Computer Forensics: Issues in Preserving Digital Evidence and Forensic Investigation

A big problem with digital evidence is, that the suspects can hide the evidence on any location on the Hard Drive. That means a judge, a police office or a forensic analyst can impossible predict where exactly the evidence is located on the Hard Drive. That implies, that the forensic analyst have to search through the entire Hard Drive to find the evidence

Evidence plays a vital role throughout criminal investigations. Typically, we think of evidence as things such as fingerprints, DNA, and fibers. However, evidence as evolved as the world of technology has expanded. Digital evidence also now plays just as much of an important role as traditional evidence. When beginning an investigation that involves digital evidence, it is important for the investigator to know what evidence to look for. Identification of evidence, collection including transportation of evidence and examination of evidence are the three main aspects of the process.

What potential sources of digital evidence do you find at a crime scene? First of all, what is digital evidence? Digital evidence is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device. Also, Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Text messages, emails, pictures and videos, and internet searches are some of the most common types of digital evidence. Most criminals now leave a digital trail;

Electronic evidence is very fragile because it can be destroyed or altered very easily, therefore it is imperative that investigators follow very careful all the procedural steps when collecting electronic evidence (Diversified Forensics). Before any electronic evidence is gathered investigators should determine whether there is probable cause that a crime has been committed, or if the crime was committed somewhere else the investigator should determine whether the electronic evidence will aid the investigation process to prove or disapprove the crime, if a warrant is needed it must be obtained prior to collecting the evidence (Diversified Forensics). Hard drives, computers, and other electronic devices must be turned off, unplug all cables,

For this reason, it is imperative that the information gathered is reliable and accurate to ensure the evidence collected can be utilized by the digital forensic investigator for the current case (Ingalls & Rodriguez, 2011). Additionally, cyber incidents require digital forensic investigators to interview various individuals regarding the information needed for the case. According to the National Institute of Justice (2004), interviewing the system administrator, users, and employees of an organization regarding a cyber incident would provide investigators with valuable information; for example, user accounts, email accounts, network configuration, logs, and passwords. Furthermore, for digital forensic investigators to conduct an effective interview, they must have the proper tools and training to employ the interview process. For instance, formal procedures or instructions should be developed and implemented to ensure that the investigator follows a standard during all investigations. Additionally, training should be provided to ensure that digital forensic investigators comprehend by what means to prepare, conduct, and evaluate an interview. Furthermore, resources should be made available for digital forensic investigators to accomplish their tasks; for example, recording devices and references. Also, definitions should be provided to the digital forensic investigators for

Preservation: Before performing a computer forensics analysis, we must ensure to do everything possible to preserve the original data and media. It involves making a forensic image of the media and conducting our analysis on the copy versus the original.

This means that digital evidence is hard to destroy and that in order to completely remove the evidence from the internet, one must possess a high level of knowledge in the area (Casey, 2011, p.26). This means that criminals who conduct online crimes will always leave online trails and it is up to the digital forensic scientists to retrieve the evidence (Casey, 2011, p.26). This is a strength and it also shows us why digital forensic scientists can play a crucial role as they are the few people that are trained in locating the trail of evidence left behind by the

Digital evidence is defined as being evidence that takes form as electronic data, or information stored in bits and bytes on magnetic media. Digital evidence cane range from photos, videos, text documents, internet activity logs, phone numbers, or any other data that is stored electronically that has involvement with a criminal case. Devices that can hold digital evidence are personal computers, computer media, disks, CDs, DVDs, etc. and cellular phones or similar all into one devices and many other types of devices as well. When preserving digital evidence extreme care must be taken. Investigators are sworn in to never change or altar evidence digital or not. Digital data however is very fragile and extra care is imperative. So the first and foremost concern when dealing with digital data is to preserve all data on the hard disk drive or other computer media in a pristine, unaltered, unharmed and unchanged manner.

Although computer forensics is a relatively young field of crime investigation, it has become a useful area of knowledge. Organizations and companies are finding it necessary to recruit computer and network forensics investigators. These experts can detect and report various computer crimes. The reports of their findings can be used to provide useful evidence in court. This paper discusses various aspects of computer forensics. It is based on a scenario involving a computer, which is suspected to contain evidence on child pornography.

Physical evidence refers to any material that is obtained from tangible objects such as fingerprints, clothing, hairs, fibers, documents, and food items (Vandenberg, 2014). It is only used in about 20% of all criminal cases (Vandenberg, 2014). The most known physical evidence is DNA. DNA has become

Digital evidence is any information stored or transited in digital from that a party can use in a court case that proves or disprove allegations made against an arrestee. Such digital items include pictures, videos, text documents, internet activity, phone numbers, or any other type of data. The three types of digital evidence are Personal Computers, portable storage media such as universal serial bus (USB) memory sticks, compact flash cards, XD media, thumb drives and SD cards. The issue with preserving digital evidence is that if the evidence your collecting could be on a network in multiple locations or even a different part of the state or another state all together an officer would have to obtain another warrant then if it’s out of state

In a world where technology is increasingly becoming the way of life, it was only a matter of time before crime was no longer just in the streets but happening online as well. Criminals now get a new approach to carry out their crimes with the use of computers. Since technology is more like a murder mystery than catching the bad guy in the act, a new discipline of forensics needed to be put into place. This is known as computer forensics. Forensic science is any science used for the purpose of law. In the case of computer forensics it is “the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law” (U.S. Cert, 2008). Meaning if you do something illegal on the Internet it can be found.

Over the years, forensics have played an integral role in solving crimes of all variety. Technological advances have made life easier for society as whole including those in the field of forensics. Digital forensics utilizes the advances in technology such emails, phones, social media, and other ways digital information could be shared in order to help crimes. People have grown so accustomed to phones, tablets, and computers that they often forgot these kinds of technology were not always around to use. The field of forensics has wisely grown with the advances in technology. Crimes have employed forensics to solve crimes for decades, but now with technology more information is available than ever to help assist in crime solving. Technology makes communication a lot easier and allows to talk people from all walks of life. The advances in technology have also allowed business to grow nationwide and worldwide with the ease of emails and phone calls.

This essay will look at a number of features that have been added to windows, from Windows XP to Windows 8 and the effects these changes have made to the recovery of forensic evidence. I will firstly look at selected features that have been added to windows since XP and briefly explain their purpose. I will then look at the changes these feature have had that have made it less likely for the digital forensic scientist to provide useful evidence, and then those that have made it more possible for the digital forensic scientist to provide useful evidence.

In simple terms, computer or digital forensic evidence analysis is the scientific collection of data that is either retrieved or held by a computer storage device that can be used against a criminal in a court of law. For the information to be used in court it should be collected before it is presentation; therefore, there are a number of recommendations proposed to make sure that information collected meets the intended integrity.