964 results for forensic computer examination
Abstract:
This research used the Queensland Police Service, Australia, as a major case study. Information on principles, techniques and processes used, and the reason for the recording, storing and release of audit information for evidentiary purposes is reported. It is shown that Law Enforcement Agencies have a two-fold interest in, and legal obligation pertaining to, audit trails. The first interest relates to the situation where audit trails are actually used by criminals in the commission of crime and the second to where audit trails are generated by the information systems used by the police themselves in support of the recording and investigation of crime. Eleven court cases involving Queensland Police Service audit trails used in evidence in Queensland courts were selected for further analysis. It is shown that, of the cases studied, none of the evidence presented was rejected or seriously challenged from a technical perspective. These results were further analysed and related to normal requirements for trusted maintenance of audit trail information in sensitive environments with discussion on the ability and/or willingness of courts to fully challenge, assess or value audit evidence presented. Managerial and technical frameworks for firstly what is considered as an environment where a computer system may be considered to be operating “properly” and, secondly, what aspects of education, training, qualifications, expertise and the like may be considered as appropriate for persons responsible within that environment, are both proposed. Analysis was undertaken to determine if audit and control of information in a high security environment, such as law enforcement, could be judged as having improved, or not, in the transition from manual to electronic processes. 
Information collection, control of processing and audit in manual processes used by the Queensland Police Service, Australia, in the period 1940 to 1980 was assessed against current electronic systems essentially introduced to policing in the decades of the 1980s and 1990s. Results show that electronic systems do provide for faster communications with centrally controlled and updated information readily available for use by large numbers of users who are connected across significant geographical locations. However, it is clearly evident that the price paid for this is a lack of ability and/or reluctance to provide improved audit and control processes. To compare the information systems audit and control arrangements of the Queensland Police Service with other government departments or agencies, an Australia wide survey was conducted. Results of the survey were contrasted with the particular results of a survey, conducted by the Australian Commonwealth Privacy Commission four years previous to this survey, which showed that security in relation to the recording of activity against access to information held on Australian government computer systems has been poor and a cause for concern. However, within this four year period there is evidence to suggest that government organisations are increasingly more inclined to generate audit trails. An attack on the overall security of audit trails in computer operating systems was initiated to further investigate findings reported in relation to the government systems survey. The survey showed that information systems audit trails in Microsoft Corporation's “Windows” operating system environments are relied on quite heavily. An audit of the security for audit trails generated, stored and managed in the Microsoft “Windows 2000” operating system environment was undertaken and compared and contrasted with similar such audit trail schemes in the “UNIX” and “Linux” operating systems.
Strength of passwords and exploitation of any security problems in access control were targeted using software tools that are freely available in the public domain. Results showed that such security for the “Windows 2000” system is seriously flawed and the integrity of audit trails stored within these environments cannot be relied upon. An attempt to produce a framework and set of guidelines for use by expert witnesses in the information technology (IT) profession is proposed. This is achieved by examining the current rules and guidelines related to the provision of expert evidence in a court environment, by analysing the rationale for the separation of distinct disciplines and corresponding bodies of knowledge used by the Medical Profession and Forensic Science and then by analysing the bodies of knowledge within the discipline of IT itself. It is demonstrated that the accepted processes and procedures relevant to expert witnessing in a court environment are transferable to the IT sector. However, unlike some discipline areas, this analysis has clearly identified two distinct aspects of the matter which appear particularly relevant to IT. These two areas are: expertise gained through the application of IT to information needs in a particular public or private enterprise; and expertise gained through accepted and verifiable education, training and experience in fundamental IT products and system.
Abstract:
Multislice-computed tomography (MSCT) and magnetic resonance imaging (MRI) are increasingly used for forensic purposes. Based on broad experience in clinical neuroimaging, post-mortem MSCT and MRI were performed in 57 forensic cases with the goal to evaluate the radiological methods concerning their usability for forensic head and brain examination. An experienced clinical radiologist evaluated the imaging data. The results were compared to the autopsy findings that served as the gold standard with regard to common forensic neurotrauma findings such as skull fractures, soft tissue lesions of the scalp, various forms of intracranial hemorrhage or signs of increased brain pressure. The sensitivity of the imaging methods ranged from 100% (e.g., heat-induced alterations, intracranial gas) to zero (e.g., mediobasal impression marks as a sign of increased brain pressure, plaques jaunes). The agreement between MRI and CT was 69%. The radiological methods prevalently failed in the detection of lesions smaller than 3 mm in size, whereas they were generally satisfactory concerning the evaluation of intracranial hemorrhage. Due to its advanced 2D and 3D post-processing possibilities, CT in particular possessed certain advantages in comparison with autopsy with regard to forensic reconstruction. MRI showed forensically relevant findings not seen during autopsy in several cases. The partly limited sensitivity of imaging that was observed in this retrospective study was based on several factors: besides general technical limitations it became apparent that clinical radiologists require a sound basic forensic background in order to detect specific signs. Focused teaching sessions will be essential to improve the outcome in future examinations. On the other hand, the autopsy protocols should be further standardized to allow an exact comparison of imaging and autopsy data.
In consideration of these facts, MRI and CT have the power to play an important role in future forensic neuropathological examination.
Abstract:
Based on only one objective and several subjective signs, the forensic classification of strangulation incidents concerning their life-threatening quality can be problematic. Reflecting that it is almost impossible to detect internal injuries of the neck with the standard forensic external examination, we examined 14 persons who have survived manual and ligature strangulation or forearm choke holds using MRI technique (1.5-T scanner). Two clinical radiologists evaluated the neck findings independently. The danger to life was evaluated based on the "classical" external findings alone and in addition to the radiological data. We observed hemorrhaging in the subcutaneous fatty tissue of the neck in ten cases. Other frequent findings were hemorrhages of the neck and larynx muscles, the lymph nodes, the pharynx, and larynx soft tissues. Based on the classical forensic strangulation findings with MRI, eight of the cases were declared as life-endangering incidents, four of them without the presence of petechial hemorrhage but with further signs of impaired brain function due to hypoxia. The accuracy of future forensic classification of the danger to life will probably be increased when it is based not only on one objective and several subjective signs but also on the evidence of inner neck injuries. However, further prospective studies including larger cohorts are necessary to clarify the value of the inner neck injuries in the forensic classification of surviving strangulation victims.
Abstract:
Thesis (Ph.D.)--University of Washington, 2016-08
Abstract:
This work presents a study of the effectiveness of Criminal Computer Forensic Reports (Laudos Periciais Criminais de Informática) in helping to form the judge's conviction when drafting sentences. To that end, the reports and the sentences that relied on them were examined, seeking a relationship between the two in order to analyse the quality of the report produced and its importance to the judicial decision and, consequently, to the promotion of social justice. The study allows us to state that forensic work is relevant, in most of the cases analysed, in helping judges in their decision-making. The results revealed that some variables that do not depend on the forensic work, such as the questions formulated by the party requesting the report and the type of criminal offence, are relevant for forensic examinations to be even more effective and to help promote justice. This research can serve as a management instrument for the Diretoria Técnico-Científica of the Departamento de Polícia Federal, filling the gap that exists today, given that federal criminal forensic experts receive no feedback on the work they carry out, while also demonstrating the importance of forensic work in proving offences. It will also help managers develop a methodology for preparing computer forensic reports that seek to indicate authorship and materiality of the offence in their examinations. Society needs its public bodies to act in a way that promotes social justice for citizens. In this scenario, the computer forensic report is one of the instruments that can help bring about justice in a more concrete way.
Abstract:
Documentoscopia (questioned document examination) is the largest forensic area within the PF's Criminalística, accounting for 24.49% of all report production in the Sistema Nacional de Criminalística. Despite this, it has no specific recruitment-examination track or degree programme, and the development of competencies in the area depends almost exclusively on training offered and delivered internally, within the institution and the work environment. Considering the strategic plans of the Direção Geral and the Diretoria Técnico-Científica of the PF, which stated the importance of valuing their staff through continuous training and competency management as a strategy for achieving their missions, the relevance of properly studying and developing competencies in the area of document examination is evident. The aim of this work is to analyse whether the technical competencies of the Polícia Federal's document examiners listed in the PF's technical function matrix are in line with those listed by the UN for forensic document examiners, and whether these competencies are being developed in the training activities offered by the ANP for the area. Some gaps were identified, that is, UN recommendations that have counterparts in the matrix but are not developed by the training activities, in addition to a discrepancy in the course workload. Some suggestions for minimising or eliminating these gaps were put forward, and other considerations were made, mainly aimed at a greater supply of training, professional specialisation, and the institution of proficiency tests and mentoring.
Abstract:
Computer forensics is the process of gathering and analysing evidence from computer systems to aid in the investigation of a crime. Typically, such investigations are undertaken by human forensic examiners using purpose-built software to discover evidence from a computer disk. This process is a manual one, and the time it takes for a forensic examiner to conduct such an investigation is proportional to the storage capacity of the computer's disk drives. The heterogeneity and complexity of various data formats stored on modern computer systems compounds the problems posed by the sheer volume of data. The decision to undertake a computer forensic examination of a computer system is a decision to commit significant quantities of a human examiner's time. Where there is no prior knowledge of the information contained on a computer system, this commitment of time and energy occurs with little idea of the potential benefit to the investigation. The key contribution of this research is the design and development of an automated process to describe a computer system and its activity for the purposes of a computer forensic investigation. The term proposed for this process is computer profiling. A model of a computer system and its activity has been developed over the course of this research. Using this model a computer system, which is the subject of investigation, can be automatically described in terms useful to a forensic investigator. The computer profiling process is resilient to attempts to disguise malicious computer activity. This resilience is achieved by detecting inconsistencies in the information used to infer the apparent activity of the computer. The practicality of the computer profiling process has been demonstrated by a proof-of-concept software implementation. The model and the prototype implementation utilising the model were tested with data from real computer systems.
The resilience of the process to attempts to disguise malicious activity has also been demonstrated with practical experiments conducted with the same prototype software implementation.
Abstract:
Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system – components such as users, files and applications - are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise – inconsistency arising out of the normal errant behaviour of a computer system, and inconsistency arising out of deliberate tampering by a suspect – and techniques for dealing with inconsistencies of the latter kind. We examine the impact of deliberate tampering through experiments conducted with prototype computer profiling software. Based on the results of these experiments, we discuss techniques which can be employed in computer profiling to deal with such temporal inconsistencies.
Abstract:
Digital forensics relates to the investigation of a crime or other suspect behaviour using digital evidence. Previous work has dealt with the forensic reconstruction of computer-based activity on single hosts, but with the additional complexity involved with a distributed environment, a Web services-centric approach is required. A framework for this type of forensic examination needs to allow for the reconstruction of transactions spanning multiple hosts, platforms and applications. A tool implementing such an approach could be used by an investigator to identify scenarios of Web services being misused, exploited, or otherwise compromised. This information could be used to redesign Web services in order to mitigate identified risks. This paper explores the requirements of a framework for performing effective forensic examinations in a Web services environment. This framework will be necessary in order to develop forensic tools and techniques for use in service oriented architectures.
Abstract:
Multilayer samples of white architectural paint potentially have very high evidential value in forensic casework, because the probability that two unrelated samples will have the same sequence of layers is extremely low. However, discrimination between the different layers using optical microscopy is often difficult or impossible. Here, lateral scanning Raman spectroscopy has been used to chemically map the cross-sections of multilayer white paint chips. It was found that the spectra did allow the different layers to be delineated on the basis of their spectral features. The boundaries between different layers were not as sharp as expected, with transitions occurring over length scales of > 20 µm, even with laser spot diameters <4 µm. However, the blurring of the boundaries was not so large as to prevent recording and identification of spectra from each of the layers in the samples. This method clearly provides excellent discrimination between different multilayer white paint samples and can readily be incorporated into existing procedures for examination of paint transfer evidence.
Abstract:
Clinical forensic examinations of children suspected of having been sexually abused are increasingly part of the routine of medicolegal institutes. The findings collected from 2005 until 2007 at the Institute of Legal Medicine of the Hanover Medical School were analysed retrospectively. Altogether, 91 children (74 females, 17 males, mean age 8.7 years) were examined. In 87.9% of the cases, the examination had been ordered by the police. In 73.6%, the victim knew the suspected perpetrator well or he was a family member. 40.7% of the children were seen within 72 hours after the alleged abuse. 12.1% of the children had extragenital lesions. In 27% of the victims, marked anogenital injuries were found, which were characteristic of sexual abuse in 9%. In 18 cases (20.2%), swabs were taken for spermatozoa detection. 3 of 17 vaginal smears showed positive test results for sperm up to 21 hours after the incident. No spermatozoa could be detected in 4 anal and 2 oral swabs as well as in one swab taken from the skin of the victim's thigh. In summary, the evaluation shows that early clinical forensic examination of children suspected of having been sexually abused is crucial to document evidence that is highly significant for the investigation and court proceedings. Often suspected sexual child abuse cannot be proved by medical findings alone. Of course, the absence of anogenital injuries does not rule out sexual abuse.
Abstract:
Medical-forensic examination of sexual assault victims and alleged offenders is a common task of many forensic institutes. In the current study, the results from samples taken at the Institute of Legal Medicine, Hanover Medical School, during a period from 2005 to 2007 were retrospectively evaluated. In total, 292 victims (283 females and nine males) and 88 suspects were examined. At the time of the assault, 41.8% of the victims and 43.2% of the alleged perpetrators were under the influence of alcohol. Injuries were found in 84.9% of the victims and 39.8% of the suspects. Thirty victims (10.3%) reported having been choked or strangled. Cytology was performed in 218 victims. In 81 cases (38.0%), sperm could be detected in vaginal swabs up to 3 days post-assault. In seven (18.9%) out of 37 anal samples, evidence of sperm could be found 24 h post-assault. None of 22 oral samples was positive for sperm. Out of 301 sexual assault cases, 171 could be proved by means of medical-forensic examination. In summary, our evaluation shows that an early medical-forensic examination of both victim and suspect can secure numerous medical findings. Furthermore, persons intoxicated by alcohol, handicapped persons and persons with psychiatric disorders are more vulnerable to become a sexual assault victim.