Literature Review

Anti-forensics

The purpose of anti-forensics is to intentionally make digital investigations and the examination of digital media more difficult through several means, including data forgery, data hiding and data deletion. The techniques differ in what they do, but the common goal is to make sure data is unrecoverable (Lucia, 2013).

Forensic tools

There are many tools used to try to find data that has been removed from a disk, but none of these tools is able to recover data from devices that have been sanitized. The reason for this is that the data contained in the file has been overwritten, which makes it unrecoverable. Tools such as EnCase (proprietary) and DiskDigger (free) are able to recover files that have been deleted using the normal delete function. EnCase builds up a complete image of the disk and contains much more information, which can be used (because of prefetch files) to see how many times anti-forensic tools were run, if any were installed. DiskDigger, on the other hand, just recovers files that have been deleted and allows them to be restored.

There are many tools designed to securely erase data from a hard disk or just to remove a single file. These tools include CCleaner, HDDErase and many more. They allow either individual files to be deleted by overwriting the space they take up, or all of the free space on the drive to be overwritten to remove any traces that files existed on the device. They overwrite the data and contain many different algorithms that offer
Digital forensics (sometimes Digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.[1][2] The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover all devices capable of storing digital data and is now used to describe the entire field.[1] The discipline evolved in a haphazard manner during the 1990s and it was not until the early 2000s that national policies were created.
Imagine that you are investigating a case where the suspect is believed to have deleted information from his or her computer that might be evidence. Where would you look for this evidence?
A big problem with digital evidence is that suspects can hide the evidence at any location on the hard drive. That means a judge, a police officer or a forensic analyst cannot possibly predict where exactly the evidence is located on the hard drive. This implies that the forensic analyst has to search through the entire hard drive to find the evidence.
A computer forensic investigation typically includes the collection, examination, analysis, and reporting of data. These steps could have been used to extract and preserve the data in the U.S. versus AOL case. Collection involves seizing digital evidence. Examination is where techniques are applied in order to identify and extract data. Analysis is using the data and resources to prove a case (Brecht, 2015). Reporting involves presenting the documentation gathered during the investigation. Investigators use these steps to examine evidence that could be needed in a trial. Following these steps is one way to ensure that the findings are sound and admissible in court. “The purpose of a computer forensic examination is to recover data from computers seized as evidence in criminal investigations” (Brecht, 2015). Forensic tools are used by investigators to provide their collection, indexing and detailed analysis
Digital crime has been on the increase due to the increasing use of computers and the internet. This has given investigators another method of fighting this crime: computer forensics, the process of going into a computer's hard drive and capturing basic information the user believed had been erased.
Data is crucial to the success of any company, and companies are now increasing their efforts in soliciting and retrieving customer data to learn more about their clients' preferences, likes, and dislikes. This, among other factors, has contributed to a growing field of data science where data scientists learn to collect crucial data. While there are many types of data, this paper will primarily focus on digital data and how digital scientists can retrieve these data to provide information for the crown or for the defense. This area has received more attention because criminals such as terrorists have realized the effectiveness of using digital devices to aid in their criminal endeavors (Reith, Carr & Gunsch, 2002, p.2). To combat this, law enforcement agencies are now relying on digital scientists to preserve, collect, analyze and interpret "digital evidence derived from digital sources" (Vincze, 2016, p.184) to help prevent cybercrime and prosecute (or exonerate) suspects. The purpose of this paper is then to illustrate why digital forensics is crucial to addressing the new dangers presented in our society by analyzing the strengths and demonstrating why the weaknesses of the field
Just as with other forms of evidence, digital evidence must be protected from getting wet, stepped on, driven over, frozen and so on. Magnetic media of all sorts can be fragile and, if not handled with care, can be wiped out. This is why officers should take special care to handle the evidence and package it accordingly, as not doing so could cost them a case. A third issue that can also affect digital data, if not done properly, is the turning off or powering down of a device. Computers store information in RAM, which can be erased if the system is not shut down properly. Likewise, applications, documents, images, or any other data the user left open on the computer can be lost if the computer is turned off. It is best that the investigator not take any action when dealing with a computer, such as clicking the mouse, clicking on any files, using the keyboard, or applying any software to the suspect's computer
When watching crime shows on television, how do you think the crimes are committed? There are many ways that crimes can be committed. For example, there are shows about murder, robbery, rape, genocide and much more. Most crime-based shows portray real-life situations and the processes that crime scene investigators have to go through in order to solve the case, but producers also attempt to fabricate and accelerate the forensic analysis to get an answer. Also, crime-based television shows always have captivating plots, and the characters as well as the action are like life
From data acquisition, the investigator should move to the process of extracting data. He or she should use special computer forensics software tools to extract important data from various computer devices and networks. The process of extracting data requires the investigator to be knowledgeable about where to search for data in the system and the kind of questions to ask (Rogers, 2003). After extracting data, the investigator proceeds to the process of data analysis. By this time, the investigator will probably have thousands of files. He or she should use computer forensic tools and techniques to analyze the files in order to generate data which is more relevant and concise (Rogers, 2003). The last step of the process of computer forensics involves reporting the analyzed data. The investigators should ensure that the data which is to be reported is complete, understandable, and defensible. This will ensure that the final data presented is credible (Rogers, 2003).
Competency means mastery, the state in which an individual or organization can provide services in accordance with the law, rules of ethics, and the expectations of all stakeholders. The value of competency can actually be quantified, as organizations seek to measure the effects of their failures via cost accounting (Brett, n.d.). In law enforcement, we cannot put a price on professional competency. Human lives are at stake, as is the credibility and efficiency of the entire criminal justice system. The value of competency therefore cannot be estimated and must be continually re-evaluated and assessed. As a Detective working in the field of Forensic Identification, I must always be aware of the core competencies of my profession and ensure that I am fulfilling those core competencies every day.
Digital forensics has been responsible for putting away thousands and thousands of criminals, ranging from simple computer crimes to child pornography. To get quality evidence that can be admissible in court, there are steps that are needed in preparing a computer investigation. There are also requirements for data recovery, as well as procedures for corporate investigations. “Digital forensics has become prevalent because law enforcement recognizes that modern day life includes a variety of digital devices that can be exploited for criminal activity, not just computer systems. While computer forensics tends to focus on specific methods for extracting evidence from a particular platform, digital forensics must be modeled such that it can encompass all types of digital devices, including future digital technologies” (Reith, Carr, and Gunsch, 2002).
Having digital forensic capabilities is very important in this era we are in. At our company, we have an in-house forensics team that consists of a senior forensic investigator, a project manager, a computer forensic examiner, legal counsel, an IT specialist, and three lab assistants.
Forensically wiping the hard drive simply means that all areas of the disk are overwritten with a single character, overwriting every file that had been stored on the drive previously. The drive needs to be forensically wiped before images are written to it, or the images can be tainted by data that is left over on the drive. Tainting of the drive will affect the hash value and call into question the validity of the data. A hash is compared to a fingerprint, with no two hashes being alike except for identical files. Hashing provides a digital signature for the data which ensures the integrity of the file, because any modification of the data can be detected.
The three items that I would collect would be the external hard drive, the laptop, and the USB thumb drive. It’s important to remember that you “must use caution when collecting, packaging, or storing digital devices to avoid altering, damaging, or destroying the digital evidence. Avoid using any tools or materials that may produce or emit static electricity or a magnetic field as these may damage or destroy the evidence” (Mukasey, 2008). The first item that I would collect as digital evidence would be the external hard drive. It may contain all types of evidence such as: files, logs, pictures, recordings, or even video logs. Before collecting it as evidence I would take pictures of the hard drive, making sure to get the manufacturer and serial numbers, and then document it. Once complete, I would seal it in an anti-static bag and label that as well. The second item that I would collect would be the laptop. This could have all of the same type of information that the hard drive has and also may contain copies, pictures, or the source code itself from “Product X.” The laptop may show whether or not he was sharing files or trade secrets with outside sources, or even if he were attempting to crack passwords so as to get into systems that weren’t available to
The aim of this report is to investigate where and how anti-forensic tools work, as well as to look at the challenges forensic investigators face when such tools are used. After anti-forensic tools are used, certain artefacts will be left behind; this report will also cover the procedures and difficulties involved in trying to uncover these artefacts, as well as the tools used to find them.