Digital Evidence - Research Paper Example

?Is Digital Evidence collected from volatile source is as valid as that collected from a static source? Is Digital Evidence collected from volatile source is as valid as that collected from a static source? Abstract The rate of information technology development has made the use of digital collection and analysis of digital evidence an uphill task. The technological development is directly proportional to the challenges associated. Evidence collected from volatile and static sources is one of the most vital facets in the dynamic field of computer technology. Innovation has always been on the rise which to a whopping existent has necessitated best practices with a view of meeting industrial needs. Evidence sources in the recent times has shifted from static source as one of the initial steps in evidence collection to adoption of digital source which is quickly driven by the ever changing dynamic computing environment. Evidence from volatile source can be referred to as data that provides a linkage that is significant between the victim and the perpetrator (Wang 2007). It can be gathered from anything that is criminally related such as such as theft of trade secrets, destruction of intellectual property and fraud to the usage of computer. Static source can be referred to as data preserved when the computer is turned off conserved on a computer hard drive or another medium as opposed to volatile source whose storage is in memory and gets lost when the computer is turned off. Introduction There are various ways of collecting digital evidence from the scene of crime. The most prevalent techniques are collecting digital evidence form volatile sources and collecting from static source. Data from volatile source might have key evidence. It is therefore vital that at the scene of crime, the computer remains on. Tools for data collection range from various software such as data recovery, file examination, internet protocol tracking, decryption, authentication and most notably backup. Other notable tools are needed when obtaining data such as hardware imaging tool where bit by bit of data is copied using a method known as a bit stream copy. Data backups are always considered first with a principal objective of retaining the original evidence. Scope Casey (2000) lays out the physical characteristics of digital source where he asserts that it cannot be kept in its original state easily since the computer system records data in binary form that is 0 and 1 where the copied data has user modifications making it difficult to recollect volatile source in its original status. Volatile source can easily be produced hence prone for it being modified or copied raising doubts on its source and integrity. The negative impact posed is the difficulty to deduce directly the relationship between evidence obtained and the suspects as posed to the highly efficient methods such as deoxyribonucleic acid (DNA) or fingerprints that is used for evidence authentication. A computer uses random access memory (RAM) to store volatile data by way of writing current processes in the form of a virtual clipboard for process usage and immediate reference. The information that may be of interest to the investigator include running processes, console executed commands, clear text passwords, unencrypted data, instant messages and the internet protocol addresses. There can be a scenario where an examination of a running system is required involving a computer during investigation. These can be enhanced using home networking technology which allows an investigator to have a small network to facilitate any investigative situation involving a computer. Volatile source data preservation and forensic examination analysis will surely be the way forward for many years to come for digital evidence collection. Investigators ability to collect crucial evidence at the crime of scene ought to be critical most importantly when they are provided crime scene collection skills so as to deal with the challenges and workload brought about by home networking technology. Scenario An investigator is called upon to respond to a homicide occurred on a street corner. There are no witnesses on the crime scene though it identified that the victim was shot once in the chest. A search is then conducted at the victim’s residence in an effort to determine the suspect or motive. It is discovered that the computer is already powered on and is running windows XP operating system. Evidence is booked for forensic examination by following the traditional method of computer evidence collection by way of shutting down the system and collecting the computer. From the above scenario, the collection of volatile source does not necessarily entail the traditional method of computer evidence collection where the system is shut down but essentially collecting the random access memory (RAM) from the running computer which is something the investigator ought to have been trained about. RAM collection ensures instant message traffic between the victim and another individual detailing the kind of activity they were engaged in. The use of instant message traffic would quickly have led the investigator to the suspect. Findings The above scenario depicts collection of volatile source through instant message leading to the arrest of the suspect otherwise the investigator would have had little evidence to tie the suspect to the crime. The different volatile evidence collection training methods would enable investigators develop the necessary skills of evidence collection that may have traditionally been overlooked? Discussion Computer forensics is vital especially from an organizational point of view. A good percentage of technology budgets is located for computer network and security by managers. A methodology for volatile data collection according to computer forensics involves response preparation of incident, documentation of incident, verification of policy, collection strategy for volatile data, setup collection for volatile data and collection process for volatile data. The methodological steps are designed to investigate intrusion cases common to larger networks by the investigator. The date, time and command history for the security incident collection is one of the initial steps volatile data collection processes where an audit trail of date and time would be established as the way of executing the forensic tool or command. Forensic collection activities is then documented to begin command history that will later on show volatile system types and network information. A general guideline is formulated by the aforementioned steps of volatile data collection regarding what an investigator should collect. Precaution has to be taken by the investigators when collecting volatile evidence since computer systems that contain crucial evidence could be destroyed in case the traditional computer evidence collection methods are destroyed. A log of all actions conducted on a running machine ought to be maintained as one of the precautionary measures of preserving digital evidence. Operating system running on the suspect machine identification is vital together with the screenshot of the running system on the suspect machine showing the date and record of the current actual time. RAM from the system should always be dumped to a removable storage device. The precautionary steps allow the on-scene investigator to be to collect data which may have been left as not useful. The dumped RAM captures a large amount of available evidence however minor changes to the system will be made Incase a device is inserted into the running system such as a removable drive into the system instead USB port with a removable drive adds an entry to the Microsoft registry. The overall state of evidence would not be affected as far as forensic examination is concerned. This is attributed to the fact that operating system files change and not the data saved on the system. Evidence gathering must be issued with a warrant from relevant authorities who give authorization for commencement of computer forensics. Monitoring tools that involve security do have legal implications together with safeguarding data requirements that have laws to be followed. These measures ensure lawsuits or regulatory audits are prevented from being dismissed and keep intruders away. Possible evidence is always ensured to be error free from being destroyed, damaged or compromised in any way by the procedures put in place to investigate the computer by ensuring an established and well maintained custody is kept in place (Robbins, 2008). Conclusion Digital evidence bag is the recommended process of ensuring evidence from any source by ensuring maintenance throughout the life of an investigation (Turner,2007).Each forensic tool already executed would be saved by this software application that entails an index, tag and bag files also known evidence units which permits advanced data such intelligent imaging technologies(Turner, 2006).Anything that an organization needs to ensure in terms of efficient handling of incident response kept inside DEB. References Casey E 2012, Digital evidence and computer crime: Forensic science, computers and the internet. San Diego, CA: Academic Press. Icove D Seger K & Vonstorch 2010, Computer crime. O'Reilly & Associates. Kruse W G & Heiser J. G. 2011, Computer forensics: Incident response essentials . Addison Wesley. Masters G & Turner P 2010, Forensic data recovery and examination of magnetic swipe cloning devices. digital investigation, 4 (1), 16-22. Robbins J 2008 , An explanation of computer forensics. Retrieved April 9, 2008, from http://computerforensics.net/forensics.htm Stallings, W. 2011, Cryptography and network security 3/e. Prentice Hall. Turner P 2012, “Applying a Forensic Approach to Incident Response, Network Investigation and System Administration using Digital Evidence Bags”. Digital Investigation , 4 (1), 30-35. Turner P 2011, “Selective and Intelligent Imaging Using Digital Evidence Bags”. Digital Investigation, 3 (1), 59-64. Wang S J 2010, “Measures of Retaining Digital Evidence to Prosecute Computer-Based Cyber-Crimes”. Computer Standards & Interfaces, 29 (2), 8. Brown, Christopher L.T 2011, Computer Evidence Collection & Preservation Hingham, MA: Charles River Media. Carrier Brian 2012, File System Forensic Analysis Boston, MA: Addison-Wesley Professional. Carvey Harlan 2012, Windows Forensics and Incident Recovery Boston, MA: Addison-Wesley Professional. Jones K J and Curtis W Rose 2010, Real Digital Forensics: Computer Security and Incident Response Boston, MA: Addison WesleyProfessional Mandia Kevin, and Chris Prosise 2012, Incident Response:Investigating Computer Crime Berkeley, CA:Osborne/McGraw Hill Colin O’Sullivan 2010, First Responders Guide to ComputerForensics, CERT Training and Education Handbook,CMU/SEI-2005-HB-001 Pittsburgh, PA: Carnegie-Mellon Software Engineering Institute. Read More