Chapter 4: Processing Crime and Incident Scenes

37 Terms

1
Law enforcement investigators
________ need a warrant to remove computers from a crime scene and transport them to a lab.
2
Windows Task Manager
The tools are hidden or disguised as other programs in ________ and process logs.
3
Digital evidence
This evidence can be any information stored or transmitted in digital form.
4
Scientific Working Group on Digital Evidence (SWGDE)
Set standards for recovering, preserving, and examining digital evidence
5
Computer-generated records
Data the system maintains, such as system log files and proxy server logs
6
Computer-stored records
Electronic data that a person creates and saves on a computer or digital devices, such as a spreadsheet or word processing document
7
Probable cause
The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest
8
Scientific Working Group on Digital Evidence (SWGDE)
Set standards for recovering, preserving, and examining digital evidence.
9
Plain View Doctrine
States that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence
10
Initial-Response Kit
Should be lightweight and easy to transport.
11
Extensive-Response Kit
Should include all the tools you can afford to take to the field.
12
Sparse Acquisition
This technique extracts only data related to evidence for your case from allocated files and minimizes how much data you need to analyze
13
Technical Advisor
The person guiding you about where to locate data and helping you extract log records or other evidence from large RAID servers
14
Guidance Software EnCase Enterprise Edition (EEE)
A centrally located server with specialized software that can activate servlets over a network to remote workstations
15
hearsay
Another concern when dealing with digital records is the concept of _____, which is a statement made while testifying at a hearing by someone other than an actual witness to the event.
16
Computer-generated records
Data the system maintains, such as system log files and proxy server logs.
17
Computer-stored records
Electronic data that a person creates and saves on a computer or digital devices, such as a spreadsheet or word processing document.
18
Probable cause
The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
19
Innocent information
This information is often included with the evidence you’re trying to recover.
20
commingled evidence
When you find this evidence, judges often issue a limiting phrase to the warrant, which allows the police to separate innocent information from evidence.
21
Plain View Doctrine
States that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence.
22
hazardous materials (HAZMAT) teams
Some cases involve dangerous settings; you must rely on the skills of ______ to recover evidence from the scene.
23
Processing evidence
This evidence usually involves acquiring an image of a suspect’s drive.
24
crime scene leader
In law enforcement, many investigations need additional staff to collect all evidence quickly. For large-scale investigations, a _____ should be designated.
25
Initial-Response Kit
* It should be lightweight and easy to transport.
* With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
26
Extensive-Response Kit
* It should include all the tools you can afford to take to the field.
* When you arrive at the scene, you should extract only those items you need to acquire evidence.
* Doing so protects your equipment and minimizes how many items you have to keep track of at the scene.
27
professional curiosity
Evidence is commonly lost or corrupted because of _____, which involves the presence of police officers and other professionals who aren’t part of the crime scene–processing team.
28
Sparse Acquisition
This technique extracts only data related to evidence for your case from allocated files and minimizes how much data you need to analyze.
29
Technical Advisor
The person guiding you about where to locate data and helping you extract log records or other evidence from large RAID servers.
30
Cyclic Redundancy Check (CRC)
A mathematical algorithm that determines whether a file’s contents have changed, though it is not considered a forensic hashing algorithm.
31
Message Digest 5 (MD5)
* The first algorithm used for digital forensics.
* It is a mathematical formula that generates a hexadecimal code based on the contents of a file, a folder, or an entire drive.
32
Secure Hash Algorithm version 1 (SHA-1)
* Developed by the National Institute of Standards and Technology (NIST).
* It has slowly replaced MD5 and CRC-32, although MD5 is still widely used.
33
Non-Keyed Hash Set
* A unique hash number generated by a software tool, such as the Linux md5sum command.
* It can identify known files, such as executable programs or viruses, that hide themselves by changing their names.
34
Keyed Hash Set
* It is created by an encryption utility’s secret key.
* It can produce a unique hash set for digital evidence.
35
sniffing data
Real-time surveillance requires ____ transmissions between a suspect’s computer and a network server.
36
Network sniffer tools
These tools allow network administrators and others to determine what data is being transmitted over the network.
37
Guidance Software EnCase Enterprise Edition (EEE)
A centrally located server with specialized software that can activate servlets over a network to remote workstations.