25 November 2000. Thanks to JC.
Source: http://divcom.otago.ac.nz/infosci/courses/Comp202/ICA_Brochure.pdf


International Computer Association

Presents:

Electronic Evidence Gathering

5 December 2000

MEETING DETAILS

Place: SunBridge Venture Habitat (Tokyo, Japan)

http://www.sunbridge.com/contact2.htm

Cost: Free for ICA members, 1000 yen for non-members
Date: Tuesday, December 5, 2000
Time:

6:30pm Doors open
7:00pm Presentation
8:00pm Q & A

Presentation by:

Dr. Henry B. Wolfe (Security Research Group, http://spook.otago.ac.nz/) has been an active computer professional for more than 40 years and specializes in issues of computer security, networking and graphic presentation. He has earned an international reputation in the field of security and regularly performs audits of both business and government organizations. He is a technical advisor for the New Zealand Law Commission with respect to the research necessary for proposed E-Commerce and Computer Misuse laws. Dr Wolfe has an ongoing relationship with the New Zealand Police in the area of computer forensics and other security and surveillance related matters. He occasionally writes about a wide range of security and privacy issues for a number of international security journals and speaks at national and international security conferences on a regular basis.

What's It About?

The need for and effectiveness of forensic evidence gathering techniques in criminal investigation has long been known. The age of the Internet has highlighted the importance of the development and use of forensic techniques as applied to the gathering of electronic evidence. This is a relatively new field of investigative activity.

The presentation, Electronic Evidence Gathering, is designed to introduce the audience to the discipline and to detail exactly what can be discovered using various techniques and tools. The technical aspects, while important, do not constitute the entire presentation. Normal forensic investigative techniques must also be observed in order to produce usable results, and therefore these will also be addressed in the context of the computing environment and in parallel with the tools and techniques.

Who Should Attend?

IT professionals, attorneys, police and private investigators, prosecutors, their management and supervisors, and those others who have similar duties of investigation and prosecution.

Information Science Department
P.O. Box 56, Dunedin, NEW ZEALAND

________________________________________

Something Old

Computer Forensics:

This is a brand new field of investigation that has become, and will continue to become, more important as time goes on. The Internet has played a large part in the use of forensic techniques to track computer criminals and to help prove their guilt or innocence.

However, this discipline is not confined to computer criminals but covers a much broader arena where all kinds of criminal activity take place: for example, where the computer is used as a means to communicate about a criminal activity, or to store, track or plan things or activities of a criminal nature. The information put forward in this presentation is only now finding its way into professional publications.

The topics covered in this presentation will acquaint the attendee with the terminology and techniques used to retrieve evidence from a PC. We will discuss various surveillance techniques that have been and could be successful in certain circumstances to enable the acquisition of important and relevant evidence. Some of these techniques are legal, some require a warrant to execute legally, and some are completely illegal. Nevertheless, they are all used to one degree or another in the pursuit of evidence to prove guilt or innocence.

Something New

Data Recovery:

Data resides on a hard drive in many places. Everyone knows that there are files and directories and system files. What most users do not realize is that there is a great deal of leftover data stored on their disk drives. This data may be in the form of deleted files (which are not normally overwritten when deleted) or fragments of files not overwritten by new data when it is written to disk. All of this data can be retrieved with the proper tools and can also be analysed for content and relevance to a specific case.

There are also hiding places on a hard disk where data can be placed that might otherwise escape scrutiny. Once again, with the proper tools, knowledge and understanding, data stored in all of the hiding places can be retrieved for analysis.

Cryptography and steganography are becoming more and more commonly used to protect individual privacy. While encrypted data can be retrieved and scrutinized, most proven crypto-systems provide a degree of protection that cannot be overcome by normal means. There are methods of attack that have proven successful and these will be discussed; however, these methods are not of a cryptanalytic nature.

Something to Take Away

Tools & Techniques:

Various tools and techniques are available to enable the investigator to acquire evidence and to facilitate its analysis. We will discuss a number of them, but we are not financially or in any other way tied to any given forensic product or vendor. That does not preclude us from having our favourites, and while those preferences may come through in the presentation, they are in no way an endorsement of any product.

Whenever an investigation is undertaken, the outcome will be unknown and, therefore, there can be no assurances that the investigator will produce any useful evidence. The amount of time necessary to properly investigate the contents of any given system, however, will be approximately the same regardless of the outcome. Substitute "costly" here.

Case preparation and maintaining the "Chain of Evidence" are two issues that must be discussed because they are vital to every successful investigation. Questions are welcome and should be asked at any time throughout the formal presentation. At the end you should take away with you an appreciation of what can be retrieved and how it's done.