The Scope of Job and Role of a Forensic Investigator - Coursework Example

Summary
The paper "The Scope of Job and Role of a Forensic Investigator" states that with significant endeavours by forensic experts in volatile memory, the anonymity will slowly erode since investigators are now able to extract past information and can reconstruct early conversations…

Extract of sample "The Scope of Job and Role of a Forensic Investigator"

REFLECTION ON THE SCOPE OF JOB AND ROLE OF A FORENSIC INVESTIGATOR

Often held as one of the most demanding and complex jobs, being a forensic investigator evidently demands more than just being available at the workplace or being a graduate investigator. Typically, forensic investigation as a career involves the application of documented and controlled diagnostic techniques to identify, gather, examine, and safeguard digital information (My Criminal Justice Careers, n.d.). Given the delicate nature of digital data and the regulatory obligation to preserve electronically saved information, a forensic investigator has to apply a certain level of dexterity to secure it against destruction or manipulation. For this reason, the central role of any forensic investigator is not only to carry out an investigation to unearth the truth about a mystery, but also to apply his or her prowess to seize and safeguard the evidence obtained.

In this reflective report, I will reflect on the role and function of a forensic investigator when performing a forensic investigation and the responsibility that the forensic investigator has for seizing and safeguarding evidence. The report entails two segments: the first is on a topic from Peter’s material and the second is on a topic from Nick’s material. I have selected the Digital Forensics and Systems Analysis and volatile memory topics from Peter’s and Nick’s material respectively. As a result, the objective of this reflective report is to explain the knowledge and experience I have gained in the unit on the role and function of a forensic investigator in reference to my selected topics.

SECTION I

Digital Forensics and Systems Analysis

The module on the role and function of a forensic investigator, and particularly the understanding of Digital Forensics and Systems Analysis, has been instrumental to me in several ways.
Typically, digital forensics is an investigation process that uses scientific and technological knowledge to examine digital objects and consequently develop and test theories. It can be invoked, in a court of law, to respond to questions about incidents that occurred. Considering the credibility that such evidence demands, I have gained substantial lessons from the unit on digital forensics and systems. Of the many lessons, some of the significant ones include an understanding of the types of digital analysis, digital investigation models, and digital crime scene investigation processes.

Types of digital analysis

Through this module, I realised that in digital forensic investigations, the investigator often encounters many digital data formats that subsequently demand different models of analysis. Such types of analysis are based on either abstraction, interpretation or layers that are actually part of data system design (Casey, 2010). For instance, a major piece of data I considered was on a hard disk, which conventionally is designed to accommodate several interpretation layers. From this hard disk, the investigator will identify that the lowest layer embodies partitions that are used in the process of volume management (Plass, 2011). Consequently, I came to terms with some of the types of digital analysis that a forensic investigator encounters. They include media analysis, media management analysis, file system analysis and network analysis, among others. The role of an investigator is therefore to analyse data on a partition in a process that involves the extraction of the contents of a file to recover any content of deleted data or files. Before this lesson, I had no clue that it is possible to recover deleted data from a system even if it was deleted from the recycle bin. But now I know it is possible. Another vital analysis that a forensic investigator looks deeply into is that of the operating system (Plass, 2011).
For a long time, I had understood that since the operating system is what holds the rest of the programs in a computer, there is no likelihood of it being used as an asset to get forensic information. However, from the forensic training I realised that an analysis of the OS can reveal the output data and configuration files of the OS that are crucial for establishing the event that had occurred previously (Casey, 2010). The same revelation is exhibited by image and video analysis. It is common today to see people taking images and videos and sharing them online without much regard for the implications of such an act (Abraham, 2006). This was an eye-opener to me, for I realised that a forensic investigator will use these videos and images to identify the time and location where they were shot. Comprehensively, from the different types of analysis, I learnt that they provide the investigator with fundamental data to facilitate the investigation.

Digital investigation models

The second lesson after digital analysis types was the tutorial about the digital investigation models that are applied in digital crime scenes. Commonly they are categorised into five core phases: readiness, deployment, physical crime scene, digital crime scene, and presentation phases (Carrier & Grand, 2004). Readiness is a phase that includes the training of suitable personnel together with the testing of the tools to be used in carrying out the investigation. For instance, having infrastructure readiness enables configuration of the equipment to make sure that the data is available when an incident occurs (Carrier & Grand, 2004). The tutor instructed us that this is one of the phases that are underestimated and more often strains the investigative exercise if not thoroughly considered. The second phase is deployment, which essentially entails the ability of the forensic investigator to detect and receive notification when an incident has occurred (Carrier & Grand, 2004).
I learned of the implication of this phase in that, if an intruder is detected by an intrusion detection program, the investigator will be alerted using communication and logs of the suspect. To figure out the practical aspect of this phase, our tutor divided us into a team formally acknowledged as the incident response crew to do a brief analysis of one of the school’s systems to assess whether it was compromised anywhere. However, before the analysis, we had to request additional permission in order to execute a full analysis. From the analysis, I realized that even though it is a tedious process, its convenience and the data obtained can be used to map the degree of confidentiality a system has.

Thirdly, after the forensic investigator has been granted authorization to carry out the investigation, next is the physical crime scene investigation phase, where physical objects are examined. One significant lesson from this class is that it is in this phase that a forensic investigator can collect physical evidence that might link an individual to a suspected computer crime activity (Prosise, Mandia, & Pepe, 2003). Accordingly, this phase engrosses the search for physical evidence that the investigator will use as a resource to reconstruct what might have happened. Consequently, this phase will collect and correlate the analysis results from more than one digital crime scene and serves as the first step in the acquisition of forensic proof (Carrier & Grand, 2004). Before this lesson, I held that the most important part of crime investigation is the digital crime scene. However, I realized that both physical and digital crime scene investigation are of significant relevance as far as the role and function of the forensic investigator are concerned.

The last function of a forensic investigator is the digital crime scene phase, in which the investigator will examine the digital data to unearth evidence.
One profound lesson from the study of all phases is that they are all dependent on each other and the termination of one leads to the entry of the other. Actually, the digital scene investigation is a subset of the physical scene investigation, and the conclusions from the physical scene are subsequently used in the digital investigation. In this phase, I realized that the investigator. I remember the lecturer insisting on the significance of this phase, and we actually spent more time here than on the rest of the phases. At the same time, I recognized that this phase is used not only for system preservation and the search for digital proof but also for the reconstruction of past events. Collectively, once the four phases are concluded, the last phase is the preservation stage. At this stage, the result can then be presented in a court of law or any other place where such evidence is needed.

For me, learning of the role of a forensic investigator in regard to Digital Forensics and Systems Analysis provided me with crucial tips in understanding the procedural nature of the digital investigation phases. Previously, before this analysis of forensic investigation phases, I thought the investigator could start with any phase as long as he utilises all phases. On the contrary, I realised that the interdependence of the five phases of digital forensic investigation demands ascending coordination, in that the conclusion of the first phase sparks the commencement of the next phase and so forth. Equally, the findings from the digital scene phase and physical scene phase can be utilised interdependently to facilitate the reconstruction of bits and pieces and develop more provable evidence. For instance, I learned that the deployment and readiness phases are fundamentally effective and do not engross technical investigation techniques.
However, the deployment phase sometimes invokes legal considerations, such as the availability of warrants, that are also required in the digital scene inquiry. Consequently, I recognized that the physical scene investigation phase matches that presently existing in a hypothetical scene and has been examined in detail through previous investigations involving similar computer crime activity.

Conversely, from this study I recognized some of the challenges that the analysis of phases poses. For instance, at the presentation stage, one of the apparent challenges is that the phase includes the description of complex terms and ideas in simple language and fashion to a non-technical audience. Even though the forensic investigation is not a technical research, any research topic should possess a reconcilable quantitative and qualitative methodology so that the presentation is taken into account. I learned that such considerations should be invoked by a forensic investigator to develop a tool or procedure that is capable of demonstrating guidelines for effectual portrayal of technology.

Having explored the scope of work that a forensic investigator undertakes, I now know what I, as a young aspiring forensic investigator, need to know as far as digital crime investigation is concerned. However, I also realized that to be a successful forensic investigator takes more than just completing any academic level; it demands a huge extent of practice in the field dealing with different digital crime scenes. As the next step, I need to internalise some other deeper roles of the investigator in seizing evidence. Such functions include the understanding of digital scene presentation and documentation, and evidence and reconstruction documentation.

SECTION II

Volatile Memory

It is common today to find most forensic investigators focusing on emerging fields of science such as volatile memory forensics, perhaps due to their influence on evidence acquisition.
Typically, volatile memory investigation primarily entails the recovery of data from the memory of different systems that was lost when the system was overwritten by another running program or powered down (Plass, 2011). In relation to the role and function of a forensic investigator, volatile memory is a new, untapped area of forensic examination that is targeted presently. As I have been contemplating the reasons why the major focus of forensic investigators is on volatile memory, one apparent reason is that they are easy to examine. The fact that these systems can be collected by investigators, powered down and moved to a station or laboratory makes it easy to exploit the data comprehensively. It has been established that when PC systems are shut down, the volatile memory segments are destroyed and unrecoverable (Plass, 2011). However, if the investigator evaluates data in the live state, it has been established that the forensic investigator can get a greater picture of the running state of a system.

I have spent a great deal of time analysing the role of the forensic investigator in regard to volatile memory, from which I have gained numerous lessons. Significant lessons came from learning about the techniques of memory forensics. From these forensic techniques, I realized that, considering the difficulty associated with acquiring data from volatile memory, most forensic investigators preferred conventional methodology that focuses on hard disks and flash memory (Plass, 2011). Consequently, I established the difference between volatile (physical) memory and non-volatile memory, which is that the former contains memory of the computer that is temporary and regularly rewritten when executing processes and applications or when the system goes off. Conversely, the latter entails all the executables that the system users might have used on the system (Arasteh, 2008).
Because of new modern communication applications such as VoIP, instant messaging, social networks and many others, more data is being stored in temporary storage. I learned that such data is significant for a forensic investigator, for it can yield considerable information crucial for establishing a substantial investigation.

Why volatile memory in contemporary forensics?

There is an increased reliance on volatile memory forensics, and throughout my analysis of the role of a forensic investigator I wanted to find some of the reasons. Thanks to this study, I also got the opportunity to relate with some of the volatile examples that gave me the actual picture of their necessity. I learned that the main reason is criminals’ ability to become well versed with systems, for they are able to conceal their identity and activities, and the availability of many platforms on which to exercise their criminality. At the same time, their ability to access encryption, the increase in the size of physical disks, and the emergence of RAID arrays, network-attached and area network storage have all made the forensic investigator’s job more difficult. From the study, I recognized that due to such transformation of criminal activity, there has been a need for investigators to invest in understanding volatile memory if they are to establish substantial evidence to sustain cases.

Despite being difficult to handle, most techniques currently adopted by forensic examiners are geared towards operating systems, with the objective of establishing the present status of systems together with any past status prior to data acquisition. Additionally, the secondary objective is to gather information on malware, viruses, and rootkits (Slay & Simon, 2008). This was one of the topics that drew me closer to volatile memory forensics, for I became more certain of what simple computer programs such as malware mean to forensic examiners.
I realized that the shift has also been facilitated by the fact that most of the old tools relied on hashing methods that led investigators to varied results, making it hard to compare any two files. However, with the advent of the ssdeep tool, forensic investigators have been able to resolve the complexities (Plass, 2011; Dolan-Gavitt, 2008). It enables them to locate files that might have had only a few bits of difference when using the hashing method and thus shows forensic examiners the apparent differences in the files that are crucial for establishing comparisons. Though I had spent some quality time in understanding the scope of work for forensic experts, I never thought that the exercise could be as difficult as having to rely on only very detailed elements.

Volatile memory patterns in forensics

As regards volatile memory, investigators currently have to focus on the transmission of voice over online platforms. One common communication pattern that is a focus of most forensic investigators is VoIP technology such as Skype (Thomas, 2004). As established by Pelaez, the converged nature of VoIP technology is what makes it more vulnerable to individuals who may wish to conceal their identity and messages, which may be secretly embedded within the payload of voice communication (Arasteh, 2008; Plass, 2011). From the VoIP technology tutorial and its relationship to forensic investigation, I learned a number of concepts about such encryption. For instance, I found out that it is possible through the incorporation of a technique of embedding undisclosed messages into a different, less obvious message by a process called steganography. At the same time, I comprehended that the high bandwidth and speed usage necessary for VoIP communications is the reason why these converged voice and data networks are more susceptible to steganography-based attacks (Plass, 2011).
Consequently, such high speed makes the work of the forensic investigator difficult, as the detection of hidden messages demands knowledge of reading misuse patterns. Nonetheless, forensic investigators with the proper dexterity are able to detect or unearth the undisclosed messages by thoroughly perusing the misuse patterns. These misuse patterns will then illustrate to the assessor how the information mishandling was performed, thus making it possible for a forensic examiner to evaluate how it can be terminated and, at last, how to trace it once it reoccurs (Pelaez, 2009).

From this revelation, I established that there exist two ways in which VoIP’s common protocols (media transfer and signalling) can be manipulated. Through VoIP’s signalling protocols, the invader will usually exploit vacant free fields in the data stream to conceal their messages. In addition, since the data is typically encrypted through the Secure initiation protocols, it is often difficult for forensic investigators to detect signalling protocol misuse. However, in the communication transport protocol, the invader commonly embeds messages in real-time protocol media packets while calling. Such careless misuse of patterns is of fundamental significance to forensic examiners. It allows them to exploit structure methods in locating steganographic information (Plass, 2011).

Conclusively, from the study of the influence of volatile memory in understanding the role of the forensic investigator, it is apparent that the emergence of novel technologies has made volatile memory a major consideration in communication investigation. I am a witness that there seems to be a particular group of forensic experts interested in how best to exploit VoIP technologies, as they have become a criminal element in society.
The fact that most of the emergent platforms of communication have no mandatory requirement to verify credentials authentically when in use makes them even more prone to criminal activity. The capability of some of these platforms, such as Skype, to provide full encryption of data has given their exploitation immense obscurity. However, with significant endeavours by forensic experts in volatile memory, this anonymity will slowly erode, since investigators are now able to extract past information and can reconstruct early conversations. Ultimately, the role of a forensic investigator in unearthing secrecy and seizing evidence is challenging and demands top-notch prowess to survive.

Bibliography

Abraham, T., 2006, January. Event sequence mining to develop profiles for computer forensic investigation purposes. In Proceedings of the 2006 Australasian workshops on Grid computing and e-research - Volume 54 (pp. 145-153). Australian Computer Society, Inc.

Arasteh, A. R., 2008. Forensic analysis of Windows physical memory (Doctoral dissertation, Concordia University).

Casey, E., 2010. Handbook of digital forensics and investigation. London: Academic.

Carrier, B. D., & Grand, J., 2004. A hardware-based memory acquisition procedure for digital investigations. Digital Investigation, 1(1), 50-60.

Dolan-Gavitt, B., 2008. Forensic analysis of the Windows registry in memory. Digital Investigation, 5, S26-S32. doi:10.1016/j.diin.2008.05.003

My Criminal Justice Careers, (n.d.). Forensic Investigator Job Description. Available at: http://www.mycriminaljusticecareers.com/forensic-investigator/forensic-investigator-job-description/ [Accessed 3 Feb 2015].

Plass, M., 2011. Volatile Memory Forensics and VoIP. Available at: http://www.academia.edu/4856446/Volatile_Memory_Forensics_and_VoIP [Accessed 3 Feb 2015].

Prosise, Mandia, & Pepe, 2003. Incident response & computer forensics (p. 11). McGraw-Hill/Osborne.

Slay, J., & Simon, M., 2008. Voice over IP forensics. In Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop (p. 10). ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering).

Thomas, J., 2004. Who's behind your network? [VoIP fraud]. Communications Engineer, 2(6), 42-43.
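
The essay's point about ssdeep, that a conventional hash cannot relate two files differing by a few bits while a similarity hash can, is illustrated by the following added example, which is not part of the original essay or of ssdeep. It is a simplified teaching sketch of context-triggered piecewise hashing: the window size, block size, rolling sum, signature alphabet and the use of difflib for scoring are assumptions made here, the sample "files" are constructed random bytes, and real ssdeep uses a different rolling hash, adaptive block sizes and its own scoring.

```python
import hashlib
import random
from difflib import SequenceMatcher

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7    # bytes covered by the rolling sum (assumed value)
BLOCK = 64    # a boundary fires roughly once per BLOCK bytes (assumed value)
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193


def _fnv1a(chunk_hash, byte):
    """One step of 32-bit FNV-1a, used to summarise the current chunk."""
    return ((chunk_hash ^ byte) * FNV_PRIME) & 0xFFFFFFFF


def piecewise_signature(data):
    """One character per chunk; chunk boundaries are chosen by the content."""
    sig, chunk_hash, window_sum = [], FNV_OFFSET, 0
    for i, byte in enumerate(data):
        chunk_hash = _fnv1a(chunk_hash, byte)
        window_sum += byte
        if i >= WINDOW:
            window_sum -= data[i - WINDOW]       # keep only the last WINDOW bytes
        if window_sum % BLOCK == BLOCK - 1:      # content-defined boundary
            sig.append(ALPHABET[chunk_hash % 64])
            chunk_hash = FNV_OFFSET
    sig.append(ALPHABET[chunk_hash % 64])        # trailing partial chunk
    return "".join(sig)


def fixed_block_signature(data):
    """One character per fixed 64-byte block, for contrast."""
    sig = []
    for start in range(0, len(data), BLOCK):
        chunk_hash = FNV_OFFSET
        for byte in data[start:start + BLOCK]:
            chunk_hash = _fnv1a(chunk_hash, byte)
        sig.append(ALPHABET[chunk_hash % 64])
    return "".join(sig)


def similarity(sig_a, sig_b):
    """Ratio in [0, 1]; difflib stands in for ssdeep's edit-distance score."""
    return SequenceMatcher(None, sig_a, sig_b, autojunk=False).ratio()


def build_samples():
    """Constructed sample 'files': random bytes from a fixed seed."""
    rng = random.Random(2015)
    original = bytes(rng.getrandbits(8) for _ in range(8192))
    flipped = bytearray(original)
    flipped[4000] ^= 0x01                         # a single changed bit
    inserted = original[:4000] + b"EDIT" + original[4000:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(8192))
    return {"original": original, "flipped": bytes(flipped),
            "inserted": inserted, "unrelated": unrelated}


def compare(a, b):
    """Exact-hash verdict next to the two similarity scores."""
    return {
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "piecewise": similarity(piecewise_signature(a), piecewise_signature(b)),
        "fixed_block": similarity(fixed_block_signature(a), fixed_block_signature(b)),
    }


if __name__ == "__main__":
    files = build_samples()
    for name in ("flipped", "inserted", "unrelated"):
        result = compare(files["original"], files[name])
        print(f"{name:10s} sha256_equal={result['sha256_equal']} "
              f"piecewise={result['piecewise']:.2f} "
              f"fixed_block={result['fixed_block']:.2f}")
```

SHA-256 reports only "different" for the flipped and inserted copies, while the piecewise signature still scores them as near matches; the fixed-block signature loses everything after the four inserted bytes because every later block is shifted.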