>> Digital evidence is the foundation for identifying,
capturing, and prosecuting cyber criminals.
What is digital evidence?
It's information stored or transmitted in binary form that may be relied on in court
and it's comprised of both data and metadata.
This could include contact information; evidence of malicious attacks on systems; GPS location
and movement records; transmission records, both authorized and unauthorized; system use
or abuse; account production and use, either authorized or unauthorized;
correspondence records; and content like images and files.
This evidence can potentially answer common questions.
It can gather information about individuals.
Who? Determine events that transpired.
What? Identify which systems and networks were affected.
Where? Construct a timeline.
When? And discover tools and exploits used.
How? Sometimes the evidence can even reveal motivations of the attackers.
Why? Where can you glean this evidence?
Well, different cyber crimes result in different types of digital evidence.
Computer hackers may leave evidence of their activities in log files.
Cyber stalkers use email to harass their victims.
Child pornographers have digitized images stored on their computers.
Host-based information on computing devices can include both volatile data stored in RAM
which is lost when there's no power, and non-volatile data on the hard drive
which stays when there's no power.
Optical discs and removal devices could also contain artifacts and remnants
of significance for the investigator.
Network data can consist of either live traffic, stored communications, or server logs.
It can contain information that might be useful to the forensic investigator.
In fact, there is so much potential information in these log files and stored communications.
Due diligence requires the investigator to look at as much of this information as possible
but the sheer volume makes it nearly impossible to examine each
and every source of data in every case.
This is where keyword searches can come into play.
Searching for words that have significance in a particular case.
Common locations of network data include IDS, IPS, and firewall logs, application logs,
server logs, HTTP captures, FTP captures, and email.
Evidence transmitted over the internet and stored
in the cloud is quite different than a company's network data.
Now you've got third party companies who are in possession of important data on their devices.
These companies like ISP's and major corporations like Microsoft, Apple,
and Google are not too eager to hand over information
to private companies conducting investigations or even for law enforcement agencies.
Sometimes for this reason an undercover officer could initiate a chat conversation
and save the conversation as evidence.
扫一扫
729
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
