Digital Evidence: Understanding The Process and Challenges - Assignment Example

 Digital Evidence: Understanding the Process and Challenges Table of Contents 1. Introduction---------------------------------------------------------------- 2 2. Computer Forensics and Digital Evidence i) Computer Forensics ------------------------------------------2 ii) What is Evidence? ---------------------------------------------3 Digital Evidence-------------------------------------3 Inculpatory and Exculpatory Evidence---------4 iii) Computer Forensic Methodologies Kruse and Heiser Model: 3 A’s Model----------4 KPMG Model------------------------------------------4 Dittrich and Brezinski Model-----------------------5 Yale University Model-------------------------------5 iv) Lifecycle of Computer Forensic Crimes Initial Examination of Crime Scene---------------6 Examination of Physical Evidence--------------- 7 Live Vs. Dead Analysis-----------------------------8 Chain of Custody------------------------------------ 9 v) Jurisdictional and Legal Issues ----------------------------10 vi) Safety of Investigators-----------------------------------------10 vii) Digital Vs Physical Information-----------------------------11 viii) Description of Attacks---------------------------------------- 11 Attempts of Criminals to Conceal Attacks-------- 12 ix) Problems faced by Computer Forensic Investigators-13 x) Tools used in Computer Forensics--------------------------14 Reliability of the software and hardware--------15 3. Conclusion----------------------------------------------------------------15 4. References-----------------------------------------------------------------17 5. Bibliography----------------------------------------------------------------18 Digital Evidence: Understanding the Process and Challenges 1. Introduction: Computers, Internet and various other communication tools have become very popular in the recent years and are now an integral part of everyone’s life making life simpler and easier. Unfortunately, such a rapid growth in technology has encouraged criminals to utilize the same to commit crimes. Traditional and newer forms of crimes are now increasingly being committed with the use of computers (Sahu, 2008, p.85). Computer crimes can be defined as crimes that are committed using the computer as a tool or target of the crime. Some times computers are used to store records or evidence related to the crimes (Shinder & Tittel, 2002, p.5). The rapid increase in cyber crimes is posing serious problems for criminal investigators and law enforcement personnel (Sahu, 2008, p.86). In a computer assisted crime evidence is stored in computers or digital media. This paper deals with the processes and challenges involved in identifying, recovering, securing, examining, analyzing and preparing digital evidence from a crime scene. 2. Computer Forensics and Digital Evidence: i) Computer Forensics: Computer Forensics can be defined as “the collection of techniques and tools used to find evidence in a computer” (Reith, Carr & Gunsch, 2002, p.2). It generally includes three steps. Acquire: Evidence from a crime scene should be acquired without any damage to the original Authenticate: The acquired data should be the same as the original one. Analyze: The information or evidence procured should be analyzed (Lessing, 2008, p.5). Computer Forensics is a comparatively new branch of the crime investigational system and involves collecting digital evidence from the crime scene by the analysis of the computers systems, networks and servers in addition to numerous other digital devices (Sahu, 2008, p.86). ii) What is Evidence? Evidence in any form can be defined as “proof or probative matter that is legally presented at the trial of an issue, by the act of the parties and through the medium of witnesses, records, documents and objects. From a computer related crime scene both physical and digital evidence can be collected. Physical evidence is the computers and its peripherals while digital evidence is the visuals on a monitor, the materials printed using a printer and any other form of digital storage medium (Tipton & Krause, 2007, p.2786). Digital Evidence According to the Standard Working group on digital evidence digital evidence can be defined as “any information on probative value that is either stored or transmitted in a digital form”. Inculpatory and Exculpatory evidence Inculpatory evidence often proves that a person is guilty of the crime while, exculpatory evidence does the opposite or proves that the person is not guilty of the crime (Gladyshev, 2004, p.13). iii) Computer Forensic Methodologies: There are a number of methodologies that have been developed over the years to facilitate computer forensic investigations. They are as follows: Kruse and Heiser Model: 3 A’s Model There are 3 steps in this model. They are Acquire, Authenticate and Analyze. The acquire phase is the methods through which the evidence is collected from the original without any alterations and includes steps such as Handling the evidence Chain of custody Collection and identification Storage and documentation of the evidence. The authenticate phase is verifying whether the original and the acquired evidence is the same and the analysis phase the data collected is analyzed without causing any alterations to it (Mc Combie & Warren, 2003, pp.1-2). KPMG Model: This methdology devised by Rodney McKemmish includes four steps. They are as follows: Identification Preservation Analysis Presentation of digital evidence. The model also includes certain rules. Mckemmish feels that the original digital evidence should be handled minimally and any change in the original should be accounted for. Also the examiner should understand his knowledge limitations and should comply with the rules of the evidence (Mc Combie & Warren, 2003, p.2). Dittrich and Brezinski Model: According to Dittrich and Brezinski the method of forensic examination should follow the steps listed below: A plan should be formulated by the investigators after which the scene of the crime should be reached. The crime scene should be secured to prevent any unwarranted intrusion. After the preliminary steps the layout of the crime scene should be understood and the evidence should be searched for, retrieved and processed (Mc Combie & Warren, 2003, p.2). Yale University Model: This model has been designed by Eoghan Casey. After preliminary considerations by the investigators planning for collecting digital evidence should be done. The collected evidence should be recognized, preserved, collected and then documented. The classification and comparison of the evidence should follow. Casey also recommends 3 types of evidence collection from the crime scene. The entire computer can be seized or just the digital evidence on a computer can be collected leaving out the hardware or a particular portion of the evidence on a computer can be collected. iv) Lifecycle of Computer Forensic Crimes: Initial Examination of Crime scene Once a crime has been reported the criminal investigator needs to conduct an initial examination of the crime scene. After which evidence should be collected. Also it is imperative that a potential suspect in the crime should be removed from the scene as soon as possible to prevent any damage or alteration to potential evidence (Moore, 2005, p.85). No one inside the crime scene should be allowed to touch any electronic devices and infra red connectivity should be cut off. The investigator should first do a manual sketch of the crime scene before anything in the scene is moved from its original place. The place where the crime has taken place should also be photographed. Both the manual drawing (drawn to scale) and the photograph should include the entire layout of the computers and the desks including the exact dimensions. The configuration of all the computers in the network and the configuration of computer through which the crime has been conducted in particular should be noted. The suspect computer’s peripherals, the connections of the peripherals and the computers back plane should also be registered. The display of the computer which the investigator suspects of the crime should be photographed and sketched. The monitor of the suspect computer can be videotaped too. If the CPU of the suspect computer is switched off no attempts should be made to switch it on with out the help of an expert (Moore, 2005, p.87). Any network connections and phone connections should be switched off to prevent damage to the evidence by others this is done (Moore, 2005, p.88). All the files that are running in RAM needs to be saved to the hard disk and then closed out. Also all programs running in the task bar of the computer should be restored to the original size and then photographed (Moore, 2005, p.89). After this the computer should be shut down. The external cover of the computer should be removed and insides of the computer should be photographed and sketched. The internal and external drives should be identified. The drives and removable drives like floppy and compact discs should be removed, labeled and packed separately. All printouts and storage devices should be removed and accounted for. All peripheral devices should be checked and any evidence should be collected (Tipton & Krause, 2007, pp.2799-2800). Also the computer devices should be transported safely in such a manner that the evidence in them is not compromised in any manner. Examination of Physical evidence Physical evidence is the objects that can prove that crime has been committed and the relationship between the crime and the victim. In a computer related crime the CD-ROM, the computer, hard disk are all physical evidence (Carrier & Spafford, 2003, p.6). Physical evidence can be secured in two ways. A forensic copy of the physical evidence can be made or the original computer hardware and media can be seized for forensic analysis (Bag and Tag method) (Johnson, 2005. p.101). The physical evidence is then analyzed and processed using tools available. Live Vs Dead Analysis Live analysis is a newer form of computer forensic analysis while dead analysis is a more traditional one (Lessing, 2008, p.2). Dead analysis is done on a suspect computer that has been switched off as a preventive measure to avoid malicious code to destroy potential evidence (Lessing, 2008, p.7). In dead analysis the suspect computer is switched off the hard disk removed and copied. The copied hard disk is attached to the forensic system for analysis (Lessing, 2008, p.8). The advantages in dead analysis are that the chances of data modification are minimal and volatile data recovery is also possible in some cases (Lessing, 2008, p.9). However the evidence which is crypto graphed and the volatile data available in the networks cannot be analyzed by this method. Also the sheer volume of data that is to be analyzed poses a problem for the investigators. There are no standardized procedures and the evidence got through this method can easily be declared inadmissible by the defense during court proceedings (Lessing, 2008, p.10). Live analysis is often done on a computer system which is switched on during the entire process (Lessing, 2008, p.11). Even volatile data from the networks can be collected with this method and only relevant data is gathered (Lessing, 2008, p.13). However, the analysis has the problem of data modification. The evidence can easily be spoilt using anti forensic kits. Also the analysis generates slurred images and the limited information that is deciphered is also a problem sometimes (Lessing, 2008, p.14). The access to the suspect computers during the complete duration of the analysis is not always possible. The live analysis often becomes impossible due certain operating systems that the suspect computer is running on (Lessing, 2008, p.17). Chain of Custody In any type of criminal investigation the people who handle the evidence in the crime scene need to be accounted for. In other words to prevent any alterations or tampering of the evidence and to trace any such incidents everyone who handles the evidence is documented for. This holds good for digital evidence or computer related evidence. This is done to prevent the defense lawyers to proclaim that the evidence that has been presented in court is not admissible as it has been tampered with. The defense lawyer can argue that the investigators have altered the original evidence in a way to convict the accused. The chain of custody refers to the sequential documentation of various procedures such as seizure, analysis and transfer of evidence. The chain of Custody should include the following: Who obtained the evidence? Where and when the evidence was procured/ Who acquired the evidence and who had the control of the evidence till it was presented in the court? (Tipton & Krause, 2007, p.2787). v) Jurisdictional and Legal Issues related to digital evidence Jurisdiction is the area in which crime has been committed and any adjacent area that the criminal has passed through or any evidence related to the crime is found. Traditional crimes are restricted to a particular area. However, in computer related crimes jurisdiction becomes a big issue as the computer networks scan various countries and computer crimes are normally committed remotely and the identification of place of operation of the criminals is not easy to find out. It is imperative that the fourth amendment of the United States Constitution a search warrant should be issued that should detail the things and places that need to be searched for to retrieve evidence from the crime scene (Moore, 2005, p.76). The computer forensic investigator should comply with all legal and technical aspects while collecting digital evidence. Care should be taken to see that all stipulated procedures are followed while collecting digital data from the crime scene. An illegal collection and presentation of digital data is normally inadmissible in the court of law (Shinder &Tittel, 2002, p.587). Only when the digital evidence is collected correctly and properly is it admissible in court and has greater chances of convicting the attacker. vi)Safety of Investigators It is always advisable to ensure that the physical safety of the criminal investigators. A “protective sweep” is conducted by security personal to rule out any safety problems for the investigators. The safety of the investigating officers and other individuals in the crime scene are very significant. The investigative officers should check the area for any dangerous material, smells and weapons. All physical threats should be minimized and any people whom the investigator thinks would be harmful are impounded by the investigators (Travis & Rau, 2000, p.12). vii) Digital Vs Physical Information Computer aided crimes are now solved based on the digital evidence or digital information. There are certain significant differences between digital and physical information (Kerr, 2007, p.222). Physical information is normally gathered from the crime scene only. However, digital evidence can be gathered by the investigators even away from the physical boundaries of the crime scene. Digital evidence is difficult to destroy however; it can be easily altered, duplicated and tampered with. It is more easily available than physical information and offers better insights into the crime scene that physical ones (Barbara, 2007, p.65). The volatility of the digital evidence is one major distinguishing factor. Also the digital information might be available in many different formats and in numerous places. The sheer volume of the digital information, the danger that the information can be easily destroyed and its associated complex technical details are all factors which distinguish it from the physical information (Pollitt, 2007, p.66). viii) Description of Attacks Electronic attacks have now become a common happening in this digital age. Attacks can either be direct physical attacks on the computer systems or network based attacks carried out remotely. The attacker may also come from within the organization or may be from an outsider (Chen & Davis, 2006, pp.1-2). Attacks can be broadly classified as Sniffing attacks, session hijacking, exploits (OS exploits or application exploits), password attacks, denial of service, worms, viruses and spam (Chen & Davis, 2006, p.3.). Attempts of Criminals to Conceal Attacks Computer criminals always leave tracks. The crime can be solved if the tracks are found. However, it is not always an easy task as the criminals always do everything in their power to conceal their tracks. The following are some of the techniques that are generally used in computer related crimes (Marcella & Menendez, 2008, pp.49-83). Spoliation- Destruction or alteration of evidence Encryption: The process of converting evidence into almost unreadable form without expert knowledge. Spoofing: The criminals camouflage their true identity Hijacked Session Attacks: The criminals take over already logged in internet sessions and execute criminal activities. However, it would seem that the original owner of the session is executing the criminal activity. Stenography: The criminals use this method to hold covert communications which can’t be deciphered easily by the investigator. Anti-forensic kits: The criminals use anti-forensic kits which erase files and computer communication records easily. File Compression Techniques: The criminals use file compression techniques to conceal criminal activities and to prevent activating any internal control mechanisms. ix) Problems faced by Computer Forensic Investigators One of the main problems of the computer forensics process is the time consuming activity of creating bit stream copies of the digital evidence for data storage and evidence collection (Mc Combie & Warren, 2003, p.1). There are no standard procedures and training for the investigators to follows during digital evidence collection. This often results in improper evidence collection, analysis and storage (Casey, 2004, p.3). Also digital data is not complete. Digital evidence is obtained as a result of a person instructing the computer to do something. An investigator is able to decipher only partial views of what happened (Casey, 2004, p.16). Digital evidence is circumstantial. Also digital data can be easily altered either intentionally or purposefully. Also an investigator faces a difficulty in convicting a person of a crime with only the digital evidence. Normally additional information is required to convict a person (Casey, 2004, pp.16-17). Also there is no published and accepted literature on digital forensics. This leads to many problems with the admissibility of evidence in the court of law based on the Daubert Guidelines (Johnson, 2005, p.175). In the field of computer forensics the federal resources are limited and there is a dependency on private computer forensic investigators. However, this trend needs to be changed and more federal and state agencies should enhance their skills to investigate computer related crimes (Moore, 2005, p.10). x) Tools used in Computer Forensics Any computer forensics personnel need these following basic tools: Imaging equipment: Imaging equipment allows the investigators to make bit stream copies of hard disks of computers in the crime scene onto any write protected storage device (Shinder &Tittel, 2002, p.585). Drive duplicating units: These tools are used to make an exact copy of the hard disk drive of a computer. Graphic and File Viewer: These tools convert the binary data in the electronic media into images or documents thereby helping the investigator to view the information easily. File Retrieving Utility: This helps the investigator to retrieve information that has been deleted by the suspect without being overwritten (Johnson, 2005, pp.104-106). Forensic Workstations: These comprehensive forensic workstations have computers that facilitate the analysis and reconstruction of the evidence that has been copied using the imaging software (Shinder &Tittel, 2002, p.585). Forensic software: EnCase: User friendly computer forensics program used for comprehensive forensic analysis. Safe Back: This tool is used for copying data from the computer used for the crime (Moore, 2005, p.69). MemoryDump, NotMyFault, Live Response Tool Kit: Live Forensic analysis software tools (Lessing, 2008, p.23). Other tools used in Forensic Analysis: Maresware, DIBs MyCroft, Ontrack, CaptureIt, Smart, Forensic X (Johnson, 2005, p.16). Reliability of the software and hardware The forensic tools are quite reliable. Newer technologies are being developed to enhance the reliability of the tools. Newer technologies in disk copy programs have made it possible for bit by bit disk copy of the suspect disk drive (Moore, 2005). The use of Encase to analyze digital evidence has been accepted by the court in many instances (Moore, 2005, p.72). 3. Conclusion: The advent of computer technology has increased the incidence of computer related crimes. Computer forensics is relatively newer criminal investigative technique that acquires, authenticates and analyzes digital evidence from a cyber crime scene. There are various computer forensic methodologies. Digital evidence is generally stored on different types of magnetic disks. Evidence can either be inculpatory or exculpatory. The investigator generally does an initial examination of the crime scene before examining the physical evidence. The evidence collected is then analyzed either using live or dead analysis techniques. All the processes related to the digital evidence are then documented for. However, digital evidence has certain jurisdictional and legal issues with the investigators also facing certain challenges. There are also certain significant differences between physical and digital information. The investigator’s physical safety is of paramount information. There are different types of cyber attacks and the criminals do everything in their might to cover their tracks. There are a variety of tools and software used for cyber forensic analysis which makes the work of the investigator easy. References: Chen, T.M. and Davis, C. (2006) Digital crime and forensic science in cyberspace. Hershey:Idea Group Inc. Carrier, B. and Spafford, E.H. (2003) Getting Physical with the Digital Investigation Process. International Journal of Digital Evidence. 2,(2). Casey, E. (2004) Digital Evidence and Computer Crime. St.Louis: Academic Press Lessing , M. (2008) Between Life and Death. Retrieved from http://researchspace.csir.co.za/dspace/bitstream/10204/3027/1/Lessing1_2008.pdf. GladyShev, P. (2004) Legal View of Digital Evidence. Retrieved from http://www.gladyshev.info/publications/thesis/chapter2.pdf. Johnson, T.A. (Eds.) (2005) Forensic Computer Crime Investigation. New York: Taylor and Francis. Kerr, O.S. (2007) Digital Evidence and the New Criminal Procedure. In Balkin.J.M., Grimmelmann, J, Katz, E., Kozlovski, N., Wagman,S and Zarsky,T (Eds.) Cybercrime. (pp.221-268). New York: New York University Press. McCombie, S and Warren, M. (2003) Computer Forensics: An Issue of Definitions. Retrieved from http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2003/forensics/pdf/14_final.pdf. Moore, R. (2005) Search and Seizure of Digital Evidence. New York: LFB Scholarly Publishing LLC. Marcella, A.J. and Menendez, D. (2008) A Field Manual for Collecting, Examining and Preserving Evidence of Computer Crimes. New York: Taylor and Francis Group. Pollitt, M.M. (2007)The Digital Crime Scene. In John.J.Barabara (Ed.) Handbook of Digital and Multimedia Forensic Evidence. (pp.65-76) London: Springer. Reith, M., Carr, C. and Gunsch, G. (2002) An Examination of Digital Forensic Models. International Journal of Digital Evidence. 1, (3). Shinder. D.L. and Tittel, E. (2002) Scene of the Cybercrime: Computer Forensics Handbook. St.Louis: Syngress. Sahu, K.B. (2008) Need for an Overhaul in Investigation and Prosecution of Cyber Crimes in India. Retrieved from www.iceg.net/2008/books/2/10_85-88.pdf. Tipton, H.F. and Krause, M. (2007) Information Security Management Handbook. (6th ed.). Florida: CRC Press. Travis, J. and Rau, R.M. (2000) Crime Scene Investigation. Retrieved from www.ncjrs.gov/pdffiles1/nij/178280.pdf Bibliography: Chaski, E.C. (2005) Who’s At The Keyboard? Authorship Attribution in Digital Evidence Investigations. International Journal of Digital Evidence. 4,(1). Carney, M and Rogers, M (2004) The Trojan Made Me Do It: A First Step in Statistical Based Computer Forensics Event Reconstruction. International Journal of Digital Evidence.2, (4). Casey, E. (2002) Error, Uncertainty, and Loss in Digital Evidence. International Journal of Digital Evidence.1, (2). Kearsly, A.J. (1999) Electronic Document Management. Computer Law and Security Report. 15, (3). Marcella, A.J. and Greenfield, R.S. (2002) Cyber forensics: a field manual for collecting, examining, and preserving evidence of computer crimes. Florida: CRC Press. Olivier, M.S. and Shenoi. S. (2006) Advantages in Digital Forensics II. London:Springer. Stephenson, P. (2004) The Application of Formal Methods to Root Cause Analysis 0f Digital Incidents. International Journal of Digital Evidence.3, (1). Smith, R.G., Grabosky, P.N. and Urbas, G. (2004) Cyber Criminals on Trail. Cambridge: Cambridge University Press. Tilstone, W.J., Savage, K. A. and Clark, L.A. (2006) Forensic science: an encyclopedia of history, methods, and techniques. Oxford: ABC-CLIO. Talleur, T. (2002) Digital Evidence: The Moral Challenge. International Journal of Digital Evidence.1, (1). Read More