Crime or accident scene photographers usually capture images in color but also in black and white. The photograph of the skid mark was made during reconstruction at the accident scene to show how and why the ladder had slipped and caused a serious injury to the user. Color pictures are generally preferred because color may be an important aspect of the trace evidence, for example. Thus traces of paint or dye on a piece of evidence may be crucial to linking the evidence with a crime or accident.

Various forces and different countries have different policies in regards to 35 mm film or digital photography. There are advantages and disadvantages to both. Conventional film photographs, even using disposable cameras, have a high resolution, enabling great enlargement should details in a picture need closer examination. Pictures from surveillance cameras are a growing source of evidence for courts, as are pictures taken by bystanders on mobile phones. The former are being used increasingly at accident blackspots, and bystanders may take pictures of events when no police officer or investigator is present, but yet may be critical to a case. Digital photographs usually have an automatic date and time marker on each image, so that authenticity can be verified. Conventional photographs without such marks must be authenticated by the photographer, usually in a witness statement. Pictures of the relative position of objects (as in a Palimpsest) can establish a sequence of events at a crime or accident scene. Due to continued advances in digital technology and software, digital single-lens reflex (DSLR) cameras are increasingly being used by law enforcement agencies.

The images must be clear and usually have scales. They serve to not only remind investigators of the scene, but also to provide a tangible image for the court to better enable them to understand what happened. The use of several views taken from different angles helps to minimise the problem of parallax. Overall images do not have scales and serve to show the general layout, such as the house where the murder is thought to have occurred. Context images show evidence in context, like how the knife was next to the sofa. Close up images show fine detail of an artifact, such as a bloody fingerprint on the knife.

Road traffic incident (RTI) photographs show the overall layout at the scene taken from many different angles, with close-ups of significant damage, or trace evidence such as tire marks at a traffic collision. As with crime scene photography, it is essential that the site is pristine and untouched as far as is possible. Some essential intervention, such as rescuing a trapped victim, must be recorded in the notes made at the time by the photographer, so that the authenticity of the photographs can be verified.

As with all evidence a chain of custody must be maintained for crime scene photographs. Sometimes a CSI (forensic photographer) will process his/her own film or there is a specific lab for it. Regardless of how it is done any person who handles the evidence must be recorded. Secure Digital Forensic Imaging methods may be applied to help ensure against tampering and improper disclosure.[1] Accident scene pictures should also be identified and sourced, police photographs taken at the scene often being used in civil cases.

Crime or accident scene photographs can often be re-analysed in cold cases or when the images need to be enlarged to show critical details. Photographs made by film exposure usually contain much information which may be crucial long after the photograph was taken. They can readily be digitised by scanning, and then enlarged to show the detail needed for new analysis. For example, controversy has raged for a number of years over the cause of the Tay Bridge disaster of 1879 when a half-mile section of the new bridge collapsed in a storm, taking an express train down into the estuary of the river Tay. At least 75 passengers and crew were killed in the disaster.

The set of photographs taken a few days after the accident have been re-analysed in 1999-2000 by digitising them and enlarging the files to show critical details. The originals were of very high resolution since a large plate camera was used with a small aperture, plus a small grain film. The re-analysed pictures shed new light on why the bridge fell, suggesting that design flaws and defects in the cast iron columns which supported the centre section led directly to the catastrophic failure. Alternative explanations that the bridge was blown down by the wind during the storm that night, or that the train derailed and hit the girders are unlikely. The re-analysis supports the original court of inquiry conclusions, which stated that the bridge was “badly designed, badly built and badly maintained”.

Referenced From Forensic Photography

<a href=”http://creativecommons.org/licenses/by-sa/3.0/” target=”_blank”>http://creativecommons.org/licenses/by-sa/3.0/</a>

A number of techniques are used during computer forensics investigations.

Cross-drive analysis
A forensic technique that correlates information found on multiple hard drives. The process, which is still being researched, can be used for identifying social networks and for performing anomaly detection.[6][7]

Live analysis
The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.[8]

Deleted files
A common technique used in computer forensics is the recovery of deleted files. Modern forensic software have their own tools for recovering or carving out deleted data.[9] Most operating systems and file systems do not always erase physical file data, allowing it to be reconstructed from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.

Volatile data

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost.[5] One application of “live analysis” is to recover RAM data (for example, using Microsoft’s COFEE tool) prior to removing an exhibit.

RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate. The length of time for which data recovery is possible is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.[10]
Analysis tools
See also: list of digital forensics tools

A number of open source and commercial tools exist for computer forensics investigation. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.[4]

referenced from Computer Forensic Article http://creativecommons.org/licenses/by-sa/3.0/

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high profile cases and is becoming widely accepted as reliable within US and European court systems.

referenced from Computer Forensic Article http://creativecommons.org/licenses/by-sa/3.0/
http://creativecommons.org/licenses/by-sa/3.0/

Many jurisdictions require PIs to be licensed, and they may or may not carry firearms depending on local laws. Some are ex-police officers, some are former law enforcement agents, some are ex-spies and some are ex-military, some used to work in a private military company, some are former bodyguards and security guards, although many are not. While PIs may investigate criminal matters, most do not have police powers, and as such they cannot arrest or detain suspects. They are expected to keep detailed notes and to be prepared to testify in court regarding any of their observations on behalf of their clients. Great care is required to remain within the scope of the law, otherwise the investigator may face criminal charges. Irregular hours may also be required when performing surveillance work.^[1]

PIs also engage in a large variety of work that is not usually associated with the industry in the mind of the public. For example, many PIs are involved in process serving, the personal delivery of summons, subpoenas and other legal documents to parties in a legal case. The tracing of absconding debtors can also form a large part of a PI’s work load. Many agencies specialize in a particular field of expertise. For example, some PI agencies deal only in tracing. Others may specialize in technical surveillance counter-measures (TSCM), sometimes called electronic counter measures (ECM), which is the locating and dealing with unwanted forms of electronic surveillance (for example, a bugged boardroom for industrial espionage purposes). Other PIs, also known as Corporate Investigators, specialise in corporate matters, including anti-fraud work, the protection of intellectual property and trade secrets, anti-piracy, copyright infringement investigations, due diligence investigations and computer forensics work.^[1]

Increasingly, modern PIs prefer to be known as “professional investigators” or Licensed Private Investigators (LPI’s) rather than “private investigators” or “private detectives”. This is a response to the image that is sometimes attributed to the profession and an effort to establish and demonstrate the industry to be a proper and respectable profession.^[1] However, in 2009 a Toronto Star journalist obtained a private investigator’s licence in Ontario with no training, and reported that other Ontarians had done the same.^[2]

referenced from http://creativecommons.org/licenses/by-sa/3.0/

Criminal Background Investigation, Pre-Employment Background Check, Business Background Check, Employment History Check, Nanny Daycare Provider Check, Address History Check, Tenant Screening, Public Record Retrieval, Genealogy Research, Asset Search, Location Services, Subpoena and Process Services, Due Diligence Locate, Skiptrace Locate, Personal Injury Investigations, Insurance Claims Investigations, Loss Prevention Investigations, Medical Malpractice Investigations, Marital and Domestic Investigations, Investigate Photography – Videography, Personnel Activity Checks, Surveillance Services, Bug Sweeps and Undercover Operations.

Cryptanalysis is also used to refer to any attempt to circumvent the security of other types of cryptographic algorithms and protocols in general, and not just encryption. However, cryptanalysis usually excludes methods of attack that do not primarily target weaknesses in the actual cryptography, such as bribery, physical coercion, burglary, keystroke logging, and social engineering, although these types of attack are an important concern and are often more effective than traditional cryptanalysis.

Even though the goal has been the same, the methods and techniques of cryptanalysis have changed drastically through the history of cryptography, adapting to increasing cryptographic complexity, ranging from the pen-and-paper methods of the past, through machines like Bombes and Colossus computers in World War II, to the computer-based schemes of the present. The results of cryptanalysis have also changed — it is no longer possible to have unlimited success in codebreaking, and there is a hierarchical classification of what constitutes an attack. In the mid-1970s, a new class of cryptography was introduced: asymmetric cryptography. Methods for breaking these cryptosystems are typically radically different from before, and usually involve solving carefully constructed problems in pure mathematics, the best-known being integer factorization.

Types of cryptanalytic attack

Cryptanalytic attacks vary in potency and how much of a threat they pose to real-world cryptosystems. A certificational weakness is a theoretical attack that is unlikely to be applicable in any real-world situation; the majority of results found in modern cryptanalytic research are of this type. Essentially, the practical importance of an attack is dependent on the answers to the following four questions:

What knowledge and capabilities does the attacker need?
How much additional secret information is deduced?
How much computation is required? (What is the computational complexity?)
Does the attack break the full cryptosystem, or only a weakened version?

[edit] Access needed for the attack

Cryptanalysis can be performed under a number of assumptions about how much access the attacker has to the system under attack. As a basic starting point it is normally assumed that, for the purposes of analysis, the general algorithm is known; this is Kerckhoffs’ principle of “the enemy knows the system”. This is a reasonable assumption in practice — throughout history, there are countless examples of secret algorithms falling into wider knowledge, variously through espionage, betrayal and reverse engineering. (On occasion, ciphers have been reconstructed through pure deduction; for example, the German Lorenz cipher and the Japanese Purple code, and a variety of classical schemes).

Other assumptions include:

Ciphertext-only: the cryptanalyst has access only to a collection of ciphertexts or codetexts.
Known-plaintext: the attacker has a set of ciphertexts to which he knows the corresponding plaintext.
Chosen-plaintext (chosen-ciphertext): the attacker can obtain the ciphertexts (plaintexts) corresponding to an arbitrary set of plaintexts (ciphertexts) of his own choosing.
Adaptive chosen-plaintext: like a chosen-plaintext attack, except the attacker can choose subsequent plaintexts based on information learned from previous encryptions. Similarly Adaptive chosen ciphertext attack.
Related-key attack: Like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in the one bit.

These types of attack clearly differ in how plausible they would be to mount in practice. Although some are more likely than others, cryptographers will often take a conservative approach to security and assume the worst-case when designing algorithms, reasoning that if a scheme is secure even against unrealistic threats, then it should also resist real-world cryptanalysis as well.

The assumptions are often more realistic than they might seem upon first glance. For a known-plaintext attack, the cryptanalyst might well know or be able to guess at a likely part of the plaintext, such as an encrypted letter beginning with “Dear Sir”, or a computer session starting with “LOGIN:”. A chosen-plaintext attack is less likely, but it is sometimes plausible: for example, you could convince someone to forward a message you have given them, but in encrypted form. Related-key attacks are mostly theoretical, although they can be realistic in certain situations, for example, when constructing cryptographic hash functions using a block cipher.
[edit] Usefulness of attack results

The results of cryptanalysis can also vary in usefulness. For example, cryptographer Lars Knudsen (1998) classified various types of attack on block ciphers according to the amount and quality of secret information that was discovered:

Total break — the attacker deduces the secret key.
Global deduction — the attacker discovers a functionally equivalent algorithm for encryption and decryption, but without learning the key.
Instance (local) deduction — the attacker discovers additional plaintexts (or ciphertexts) not previously known.
Information deduction — the attacker gains some Shannon information about plaintexts (or ciphertexts) not previously known.
Distinguishing algorithm — the attacker can distinguish the cipher from a random permutation.

Similar considerations apply to attacks on other types of cryptographic algorithm.
[edit] Computational resources required

Attacks can also be characterised by the resources they require. Those resources include:

Time — the number of computation steps (like encryptions) which must be performed.
Memory — the amount of storage required to perform the attack.
Data — the quantity of plaintexts and ciphertexts required.

It’s sometimes difficult to predict these quantities precisely, especially when the attack isn’t practical to actually implement for testing. But academic cryptanalysts tend to provide at least the estimated order of magnitude of their attacks’ difficulty, saying, for example, “SHA-1 collisions now 252″

Bruce Schneier notes that even computationally impractical attacks can be considered breaks: “Breaking a cipher simply means finding a weakness in the cipher that can be exploited with a complexity less than brute force. Never mind that brute-force might require 2128 encryptions; an attack requiring 2110 encryptions would be considered a break…simply put, a break can just be a certificational weakness: evidence that the cipher does not perform as advertised.” [11]
[edit] Partial breaks

Academic attacks are often against weakened versions of a cryptosystem, such as a block cipher or hash function with some rounds removed. Many, but not all, attacks become exponentially more difficult to execute as rounds are added to a cryptosystem,[12] so it’s possible for the full cryptosystem to be strong even though reduced-round variants are weak. Nonetheless, partial breaks that come close to breaking the original cryptosystem may mean that a full break will follow; the successful attacks on DES, MD5, and SHA-1 were all preceded by attacks on weakened versions.
[edit] Academic weakness versus practical weakness

In academic cryptography, a weakness or a break in a scheme is usually defined quite conservatively: it might require impractical amounts of time, memory, or known plaintexts. It also might require the attacker be able to do things many real-world attackers can’t: for example, the attacker may need to choose particular plaintexts to be encrypted or even to ask for plaintexts to be encrypted using several keys related to the secret key. Furthermore, it might only reveal a small amount of information, enough to prove the cryptosystem imperfect but too little to be useful to real-world attackers. Finally, an attack might only apply to a weakened version of cryptographic tools, like a reduced-round block cipher, as a step towards breaking of the full system.[11]

referenced from Cryptanalysis Article http://creativecommons.org/licenses/by-sa/3.0/

Note: Colorado does not require any type of special license to become a private investigator.