The Personal Computer As Evidence

Expanded Course Outline

An 8 Hour Course of Instruction


  1. Important Background Information for a DOS/WINDOWS Computer
    1. Using the Directory and File Structure
    2. Investigating with DIR, the File Manager, or the Windows Explorer
      1. Understanding File Extensions
      2. Recognizing Standard and Unique Extensions
    3. Understanding the Booting Process
      1. Specifying Hardware Booby Traps
      2. Defining Software Booby Traps

  2. Behind the Scenes
    1. Defining Attributes
      1. Read-Only, Hidden, System, …
    2. Discovering Hidden Files
      1. At the C: Prompt in DOS
      2. In the Windows 3.1 File Manager
      3. In the Windows 95-98 Explorer
      4. In Windows NT
      5. With Third-Party Programs (e.g., Norton Utilities)
    3. Understanding Slack Space
    4. Understanding Free Space
    5. Understanding Hidden Disk Drives and Drive Partitions
      1. How to Discover Their Existence
      2. How to Analyze Their Contents
    6. What Really Happens During Information Discard
      1. Deletions - File Oriented
      2. Formatting - Drive Oriented
      3. Defragmentation - Drive Oriented
      4. Automatic Internet Storage Mechanisms
        1. Email Retention
        2. Graphic Image Retention
        3. URL Web Site Retention

  3. Computer Forensics Issues
    1. Recognizing Types of Files: Text, Graphic, Binary, Encrypted
      1. Viewing Contents of These Files
      2. How to Reconstruct File Contents When Possible
    2. Mirroring and Analytical Procedures
      1. Understanding the Mechanisms
      2. Obtaining Alternative Analytical Software
      3. Step by Step Procedures to Follow
        1. Using "Expert Witness" Software
        2. Using "Safeback" Software
        3. Using Shareware/Freeware
        4. Understanding Tradeoffs in the Software
    3. Hardware and Software Precautions to Take
      1. Initial Handling of Computer Systems and Storage Devices
      2. Safe Handling Techniques for Computers, Peripherals, and Storage Media
      3. Chain of Custody Issues
    4. Avoiding Booby Traps
      1. Step by Step Avoidance Measures - Hardware
      2. Step by Step Avoidance Measures - Software
    5. Recovering Data After Attempted Information Discard
      1. Deletions - File Oriented
      2. Formatting - Drive Oriented
      3. Defragmentation - Drive Oriented
      4. Automatic Internet Storage Mechanisms
        1. Email Retention
        2. Graphic Image Retention
        3. URL Web Site Retention
    6. Legal and Effective Seizure Steps
      1. CAVEAT: Exercise Caution & Why
      2. USDOJ Seizure Protocols
        1. Issues in Warrant Creation
        2. Preventing the Loss of a Warrant
      3. Creating General Procedures in Your Dept.
    7. Analytical Steps for Hardware Assessment
      1. Determining All the System Parts
      2. Documenting System Components and Connections
      3. Deconstructing the System
      4. Looking for Additional Devices and Storage Media
    8. Dealing With Macintosh Computers
      1. Understanding Structural Differences
      2. Using Alternatives for Mac Capture and Analysis Software
      3. Considerations in Mac Hardware Mirroring

  4. Internet Analysis Mechanisms
    1. Investigating Browser Cache Files
    2. Using the Browser History Files
    3. Exploring Computer and Web Usage Through Bookmark Analysis
    4. Tracking Newsgroup Usage
    5. Understanding How the Other Side Obtains Information About You
      1. When you visit their web site
      2. When you send them an email
      3. When you visit a Chat Room
      4. When you join or post to a Newsgroup
    6. Discovering Email-Related Information
      1. Understanding the Headers
      2. Determining the Origin/Sender of the Email
      3. Revealing Fake IDs in the Email Transmission
      4. Backtracking to the Service Provider

  5. Presentation Tips for Reports and Testimony
    1. What to Include in Your Computer Analysis Reports
      1. Fundamental Protocols for Documentation
      2. Options for Organizing Computer Evidence
    2. What to Expect in Depositions and Trial Testimony
    3. How to Present Computer Evidence to a Lay Jury
