Digital Forensic


Violent Crime and Digital Evidence

MSDF 630 – Digital Forensics Evidence

Learning Objectives

The Role of Computers in Violent Crime

Processing the Digital Crime Scene

Investigative Reconstruction

The Role of Computers in Violent Crime

Computers now provide some of the most informative sources of evidence, and are objective witnesses in many violent crimes.

Digital Evidence Found in Violent Crimes

Cybertrails

Mobile Devices

Personal Computers

Private Networks

Intent and Motive

Cybertrails

Criminals often do not realize they are leaving digital trails behind:

Search History

Call Logs

Email

SMS Text Messages

Videos

Audio Recordings

The trails may not belong to the criminal

Victim’s computers

Public systems

Mobile Devices

People carry smartphones with them everywhere. Phones can:

Be used to track you

Record audio and video evidence

Transmit data to other people or connected Internet services

Criminals can use information from the smartphone to track victims

“Find my iPhone/Droid” apps

GPS metadata on photos

“Spy” apps that notify others of your location

Personal Computers

People store things on their computers that once were only physical

Diaries

Correspondence (email and text messages)

Using a personal computer often leaves digital footprints

Browser history

Internet sites that remember last activities

Lack of security on a computer can open a computer to a criminal

Keyloggers

Spyware

Private Networks

Private companies often keep detailed records on users

Improved customer means they may

Track your activities and preferences

Store payment information

Track location changes

Some data is needed for their business needs

Records of purchases

PII to identify users

Which computers you use to access their site

Intent and Motive

Search history is often used to show the crime was researched

Communication trails can show the history of the criminal and the victim, which may suggest the motive for a crime

The internet sites visited by a criminal can indicate the criminal is predisposed to commit certain crimes.

The internet sites visited by a victim can indicate where the victim was heading or how they met the criminal

Pacemaker Contradicts Testimony

Ross Compton arson case (Middletown, Ohio):

He claimed that he was asleep, but woke to fire in his house.

He said he packed a suitcase and grabbed some things as flames threatened

He used his cane to break a window, escaping with the belongings.

Physical evidence indicated possible arson

The fire started in multiple places

Compton’s clothing and shoes smelled like gasoline

Police obtained a search warrant for his pacemaker data.

Cardiologist testified that pacemaker data did not support the stress that would be expected if Compton’s story were true.

Victim’s Smartwatch Evidence was Key

Neighbors call police about the death of a woman after her gagged daughter-in-law emerges from the woman’s house.

The d-i-l told police that the woman was followed home, had a 20-minute argument with some men at the front door, then was killed.

D-i-l said she did not hear the attack because she was in the kitchen.

Police analyzed the victim’s Apple iWatch and discovered:

The exact time the crime happened, 4 hours earlier than the d-i-l stated.

The attack was sudden, and the woman died within minutes of arriving home.

The D-i-l was charged in the woman’s murder.

Processing the Digital Crime Scene

When processing the crime scene, the investigator should collect all possible evidence the investigator is authorized to collect.

Considerations at a Digital Crime Scene

Authorization

Preparation: Make a Plan, Follow the Plan

Crime Scene Survey and Documentation

Enterprise Networks as Evidence

Authorization

Mincey warrants refer to the case Mincey v. Arizona, 437 US 385 (1978).

Mincey murdered an undercover narcotics officer

Police collected ~300 pieces of evidence over a four-day search.

SCOTUS found no exigent circumstances and no indication that evidence would be lost, destroyed, or removed during the time required to obtain a search warrant.

Net: Exigent circumstances do not exist solely because the crime was violent.

Preparation: Make a Plan, Follow the Plan

Every investigator should have an SOP (Standard Operating Procedure) for how to conduct an investigation.

The plan must be flexible enough to cover unforeseen situations.

The basics for each kind of situation should be documented.

Crime Scene Survey and Documentation

Digital pictures are very useful in capturing all the details of a crime scene, but diagrams and hand-drawings can often capture the overall “picture” better than a photograph.

Photographs may be useful in identifying things that are out of the ordinary and could suggest that a new warrant be issued.

Evidence found at the scene may be useful for both the prosecution and the defense. Both sides must have access to the evidence to evaluate the contents and draw conclusions.

Enterprise Networks as Evidence

Employees use computers all the time in today’s business world.

Employers often authorize some “incidental” personal computer use.

Many employers maintain logs and other computer records that may also be evidence in a criminal case.

You may not want to rely on the employer’s analysis of the evidence:

They may not have a forensic background, leading to lost or tainted evidence.

They have an interest in protecting the organization from liability or negative press.

They could be a friend of the victim and try to protect the victim’s data.

They may be the offender.

Investigative Reconstruction

We’ve discussed the investigative reconstruction aspects. We’ll take a look at this again from a violent crime perspective.

Reconstruction Topics

Victimology

Offender Behavior

Crime Scene Characteristics

Victimology

Reviewing the victim’s digital footprint is not blaming the victim.

People often have a different public persona than their private one.

Some personal decisions may provide clues regarding the crime.

Digital evidence can help reveal secrets that placed the victim at higher risk.

Take a big picture approach to the collection and analysis of digital evidence. Individual pieces of evidence may only appear significant when combined to show a pattern of behavior.

Offender Behavior

Criminals may go through great effort to hide digital evidence of their crimes. They may:

hide and destroy evidence,

enlist others to destroy evidence,

stage the crime scene to misdirect investigators, or

stage activities to cover their tracks or establish an alibi

Do not limit the digital investigation to the residence of the suspect.

Examine the digital evidence from public sites the suspect frequented

Look for unprotected Wi-Fi in the area

Crime Scene Characteristics

There is often more than one crime scene:

Where the victim is encountered

Where the crime takes place

Where the crime is discovered

Look at the MO and try to determine why those places were chosen.

Easy access to victims

Low chance of discovery

Emotional/psychological reasons

Not too close to the suspect’s home

Summary

Digital evidence may reveal

investigative leads,

likely suspects,

previously unknown crimes, and

online secrets that put the victim at higher risk.

Digital investigators may be able to use digital evidence to

assess alibis,

confirm witness statements, and

disprove offender statements.