Independent Expert Witness Use of Computer Forensic - Coursework Example

Summary
The paper "Independent Expert Witness Use of Computer Forensic" highlights that generally, now many educational institutions are offering computer forensics degrees, and related education has become a minimum requirement to stay competitive in the industry…

Independent Expert Witness’s Use of Computer Forensic

Computer forensics is the preservation, identification, extraction, interpretation, and documentation of computer evidence including legal processes, integrity of evidence, factual reporting of the information found, and ability to provide expert opinion in a court of law or other legal proceeding as to what was found. A computer forensics investigator is trained in combating crimes ranging from crimes against children to file system recovery on computers that have been damaged or hacked. The computer forensics investigator, also known as a computer forensics specialist, recovers data from digital media that will be used in criminal prosecution. Special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data. Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Introduction

Computer crime is one of the fastest growing areas of crime in the world. With the internet expanding its boundaries and email becoming the more prevalent way to communicate in business as well as on a personal level, computers have become extremely vulnerable to attack. This has created an increased need for individuals educated in computer forensics or computer forensic investigators. Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums. It is also known as digital forensics. Developments in the world have shown how simple it is to acquire all sorts of information through the use of computers. This information can be used for a variety of endeavors, and criminal activity is a major one.
In an effort to fight this new crime wave, law enforcement agencies, financial institutions, and investment firms are incorporating computer forensics into their infrastructure. Computer forensics has different facets, and is not just one thing or procedure. At the basic level, computer forensics is the analysis of information contained within and created with computer systems, and techniques and methodologies are used for conducting computing investigations, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved (Laubscher, Rabe, Olivier, Eloff and Venter, 2005). Computer forensics is all about obtaining the proof of a crime or breach of policy. It is about obtaining the proof of an illegal misuse of computers in a way that could lead to the prosecution of the culprit.

Reasons to employ the techniques of computer forensics

There are many reasons to employ the techniques of computer forensics. First, in legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants or litigants. Second, they are used to analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did. They are needed to gather evidence against an employee that an organization wishes to terminate. They are required to gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering. They are helpful to recover data in the event of a hardware or software failure.

Warren G. Kruse and Jay G. Heiser (2001) say that computer security is a crucial aspect of modern information management, and one of the latest buzzwords is incident response, i.e. detecting and reacting to security breaches.
Computer forensics offers information professionals a disciplined approach to implementing a comprehensive incident-response plan, with a focus on being able to detect intruders, discover what damage they did, and hopefully find out who they are.

Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review. Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator.

Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys and methodology. Forensic analysis is much easier when analysts have the user's passphrases to access encrypted files, containers, and network servers.

Traditionally, computer forensic investigations were performed on data at rest. This can be thought of as a dead analysis. Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased. In many cases, information is gathered during a computer forensics investigation that is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the space allocated for existing files, known by computer forensic practitioners as slack space. Special skills and tools are needed to obtain this type of information or evidence.
There are many reasons to employ the techniques of computer forensics:

* In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
* To recover data in the event of a hardware or software failure.
* To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
* To gather evidence against an employee that an organization wishes to terminate.
* To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

There are five basic steps in computer forensics:

1. Preparation (of the investigator, not the data)
2. Collection (the data)
3. Examination
4. Analysis, and
5. Reporting

The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated. There are many tools to be used in the process. One should determine the proper tool to be used based on the case.

Examination Process

* Computer forensic investigations should always be conducted by a certified computer forensic examiner, using licensed equipment to ensure validity in court and to prevent tainting of the evidence.
* Establish a chain of custody. Be aware at all times where any items related to the investigation are located. Use a safe or cabinet to secure items.
* Maintain the integrity of the original media.
* Catalog all information. This includes active, archival, and latent data. Information that has been deleted will be recovered to whatever extent possible.
* Additional sources of information are obtained, as the circumstances dictate.
* The information will be analyzed and interpreted to determine possible evidence.
* Submit a written report to the client with findings and comments.
* If needed, provide testimony at a deposition, trial, or other legal proceeding.

Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROM, USB memory devices, and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (National Institute of Standards and Technology). Special care must be taken when handling computer evidence. As most digital information is easily changed, and once changed it is usually impossible to detect that a change

All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Qualities needed for a good forensics professional

A good forensics professional needs to be a half-engineer and half-lawyer, and a computer expert to complete the mission. An expert witness is a person qualified to testify as an expert because he has special knowledge, skill, experience, training or education sufficient to qualify him as an expert on the subject to which his testimony relates. Depending on what your matter is, criminal or civil, the role of an expert witness is to provide testimony based upon facts and the utilization of his or her life's experience.

In the area of criminal law, law enforcement has taken on a role to curb, if not try to eliminate, computer crime. A computer forensic investigator investigates computer crime. Usually, after detecting that a crime has been committed, the law enforcers should issue a search warrant before the investigation can commence. Computer-based assessment forensics needs permission to collect evidence and analyze the evidence even before one suspects misconduct.
Boyd & Forster (2004) suggest that special care should be taken to ensure the authentication and integrity of the time and date stamps of the objects in evidence collection. Electronic documents will only stand up in court if the who, what and when they represent are unassailable (Tan, 2001). The first step to convince a jury that only the suspect could have committed the fraudulent transaction is to ensure that the investigation is forensically sound. The investigation process must be documented and be repeatable (Melia, 2002). For computer-based assessments a checklist could be utilized to ensure that all steps in the proposed forensic process are followed. Proper documentation of all forensic activities should also be recorded on a pre-designed form, indicating when, how and by whom the activity is completed.

Before working with the computer, the investigator must study the computer user and ensure that he/she can understand the nature of the investigation before beginning the forensic investigation. What many computer forensic experts fail to do is understand what they are up against. They often assume that the case is just another case where they mirror a hard drive and let the software do the work. This can prove dangerous when the investigation involves a computer utilized by a highly knowledgeable user who may have installed countermeasures against forensic techniques that can damage or destroy the evidence. Often these types of countermeasures are activated when the user fails to perform some function on the computer. Countermeasures aside, knowing about the user, what they used the computer for and the bigger picture is vital to formulating the search and conducting an intelligent and relevant investigation. This will save time for the investigator and money for the client.

The information generated as a result of a computer forensic investigation must follow the standards of admissible evidence just like any other crime.
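The documentation requirement above (when, how and by whom each activity was completed, with the integrity of the media maintained) can be made tamper-evident in software. The following Python sketch is an added example, not part of the original coursework: it hashes evidence files and keeps a custody log in which each record commits to the one before it. The record fields, examiner names, item label and timestamps are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # "previous hash" used by the first record


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _record_hash(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def append_record(log, when, who, how, item, item_sha256):
    """Add a custody record that commits to the hash of the record before it."""
    body = {"seq": len(log), "when": when, "who": who, "how": how,
            "item": item, "item_sha256": item_sha256,
            "prev": log[-1]["record_hash"] if log else GENESIS}
    log.append({**body, "record_hash": _record_hash(body)})


def verify_log(log):
    """Return the index of the first inconsistent record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if (body.get("seq") != i or body.get("prev") != prev
                or _record_hash(body) != rec.get("record_hash")):
            return i
        prev = rec["record_hash"]
    return None


def demo():
    """Run the workflow on constructed data; all names and times are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "original.dd")
        copy = os.path.join(tmp, "working_copy.dd")
        for path in (original, copy):
            with open(path, "wb") as fh:
                fh.write(b"constructed sample sector data " * 4096)

        log = []
        append_record(log, "2024-01-01T09:00:00Z", "Examiner A",
                      "seized, sealed in bag 17", "disk-001", sha256_file(original))
        append_record(log, "2024-01-01T11:30:00Z", "Examiner B",
                      "imaged behind write blocker", "disk-001", sha256_file(copy))
        copy_ok = log[0]["item_sha256"] == log[1]["item_sha256"]
        intact = verify_log(log)

        log[0]["who"] = "Examiner C"          # after-the-fact edit of the form
        edited_at = verify_log(log)
        with open(copy, "r+b") as fh:         # a single changed byte in the copy
            fh.seek(10)
            fh.write(b"X")
        copy_still_ok = sha256_file(copy) == log[1]["item_sha256"]
    return copy_ok, intact, edited_at, copy_still_ok


if __name__ == "__main__":
    print(demo())
```

The chain only exposes edits if the most recent `record_hash` is also written down somewhere the log's keeper cannot alter, such as the signed paper form; otherwise anyone who can rewrite the whole log can recompute every hash.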
Digital evidence can be contaminated. So a knowledgeable computer forensics investigator would know to follow strict evidence handling protocols, to document each step and to always preserve the chain of custody of the evidence. If such steps are not followed, the original data may be changed or destroyed and may not hold up in court.

Once the investigator is ready to begin the investigation and is at the location where the computer in question is, the investigator should always examine the machine and the surrounding work area for evidence. Items like notes that may contain passwords, file names and locations or security instructions are obviously of great value. The investigator should also look for and document any recordable media or removable storage devices such as thumb drives or MP3 players. These may contain data germane to the investigation.

Once the area has been searched and documented, the computer forensic investigator must record all open applications if the machine is still active. If the case may require collecting data from the RAM module, significant additional steps are required at this point. This is due to the fact that current RAM chips cannot be analyzed for prior content after erasure and power loss with any real probability of success. Once the applications have been documented, the system should be powered down in a way that is least damaging to data currently in memory and to the data stored on the hard disk.

The hard drives can be duplicated or mirrored. It is vital to use some kind of hardware write protection to ensure that no writes will be made to the original drive. Even if operating systems like Linux can be configured to prevent this, a hardware write blocker is the best practice. The image is made to another hard drive or other storage media.

Special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data.
Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation (Rowlingson, 2004).

Evidence collection tools

The forensic process employs a key logger to record primary evidence for a potential infringement of assessment regulations. Traditional key loggers record every keystroke and mouse action made by the computer user on which it was activated. Current key loggers have extended functions and record all computer activities including web sites visited, applications accessed, keystrokes, files and folders accessed. Logs create evidence by capturing the nature and duration of the transaction through time and date stamps of the logon sessions and by verifying that the suspected violator’s unique user id and password were used to initiate these logon sessions (Melia, 2002).

Activate the key logger and logs when preparing the computer lab for the assessment. This captures the actions of the person preparing the lab for the assessment and could be used to verify the reliability and integrity of the evidence captured for learners. Even the CCTV camera should be activated when the computer lab is prepared prior to the commencement of the computer-based assessment. In this way the computer-based assessment forensic process should be more reliable as well as authentic.

The forensic process could be highly labor intensive and will delay the results of the computer-based assessment. To overcome this burden, human intervention should be restricted to the minimum in the computer forensic process. The forensic process should be automated as far as possible.

In computer forensics, there are three types of data that we are concerned with: active, archival, and latent.

* Active data is the information that can be seen: data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
* Archival data is the data which has been backed up and stored. This could consist of backup tapes, CDs, floppies, or entire hard drives, to cite a few examples.
* Latent data is the information that one typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten.

A computer investigation could entail looking at all of these data types depending on the circumstances (Nelson, Philips, Enfinger, and Steuart, 2007). Once a computer forensics investigator retrieves the necessary information, they will prepare very detailed and technical written reports on the collected data that will later be presented in court. Part of the computer forensics investigator job description is to testify in court regarding the information they had recovered and the methods they used to recover that information.

Conclusion

Computer forensics consulting firms or freelance computer forensic investigators are also hired by large corporations to test the information systems security they have in place. Computer forensic specialists will mimic how a malicious hacker might attempt to gain access to a corporation's computer network. Computer forensics is considered to be a new field, and there has not been a consistent range of requirements or qualifications set across agencies. Many individuals gained their training and skills in computer forensics by working in law enforcement or the military. Now many educational institutions are offering computer forensics degrees, and related education has become a minimum requirement to stay competitive in the industry.

References

Boyd, C. and Forster, P. 2004. Time and date issues in forensic computing: a case study. Digital Investigation.
Melia, J. 2002. Linkin’ Logs to Fraud: The secret to a successful Computer Fraud investigation is Proper Logging and Audit-Trail Reports. Security Management. [Online]. Available at: http://www.securitymanagement.com/library/001335.html [Accessed 30 March 2005].
National Institute of Standards and Technology. 2004. PDA Forensic Tools: An Overview and Analysis. [Online]. Available at: http://www.csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf [Accessed 31 May 2007].
Nelson, B., Philips, A., Enfinger, F. and Steuart, C. 2007. Guide to Computer Forensics and Investigations, 3rd edition. Boston: Thomson Course Technology.
Laubscher, R., Rabe, D., Olivier, M., Eloff, J. and Venter, H. 2005. Advances in Digital Forensics, Volume 194/2005, pages 105-112. Boston: Springer Boston.
Rowlingson, R. 2004. A Ten Step Process for Forensic Readiness. International Journal of Digital Evidence, Vol. 2:3.
Kruse, W. G. and Heiser, J. G. 2001. Computer Forensics: Incident Response Essentials. Addison-Wesley Professional.