Computer Forensic questions

Hi

- What tools would we use during the search-and-collect stage to ensure the security of this evidence and that it is not tampered with?

- What are the important characteristics of digital evidence to be used in court proceedings?

thanks
ang3lus Asked:

btan (Exec Consultant) Commented:
Forensics is more of a reactive means to sieve out evidence to aid the investigation and establish more leads to join the dots in a case. Agree with both experts that for legally binding responsibility, you probably need to consult your enterprise legal. Technically, forensics is done on a cloned version and not on the original device, but we also need to note that sometimes it may even be live forensic acquisition to grab the volatile evidence.

http://www.csoonline.com/article/220718/how-to-keep-a-digital-chain-of-custody?page=1

Laws dealing with digital evidence are concerned with two issues: integrity and authenticity. Integrity is ensuring that the act of seizing and acquiring digital media does not modify the evidence (either the original or the copy). Authenticity refers to the ability to confirm the integrity of information.

The admissibility of digital evidence relies on the tools used to extract it. In the US, forensic tools are subjected to the Daubert standard, where the judge is responsible for ensuring that the processes and software used were acceptable.

http://en.wikipedia.org/wiki/Digital_forensics#Legal_considerations

The National Institute of Standards and Technology (NIST) has a dedicated group working on Computer Forensic Tool Testing (CFTT). They develop test methodologies for a category of tools and conduct tests using specific input cases. The specification for disk imaging tools was published [15] and the tests were conducted on several different tools. More details and even some test findings on the tools can be found on the CFTT site:

http://www.cftt.nist.gov/project_overview.htm

0
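The integrity and authenticity points above come down to one practice: hash the original at seizure, record the hashes in the chain-of-custody log, and re-verify every working clone against that record before analysis. The following is an added example (not code from the thread or any named tool) showing that check; the "disk image", examiner name and source identifier are constructed sample values.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "evidence": stands in for a disk image acquired from a seized device.
ORIGINAL_IMAGE = b"MBR\x00" + bytes(range(256)) * 8 + b"user-data: invoices.xlsx\n"


def evidence_hashes(data):
    """Two independent digests: a coincidental match on both is far less
    plausible than on one, and many tools still report MD5 alongside SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def acquisition_record(data, examiner, source, acquired_utc=None):
    """Chain-of-custody entry made once, at seizure time. The hashes of the
    original travel with the evidence; every later handler verifies against
    them instead of recomputing 'the truth' from whatever copy they hold."""
    return {
        "source": source,                      # e.g. device serial (constructed here)
        "examiner": examiner,
        "acquired_utc": acquired_utc or datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(data),
        **evidence_hashes(data),
    }


def verify_copy(record, working_copy):
    """Check a cloned image against the seizure record.
    Returns (ok, mismatching_fields) so a report can state exactly what differs."""
    problems = []
    if len(working_copy) != record["size_bytes"]:
        problems.append("size_bytes")
    for algo, actual in evidence_hashes(working_copy).items():
        if actual != record[algo]:
            problems.append(algo)
    return (not problems, problems)


if __name__ == "__main__":
    rec = acquisition_record(ORIGINAL_IMAGE, "examiner-1", "laptop-serial-XYZ")
    print("clean clone:", verify_copy(rec, bytes(ORIGINAL_IMAGE)))
    tampered = bytearray(ORIGINAL_IMAGE)
    tampered[10] ^= 0x01                      # a single flipped bit, e.g. a stray write
    print("tampered clone:", verify_copy(rec, bytes(tampered)))
```

Analysis on a read-only clone that passes this check leaves the original untouched, and the recorded digests are what an examiner can point to in court to show nothing changed between seizure and analysis.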
 
ang3lus (Author) Commented:
One more question:

Why is forensic analysis of original devices only done as a last resort?

thanks
0
 
Dave Baldwin (Fixer of Problems) Commented:
The most important part is that it be done by trained and reputable technicians, possibly law enforcement personnel, under a search warrant if necessary. It would be the last resort because the devices must be confiscated to preserve the evidence. For use in court, the "chain of custody" must be preserved and recorded. http://en.wikipedia.org/wiki/Chain_of_custody

If you're serious about going to court, this is probably not a do-it-yourself thing. You should talk to the police and maybe a lawyer before you take any action. You wouldn't want to sabotage your own case.
0
 
ChopOMatic Commented:
I second Dave's comments. This is not a DIY undertaking.

One mistake can literally ruin your case. There are so many variables involved in answering your questions that I wouldn't know where to begin. Seek out qualified assistance.
0
 
JohnDecker Commented:
^^Bang on - it's done on a clone with read-only attributes so that things like date stamps don't get altered. Microsoft supply forensic software to LE around the world; love to get my hands on it.

If you try a DIY approach you'd get ripped to pieces in court.
0
Question has a verified solution.