Peculiarities of Digital Forensic - Coursework Example

Digital Forensic Definition Forensics is the procedure of using scientific data collection, examining, and giving proof to the courts. Forensics deals mostly with the revival and study of concealed proof. Hidden evidence can take several forms, from fingerprints left on a window to DNA confirmation procured from blood stains to the files on a hard drive. Since computer forensics is a fresh discipline, there is less consistency and reliability across the courts and industry. Consequently, it is yet to be recognized as a prescribed scientific discipline. Computer forensics may be defined as the discipline that merges fundamentals of law and computer science to gather and study data from computer systems, networks, wireless communications, and storage devices in such a way that is acceptable as proof in a court of law. Importance of computer forensics Addition of the skill to practice proper computer forensics will help to make sure the general reliability and survivability of the network is maintained. Any organization can consider computer forensics as an innovative basic element recognized as a ‘defense-in-depth’ strategy to network systems and computer protection. Such as, accepting the lawful and technological features of computer forensics will assist to capture very important information if the network is compromised and will assist to put on trial the case if the intruder is caught. Ignoring the computer forensics the organization is taking a risk by obliterating very important evidence or having forensic proof not allowed in a court of law. In addition, the organization may run a foul of fresh rules that consent regulatory conformity and assign legal responsibility if certain types of data are not effectively protected. Latest legislation holds organizations responsible in civil or criminal court if they fail to defend customer information. Computer forensics is as well significant since it can save organization’s funds. Several administrators are assigning a larger portion of their information technology finances for computer and network protection. Almost all organizations are installing network defense systems, for instance intrusion detection systems (IDS), firewalls, proxies, and the like, those all provide on the defense condition of networks. As per the technological perspective, the major objective of computer forensics is to recognize, gather, save, and examine information in a systematic method that safeguard the reliability of the evidence gathered, consequently it can be used efficiently in a legal case. Computer forensics investigators have to know the kind of latent evidence they are looking for in order to structure their exploration. Offense linking a computer can range across the criminal activities from child pornography to stealing of individual information to destruction of intellectual property. Further, the investigators have to choose suitable tools to use. Files could be deleted, spoiled, or encrypted, and the investigators have to be familiar with an array of techniques and software to avoid additional damage in the recovery procedure (US-CERT n. pag.) The legal context Digital forensic proofs are and have to be well thought-out in light of the lawful background of the subject at hand. This context includes, the jurisdictions concerned; the nature of the case, whether it is civil or criminal; limitations on elements of the case for example searches and seizures; procedural necessities of legal cases; the schedule is frequently discouraging in legal matters and in several cases there is less time to do the things that have to be done concerning to the digital forensic proof; the schedule of the case may as well impact the progression in which evidence is dealt with; expenditure is significant issue since merely limited fund available. And further policies and plans of the case may restrict the approaches that may be taken to the digital forensic evidence; accessibility of witnesses and proof is often limited; conditions frequently restrict the usefulness and applicability of digital forensic proof; earlier declaration of witnesses frequently make condition in that digital forensic proof is applied to prove or disprove those declarations; and notes and other connected materials are potentially subject to subpoena in legal matters, and hence, assumptions on notes, Faxes, and drafts of expert reports in addition to other related material might be ascertainable and used to counter the work of the experts. There are several other analogous lawful related subjects that force the digital forensics procedure and the work of those who take on those procedures. Even as it is the job of the attorneys to limit the labors of the digital forensics evidence personnel in these views, it is the job of the personnel to make out what they are doing and how to do it correctly in the legal context. The processes involved with digital forensic evidence Although there are several other descriptions of the procedures concerned in managing digital forensic evidence (DFE), the viewpoint adopted here will take for granted, without limit, the DFE must be recognized, collected, preserved, transported, stored, examined, interpreted, accredited, perhaps restructured, presented, and, based on court orders, destroyed. A systematic method must be used to meet all these legal standards of the jurisdiction and the case. Data collection To facilitate for use in court, recognized proof must be collected in such a manner as to preserve its reliability all through the procedure, together with the maintenance of information connected to the sequence of safekeeping under which it was collected and conserved. New case rule has recognized that there is an obligation to safeguard digital forensic proof once the holder of that proof is or rationally should be conscious that it has prospective significance in a legal matter. The difficulty with this procedure at present is that the capacity of storage space necessary has become large in many cases and this procedure likely to be highly troublesome of operating businesses that use these computers continuously. Protection of appropriate log files and inspection information is mainly important and must always be identified and conserved. The data for example system crashes and reboots may be crucial to a case since corrupt file content may be created by such events and with no logs to prove what occurred when, that corruption may not be able to be submissive with the need for defense of the clarity of the proof. Analysis, interpretation, and attribution Analysis, interpretation, and attribution of proof are the complex features faced by the majority forensic analysts. In the digital forensics, there are generally only a finite number of probable occurrence series that could have formed proof; but, the real number of possible series might be nearly incomprehensibly huge. In fact, nearly any execution of an instruction by the computing situation holding or creating the proof can have an impact on the evidence. The user identity specified in the log file may be linked with a human or group, and this makes a primary attribution that can then be used as a source for further efforts to attribute to the standard of proof requisite. Of course the presence of this record in an audit trail doesnt mean that the program was ever run at all or that the thing the record indicates ever took place or that the user identified caused the events of interest. There are several probable series of events that might effect in the existence of such a record. For instance, and devoid of restricting the whole probable occurrence series, the record might have been positioned there maliciously, it might be a record created by another program that looks alike to the program being considered, and the record might have been created by Trojan horse acting for the user and various other reasons. The analyst looking for to understand the proof must try to find the different clarification for evidence in trying to know what really happened and how confident they are of the claim they make. It is quite natural for the experts to make leaps and show conclusion that are not reasonable. In networked settings, there are possibly far more sequences of bits that might be pertinent to the issues in the matter within reach. Consequently, there is possibly more evidence accessible, and the study and understanding of that bigger body of proof guides to potential logical and interpretive procedures and products. It can be argued that this raises the difficulty of analysis exponentially, however in reality, the extra evidence be likely to further limit the number of histories that are reasonable so as to keep steadiness of interoperation across the evidence. Reconstruction Generally, the significance of the proof is exact to hardware and/or software. Even as several analysts make the supposition that systems function according to their specifications, in the information technology, anywhere digital forensic evidence initiates, actually, there are few principles and they are freely dishonored every time. Records are frequently at odds with reality, versions of systems and software change at a high rate, and reports of what was in place at a specific time are often inadequate to absent. Legal cases too often come to trial after many years of events occurrence, and proof that might have been available at the time of the event may no longer be existing. In such cases, reconstruction of the mechanisms that created the records might be the only obtainable strategy to decide, to a rational level of conviction, what in fact could and could not have taken place. Suppose a reconstruction is to be considered, added decisions have to be made. Such as, based on the existing information, how can a perfect determination be made about the edition of the hardware, software, and operating system be made, and how significant is it to accurately reconstruct the original condition down to what level of exactness and in what aspect? The answer to these and other connected inquiries are tied closely to the facts at issue in the matter at hand. Presentation Evidence, analysis, interpretation, and attribution, have to finally be presented in the form of professional reports, depositions, and proof. The presentation of proof and its examination, interpretation, and ascription have several challenges, but presentation is simply dealt with to a restricted level in the literature. Presentation is considered more of an art than a science, however there is a large amount of scientific literature on techniques of presentation and their impact on those who watch those presentations (Cohen, n. pag.). Admissibility of digital forensic evidence Evidences have to be pertinent and dependable in order to be allowable in a United States court. The reliability of scientific evidence, for instance the output from a digital forensics tool, is decided by the judge in a pre-trial ‘Daubert Hearing’. The duty of the judge in the Daubert Hearing is to decide whether the fundamental methodology and method used to recognize the evidence was sound, and consequently, the evidence is dependable. The Daubert procedures recognize four common groups that are used as strategy when evaluating a procedure: testing, error rate, publication and acceptance. The Daubert Test is an extension of the Court’s former approach to the admissibility of scientific proof. Before, under the ‘Frye Test’, courts gave responsibility to recognize acceptable procedures on the scientific community using peer-reviewed journals. However, as not every field has peer-reviewed journals, the Daubert Test presented extra techniques of testing the quality of evidence. The strategy will be scrutinized for both information attainment tools and analysis tools. At present, the bulk of digital forensics engages the acquisition of hard disks and analysis of file systems. Consequently, particular attention will be given to these tools and the procedures for copying information from one storage mechanism to another and removing files and other information from a file system image (Carrier, n. pag.). Detection of hidden data During survey and collection stage, investigators use forensic tools and obtain crime-related image from computers in the sight of an offense. There are regular files, deleted files and spoiled files in the image that become necessary to be recovered by tools. Forensic tools can create valid outcome and must present honesty of the obtained information and confirm the result in a court. Therefore the concern of the confirmation of forensic tools is increasing. CFTT proposes the system of testing for confirmation of forensic tools [1]. An unlawful hide’s information relating to crime that by using application or special method downloaded from the internet and Win32 API (Application programming interface). Any person can get simply application or skill regarding that from the internet. Hence, information hiding is becoming more widespread. Attained image may have hidden information. However, it may be exposed or not owing to investigator skill. Information hiding necessitates specific procedure for sensing which depends on cover carrier or ability of computer user. It is feasible to hide a text string or a file in system or data files. Using the feature of system file or loose space from data file format, an unlawful can hide information without any professional skill. Sound or image file is used to hide data by making use of the feature of that. The hidden data remains on standard information in acquired image. Exposure method of hidden information depends on cover carrier. So exposing hidden information, it is necessary that investigators use a tool to have suitable revealing techniques (Kim, et. al). Reliability of the data Data reliability adverts to the exactness and wholeness of computer processed information, given the planned purposes for use. Computer-processed information comprises data entered into a computer system and outcome from computer processing. The description of computer processed information is thus wide-ranging. Information are reliable when they are complete - they contain all of the information elements and records needed for the engagement and precise – when they reproduce the data entered at the source or, if available, in the source documents. Stability refers to the need to get and use information that is clear and well-explained enough to yield analogous results in similar studies. Appraisal of reliability should be completed in the broader situation of the meticulous uniqueness of the engagement and the risk linked with the likelihood of using information of inadequate reliability. Reliability does not assure that computer-processed information’s are error-free. All job performed as the data reliability appraisal must be recorded and incorporated in the engagement work papers. These work papers supposed to be clear regarding the steps the team took and the decision they reached and assessed by staff with suitable expertise (GAO n. pag). E-mail crimes and violations There are various types of e-mail frauds for instance a spoofed email is one that appears to originate from one source however in fact it has been sent from another source. This can as well be termed as E-Mail forging. Yet another e-mail fraud is called as e-mail bombing that refers to sending a large quantity of e-mails to the victim resulting in the victims’ e-mail account or mail servers. Once it has been recognized that a crime has committed by using e-mail it is essential to capture and maintain the proof that is necessary to prove the offence in the court of law. Proof may be attained through an examination of victim’s computer. This may contain the e-mail that the victim has received. With the digital forensic tool it is best to take an image of computer hard disk. As investigator is investigating the victim’s machine it is helpful to get any password wanted to open protected encrypted files. In the majority of cases the IP address of source in the e-mail will link to the host used by the offender (Kumar n. pag.) Work Cited Carrier, B. Open Source Digital Forensics Tools - The Legal Argument September 2003, 13 Dec. 2009 Cohen, F.B., Fundamentals of Digital Forensic Evidence Fred Cohen & Associates and California Sciences Institute. 13 Dec. 2009 Kim,Y., Bang, J., Lee, S., Lim, J. Detection of Hidden Information in Forensic Tools 13 Dec. 2009 Kumar, S.V. Cyber Crime – Prevention & Detection 13 Dec. 2009 US-CERT. Computer Forensics Produced 2008 by US-CERT, 13 Dec. 2009< http://www.us-cert.gov/reading_room/forensics.pdf > United States General Accounting Office (GAO). Assessing the Reliability of Computer-Processed Data October 2002, Applied Research and Methods 13 Dec. 2009 Read More