The Key Principles of Cyber Forensics - Essay Example

Cyber Forensics Table of Contents 1.0 Introduction…………………………………………………………………………………4 2.0 Digital Evidence …………………………………………………………………………….5 3.0 Principles of cyber forensics ……………………………………………………………….6 3.1 Standardization ……………………………………………………………………7 3.2 Evidence gathering ………………………………………………………………...7 3.3 Evidence Handling …………………………………………………………………7 3.4 Evidence Access ……………………………………………………………………8 4.0 Threats to data held on Computers ……………………………………………………….8 4.1 Errors and Omissions ……………………………………………………………..8 4.2 Theft ……………………………………………………………………..…………8 4.3 Disgruntled employees ……………………………………………………...……..9 4.4 Supporting infrastructure …………………………………………………..…….9 4.5 Malicious hackers ……………………………………………………………...…..9 4.6 Malicious Codes …………………………………………………………………….9 4.7 Foreign government espionage ……………………………………………………10 5.0 Digital Evidence Investigation Processes ………………………………………………….10 5.1 Preservation ………………………………………………………………………..10 5.2 Location …………………………………………………………………………….11 5.3 Digital Evidence selection …………………………………………………………11 5.4 Analysis ……………………………………………………………………………..13 5.5 Validation …………………………………………………………………………..14 5.6 Presenting digital evidence ……………………………………………………….14 6.0 Cyber Forensics Investigation Techniques ………………………………………………14 6.1 Computer Networks ………………………………………………………………14 6.2 Computer systems …………………………………………………………………15 6.3 Mac Marshal Digital forensic tool ……………………………………………….15 7.0 Importance of crime reconstruction hypotheses and alternative hypotheses..................16 7.1 Alternative Hypothesis ……………………………………………………………16 8.0 Conclusion ………………………………………………………………………………….17 9.0 References…………………………………………………………………………………..18 10.0 Bibliography……………………………………………………………………………….20 1.0 Introduction Increasing globalization and sophistication of the world’s technological infrastructure has dramatically influenced logistics of criminal activities at both local and international levels. With the wide availability of the internet, and English language skills being taught at an early level across the world today, criminals do not need to be physically present somewhere to commit a crime. Modern technology is providing numerous opportunities for criminals whereby today the police frequently chronicle criminal’s application of computerized technology to commit variety of economic crimes and crimes involving malicious destruction of other people’s properties. This particular issue has become so pervasive that it has in return led into specific statutes being designed to address the situation at hand. It is due to this background that computers systems have become an integral part of the investigation process due to their ability to hold huge amount of information. These stored data while of potentially tremendous value during the investigation, prosecution, and prevention of crime, poses unique challenges to detectives and court prosecutors due to their potentially volatile nature that make electronic data very easy to modify hence suspected criminals may take advantage and tamper with the stored information. In a traditional investigation, detectives should have access to relevant evidence and witnesses. There are various components required for successful prosecutions whereby investigators usually photograph and seize physical evidence, create maps and diagrams on crime scenes, document injuries and economic losses, interview witnesses and suspects. This is mainly done because without sufficient evidence, convictions cannot be easily sustained. With the advent of cyber crime, new challenges and tasks have been presented which also alter the tactics and economics of criminal investigations. This particular paper will describe digital evidence, explain on the key principles of cyber forensics while outlining the threats that are held when digital evidence is stored on computers. It will then on proceed and discuss some of the investigation process that are used when conducting digital forensics and finally concluding by outlining the importance of crime reconstruction hypotheses and alternative hypotheses. Cyber forensics is therefore the process of extracting information and data from computer systems while guaranteeing on its accuracy and reliability, in a manner that is legally acceptable via the application of computer technology to the investigation of computer based crime (US-Cert, 2008). 2.0 Digital Evidence This is basically information and data that is valuable in any investigation activity. This particular information and data should be stored, retrieved, or transmitted by the use of electronic device. Whenever a detective is dealing with digital evidence, general forensics and procedural principles should be thoroughly adhered to, this requires that: The process of collecting, securing, and transporting digital evidence should not tamper with the evidence collected The evidence should be examined by a specialist who is purposely trained fro the job All the activities conducted during the seizure, transportation, and storing of digital evidence should be properly documented, preserved and also be available for review. First responders should therefore establish caution whenever seizing electronic devices and they should also obtain legal authority before embarking on their mission. These personnel should consult the prosecuting attorney in order to obtain the appropriate jurisdiction authority so that they ensure that they have the proper legal authority of seizing digital evidence at the crime scene. A lot of precautions need to be considered whenever collecting, preserving and transporting digital evidence. This requires first responders to follow some series of steps at electronic crime scene which may include; Identifying, seizing, and securing all the available digital evidence at the crime scene The crime scene together with the specific location of the evidence should be properly documented Digital evidence should be properly obtained, labeled, and preserved. The digital evidence should be packaged and transported in a safe and secure manner. The first responder should be considerate on everyone’s safety at the crime scene and all the actions and activities being carried out at the crime scene should comply with the respective departmental policy as well as the federal, state, and local laws. After securing people in the crime scene, potential digital evidence should be identified and the digital evidence should be documented, photographed, and secured as soon as possible. Additional measures that may be undertaken by first responder when collecting digital evidence entails: Ensuring unauthorized personnel do not have access to any electronic devices at the crime scene. This is so as to prevent radioactive devices from interfering with the evidence obtained. Refraining from any help or technical assistance from unauthorized personnel. Removing people from the crime scene or the surrounding area where the digital evidence is to be collected Ensuring that the condition of electronic equipment is not tampered with The electronic devices should also be left off if they are already turned off Physical components such as the keyboard, mouse, removable storage, and other related accessories should be properly handled because there is a huge possibility that they might be holding latent evidence such as fingerprints and DNA (Aric, 2010, p.387). According to guidelines for digital evidence collections from various jurisdictions, legal considerations for collecting such evidence should be: Admissible: The digital evidence has to conform to certain legal rules before being presented in a court of law. Authentic: The evidence material should be directly involved with the incident Complete: the evidence gathered should tell the whole story and not just focusing on a particular perspective Reliable: The collection method should be free from any sorts of doubts in relation to their authenticity and veracity Believable: The evidence should be believable and understandable by a court of law. The digital evidence should also be in human readable form and can be quickly produced in the courtroom for authenticity (ICST, 2011, p.34). 3.0 Principles of cyber forensics Cyber forensics is becoming an increasingly important tool towards the fight for online crime. Law enforcement agencies are tracking fraudsters by using their forensic experts to gather evidence over the internet. These fraudsters are know to be devising new skills day in day out, but nevertheless, four principles remain at the heart of cyber forensics. These are; standardization, evidence gathering, evidence handling, and evidence access. 3.1 Standardization Forensics professionals discharge their services across national borders so that they may track and prosecute criminals. With cross border movements, it is very difficult to track such people due to some of the difficulties encountered such as the legislation that differs between the different jurisdictions. This scenario has forced law enforcement agencies to collaborate and work with governments across the world so that principles of cyber forensics may be standardized. 3.2 Evidence gathering The main technique applied in collecting digital evidence should not alter with the data because in order for digital evidence to be successfully applied in a court of law, it has to remain intact with the way it was retrieved because any slight proof that the evidence has been tampered with is likely to deter successful prosecutions. Such a scenario may be avoided by having digital evidence distributed in a number of computers which makes it very difficult to destroy because if digital evidence is destroyed on one machine, it can be successfully traced on another (Eoghan, 2004, p.383; Pachghare,p.358; Steven, 2008,p.268). Apart from copying the evidence on multiple machines, the investigator should also factor tools that they will work with, these may include technical policies, device logs, systems application, and permissions. Serious considerations need to be taken on the type of operating systems being used at the time of the incidence, the disk formats, and location of evidence whether physical or electronic (Joseph,2010 ,p.265). 3.3 Evidence Handling Digital evidence is known to pass through the hands of several investigators during the data analysis process. This requires that the evidence should be carefully documented because it is it integrity that will in the long run build on the validity of the case. Therefore extreme cautionary measures should be taken when handling these evidence and evaluators can implement a chain of custody that will assist in maintaining the evidence by using a set of documentation that provides a chronological history of activities which involves the digital evidence, so that identity and integrity of digital evidence is preserved. Such documentation will contain the names of all the individuals who collected and handled the evidence together with the, time and place and anything that was done on the evidence itself hence providing a logical map of the journey in relation to the digital evidence from its extraction to the courtroom (Joseph, 2010, p. 266). 3.4 Evidence Access Digital evidence has to be protected from any unauthorized access and form of tampering in order to ensure that there is a successful prosecution of criminals. This is so because evidence can be easily lost or corrupted due to professional curiosity involving police officers and other experts who are not part of the crime scene processing team. The presence of such group of people can easily contaminate the evidence either directly or indirectly (Bill, Amelia & Christopher, 2010, p.169). During the international hi-tech crime and forensics conference in October 1999, international principles for cyber evidence were promulgated by the International organization on Computer Evidence. These states that (Michele & Kristin, 2009, p.215): 4.0 Threats to data held on Computers Modern technological systems are vulnerable to a number of threats which if not properly checked can cause damage to forensic evidence and result into significant losses which may even lead to the dismissal of a case. There are number of threats being faced by data held on computer systems which requires the systems users and moreover forensic experts to have some knowledge on the vulnerabilities and threats that they are exposed to. These threats and vulnerabilities include: 4.1 Errors and Omissions These are mainly caused by the data entry clerks whom have to process hundreds of transactions in any single day. This is so because most of the computer applications lack quality control measures making it very difficult to detect input errors and omissions. 4.2 Theft The information stored on computers can be easily altered or completely stolen by insiders or outsiders. This may happen when the criminals have access to codes such as passwords whereby they may remotely log in to the system and tamper with the data or retrieve it completely. This particular data may be forensic evidence that is waiting to be presented in a court of law thereby rendering the case to be dismissed. 4.3 Disgruntled employees These groups of personnel may collude with criminals and sabotage the systems on their behalf. These personnel are usually very familiar with the computers and applications and even know which specific action is likely to cause most damage to the system (Robert Weston; Michelle et al, 2005). Some of the ways in which employees may sabotage data held internally by computers include: Incorrectly entering the data Altering the data Deleting the data Destroying information by using logic bombs Crashing the main operating systems Holding the data hostage Destroying the computer hardware physically 4.4 Supporting infrastructure This becomes a factor when issues such as power failures, loss of communication, tsunami, earthquakes, civil unrest, floods, fire, and lack of transportation services occur. When there is loss of infrastructure, systems downtime occurs in a number of ways whereby employees may not be able to commute to work, even though the computing facilities are intact and properly functioning. 4.5 Malicious hackers These groups of people break remotely into the computer systems for the purpose of compromising on the privacy and integrity of the data. When this is not properly checked, a lot of damage may be inflicted on the data. For instance, this particular data may be evidence of a certain criminal activity, but once there are traces that it was handled outside the courtroom since retrieving it from the scene of crime, then such supporting evidence may end up being dismissed hence rendering the case irrelevant. 4.6 Malicious Codes These include; logic bombs, Trojan horses, worms and viruses among others. These codes may tamper with the data held internally by the systems, by changing their file name extensions hence rendering them unreadable by the previously installed computer applications. These codes also results in systems outages and a lot of man hours being lost in repairing systems. 4.7 Foreign government espionage In some unique cases there are usually threats from foreign governments. For instance, if a certain investigative agency is being believed to be holding some terrorism related information in their systems and they are not willing to share this particular information with lets say the US or UK government, these governments may be forced to target their unclassified systems so that they may further on their intelligence missions (CSL, 1994). 5.0 Digital Evidence Investigation Processes 5.1 Preservation The recovery of digital evidence is very complicated and requires maximum care in order to ensure that the evidence is not inadvertently contaminated or destroyed. Whenever collecting digital evidence, the first responder may just copy the information that is needed or copy everything. Immediately the evidence has been collected, it has to be transported to a forensic laboratory that ensures security and integrity of the held information. This requires investigators to consistently record their activities in a journal because such records enhance the credibility of the evidence (Andrew & Lain, 2007, p.105; Carl, 2006, p.161). The crime scene has to be secured, and any removable media should be catalogued, packed in crash proof containers, and labeled in the correct manner. Investigators should also try to unearth off site storage areas and remote computers where further evidence may be hidden. Computers should not only be shut down, but rather pulling off the plug and taking the whole system to the laboratory and the evidence should not only be properly labeled on the outside, but stored away from magnetic fields (Barry, William, & Catherine, 2009, p. 289). The data has to be preserved and the suspect’s computers data has to be copied by using an imaging tool and first responders should not forget making the suspects hard drive read only by using a write-blocking device (Bill, Amelia, & Christopher, 2010, p.174). There are a number of rules governing digital evidence handling and these are not limited to: No action should be taken by the investigator that will ultimately alter the data that is being held on the computer system or any media that will be relied upon as evidence. Anybody handling digital evidence should be forensic competent and they should also explain the relevance and implications of their actions. Audit trail and record of processes applicable to digital evidence should be well kept and an independent 3rd party should be in a position of handling those same processes and also achieve the same results. Personnel who are heading the investigations should ensure that the various legislations and policies are completely adhered to, and this should apply to information contained internally in the system and people accessing the computer systems should not use any copying device. This is so because before any digital evidence is submitted and accepted in a court of law, it should have varying degrees and pass the admissibility requirements of relevance, materiality, and competence (John, 2009, p.306). 5.2 Location In order to professionally locate digital evidence, the first responder has to identify all the computer files and other digital artifacts that are related with the case in question. There are modern forensic tools that pre-process evidence disk by creating an inverted index that enhances the search of key words. This is so because desktops systems are likely to contain thousands of files while enterprise class systems may contain millions of files (Marwin, 2004, p.99). Immediately potential digital evidence are identified, the investigators may proceed on with the collection phase whereby this will involve having possession of digital devices by either imaging or seizing them as evidence by following outlined civil subpoena, administrative order, or a search warrant. Whenever obtaining digital evidence, there are quite a number of issues that needs to be addressed, these include: The overall safety and security of the crime scene Proper description of the crime scene The digital evidence is being collected under which authority The brief synopsis of the investigation The location of the digital devices and data storage 5.3 Digital Evidence selection The process of identifying digital evidence may be very tricky and investigators have to recognize the computer hardware that contains digital information whereby these same investigators will have to distinguish between relevant and irrelevant information pertaining to the actual crime that was committed, or evidence that has some association with the crime in question. During the raid, systems manuals and other accessories related to the computer systems deployed may provide a clue on the technological systems that are being used (Eoghan, 2004, p.216). The correct hardware has to be identified because there are quite a number of technological products that can contain digital evidence while others cannot. These devices may include; USB storages, memory sticks, magnetic tapes, and compact disks among others. Investigators who find it difficult to access an operating system password may make boot disks that by pass the operating systems and enables copying of hard disks contents into another storage media. Investigators are mandated to select the most appropriate seizure methodology depending on the situation at hand and their technical expertise. First responders may use onsite preview using Linux or windows based bootable CDs to review the contents of a suspect machine in a relatively forensic manner. They may also used techniques that dump the systems RAM so that they may recover information stored there such as passwords, chat sessions and other unsaved documents. Immediately they have selected the evidence, investigators may conduct full disk imaging that creates bit by bit copy of the hard drive on a black drive (Jack, Kevin & Anthony, 2007, p.304). Whenever investigators are conducting their seizure, they also have to consider the following: Internet artifacts such as auto complete entries, internet cache, and cookies Wireless network storage devices USB storage devices I-Pods, DVR’s and PMP’s Social network postings, forums, and blogs Cell phone video, data, and pictures Email accounts Online storage accounts Instant messages and short message services This list may be used as a starting point in obtaining solid digital evidence whereby such information previously has proven to be extremely useful as stand alone evidence (Jack, Kevin, & Anthony, 2007, p.68). 5.4 Analysis According to Eoghan (2004, p.232) Digital evidence has to be properly prepared so that it is acceptable in a court of law. Investigators are mandated to conduct onsite examinations whereby these same personnel may be easily overwhelmed by the huge number of files that exist in a single system. Investigators are required to focus on only the potential useful information whereby they are required to filter out irrelevant, confidential or privileged information. This procedure may be conducted by: Elimination of system files with no relevance to the case at hand Focusing their investigation on the most probable user generated information and data Managing redundant data files which are crucial when dealing with backup tapes Establishing discrepancies between digital evidence examination tools Investigators should therefore properly understand the case that is before them because before they embark on a particular case they have a flexible yet preconceived idea of where and what to search for. For instance, key word used in a child pornography case should not be the same when used in corporate espionage saga like the Enron scandal. This is so because not all the cases have the same level of challenges hence does not require the same level of analysis. Forensic investigators should examine the computer drives for visible evidence such as suspicious executable applications, tools that assist in hiding evidence, encrypting data, and those that destroy files. These applications may then provide more clues to the investigators (Michael, 2007, p.41). During this particular stage it is also possible to determine if items that are present in a suspects machine originated from the compromised systems and also if the items on the questionable system originated from the suspects machine. Investigators have also to keep in mind that digital evidence in some instances may contain unique characteristics that links it to particular choices with exceptional probability degrees. For instance, a digitized photo can be containing a line which is consistent with scratches that can be found on a certain flat bed scanner, or a floppy drive that are having unique patterns at its magnetic media that it uses to write unique patterns in the magnetic media whenever copying any data into it. These unique identification characteristics found in digital evidences may be used in linking up cases, generating a list(s) of suspects and subsequently associating certain crimes with a specific computer hence easier to trace the perpetrators (Eoghan, 2004, p.236). 5.5 Validation After digital evidence has been analyzed on the basis of authenticity, it has to be tested whether it could prove a crime beyond reasonable doubts in a court of law. In validation, the forensic expert may validate the source code and in-case the application developer is unwilling to disclose their source codes, then the first responder may examine the evidence by using another tool in order to ensure that the exact results are consistently obtained (Eoghan, 2004, p.184). 5.6 Presenting digital evidence It is a very crucial aspect when testifying in a court of law. Forensic experts may script direct examination and rehearse it with some of their attorneys before court presentation time so that they accord themselves some opportunity to identify key areas that need considerate attention and also anticipate questions that are likely to be raised by the accused during the court room cross-examination period. It is during this period of cross examination that attorneys may discover the flaws and details that initially were overlooked by the forensic investigator (Eoghan, 2004, p.185). Investigators are advised to always pause before replying to any questions so that they give ample time to the attorney to raise any objections and whenever objections are raise, forensic investigators have to be very careful as to why the attorney has objected before the question is answered. Whenever presenting the findings, investigators are advised to explain how the evidence was handled and analyzed from the beginning. 6.0 Cyber Forensics Investigation Techniques Digital forensic techniques assist in providing a methodological and systematic approach towards gathering crucial information from computer systems and their networks whereby this information may be encrypted and completely hidden making it very difficult to retrieve through the normal procedures. Some of the forensic techniques that are applied may include: 6.1 Computer Networks Packet sniffing: This is basically retrieving data as it flows through the computer network by obtaining critical data packets as they flow. These data usually contain information such as usernames, passwords, and sent & received e-mails among other information. IP Address Tracing: This entail tracing down an IP address right down to its real address where it originated from. It may also involve reverse address lookup that requires the counting of the number of servers lying between source and destination. The ISP server is retrieved, the target IP address is then verified with the ISP whereby ownership information can be easily gathered. Email Address tracing: This may be achieved by analyzing electronic mail headers because they contain source machine name IP address which are found to trace IP addresses. Electronic mail addresses also contain information such as the email server where the electronic mail first originated from, including the date, time and other crucial details. 6.2 Computer systems File structure: In computer machines, file structures are analyzed and scrutinized for malicious files which sometimes may be encrypted or hashed with funny algorithms, these files may later on be processed and decrypted to act as evidence. Storage media: These may be formatted, or information deleted from them. However, with advanced utilities and the right tools, such information can be recovered and in case the information recovered is disguised, then whatever data fragments that are obtained can be assembled together and used to form credible digital evidence. Steganography: This is a techniques used to hide information in images or file formats than the routine format. This makes it extremely difficult to obtain certain information. By using steg analysis and decryption techniques, such information can be easily reconstructed to their original form. Prints: These are hardcopy obtained form a computers printer. 6.3 Mac Marshal Digital forensic tool This is a forensic application that extracts digital evidence from Mackintosh OS X systems that enable forensic investigators to conduct their investigations expediently. The application will scan your Macintosh system while automatically detecting and displaying Macintosh, Windows OS, and virtual machines images. It then executes a number of analysis tools that extracts Mac OS specific forensic evidence that has been developed by the OS and other common applications. The application is in line with forensic best practices and it automatically generates a log of all activities it conducts while producing reports in Rich Text Format, PDF and HTML formats (Marc Marshal, 2011). 7.0 Importance of crime reconstruction hypotheses and alternative hypotheses. Crime scenes present very difficult data visualization problem because in most cases crime scenes have to be examined as fast as possible and returned to their original state. This is known to pose a lot of problems to forensic investigator s who require a lot of time to record as much as they would want. With improvement in computer technology, simulations of crime scenes can be easily developed including developing accurate views of the scene from various positions. This may be achieved by digitising floor plans if the crime scene is inside a building, extruding line segments to generate the building walls, and estimating and refining heights by using rendered models with photographic images. The reconstructed model representing the crime scene should present the views of the scene matching the real environment as much as possible because they will be used in a court of law to represent the real scene (Howard, Murta, & Gibson). 7.1 Alternative Hypothesis Assuming that there is no adequate support for the original evidence, then in such a scenario investigators may develop an alternate hypothesis and replay the attack from the last common state when it occurred. This does not substitute the original evidence but rather provides additional methodological approach of finding additional support for the hypotheses pertaining to a digital crime scene. Inside a court room, results from digital forensic reconstruction may be used to refute certain chain of events whereby proper interpretation may support and enhance more interpretation of evidence (Andre et al.). 8.0 Conclusion The role that cyber forensics is playing in the successful prosecution of today’s criminals is still at the embryonic stage. The integration of computerized technology, cyber forensics, with law enforcement is set for dramatic growth because new technology is providing continued opportunities to perpetrate illegal activities almost instantaneously from remote locations across the world. Law professionals such as judges, attorneys, and other law enforcement organs, have a task ahead of prosecuting people who utilize technology together with its products to undermine the socials rules of acceptable user policy, are finding it hard to tolerate crime in this form and they must strive to elevate their technical professional level in the hope of remaining in the same level with the people they pursue or hope to prosecute. Technology will continue evolving from one form to another, making computer crime an ever present and changing reality. By law enforcement experts being proactive, keeping in touch with technological advancements in relation to theories and techniques which define cyber forensics, these people will be much better prepared for the new challenges of prosecuting tomorrows cyber criminals. 9.0 References Andre Arnes, Paul Haas, Giovanni Vigna, & Richard A. Kemmerer. Digital Forensic Reconstruction and the Virtual Security Test bed Vise. Center for Quantifiable Quality of Service in Communications Systems, Norwegian University of Science and Technology. Andrew Blyth, Iain Sutherland (2007). Proceedings of the Second European Conference on Computer Network Defense, in conjunction with the First Workshop on Digital Forensics and Incident Analysis. Springer publishers. Aric W. Dutelle (2010). An introduction to Crime Scene Investigation, Illustrated edition, Jones & Bartlett Learning. Barry A.J. Fisher, William J. Tilstone, Catherine Woytowicz (2009). Introduction to Criminalistics: The foundation of Forensic Science. Illustrated Edition, Academic Press. Bill Nelson, Amelia Philips, Christopher Steuart (2010). Guide to computer forensics and investigations. 4th Edition, Cengage Learning. Carl J. Franklin (2006). The investigators guide to computer crime, illustrated edition, Charles C. Thomas Publishers. Computer Systems Laboratory (CSL) (1994). Threats to computer systems: An overview, retrieved 5th May 2011 from http://csrc.nist.gov/publications/nistbul/csl94-03.txt Eoghan Casey (2004). Digital evidence and computer crime: Forensic science, computers and the internet. 2nd Edition, Academic press. Institute for Computer Sciences, Social-informatics and Telecommunications Engineering (ICST) (2011). Digital forensics and Cyber Crime: Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, Springer Publishers. Jack Wiles, Kevin Cardwell, Anthony Reyes (2007). The best damn cybercrime and digital forensics period, Syngress press. John R. Vacca (2009). Computer and Information Security Handbook, Illustrated edition, Morgan Kauffman. Joseph Migga Kizza (2010). Ethical and Social Issues in the Information Age. 4th Edition, Springer Publishers. MarcMarshal (2011). MacMarshall digital forensic software, retrieved 5th May 2011 from http://www.macmarshal.com/ Marvin V. Zelkowitz (2004). Advances in Computers: Information Security, Academic Press. Michael Sheetz (2007). Computer Forensics: an essential guide for accountants, lawyers, and managers. John Wiley and Sons. Michele C. S. Lange, Kristin M. Nimsger (2009). Electronic evidence and discovery: what every lawyer should know now, 2nd Edition, American Bar Association. Michelle Keeney, J.D, Eileen Kowalski, Dawn Cappelli, Andrew Moore, Timothy Shimeall, Stephanie Rogers (2005). Insider threat study: Computer system sabotage in Critical Infrastructure Sectors. Carnegie Mellon, Software Engineering Institute, Retrieved 5th May 2011 from http://www.secretservice.gov/ntac/its_report_050516_es.pdf Pachghare. Cryptography and Information Security. PHI Learning Pvt. Robert Weston. Computer Forensics: Data Fraud- The internal threat, UK EE Newsletter V2 RW CF retrieved 4th May 2011 from http://www.krollontrack.co.uk/publications/UK%20EE%20Newsletter%20I1%20V2%20RW%20CF.pdf Steven Furnell (2008). Securing information and communications systems: Principles, technologies, and applications. Illustrated edition, Artech house. T.L.J. Howard, A.D. Murta and S. Gibson. Virtual Environments for Scene of Crime Reconstruction and Analysis. Advanced Interfaces Group, Department of Computer Science, University of Manchester, Manchester M13 9PL, United Kingdom, retrieved 5th May 2011 from http://www.cs.man.ac.uk/~gibsons/pubs/spie.pdf US-CERT (2008). Computer Forensics, retrieved 2nd May, 2011 from http://www.us-cert.gov/reading_room/forensics.pdf 10.0 Bibliography Andrew Jones, Craig Valli (2008). Building a digital Forensic Laboratory: Establishing and managing a successful facility, Butterworth-Heinemann. Daphyne Saunders Thomas, Karen A. Forcht (2004). Legal methods of Using Computer Forensics Techniques for Computer Crime Analysis and Investigations, Issues in information systems, Volume V, No 2, retrieved 4th May 2011 from http://www.iacis.org/iis/2004_iis/PDFfiles/ThomasForcht.pdf George L. Paul, Bruce H. Nearon (2006). The discovery revolutions: E-discovery amendments to the federal rules of civil procedure. Heins ABA archive Microfiche Collection, 2nd Edition, American Bar Association. Gilbert Peterson, Sujeet Shenoi (2009). Advances in Digital Forensics V: Fifth IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA, January 26-28, 2009, Revised Selected Papers, Volume 306 of IFIP Advance in Information and Communication Technology Series, International Federation for Information Processing. Springer Publishers. John S. Dempsey, Linda S. Forst (2009). An introduction to policing, 5th Edition, Cengage Learning. Osvaldo Gervasi & Marina L. Gavrilova (2007). Computational science and its applications: International conference, Kuala Lumpur, Malaysia, August 26-29, 2007: Proceedings, Volume 2. Richard Boddington, Valerie Hobbs, Graham Mann (2008). Validating digital evidence for legal argument, Australian Digital Forensics Conference, Edith Cowan University Online, Security research center conferences, retrieved 4th May 2011 from http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1041&context=adf&sei-redir=1#search=%22selecting+digital+evidence%22 Sheldon E. Friedman (2005). The Litigators Guide to Electronic Evidence and Technology. Illustrated Edition, Bradford Publishing Company. Sokratis K. Katsikas, Javier Lopez, Gunther Pernul (2004). Trust and privacy in digital business: First international conference, TrustBus 2004, Zaragoza, Spain, August 30- September, 2004. Proceedings. Springer publishers. Read More