digital evidence

Cards (20)

  • criminal justice system
    includes CPS
    magistrates court
    deals with less serious offences
    prove defendant is guilty based on evidence
    call witnesses
    judge/ jury consider verdicts
    sentencing
    appeals
  • how do you preserve evidence
    don't alter data unless you're competent to do so
    document your actions via notes
    document the entire scene and location
    collect and label
    package and transport
  • recovering a computer
    if off- disconnect, bag and tag
    if sleeping- wiggle mouse only upon agreement
    document where it was seized from
    if on- photograph the scene
    look for words such as delete or remove which can suggest that data is being destroyed
    check for signs of active communications
    remove power
  • recovering a phone
    isolate from mobile network
    check date and time
    check battery level
    airplane mode
    turn off however be aware it can lock you out
    remove SIM
    package in faraday bag
  • what's an attribution
    linking data to an individual to build a picture
  • importance of attribution
    data is meaningless unless you can link it to people
  • examples of attributions
    suspects
    witnesses
    CCTV
    receipts
    user id
    IP address
    top up history
    cell site locations
  • questions to consider for attributions
    who are they regularly calling
    where are they regularly going
    are the movement and calling patterns around the time of the incident
  • what's profiling
    is the activity outside the norm for the individual
  • examples of profiling
    user id
    emails
    phone number
    IP address
  • highway connections
    internet and email
    telecoms
  • internet
    internet to wifi is public
    wifi to device is private
  • emails
    communication patterns, who are they talking to, what are they talking about
    identify individuals
    establish timelines
  • telecoms
    allow us to establish connections to cell towers which can then provide info on suspects whereabouts
  • computer forensics
    HDD hard disk drive
    forensic copy of the data is made
    analysis is performed so original data is preserved
  • types of data available
    commonly opened files
    commonly opened programmes
    which exact files are opened
    which exact programmes are opened
    internet browsing
    installation of computer
    users
  • mobile forensics
    no HDD however there's a SIM and memory card
  • manual acquisition
    photograph screen, slow, less data but none is hidden
  • logical
    like a back up, needs to be on to extract data
  • chip and physical acquisition
    deleted and hidden data is recovered, bypasses codes however is expensive and risky