Comparing Types of Evidence Collection

Assessment Task Detail and Instructions:

Question 1: Evidence types & gathering procedures (60 marks) Using any standards/laws you believe to be appropriate. Compare and contrast the differences between collecting, copying and storing, live and static evidence. Please make the information comprehensible to a varied audience.

 

You should produce a briefing report that: - Outlines the laws/regulations you believe to apply, along with any documentation (20 marks) 

 

Describe the differences between live and static evidence (20 marks)

 

List the ways (with examples/cases) that live and static evidence should be gathered/copied/securely stored (20 marks) Do not talk about what Digital Forensic.

 

What is Transnational Crime? 

• What is transnational crime
• What are the best ways to identify and solve transnational crime
• What do the 3 broad groups mean?
• Can you give a brief idea of what they are?
• What laws do you think cover digital forensics?
• How do you think these laws effect someone and how?
• What is Malware ?

What is Malicious Software?

• Are there any other groups of Malware you can thing of?

• What analysis environments are there in digital forensics?
• Can you give a brief idea of what they are used for?
• Why do you think its useful that you know about them?

• What types of historical artefacts are there?
• What does windows use them for?
• In digital forensics, what do you think we use them for?

Why do we care about Thumbs.db/Cache?

• What digital forensics paper work do you think you will need?

• Why do you think its useful that you know about it?

• Chain of custody is required when the evidence that is sought to be introduced at trial is not unique or where the relevance of the evidence depends on its analysis after seizure.
• This is always in paper form, ideally in pen, so it cant be changed after the fact
• (Digital copies are given to court for easier attempts at reading).
• Chain of custody requires three types of testimony:     

(1) testimony that a piece of evidence is what it purports to be.

• (for example, a computer hard drive or a mobile phone).

(2) testimony of continuous possession by each individual who has had possession of the evidence from the time it is seized until the time it is presented in court.

 

(3) testimony by each person who has had possession that the particular piece of evidence remained in substantially the same condition from the moment one person took possession until the moment that person released the evidence into the custody of another.

• (for example, testimony that the evidence was stored in a secure location where no one but the person in custody had access to it).

• What is required of you during the investigation, how will the investigation be conducted and to what standards and guidelines?
• Investigation aim
• Prove/Disprove
• Standard of Proof
• Criminal – Prove beyond reasonable doubt
• Civil – Balance of Possibilities
• Data to analyze
• Documents, multimedia, Internet History, Communication.

• What types of storage media is there?
• What are they used for?
• In forensics, what do you now, expect to see the most of?

• How many files systems can you think off?
• What are each one of them used for?
• Are they still used today?

• Find out what OWASP is and what their mission statement is.
• Dive into projects OWASP are involved in and how you, can join in (even from a student point of view).
• Research what the OWASP Top 10 is
• Can you give a brief idea of what any exploits are?
• How to do you think its useful that you know about it?

Want to Chat About Something?