
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
DCJS # 11-14869

- What constitutes “digital ” & where is digital evidence stored?
- What is a digital forensic examiner & what should they know?
- Trends in digital device usage
- What does a digital crime scene look like?
- What should you be on the lookout for?

is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a of . The goal of is to perform a structured investigation while maintaining a documented chain-of-evidence to find out exactly what happened on a computer device & who was responsible for any disputed activity.

- Adhering to accepted methodologies
- Structured investigations
- Documentation

Two groups:
- No one
- Everyone

- Scientific Working Group on Digital Evidence (SWGDE)
- National Institute of Standards & Technology (NIST)
- International Association of Computer Investigative Specialists (IACIS)
- Virginia Department of Forensic Science (DFS)
- American Society of Crime Lab Directors (ASCLD)

- Employee misconduct / violations of acceptable use policy
- Domestic/custody disputes
- Texting-while-driving (personal injury)
- Stalking
- Network intrusion / malware analysis
- Fraud
- Copyright infringement / IP theft
- Child pornography / electronic child sexual exploitation

Data is everywhere!

Mobile = smartphone & tablet usage

As of January 2014:
- 90% of American adults have a cell phone
- 58% of American adults have a smartphone
- 32% of American adults own an e-reader
- 42% of American adults own a tablet computer
  - NOTE: Many families own more than one device

Think about it… How many devices are in your home?

The Three “A”s of Forensic Methodology:
1. Acquire the evidence without altering or damaging the source
2. Authenticate that you recovered evidence in the same state as in the seized source
3. Analyze the data without altering it.

Question for discussion…
- Have you ever left a company and taken your contacts with you?
  - Is that considered “intellectual property”?
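The Three “A”s in practice, as an added example that is not part of this presentation: it images a constructed stand-in file, hashes the source before and after the copy and the image itself (all three digests must agree), runs a read-only keyword search on the image and re-hashes it, and shows that a single changed byte in the source no longer matches the original digest. The file names and the keyword list are assumptions made for the example.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images never sit in memory at once


def sha256_file(path):
    """Digest a file opened read-only; nothing here can alter the source."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()


def acquire(source, image):
    """Acquire: copy the source to an image file. Authenticate: the source digest
    taken before and after the copy and the image digest must all be identical."""
    before = sha256_file(source)
    shutil.copyfile(source, image)
    os.chmod(image, 0o444)  # the working copy is read-only from here on
    after = sha256_file(source)
    image_hash = sha256_file(image)
    return {"source_before": before, "source_after": after, "image": image_hash,
            "authenticated": before == after == image_hash}


def analyze(image, expected_hash, keywords=(b"contacts", b"invoice")):
    """Analyze: work on the image only (here a keyword search), then re-hash it
    to prove the analysis left the image unchanged. The keyword list is assumed."""
    with open(image, "rb") as f:
        data = f.read()
    hits = [kw for kw in keywords if kw in data]
    return {"hits": hits, "unchanged": sha256_file(image) == expected_hash}


def demo():
    """End-to-end run on a constructed stand-in for seized media."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "seized_drive.bin")  # constructed, not real media
    image = os.path.join(work, "seized_drive.dd")    # hypothetical raw image name
    try:
        with open(source, "wb") as f:
            f.write(b"company contacts list\x00" * 1000 + b"old invoice\x00" * 16)
        acq = acquire(source, image)
        ana = analyze(image, acq["image"])
        # A single changed byte must break authentication against the original digest
        with open(source, "r+b") as f:
            f.seek(8)
            f.write(b"X")
        still_matches = sha256_file(source) == acq["source_before"]
    finally:
        if os.path.exists(image):
            os.chmod(image, 0o644)  # allow cleanup of the read-only image
        shutil.rmtree(work)
    return {"authenticated": acq["authenticated"], "hits": ana["hits"],
            "unchanged_after_analysis": ana["unchanged"],
            "tamper_detected": not still_matches}


if __name__ == "__main__":
    print(demo())
```

On real media the copy step is done with a hardware write-blocker and an imaging tool, and the before/after digests of source and image are recorded in the case notes; the logic above is the same check reduced to its essentials.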

Our investigations begin with the end in mind…

[Image slides, not preserved in this text: the difference between this and this; how this stores data differently than this; how data is allocated in this and this; how this converts to this, to somehow create this; and what purpose these serve (no pun intended)…]

…and how to effectively acquire & analyze evidence from them.

- Windows Registry artifacts
  - USB connections, IP logs, etc.
- Digital pictures and movies
  - Pictures & videos can be located anywhere
- Text messages in all shapes & forms
- Email
  - Important for domestic cases, white-collar & fraud cases (e.g., Bob McDonnell)
- Web/Internet artifacts
  - Social media activity, search history, etc.

Mobile device examples
- iPhone/iPad/iPod (Apple)
- All Android-based phones/tablets
- Legacy/feature phones / “drop” phones
- GPS devices (external)

[Image slides, not preserved in this text: the differences between these two, and the data contained on them that can help your case; the differences between this, this, this and this; how these work… and more importantly how to investigate them!]

And what valuable evidence can help from sources such as these…
- All memory is stored on flash chips
- All information is stored in SQLite tables
- Depending on device & time frame, deleted items may or may not be available
- Other considerations…
  - Other valuable data on SIM cards, SD cards (external memory) & from service providers
  - Encryption is becoming more common “out of the box”
  - Cloud data requires user credentials

[Image slides, not preserved in this text: “Some are like this… and some are like this… or this… or even this….”]

- Safety!
  - Be aware of what you need to seize & what power or other considerations may be present
- Identify & isolate main suspect(s) from further use of systems
- Document existing conditions
  - Photos, sketches, notes
- Use specialized packaging (discussed later)
- Maintain & document back to secure evidence storage

Consider…
- Professional degrees & certifications
- Professional affiliations
- Expert designation
- Have they ever been published re: digital forensics?
- Number of examinations / amount of data examined to date
- Understanding & explanation of forensic process

The examiner needs to explain all of this “technical stuff” to attorneys, C-suite folks and… him/her… …and them! [Image slides not preserved]

Patrick’s Rule: You can make a cop a geek…

But you can’t make a geek a cop!

…And others like them.
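The mobile-device slides above state that app data lives in SQLite tables and that deleted items may or may not be available. The following added example (not from the presentation) shows why the answer is “it depends”: it builds a constructed messages database with a hypothetical sms table, deletes one row, and compares what a logical query returns with what a byte-level scan of the file finds. SQLite’s PRAGMA secure_delete decides whether freed cell space is zeroed, so the same deletion leaves the text recoverable in one configuration and gone in the other. The table layout and sample rows are constructed for the example.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample rows; a real app schema will differ from this "sms" table.
MESSAGES = [
    ("555-0100", "meet at the usual place"),
    ("555-0101", "this message will be deleted"),
    ("555-0102", "see you tomorrow"),
]
DELETED_BODY = b"this message will be deleted"


def build_and_delete(path, secure_delete):
    """Create the table, insert the rows, delete one, and close the database.
    secure_delete=ON makes SQLite overwrite freed cell bytes with zeros;
    OFF (the usual compile-time default) leaves them in the page's free space."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms (address, body) VALUES (?, ?)", MESSAGES)
    con.commit()
    con.execute("DELETE FROM sms WHERE body LIKE '%deleted%'")
    con.commit()
    con.close()


def live_rows(path):
    """What a logical extraction (a plain SQL query) reports."""
    con = sqlite3.connect(path)
    rows = [body for (body,) in con.execute("SELECT body FROM sms ORDER BY id")]
    con.close()
    return rows


def raw_scan(path, needle):
    """What a physical examination can see: a byte search over the whole file,
    including freed space inside database pages. A crude stand-in for carving."""
    with open(path, "rb") as f:
        return needle in f.read()


def compare(secure_delete):
    """Run both views against a fresh database built with the given setting."""
    work = tempfile.mkdtemp()
    path = os.path.join(work, "messages.db")  # constructed, not an extracted app database
    try:
        build_and_delete(path, secure_delete)
        return {
            "logical": live_rows(path),
            "deleted_text_in_raw_file": raw_scan(path, DELETED_BODY),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for mode in (False, True):
        print("secure_delete =", "ON" if mode else "OFF", compare(mode))
```

The logical query returns the two surviving messages in both runs; only the raw scan differs. On a real handset the same question also depends on the write-ahead log and rollback journal files next to the database, on whether the page was later reused, and on whether the device encrypts storage, which is why the examiner’s answer on deleted content is always qualified by device and time frame.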

Some lawyers & judges may not know the difference, but the opposing forensic expert does!

- Where is the examiner & who does your exams?
- How will you and they store/secure the physical evidence?
- How will they store/secure the digital evidence?
- How does the examiner keep up-to-date?
- Has the examiner been qualified as an expert?

(Even for most of your Infosec friends) PLEASE GO TO: https://forensic4cast.com/forensic-4cast-awards/

And please VOTE for PRO DIGITAL FORENSIC CONSULTING for DIGITAL FORENSIC BLOG OF THE YEAR!

Questions, Comments, Concerns?

Contact information:
Patrick J. Siewert, Principal Consultant
Professional Digital Forensic Consulting, LLC
Website: ProDigital4n6.com
@ProDigital4n6
Email: [email protected]
Phone: 804-588-9877
Blog: ProDigital4n6.Blogspot.com
