

Depending on the nature of the crime, investigators may have different areas they want to search. They need to think carefully about where to search while drafting the search warrant:

- Does the crime involve counterfeit documents? Evidence might be found on a scanner or printer.
- A hacker might store hidden stolen files on his computer.
- A dealer in illicit narcotics might store incriminating information in spreadsheets on a personal electronic device.
- A person sending threatening letters might have copies on a computer.

Precautions When Seizing Evidence?

When a law enforcement official is seizing evidence, they should:

- Confiscate storage media as well as computers
- Seize any books and programs associated with the crime
- Prevent suspects from touching the devices to be seized
- Take care not to turn off power to the device

What are the Preliminary Steps in Copying a Seized Storage Device?

When preparing to copy files from a seized storage device, investigators should:

- Perform the operation on the investigator’s computer
- Ensure that the investigator’s device recognizes the seized device when the two devices are attached
- Make sure that the investigator’s storage device is completely clean
- Use write protection, both hardware and software, on the original computer and storage disks to preserve the evidence

What is a Bit-Stream Copy?

Bit-stream copies are useful in investigations because they are an exact replica of the files and hard drive being seized. The copying process transfers each bit from the original disk being seized to the same spot on a new storage medium, preserving any evidence intact. Bit-stream backups need to be made for all disks and hard drives seized as part of the evidence. The computers being seized should not be operated until these copies have been made.

Why are Precautions Necessary in Evidence Acquisition?

If evidence is tampered with in any way from its original state, it can cause major problems. Digital evidence is fragile and can be damaged or even destroyed if it is mishandled by investigators. Damaged evidence can be challenged in court and rendered unusable. Investigators must take possession of the evidence in a way that protects the original evidence from any damage or tampering.

What are the Steps in Acquiring a Storage Device?

The examiner should follow these steps before collecting evidence from a storage device:

- Remove the case from the computer to allow access to the storage devices or hard drives
- Make sure the devices are protected from magnetic fields and static electricity
- Identify the devices that are to be seized
- Make note of all characteristics and configuration of the drive, including make, model, location, geometry, jumper settings and drive interface
- Inventory internal components, including sound and video cards, network and PC memory cards, and access cards
- Disconnect storage devices from the motherboard, or disconnect the data cable, to avoid damage to the data

What are the Steps in Acquiring Evidence from Storage Devices?

Once a storage device has been removed from the seized computer, examiners can begin acquiring the evidence as follows:

- Examine the storage device to determine whether all space is accounted for, including host-protected areas
- Acquire the electronic serial number of the drive and other accessible host-specific data
- Copy the evidence to the examiner’s storage device using either duplication software, forensic software or a dedicated hardware device
- Compare the original to the duplicated version sector-by-sector to verify that the original data has been successfully acquired

What are the First Steps in Collecting Evidence in an Investigation?

After the original storage disk has been copied exactly, examiners can begin collecting the evidence from the duplicate:

- Decide whether to collect the evidence directly from the target computer or over a network. Collecting from the computer directly gives the examiner more control over the computer and the data. Other factors to consider are the need for secrecy, the time frame of the investigation and the nature of the evidence.
- Prepare accurate documentation of the evidence being collected.
- Decide whether the investigation will be online or offline. In an offline investigation, evidence is analyzed on a bitwise copy of the evidence. In an online investigation, analysis is performed on the original evidence.

How is Evidence Properly Identified and Documented?

When collecting evidence, examiners need to record all sources of data to be examined:

Logs from internal- and external-facing network devices
Storage devices that need to be seized, including disks, storage devices and removable media
Internal hardware devices

How is Evidence Collected from Storage Devices?

Follow these steps to ensure the data is preserved and will be usable in court:

Determine whether to remove the storage device from the computer and use the examiner's system to acquire the data.
If removing a storage device from a computer, first verify that volatile data has been captured, then turn off power to the computer before removing the storage device.
Create a bitwise copy of the evidence on the storage disk, preserve it in a backup destination, and ensure that the original data is write-protected.
Record information about the internal storage devices, including information about their configurations.
Verify the data collected and create checksums and digital signatures when possible to establish that the original and the copied data are identical.
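The two acquisition passages above (copying the evidence to the examiner's storage, then comparing original and copy sector by sector and recording checksums) can be demonstrated in a few lines of Python. This is an added example, not code from the study guide or from any forensic product it names: it images a constructed eight-sector "drive" held in a temporary file, hashes both the source and the copy as read back from disk, and then compares them sector by sector so that a later alteration of the copy is reported by sector number rather than only as a hash mismatch. The file paths, the 512-byte sector size and the sample contents are assumptions of the example.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed sector size for the constructed sample drive


def image_device(src_path, dst_path, sector_size=SECTOR_SIZE):
    """Copy src to dst sector by sector and return (sha256 of source, sha256 of copy).

    The source is opened read-only; on a real acquisition a hardware write
    blocker, not the file mode, is what guarantees the original is untouched.
    The copy is hashed by reading it back from disk, so the digest covers what
    was actually written rather than what was buffered in memory.
    """
    src_digest = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(sector_size), b""):
            src_digest.update(chunk)
            dst.write(chunk)
    dst_digest = hashlib.sha256()
    with open(dst_path, "rb") as dst:
        for chunk in iter(lambda: dst.read(sector_size), b""):
            dst_digest.update(chunk)
    return src_digest.hexdigest(), dst_digest.hexdigest()


def verify_sector_by_sector(src_path, dst_path, sector_size=SECTOR_SIZE):
    """Return the numbers of the sectors whose content differs between original and copy.

    A hash mismatch only says that something differs; this comparison says where,
    which is what the examiner documents. A length difference shows up as
    mismatching trailing sectors because the shorter file reads as empty.
    """
    mismatches = []
    with open(src_path, "rb") as src, open(dst_path, "rb") as dst:
        sector = 0
        while True:
            a, b = src.read(sector_size), dst.read(sector_size)
            if not a and not b:
                break
            if a != b:
                mismatches.append(sector)
            sector += 1
    return mismatches


def run_demo():
    """Constructed sample: an eight-sector 'drive' in a temporary directory.

    Images it, verifies the clean copy, then alters one byte of the copy to show
    that the sector comparison pinpoints the altered sector.
    """
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "evidence.dd")
        copy = os.path.join(tmp, "evidence_copy.dd")
        with open(original, "wb") as f:
            f.write(b"".join(bytes([i]) * SECTOR_SIZE for i in range(8)))

        src_hash, dst_hash = image_device(original, copy)
        clean = verify_sector_by_sector(original, copy)

        # Simulate post-acquisition damage to the copy: one byte in sector 3.
        with open(copy, "r+b") as f:
            f.seek(3 * SECTOR_SIZE + 10)
            f.write(b"\xff")
        damaged = verify_sector_by_sector(original, copy)

        return {
            "hashes_match": src_hash == dst_hash,
            "mismatches_clean": clean,
            "mismatches_damaged": damaged,
        }


if __name__ == "__main__":
    print(run_demo())
```

The hash pair is what goes into the acquisition notes and the chain of custody; the sector list is what you would cite if a copy is later challenged, because it shows exactly which part of the duplicate no longer matches the original.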

How is Evidence Collected from a Live Computer?

Useful evidence can be gathered from a live computer. Examiners need to search and check the following:

Search:
Process register
Virtual and physical memory
Network state
Processes that are running
Tapes, floppy disks, hard disks, CD-ROMs
Printouts

Check:
List of open files (lsof)
ARP cache
Active network connections (netstat)

Suggested forensic tools for collecting data: Guidance Software's EnCase and AccessData's Forensic Toolkit

How is Evidence Collected from RAM?

How is evidence collected from Random Access Memory?

RAM stores files for an application while the application is running. When the application is closed, the information stored in RAM is lost and the space is used to store other files.
When seeking to collect evidence from RAM, do not turn off power to the computer.
Evidence can be collected from RAM even when the hard disk has been wiped clean: use a utility to copy the RAM contents to a separate storage disk.
Note: when no RAM space is available for an application, the RAM contents are moved to a temporary swap file. Swap files are frequently overwritten, but an examiner can trace the swap file by searching for a particular file through its headers and footers.

How can Evidence be Collected from a Standalone Computer?

Follow these steps when collecting evidence from an individual computer:

Don't use the target device to look for evidence
Document all the devices connected to the computer using photographs
If the system is off, do not turn it on
If the unit is turned on, photograph the screen
If the computer is on and the screen is blank, move the mouse and photograph the screen
Unplug all devices from the unit and label them for later identification
If the computer is connected to a modem and router, turn off the power to those devices

Documenting the Evidence through the Chain of Custody

The Chain of Custody is a legal document that can be introduced into court. What are the functions of the chain of custody?

It is a road map that provides details on exactly how the evidence was collected, analyzed and preserved
It documents the original data evidence and the logs
It documents the transfer of evidence from one person to another during the investigation

What are the Steps to Preserving Digital Evidence?

Follow these steps to preserve digital evidence:

Seize any floppy disks at the scene in case they contain evidence
Place tape over drive slots and the power connector to prevent tampering
Label and photograph connecting cables and transport them with the device
Check the internal memory in PDAs and digital cameras
Make sure portable devices are charged
Hold onto memory sticks and compact flash cards
Transfer fragile data to a non-volatile device
Refrain from using the on-site hard drive to store fragile data
Use virtual memory sparingly to avoid overwriting data
Use a floppy disk to store small amounts of data
Avoid using a USB or FireWire drive for data storage

What are Safeguards when Collecting Evidence from a Victim's Computer?

When a victim's computer has been penetrated, take these six steps to preserve data:

If the victim's computer is connected to the internet, duplicate the path used by the intruder to collect the data
Disconnect the victim's computer from the internet to prevent further damage
When examining data, use a copy of the original data
Do not use any program, including an anti-virus program, on the victim's computer
Take an image of the system if possible
Document any changes in the system

How is Evidence from Removable Media Preserved?

All evidence should be clearly identified with permanent markers and placed in static-free bags for storage. In addition, the following steps should be followed:

For CDs and DVDs, note the date, time and initials of the examining officials
Memory cards should be write-protected
For reel-to-reel tapes, remove the "write enable"
Disk cartridges or removable hard drives should have tape over the notch
For cassette tapes, remove the "record" tab
For cartridge tapes, align the arrows at the safe mark

How Should Digital Evidence be Protected from Damage?

Special precautions should be taken to preserve digital evidence from electronic interference:

Electronic evidence can be damaged by magnetic fields, dust and vibration
Wear protective gloves when handling the evidence
Store electronic evidence in a secure, climate-controlled area
Use a protective bag to shield evidence from wireless signals
Store magnetic evidence in an anti-static bag

How Can Evidence be Safely Stored?

When preparing to analyze evidence, follow these steps:

Make at least two copies of the evidence and store one in a secure, tamper-free place
Keep the chain of custody current and secure, and create a check-out/check-in list to document visitors to the evidence storage facility
Ensure that no unauthorized person has access to the evidence, in either digital or physical form

What are General Principles of Evidence Examination?

In any investigation, the basic rules of evidence examination are the same:

Ensure the examiner of digital evidence is trained for the job
Original evidence should not be used for examination
Different types of investigations may call for different examination methods

What is the Difference between Physical and Logical Evidence Extraction?

These two types of extraction require different methods. Physical extraction identifies and collects data from the physical drive without regard to the structure of the file system. Logical extraction organizes the seized data based on operating systems, file systems and applications.

Physical Extraction Methods

In order to perform the physical extraction phase, follow these methods:

Keyword search allows the examiner to see data not tied to the particular operating system and file system
File carving may also identify files not accounted for by the file system and operating system
Examination of the partition structure can help identify the file systems present and determine whether all of the space on the hard drive is accounted for

What are the Steps in Logical Extraction?

Logical extraction removes the data from the drive based on the file system and operating system. The following steps are involved in the process:

Extract file system information to document the directory structure, file attributes, names, date and time stamps, size and location
Extract files related to the examination
Recover deleted files
Extract password-protected files, encrypted and compressed data
Extract file slack
Identify unallocated space

What Procedures are Used to Analyze Host Data?

Host data is information about operating systems and applications. To analyze it:

Identify what you are looking for and search for what's relevant
Look carefully at operating system data, including clock drift, and at signs that malicious applications or processes might be running or about to run
Study applications, processes and network connections
Use proper software tools

What Tools are Used to Analyze Storage Media?

Storage media seized during the investigation will contain thousands of files. Use these procedures to extract and analyze the data:

Analyze the data using the bitwise copy of the original evidence
Use software to find out whether files are encrypted
Uncompress compressed files
Diagram the directory structure
Identify files of interest
Gather configuration data from the registry
Search the contents of targeted files
Examine the metadata of targeted files
Use a file viewer to view the contents of files without the original application

How is Network Data Analyzed?

In addition to analyzing individual files, evidence can be found by looking at these network activities:

Network service logs may reveal key events in the incident
Examine packet sniffer or network monitor logs for clues about activities on the network
Look at firewall, proxy server, intrusion detection system and remote access service logs

How is Extracted Data Analyzed?

Interpreting extracted data provides another window onto the original incident. Some procedures to use when analyzing extracted data are:

Timeframe analysis
Data hiding analysis
Application and file analysis
Ownership and possession

To understand these results, it may be necessary to examine the request for service, review the legal authority for the search, and re-examine investigative and other leads.

What is Timeframe Analysis?

Timeframe analysis determines when things happened in the computer system so that those events can be matched with data about the usage times of an individual user. Use these methods:

Review date and time stamps in the file system metadata
Review system and application logs
Match against the user's computer date and time as found in the BIOS

What are Steps to Follow in Searching for Hidden Files?

Using data hiding analysis to search for files can produce important evidence. Some methods for hidden file searches:

Match file headers to file extensions to find any mismatches, which may indicate an intent to hide files
Look for files that are encrypted, password-protected or compressed; this may indicate an intent to conceal data
Use software to search for files hidden within other files (steganography)
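The first two hidden-file checks above are easy to automate, and the following Python is an added example written for this guide rather than code from it. It compares a file's leading bytes against a small table of well-known signatures (JPEG, PNG, GIF, PDF, ZIP-based containers, Windows PE and ELF executables) and reports files whose extension does not match the header; it also computes Shannon entropy per file and flags those whose bytes are close to uniformly distributed, which is the usual first indicator of encrypted or compressed content. The sample file set is constructed in the block; the signature table, the entropy threshold of 7.5 bits per byte and the 256-byte minimum size are the example's own assumptions.

```python
import math
from collections import Counter

# Well-known leading bytes and the extensions that normally carry them.
# (Assumed table for this example; a production tool would use a far larger one.)
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", "pe", {"exe", "dll", "sys"}),
    (b"\x7fELF", "elf", {"elf", "so", ""}),
]


def detect_type(head):
    """Return (kind, allowed_extensions) for the first matching signature, else (None, set())."""
    for magic, kind, exts in SIGNATURES:
        if head.startswith(magic):
            return kind, exts
    return None, set()


def extension_of(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def find_mismatches(files):
    """files maps filename -> leading bytes. Returns [(name, extension, detected kind)]
    for every file whose header identifies a type its extension does not carry.
    Files with no recognised signature are skipped: the header alone cannot judge them."""
    out = []
    for name, head in files.items():
        kind, exts = detect_type(head)
        if kind is None:
            continue
        ext = extension_of(name)
        if ext not in exts:
            out.append((name, ext, kind))
    return out


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for a constant stream up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_files(files, threshold=7.5, min_size=256):
    """Names of files large enough to judge whose byte distribution looks
    encrypted or compressed. Small files are skipped to avoid false alarms."""
    return [name for name, data in files.items()
            if len(data) >= min_size and shannon_entropy(data) >= threshold]


# Constructed sample file set: name -> content (only leading bytes matter for signatures).
SAMPLE_FILES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,     # JPEG with matching extension
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 60,       # image renamed to look like text
    "report.pdf": b"PK\x03\x04" + b"\x00" * 60,             # archive renamed as a PDF
    "readme.txt": b"plain text, no signature",              # no magic bytes: not judged
    "invoice.docx": b"PK\x03\x04" + b"\x00" * 60,           # ZIP container is expected for docx
    "backup.bin": bytes(range(256)) * 4,                    # uniform bytes: looks encrypted
}


if __name__ == "__main__":
    for name, ext, kind in find_mismatches(SAMPLE_FILES):
        print(f"header/extension mismatch: {name} (.{ext}) looks like {kind}")
    for name in high_entropy_files(SAMPLE_FILES):
        print(f"high entropy: {name} ({shannon_entropy(SAMPLE_FILES[name]):.2f} bits/byte)")
```

Neither check is proof of concealment on its own: a `.docx` legitimately starts with a ZIP header, and a compressed archive is high-entropy by design. The value is in producing a short list of files worth opening, which is what the guide's data hiding analysis step is after.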

What are Methods for Application and File Analysis?

Painstaking analysis of files and applications can produce useful information:

Examine file names for patterns
Examine individual files
Identify operating systems
Match files with applications on the system
Examine relationships between files, for example internet searches with cache files, and email files with attachments
Scrutinize unknown file types
Search the user's default storage location for files
Examine the user's configuration files

What is the Importance of Ownership and Possession?

Ownership and possession searches determine which user created or accessed suspect files. The key to an investigation may come from placing a user at the system at a time when other evidence presents proof of wrongdoing.

What Should an Evidence Examiner's Report Include?

An evidence examiner should keep meticulous notes throughout the search:

Take notes when interviewing the investigator
Preserve a copy of the search authority and the chain of custody document
Detail each action taken, including date, time, a complete description of the action and its results
Note the operating system name, software and patches

What is Included in a Final Report of an Investigation?

All elements of the investigation need to be summarized in the report, including:

Files related to the original search
Other files that support the findings
Results of all searches of the system
All internet evidence
Analysis of any graphical evidence
Registration data
Data analysis
Description of programs related to the investigation
Hidden or masked data
All supporting materials

What Kinds of Digital Evidence Indicate Online Auction Fraud?

Here's where to look for evidence of online auction fraud:

Account data at online auction sites
Accounting or bookkeeping software
Address books
Customer information or credit card data
Databases
Internet browser history or cache files
Digital camera software
Email, correspondence, notes
Financial records

Where Can Evidence of Child Exploitation be Found?

Here's where to look for evidence of child exploitation:

Chat logs
Date and time stamps
Digital camera software
Email and other correspondence
Games
Graphic editing and viewing software
Directory and file names that describe images
Internet logs
Images
Movie files

Where Can Evidence of Computer Intrusion be Found?

Here's where to look for evidence of computer intrusion:

Address books
Configuration files
Email and other correspondence
Executable programs
Internet activity logs
IP addresses and usernames
Internet relay chat logs
Text files with usernames and passwords
Source code

What Kinds of Evidence are Relevant in a Death Investigation?

Here's where to look for evidence in a death investigation:

Address books
Diaries
Email and other correspondence
Financial records
Images
Internet activity logs
Wills and other legal documents
Medical records
Telephone records

Where Can Evidence of Gambling be Found?

Here's where to look for evidence of gambling:

Database of customers and player records
Customer credit card information
Electronic currency
Statistics on sports betting
Image players

Where Can Evidence of Extortion be Found?

Here's where to look for evidence of extortion:

Date and time stamps
Email and other correspondence
History logs
Internet activity logs
Temporary internet files
User names

Where Can Evidence of Economic Fraud be Found?

Here's where to look for evidence of economic fraud:

Check, currency and money order images
Credit card skimmers
Images of signatures
False financial forms
Fraudulent identification

Where Can Evidence of Email Threats Be Found?

Here's where to look for evidence of email threats:

Internet activity logs
Legal documents
Telephone records
Background research on the victim
Email and other correspondence
Financial records

Where can Evidence of Narcotics Trafficking be Found?

Here's where to look for evidence of narcotics trafficking:

Address books
Calendars
Databases
Drug recipes
False identification
Email and other correspondence
Financial records
Prescription forms
Internet activity logs

Where can Evidence of Prostitution be Found?

Here's where to look for evidence of prostitution:

Address books and calendars
Biographies
Customer databases
False identification
Financial records
Medical records
Web advertising
Internet activity logs

Where Can Evidence of Software Piracy be Found?

Here's where to look for evidence of software piracy:

Chat logs
Email and other correspondence
Image files of software certificates
Internet activity logs
Serial numbers
Software cracking utilities

Where Can Evidence of Telecommunications Fraud Be Found?

Here's where to look for evidence of telecommunications fraud:

Cloning software and customer records
Electronic serial number / mobile identification number pair records
Email and other correspondence
Financial records
Manuals on how to phreak
Internet activity and telephone records

What are Elements of an Identity Fraud Investigation?

Pieces of an identity fraud investigation include:

Hardware and software tools, including digital cameras, credit card readers, credit card generators and scanners
Internet activity, including email and newsgroup postings, online orders, online trading information, erased documents, system files and file slack, and activity at forgery sites
ID templates, including birth certificates, check cashing cards, digital photo information, driver's licenses and fictitious vehicle registrations, social security cards, and electronic and scanned signatures
Negotiable instruments, including business and cashier's checks, credit card numbers, counterfeit currency, fictitious court documents, loan documents and sales receipts