
Challenges Faced by Cyber Forensic Experts in Search of Digital Evidence - Research Paper Example

Summary
This paper "Challenges Faced by Cyber Forensic Experts in Search of Digital Evidence" examines cyber forensics, by looking at the process and its applicability in contemporary society. Computer forensics has turned out to be a progressively significant tool in the steady fight against cybercrime…

Extract of sample "Challenges Faced by Cyber Forensic Experts in Search of Digital Evidence"

Cyber Forensics

Introduction

In the management systems sphere, where the overarching security principles of confidentiality, integrity, and availability often give way to availability and integrity (usually in that order of significance), expertise related to system resiliency often displaces security-specific activities (Boddington et al, 2008). At present, cyber security principles habitually require far-reaching aftermarket standardisation to be successful within management systems fields (Saks & Koehler, 2005). In addition, the cost linked with developing these complex devices (in the presence of exclusive and proprietary solutions) repeatedly contributes to their absence. Like security technologies, cyber security activities and competences also need to be refined to accommodate the uniqueness and nuances of management systems (Rowlingson, 2004). Casey (2004) argues that cyber forensics, as a basic constituent of incident response capability, allows for the collection, assessment, scrutiny, and reporting of incident information. Cyber forensics is the use of scientifically verified techniques to collect, develop, interpret, and apply digital evidence to give a convincing description of cyber crime activities (Saks & Koehler, 2005). Cyber forensics also comprises the act of making digital information suitable for inclusion in a criminal investigation (Rowlingson, 2004). Nowadays, cyber forensics is a term used in conjunction with law enforcement, and is taught as a course in numerous colleges and universities around the world (Saks & Koehler, 2005). Computer forensics has been well known for some time, and has grown into an information technology capability that is quite common among present-day information security plans (Boddington et al, 2008).
The aim of cyber forensics is to support the fundamentals of troubleshooting, scrutinising, recovering, and safeguarding sensitive information. Furthermore, when a crime has been committed, computer forensics is also a way of collecting, scrutinising, and storing data as evidence in a lawsuit (Casey, 2004). While scalable to several information technology fields, particularly contemporary commercial architectures, cyber forensics is challenging when applied to contemporary environments that do not comprise modern information technologies, or are designed with technologies that do not provide ample data archives or audit capacities (Rowlingson, 2004). Moreover, Cohen (2006) asserts that extra complexity arises if the environment is designed using proprietary solutions and procedures, consequently limiting the ease with which today's forensic techniques can be employed.

Purpose

Computer forensics has turned out to be a progressively significant tool in the steady fight against cyber crime. Numerous national and worldwide law enforcement organisations maintain specialist cybercrime departments to track cyber fraudsters, stalkers, terrorists, hackers and pornographers. These organisations deploy cyber forensic professionals to gather evidence over the internet and by examining computer hard drives seized in police raids. This paper aims at examining cyber forensics, by looking at the process and its applicability in contemporary society. The paper also highlights the main challenges faced by cyber forensic experts in search of digital evidence.

Audience and Scope

This paper is suitable for security experts and managers in charge of the development, deployment, and improvement of cyber security posture, especially for organisational control systems domains.
While intended to be flexible enough for reading and use by engineers and system operators, this essay's anticipated use is by those setting up cyber security incident response and/or forensics plans within control systems environments. The essay's intention is not to substitute a sector-specific approach to creating a cyber forensics plan, but rather to offer guidance on the specific issues of control systems. This essay could be more appealing to professionals with experience in deploying cyber forensics programs within contemporary IT domains who are starting to address issues linked to deploying cyber forensic strategies for management systems architectures. It could also be meaningful to CSN (control systems networks) experts in need of guidance in creating a cyber forensic capacity for their systems. Finally, this paper's scope is not theoretically demanding and can help provide a foundation for creating or improving existing data resource protection and recovery programs.

Literature Review

Even though the field of cyber forensics has been increasingly popular within conventional security for some time, its application to diverse control systems is still demanding (Sommer, 1998). With rising interoperability and computational capacity coming to formerly isolated networks, the need for cyber forensics in control systems has become increasingly evident (Silverstone & Sheetz, 2007). Besides, the qualitative differences between control systems networks and corporate networks habitually underscore why diverse security countermeasures are not so easily deployable into control systems (Schneier, 2000). Control systems have significant requirements linked to (in priority order) integrity of data, accessibility, and confidentiality (Boddington et al, 2008).
In contrast to corporate domains, in which the priorities are reversed, the diverse activities of cyber security in the CSN call for accommodation of systems that cannot be taken offline at will, may not be modernised swiftly, and may lack the capacity to support sufficient audit and logging functions (Losavio et al, 2006). Undeniably, these elements are exceedingly important to the success of a forensic program (Akester, 2004). While all the inadequacies that may be encountered within control systems, especially from a cyber security perspective, may be surmounted by allocations of budgets and expenditures, numerous firms find the price of integrating cyber security functionality into their control systems technology extremely high (Saks & Koehler, 2005). Therefore, being able to create effective security programs such as forensics for control systems (CS) entails reusing the available practices and methodologies, including those designed for corporate domains (Etter, 2001). Consequently, the requirement then becomes developing an understanding of the augmentations or variations to such proven capabilities that are needed to make them applicable to the CSN (Edwards, 2005). According to Saks and Koehler (2005), “forensics” habitually refers to post-incident data gathering or collection and analysis as taken from devices. With the distinct and exceptional nature of CSTs (control systems technologies), insufficient information is frequently gathered from such countermeasures after a cyber incident or attack (Akester, 2004). In some situations, in which operators/owners are mindful of such pitfalls in commercial security products, detection capabilities and customised signatures specific to CSO (control system operations) are generated and added to the security devices (Rowlingson, 2004).
Conversely, since the nature of CSO can require real-time and deterministic data interactions, it is habitually the case that these developments either prove worthless or hamper the actual systems' productivity. In addition, such improvements are repeatedly deployed as exclusively protective activities and are not extended to support any organisational forensic function (Casey, 2004). There are more challenges associated with forensic examination for control systems. The diverse field devices employed within control systems architectures, perhaps the boundary at which a cyber episode leads to physical consequences, habitually lack any intrinsic capacity for in-depth logging (Janes, 2000). In addition, it has been established that devices that support far-reaching logging have those features disabled in most cases (Akester, 2004). Furthermore, most lack the capacity to store sufficient data to let analysts meet their forensic obligations. Finally, the multiplicity of the CSTs used in contemporary society also poses considerable challenges (Edwards, 2005). Operator/owner staff repeatedly lack the essential skill set for collecting, examining, or analysing control traffic and commands (Akester, 2004). Instead, owners of control devices and systems depend on integrator/vendor personnel for support. Such arrangements can cause delays in the analysis and resolution of episodes (Casey, 2004), as understanding of the detailed operations and logging capacities of devices is regularly left until later or concluded “after-the-fact.” While systems are configured to alert operators in good time, data interpretation and connection to an episode remain reliant on the technical skill level of the end users (Akester, 2004).
Certainly, countermeasures can be launched for any or all of these challenges, though the expenditure tied to realising these alterations to the CSO is habitually too high in terms of testing and time. Moreover, it calls for considerable time and effort from the operator/owner (Boddington et al, 2008).

Digital Evidence

Digital or electronic evidence refers to any probative data transmitted or stored in digital form, which an aggrieved party can use during trial (Casey, 2004). Casey (2004) further argues that, before such digital evidence is accepted in court, a court must resolve whether it is pertinent, whether it is authentic, whether it is founded on hearsay, and whether a copy is acceptable or the original is required. Therefore, a law court must rule on the admissibility or inadmissibility of such digital evidence (Kurose, 2002). According to Saks and Koehler (2005), digital evidence covers any digital information that can confirm the commission of an offence or crime. In addition, it should provide a reliable connection between an offence and its victim(s), or an offence and its perpetrator (Silverstone & Sheetz, 2007). Edwards (2005) postulates that intrusion detection systems (IDS) rank among the greatest sources of digital evidence. IDSs collect data from a collection of system and network sources, and evaluate it for any signs of abuse or intrusion. IDSs exist in two forms: network-based and host-based IDS (Akester, 2004). In the host-based IDS, the architecture is used to analyse information originating from computers (hosts). Therefore, host-based IDS are fundamental in detecting insider misuse and attacks. For instance, an IDS can detect workers who abuse their organisational privileges or students who alter their results (Kurose, 2002). According to Akester (2004), host-based architecture scrutinises such events as the files or folders accessed and the applications executed.
Forensic experts use logs to collect this incident information. Boddington et al (2008) assert that the audit policy is exceedingly important because it defines which end-user actions will result in incident records being written to event logs, e.g., logging all accesses to mission-critical files. A host-based IDS resides on each system and regularly reports to a centralised control console (Silverstone & Sheetz, 2007). Detecting abuse calls for comparing signatures, or predefined misuse patterns, with the data in log files. A match means that security administrators are notified about the possible misuse, or that the organisation's predefined responses to misuse are enacted (Boddington et al, 2008). In network-based IDS, the design is employed in analysing network packets. Network-based IDSs are used to detect access attempts, as well as denial of service attempts, originating from outside such networks (Boddington et al, 2008). This system consists of sensors installed across a network. Such sensors report to a centralised control console. As with the host-based IDS, packet content signatures help in identifying misuse. Such signatures are based on packets' contents, headers, and traffic flow. Nevertheless, it is noteworthy that encryption prevents exposure of any patterns within the packets' contents (Akester, 2004).

Key Cyber Forensics Principles

The elementary principles of computer forensics can be regarded as rules governing how digital evidence should be handled in order to facilitate the admissibility of such evidence in courts of law (Vacca, 2002). At the same time, Janes (2000) sees that any endeavour to define such principles is made hard by the reality that legislation about digital evidence varies from one state to the other.
In addition, law enforcement organisations join hands with national governments throughout the globe in standardising the practices and principles governing computer forensics (Kurose, 2002). Therefore, the main headache faced by law enforcement organisations is standardising the principles and standards for carrying out their operations. According to Vacca (2002), computer forensics teams habitually work across national boundaries in order to track down and arraign cyber criminals in courts of law. Akester (2004) asserts that this poses hardships since legislation covering digital evidence varies between jurisdictions. Below are some of the key principles that such bodies and national governments have settled upon.

The first principle is on evidence gathering. The protection of digital evidence from any form of interference or unlawful access remains fundamental to the successful prosecution of cyber criminals (Kurose, 2002). Following processing and scrutiny, law enforcement agencies will be assured that digital evidence will be stored carefully in safe environments. A fundamental principle of computer forensics is that only persons deemed forensically proficient should access any original digital evidence in an investigation (Vacca, 2002). Therefore, the activity of gathering digital evidence must result in no alteration of the evidence in question, wherever feasible (Saks & Koehler, 2005).

The second principle is concerned with evidence handling. According to Kurose (2002), digital evidence passes through the hands of many investigating agencies during the data analysis process. Therefore, Akester (2004) advocates careful documentation of all handling, analysis, and testing of such digital evidence.
Akester (2004) agrees with this view and asserts that all digital evidence handling, from collection through preservation to analysis, requires comprehensive documentation to avoid interference with the original evidence.

The third and last principle is evidence access. The protection of digital evidence from interference and illicit access remains vital in guaranteeing the successful prosecution of cyber criminals. After processing and scrutiny, digital evidence must be carefully kept in a safe environment (Saks & Koehler, 2005). According to Kurose (2002), forensically proficient personnel should be the only people allowed access to the original digital evidence during and after examination. Therefore, access to the original digital evidence must be limited to forensically proficient personnel only (Casey, 2004). Akester (2004) adds that such forensically proficient individuals should also have legal authority to access such information, to avoid interference with such data.

Vacca (2002) asserts that each of these principles needs comprehensive elucidation to be appreciated and understood. Moreover, deliberations persist concerning how they are to be discharged. For instance, questions remain on how data alteration should be handled or avoided during such evidence collection sessions as live analysis, in which prevention of alteration could be impossible (Akester, 2004). Moreover, Kurose (2002) poses a challenge requiring clarification of the meaning of “fully documented” and of how investigation details should be recorded. There is also a need to set out the procedures for determining whether an individual is forensically proficient (Janes, 2000).

Examination Processes Used in Preserving, Locating, Selecting, Analysing, Validating, and Presenting Evidence

Cyber forensics refers to the procedure of extracting facts and information from computer storage media, and assuring its consistency and correctness (Boddington et al, 2008).
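The three handling principles above (gathering that does not alter the evidence, documented handling, and restricted access) can be made checkable in software. The following is an added example and not part of the original paper: a hash-chained custody log in Python, a technique chosen here for illustration, in which the examiner names, evidence identifier, timestamps and image bytes are all constructed.

```python
import hashlib
import json

# Constructed examiner names; a real lab would use its own access-control list.
AUTHORISED = {"examiner_a", "examiner_b"}
GENESIS = "0" * 64  # "previous hash" used by the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class CustodyLog:
    """Append-only handling record for one evidence item."""

    def __init__(self, evidence_id: str, image: bytes, collector: str, when: str):
        self.evidence_id = evidence_id
        self.entries = []
        # Principle 1: fix the state of the evidence at collection time.
        self.acquisition_hash = sha256_hex(image)
        self.record(collector, "acquired", when, image)

    def _append(self, person, action, when, evidence_sha256):
        # Each entry commits to the one before it through the "prev" field.
        body = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "person": person,
            "action": action,
            "when": when,
            "evidence_sha256": evidence_sha256,
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        self.entries.append(dict(body, entry_hash=entry_hash(body)))

    def record(self, person: str, action: str, when: str, image: bytes):
        """Principle 2: document every handling step, with the hash seen."""
        if person not in AUTHORISED:
            # Principle 3: refuse access, but still document the attempt.
            self._append(person, "DENIED: " + action, when, None)
            raise PermissionError(f"{person} is not an authorised examiner")
        self._append(person, action, when, sha256_hex(image))

    def verify(self, image: bytes) -> list:
        """Return a list of problems; an empty list means nothing was altered."""
        problems = []
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or entry_hash(body) != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: log record altered")
            seen = e["evidence_sha256"]
            if seen is not None and seen != self.acquisition_hash:
                problems.append(f"entry {e['seq']}: evidence hash changed")
            prev = e["entry_hash"]
        if sha256_hex(image) != self.acquisition_hash:
            problems.append("current image does not match acquisition hash")
        return problems


# Constructed sample data standing in for a disk image.
IMAGE = b"constructed disk image bytes for item 1"


def demo() -> dict:
    # Timestamps below are constructed values.
    log = CustodyLog("item-1", IMAGE, "examiner_a", "2024-01-01T10:00:00Z")
    log.record("examiner_b", "analysed working copy", "2024-01-02T09:00:00Z", IMAGE)
    try:
        log.record("visitor", "opened original", "2024-01-02T12:00:00Z", IMAGE)
        denied = False
    except PermissionError:
        denied = True
    clean = log.verify(IMAGE)
    altered_image = log.verify(IMAGE + b"\x00")  # one byte appended to the image
    log.entries[1]["person"] = "examiner_a"      # someone edits the handling record
    altered_log = log.verify(IMAGE)
    return {"denied": denied, "entries": len(log.entries), "clean": clean,
            "altered_image": altered_image, "altered_log": altered_log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The chain only shows tampering if the most recent entry hash is also kept somewhere the log's editor cannot reach, for example on write-once media or in a signed report.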
Obviously, the challenge of this process is the actual identification, collection, preservation, and presentation of data in a way that is acceptable in courts of law (Akester, 2004). Janes (2000) asserts that electronic or forensic evidence remains fragile, with a high chance of modification, particularly due to the ease of doing so. In addition, cyber criminals, thieves, and honest and dishonest personnel conceal, clean, cover up, shroud, encrypt, and obliterate such evidence from storage media using a range of freeware, shareware, and commercially available utility programs (Kurose, 2002). A universal reliance on technology, combined with the growing presence of the internet as a means and tactical resource, necessitates that contemporary commercial assets be well protected and fortified (Vacca, 2002). Whenever such assets come under attack or are misused, infosecurity experts must have the ability to collect electronic evidence of such abuse and use that evidence to bring those who abuse the tools to justice (Casey, 2004). While cyber forensics is firmly recognised as an art and science, Kurose (2002) claims that it is still in its infancy. With technology evolving, mutating, and changing at today's swift rate, the diverse regulations governing the applicability of cyber forensics to the auditing, law enforcement, and security fields are changing drastically (Janes, 2000). Almost daily, novel procedures and methods are being formulated to offer infosecurity experts a more reliable method of finding, collecting, preserving, and presenting electronic evidence to client management for prospective use in the prosecution of cyber criminals.
Ashcroft (2001) asserts that the internet provides anonymity, while the criminal element in society is able to use information technology as an effective tool for financial and social communication, thereby requiring the experts responsible for protecting critical infrastructure resources to develop and have the tools for doing so (Akester, 2004).

Evidence preservation is the opening stage of a forensic investigation. This stage recognises the fragility of digital evidence. Ashcroft (2001) adds that digital evidence can be changed, spoiled, or destroyed very easily by inappropriate examination and handling. Therefore, the preservation stage endeavours to stabilise and isolate the evidence scene in order to prevent any corruption that damages its weight and admissibility (Carrier & Spafford, 2003).

The location phase comes second in this process. According to Carrier and Spafford (2003), the location phase entails locating and identifying digital evidence for the specified crime or infringement, evidence that supports or rebuts hypotheses about the criminal event, using diverse technical tools and investigative procedures to accomplish this (Akester, 2004).

Selection of evidence comes third. At the selection phase, Carrier and Spafford (2003) claim that investigators dissect the available evidence in order to establish what incidents took place in the system, as well as their importance and probative worth to their case.

The analysis of evidence follows. At this phase, the investigators scrutinise all available evidence to determine its applicability in offering facts towards their investigation (Janes, 2000). They must examine both the strengths and weaknesses of the available facts, to ensure that those under investigation cannot easily discredit their evidence in a court of law (Carrier & Spafford, 2003).
Validation of evidence follows, in which the investigators test the available evidence in order to verify its weight and/or validity (Janes, 2000). This establishes whether the assertions drawn from such digital evidence can be confirmed. For instance, the claim that deletion of an email message took place would necessitate verification of the deleted file's existence to show that deletion occurred at a given time, and that system processes, among other things, did not modify this data. Carrier (2005) asserts that not all security measures existing on host computers are always useful to investigators, since they are more often intended for monitoring and auditing the general integrity of records, as opposed to validating specific digital evidence. Carrier and Spafford (2003) add that investigators may need to revisit the crime scene, as well as the selection phase, in order to resolve validity issues. This could also help in developing novel lines of investigation as dictated by circumstances.

All collated and processed evidence must then be presented to legal practitioners, who test every section of the evidence in order to ascertain its applicability and weight in legal argument (Janes, 2000). The legal practitioner may find it necessary to undertake another, more explicitly defined and repeatable procedure in order to develop more confidence in the facts derived by the investigation process (Ashley & Rissland, 1985).

Significance of Crime Reconstruction Hypothesis and Alternative Hypothesis

Crime reconstruction refers to the procedure of working out the progression of events before, during, and after a felony (Ashley & Rissland, 1985). Crime reconstruction is perhaps one of the features of forensic science that fascinates the public most, since it features in the majority of police dramas. It calls for a scientific approach, logic, open-mindedness, and experience on the investigating team's part (Akester, 2004).
Moreover, such an investigating team must be ready to put aside any premise that does not match the actual evidence presented to them (Janes, 2000). Reconstruction commences when investigating teams take their first walk across the scene of crime. It may be feasible to put up a rough hypothesis of the crime at this initial stage (Saks & Koehler, 2005). Importantly, a hypothesis refers to a general picture or a set of ideas about what may have taken place. Therefore, it cannot be deemed a theory unless it matches all the accessible evidence, as well as the supporting information (Carrier & Spafford, 2003). While investigators form their initial impressions, others record the scene and gather evidence (Diaconis & Mosteller, 1989). According to Carrier and Spafford (2003), scenes of crime differ enormously, from a break-in or petty theft case to a violent crime, which may involve explosions and exchange of fire. Investigation principles remain similar, though the time and energy invested in each case will differ depending on the crime's seriousness (Akester, 2004). Casey (2004) asserts that investigators aim at establishing who the involved parties were, that is, the identities of victims, witnesses, and perpetrators, to strengthen their investigation and evidence. Moreover, they need to understand the place, the time, the manner in which, and the reason why such crime occurred (Boddington et al, 2008).

Analysis and Discussion

In the contemporary technologically advanced society, cyber crime has become exceedingly sophisticated and global in nature. Indeed, a domestic cyber offence can rapidly turn into a tortuous online identity theft or international money laundering issue (Cohen, 2006). Therefore, effective handling of such crimes calls for organisations to identify, as well as force, the most comprehensive astuteness, and to have the capacity to follow that track (Carrier & Spafford, 2003).
In most incidents, the appropriate gathering and scrutiny of incident information supports investigations, reveals illicit activities, and advances better-defined security countermeasures (O’Ciardhuain, 2004). Therefore, through information exchange systems, data storage apparatus, and complex general computing apparatus, contemporary networks offer a viable foundation for creating an effective landscape to support cyber forensics. However, the contemporary control systems environment is not so easily configured to accommodate diverse forensics plans (Carrier & Spafford, 2003). According to O’Ciardhuain (2004), nonstandard legacy architectures and protocols, which may be decades old, combined with vanished or irregular proprietary technologies, have the potential to make the creation and operation of cyber forensics plans anything but easy and smooth processes. Diaconis and Mosteller (1989) built their argument upon the rudiments of ordinary standardised forensics processes, such as those relating to the gathering, examination, scrutiny, and reporting of incident data, and offer a foundation for fostering and constructing cyber forensics plans for diverse control systems environments. Scholars argue that the diverse and distinct nature of platforms, technologies, and owner/operator deployments must be considered in formulating a flexible structure, as opposed to one supporting specific technologies (O’Ciardhuain, 2004; Cohen, 2006; Carrier, 2005). Therefore, every cyber forensic process in the investigation of criminal occurrences should be based on the prevailing conditions. Collection and analysis of digital evidence requires inordinate quantities of resources and time (Nisbett et al, 1983).
Moreover, the sheer volume of cases, and the time required for their processing, can have unfavourable impacts upon the ability of investigators, and of legal practitioners also, to scrutinise and present a full evidence reconstruction (O’Ciardhuain, 2004). Cohen (2006) claims that failure to trace all obtainable digital evidence happens because the location of relevant evidence is not always evident to amateur investigators, who may end up relying exclusively on intuition. Whereas technically incisive and diligent investigators can recognise and scrutinise much pertinent evidence, constraints of time and the distinctiveness of crime scenes may nonetheless result in deficient recognition of all useful information, thereby denying crucial facts investigation and scrutiny (Koehler & Thompson, 2006). Partial analysis of the accessible evidence during the validation phase of the investigation, as well as failure to authenticate the evidence, can lead to the failure of an investigation (Cohen, 2006). Cohen (2006) asserts that error is inevitable in every investigation process, and forensic investigators should deal with dependency of any specific test. Palmer (2002) argues that an array of diverse factors can influence evidence legality, including missing collection tools, taking evidence out of context, misinterpretation of data, failure to expose exculpatory information, bogus or disingenuous evidence, processing errors in systems and applications, and failure to recognise pertinent facts, among others (Nisbett & Ross, 1980). Cohen (2006) adds that sophisticated prosecution cases in the digital field habitually fail during trial, with incompetence ranking high in case reconstruction.

Generally, the challenges affecting effective forensics within control systems vary from one incident to the other (Janes, 2000). First, most conventional devices and management systems technologies fail to offer effective platforms for gathering useful data that could be used in post-event security scrutiny.
This implies that systems without such capacity are habitually in operation, but lack that capability (Mercuri, 2005). Secondly, contemporary cyber-forensic systems are not always entirely extensible to conventional management systems architectures (Flusche, 2001). Thirdly, for such architectures as FW (firewalls), IPS (intrusion prevention systems), and IDS (intrusion detection systems), among others, which use contemporary cyber-centric security procedures and technologies, the forensic information gathered by such systems cannot be successfully correlated with device and management systems logging information (Janes, 2000). The fourth challenge is that post-event scrutiny is habitually reliant upon vendor contribution, and any proactive understanding of device logging is habitually not required by end users, or integrated into defense-in-depth strategies (Berk, 1983). For individuals and organisations to address these challenges at the suitable stage, they require guidance for developing a management systems forensic program. Kurose (2002) asserts that such guidance must be fully flexible in order to facilitate its use in any control systems environment, irrespective of the technologies used. Furthermore, such guidance should offer direction on incorporating contemporary network security technologies with conventionally closed systems, the outcome being an authentic defense-in-depth policy for control systems architectures (Janes, 2000). Vacca (2002) claims that such strategies should integrate technical, operational, and managerial issues, offering an ordered methodology that, when complete, presents a flexible but strong security posture.

Conclusion

In conclusion, the use of digital evidence has become widespread in legal cases.
However, the legal fraternity's understanding of how far conventional ideas of proof can be extended into the digital field lags behind. Scholars and legal practitioners agree that proof establishes the authenticity of an issue. However, its weight relies solely on scrutiny and verification via the existing mechanisms of legal argument. This creates the need for a handy 'roadmap' that can guide legal practitioners in identifying the digital evidence pertinent to supporting a case, and in assessing its weight. This paper has illustrated that validating evidence is a crucial stage in this process, prior to evaluating its weight. Moreover, evidence preservation and handling should be held in high esteem, since many individuals may work towards contaminating the evidence. Therefore, forensic experts must ensure that they protect digital evidence from any form of contamination in order to support a fair, free, and just judicial process.

References

Akester, P. (2004). Internet law: Authenticity of works: Authorship and authenticity in cyberspace. Computer Law & Security Report, 20, 436-444.
Ashcroft, J. (2001). Electronic crime scene investigation: A guide for first responders. Washington, U.S.: Department of Justice.
Ashley, K., & Rissland, E. (1985). Toward modelling legal argument. Massachusetts: University of Massachusetts.
Berk, R. A. (1983). An introduction to sample selection bias in sociological data. American Sociological Review, 48, 386-398.
Boddington, R., Hobbs, V., & Mann, G. (2008). Validating digital evidence for legal argument. Australian Digital Forensics Conference: Security Research Institute Conferences, 1-17.
Carrier, B. (2005). File system forensic analysis. Upper Saddle River, New Jersey: Addison-Wesley.
Carrier, B., & Spafford, E. H. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence, 2(2), 1-20.
Casey, E. (2004). Digital evidence and computer crime. California: Elsevier.
Cohen, F. (2006). Challenges to digital forensic evidence. New Haven: Fred Cohen & Associates.
Diaconis, P., & Mosteller, F. (1989). Methods for studying coincidences. Journal of the American Statistical Association, 84, 853-861.
Edwards, K. (2005). Ten things about DNA contamination that lawyers should know. Criminal Law Journal, 29, 71-93.
Etter, B. (2001). The forensic challenges of e-crime. Australasian Centre for Policing Research, 3, 1-8.
Flusche, K. J. (2001). Computer forensic case study: Espionage, Part 1: Just finding the file is not enough! Information Security Journal, 10, 1-10.
Janes, S. (2000). The role of technology in computer forensic investigations. Information Security Technical Report, 5, 43-50.
Koehler, J. J., & Thompson, W. C. (2006). Mock jurors' reactions to selective presentation of evidence from multiple-opportunity searches. American Psychology-Law Society/Division 41 of the American Psychological Association.
Kurose, J. F., & Keith, W. R. (2002). Computer networking. New York: Pearson Education.
Losavio, M., Adams, J., & Rogers, M. (2006). Gap analysis: Judicial experience and perception of electronic evidence. Journal of Digital Forensic Practice, 1, 13-17.
Mercuri, R. (2005). Challenges in forensic computing. Communications of the ACM, 48, 17-21.
Nisbett, R. E., & Ross, L. (1980). Human inference: Strategies and shortcomings of social judgment. Englewood Cliffs, NJ: Prentice Hall.
Nisbett, R. E., Krantz, D. H., Jepson, C., & Kunda, Z. (1983). The use of statistical heuristics in everyday inductive reasoning. Psychological Review, 90, 339-363.
Ó Ciardhuain, S. (2004). An extended model of cybercrime investigations. International Journal of Digital Evidence, 3(1), 1-22.
Palmer, G. L. (2002). Forensic analysis in the digital world. International Journal of Digital Evidence, 1(1), 1-6.
Rowlingson, R. (2004). A ten step process for forensic readiness. International Journal of Digital Evidence, 2(3), 1-28.
Saks, M. J., & Koehler, J. J. (2005). The coming paradigm shift in forensic identification science. Science, 309, 892-895.
Schneier, B. (2000). Secrets and lies: Digital security in a networked world. New York: Wiley Computer Publishing.
Silverstone, H., & Sheetz, M. (2007). Forensic accounting and fraud investigation for non-experts. New Jersey: John Wiley & Sons, Inc.
Sommer, P. (1998). Intrusion detection systems as evidence: Recent advances in intrusion detection. London: London School of Economics & Political Science.
Vacca, J. R. (2002). Computer forensics: Computer crime scene investigation. Massachusetts: Charles River Media.