Digital Forensics in the Criminal Justice System - Case Study Example

? Introduction In present days’ progressive technological environment, ever more information is being generated, stored, processed and shared though digital ways. This necessitates several forensic agencies to enhance the application of digital forensic evidences in order to fight against crime. Digital evidence is valuable evidence and it must be treated in a comparable manner as traditional forensic evidence, i.e. with admiration and caution. However, since the use of digital evidence is different from other physical evidences, the methods of collecting, handling and transferring such information are different. The methods of treating digital information while upholding evidential steadiness and integrity can be observed as a complex procedure, but if dealt with it in appropriate manner, it can generate cost effective outcomes for forensics. Based on this understanding, the essay intends to create a case portfolio regarding the collection of digital evidence along with handling or transferring of digital evidence, methods of preservation of digital evidence, analysis of digital evidence as well as preparation of testimonial for the outcome of such analysis. Digital Evidence Digital evidence is regarded as different kinds of digital information, which can be used as proof in any legal proceeding. This type of information exists in electronic form and can be classified as text file, images, audio, video and any other documents. The collection of digital information can be undertaken by appropriation of storage drives, tapping or observing information movement or making digital duplicates of information held. Even though hard copy of digital information is not considered as digital information, it is regarded as the initial point for smearing the use of digital evidence in the future (7Safe, n.d.). Therefore, the digital evidence noticed at the scene was a hard drive, 2 CD disks, a thumb drive, a telephone, and 3 system units. There is also a card reader, monitors, and a modem; however, those objects are not that useful. Collection of Digital Evidence Any case of trail process regarding criminal activity starts with the collection of evidences. In several jurisdictions, digital information is collected throughout explorations, raids or examinations of computer system. Besides, digital information is also collected by forced discovery in any organization or house. In this case, the collection of digital evidence starts with obtaining search warrants (Cartel Working Group, 2010). CD: CDs are regarded as the copy of original information and certain data might be copied from hard drive to CD. Furthermore since, CD is regarded as an in-volatile storage medium, it is also regarded as a vital evidence for the case, and hence has been collected for digital evidence. Card Reader: The card reader is an important forensic evidence examination tool. The key twist with respect to card reader is that there are certain specific SD cards which are only supported and can be accessed with specific card reader. Due to this reason, the card reader also acted as a key digital evidence for the case. Thumb drive: Thumb drive or flash drive has gained much popularity due to its storage abilities and quick data access capability. Furthermore, because of non-volatile information medium, flash drive can possess valuable evidence for the criminal case. Telephone: The telephone was also seized as a part of digital evidence collection. Telephone can provide important evidence regarding any call made by offender. Thus, evaluation of call records might provide hidden contacts, which might be useful for the case. CPU: Finally, three CPUs were also seized for collecting digital information. CPU contains Random Access Memory (RAM) and internal hard disks which store important files and programs. Hence, digital information from these components of CPU can provide great evidence for the criminal activity. Whether forensic agencies attempt to collect available digital information or just a portion of digital evidence, the key objective of collection is to obtain digital data from computer system with least level of alterations from original data. There are several methodologies through which digital information can be preserved, but using such methodologies requires substantial knowledge and understanding regarding the type of digital information that should be collected for forensic investigation. A few of the most important digital information that has been collected for forensic investigations include instant messages, social networking, website browsers, e-mail and digital components (Gubanov, n.d.). Instant Messages: Instant messages have become a vital way of communication in present days as millions of individuals, irrespective of age, race or gender spend significant amount of time on them. Thus, a considerable amount of digital evidence can be gathered from chat history of instant messaging applications such as MSN Messengers, Yahoo Massager, Google Talk and Skype among others. These are the most popular applications used by people all over the world for communication (Gubanov, n.d.). Social Networking: Nowadays, social networking has also become popular similar to instant messaging method and thus more and more communications are drifting from public and private chat rooms to online social networking. Thus, digital evidence collected from social networking can also be a valuable material for forensic investigators (Gubanov, n.d.). Website Browsers: Internet browsing is a popular activity among present individuals for gathering information on personal subjects. Hence, evaluating browsing history, bookmarked pages, website cache, graphics and stored information can provide important digital evidence and assist in solving apparent crimes and suspicious activities (Gubanov, n.d.). E-mail: Irrespective of a massive increase in the use of instant messaging and social networking, e-mail still is regarded as vital digital information, particularly for corporate world. For business persons, several online and offline e-mail transfers occur between different clients with respect to money transaction, production information and other confidential deals. Thus, monitoring such e-mails can provide essential digital evidence for forensics investigators (Gubanov, n.d.). Digital Components: Several digital components such as texts, programs, images, audio and video files are also regarded as valuable digital evidences for forensic investigators (Gubanov, n.d.). With several types of digital information stored in computer systems, obtaining access to this information is crucial for collection of evidence. There are several data storage devices that can come across whilst collecting digital information. In this context, it can be stated that the most common type of storage device for collecting digital information is hard drive and almost every kind of information about computer activities is stored in the hard drive. Hard drive is a complex and delicate instrument thus in order to collect digital information, the following principles should be maintained (Krogh, 2012). Shock Avoidance: While collecting information from hard drive, two common types of shocks must be avoided namely electrostatic discharge and electric impact. These shocks can remove sensitive information in an instant. Thus, the most basic precaution that can be taken in handling digital information from hard drive is to trace grounded metal before moving sensitive electronic instruments. This is particularly vital in rich atmospheres such as low humidity rooms (Krogh, 2012). Labelling: The other important principle of collecting digital information from hard drive is proper labelling. It is advisable for forensic agencies while collecting digital information from hard drive to label with date, usage and other vital information. The label must indicate the type of digital information available on the hard drive along with the validity of data (Krogh, 2012). Storing: Significant consideration is also required while storing hard drive. The hard drive must be protected from electronic discharge, moisture and heat. However, methods of protecting and storing digital information are subjected to several aspects such as budget and the number of hard drives among others. Hard drives must be stored in protected environments such as in antistatic metallic bags (Krogh, 2012). Testing Integrity: It is also beneficial for forensic agencies to occasionally test the integrity of digital information in the hard drive. It would help to validate the digital data, present in hard drive (Krogh, 2012). Therefore, proper procedures must be used. An investigator should always use gloves to risk contaminating the scene area. The investigator would make sure to take a picture of the scene and also each piece of evidence he or she obtains. The investigator would put the CD disks into cases, labeled, and mark what location the disks were found at. The USB stick would also be obtained and put in a holder, labeled, and mark what location the disks were found at. With the hard drive, located on the desk, it would safely be held only by the sides and put into WiebeTech hard drive storage. The investigator would go through the other 3 system units to remove the hard drives. The investigator would ensure that there is padding down to prevent static electricity and remove each hard drive; following the same steps as the hard drive on the desk. Also, putting the computer in mount only mode and using a write blocker, to make at least two digital copies without tampering with the original evidence. Also, two copies must be made of each cd disk and the USB stick. After that, put the original evidence away. Transport or Handling Digital Evidence In order to make sure that digital evidence is transported or handled in such a manner that guarantees the accuracy and reliability of evidence, the forensic agencies need to establish and maintain active quality system. Following are the criteria that were maintained for handling or transferring digital evidence. Criteria 1: Standard Operating Procedures (SOPs) has been recognized and supported by appropriate case records and accepted process of handling digital evidence. Every forensic agency that handles digital information should maintain proper SOP document, containing organizational policies and processes (Whitcomb, 2002). Criteria 2: Quick technological development is regarded as the trademark of digital evidence with respect to information type, data formats and methods of collection. Thus, up-to-date technologies are used and latest SPOs are followed during forensic evidence collection (Whitcomb, 2002). Criteria 3: Since there are a variety of processes for handling and transferring digital information, only flexible and generally accepted procedures are followed. Criteria 4: Proper hardware and applications that are effective for appropriation and inspection of digital information has been used for digital information collection (Scientific Working Group on Digital Evidence, 2006). Criteria 5: In general, authorizations to support transfer and handling of digital information must be developed in such a way so that with the absence of inventor, other experts can evaluate and understand the digital information and reach at similar assumptions as the inventor. Thus, every activity with respect to handling and transferring digital evidence has been recorded in text and made accessible for appraisal and witness (Whitcomb, 2002). Criteria 6: Any digital evidence only becomes worthy if it can be demonstrated to be accurate and reliable. Thus, any function, which has the possibility to modify, damage and to remove any aspect of original digital evidence, has been identified and ignored by experienced individuals in forensically comprehensive manner (Whitcomb, 2002). In regards to evidence, everything has been annotated. Also, when transporting data a chain of custody form has been filled out each time a piece of evidence is being moved. There must be notes each time evidence is also transported and by who and how. Differentiation of Non-Digital Evidentiary Items Collected Separately Apart from digital evidences described above, there are several non-digital evidences, which exist, in any criminal circumstances. The non-digital evidence comprises such information, which is available in hard copy but is related with digital evidences. While collecting evidences, forensic organizations must differentiate the non-digital evidentiary items with digital evidentiary items. As stated above, digital evidence is such information, which is stored or transmitted, in binary i.e. electronic format. On the other hand, non-digital information exists in paper format, for example written username and passwords, handwritten records, writing pads, manuals for using any application or hardware, information recorded in calendars, published literatures and texts and printed graphics, images and photographs among others. This non-digital information plays a vital part in cases related with criminal offences. Besides, since the significance and characteristics of non-digital information is different than digital-information, it has been collected differently and recovered by proper way as a part of forensic investigation (Chou, 2011). The yellow sticky notes are non digital, yet the notes probably possess the password to the defendant’s voicemail or other relevant information. Methodology of Preservation There are several methods, which can be used in order to preserve digital information. However, certain risks are involved in whichever method is used for the purpose of preserving digital information. Following are the general methodologies which have been used for preservation of digital information. Technology Preservation: Technology preservation is subjected to technical atmosphere that operates the computer system, such as operating system, applications and storage devices. Technology preservation is an effective disaster recovery approach, which can be used, in digital components. This method provides the possibility of coping with digital media uselessness, in other words, this method can prolong the window of availability of digital evidence from obsolete storage media and file formats (Tristram, 2002). Technology Emulation: Technology emulation conglomerates applications and hardware components to replicate every crucial characteristic of computer system with different designs. As a result, this method allows programs and digital media such as hard drive designed for any specific environment, to operate in new environment, thereby preserving the digital evidence. Technology emulation necessitates the creation of emulators, programs that can translate code and instructions from one computing environment to other for appropriate execution (Tristram, 2002). Data Refreshing: Data refreshing is the other vital preservation method which helps to copy digital information from storage media such as hard drive to other similar storage media with no changes in the bit stream. Data refreshing is an essential element of any successful digital evidence preservation methodology. However, it is not regarded as a complete method. This method potentially addresses corrosion and desuetude issues which are associated with storage media (Tristram, 2002). Bit Stream Copying: Bit stream copying is also termed as ‘data backup’ method and it denotes the procedure of creating an exact duplicate of digital evidences. Although it is a necessary element of digital preservation method, bit stream copying itself is not regarded as long-run preservation technique, because it deals only with data loss from storage media failure, computer malfunction, malevolent destruction of information and natural disasters among others (Tristram, 2002). Summary of Analysis Results After collecting and preserving evidence, there is a need to analyze the results of evidence. Before analyzing the digital evidence, it is essential for forensics to make a copy of such evidences in case of any harmful modifications. The actual procedure of analysis begins with developing a sense regarding the places, which require utmost attention. For example, in case of evaluating the crime of piracy, there is a need to look for places where exist music files or video files. On the other hand, in case of evaluating Internet fraud crime, there is a need to look for website history or e-mails. There are several forensic tools, which can be used for analyzing the digital evidences (Solomon et al., 2011). Three of the important forensic tools that were used are described below: File Viewers: File viewers help to generate small images of different file components which exist in hard drive. This tool facilitates to scan the computer directory and analyze the files which match with the investigation criteria. After analysis, file viewers also show the inner components of those files. This tool is quite effective for finding graphics and videos, stored in hard drive (Solomon et al., 2011). Extension Checkers: The other beneficial forensic investigation tool is extension checker. This tool matches the extension of file with real data type. Usually, most of the criminals prefer to hide data by changing the extension name so that causal users cannot open it. This extension checker tool can identify any discrepancies of extensions by comparing with actual header of the file and helping to identify the real extension (Solomon et al., 2011). Unerase Tool: This is an important forensic tool for recovering files which have been deleted by the users. Unerase tool can be used in both DOS and Windows operating system. This tool is used by most forensic agencies to identify and restructure the deleted files (Solomon et al., 2011). The above tools are useful for analyzing the digital evidences and after analysis there is a need to summarize the key points, which would be made in court trial. A random list of the key outcomes of analysis of digital evidences can make the judges confused, thus, there is a further need to organize the evidences in a suitable way for proper investigation. Final Testimonial Preparation Material After summarizing the result of analysis of digital evidences, there is a need to testify the digital evidence in court. When a legal case moves to court, the forensic investigators are required to involve in two key phases namely direct inspection and cross inspection. In direct inspection, lawyers ask questions which permit witnesses to provide testimony. In this case, the defense lawyer might ask to tell precisely what has happened in the case. Furthermore, the defense lawyer might also question whether law has been maintained while collecting information. Apart from these, the defense lawyer might desire to clarify the reason behind taking certain activities while collecting and transferring evidence. Thus, the legal experts should deliver a list of direct inspection questions, which can be used in courts. Besides, proper records of digital information collection process must be maintained. The line of questions provided by opposing committee is regarded as cross inspection. The objective of cross inspection is to weaken the testimony provided by forensic investigators or agencies on digital evidences. Hence, as a part of final testimonial preparation, there is a need to understand the criminal case. After understanding the general evidences about the case, there is a requirement to comprehend the approach for arguing over the criminal case, on the basis of collected digital evidences and outcome of analysis. Since the key objective of court trial is to deliver a medium for unbiased individuals to decide the party triumphs in conflict, it is vital for final testimonial preparation to understand their job during court trial (Solomon et al., 2011). Conclusion From the collection of digital information to testimony in the court, it is a long-term process and there is requirement of utmost care and attention. Standard procedures and principles must be maintained in every phase of investigation as digital information has several aspects, which provide both advantages and disadvantages for forensic agencies. With the rapid advancement of technologies, the digital forensic agencies must keep up with the new procedures of evidence collection along with analysis. At present, several forensic agencies have a lack of resources, which can help the criminals to escape and conceal secretive information. Thus, in order to make the digital forensic investigation more effective, up-to-date knowledge about the functioning of different hardware and software along with training is required so that the challenges of forensic investigation can be overcome. References 7Safe. (n.d.). Good practice guide for computer-based electronic evidence. Retrieved from http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf Cartel Working Group. (2010). Digital evidence gathering. Retrieved from http://www.internationalcompetitionnetwork.org/uploads/library/doc627.pdf Chou, T. (2011). Information assurance and security technologies for risk assessment and threat management: advances. United States: Idea Group Inc (IGI). Gubanov, Y. (n.d.). Retrieving digital evidence: methods, techniques and issues. Retrieved from http://forensic.belkasoft.com/download/info/Retrieving%20Digital%20Evidence%20-%20Methods,%20Techniques%20and%20Issues.pdf Krogh, P. (2012). Hard drive handling. Retrieved from http://dpbestflow.org/data-storage-hardware/hard-drive-handling Scientific Working Group on Digital Evidence. (2006). Best practices for computer forensics. Retrieved from http://www.oas.org/juridico/spanish/cyb_best_pract.pdf Solomon, M. G. (2011). Computer forensics jumpstart. Canada: John Wiley & Sons. Tristram, C. (2002). Data extinction. MIT Technology Review, p. 42. Whitcomb, C. M. (2002). An historical perspective of digital evidence: a forensic scientist’s view. International Journal of Digital Evidence, 1(1), pp. 1-9. Read More