Digital investigation in the organization - Essay Example

Summary
In the paper “Digital investigation in the organization” the author focuses on digital investigations as a continuous basis that ensures data and information to be always safe and secure and the processes that are employed to present this information…

Forensic digital investigation is often implemented only after a serious computer crime or fraud has been perpetrated. Digital investigation is, however, important on a continuous basis and not on a need basis: this ensures that data and information are always safe and secure and that the processes employed to manipulate and present this information are monitored. Digital investigation in essence may act as a form of system security and evaluation. On the other hand, digital investigation for law enforcement is basically done to gather evidence and information to be used for legal purposes. Many organizations are in a position to benefit more if they have the ability to gather and preserve digital evidence before an incident occurs and not after the incident has occurred (Robert, 2004).

Digital investigation for law enforcement yields digital evidence. Producing that evidence, however, may involve enhanced system and staff monitoring, and physical and procedural ways of securing data to a standard at which it is accepted as evidence and considered admissible. It also involves technical and appropriate legal advice to staff and employees (Peter, 2003).

The law enforcement perspective of digital forensic investigation tends to disregard what happens to the object or device before the decision is made whether to accept it as evidence or not. In this context the required evidence is either presented by the digital forensic investigation or it is not, and in the latter case the suspect can neither be charged nor prosecuted. This investigation begins when a crime is committed and the investigator arrives at the crime scene (Robert, 2004). However, in the business context the investigation is done on a continuous basis, covering emails, portable computers, log files, and telephone and network traffic, among others.
Since it is a continuous process, the evidence may be collected before a crime and used to the benefit of the organization (Robert, 2004).

In today's technological environment, digital investigations are mainly done by the computer forensic analyst (CFA). A computer forensic analyst has extensive knowledge of encryption, programming, data recovery, operating system management and computer security. Additionally, CFAs in the law enforcement field are conversant with evidence processing techniques and basic law enforcement. Those with a bias towards the organization and business field will have knowledge of management, finance, economics and marketing (forensicanalyst.org, 2012).

The role of the CFA

The role of a CFA will vary depending on the area of interest; however, it will always include recovery of deleted emails, uncovering passwords and recovery of deleted or encrypted data. The data recovered is used as evidence by law enforcers in investigations and may also be used in court as evidence (forensicanalyst.org, 2012).

The role of CFAs in the law enforcement field is to investigate and find evidence of any illegal act. This is achieved by examining personal computers and networks where crimes have been perpetrated. Their roles include recovering emails, photographs and other data and information that have been deleted from hard drives, presenting them in court, and acting as expert witnesses (forensicanalyst.org, 2012).

In an organizational or business setting, the computer forensic analyst is tasked with protecting systems and providing computer security in areas where attacks have previously been experienced. They also recover lost files and data from storage media, and provide advice and training to employees and system users on how to handle data and information in a bid to strengthen data security and safety in the organization (Wolfe-Wilson & Wolfe, June 2003).
The digital investigation process

In order to progress effectively in the field of computer forensics and digital forensic investigation, the process must be presented in a manner that facilitates its implementation in different organizations and, in this case, at the institution (Yasinsac & Manzano, 2001). The process is aimed at achieving the following goals and objectives (Wolfe-Wilson & Wolfe, June 2003):

i) To gather and collect admissible evidence in a legal manner without interfering with business processes.
ii) To allow investigations to carry on at costs proportionate to the incident or crime perpetrated.
iii) To gather evidence on potential crimes and disputes that may adversely impact the institution.
iv) To minimize the interruption to the institution's activities and processes.
v) To gather admissible evidence legally and without interfering with business.

The digital forensic investigation process can be achieved by following a series of steps aimed at ensuring that the evidence collected during the investigation is authentic and admissible in court (Robert, 2004). The process is guided by the following key activities:

i) Define the scenarios that may need digital evidence. In this step the potential impact of a crime or activity on the institution is assessed, along with the vulnerabilities involved. The assessment helps in determining the requirement for digital forensic investigation (Wolfe-Wilson & Wolfe, June 2003).

ii) Identify available sources and different types of potential evidence. At this step the institution looks at the risks and the potential impacts from its systems and determines what might happen to the potential evidence data. This step scopes what evidence may be available from all the systems and applications in the institution (Yasinsac & Manzano, 2001).
Potentially rich sources of threat and crime evidence include emails; this source of evidence requires adequate and meticulous consideration with regard to storage, auditing, archiving and retrieval. Other potential sources of evidence, especially from the internet, include instant messaging, chat rooms and newsrooms, social networks and media, and web-based email that bypasses the corporate email. However, an impediment to these potential sources of evidence is the encryption of the traffic (Yasinsac & Manzano, 2001).

iii) Determine the evidence collection requirement. At this point the institution is able to identify whether the sources of evidence identified in step two can provide evidence against the crimes identified in step one of the process. The institution can then decide whether evidence needs to be collected from additional sources to solve particular crimes (Wolfe-Wilson & Wolfe, June 2003).

iv) Establish a capability for securely gathering legally admissible evidence to meet the requirement. At this step of the process the institution decides, within the budget, which evidence is relevant to solving potential risks and crimes in the institution. The evidence so determined is then collected from reliable sources, documented, and preserved as an authentic record (Peter, 2003).

v) Establish a policy for secure storage and handling of potential evidence. The aim is to securely store the collected information for a long-term period so that it can be used at a later date as evidence. A policy for secure storage and handling of potential evidence ensures that the evidence is easily retrieved when and where needed (Robert, 2004).

vi) Ensure monitoring and auditing is targeted to detect and deter major incidents. This step is important since its aim is to ensure that the evidence collected is used not only as evidence for prosecution but also as an intrusion detection and monitoring technique (Wolfe-Wilson & Wolfe, June 2003).
vii) Train staff in incident awareness, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence (Robert, 2004).

viii) Ensure legal review to facilitate action in response to the incident.

In conclusion, digital forensic investigation is the institution's capability to use digital evidence when and where required. Its main aim is to increase the institution's capability to gather and use digital evidence while minimizing the costs of particular investigations. In essence, DFI complements existing mechanisms of computer and information security (Robert, 2004).

References

forensicanalyst.org. (2012). Computer Forensic Analyst. Retrieved November 26, 2012, from forensicanalyst.org: http://www.forensicanalyst.org/Computer-Forensic-Analyst.html
Peter, S. (2003). A Comprehensive Approach to Digital Incident Investigation. Elsevier.
Robert, R. (2004). Process for Forensic Readiness. International Journal of Digital Evidence, 3(4), 5-25.
Wolfe-Wilson, J., & Wolfe, H. (June 2003). Management strategies for implementing forensic security measures.
Yasinsac, A., & Manzano, Y. (2001). Policies to Enhance Computer and Network Forensics. 2001 IEEE Workshop on Information Assurance and Security. New York: West Point.