So today we'll be talking about how we actually conduct digital investigations. The investigation process itself is very, very much like traditional investigations. We're just looking for evidence or we're looking for traces in computers themselves. So today we're going to be talking about what an investigation process is and how we can actually start our investigation. What are we trying to do? So an investigation attempts to support or deny some question that's being posed to the investigator. We have a question, we need to answer that question. So for example, was the computer used to download illegal images? Relatively straightforward question but sometimes very difficult to answer. So the investigation should attempt to answer the question and look for evidence of all reasonable explanations. So we're not only looking to prove that somebody is guilty, we also have to look and see can we prove that they're innocent. Sometimes some cases look like someone is very, very guilty of doing something but once we find an additional piece of evidence it turns out that they're actually innocent. So we have to look for and try to prove all reasonable explanations to answer our question. So a reasonable explanation to "was the computer used to download illegal images" is that a virus downloaded the illegal images. A virus could do some action that is illegal but it might look like the suspect or the person actually did it. So we have to think about one explanation is that the person themselves downloaded these images. Another explanation is that a virus did the same action. One means that the suspect is guilty, one means the suspect is innocent. As an investigator it's our job to make sure we're looking for both of those things. And examiners should be neutral finders of fact. We shouldn't have an opinion about whether somebody is guilty or innocent. We should only look to investigating the computer to find the truth.
So it doesn't matter even if I think I don't like how the suspect looks, we don't care about that. We care about what the evidence tells us. But that's very, very difficult because as humans we all have bias from our own personal beliefs. So in very, very emotional cases, for example child exploitation cases, you might see a lot of really, really bad things on the suspect's computer and that will make you want to blame someone. And the obvious choice to blame is the suspect. Even if the suspect didn't necessarily do it, because of your emotional state you might attempt to look for evidence that makes the suspect guilty when they're actually not. So think about your emotions during investigations and how you can keep those in check. I'll tell you how we can actually keep those in check. And also with investigators, with police officers especially, influence from the media really makes a big difference in cases. The media really like to jump to conclusions. So before the police finish investigations the media have already blamed or created suspects themselves because they want to sell stories. But none of that is necessarily based on evidence that the police have found. But when the police officers go home at night they're reading these stories and they're thinking yeah, maybe this suspect is actually the criminal. So then the media is influencing or making the investigators slightly biased towards particular individuals when they probably shouldn't be. They should just be following where the evidence is taking them. And these things are very, very difficult to stop because everyone's influenced at least a little bit by the media. Everyone's influenced at least a little bit by their own personal biases. So as investigators we need to try to reduce those biases as much as possible. There's also of course bias from cultural beliefs. So one bias that I run into a lot of times in Korea is that Westerners cannot eat very spicy food, for example.
So Koreans tend to think Westerners can't eat spicy food so they never offer me spicy food, but I love spicy food. So this bias is just something that a lot of people think but it's not necessarily true. For spicy food, no problem, but for investigations where somebody might be sent to prison for a very long time we can't have that. So think about what your biases are and how they influence decisions you make and things you think about, especially in investigations. So one way to attempt to reduce these biases is by using a particular method or a particular process for our investigations. And the best method we can use is the scientific method. The scientific method is just a process of investigation. So the scientific method is a standard procedure for developing a theory. It helps increase objectivity because we're following a specific process. The scientific method doesn't care about our biases and there's not really any room to be biased in the scientific method. So it helps to reduce our innate biases, and all investigators use the scientific method knowingly or not. Many investigators don't think that they're scientists but they're actually using this process all the time, more or less. So today we're talking about the scientific method and how it applies to all investigations. How it can make your investigations easier and more objective. So the scientific method, at least a simplified version, is first off ask a question, like I've already talked about. We already have a question that we need to investigate or we need to answer. Once we have that question then we need to do background research: how could this be true or false? How are we going to answer this question? What do we need to do to answer the question? Then we need to construct a hypothesis, or an educated guess, about what would make this question true, what would make this question false.
Then we need to test our hypothesis, analyze any data that we've collected, and then we make conclusions from that and we present these results to, usually, our boss. So going through this, first off asking a question, we need to clearly define what is being investigated. So a good investigation question is relatively specific. It doesn't really help me to bring a computer to a digital investigator and say find something illegal. First off that question is completely different in every country because every country has different law. So something is only illegal if there's a law saying it's illegal. So that kind of question is too general. I can't actually make a specific reply to that question. Is there something illegal on the computer? Well, it depends on the legislation in the country. It depends on what type of crime you want to look at. If we're looking for every type of crime, that's going to be a very difficult investigation. We have to look for all types of data. So the more specific the question is the better. So we need to know what exactly the investigating member is trying to prove and what questions the defense will likely ask. So it's not only about trying to prove that the suspect is innocent, but we also need to think about what kinds of questions the defense will ask to make our investigation look like it failed. So the defense will basically try to challenge us and say you are wrong for this, this and this reason. Well, we need to preempt those questions essentially and answer their questions accordingly. So once we've asked a question, once we have an idea of the specific question we need to answer, we need to do background research. We need to find relevant information, for example what type of case is it. Child exploitation cases are very, very different from hacking cases. So we're going to be looking for different things. Our approach might be a little bit different.
The way we start, the way we ask questions, will be different for those types of cases. So what type of case is it? What's the profile of the suspect? Profiling suspects can at least give you a little bit more information about whether the suspect is actually capable of committing the crime. Now everyone can commit most types of crimes but it at least helps you gain an idea a little bit about what's going on. So even though it happens sometimes, very, very old people don't usually download child exploitation material. Sometimes it happens but not a lot. So we might instead be thinking about who else has access to this computer rather than focusing on the primary suspect. Are there any other suspects we can get? So thinking about our primary suspect and what their capabilities are can help us to decide whether we need to widen the pool or whether we can focus on them first. What information or data is available? So do we actually have enough information to be able to answer the question that's been given to us? In digital investigations we normally get forensic disc images, or copies of the hard drive, and we'll talk about how to do that in later lectures. Sometimes we get mobile devices, or now in most cases we get mobile devices because they're connected to computers, they download a lot of information, they have a lot of information about suspects that can be useful to the investigation. Do we actually have access to those? What type of mobile phone is it? If it's a BlackBerry it might be more difficult to access the information than if it's another type of device. What information are you likely to need to answer the questions posed by the investigating member? So just, do I have enough information or data to be able to answer the question that's been asked in a satisfactory way? We'll talk about what it means to be satisfactory in a second.
Once we've asked our question and done some background research we can now start to make a hypothesis about what could have happened, or how can I answer this question or prove this question. So for example, question: was the computer used by a human to download illegal images? Well, one hypothesis is that a human used a web browser like Internet Explorer to download the images online. Very, very common occurrence or action that people do. Hypothesis two, that a BitTorrent client was used instead of a web browser. Now with those two hypotheses we're going to be investigating each of them a little bit differently. So with those two hypotheses I'm going to be investigating in different places, looking for different traces. Hypothesis three is a defensive hypothesis: a virus downloaded the illegal images. So the first two are actually saying the suspect is guilty or likely to be guilty. The third one is saying that the suspect is innocent. So we have to think about not only that we're trying to prove the suspect guilty but also that they may be innocent, and we need to try to prove that as well. And of course there's going to be many, many more hypotheses that we can generate, but we tend to go with the most likely ones first, investigate those and see what we find. Then for each hypothesis we need to experiment. So for example, in a similar system: if I have a Windows 10 computer from a suspect, I want to figure out what it looks like if I downloaded legal images using Internet Explorer on Windows 10. Once I understand how Internet Explorer on Windows 10 works and what evidence might be created, then I can go look at the suspect's computer, look for the same traces and see if they exist. If they exist then it's likely that Internet Explorer was used. So we can ask what traces are created in the system if Internet Explorer is used, if BitTorrent is used, if a virus was on there, and then investigate.
So for hypothesis one we can say possible traces are created in the Temporary Internet Files folder, which is a temporary storage place for Internet Explorer. If we look in that temporary storage place and we find these illegal images then that points to, or provides evidence for, Internet Explorer being used. If a BitTorrent client is installed and we can see that past torrenting activity was on there then that points to the potential for BitTorrent to have been used to download the images. If we find a virus on the system and know it downloads these illegal images, well, that's definitely evidence for the defense essentially. So where do we find this information? Investigators tend to read a lot of published articles and academic research papers. A lot of academics in digital investigations focus on the technical investigation and basically tell you where to look for certain types of evidence on different systems. Once we actually know where the data will be located then we can analyze the data. Normally we take a forensic disc image of the suspect's computer, which we'll talk about later, and then we analyze that collected disc image. We can look for traces identified during the test phase. So for example, hypothesis three, that a virus was on the system: we scanned the suspect's computer for viruses using something like VirusTotal with a lot of different virus scanners and we didn't find any viruses. So now we have some evidence that supports that there was not a virus installed on the computer. Hypothesis two: we say no active or deleted traces of BitTorrent clients. We don't have any proof that a BitTorrent client was ever installed or run on the system, so we have no supporting evidence that says that BitTorrent was used to download the illegal images. Hypothesis one: suspicious URLs were found in Internet Explorer history. Suspicious URLs were found in the Windows registry TypedURLs list.
So we find some traces that Internet Explorer may have been used, and we'll talk about what that actually means later. But we find some traces supporting Internet Explorer. So what conclusions can we actually make from this? Now that we know where traces were found, what the traces were, and we have support for one hypothesis and really no support for the other two, what conclusions can we make? We have no evidence to support hypothesis three, that a virus was used, that a virus downloaded the illegal images. Does that mean that there was no virus? No. There could have been a virus; it's just that because of evidence dynamics, or for any other reason, the virus might have been deleted or otherwise removed. It might have removed itself. It's just very, very unlikely that that virus was there and downloaded those images because we find no evidence to support that it was. So all we can really say is there is no evidence to support that the system was infected by a virus. We looked for the traces that would be associated with a virus being on the system and we didn't find any. So it's still possible but very unlikely that the virus was there. We have some evidence to support hypothesis one, that a user used Internet Explorer, a browser, to download the illegal images. Does that mean that a user used Internet Explorer to download illegal images? No. It's just very likely. So all we can really say is that some evidence supports that Internet Explorer was used by a human to download suspected illegal images. That's as much as we can possibly say because we were not there to witness what actually happened. There are still some other possibilities that could result in the same traces being created but the user being innocent. It's just very, very unlikely that it was something other than the user in this case.
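To make the "support or no support" reasoning concrete, here is an added example that is not part of the lecture. It parses a constructed .reg export of the Internet Explorer TypedURLs key (a real registry location; the URLs, the installed-program list, the empty antivirus result and the watchlist hostname are all made up for the example), records which traces support each of the three hypotheses, and phrases each conclusion the way the lecture requires: evidence supports a hypothesis, or no supporting evidence was found, never "definitely happened".

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample inputs (not from any real case): a .reg export of the
# TypedURLs key, a list of installed programs and the antivirus scan result.
TYPED_URLS_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://news.example.invalid/"
"url2"="http://suspected-site.invalid/gallery"
"url3"="http://search.example.invalid/?q=weather"
'''
INSTALLED_PROGRAMS = ["Microsoft Office", "7-Zip", "Adobe Reader"]
AV_DETECTIONS = []  # the scan of the disc image reported nothing (constructed)

# Hostname the investigation question concerns (constructed placeholder).
WATCHLIST = {"suspected-site.invalid"}


def parse_typed_urls(reg_text):
    """Return the TypedURLs values (url1, url2, ...) from a .reg export, in order."""
    urls = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only read values that sit directly under the TypedURLs key.
            in_key = line.lower().endswith("\\typedurls]")
            continue
        m = re.match(r'"url(\d+)"="(.*)"$', line)
        if in_key and m:
            # .reg exports escape backslashes and double quotes inside values.
            value = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            urls[int(m.group(1))] = value
    return [urls[n] for n in sorted(urls)]


@dataclass
class Hypothesis:
    label: str
    traces: list = field(default_factory=list)  # supporting traces found

    def conclusion(self):
        # Phrase the result as support or absence of support, never certainty.
        if self.traces:
            return f"Some evidence supports {self.label}: " + "; ".join(self.traces)
        return (f"No evidence was found to support {self.label}; "
                "this lowers its probability but does not rule it out")


def evaluate_hypotheses(typed_urls, installed_programs, av_detections):
    """Attach each trace found to the hypothesis it supports."""
    h1 = Hypothesis("H1 (a human used Internet Explorer)")
    h2 = Hypothesis("H2 (a BitTorrent client was used)")
    h3 = Hypothesis("H3 (malware downloaded the images)")
    for url in typed_urls:
        host = (urlparse(url).hostname or "").lower()
        if host in WATCHLIST:
            h1.traces.append(f"TypedURLs entry {url}")
    for program in installed_programs:
        if "torrent" in program.lower():
            h2.traces.append(f"installed program {program}")
    for detection in av_detections:
        h3.traces.append(f"antivirus detection {detection}")
    return [h1, h2, h3]


def supported_hypotheses(hypotheses):
    """Labels of the hypotheses that have at least one supporting trace."""
    return [h.label for h in hypotheses if h.traces]


if __name__ == "__main__":
    found = evaluate_hypotheses(parse_typed_urls(TYPED_URLS_REG),
                                INSTALLED_PROGRAMS, AV_DETECTIONS)
    for h in found:
        print(h.conclusion())
```

The point of keeping `conclusion()` separate from the trace matching is that the wording of the report is fixed by the method, not by the examiner's feeling about the suspect: whoever runs it gets the same cautious sentence for the same traces, which is exactly the bias reduction the lecture is after.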
So the second problem we have, not only that we can't say exactly or with 100% certainty, we just have support or denial of the hypothesis, but our second problem is who downloaded the images. This is a big problem for digital investigations: actually saying who did something, because we don't necessarily know who was behind the keyboard. For example, somebody else could log in to your Facebook account; it looks like it's you but it's not. So how can we actually say who was the person behind the keyboard at the time that some illegal action was done? And how do we associate a human with the action? This is one of the biggest issues we have. So no conclusion is that something definitely, 100%, happened. We cannot say anything definitely happened. It's either supported or it's not supported. Found evidence increases or decreases the probability of a hypothesis being true. So we have to find enough evidence to make the probability of one hypothesis much greater than the others. And the normal standard in court is that we accept it beyond a reasonable doubt. So is there any other explanation? If there is, there's probably doubt and the suspect would probably be found innocent. Finally, once we've done all of this we have to prepare documentation, actually write the report for courts, for our boss, for the prosecutors, for everyone else, so they can actually use the evidence or the conclusions that we've made and integrate that into the court and the decisions. So we have a couple of issues. Never say that a specific user was at the keyboard, because unless we have CCTV or some other source, or even a camera pointing at them at the time, we cannot be definitely 100% sure that a specific user was at the keyboard. And never make a claim that's beyond the scope of your expertise. So for example, indecent images of children. Never say illegal images of a child unless you are trained to actually evaluate whether this is a child or not.
Personally, I sometimes can't tell whether something is illegal or not. It's not my job to determine whether it's illegal. It's the prosecution, it's the court. Right, and then finally people often ask me how many hypotheses are enough. So we've already come up with three hypotheses. Generate hypotheses based on essentially your experience. You'll find that some hypotheses are much, much more common or much more likely than others. Focus on those first, and while you're investigating those you'll come up with a lot more questions later. So in investigations, as in science, answering one question likely results in many more questions. So that's it for today. Thank you very much.