GOALS and OBJECTIVES

for

The Personal Computer As Evidence

COURSE

BRIEF NARRATIVE DESCRIPTION:

Law enforcement personnel are often charged with seizing computer equipment, and subsequently handling and analyzing the contents of the equipment to ascertain the quantity and quality of evidence that may reside therein. This course provides law enforcement personnel with the tools both to understand the structure, functionality, and organization of seized personal computers and to effectively determine, extract, and analyze evidence that may reside within the disk storage equipment that has been seized.



    FUNCTIONAL AREA: The student will know and understand:

The following performance objectives are directed to this functional area:

  1. Introduction to Computer Forensics for a DOS/WINDOWS Computer

    Learning Goal: The student will understand and have working knowledge of the DOS and Windows directory and file structures, the principal commands available for discovering and viewing the primary disk structural contents, and will additionally understand how the startup and boot processes work to initiate computer processing at power-up.

    Performance Objective(s):
    1. The student will identify the directory and file structures of a DOS/WINDOWS computer system.
    2. The student will learn how to effectively use the DIR command in DOS, the File Manager program in Windows 3.x, and Windows Explorer in Windows 95/98.
    3. The student will learn how to recognize and identify standard and non-standard file extensions.
    4. The student will identify and understand the steps involved in the operating system booting process.
    5. The student will identify the most common hardware and software booby traps.

  2. Behind the Scenes of Information Storage, Retrieval, and Discard

    Learning Goal: The student will understand how to identify and retrieve for viewing any information stored in disk files, as well as how to identify and retrieve for analysis additional evidentiary information that has been explicitly deleted or hidden, or that implicitly remains as residual data still recoverable through specialized measures.

    Performance Objective(s):
    1. The student will identify the possible attributes assigned to file types.
    2. The student will learn methods for discovering and identifying hidden files, hidden disk drives, and hidden partitions.
    3. The student will learn methods for discovering and identifying evidentiary information found within file slack space.
    4. The student will learn methods for discovering and identifying evidentiary information found within disk free space.
    5. The student will identify methods of information erasure that are file oriented, logical drive oriented, and physical disk oriented.
    6. The student will identify methods of recovering information after efforts have been made to conceal or remove evidence.
    7. The student will identify methods used to store Internet activity.
    8. The student will identify techniques for recovery of hidden and automatically deleted Internet access records.

  3. Computer Forensics Issues

    Learning Goal: The student will understand and have a working knowledge of file types, safe handling techniques for computer equipment, hardware preparation for disk copies, including booby trap avoidance, methods for discovering available electronic file evidence, and fundamentals of warrant application and departmental standard operating procedures.

    Performance Objective(s):
    1. The student will identify text, graphic, binary, and encrypted files.
    2. The student will identify methods for viewing or reconstructing the information content, when accessible, in these files.
    3. The student will understand and identify hardware preparation for disk copies (mirroring).
    4. The student will identify software alternatives for performing mirroring copies.
    5. The student will identify the installation and usage procedures for software packages that perform mirroring and analysis tasks.
    6. The student will understand the proper precautions to take during the seizure of hardware and software.
    7. The student will understand proper procedures to follow to ensure chain of custody and media protection.
    8. The student will identify steps to take to avoid common hardware and software booby traps.
    9. The student will identify methods for recovering files that have been deleted.
    10. The student will identify methods for restoring logical drives that have been formatted.
    11. The student will identify methods for recovering evidence from formatted or defragmented drives.
    12. The student will identify methods for discovering existing and deleted email messages.
    13. The student will identify methods for discovering what web sites have been visited.
    14. The student will identify methods for discovering what files may have been downloaded onto the target computer.
    15. The student will understand the fundamentals of warrant application.
    16. The student will identify necessary elements of a departmental standard operating procedure.
    17. The student will understand and be able to perform the analytical steps for hardware assessment of the target computer.
    18. The student will understand special considerations and will identify alternative procedures to employ when faced with hard drives and diskettes from a Macintosh computer system.

  4. Internet Analysis Mechanisms

    Learning Goal: The student will understand and have a working knowledge of Internet browser programs (including how they track web site usage and Newsgroup access) and Internet email programs (including how they send, receive, and store messages).

    Performance Objective(s):

    1. The student will identify Internet activity as noted in browser cache and history files.
    2. The student will identify past web use through Bookmark analysis.
    3. The student will identify methods for tracking Newsgroup usage.
    4. The student will identify the kinds of information that may be available from Internet service providers.
    5. The student will identify and understand the kind of information that electronically accompanies typical textual Email communications.

  5. Presentation Tips for Reports and Testimony

    Learning Goal: The student will understand and have a working knowledge of the minimum reporting requirements and the most effective methodologies for the presentation of the evidence.

    Performance Objective(s):

    1. The student will be able to prepare case-appropriate, complete and accurate Computer Analysis Reports.
    2. The student will be able to summarize opinions and present findings in depositions and/or at trial.
    3. The student will be able to explain computer evidence to a judge or lay jury.
