Digital Forensics
Andrius Chaževskas
Forensic Science Centre of Lithuania
Digital Information Examinations Department
2022-02-11

Useful Information
Subject assessment:
Practical exercises = individual practical work at home.
Laboratory work = a task that everyone will have to complete within 1 hour.
LW1 (20%) + LW2 (20%) + PE (20%) + Final Exam (40%) = Final Score.
For the main settlements and lectures, see the lecture schedule.
Lecture material – VMA Moodle (e-mokymai).
Remote lectures – Teams.
Contact information: [email protected]

Course Schedule
Main dates:
• 2022-04-01, 15.30, UTC+2: work settlement – LW1.
• 2022-05-13, 15.30: work settlement – LW2.
• 2022-05-27, 15.30: deadline for practical exercises.
• 2022-06 (1-30): Final Exam; the exact date will be determined later.

Lecture Content
We will speak about:
• IT experts and specialists, knowledge, duties and responsibilities;
• IT examinations - basic steps;
• Research objects, memory types, data structures;
• Digital information research - basic methods;
• Formulation of conclusions, presentation of results.

IT Experts & specialists
Who can be an IT forensic expert or specialist? Persons with special knowledge in the information technology field. Depending on the technology and the equipment using that technology, the main specializations could be:
1. Network Administration and Security;
2. Mobile Networks;
3. Operating Systems (different specialisations: Windows, Linux, Unix, etc.);
4. Mobile device software and hardware developers;
5. Developers and testers of specialized (accounting) programs;
6. Automotive computer systems specialists;
7. Navigation systems specialists;
and very many others.

IT Experts & specialists
The main laws of Lithuania specify the concept of expert (specialist) and describe the rights, duties and responsibilities.
LR BPK (Criminal Procedure Code of the Republic of Lithuania): Article 84. Expert.
1. A person who has the necessary special knowledge and is entered in the list of experts of the Republic of Lithuania may be appointed an expert.
2. If the list of experts of the Republic of Lithuania does not contain experts of the required specialty, a person not included in this list of experts may be appointed as an expert.
3. If necessary, a person who has the right to be an expert in a Member State of the European Union or in a state with which the Republic of Lithuania has concluded a legal aid agreement may be appointed as an expert.

IT Experts & specialists
LR BPK (Criminal Procedure Code of the Republic of Lithuania): Article 89. Specialist.
1. A specialist is a person with the necessary specialist knowledge and skills to commission an investigation of objects and to provide an opinion or explanation on matters within his or her competence or to participate in other acts of criminal proceedings.
2. A specialist may be an official of a pre-trial investigation body or a person not working in that body. Specialists who are officials of a pre-trial investigation institution are, in accordance with their duties, warned of liability under Article 235 of the Criminal Code of the Republic of Lithuania for submitting a false conclusion or explanation. Specialists who are not officials of the pre-trial investigation institution shall be warned of their liability under Article 235 of the Criminal Code of the Republic of Lithuania for submitting a false conclusion or explanation in each case when they are invited to participate in the proceedings.

Expert research
Forensic law (the Republic of Lithuania): Article 3. The basic concepts of this law.
1. Expert examination - an examination performed by a forensic expert or specialist in accordance with the procedure established by the laws of procedure and this Law, which requires special knowledge (forensic examination, examination of objects and consultation).
2. Expertise means in-depth knowledge of a scientific, technical, artistic or other field acquired through education, special training or professional activities, which is necessary for the performance of expert research.
3. Forensic expert - a person who has the qualification of a forensic expert and is entered in the list of forensic experts of the Republic of Lithuania.
4. Forensic examination means an examination commissioned by a court or judge by a forensic expert, in which this expert answers questions requiring special knowledge and the results of which he or she records in the expert report.

Rights of a Forensic Expert
Forensic law (the Republic of Lithuania):
1. The procedural rights of a forensic expert are determined by procedural laws (BPK, CPK).
2. A forensic expert shall also have the right:
1) to independently choose the methods of research;
2) in accordance with the procedure established in Paragraph 2 of Article 26 of this Law, to receive samples or catalogs of products, technical documentation and other information necessary for the performance of forensic examinations;
3) to request additional materials necessary for the expert examination directly from the persons appointing or ordering the expert examinations;
4) to participate in the actions of the proceedings, if the material necessary for the forensic examination is thus obtained.

Rights of a Forensic Expert
Forensic law (the Republic of Lithuania). When a forensic expert has no rights.
3. A forensic expert shall not have the right to independently collect or take materials that are necessary for the forensic examination but have not been provided to him in accordance with the procedure established by procedural laws.
4. An expert of a forensic institution shall not have the right to engage in the private activity of a forensic expert, to consult the parties to the proceedings on a contractual basis and to provide conclusions on issues arising to them which require special knowledge.

Duties of a Forensic Expert
Forensic law (the Republic of Lithuania):
1. Procedural duties of a forensic expert are established by procedural laws.
2. A forensic expert must also:
1) perform forensic examinations and other expert examinations in accordance with the competence, scientifically confirmed, universally recognized and reliable or accredited examination methods;
2) refuse to address issues outside his or her competence and to perform tasks that do not require special knowledge;
3) guarantee a thorough and impartial examination of all submitted data;
4) protect the objects submitted for research. A forensic expert shall be liable for their loss or damage in accordance with the procedure established by law;
5) protect state, service, commercial and professional secrets, and not publish the data of expert examinations without the permission or consent of the person who assigned or ordered the expert examination.

Liability of a Forensic Expert
LR BPK (Criminal Procedure Code of the Republic of Lithuania): Article 87. Duties and responsibilities of the expert.
1. The expert must appear in court and give an impartial opinion on the questions referred to him.
2. An expert who fails to appear in court without good reason or refuses to perform his or her duties without a legitimate reason may be subject to the coercive procedural measures provided for in Article 163 of this Code.
3. An expert shall be liable for the submission of a false conclusion in accordance with Article 235 of the Criminal Code of the Republic of Lithuania.

Liability of a Forensic Expert & Specialist
Article 235 of the Criminal Code of the Republic of Lithuania:
1) Anyone who has made a false complaint, statement or report of a criminal offense, or given false testimony when questioned as a witness or victim, or provided an incorrect conclusion or explanation as an expert or specialist, or misrepresented or knowingly misinterpreted during the pre-trial investigation and / or before a court or the International Criminal Court or another international judicial body, shall be punishable by public works or a fine, or a restriction of liberty, or an arrest, or imprisonment for up to two years.
3) A person who has committed an act referred to in paragraph 1 of this article by accusing a person of having committed a serious or very serious crime shall be punishable by a fine or restriction of liberty, or arrest, or imprisonment for up to five years.
4) A victim or witness shall not be liable for giving false testimony if he or she was entitled by law to refuse to testify but was not made aware of this right before the questioning.

Forensic Science Centre of Lithuania
• FSCL is an institution acting under the Ministry of Justice since 1958.
• Digital Information Examination Department since 1995.
• 14 forensic IT experts in Lithuania.
• The main task of the IT Department is to carry out forensic IT examinations required by courts, pre-trial investigation institutions and other state agencies.

IT Examinations in Lithuania
[Diagram] IT research clients of the Forensic Science Centre of Lithuania (Ministry of Justice):
• Courts
• Prosecutor's office
• Pre-trial investigation agencies (Ministry of Interior)

IT Examinations in Lithuania
[Diagram] Institutions shown:
• Forensic Science Centre of Lithuania (Ministry of Justice)
• Special Investigation Service
• State Security Department
• Criminal Customs service (FM)
• MOD Special Investigation dep
• Pre-trial investigation institutions (Ministry of Interior)
• State Border Guard Service
• Lithuanian Police officers with special IT preparation
• Lithuanian Cyber Police
• Lithuanian Police investigators
• Financial Crime Investigation Service

IT Examinations
Information technology expertise identifies, restores and finds data related to the investigated event that is located in the digital information storage of devices, and determines the circumstances and role of the operation of computer hardware and software in the investigated event:
1. Research of device hardware;
2. Research of device software;
3. Search and analysis of digital information stored by the user in various digital information media (storage).

Classic IT Examination
Main four steps (stages):
• Device (object) identification;
• Digital information acquisition;
• Digital information analysis;
• Reporting the revealed data for the customers (investigators, courts).

More detailed steps
1. Review and identification of evidence
2. Digital data acquisition
3. Primary review
4. Evidence processing
5. Review findings
6. Additional analysis (deep examination)
7. Report creation (conclusions)

Management of a Digital Forensic Case
1. Request;
2. Registration;
3. Object identification (technical report);
4. Analysis;
5. Return the exhibit;
6. Close the case.
Source: https://www.interpol.int/content/download/13501/file/INTERPOL_DFL_GlobalGuidelinesDigitalForensicsLaboratory.pdf

Model of Digital Forensic Analysis
1. Acquisition;
2. Examination;
3. Analysis;
4. Presentation.
Source: https://www.interpol.int/content/download/13501/file/INTERPOL_DFL_GlobalGuidelinesDigitalForensicsLaboratory.pdf

Objects
Devices (objects). The main objects of IT examinations are devices that can store digital information. Depending on the type of memory and the ability to read the digital information in it, objects are divided into:
• Classic Objects;
• Mobile Devices.

Classic Objects
• Computers (desktops, notebooks).
• Hard disk drives, solid-state drives.
• SD and other external memory cards.
• USB sticks.
• CD, DVD disks.

Mobile Devices
• Mobile phones.
• Tablet PCs.
• GPS navigation devices.
• Card readers (skimmers).
• Listening and tracking equipment.
• Communication blocking equipment.
• Drones.

Classification of Devices
A standard device is one that the examiner can easily identify and whose stored data can all be acquired and analyzed using forensic hardware and software tools.
A non-standard device is one that is hard to identify; digital data acquisition or analysis may also be complicated for it.

Some Statistics
40% - Classic objects; 60% - Mobile Devices.

Non-Standard Evidence
Hard to identify and acquire. Examples shown:
• Home-made skimming device.
• Home-made listening equipment.
• Damaged iPhone – 72 hours in the water.
• Devices with encrypted information.
• Surveillance (listening) equipment.
• Signal jammers.

Identification of Objects
• Real case – burned mobile phone.
• Back cover of the phone.
• Device body.

Identification of Objects
• Found the identification number – 8500T
• Identified device – SAMSUNG GT-S8500 Wave

Review procedure
All exhibits (evidence) must be reviewed, identified, marked and, after acquisition, placed in a secure place. A chain of evidence (chain of custody) must be established, ensuring traceability of the handling of digital exhibits from the beginning of the IT examination until the exhibits are returned to the courtroom (or to the investigator). It is important to keep records of all accesses to digital exhibits made during the examination.

Technical records
The FSCL laboratory uses technical records to describe the items of evidence and to capture their serial numbers, models and state.
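
The review procedure and technical records described above can be kept as a tamper-evident log in which every access entry commits to the one before it. The sketch below is an added example, not FSCL's system or part of the original slides; the field names, the exhibit number, the serial placeholder, the handler names and the timestamps are all assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def digest(entry):
    """SHA-256 over the entry's canonical JSON, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record(log, when, who, action, details=None):
    """Append one handling event; it commits to the hash of the previous entry."""
    entry = {"seq": len(log), "when": when, "who": who, "action": action,
             "details": details or {},
             "prev": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = digest(entry)
    log.append(entry)
    return entry


def verify(log):
    """Return the index of the first altered or missing entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != digest(entry):
            return i
        prev = entry["hash"]
    return None


def in_custody(log):
    """True while the exhibit has been received but not yet returned."""
    return bool(log) and log[-1]["action"] != "returned"


def sample_log():
    """Constructed sample: the serial number, names and times are made up."""
    log = []
    # Technical record: model, serial number and state on receipt.
    record(log, "2022-02-11T09:00Z", "registrar", "received",
           {"exhibit": "EX-001", "model": "SAMSUNG GT-S8500 Wave",
            "serial": "SERIAL-PLACEHOLDER", "state": "burned"})
    record(log, "2022-02-11T10:30Z", "examiner-1", "acquisition")
    record(log, "2022-02-11T12:00Z", "examiner-1", "placed in secure storage")
    record(log, "2022-03-01T14:00Z", "registrar", "returned")
    return log


if __name__ == "__main__":
    print(verify(sample_log()))
```

A chain like this only shows changes relative to its last hash, so that value should also be written somewhere the log's editor cannot change, such as the examination report.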