In simple terms, computer or digital forensic evidence analysis is the scientific collection of data that is either retrieved from or held by a computer storage device and that can be used against a criminal in a court of law. For the information to be used in court it must be collected properly before it is presented; therefore, a number of recommendations have been proposed to make sure that the information collected meets the required standard of integrity.
Information collected digitally from computers or media storage applications is subject to protocols that need to be followed during the process. The order in which digital information is collected largely determines the life expectancy of the information collected (Eoghan, 2004, p. 74). There is a need to change information
In addition, some of the organizations that produce such programs have installed programs that can be used by the investigative agency.
Discussion Board
Some of the most important procedures used in the collection of information to be used in a court of law include collecting live data from RAM images. Such live information can be recovered using F-Response, which can collect data from a computer over the network. Information can be collected while the computer is logged on, connected to the network, or running (Carrier, 2006, p. 56). Another procedure that can be used in the collection of information for forensic purposes is the encryption of hard disks. Encryption of the hard disk creates logical images that can be collected using F-Response (Eoghan & Gerasimos, 2008, p. 95). A further important procedure is making sure that all data storage devices are kept away from magnets and any other devices that might destroy the data stored in them. It is important that the individuals handling the evidence obtain the information collection manuals that help them collect information effectively (Eoghan & Gerasimos, 2008, p. 94).
It is important that a financial crime investigator obtains all information generated by the computer by analyzing the caches left on the hard disks. Data recovery from RAM and any other external drives makes the data collected effective and applicable in a court
Specialized techniques for data recovery, evidence authentication and analysis of electronic data far exceeding normal data collection and preservation
There are four basic types of general desktop software applications that crime analysts use to organize data as well
Identifying evidence is the first stage in the process. A laptop, computer monitor, and hard drive are all pieces of evidence that are usually located first. It is critical for the investigator who is identifying and collecting evidence to know what else to look for. Other items that should be identified and collected as possible evidence include external hard drives, floppy disks, CDs, USB drives, and memory cards. If the investigator isn't aware of everything that falls into the category of digital evidence, it is possible that vital evidence may not be collected (Cosic, 2011).
What potential sources of digital evidence do you find at a crime scene? First of all, what is digital evidence? Digital evidence is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device. Put another way, digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Text messages, emails, pictures and videos, and internet searches are some of the most common types of digital evidence. Most criminals now leave a digital trail;
Based upon my extensive knowledge, training and experience, I have reasonably determined that when trying to locate the particular information pertaining to the investigation it is general practice to have the electronic storage devices searched by an individual who is well qualified in dealing with computer technology, especially in different types of environments. This is key because we need to make sure that all the electronic data is complete and pertains to the search warrant without going beyond the scope of it. To properly examine the electronic data in question it would be more efficient to perform an image copy of the drive, which could then be examined at a later time in a laboratory. This is correct for the following
Electronic evidence is very fragile because it can be destroyed or altered very easily; therefore it is imperative that investigators follow all the procedural steps very carefully when collecting electronic evidence (Diversified Forensics). Before any electronic evidence is gathered, investigators should determine whether there is probable cause that a crime has been committed, or, if the crime was committed somewhere else, whether the electronic evidence will aid the investigation in proving or disproving the crime; if a warrant is needed, it must be obtained prior to collecting the evidence (Diversified Forensics). Hard drives, computers, and other electronic devices must be turned off, unplug all cables,
For this reason, it is imperative that the information gathered is reliable and accurate to ensure the evidence collected can be utilized by the digital forensic investigator for the current case (Ingalls & Rodriguez, 2011). Additionally, cyber incidents require digital forensic investigators to interview various individuals regarding the information needed for the case. According to the National Institute of Justice (2004), interviewing the system administrator, users, and employees of an organization regarding a cyber incident would provide investigators with valuable information; for example, user accounts, email accounts, network configuration, logs, and passwords. Furthermore, for digital forensic investigators to conduct an effective interview, they must have the proper tools and training to carry out the interview process. For instance, formal procedures or instructions should be developed and implemented to ensure that the investigator follows a standard during all investigations. Additionally, training should be provided to ensure that digital forensic investigators understand how to prepare, conduct, and evaluate an interview. Furthermore, resources should be made available for digital forensic investigators to accomplish their tasks; for example, recording devices and references. Also, definitions should be provided to the digital forensic investigators for
A computer forensic investigation typically includes the collection, examination, analysis, and reporting of data. These steps could have been used to extract and preserve the data in the U.S. versus AOL case. Collection involves seizing digital evidence. Examination is where techniques are applied in order to identify and extract data. Analysis is using the data and resources to prove a case (Brecht, 2015). Reporting involves presenting the documentation gathered during the investigation. Investigators use these steps to examine evidence that could be needed in a trial. Following these steps is one way to ensure that the findings are sound and admissible in court. "The purpose of a computer forensic examination is to recover data from computers seized as evidence in criminal investigations" (Brecht, 2015). Forensic tools are used by investigators to provide their collection, indexing and detailed analysis
Identification: this is identifying the possible containers of computer-related evidence, such as hard drives, flash drives, and log files. A computer or the hard drive itself is not evidence but a possible holder of evidence. The information and data to be extracted is the information that is pertinent to the situation in question (Hailey, 2003).
Data is crucial to the success of any company, and companies are now increasing their efforts to solicit and retrieve customer data to learn more about their clients' preferences, likes, and dislikes. This, among other factors, has contributed to the growing field of data science, where data scientists learn to collect crucial data. While there are many types of data, this paper will primarily focus on digital data and how digital scientists can retrieve such data to provide information for the crown or for the defense. This area has received more attention because criminals such as terrorists have realized the effectiveness of using digital devices to aid their criminal endeavors (Reith, Carr & Gunsch, 2002, p.2). To combat this, law enforcement agencies are now relying on digital scientists to preserve, collect, analyze and interpret "digital evidence derived from digital sources" (Vincze, 2016, p.184) to help prevent cybercrime and prosecute (or exonerate) suspects. The purpose of this paper is then to illustrate why digital forensics is crucial to addressing the new dangers presented in our society by analyzing the strengths and demonstrating why the weaknesses of the field
Just as with other forms of evidence, digital evidence must be protected from getting wet, being stepped on, driven over, frozen, and so on. Magnetic media of all sorts can be fragile and, if not handled with care, can be wiped out. This is why officers should take special care to handle the evidence and package it accordingly, as not doing so could cost them a case. A third issue that can affect digital data if not handled properly is turning off or powering down a device. Computers store information in RAM, which can be erased if the system is not shut down properly. In addition, applications, documents, images, or any other data left open by the user can be lost if the computer is turned off. It is best that the investigator not perform any action on a computer, such as clicking the mouse, opening any files, using the keyboard, or running any software on the suspect's computer
(2006), volatile data is defined as data on a powered-on system that will be lost when it is shut down. One very important source of data that can be collected from a live system is the information contained in random access memory (RAM), such as "data files, password hashes, and recent commands" (Kent et al., 2006). Furthermore, digital forensic investigators can also collect further digital information from RAM, such as slack space, free space, network configuration, network connections, running processes, open files, login sessions, and operating system time.
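The following is an added illustration, not code from any of the essays above, of two points the passages make: volatile sources (RAM contents, network state) are captured before persistent ones, and each capture is hashed at acquisition so that an image examined later in the lab can be shown to be unaltered. The volatility ranking, the function names and the sample data are assumptions for the demo.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed order-of-volatility ranking (lower = collect first), built from the
# sources named in the passage above; adjust for the case at hand.
VOLATILITY_RANK = {
    "ram": 0, "network_connections": 1, "running_processes": 2,
    "login_sessions": 3, "disk_image": 4,
}

@dataclass
class Artifact:
    name: str        # source label, e.g. "ram"
    data: bytes      # acquired bytes (constructed sample data in the demo)
    sha256: str = field(init=False)

    def __post_init__(self):
        # Hash at acquisition time; this value is what goes in the custody record.
        self.sha256 = hashlib.sha256(self.data).hexdigest()

def acquisition_order(sources: List[str]) -> List[str]:
    """Sort sources so the most volatile are captured first."""
    unknown = [s for s in sources if s not in VOLATILITY_RANK]
    if unknown:
        raise ValueError(f"no volatility rank for: {unknown}")
    return sorted(sources, key=lambda s: VOLATILITY_RANK[s])

def acquire(sources: Dict[str, bytes]) -> List[Artifact]:
    """Collect sources in volatility order and hash each as it is captured."""
    return [Artifact(n, sources[n]) for n in acquisition_order(list(sources))]

def verify(artifact: Artifact, current: bytes) -> bool:
    """Re-hash a copy presented later (e.g. in the lab) against the custody record."""
    return hashlib.sha256(current).hexdigest() == artifact.sha256

if __name__ == "__main__":
    # Constructed sample sources standing in for real captures.
    sample = {
        "disk_image": b"NTFS    " + b"\x00" * 16,
        "ram": b"recent commands: ls -la; cat notes.txt",
        "network_connections": b"tcp 10.0.0.5:443 ESTABLISHED",
    }
    record = acquire(sample)
    print([a.name for a in record])            # ram first, disk image last
    tampered = sample["ram"] + b" (edited)"
    print(verify(record[0], sample["ram"]), verify(record[0], tampered))
```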
Next, evidence is collected and analyzed, including tangible evidence such as hard drives and electronic devices, and the digital evidence they contain. Cybercrime investigations involving instant messaging rely on instant messaging exchanges, or conversations between people, as digital evidence. The data includes the IM text, and the "meta-data" includes other related evidence such as timestamps, the length of time the user has been logged on, and more. Then you must seek expert advice if necessary, since these crimes can get extremely technical. For crimes relating to
Practitioners make use of what is called a "forensic kit" in order to image or procure the files from the storage devices in the possession of the custodian. Reactive responses are also known as "incident response". As described in a paper by the SANS Institute, a good incident response procedure can be broken down into some basic steps [6]: planning and preparation, incident detection, initial response, response strategy formulation, forensic backups, investigation, security measure implementation, network monitoring, recovery and reporting. More details about each step can be found in the paper. To accommodate these requirements, the forensic kit includes various hardware and software that assist in these phases of the collection process. Below are some types of forensic kits that are used in the computer forensic industry
Since computers came into widespread use, computer crime has caused an increase in computer investigations during the twenty-first century. Some reasons for investigation include identity theft, such as stolen social security and credit card numbers; finding evidence of a cheating spouse; investigating hackers on a computer system; finding evidence of child pornography; and much more.