Tools For An Expert 's Deposition

The hard drive is extremely hard to “break into” to view the contents. There is no real easy way to access the information and the investigative options then become very limited.

Specialized techniques for data recovery, evidence authentication and analysis of electronic data far exceeding normal data collection and preservation

Imagine that you are investigating a crime of fraud, where the suspect is creating false documents. Where might you look for evidence on the suspect's computer?

A big problem with digital evidence is, that the suspects can hide the evidence on any location on the Hard Drive. That means a judge, a police office or a forensic analyst can impossible predict where exactly the evidence is located on the Hard Drive. That implies, that the forensic analyst have to search through the entire Hard Drive to find the evidence

Review the information in the text sheet entitled “Overview of Evidence and Digital Forensic Analysis Techniques,” which describes different types of digital forensic analysis techniques, such as disk forensics and e-mail forensics.

Ibrahim Baggili, an assistant Professor of Computer Science at the University of New Haven said this, "Forensic evidence from a smartphone or a computer might be critical to solving a crime (Baggili).” Personal and private information are stored on phones and computers and it is a great tool for a scientist to use when working on a crime.

Identifying evidence is the first stage in the process. A laptop, computer monitor, and hard drive are all pieces of evidence that are usually located first. It is critical for the investigator who is identifying and collecting evidence to know what else to look for. Other items that should be identified and collected as possible evidence include external hard drives, floppy discs, CD’s, USB drives, and memory cards. If the investigator isn’t aware what all falls into the category of digital evidence, it is possible that vital evidence may not be collected (Cosic, 2011).

Electronic evidence is very fragile because it can be destroyed or altered very easily, therefore it is imperative that investigators follow very careful all the procedural steps when collecting electronic evidence (Diversified Forensics). Before any electronic evidence is gathered investigators should determine whether there is probable cause that a crime has been committed, or if the crime was committed somewhere else the investigator should determine whether the electronic evidence will aid the investigation process to prove or disapprove the crime, if a warrant is needed it must be obtained prior to collecting the evidence (Diversified Forensics). Hard drives, computers, and other electronic devices must be turned off, unplug all cables,

For this reason, it is imperative that the information gathered is reliable and accurate to ensure the evidence collected can be utilized by the digital forensic investigator for the current case (Ingalls & Rodriguez, 2011). Additionally, cyber incidents require digital forensic investigators to interview various individuals regarding the information needed for the case. According to the National Institute of Justice (2004), interviewing the system administrator, users, and employees of an organization regarding a cyber incident would provide investigators with valuable information; for example, user accounts, email accounts, network configuration, logs, and passwords. Furthermore, for digital forensic investigators to conduct an effective interview, they must have the proper tools and training to employ the interview process. For instance, formal procedures or instructions should be developed and implemented to ensure that the investigator follows a standard during all investigations. Additionally, training should be provided to ensure that digital forensic investigators comprehend by what means to prepare, conduct, and evaluate an interview. Furthermore, resources should be made available for digital forensic investigators to accomplish their tasks; for example, recording devices and references. Also, definitions should be provided to the digital forensic investigators for

When was the last time she accessed her computer? What is her background in computers, what is her skill level? I need some background on the former employee, her computer habits and activities prior to the files being found on her computer. I must collect digital evidence while keeping the data unaltered, first thing. This data will be used later in the prosecution of the case. This can be done through calculating and recording an evidence file. Next is imaging of the computer media with a write-blocking tool. I must keep the chain of custody. The computer's RAM is examined for evidence. During the examination step, verify and catalog the presence and integrity of the original evidence and any copies. An analysis is made with specialized equipment to find out exactly what's stored on the digital media. This includes a manual review of all materials found on the media, a review of the Windows registry, techniques to crack passwords and retrieve protected data, keyword searches and extraction of email and pictures for further review.

The three items that I would collect would be the external hard drive, the laptop, and the USB thumb drive. It’s important to remember that you ”must use caution when collecting, packaging, or storing digital devices to avoid altering, damaging, or destroying the digital evidence. Avoid using any tools or materials that may produce or emit static electricity or a magnetic field as these may damage or destroy the evidence” (Mukasey, 2008). The first item that I would collect as digital evidence would be the external hard drive. It may contain all types of evidence such as: files, logs, pictures, recordings, or even video logs. Before collecting it as evidence I would take pictures of the hard drive, making sure to get the manufacturer and serial numbers, and then document it. Once complete, I would seal it in an anti-static bag and label that as well. The second item that I would collect would be the laptop. This could have all of the same type of information that the hard drive has and also may contain copies, pictures, or the source code itself from “Product X.” The laptop may show whether or not he was sharing files or trade secrets with outside sources, or even if he were attempting to crack passwords so as to get into systems that weren’t available to

Since the widespread use of computers, computer crime has caused an increase in computer investigations during the twenty first century. Some reasons for investigation include: identity theft, such as stolen social security and credit card numbers, to find evidence of a cheating spouse, to investigate hackers on a computer system, to find evidence of child pornography, and much more.

There are many tools used to try and find data that has been removed from a disk but none of these tools are able to recover data from devices that have been sanitized. The reason for this is that the data contained in the file is overwritten thus making it unrecoverable. Tools such as encase (proprietary) and diskdigger(free) are able to recover files that have been deleted using the normal delete function with encase building up a complete image of the disk and contains much more information that can be used to see how many times anti-forensic tools were run (if installed) because of prefetch files. Diskdigger on the other hand just recovers files that have been deleted and allows them to be restored. There are many tools designed to securely erase data from a hard disk or just to remove a file. These tools include ccleaner, HDD erase and many more. These tools allow for either files to be delete individually by overwriting the space they take up or overwriting all the free space on the drive to remove any traces that files existed on the device. They overwrite the data and contain many different algorithms that offer

A computer forensic technique to examine a hard drive on a computer. Generally, more than one hard drive will compared for incriminating data. For instance, if digital files stored in more than one place, all the hard drives that are connected to a user will be cross examined until some evidence is found to support the crime has been committed. Cross-drive analysis, automatically will identify drives that containing a high concentration of confidential data as well as clusters of drives that came from the same organization. Therefore, cross examine on the hard drives, which Amanda used while working as a Corporate Loan Officer at Texas National Bank will be very useful for investigation. Because, as a Corporate Loan Officer,

It is important that a financial crime investigator obtains all information generated by the computer by analyzing the caches left in the hard disks. Data recovery from the RAM and any other external drives makes data collected effective and applicable in a court