According to the International Telecommunication Union (2012), the term computer forensics in its usage portrays the orderly gathering of information and examination of computer-based innovations and technologies to scan for digital evidence. When handling a crime scene, investigators should remember that the documentation of the scene builds a record of the investigation for prosecution purposes. Computer Forensics falls within the domain of digital forensic science, and the goal of an investigator in the realm of computer forensics is to forensically examine a computer to identify, obtain, and analyze digital information found on a computer and its components. The US Department of Justice defines digital evidence as data and information of significant worth to an examination that is domiciled on, got, or transmitted by an electronic gadget. This proof is gained when information or electronic gadgets are seized and secured for assessment (Cole, Gupta, Gurugubelli, & Rodgers, 2015). In this section, this paper will address the components of a computer to photograph during forensic photography, the most emergent action an investigating officer should take upon arriving at a cyber-crime scene, the value of computer’s hard disk in computer forensics, the concern of encryption (Secure Hash Algorithms) in a cybercrime scene investigation, and the restrictions that are there for cybercrime scene investigators on the data they seize while executing a warrant for the contents of hard drive during a crime scene investigation.
Criminological photography is an irreplaceable device in present-day measurable odontological convention, which helps in insightful systems, support of documented information, and to give proof that can enhance lawful issues in court. Investigators at a crime scene set many goals in their quest to achieve the most desirable outcomes in an investigation. One such goal the investigators set is incorporating photography into detective work. For this reason, the proper determination, selection, and execution of the appropriate photography and computer components coupled with proper training as well as correct workflow operations make fusing photography into the field of crime scene investigation an effectively reachable objective (Gouse, Karnam, Girish, & Murgod, 2018). The job of the forensic picture taker is essential as decent expertise in photography together with continued learning of the mechanics and procedures involved is requisite for legal documentation of proof. According to the US National Institute of Justice’s “Guide for First Responders” (2008), other than accounting for the area of crime commission, there is a requirement for an agent to record not just the scene itself, but also the condition of, the power statuses, and the conditions of the computers together with its attached components and accessories such as storage media, portable components such as thumbnails, PDAs, and Internet access devices.
In a crime scene, while searching for digital evidence, an officer should, therefore, photograph the mentioned devices associated with a computer, before and after marking the scene. Computers may be the portable type – the laptop and handheld devices such as tablets and smartphones – or the non-portable type – the desktop computer. The detective should capture images of the computer’s monitor, as is, whether powered on or not. The desktop computer has a monitor (screen) which is detached from the computer’s central processing unit (CPU). If not available in plain view of the officer, they should locate the separate CPU of a desktop computer and photograph it as well. The keyboard for a desktop computer is also detached hardware, although some computer operating systems provide for an on-screen keyboard.
The investigator should locate and capture an image of the keyboard, mouse (pointer), and other equipment connected to the computer’s CPU, including external speakers and recording devices, if any. With a laptop computer, most of the abovementioned components are a single integrated unit. If flapped, the officer should capture an image of the computer in the flapped condition and capture images of the laptop computer when not flapped. The investigating officer should also capture any other devices peripherally attached to the laptop. For handheld computers, the integration of components is even higher with minimal peripheral components. In the case of handheld computers, the forensic photographer should capture the devices wholly from their front and rear.
There are also other non-component parts of value on a computer; these are serial numbers, make (name of the computer e.g., HP), model (e.g., HP ProBook), and model number (e.g., 4440s). Manufacturers usually inscribe the make, model, and model numbers of desktop and laptop computers on the exterior of the devices. The photographing officer should capture the computer’s make, model, and model number as well. For handheld devices, only the make is available in plain view, the model and model number are usually part of the devices metadata and are only obtainable from the devices’s manifest once powered on. Additionally, the investigators should take images of the devices’ serialization on the computer or its peripheral devices. Serial numbers are unique to each device and the devices’ identities. Manufacturers inscribe serial numbers both exteriorly and in the metadata manifest of the device.
If the photographer cannot locate a serial number on the device, they should do so from the device’s metadata and capture it too. Other than serial numbers, computers have light signals, for instance, power-on light, wireless connection light, web connection light, among others. The investigator should locate and capture images of the light signals on the computer for purposes such as showing the power status, the Internet connection status, among others. Another critical aspect of a computer is networking. Networking computers utilize many different cables and transfer equipment such as LAN and WAN cables, power cables, USB cables, VGA cables, HDMI cables, and the like. For an investigating officer, they should photograph such connectors found on and with a computer and take a keen interest in any information printed on the exterior of these connectors. The officer should capture the connectors in situ and then label them appropriately before proceeding to capture images of the connectors with the appropriate labels.
For an officer, as a first responder, the most emergent action upon arriving at a cyber-crime scene is to secure the scene and evaluate it (National Institute of Justice, 2008). In this preliminary phase, the officer should account for their self-safety as well as the safety of all persons at the scene. The investigator should ensure that, in so doing, they remain within the confines of the Police Department’s policy as well as the federal, state, and local laws. For instance, if the first responder feels unsafe, they should call in for back and detest any manner of action that is provocative or that endangers their lives and the safety of the scene. The investigating officer should secure all electronic devices, and these include personal as well as portable devices (National Institute of Justice, 2008). Another immediate act of great importance is barring unauthorized persons from accessing the scene and rejecting any help volunteered by unauthorized persons.
It is the investigating officer’s duty obligation to secure and seal off the scene of felony commission, and partly the fulfillment of this obligation incorporates expelling all people from the scene of a crime and the area in close proximity to the area from which they plan to gather proof. The official, first on the scene, has an obligation to guarantee that the state of the PC and every single electronic gadget stay unaltered. To this end, the officer may draw up a sketch of the scene as they found it with all devices intact and-or take a photograph of the scene from different angles to ensure they capture all the relevant details. Failure to secure the scene can get the scene compromised, and so will the digital evidence be. Evidence that is compromised may be inadmissible in court or it may lead to an undesired outcome of litigation. Also, failing to secure the scene can lead to the alteration of evidence and probably lead to the officer’s harm. Eventually, first responders should ensure that they leave the computer and other electronic appliances powered off according to the National Institute of Justice guidelines if they found it off. Another huge obligation on the shoulders of a first responder immediately they get to the scene is ensuring that any physical evidence that a scene can offer does not get compromised in any way during documentation.
There is an abundance of potential digital evidence on a PC. A large number of these things are obtainable through a manual or logical/computational extraction procedure. While a portion of the proof overlaps with data found on the web, there are a couple of essential sources that are obtainable from the physical gadget instead of on the Internet (Goodison, Davis, & Jackson, 2015). The latter will typically arise from the computer’s hard disk. The hard disk drive of a computer contains the data stored in and by that computer’s use. Some people call the computer’s hard disk its memory, without which, the computer is unusable. The hard disk is indispensable in the functioning of the computer, and it is, therefore, a component of the most value in a cyber-crime scene. All systems and software used on and by a computer coordinate their actions on the hard disk, and as such, even software, networking applications, and IT networks leave vast amounts of data on the computer’s memory (Goodison et al., 2015). The National Institute of Justice (2008) affirms that a computer’s hard drive indeed contains information like email messages, image (and photograph) files, databases, Internet browsing history, financial records, Internet Chat logs, event logs, as well friend lists and itineraries that would be valuable as evidence during investigation and the prosecution of a crime. These facts affirm the top value that hard disks have in a cyber-crime scene.
For instance, when surfing on the Internet, programs and software will frequently keep up transitory Internet documents, cookies, and browsing history (Goodison et al., 2015). Every one of these things is usable in an investigation to decide the user’s online behavior. Intermittent files and records and cookies are regularly utilized by sites themselves to follow Internet users’ activity and store data. Email and different messages might be found on the physical hard disk of the PC too. Even though most email messages remain in the custody of Internet servers, some messaging programs, and software stores earlier messages onto a PC hard drive. All the information above points out that the computer’s hard disk drive archives almost everything that happens on that particular computer, even if it is in the form of caches, temporary files, or shadow copies.
Encryption is a perfect example of privacy-enhancing technology (PET). PET aims at protecting and preserving the privacy of individuals and the confidentiality of personal information (United Nations Office on Drugs and Crime, 2019). Encryption is, therefore, a way of hiding data by locking out any individual who lacks the encryption code that concealed the data. The International Telecommunication Union, in a 2012 report, defines encryption as “a technique of turning a plain text into an obscured format by using an algorithm” (p. 81). The security of many application software today relies on Hash Functions (or Hash Algorithms) to secure user data. Out of different hash functions stems different security properties depending on the individual security requirements of the application software. There are three fundamental security characteristics of hash algorithms; “pre-image resistance, second pre-image resistance, and collision resistance” (AlAhmad & Alshaikhli, 2013, p. 240).
The pre-image resistance is the lack of ability to learn or know the contents of the data input from the data’s hash digest; “For any given code h, it is computationally infeasible to find x such that H(x) = h” (AlAhmad & Alshaikhli, 2013, p. 240). The second pre-image resistance generates similar hash digests by ensuring that there is an inability to learn or to know about the contents of the subsequent pre-image from the given initial pre-image; “for any given input m, it is computationally infeasible to find y ≠m with H(y) = H(m)” (AlAhmad & Alshaikhli, 2013, p.240). The interpretation of the collision resistance arises when two independent and varying input contents result in a similar hash digest; “it is computationally infeasible to find any pair (m, y) such that H(y) = H(m)” (AlAhmad & Alshaikhli, 2013, p. 240). Novak, Grier, and Gonzales (2018) assert that hash verification is a potential hindrance for sifting collectors during the collection of digital evidence. Owing to the said reason, hash verification (and encryption in general) is a significant concern in a cyber-crime scene investigation.
Hash verification involves the use of an electronic or computational signature otherwise called a verification code or a hash to ensure that a disk image is a match of the original evidence disk as postulated above. In the event of cyber-crime scene investigation, a problem arises with disks that have hash algorithms encryption. Existing techniques for hash check rely upon confirming the whole disk and in this way, are incompatible with Sifting Collectors (Novak et al., 2018). Be that as it may, this issue is not restricted to Sifting Collectors; present-day, solid-state drives (SSDs) are frequently incompatible with a hash check because specific SSD locales are precarious and unstable because of maintenance tasks. However, if there were to be a break between sifting collection and modern practice, the drawback of hash verification (and encryption) could get overcome.
Warrants for the contents of a hard drive are typically restricted to the relationship between the evidence and the crime under investigation. Before starting a search, specialists and investigators must guarantee that they submit to material laws or stand the risk of having held onto evidence proclaimed unacceptable at preliminary trials for inadmissibility. There are certain jurisdictions in which exceptional cases may legitimize search and seizure exercises devoid of a warrant, for example, in case of consent/assent, ‘crisis’ fear-based oppressor and terrorist circumstances, plain view principle, searches related with lawful arrests, among others (Brown, 2015). However, the practical search of the information put away on a gadget, as a rule, requires that an investigator produces a warrant in common law nations/jurisdictions.
In conditions where there is a considerable danger of losing proof, for example, where information sanitization and other anti-crime scene investigation measures are active or imminent, a few jurisdictions license law enforcers to play out a restricted hunt of gadgets without a warrant because of the apparent susceptibility of the information and data in these devices (Brown, 2015; Cole et al., 2015). Remote cleaning and erasure apparatuses are packaged preinstalled on numerous mobile devices and accessible for buy as business software or freeware. During warranted action, examiners may likewise find lawfully ensured sources of ESI, for instance, the principle of lawful expert benefit, open intrigue insusceptibility, among others (Brown, 2015). Such legally protected sources of ESI add a layer of unpredictability to the procedure of proof handling, search, and seizure. Numerous specialist examiners experience authoritative postponements, delays, and adjournments in acquiring constitutional power to direct police examinations because of legal uncertainty about cybercrime offenses.
In most western popular governments, authoritative national legislations exist to implement compliance with universal human rights law, such as the rights to privacy and the freedom of expression. In the United States, for instance, there is still equivocalness about the translation of the Fourth Amendment assurances to the digital world realm (Cole et al., 2015). Concerning the Fourth Amendment and digital proof ventures, the plain view exemption and the closed-container guideline has raised substantial attention (Cole et al., 2015). At the point when an agent is leading a pursuit inside the extent of a warrant and runs over contraband material in plain view, the official has the authority to hold onto it. The issue with digital proof is that the degree is at times overbroad (Brown, 2015). With a substantial warrant, the specialist can look through the entire hard drive as though it were a container, and in this way, the majority of its substance is in ‘plain view’ of the officer.
Contingent upon the judge and proof submitted, courts may constrain the extent of such searches. Legitimate position and best practices for enforcing warrants of search and seizure vary altogether across locales and criminal justice systems, including enactment and standards regulating the treatment of electronic evidence during litigation. At the point when police lead search exercises, equipment (hardware components), programs and software, external storage media, and data in binary and printed structure might be seized. It is occupant for examiners to think about the appropriateness of viewing and forensically obtaining information at the scene, i.e., ‘in situ’ and whether the conditions may legitimize physically holding onto the material for further investigation in a research facility. Cole et al. (2015) contend that, ordinarily, evidence from a warranted search is admissible if the testifying witness had firsthand information of the proof if the proof obtained resulted from an automated process or framework, and if the computerized record(s) meet the business records exemption to the Hearsay Rule.
References
AlAhmad, M., & Alshaikhli, I. (2013). Broad view of cryptographic hash functions. International Journal of Computer Science Issues, 10(4 No.1), 239-246. Web.
Brown, C. (2015). Investigating and prosecuting cybercrime: Forensic dependencies and barriers to justice. International Journal of Cyber Criminology, 9(1), 55-119. Web.
Cole, K., Gupta, S., Gurugubelli, D., & Rodgers, M. (2015). A review of recent case law related to digital forensics: The current issues. In Annual ADFSL Conference on Digital Forensics, Security and Law (pp. 95-104). Daytona Beach, FL: Embry-Riddle Aeronautical University, Scholarly Commons. Web.
Goodison, S., Davis, R., & Jackson, B. (2015). Digital evidence and the US criminal justice system: Identifying technology and other needs to more effectively acquire and utilize digital evidence. Web.
Gouse, S., Karnam, S., Girish, H., & Murgod, S. (2018). Forensic photography: Prospect through the lens. Journal Of Forensic Dental Sciences, 10(1), 2-4. Web.
International Telecommunication Union. (2012). Understanding cybercrime: Phenomena, challenges, and legal response. Web.
National Institute of Justice. (2008). Electronic crime scene investigation: A guide for first responders, Second Edition. Web.
Novak, M., Grier, J., & Gonzales, D. (2018). New approaches to digital evidence acquisition and analysis. Web.
United Nations Office on Drugs and Crime. (2019). Cybercrime module 10 key issues: Enforcement of privacy and data protection laws. Web.