So today we're going to talk about electronic evidence. First off, let's define what electronic evidence is: electronic evidence is data that supports or refutes a hypothesis formulated during an investigation. We'll talk more about digital evidence later, in the context of digital forensic investigations, but for now I just want to give you an overview of what electronic evidence is and how we use it.

The word "evidence" has a very specific meaning. Not all data on a computer is likely to be evidence. Only the specific parts of the data that support or refute a hypothesis will be considered evidence. A major mistake I hear a lot of people make is believing that all the data we copy from a computer or a phone or whatever, the whole collection, is evidence. That's not necessarily true. The evidence is only what supports or refutes some hypothesis we're testing. So only certain pieces of that data will eventually be evidence that we submit to court, or to whoever we're submitting to.

Electronic evidence is based on context, so evidence always has to be evaluated in context. We need to figure out exactly what we're trying to prove or disprove. Say we want to prove that Google Chrome was used to access a website. In that case, the data relating to Google Chrome will probably be relevant, because we want to prove that Google Chrome specifically was used to access the website. But in another case, imagine we want to prove that the computer was started at a specific time. There, Google Chrome will likely not be as relevant. So in one case Google Chrome is extremely relevant, because we want to know something specifically related to it; in the other case, the start time of the computer, we can probably find without resorting to Google Chrome, and it's likely not to be related. So we need to think about the context: when is the data relevant to the case?
Electronic evidence is data that gives us some type of information related to what we're investigating. We can have direct information, where the data directly describes the event or information. This could be something like log files: we can go through a log file and see exactly what happened and when it happened, so it's giving us direct information. "This user logged into the computer at this time" is directly observable information. Indirect evidence, or indirect information, is where the data relates to an event or information in a secondary way; normally, with indirect information, what we're looking at are the effects of some cause. For example, a prefetch file that exists in Windows shows that a program has previously been run. Unless we examine the actual file, just seeing that the prefetch file is there tells us the program has been run sometime in the past. So we get this kind of secondary information: observing the file doesn't tell me explicitly that the program was run, but I can infer that it was run from the existence of that file. Of course, we can analyze prefetch files and find out more information, but think about when we are actually inferring information versus when we are explicitly being told information.

Electronic evidence in cybercrime investigations. Probably the most common type of electronic evidence in cybercrime investigations is IP addresses, internet protocol addresses. We talked about them a little bit, or we will talk about them, in networking. IP addresses potentially allow the investigator to trace activities back to a specific person, for example through an address or a bank account. If we have an IP address, that is the starting point that lets us know the location.
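As an added example (not part of the lecture), the following Python script works through the distinction just described on constructed sample data. An sshd-style auth log supplies direct evidence: each line states explicitly who logged in, from which IP address, and when. A list of Windows Prefetch file names supplies indirect evidence: execution is inferred from the file's existence, using the NAME-HASH.pf naming pattern, without opening the file. A filter then keeps only the events that bear on a stated hypothesis, since the rest of the log is data but not evidence. The log lines, accounts, IP addresses and file names are constructed, and the year passed to parse_auth_log is an assumption, because syslog-style timestamps carry none.

```python
"""Direct vs. indirect electronic evidence, worked on constructed sample data."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: an sshd-style auth log. Each line states the event,
# the account, the source IP and the time explicitly (direct evidence).
AUTH_LOG = """\
Mar 10 08:15:02 host sshd[2211]: Accepted password for alice from 203.0.113.45 port 51022 ssh2
Mar 10 08:15:40 host sshd[2215]: Failed password for root from 198.51.100.7 port 40110 ssh2
Mar 10 09:02:11 host sshd[2300]: Accepted publickey for bob from 203.0.113.45 port 51980 ssh2
"""

# Constructed sample: file names as listed in C:\Windows\Prefetch. The
# existence of NAME-HASH.pf lets us infer NAME ran at some point (indirect
# evidence); the run count and last-run times need the file itself parsed.
PREFETCH_NAMES = ["CHROME.EXE-5B3A2F1C.pf", "POWERSHELL.EXE-022A1004.pf", "desktop.ini"]

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<account>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port (?P<port>\d+)"
)
# Prefetch file names are EXECUTABLE.EXE-XXXXXXXX.pf with an 8-hex-digit hash.
PREFETCH_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    account: str
    ip: str
    success: bool


def parse_auth_log(text: str, year: int = 2024) -> list[LoginEvent]:
    """Turn auth log lines into events. Syslog timestamps carry no year, so the
    year is an assumption the investigator must supply and document."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # lines that do not describe a login attempt are data, not evidence
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(LoginEvent(when, m["account"], m["ip"], m["result"] == "Accepted"))
    return events


def ips_by_account(events: list[LoginEvent]) -> dict[str, set[str]]:
    """What IP addresses are associated with each account (the minimum a
    provider's connection log gives an investigator)."""
    out: dict[str, set[str]] = {}
    for e in events:
        out.setdefault(e.account, set()).add(e.ip)
    return out


def evidence_for(events, *, account=None, ip=None, success=None) -> list[LoginEvent]:
    """Keep only the events that bear on a hypothesis such as
    'IP X successfully accessed an account'; everything else stays data."""
    return [
        e for e in events
        if (account is None or e.account == account)
        and (ip is None or e.ip == ip)
        and (success is None or e.success == success)
    ]


def infer_executed_programs(prefetch_names) -> list[tuple[str, str]]:
    """Indirect evidence: infer which programs have run from the mere
    existence of their Prefetch files. Returns (executable, hash) pairs."""
    found = []
    for name in prefetch_names:
        m = PREFETCH_RE.match(name)
        if m:
            found.append((m["exe"].upper(), m["hash"].upper()))
    return found


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    print("IPs per account (direct):", ips_by_account(events))
    print("Hypothesis '203.0.113.45 logged in successfully' supported by:",
          [(e.account, e.when.isoformat()) for e in evidence_for(events, ip="203.0.113.45", success=True)])
    print("Programs inferred to have run (indirect):", infer_executed_programs(PREFETCH_NAMES))
```

The failed root attempt from 198.51.100.7 is still in the parsed data, but it is not evidence for the stated hypothesis and the filter leaves it out; that is the "only the data that supports or refutes the hypothesis" point in code form. The Prefetch step deliberately returns nothing about when or how often each program ran, because that is not observable from the name alone.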
Once we know the location, we may be able to find account information, and if that account information is accurate, it may lead us to the actual person behind the account. We don't necessarily know that this person is the one who committed the crime, but it's likely, or at least possible, that they're related somehow. Another very common form of electronic evidence in cybercrime investigations is online accounts. Access to email, social media, forums, etc. allows an investigator to identify, again, IP addresses and some communications. Whenever we have access to a lot of different online accounts, like email accounts, most providers also record the IP addresses that make those connections; servers by default usually record the IP addresses making connections to them. So the investigator can potentially find out information about the user from their user account, but at a minimum what IP addresses are associated with that account, which can tell us the country the user was in when making these connections, and potentially lead us back to the account they were using with their local service provider. So IP addresses and online accounts are major sources of information for cybercrime investigations. Bank accounts, internet service accounts, and mobile phone accounts are also very commonly used. Again, most of these are usually available to police officers only, because you won't be able to ask for access to somebody else's online accounts, and you won't be able to ask an internet service provider for the subscriber information of whoever holds a specific IP address; they won't give you that information. These things are for law enforcement only. You will, however, be able to get IP addresses: you can see what IP addresses are connecting to you or your systems and do investigations based on those.

Right. So cybercrime investigations often need to follow financial transactions.
If we can basically follow the money... I think I talked a little bit before about hackers: it's relatively easy to hack, but when you try to get the money out, that's when most people get caught. So cybercrime investigations often need to follow financial transactions, and these transactions involve various services, especially banks and phone records. We can trace all of those transactions because there's a lot of auditing for any type of financial service. So we can normally trace those audit records back to find out who transferred the money, where it was transferred to, and who withdrew it or exchanged it or whatever they did. Most cybercrime investigations involve a transfer of money, and really that's how we investigate and find most criminals: through the financial transactions. Working with banks is required, which means it's mostly going to be law enforcement, unless the bank is willing to work with an organization; they will probably not work with an individual. They will do their own investigation if they need to. Working internationally is also often required. It's relatively easy to send money internationally nowadays, so we often have to work with law enforcement or other organizations in other countries, as well as banks.

Some cybercrime deals with stolen information like credit cards, usernames, and passwords. Some criminals who get credit card information or usernames and passwords will just harvest them and use them, but most will harvest that information and then try to sell it online. Rather than using the credit card information themselves and potentially being traced back as the person who used it, they sell the information and take the money from those sales. So when people are stealing your information, it's normally to gain personal information that they can sell on online forums, sell to marketers, or sell to all sorts of people, basically.
IP addresses may lead to a suspect's infrastructure, but rarely to the suspect. Most suspects, especially if they're good at cybercrime, will have infrastructure set up in multiple countries, and they will send all of their stolen information to that infrastructure, not to their home address or home IP address. They still have to transfer that data back to themselves, though, so that's normally a way we can track them. Everything is either used by the suspect or, more likely, sold on underground markets, and tracking money transfers is really one of the best ways to lead to a person, because people have to get the money out of the account somehow. Once people actually take the money out, we know who has been using or accessing the account, and we can potentially identify anyone who is involved.

So that's a little bit on electronic evidence. I will talk more about electronic and digital evidence in the second half of the semester, when we're talking about digital forensic investigations, and we'll go specifically into what types of evidence we can find in computers that can lead us to these suspects: not just an IP address, but what all of this data means in the investigation. So that's it for electronic evidence for now; we'll come back to it later. Thank you very much.