Digital Evidence - SANS Computer Forensics

computer.forensics.sans.org

DIGITAL EVIDENCE

A New Generation in Criminal Investigations


Assistant Attorney General Chris Kelly
Managing Attorney, Cybercrime Division
Massachusetts Office of Attorney General Martha Coakley
www.maagocybercrime.org

INTRODUCTION


Cyber Crime: Changed Definitions and Law Enforcement Priorities


EARLY DIGITAL EVIDENCE / CYBER CRIME PRIORITIES

PRIORITIES - THEN (priority targets)

Phreaking
Hacking
Espionage
Fraud
Email Scams
Auction Fraud
Child Exploitation
Credit Card Theft

source: www.wikipedia.com


EMERGING DIGITAL EVIDENCE / CYBER CRIME PRIORITIES

PRIORITIES – NOW

Most haven’t changed; what is significant is what has been added to the list:

Gangs/Organized Crime
Narcotics
Rape
Murder
Terrorism

THE CYBER-CRIMINAL

source: www.wikipedia.com, www.myspace.com


Enhancing Criminal Cases with Digital Evidence


CONVICTED WITH DIGITAL EVIDENCE

ZACCARIAS MOUSSAOUI – “THE 20TH HIJACKER”

• FBI analysis of his laptop and computers, the laptop of his roommate, Mukkarum Ali, and two computers at the University of Oklahoma
• Email and other documents admitted at trial
• Convicted of conspiring to kill Americans; sentenced in 2006 to life at the federal Supermax prison in Colorado

source: www.wikipedia.com


CONVICTED WITH DIGITAL EVIDENCE

[Image: Exhibit FO05521.11, United States v. Moussaoui, No. 01-455-A]


CONVICTED INTERNET OFFENDER / INVESTIGATIONS WITH INTERNET EVIDENCE

COMMONWEALTH v. AARON JOHNSTON

• Convicted Texas sex offender
• Traveled 2,500 miles by bus to meet a girl from Boston he had met online
• Extradited to Texas in 2008

source: www.bostonherald.com

CONVICTED WITH DIGITAL EVIDENCE / INVESTIGATIONS WITH INTERNET EVIDENCE

NEIL ENTWISTLE

• Killed his wife Rachel and baby daughter Lillian
• Arrested in London in 2006 after fleeing the United States
• Several days of digital evidence testimony at trial
• Internet history included the Google search “how to kill with a knife”
• Convicted and sentenced to life in prison


CONVICTED WITH DIGITAL EVIDENCE

COMMONWEALTH v. MARK ANTHONY

• Convicted sex offender in Arizona
• Enticed countless young women
• Lived underground
• SJC (Massachusetts Supreme Judicial Court) opinion
• Pleaded guilty after several days of trial

Source: www.whdh.com


CONVICTED WITH DIGITAL EVIDENCE

BARBERSHOP

• 14 locations
• 50 hi-tech investigators
• 33 computers, 44 mobile devices, 400 items of media
• Citrix network

Source: www.wbztv.com


CONVICTED WITH DIGITAL EVIDENCE

COMMONWEALTH v. JAMES BENECHE and JESSICA DEAN

• Beneche and Dean murdered Beneche’s former girlfriend and his son
• The mother’s body was dumped near a pond
• The son’s body was thrown out of a third-story window in a trash bag as police approached
• Evidence included significant AOL email transmissions
• Other email evidence and web search history offered by a Massachusetts State Police (MSP) forensic examiner

Source: www.boston.com


Meeting New Challenges, Now and in the Future

STATE AND LOCAL CASE PRIORITIES

• Violent crime
• Sexual assault
• Fraud, larceny and identity theft
• Narcotics and organized criminal activity
• Harassment, stalking, etc.
• Intellectual property theft
• Child exploitation (‘Butner Study’, Journal of Family Violence, Volume 24, Issue 3 (2009), p. 183)


OTHER ISSUES OF INTEREST TO LAW ENFORCEMENT

• Protection of government networks
• Data in the cloud
• Balancing privacy concerns
• American cultural permissiveness
• Licensing of forensic examiners
• Lab certification
• Resources


TECHNICAL CHALLENGES TO LAW ENFORCEMENT

• At the end of 2008 there were more than 3.6 billion mobile subscriptions worldwide (www.rcrwireless.com)
• Universal functionality of many devices, including smart phones, GPS devices, and game consoles
• Surveillance systems – proprietary digital systems
• Encryption
• Users becoming more sophisticated
• Educating judges and lawyers


Closing Issues – Training Model

Closing Issues – New First Responder Model

‘The Red Flag Method’ of Digital Evidence Seizure (aka STOP PULLING THE PLUG!)


‘RED FLAG’ MODEL EXAMPLES

Observe and document the open applications and files on the desktop for items indicative of active encryption, remote storage, and open files of evidentiary value. Powering the machine off destroys exactly this volatile state: an unlocked encrypted volume locks again, a session to remote storage closes, and open files that were never saved are gone, so the red flags must be recognized and recorded before the plug is pulled.
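The red-flag check above, turned into a small live-triage script. This is an added example, not code from the presentation or from the Massachusetts AG's office: it scans a running Linux machine's mount table, device-mapper table and process list for unlocked encrypted volumes, remote storage and encryption or sync tools, the three things the slide says to look for before deciding whether to power off. The input formats follow /proc/mounts, `dmsetup table` and `ps -eo comm --no-headers`; the SAMPLE_* data and the indicator lists (REMOTE_FS, ENCRYPTED_FS, *_PROCS) are constructed assumptions for illustration, not an exhaustive catalogue.

```python
"""
'Red flag' live triage: scan a running machine's mount table, device-mapper
table and process list for signs of active encryption or remote storage
before anyone decides to pull the plug.

Added example, not code from the presentation. Input formats follow Linux
/proc/mounts, `dmsetup table` and `ps -eo comm --no-headers`; the SAMPLE_*
data below is constructed for illustration, as are the indicator lists.
"""
from dataclasses import dataclass

# Filesystem types whose contents live somewhere other than the local disk.
REMOTE_FS = {"nfs", "nfs4", "cifs", "smb3", "fuse.sshfs", "fuse.rclone", "davfs", "9p"}
# Stacked/FUSE filesystems that present a plaintext view of encrypted data.
ENCRYPTED_FS = {"ecryptfs", "fuse.gocryptfs", "fuse.cryfs", "fuse.encfs"}
# Process names worth flagging (assumed indicator list; extend for your cases).
ENCRYPTION_PROCS = {"cryptsetup", "veracrypt", "truecrypt", "gocryptfs", "encfs", "cryfs"}
REMOTE_PROCS = {"sshfs", "rclone", "dropbox", "onedrive", "insync", "megasync"}


@dataclass(frozen=True)
class Finding:
    category: str  # "ENCRYPTION" or "REMOTE_STORAGE"
    subject: str   # mount point or process name
    reason: str


def parse_mounts(text):
    """Parse /proc/mounts lines into (device, mountpoint, fstype, options)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            rows.append((parts[0], parts[1], parts[2], parts[3]))
    return rows


def parse_dm_table(text):
    """Map device-mapper names to their target type ('crypt', 'linear', ...)."""
    targets = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if sep and len(fields) >= 3:
            targets[name.strip()] = fields[2]
    return targets


def triage(mounts_text, dm_text, ps_text):
    """Return red-flag findings; an empty list means nothing obvious was seen."""
    findings = []
    # dm-crypt volumes appear as /dev/mapper/<name> with target type 'crypt';
    # checking the target (not the name) avoids flagging plain LVM volumes.
    crypt_devs = {f"/dev/mapper/{n}" for n, t in parse_dm_table(dm_text).items() if t == "crypt"}
    for dev, mnt, fstype, _opts in parse_mounts(mounts_text):
        if dev in crypt_devs:
            findings.append(Finding("ENCRYPTION", mnt, f"{dev} is an unlocked dm-crypt volume"))
        elif fstype in ENCRYPTED_FS:
            findings.append(Finding("ENCRYPTION", mnt, f"{fstype} mount; plaintext view exists only while mounted"))
        if fstype in REMOTE_FS:
            findings.append(Finding("REMOTE_STORAGE", mnt, f"{fstype} from {dev}; data is not on this disk"))
    for proc in sorted({l.strip() for l in ps_text.splitlines() if l.strip()}):
        if proc in ENCRYPTION_PROCS:
            findings.append(Finding("ENCRYPTION", proc, "encryption tool running; keys are in RAM"))
        elif proc in REMOTE_PROCS:
            findings.append(Finding("REMOTE_STORAGE", proc, "remote/cloud storage client running"))
    return findings


# Constructed sample data (not from a real seizure).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/mapper/vg0-home /home ext4 rw,relatime 0 0
/dev/mapper/vault /mnt/vault ext4 rw,relatime 0 0
gocryptfs /home/jdoe/private fuse.gocryptfs rw,nosuid,nodev,relatime 0 0
//10.0.0.5/share /mnt/share cifs rw,relatime,vers=3.0 0 0
fileserver:/export /mnt/export nfs4 rw,relatime 0 0
"""
# `dmsetup table` masks the key with zeros unless --showkeys is given.
SAMPLE_DM_TABLE = """\
vg0-home: 0 41943040 linear 8:2 2048
vault: 0 2097152 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:3 4096
"""
SAMPLE_PS = """\
systemd
sshd
bash
veracrypt
rclone
firefox
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_MOUNTS, SAMPLE_DM_TABLE, SAMPLE_PS):
        print(f"[{f.category}] {f.subject}: {f.reason}")
```

On the sample data the script reports the dm-crypt volume at /mnt/vault, the gocryptfs mount, the CIFS and NFS shares, and the running veracrypt and rclone processes, while leaving the plain LVM volume at /home alone. Anything run on a live suspect machine changes its state, so in practice the commands, their output and the time they were run belong in the seizure notes, and the tool should be launched from trusted media rather than from the suspect's own binaries.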


‘RED FLAG’ MODEL EXAMPLES

[Image: standard network cable, 8-pin connector]

[Image: wireless antennas (vary in type)]

DEVICE RECOGNITION (Source: www.pcworld.com)


Closing Issues – A Changing Dynamic in Court

Reverse negative trends and take advantage of the technology…
