Digital Forensics - Case Study Example

Digital Forensics Digital Forensics Introduction Investigating computer crimes like that of Mr. IsureDidit, who is suspected of child pornography, can prove to be a tricky affair for an investigating officer due to the technical expertise required and the intricate nature of the internet. However, in the modern world digital forensics have been developed to curb the challenges pertaining to legal evidence stored in computers and other digital storage media devices. The use of computer forensics has been employed to investigate computer crimes like that of Mr. IsureDidit. Computer forensics has been used to solve high profile cases in the USA. In the much publicized case of Sharon Lopatka, computer forensics technology was employed to trace the victim’s killer through her emails. This method is used to examine legal evidence stored in digital media in order to gather, preserve and present facts and opinions about the information retrieved in a suitable manner during a trial in a court of law. During this process of retrieving information to be used as evidence in court, a structured investigation has to be carried out. This is because a chain of well documented evidence has to be maintained in order to reconstruct a clear history of the happenings of the crime and find the person responsible (Margaret, 2014) Case Portfolio Child pornography is an internet crime against children because they are used as sexual objects (Wortley & Smallbone, 2006). I decided to investigate the claims on suspected child pornography which was brought to my attention because children are defenceless and vulnerable beings. Law and morality dictate that it is my duty as a law abiding citizen to protect them from sexual exploitation. For any evidence to be admissible in court the concerned investigating authorities must ensure that due process is followed-computer forensics is not exception to this rule. In order to maintain a balance between a citizen’s right to privacy and the state’s right to violate that right by searching and seizing an individual’s property, one has to use a search warrant (Wegman, 2005). In order to retrieve the incriminating evidence from the storage media I had to apply for a search warrant. The investigating officer prepared an affidavit that described the basis for the crime of child pornography and a search warrant limiting the search to the suspect’s workspace was issued by a competent court. The computer technology and the internet presented potent tools for use in evidence location and collection from Mr. Didit’s laptop. The first step involved examination of the computer’s hard drive for images and messages indicative of child pornography. In addition to searching the computer for sexually explicit images showcasing children, the forensic investigators also followed the digital trail left by the suspect in terms of related pictures downloaded from the internet and shared with other people through various platforms. Evidence collected Digital evidence is information stored in a binary form and can be found on computer hard drives, compact disks, flash disks and so forth. This evidence is commonly associated with the crime committed: child pornography and it is relied on in courts of law. The suspect’s computer and the information it contained will be used as digital evidence. Potential evidence collected in the course of the investigation from the computer system and its components included photos, documents and videos of children being sexually abused or portrayed in a sexually suggestive manner. Information was also retrieved from the internet browsing history, databases; data stored on external devices such as a flash disk as well as, emails and attachments of victimized children sent to diverse parties. Financial records showing the transactions made to acquire video and photos could also not be overlooked during evidence collection. Information retrieved from storage devices will be relied on in court. The following devices were retrieved from the suspect’s workspace; Removable media (compact disk) Thumb drive (flash disk) Hard drives and external hard drives Peripheral devices (mouse, keyboard, web camera and microphone) The above storage devices contain data which can be used as potential legal evidence. The peripheral devices can be sources of fingerprints which be used to identify the user of the computer. The computer hard drives, external hard drives, compact disks and the flash disk contain data such as e-mails and attachments, browsing history, photos, videos, financial records of the suspect and so forth can be reliable evidence during the investigation process and trial of the accused person. (U.S. Department of Justice, 2008) The investigation should be carried out by a highly qualified forensic investigator because digital evidence is fragile and so it must be handled carefully so as not to tamper with the data. In order to preserve its integrity and admissibility in courts (existing standards for the admissibility of evidence must be complied with), digital evidence must be collected, packaged, and transported using special techniques. (U.S. Department of Justice, 2001) The magnitude of child pornography allegations was serious so the suspect’s workspace was considered a crime scene and the computer system and its components were completely sealed off. The immediate surroundings of the computer were not changed. This is because improper handling and examination of the computer would tamper with the data and as a result render the evidence retrieved inadmissible in a court of law. The original data must be preserved at all costs. The investigators took photographs of the workplace. They also seized and secured all non-digital evidence within the vicinity of the crime scene. In order to preserve the original contents of the media storage devices forensic images were made (forensic imaging). This means that all the entire computer hard drivers were duplicated and cloned by a highly qualified forensic examiner to ensure that the images were complete and accurate. The forensic images were to remind investigators of the crime scene and also guide the court in understanding the happenings of the crime scene. Before all the digital evidence retrieved was packaged for transportation, the investigators ensured that every piece of the computer system and to its components was properly documented, labeled, marked, photographed, sketched, and recorded. . The browser history, comprising of URLs of child pornography was also recorded. All record sheets were numbered, signed and dated appropriately to create a comprehensive summary of the investigation. The digital evidence was packed in antistatic bags to protect it from damage resulting from electrostatic discharge. The antistatic bags were then labelled properly. The documented evidence was transported in boxes, while electronic evidence including the computer and media storage devices was kept away from magnets, radio transmitters and other potentially damaging elements. The physical evidence was stored in a secure climate- controlled evidence locker devoid of elements that may cause damage to it. Server back-ups and log files were also preserved for easy reconfiguration of the system when need arises. The investigators also found the following non-digital evidence in the crime scene; Writing pads with possible written passwords Printouts Disks Sticky notes Literature printed from the computer and so forth. These items can also prove to be useful because they may reveal information relevant to the investigation, for example, graphic material on children printed from the computer will serve as proof that the suspect is engaging in child pornography. Pertinent digital evidence relating to the allegations of child pornography might also be found in: photocopy machines, printers, computer chips, mobile phones, wireless access points and so forth (U.S. Department of Justice, 2001) Forensic examination tools The use computer systems and their components as sources of digital evidence in cyber-crimes have been a widely accepted method in modern societies. Digital data can be examined by acquiring and analysing computer systems and their components and other media data storage devices during investigations to retrieve evidence to be used in courts of law. The following tools of analysis were used during the investigation; Peer-to-Peer Analysis (P2P Marshal: This tool of analysis was developed by ATC-NY, a subsidiary company of Architecture Technology Corporation. (National Institute of Justice, 2010) Peer-to-peer networks are the most common means for the illegal acquisition and distribution of child pornography materials. This can be attributed to the fact that the network enables computers to communicate and share files directly with peers on other computers at a very fast speed. Criminals prefer using this network to distribute child pornographic materials because its super fast speed reduces the cost of sharing and retrieving files. Also the network enables them to share graphic documents, photos and videos on child pornography. When the suspect’s computer was seized via a search warrant, a qualified forensic examiner quickly identified the kind and number of files that he had shared through this network. The P2P Marshall discovered file sharing programs installed on the suspect’s computer and this enabled it to retrieve information on peers contacted, files downloaded and shared by the suspect (National Institute of Justice, 2010) Steganography Detection: in his paper steganography: Hiding data within data(2001), Gary Kessler considers steganography to be a really interesting subject because it is the art of hiding information in image and audio files ( mainly because of their large size)without raising any suspicions about its existence. This is because the information/data is usually encrypted in order to make it invisible to unauthorized personnel unless one has the corresponding password. In this era where the cyber-crimes menace has become rampant and widespread, steganography is widely used to store child pornography videos and photos. Steganography can be easily detected through steganalysis. It can be defined as the science of discovering and identifying hidden encrypted information and then retrieving the hidden messages. The investigators used stegdetect program invented by Niels Provos to detect and retrieve hidden images from the suspect’s computer system and its components. Automatic human image detection: during the investigation the Belkasoft Evidence Centre, a program provided by the Belkasoft was used to automatically find child pornography content in pictures and videos files. This program has the ability to detect human faces and child pornography while scanning the media storage devices. The program will then flag and create a list of photos and video files containing child pornographic content which will be used as evidence during the investigation process. After a very thorough examination of the digital evidence found on the suspect’s workplace, the above mentioned tools of analysis provided conclusive evidence that the information retrieved from the media storage devices seized from Mr. Didit’s workspace contained child pornography materials. To ensure that the digital evidence will be admissible in court, the hash value was used to verify that the data retrieved from the computer and other media storage devices had not been tampered with during the evidence collection and examination procedures. A hash value is important in investigations because it is used to verify that the digital evidence is authentic and original. Conclusion Investigating cyber-crimes like that of Mr. IsureDidit, who is suspected of child pornography, can prove to be a tricky affair for an investigating officer due to the technical expertise required and the intricate nature of the internet however computer forensics has been improvised to fill this gap in order to curb the cyber-crimes menace. During criminal investigations digital evidence must be obtained in a legal manner for example through a search warrant and the rules of evidence relating to admissibility must be followed to the core in order to build up a strong case for the prosecution. Expert opinion is needed to prove to the court beyond reasonable doubt that according to the digital evidence retrieved from the suspect’s workspace, the suspect was in violation of the laws prohibiting child pornography. This is because the expert will use his skills to examine the digital evidence retrieved in detail and give a conclusive report about alleged claims of child pornography. In conclusion the above report proves beyond reasonable doubt that indeed the allegations of child pornography against the suspect were indeed the truth. References Investigation, E.C.S. (2001). A Guide for first responders.US Department of Justice, NCJ,187736. Kessler, G. C. (2001). Steganography: Hiding data within data. An edited version of this paper with the title “Hiding data in data”. Windows &.NET Magazine. National Institute of justice. (2010, November 5). Digital Evidence Analysis Tools. Retrieved from http://nij.gov/topics/forensics/evidence/digital/analysis/. Rouse, M. (May,2014). Computer forensics (cyber forensics). Retrieved from http://www.searchsecurity.techtarget.com. Wegman, J. (2005). Computer forensics: admissibility of evidence in criminal cases. Journal of legal, ethical and regulatory issues, 8(1). Wortley, R. K., & Smallbone, S. (2006). Child pornography on the internet. US Department of Justice, Office of community oriented policing. ` Read More