Flashcards about Digital Forensics
Nigel's work experience at Royal Bank of Scotland (1988 – 2000)
Branch staff, credit/debit cards, Cash/Bullion processing centre, Horwich Service Centre
Nigel's work experience at Lancashire Constabulary (2000 – Present)
Finance Assistant, IT Liaison Officer, Computer Technician, Digital Forensic Technician, Digital Media Investigation Unit, Digital Forensic Investigator/Examiner
What is Digital Forensics?
The process by which information is extracted from data storage media, rendered into a useable form, processed and interpreted for the purpose of obtaining intelligence for use in investigations, or evidence for use in criminal proceedings
Overview of Digital Forensics
Digital Forensics can be used to gather evidence in many criminal investigations
Agencies' Powers to Access Communications
Legislation on agencies' powers to access communications continues to be debated
The forensic science regulator (ISO 17025)
Requires all digital forensics practitioners undertaking criminal justice work to be accredited by 2017, but accepts this will be challenging
Encryption and cloud storage
Encryption and cloud storage can inhibit digital forensics investigations but offer security and flexibility to their users.
Rapid development and adoption of technology
Rapid development and adoption of technology is increasing demand for digital forensics services. Methods such as triaging are being used to address this demand.
POLICE AND CRIMINAL EVIDENCE ACT 1984 (PACE)
Sets out to strike the right balance between the powers of the police and the rights and freedoms of the public.
COMPUTER MISUSE ACT 1990 (CMA)
Makes certain activities illegal, such as hacking into other people’s systems, misusing software, or helping a person to gain access to protected files on someone else’s computer.
NPCC GUIDELINES | The 4 Principles - PRINCIPLE 1
Don’t change data which may subsequently be relied upon in court
NPCC GUIDELINES | The 4 Principles - PRINCIPLE 2
In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
NPCC GUIDELINES | The 4 Principles - PRINCIPLE 3
An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
NPCC GUIDELINES | The 4 Principles - PRINCIPLE 4
The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
TYPES OF STORAGE MEDIA
CCTV, Desktops, iPads/Tablets, Laptops, Digital Cameras, External HDD, Mobile Phones, SIM Card, Memory Cards, USB sticks, Dash Cam, Smart TV
REMOVAL AND ACQUIRING OF DATA
Data is extracted, which may involve making a copy of a hard disk, extracting data from a mobile phone, or recovering data from a remote system. Data is then processed to allow an examiner to work on it. This can include decrypting data and recovering files.
EXAMINATION OF DATA
Data is analysed and interpreted, which often involves synthesising information from different sources. This may require significant expertise.
KIOSKS
Feature bespoke forensic investigation software and are being trialled by the Metropolitan Police Service and other forces. They are designed to enable front-line police officers to collect evidence from mobile devices by following a series of on-screen instructions.
TRIAGE
Can be used to determine whether a device should be prioritised for further investigation. It may involve police on the scene assessing whether a device is likely to be useful before seizing it, or making a rapid search of it once seized to decide whether to pass it onto a specialist team.
DIGITAL FORENSIC CHALLENGES - ACCESSING DATA
The data required are not always readily available to investigators. They could be encrypted or stored in the cloud, making access difficult.
DIGITAL FORENSIC CHALLENGES - ENCRYPTION
Is a critical tool for protecting personal or commercially sensitive data. However, in some forms it may hamper digital investigations. Encryption is the process of scrambling data so that it can only be read by an authorised recipient.
DIGITAL FORENSIC CHALLENGES - CLOUD STORAGE
Users’ data and activity records are less likely to be held locally on devices, thus a device may not yield evidence, even if forensic techniques are used.
DIGITAL FORENSIC CHALLENGES - ANTI-FORENSICS
Some criminals are aware of the techniques available to law enforcement and try to hide their digital activity.
CASE STUDY | Operation Colindale
Seven men jailed for drive-by murder of student Aya Hachem
CASE STUDY | Operation Colindale - EXHIBITS
3959 exhibits were generated, of which: 120 phones, 180 digital storage devices, 80,000 hours of CCTV seized, extensive CCTV and telephone enquiries looking at the time before, during and after the incident, 30 vehicles seized
CASE STUDY | Operation Colindale - Verdict
They will serve a total of 216 years between them.