Evidence - Evidence must meet the three standards of being sufficient, competent, and relevant if it is to be used in legal proceedings.
- There are four different types of evidence: Direct, Real, Documentary, and Demonstrative.
- There are three rules regarding evidence: the Best evidence rule, the Exclusionary rule, and the Hearsay rule.
Collecting Evidence - Evidence must be properly collected, protected, and controlled to be of value during court or disciplinary activities.
- When acquiring evidence, one must be deliberate to ensure evidence is not damaged and operations are not negatively impacted.
- Evidence must be properly marked so that it can be readily identified as that particular piece of evidence gathered at the scene.
- Evidence must be protected so that it is not tampered with, damaged, or compromised.
- Evidence should be transported cautiously to ensure custody of the evidence is maintained and the evidence itself is not tampered with or damaged.
- Evidence should be stored in properly controlled areas and conditions.
- When conducting an investigation on computer components, one must be deliberate and cautious to ensure evidence is not damaged.
Chain of Custody - A chain of custody that accounts for all persons who handled or have access to the evidence must be maintained to prevent evidence tampering or damage.
Free Space and Slack Space - Information can be recorded and possibly hidden in various ways on a computer. Sometimes information will be hidden in either the free space or the slack space of the computer’s disk drive.
- Free space is the space (sectors) on a storage medium that is available for the operating system to use.
- Slack space is the unused space on a disk drive created when a file is smaller than the allocated unit of storage, such as a sector.
Message Digest and Hash - The use of a message digest or hashing algorithm is essential to ensure that information stored on a computer’s disk drives has not been changed.
- A hashing algorithm applies mathematical operations to a data stream or file to calculate a number that is unique, based on the information contained in the data stream or file.
- A message digest is the result of applying the hash function to data. It is also known as a hash value.
- If the information in the data stream or file is changed, a different message digest will result, indicating the file has been tampered with.
Analysis - Forensic analysis of data stored on a hard drive can begin once the drive has been imaged and message digests of important files have been calculated and stored.
- Analysis typically involves investigating the Recycle Bin, web browser and address bar history files, cookie files, temporary Internet file folders, suspect files, and free space and slack space.
- Experience and knowledge are the most valuable tools available when performing computer forensic activities.