Before Class
Week 1 DFEH Before Class Activities
In-Class
Introduction to Forensic Science
Definition: Forensic Science is applying scientific methods to find factual answers to legal questions.
Forensic science, also known as criminalistics, is the use of scientific methods to analyze evidence and assist in legal decision-making. It is a vital part of the criminal justice system, and is used to investigate crimes, enforce laws, and protect public health.
Role of a Forensic Scientist: They answer questions like:
- What happened?
- How did it happen?
- Who was involved?
- When did it occur?
Locard’s Exchange Principle
Object —> exchange of material <— Object 2
Principle Summary :
- Whenever two objects come into contact with each other, traces of each are exchanged
- Every contact leaves a trace
- This applies both to the people originally involved at the crime scene and also to the INVESTIGATOR
- As the investigator, you want to limit the traces you leave
- Trace evidence can connect a criminal to a crime scene.
FOR EXTRA KNOWLEDGE
“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects.
All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”
~Professor Edmond Locard
SOURCE: YouTube
Crime Reconstruction
- Determining the sequence of events leading up to and during a crime.
- Scientific method applied to analyze evidence and determine the most likely hypothesis
What is a hypothesis?
A hypothesis is a guess or idea that you can test to see if it’s true. It’s like saying, “I think this will happen because of that,” and then doing an experiment or observation to find out if you’re right.
Investigation
- Systematic examination to identify or verify facts related to a crime or incident.
- 5W’s:
- Who: Suspects, victims, witnesses.
- Where: Crime scene and relevant locations.
- What: Description of the crime itself.
- When: Time of the crime and related events.
- Why: Motivation for the crime.
- How: The method used to commit the crime.
Evidence Dynamics
- Definition: Any influence that alters, changes, or hides evidence, intentionally or unintentionally.
- Importance: Understanding evidence dynamics helps reconstruct the crime scene.
- Example: The mechanisms involved in writing data to a hard drive or creating/deleting files.
Digital Forensics
- Using scientifically proven methods to collect, preserve, analyze, and present digital evidence for legal purposes.
- Identification of potential evidence sources from digital devices.
- Collection of digital raw data by copying the source in a forensically sound manner.
- Examination of the raw data, giving it structure so it is easier to process and understand.
- Analysis of the examined data.
- Presentation to a court of law or the entity of interest.
- Digital Archaeology: Examining digital traces left by human behavior.
- Example: Analyzing a person’s deleted emails, old social media accounts, or search history to understand their activities or motivations.
- Digital Geology: Analyzing traces created by the computer systems (logs, caches, error reports)
- Example: Inspecting server logs and data caches to understand system performance, identify software issues, or detect anomalies that may indicate security breaches or system failures.
Digital Devices, Media, and Objects
- Digital Device: A physical object (e.g., laptop, smartphone, car).
- Digital Media: Storage media within a device (e.g., hard drive, memory).
- Digital Data: Information stored in binary format.
- Digital Object: A discrete collection of digital data (e.g., multimedia content or structured data).
Forensic Soundness & Fundamental Principles
- Forensic Soundness: Adherence to established digital forensics principles, standards, and processes.
- Evidence Integrity: Maintaining the original state of evidence.
- Chain of Custody: Documenting the handling and analysis of evidence.
What is integrity?
Evidence integrity means keeping digital evidence exactly as it was when first collected, without any changes. This ensures that the evidence is reliable and can be trusted during an investigation or in court.
Crime Reconstruction in Digital Forensics
Crime reconstruction is the process of figuring out what happened during a crime. Investigators use evidence, like witness stories, physical clues, or digital information, to put together the events and understand how the crime occurred.
- Five-step method for event-based crime scene reconstruction
- Evidence Examination: Identifying relevant evidence.
- Role Classification: Determining the cause/effect of evidence.
- Event Construction & Testing: Identifying and assessing possible events.
- Event Sequencing: Combining events into a chain.
- Hypothesis Testing: Scientifically testing the hypothesis.
Digital Evidence
- Definition: Digital data that can support or refute a hypothesis about an incident or crime.
- Layers of Abstraction: Hiding implementation details to reduce complexity.
- Metadata: Data about data, providing information like timestamps and location.
The Digital Forensics Process
- Identification: Recognizing potential evidence sources.
- Collection: Making a forensically sound copy of data.
- Examination: Extracting potential digital evidence from collected data.
- Analysis: Processing information to determine facts.
- Presentation: Presenting results to stakeholders.
Identification Phase
- Objective: Detecting and recognizing the incident or crime to investigate.
- Preservation Tasks: Isolating, securing, and documenting digital devices.
- Live Systems: Running systems that may lose evidence if shut down.
- Dead Systems: Non-running systems.
- Faraday Bag: Shields devices from external RF sources, preventing evidence loss.
- Maintaining Storage Media Integrity:
- Copy: Create a forensically sound copy of the media.
- Hash Function: Calculate the hash value of both the original and copy to ensure integrity.
- Documentation: Record details of the copy process.
- Person handling evidence.
- Procedures performed.
- Time and date.
- Original location.
- Method of collection.
- Reasons for collection.
Collection Phase
- Objective: Collecting data from digital devices using forensically sound methods.
- Metadata: Case name, case number, examiners, timestamps, location, etc.
- Evidence Sources: Hard drives, memory, flash drives, external media, networks, etc.
- Data Integrity: Using techniques like write blockers and hash functions to prevent data alteration.
- Hash Function: A mathematical function that computes a value which is, for practical purposes, unique to a file's contents, so any change to the file changes its hash.
- Hash Function Types: MD5, SHA1, SHA256 (SHA256 is the most secure of the three).
- Order of Volatility: Prioritize the collection of evidence based on the likelihood of data loss.
Type of storage media and data | Typical storage lifespan and longevity
--- | ---
System registers, peripheral memory, and caches | Nanoseconds
RAM | Ten nanoseconds
Network state | Milliseconds
Running system processes | Seconds
Data on disk (cache) | Minutes
Cloud storage | Months to years
HDD data storage | Years
Floppies and other magnetic tape-based media | Years to decades
CD-ROMs, DVDs, print-outs | Decades
Read-only memory; flash and SSD data storage | Decades to centuries
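The "copy, then hash both the original and the copy" step from the Identification and Collection phases above, together with the documentation record the notes list (person, procedure, time, original location, method, reason), as an added Python example. This is not code from the course; the evidence image is a few constructed random bytes, and the examiner name and helper names are placeholders.

```python
import hashlib
import io
import os
import shutil
import tempfile
from datetime import datetime, timezone

# The three algorithms the notes mention; all are computed in one pass over the data.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(fh, chunk_size=1024 * 1024):
    """Return {algorithm: hex digest}, reading in chunks so a multi-gigabyte
    image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def acquire_copy(source, destination):
    """Make the working copy, then hash both sides.
    Returns (original_hashes, copy_hashes, match)."""
    shutil.copyfile(source, destination)
    original = hash_file(source)
    copy = hash_file(destination)
    return original, copy, original == copy


def custody_record(source, original_hashes, copy_hashes, handler, method, reason):
    """The documentation entry from the notes: who, what, when, where, how, why,
    plus the hashes that let anyone re-verify the copy later."""
    return {
        "handler": handler,
        "procedure": "forensic copy + hash verification",
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "original_location": os.path.abspath(source),
        "collection_method": method,
        "reason": reason,
        "hashes_original": original_hashes,
        "hashes_copy": copy_hashes,
        "integrity_verified": original_hashes == copy_hashes,
    }


def demo():
    """Run the flow on a constructed image, then flip one byte in the working
    copy (evidence dynamics) and show the re-check fails.
    Returns (custody record, whether the altered copy still verifies)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sample_evidence.img")
    copy = os.path.join(workdir, "sample_evidence_copy.img")
    with open(source, "wb") as fh:
        fh.write(os.urandom(4096))  # constructed sample data, not a real acquisition
    original_hashes, copy_hashes, ok = acquire_copy(source, copy)
    record = custody_record(
        source, original_hashes, copy_hashes,
        handler="Examiner A (placeholder)",
        method="bit-for-bit file copy",
        reason="Week 1 lab exercise",
    )
    with open(copy, "r+b") as fh:  # simulate a single altered byte
        fh.seek(100)
        original_byte = fh.read(1)[0]
        fh.seek(100)
        fh.write(bytes([original_byte ^ 0xFF]))
    still_intact = hash_file(copy) == original_hashes
    shutil.rmtree(workdir)
    return record, still_intact


if __name__ == "__main__":
    rec, intact = demo()
    print("verified at acquisition:", rec["integrity_verified"])
    print("still verifies after one-byte change:", intact)
```

A real acquisition would read the source through a write blocker and write the copy with an imaging tool rather than `shutil.copyfile`; the hashing and record-keeping around it are the same.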
Examination Phase
- Objective: Preparing and extracting digital evidence from collected data sources.
- Triage: Prioritizing which digital evidence to examine first.
- Digital Forensics Data Formats:
- Raw Data: An exact copy of the data source.
- EnCase, SMART, AFF, Prodiscover: Popular forensics file formats.
- Challenges: Large volumes of data, splitting files, recovering deleted data.
- Data Filtering: Removing known files that aren’t evidence (e.g., OS files).
- Known Files Databases:
- Bad Files: Hashes of malware, rootkits, and criminal images.
- Good Files: Hashes of operating system files, application files, etc.
- Timestamp Analysis: Determine clock time, time zone, and how the forensic tool handles time zones.
- Decryption: Decrypting encrypted files if possible.
- Password Cracking Tools: Some forensic tools include these.
- File Parsing and Carving: Extracting files based on their file type from raw data.
- Automation: Using scripts and programs to automate repetitive tasks.
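File carving by file type from raw data (L145's "File Parsing and Carving") and filtering the carved files against known-good / known-bad hash sets (the "Known Files Databases" item above), as one added Python example. This is not course code; the "disk image", the three fake files inside it, and the two hash sets are all constructed here, and the signature table only covers the three types used.

```python
import hashlib

# Header/footer signatures for a few common types (constructed table, not exhaustive).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF", b"%%EOF"),
}


def carve(raw, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan raw bytes for each header; a file runs from the header to the first
    footer after it. A header with no footer within max_size is a fragment and
    is skipped, which is one of the 'recovering deleted data' challenges."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = raw.find(header, pos)
            if start < 0:
                break
            end = raw.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + len(header)  # fragment, keep scanning
                continue
            end += len(footer)
            found.append({"type": ftype, "offset": start, "size": end - start,
                          "data": raw[start:end]})
            pos = end
    found.sort(key=lambda f: f["offset"])
    return found


def classify(files, known_good, known_bad):
    """Hash each carved file and apply the known-files filter: known-good files
    are set aside, known-bad files are flagged, everything else needs a look."""
    for f in files:
        digest = hashlib.sha256(f["data"]).hexdigest()
        f["sha256"] = digest
        if digest in known_bad:
            f["verdict"] = "known-bad"
        elif digest in known_good:
            f["verdict"] = "known-good (filtered out)"
        else:
            f["verdict"] = "unknown (examine)"
    return files


# Constructed sample image: filler bytes, three fake files, and a JPEG fragment.
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-sample" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed-sample" + b"IEND\xae\x42\x60\x82"
FAKE_PDF = b"%PDF-1.4\n" + b"constructed-sample\n" + b"%%EOF"
TRUNCATED_JPG = b"\xff\xd8\xff\xe1" + b"Exif-fragment-without-footer"
SAMPLE_IMAGE = (b"\x00" * 64 + FAKE_JPG + b"\x00" * 32 + FAKE_PNG
                + b"\x00" * 16 + FAKE_PDF + b"\x00" * 16 + TRUNCATED_JPG)

# Constructed hash sets standing in for the good-files and bad-files databases.
KNOWN_GOOD = {hashlib.sha256(FAKE_PNG).hexdigest()}
KNOWN_BAD = {hashlib.sha256(FAKE_JPG).hexdigest()}


def demo():
    return classify(carve(SAMPLE_IMAGE), KNOWN_GOOD, KNOWN_BAD)


if __name__ == "__main__":
    for f in demo():
        print(f["type"], f["offset"], f["size"], f["verdict"])
```

Real hash-set filtering is done with published sets (for example NSRL-style known-file lists) and usually with MD5 or SHA-1 as well as SHA-256, because that is what the sets are distributed in; the lookup logic does not change.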
Analysis Phase
- Objective: Processing information to answer investigative questions and determine facts.
- Data Layers of Abstraction: Analyzing data at different levels (e.g., binary, file system, application).
- Evidence Complexity: Varies depending on the type of crime.
- String and Keyword Searches: Finding specific information quickly.
- Search Properties: Phone numbers, SSNs, addresses, file properties, special characters, etc.
- Anti-Forensics: Techniques to make forensic analysis more difficult.
- Anti-forensics techniques:
- Computer Media Wiping: Deleting data to prevent recovery.
- Encryption and Obfuscation: Making data difficult to access.
- Timelining: Organizing data based on timestamps.
- System and Application Logs: Provide a timeline of events.
- Visual Representation: Using graphs and diagrams to present data visually.
- Link Analysis: Visualizing interconnected objects.
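Timelining from system and application logs, the timestamp/time-zone handling from the Examination phase, and a keyword search over the result, as one added Python example (not course code). The log lines are constructed: a syslog source with an explicit UTC offset, an application log in epoch seconds, and a Windows-style event export in naive local time, for which the example assumes the machine clock was on UTC-5. The phone-number pattern is only an illustration of a search property.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines (not real logs). Each source records time differently.
SYSLOG_LINES = [
    "2024-03-05 09:05:44 -0500 ws01 usb-storage: new device sdb1 mounted",
    "2024-03-05 09:02:10 -0500 ws01 sshd[412]: Accepted password for alice from 10.0.0.5",
]
APP_LOG_LINES = [
    "1709647410|reportviewer|user alice opened report.pdf",
    "1709647500|reportviewer|user alice exported contacts.csv containing 555-0199",
]
EVENT_EXPORT_LINES = [
    "03/05/2024 09:04:00 EventID 4663 object accessed C:\\reports\\report.pdf",
]
# Assumption for naive timestamps: the exporting machine's clock was set to UTC-5.
ASSUMED_LOCAL_TZ = timezone(timedelta(hours=-5))

SYSLOG_RE = re.compile(r"^(\S+ \S+ [+-]\d{4}) (\S+) (.*)$")


def parse_syslog(line):
    """Timestamp carries its own offset, so it can be converted to UTC directly."""
    stamp, host, msg = SYSLOG_RE.match(line).groups()
    ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
    return ts.astimezone(timezone.utc), "syslog", f"{host} {msg}"


def parse_app_log(line):
    """Epoch seconds are already UTC; no zone decision needed."""
    epoch, component, msg = line.split("|", 2)
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return ts, "app", f"{component} {msg}"


def parse_event_export(line, local_tz=ASSUMED_LOCAL_TZ):
    """Naive local time: the examiner must supply the zone, and the choice is
    recorded in the method section of the report."""
    stamp, msg = line[:19], line[20:]
    ts = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S").replace(tzinfo=local_tz)
    return ts.astimezone(timezone.utc), "eventlog", msg


def build_timeline(syslog=SYSLOG_LINES, app=APP_LOG_LINES, events=EVENT_EXPORT_LINES):
    """Normalize every source to UTC and merge into one ordered list of
    (iso timestamp, source, message)."""
    rows = [parse_syslog(l) for l in syslog]
    rows += [parse_app_log(l) for l in app]
    rows += [parse_event_export(l) for l in events]
    rows.sort(key=lambda r: r[0])
    return [(ts.isoformat(), source, msg) for ts, source, msg in rows]


def search(timeline, pattern):
    """Keyword / pattern search over the merged timeline messages."""
    rx = re.compile(pattern)
    return [row for row in timeline if rx.search(row[2])]


if __name__ == "__main__":
    tl = build_timeline()
    for ts, source, msg in tl:
        print(ts, source, msg)
    print("phone-number hits:", search(tl, r"\b555-\d{4}\b"))
```

The point of normalizing to UTC before sorting is that the 09:04:00 event-log entry sits between the two application events only once its assumed zone is applied; sorting the raw strings would put it in the wrong place.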
Presentation Phase
- Objective: Sharing analysis results with stakeholders.
- Report Contents:
- Roles and tasks.
- Executive summary.
- Acquisition and analysis methods.
- Visualizations, diagrams, and screenshots.
- Repeatability of analysis.
- Tools used.
- Findings.
- Avoid Text-Only Reports: Use diagrams, graphics, and timelines to improve understanding.
- Chain of Custody: Documentation supporting evidence integrity.
- Detailed Documentation: Essential for ensuring evidence admissibility in court.