Significance of the Digital Evidences Collected - Case Study Example

Summary
This case study "Significance of the Digital Evidences Collected" presents digital evidence that is regarded as different types of electronic information and is considered as vital proof for evaluating a crime. This type of information is stored, received, and shared by electronic devices…


Computer Forensics - Case Portfolio

1.0 Case Summary

The case concerns a criminal incident involving child pornography. An employee of Widget Corporation, Mr. Didit, is alleged to have developed child pornography on the office premises. As a result, a forensic investigation agency has been summoned to collect and examine digital evidence from the crime scene. Throughout the investigation, legality and fairness have been maintained by following best practices for the treatment of evidence. Various items of evidence have been gathered from the crime scene in order to judge whether the employee is guilty of this cyber-crime during office work time.

2.0 List of Potential Digital Evidence

Digital evidence comprises different types of electronic information and is considered vital proof for evaluating any criminal incident. This type of information is stored, received and shared by electronic devices. Digital evidence can exist in several formats, such as text, graphics, audio and video, among others. The digital evidence is acquired when the electronic devices are seized. The digital evidence found at the crime scene was a WDD hard disk, a USB flash drive, compact disks (CDs) and central processing units (CPUs) (see fig 1).

Fig 1: Digital Evidences from the Crime Scene

2.1 Significance of the Digital Evidences Collected

Hard Disk. A hard disk is a read/write storage medium used for collecting, storing, retrieving and accessing information. It is regarded as a vital source of proof for the crime because the system files and other operating files are stored on the hard disk. Hence, in order to investigate the crime conducted by Mr. Didit, the hard disk has been seized (see fig 2), as it will probably provide valuable proof (Mukasey et al., 2008).

Fig 2: Seized Hard Disk

CD. The CD is regarded as another important source of digital information.
It is basically a replica of the original information and is used as a permanent storage medium. Thus, the information on the CD is believed to have been important enough for Mr. Didit to store, and the CD has therefore been acquired as digital evidence (see fig 3) (Mukasey et al., 2008).

Fig 3: Seized CD

USB Flash Drive. A USB flash drive is a small, portable, high-capacity electronic storage medium. Unlike a hard disk, a USB drive connects to the computer through a Universal Serial Bus port. USB flash drives have gained much popularity because of their storage capability and rapid access to data. The USB flash drive can also store information regarding any work and is therefore regarded as valuable evidence for this criminal case (Mukasey et al., 2008).

Fig 4: Seized Flash Drive

CPU. The CPU is a case that contains electronic elements such as memory, a processor and a hard drive, among others. It contains valuable information, software and programs which are important evidence for any crime scene. Thus, the CPUs have also been seized for the purpose of digital evidence gathering (Mukasey et al., 2008).

2.2 Type of Data

The main aim of collecting digital information is to obtain important data with a minimum degree of modification by the suspect. Evidence can be classified into four basic types, namely real, documentary, testimonial and demonstrative. Real evidence comprises physical objects which can be presented in the court trial, such as CDs, storage devices, input and output devices and removable drives, among others. Documentary evidence is printed evidence, which comprises log files, database files, written copies and reports, among others. Testimonial evidence, on the other hand, contains the proof of a witness, which can exist in recorded or written form. Finally, demonstrative evidence exemplifies other evidence, such as pictures or photographs, and is helpful in elucidating technical facts or creating proofs.
In this case, real and documentary evidence has been collected for the purpose of forensic investigation (Mukasey et al., 2008). The types of data that would be found in such evidence are as follows.

Instant messages: Instant messages have become a popular means of communication. Many individuals share information and facts through instant messages. Popular applications such as Google Talk, Yahoo Messenger, MSN Messenger and social networking sites can provide an incredible amount of digital evidence about Mr. Didit (Gubanov, n.d.).

Browsing history: Every individual browses different websites in order to search for information on any private topic of interest. Thus, digital evidence can be obtained by analyzing the history of the browsers used by Mr. Didit. Furthermore, evaluating bookmarked pages, cache memory and temporary files can also provide useful evidence for the forensic investigation (Gubanov, n.d.).

Email: Email is another popular communication method used for sharing files and information. Evaluating the emails sent and received by Mr. Didit can reveal information concerning money transactions or other intimate agreements, and thereby help to recognize important parties who might be related to the criminal incident (Gubanov, n.d.).

Electronic files: Apart from instant messages, browsing history and email, other electronic files such as cookies, documents, images, videos, calendars and backups, among others, will be analyzed. These files can contain a great deal of valuable data and make it possible to reveal the number of suspects involved in the criminal activity, along with their names and locations (Gubanov, n.d.).

2.3 Digital Evidence Preservation

The information must be preserved in order to ensure long-term access to the digital data. Current technologies allow information to be produced, modified, spread, positioned, deleted and stored easily.
This characteristic of digital information can make the evidence vulnerable to any kind of alteration. Hence, preservation of the digital evidence in readable and accessible formats is a vital aspect of forensic investigation. Digital evidence preservation comprises custody of the information objects along with their meanings. It is hence essential that the preservation methods are capable of understanding and recreating the original form of the evidence, thereby confirming its authenticity and accessibility. Moreover, as innovative digital technologies quickly appear and traditional ones go out of date, information that depends on obsolete technology soon becomes obsolete itself (Lee et al., 2002). There are several methods of digital preservation, such as technology preservation, technology emulation, data movement and encapsulation, that would be used for this criminal case investigation.

Technology preservation: According to this strategy, the operating system (OS) will be preserved in order to get a clue about the technological platform used by Mr. Didit. It would help to preserve the original environment and therefore help to understand the behavior of Mr. Didit. Moreover, there are certain digital objects which can only be accessed by restoring the original environment. Technology preservation would also ensure that all files of Mr. Didit are accessible (Lee et al., 2002).

Technology emulation: Technology emulation is another preservation method that would be used to protect the information. It comprises preserving the original application and software environment. It would help to imitate the behavior of the old platform, which is appropriate for retrieving any files. Technology emulation would assist in preserving the appearance and functionality of the different digital objects of Mr. Didit (Lee et al., 2002).

Data movement: Data movement signifies the periodic transfer of digital information from one computer system to another.
This strategy would be executed by copying digital information to an analogue medium in order to ensure long-term reliability. Likewise, digital information in diverse formats will also be transformed into manageable, standard formats. Data movement would help to preserve the integrity of digital objects and would retain the capability of forensic departments to recover, display and use them in an era of continually changing technology (Lee et al., 2002).

Encapsulation: The encapsulation method would also be used for data preservation. Basically, this strategy helps to deal with the issue of technological obsolescence. Encapsulation would comprise restoring the original application which was used by Mr. Didit to create or access various files, so that it can run on a future technological platform. It would provide a suitable vessel for transporting any kind of complex component between various platforms (Lee et al., 2002).

2.4 Storing digital information

Digital evidence is delicate and sensitive to extreme heat, moisture, physical shock, static voltage and magnetic fields. Thus, the collected digital evidence will first be stored according to the organizational strategies. The digital evidence would be put in a safe, climate-controlled setting which is not subject to extreme heat and moisture. Furthermore, the digital evidence would not be exposed to magnetic fields, dust, vibration or any other circumstances that could damage or destroy the data. Every digital device would be labeled appropriately in order to indicate the type of digital information on that particular device (Mukasey et al., 2008). During the collection of digital information, there is a possibility of losing valuable evidence such as the date and the system configuration. Hence, in order to ensure that the digital information can be authenticated, the devices would be checked to ensure that they are properly powered (Mukasey et al., 2008).

2.5 Protecting Digital Evidence

The objective of protecting digital evidence is to ensure that the information has been properly gathered, documented, categorized, marked, verified and inventoried. In order to protect the digital information, every piece of evidence has been packed using an antistatic packaging method. Only paper boxes should be used for packaging, and any kind of plastic component should be avoided, since plastic can carry static electricity and also allows moisture and compression, which might damage or destroy the digital evidence. Besides, the digital evidence would be packaged in such a manner that the devices are kept free from any type of scratches (Mukasey et al., 2008).

2.6 Transferring Digital Evidence

While transferring the digital evidence, a proper distance would be maintained so that the drives are kept away from magnetic devices, radio transmitters and emergency lights, among others, as these can be a risk to such valuable data. Additionally, it would be ensured that the electronic devices are secured throughout transportation in order to avoid damage from shock or vibration. A proper chain of custody would also be maintained for transferring the digital evidence (Mukasey et al., 2008).

3.0 List of Non-Digital Evidences

Apart from digital evidence, several items of non-digital evidence have been found in the workplace of Mr. Didit. Handwritten records, notes and copies could be collected from the crime scene. Such non-digital evidence can contain vital information such as user names, passwords and important contacts, among others.

4.0 Forensic Analysis Tools

There are several tools which are used for analyzing digital evidence. In order to investigate the crime, the following tools could be used.

IsoBuster: IsoBuster is a forensic analysis tool which could be used for recovering information from CDs. This tool can show the different tracks, sessions and files stored on the suspected digital media.
Thus, this tool would provide an inclusive assessment of every component stored on the CDs collected.

Metadata Assistant: Metadata Assistant is another important forensic analysis tool which could be used in the digital evidence analysis. This tool was manufactured by PayneGroup and is particularly used for discovering hidden information stored in Word documents along with other files. As a result, this tool would possibly expose the confidential information of Mr. Didit.

G-Flash: G-Flash is another important forensic investigation tool which could be used to collect the necessary evidence. Manufactured by WetStone Technologies, this tool would allow the computer system of Mr. Didit to be evaluated in order to reveal hidden secrets.

USB Triage Tool: USB Triage Tool was also manufactured by WetStone Technologies and could be used in the forensic investigation. This tool would make it possible to gather real-time information from any running computer system (Solomon et al., 2011).

5.0 Summary of Testimony

5.1 Instruments and Authority for Searching

In order to undertake any search, proper guidance must be followed. Hence, in this case the search would be undertaken after obtaining search warrants. These will permit the search and seizure of the digital evidence of Mr. Didit. This is the most preferred method and consistently satisfies the legal requirements of the court. With respect to searching for evidence, there are two basic warrants, namely the ‘electronic storage device search warrant’ and the ‘service provider search warrant’. The ‘electronic storage device search warrant’ will be used for obtaining the authority to search Mr. Didit’s workplace (U.S. Department of Homeland Security, n.d.). In several circumstances, electronic devices containing digital evidence can be gathered with standard seizure instruments. With respect to Mr.
Didit’s workplace, instruments such as a camera, boxes, gloves, writing pads, stickers, markers, antistatic bags and evidence bags could be used for the purpose of searching and seizing (Mukasey et al., 2008).

5.2 Use of Hash Value in Digital Forensics

Digital forensic investigation intends to recreate the sequence of events in a criminal incident. In every digital forensic investigation, response time is the most critical aspect. Several techniques can be employed in order to screen the digital data quickly and effectively, and one of the most reliable is the hash-oriented technique. It is habitually used to authenticate information and recognize known components. At a general level, hash-oriented methods are attractive due to their high throughput and memory efficiency. A hash function uses a random series of binary information and generates a number in a predefined array. Preferably, given a set of dissimilar inputs, a hash function maps them to different outputs (Roussev, 2009).

One of the important properties of the hash technique is the hash value. A hash value is the outcome of a calculation that can be performed on a sequence of text, on electronic files or on the contents of a storage device. A hash value is also termed a hash code, and is used to recognize and filter duplicate files such as emails and various attachments. In the criminal case, the hash value can be used to confirm that the forensic copy was acquired correctly (Roussev, 2009).

Hash values would be used in the different phases of the electronic evidence evaluation process. First, a hash value will be taken of the original hard disks, flash drives and CDs. In line with accepted practice, an image would be made of the original information residing on those media. The image will be used throughout the forensic investigation in order to preserve the integrity of the original information. A hash value would be taken of the imaged data before proceeding with any investigation.
If both values are equal, the image would be regarded as identical to the original, showing that no changes have been made to the collected digital evidence. After completion of the forensic investigation, another hash value would be taken. The three hash values would be compared and are required to match in order to prove the authenticity of the collected information before the court (Roussev, 2009).

5.3 Report on "Police Hack" Issue

There are several legal issues faced by the law enforcement agency, and one of the aspects of greatest concern is the authority of the agency. Thus, in order to prove that the law enforcement agency is not a ‘police hack’, a proper SOP document will be maintained. An SOP document is fundamental for both law enforcement and forensic investigation. Furthermore, appropriate documentation for the search warrant must be maintained in order to demonstrate the authenticity of the agency. There are several aspects which can be used in order to enhance the bottom line of the agency.

Spending on documentation: The key to a lawsuit against a company is basically embedded in its documentation. Thus, the documentation must be accurate, up to date and reviewed routinely in order to defend against any type of legal claim (Ashcroft et al., 2004).

Applying best practices: In order to reduce its exposure to legal claims, the company would need to apply best practices during the collection, storage, protection and transfer of digital evidence (Ashcroft et al., 2004).

Using proper technology for investigation: The use of technology for digital forensic investigation can also help to increase the bottom line of the company in this case. Thus, at a minimum, there is a need to have up-to-date knowledge. As a result, it would provide a benchmark for the structure of the investigation procedure (Ashcroft et al., 2004).

References

Ashcroft, J., Daniels, D. J., & Hart, S. V. (2004). Forensic examination of digital evidence: a guide for law enforcement. United States: National Institute of Justice.
Gubanov, Y. (n.d.). Retrieving digital evidence: methods, techniques and issues. Retrieved from http://forensic.belkasoft.com/download/info/Retrieving%20Digital%20Evidence%20-%20Methods,%20Techniques%20and%20Issues.pdf
Lee, K. H., Slattery, O., Lu, R., Tang, X., & McCrary, V. (2002). The state of the art and practice in digital preservation. Journal of the Research of the National Institute of Standards and Technology, 107(1), 93-106.
Mukasey, M. B., Sedgwick, J. L., & Hagy, D. W. (2008). Electronic crime scene investigation: a guide for first responders. United States: National Institute of Justice.
Roussev, V. (2009). Hashing and data fingerprinting in digital forensics. IEEE Security & Privacy, 49-55.
Solomon, M. G., Rudolph, K., Tittel, E., Broom, E., & Barrett, D. (2011). Computer Forensics JumpStart. Canada: John Wiley & Sons.
U.S. Department of Homeland Security. (n.d.). Best practices for seizing electronic evidence. Retrieved from http://www.forwardedge2.com/pdf/bestpractices.pdf
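
The three-stage hash comparison described in section 5.2, as an added example that is not part of the original case study: it hashes a constructed stand-in for a seized medium, then the working image, then the image again after examination, and reports which stage diverged. SHA-256, the file names, and the use of `shutil.copyfile` in place of a write-blocked imaging tool are assumptions of this example.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large media never sit fully in memory


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file (or raw device node), read in fixed-size chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_hashes(original, image, post_analysis):
    """Evaluate the three hash values from section 5.2 stage by stage."""
    return {
        "image_matches_original": original == image,
        "image_unchanged_by_analysis": image == post_analysis,
        "all_match": original == image == post_analysis,
    }


def run_case(tamper_during_analysis=False):
    """Walk a constructed 'seized medium' through the three hashing stages."""
    workdir = tempfile.mkdtemp(prefix="evidence_demo_")
    try:
        original = os.path.join(workdir, "seized_medium.bin")  # hypothetical name
        image = os.path.join(workdir, "forensic_image.dd")     # hypothetical name
        with open(original, "wb") as handle:
            # Constructed sample content standing in for the seized medium.
            handle.write(b"constructed sample sector data\n" * 40000)

        # Stage 1: hash the original medium before anything else touches it.
        original_hash = hash_file(original)

        # Stage 2: make the working image and hash it before any examination.
        # shutil.copyfile stands in for a write-blocked imaging tool.
        shutil.copyfile(original, image)
        image_hash = hash_file(image)

        # Examination happens on the image only. Optionally simulate an
        # accidental one-bit change to show what the final hash catches.
        if tamper_during_analysis:
            with open(image, "r+b") as handle:
                handle.seek(4096)
                byte = handle.read(1)
                handle.seek(4096)
                handle.write(bytes([byte[0] ^ 0x01]))

        # Stage 3: hash the image again once the examination is finished.
        post_hash = hash_file(image)

        result = compare_hashes(original_hash, image_hash, post_hash)
        result["hashes"] = (original_hash, image_hash, post_hash)
        return result
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for tampered in (False, True):
        outcome = run_case(tamper_during_analysis=tampered)
        print("tampered" if tampered else "clean", "all_match =", outcome["all_match"])
        for label, value in zip(("original", "image", "post"), outcome["hashes"]):
            print(f"  {label:9s}{value}")
```

Recording all three digests with timestamps in the chain-of-custody documentation lets a later reviewer repeat the comparison independently.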