Role of Computer Forensics and Investigation Report in Criminology - Research Paper Example

Computer Forensics and Investigation Report With the increased globalization and utilization of information technology, criminals have adopted modern techniques in committing various crimes. As such, computer forensics and investigations play an import role of evidence production in criminology. Forensic experts in the field of computer forensics gather and preserve evidential materials from various computing appliances. In this regard, the following discussion explains various terms and gadgets used in computer forensics. One of the commonly used terms in computer forensics is live data acquisition. Live data acquisition is a process in which computer forensic experts make a copy of the digital evidence, from a digital device, by running a program (University at Buffalo, n.d). In this process, data is acquired while the computer belonging to the suspect is on. Live data acquisition is necessitated by particular factors, such as prevention of permanent data loss, disk encryption or significant losses to the affected people, when the computer is switched off. It is noteworthy pointing out that live data acquisition does not guarantee repeatability. On the contrary, static data acquisition involves making a copy of the evidential data when the computer is turned off. Statistic acquisition mainly takes place when storage disk is write-protected by the suspect. Unlike live acquisition, static data acquisition is characterized by high level of repeatability hence the importance placed on this approach (University at Buffalo, n.d). Ideally, forensic experts make a copy of the original data in order to use the copy for further analysis. Physical drive is another commonly used term in computer forensics. Physical drive refers to the hardware component used in most computer gadgets for storing data (Pachghare, 2009). Physical drives can be in form of magnetic tapes or disk drives, which are tangible and can be detached from electronic gadgets. Contrastingly, logical drive refers to the various partitions that exist in the physical drive. In many computers, users partition the existing physical drive into several portions that represent ‘independent’ storage units (Pachghare, 2009). However, these storage units, known as logical drives, are part of the main hard drive in the computer. File Allocation Table (FAT) is an older system used by various operating systems to track data stored in the hard drive. Ideally, data generated by use of computer programs is stored in bytes, which are clustered in different locations on the storage disk (Marshall University, n.d). As such, the FAT system is used to locate specific clusters associated to particular files of interest. By understanding this data storage system, computer forensic experts can collect the relevant evidence from computers with high precision. New Technology File System (NTFS) allows easy location of hidden files unlike the FAT system. It was designed for to replace the older versions and provide high security to the stored data and enhance recoverability of any information in storage systems. In addition, large files in the NTFS are not fractured while storing like in the FAT system. The NTFS has size control of clusters and reduced slack space when compared to the FAT system (Marshall University, n.d). As such, the NTFS provides a more reliable storage mechanism that provides a good platform for computer forensics. In computer forensics, experts usually work from copy of information in order to preserve the original content in the suspects’ computers. As such, the collected evidence is stored in particular formats that can be further analyzed using various forensic tools. One of the most commonly used storage formats is referred to as the Raw Format. Raw Format represents the first technique used by digital forensic experts to transfer evidential information from suspected digital source. Ideally, the technique involves bit by bit copy from the original storage source to another storage disk with similar capacity or larger. Raw Format technique of storing information bears several advantages and limitations that must be put into consideration by forensic experts before use. One of the major advantages of raw format data storage is that it is faster technique of data transfer (University at Buffalo, n.d). Therefore, experts with limited time can use the technique to collect evidential information. In addition, many tools used for forensic analysis are capable of utilizing raw format data hence the wide applicability of the format. Moreover, it is possible to by-pass insignificant errors from the original source of the data. However, the technique requires more storage space and some information from ‘bad’ sectors maybe lost. Proprietary Format represents the unique formats that have been developed by companies that develop forensic tools. With the increased technological development in the world, different companies have developed technological equipment that suite particular needs in the society. In this regard, technological companies concerned with computer forensics have developed various tools for collecting digital evidence. Examples of proprietary formats include MP3, WMA, RAR and PSD. These proprietary formats are operated under licenses and privacy controls. Proprietary formats also have some advantages and limitations for their use in computer forensics. Some of the advantages associated to proprietary formats include, flexibility in use, such that professionals can choose whether or not to compress data, ability to combine different types of data in an image and ability to disintegrate image data into small portions for storage reasons (University at Buffalo, n.d). However, proprietary formats have a limitation data sharing-incompatibility between tools produced by different companies. Advanced Forensic Formats (AFFs) are used in open source forensic data acquisitions by computer forensics experts. The Advanced Forensic Formats were developed in order to solve some of the challenges presented by the initial formats while carrying out forensic investigations. For instance, the AFTs have no capacity restrictions when transferring the disk to image evidential data. Developed by Basis Technology Corporation, the AFTs have managed to counter many limitations presented by other formats used in data acquisition. Like the other formats discussed, the AFTs have several advantages and very few limitations. Some of the advantages associated with this format include limited requirements for extra storage capacity, capacity to store metadata in the saved images and can be used by various forms of operating systems (University at Buffalo, n.d). The only limitation associated with the AFTs is that many forensic companies have not completely embraced the format and hence few forensic analytic tools are specific for the format. Because of the criticality of evidential information in criminal investigations, additional measures are taken to preserve digital evidence through hashing. Hash values are numerical values generated through algorithmic calculations and assigned to digital files, usually used as evidence (SANS Digital Forensics and Incident Response Organization, 2009). Ideally, hash values assign unique codes to the digital files so that it is easy to verify particular information, which of interest in forensic investigations. It is noteworthy pointing out that hashing electronic evidence is important because of the implications of criminal evidence on the suspect and ensuring that different tools used in the analysis do not alter the original evidence. During forensic investigation, has values are generated for the original data storage, copied image before analysis and the copied image after investigations. All the generated has values are compared to ascertain that there has been no interference on the digital evidence. Examples of hashing tools used in computer forensics include MD-5 and SHA-1. As discussed earlier, physical drive can be divided into several logical drives that can be used as in depended disks. Disk Partitions represent the logical drive found in a computer hard disk (Pachghare, 2009). In reality, different file systems can be used in the various disk partitions. Therefore, while collecting digital evidence, forensic experts analyze each partition in order to identify the files stored and evaluate analytic tools required to examine the disk. Considering that computers store data in file clusters, in most cases, there are some unfilled spaces in the clusters after storing data. The extra space in a cluster after file storage is called Slack Space. In forensic investigations, slack space is usually examined because it contains residual information concerning any stored file (Pachghare, 2009). As such, it is possible to collect information concerning deleted files in a computer system hence the relevance of slack space in digital forensics. Whole Disk Encryption is a process in which full contents of a hard drive are converted into unique codes. Decryption is only achieved by individuals with authorized access into the computer software. During digital forensic investigations, forensic experts use decryption tools to identify the information protected in suspect computers (Pachghare, 2009). Disk encryption is normally used by individuals or organizations for privacy reasons. Diagram-Hard drive Sector- is a small portion of the hard disk used for data storage Cluster- is a storage unit in a hard disk formed by several sectors Track- is a circle surrounding the storage unit in a hard disk. Several tracks are divided into a sector. Disk Platter- is a circular magnetic disk used in data storage. References Marshall University.(n.d). A Forensic Comparison of NTFS and FAT32 File Systems. Retrieved from http://www.marshall.edu/forensics/files/RusbarskyKelsey_Research-Poster-Final-Draft.pdf Pachghare, V. K. (2009). Cryptography and Information Security. New Delhi: PHI Learning. SANS Digital Forensics and Incident Response Organization. (2009). Law Is Not A Science: Admissibility of Computer Evidence and MD5 Hashes. Retrieved from http://digital-forensics.sans.org/blog/2009/01/07/law-is-not-a-science-admissibility-of-computer-evidence-and-md5-hashes/ University at Buffalo. (n.d). Guide to Computer Forensics and Investigations Fourth Edition. Retrieved from http://mgt.buffalo.edu/departments/mss/djmurray/mgs610/ch04.ppt Read More