Digital Evidence and Digital Crime - Case Study Example

? Digital Evidence Field Report James Moravec Digital Evidence Field Report Introduction Digital evidence report plays a significant roleof providing accurate information on how digital forensic analysts conduct their fieldwork. The value of digital evidence report underpins the role of digital forensic expert in solving crime using digital evidence. While computer are useful in the digital economy, some users utilize information systems to conduct crime or engage in illegal activities. However, digital analyst with appropriate training can identify, secure, and preserve evidence that could help incriminate suspects. During the process of gathering digital evidence, elaborate documentation is necessary to help identity evidence, and demonstrate policies used in the exercise. In addition, appropriate documentation is essential in the location of evidence found in a crime scene. In relation to documentation, a clear chain of custody helps determine analysts involved in handling of evidence. It also identifies the owners of evidence and persons who receive it, as well as store them (Turkey, 2008). This concept is vital in tracing the movement of evidence from one analyst to another. During a digital evidence fieldwork, an evidence custodian will keep accurate documentation of the evidence and ensure that evidence has tags and stored in secure bags ready for transport. The most vital reason for maintaining chain of custody is ensuring that digital evidence is admissible as evidence (Soloman, 2011, p.55). Concisely, the above tasks transpired during a recent digital evidence fieldwork where I was called to identify, secure, and preserve digital evidence from a suspected corporate user. Observation Last week on 25 November 2012, our department received a request to from a local media firm for a digital evidence analysis. The firms had laid off some of its employees, but it wanted to carry out some forensic analysis of one of the computers, which the firm believed one of the employees used to access child pornography (CP). Being that the firm had filled the request service form, I was assigned the case along with Dorothy, a colleague who had studied Computer Forensic. When we arrived at the media firm, we were directed to the IT room, where the computers, the users returned, were kept. The room had several other pieces of computer hardware such as servers, switches, and network cables. There were some shelves on the right with some five computers. The administrator, who was showing us the computers, pointed at the computers and told us that the suspect used one of the computers. Seeing that we had room to use for the investigation, I agreed with Dorothy what we could carry identify the evidence on it. First, we asked the network administrator to help us identify the suspect computer. To do this, we asked network administrator to produce a list of IP address and associated MAC addresses during the period when the crime is believed to have occurred. Being that the he had prior records, we had the Mac address of the suspect computer, 00:80:R2:45:F7:67. We booted all the computers and indented the computer with the above MAC address. Dorothy documented the model of the computer and the serial number she found underneath the computer. Evidence collection Being that the owner of the computers—the media firm—we were ready to begin collecting evidence of the alleged CP, which was a crime and against the policies of the firm. First, we ensured that no one was around the computer alone except for Dorothy and I as we did not want any disturbance. We opened the computer and using our tools, we run some applications to check if there was any evidence of CP in the suspect computer. The first tool that we used was Retriever, which searched the entire hard drive and located child pornography material in the disk drive. The computer had several files and links of child pornography in the internet history and browser cookies. We did document what the retriever software displayed as the search result. Moreover, we also run, IRC2 a live response tool, that produced several search results. It was evident that the tool had located significant amount of child pornography in the computer. At this point, we documented what he had identified as evidence that the user (employee) was busy watching child pornography in the computer from the internet. The use of tools such as IRC2 and Retriever stemmed from the policies, which stipulated that all digital analyst use correct and appropriate tools. Being that the computer had evidence of child pornography, we proceeded to acquire a digital image of the computer hard drive for further process. As a result, we shut down the computer, unsecured the hard drive from the computer, and connected it to an external disk bay. It was at this point that we used Acronis Disk Director to make an exact copy of the hard drive. This process of making an exact copy of the hard drive was necessary because we did not want to alter the data in the suspect computer. In addition, the copy of the disk could allow use to perform further analysis of the drive. First, we did search for all deleted files using Forensic ToolKit. The toolkit, allowed us to recover files, which the user had deleted from the computer. Surprisingly, the suspect had downloaded child pornography images and videos, using LimeWire, software that had been installed in the computer. Being that the hard disk image contained evidence of child pornography, we did an analysis of the data the hard drive had using timeframe analysis. We inquired from the administrator the time he believes that the user accessed the data. The administrator produced a list indicating the times the user had used the computer. We checked the metadata in the files and verified that the timestamps matched the period when the user used the computer. Another important piece of information was the log files. The log files such as the security log helped identify the time the user accessed the computer. Evidently, the suspect had used his computer to access the child pornography and he had deleted some of the files to conceal the evidence from his computer. Transfer/ Handling of Evidence We had concluded that the user was using his compute to watch, download, and share child pornography, which is a crime. Satisfied that we had the evidence, we tagged the hard drive and stored it the evidence bag. The tag had the serial number of the computer, along with its source. Together with the information of the computer, we placed the tag on the computer hard drive because this was critical in ensuring that all information had correct chain of custody. With the lack of appropriate chain of custody, it would be difficult to prove that the evidence was intact and that no one had tampered it. We documented the information on the tags in our records. Most important, we kept the information in the evidence bags Dorothy had and this allowed use to secure the evidence from damage. Being that we had a hard drive, we did place some padding on the bag to avoid any impact that could damage the hard drive. This was important in ensuring that the hard drive remains readable. Before transferring the evidence to the case manager, we documented several details of the evidence. We ensured that the evidence had correct submission number and we did append our names as the identity of the submitters. We also recorded the data of transfer as 25th November 2012. The case manager who received signed that he had received the evidence and we presented him with a brief description of the evidence. Conclusion Digital evidence is necessary in a digital crime scene for a suspected to be charged with crime. Collecting evidence of pornography in a media firm required the identification of the computer. The computer details were recorded and the hard drive scanned for child pornography. The evidence found were recorded and the computer disk replicated to develop an image for further analysis without altering the disk. The details of the suspect hard drive were recorded and every action documented and the disk stored in a sealed bag. The procedures were necessary to preserve the disk and ensure that evidence was secure. References Soloman, M., Rudolph, K., Tittle, E., Broom, N., & Barnett, D. (2011). Computer Forensics Jumpstart. (2 ed.). Indianapolis, Indiana: Wiley Publishing Inc Turvey, B. E. (2008). Criminal profiling: An introduction to behavioral evidence analysis. Amsterdam: Academic Press/Elsevier. Read More