Introduction
The main objective of computer forensics is to examine the validity of electronic evidence in a manner that is acceptable in a court of law. The basic procedures involved in computer forensics are the identification, preservation, recovery, analysis and preservation of digital evidence gathered.
Computer forensics does not play a significant role in alleviating computer crime but also an integral process in civil proceedings that involves the application of techniques and practices aimed at the establishment of a legitimate examination trail (Blackley et al., 2003).
This paper outlines the steps required in making electronic evidence acceptable in court, the various crimes, and incidents involved in electronic forensic investigations and the importance of security and computer policy applications.
In addition, the paper provides an overview of the techniques used in obtaining evidence from the internet and web resources, the types of evidence that can be recovered from electronic and computer resources, and the importance of documentation and chain-of-custody in the judicial process.
Steps necessary to make electronic evidence acceptable in court
The practices involved in the examination of digital evidence and evidence collected because of computer forensics investigation are usually the same. The admissibility of digital evidence in a court of law is impeded by the fact that most digital evidence is collected without legal authority. This implies that digital investigation is problematic in making collected evidence acceptable in a law court (Brenner, 2007).
With the chief objective of acquiring and analyzing digital evidence, there are three fundamental steps in making the collected evidence acceptable in a law court: evidence acquisition, authentication and relevance, and analysis.
A typical example to illustrate this is during the seizure of a suspect’s hard drive, a copy of the hard drive is made, after which it is analyzed to ascertain relevance to the court case and identify potential evidence such as deleted files (Bunting, 2007).
Evidence acquisition for electronic evidence varies depending on the type of evidence. The significant challenge is acquiring electronic evidence to ascertain its location. For instance, some computer forensic processes require the examination of data stored in hard drives and log files, which are stored in the Random Access Memory of the computers.
There is standardized procedure in gathering electronic evidence, implying that the investigator must deploy suitable evidence collection methodology in order to secure the electronic evidence. It is also imperative that the investigator must collect the evidence in its raw state to not to temper the integrity and value of the evidence.
Integrity and value of the evidence play a significant role in making electronic evidence acceptable in a law court. Some of the steps involved in collecting digital evidence include the chain of custody, identification, preservation, and finally transport and storage.
The chain of custody serves to protect the evidence and ensure that the evidence was not subjected to alteration and modification during the period that the evidence was in custody. Identification of evidence requires immense expertise concerning computer hardware and digital media (Clarke, 2010).
It is essential to collect the evidence immediately after its identification in order to avoid modification of the evidence due to subsequent computer usage. Duplication and imaging are sometimes done in order to facilitate a systematic analysis of the evidence. The forensic investigators have the responsibility of ensuring that the duplicating utility does not alter or introduce new features into the originally collected evidence.
Duplication of evidence is bound to affect the admissibility of evidence in a court; this implies that the forensic investigators have to ensure that the copy is an exact replicate and a valid one. Also, they must ascertain the repeatability of the imaging process (Clarke, 2010).
The second step in making digital evidence admissible in a law court is authentication of the evidence. This entails ensuring that the gathered evidence represents the exact copy during the time of identification of the crime. In this context, the forensic investigators have responsibility of ensuring that the collected evidence is from a computer or any digital media that was available at the crime scene during identification of the crime.
The evidence must not be altered or destroyed in order to prove its authenticity. One vital technique used in evidence authentication is time stamping, whereby the duplicated evidence is compared with the original copy of the evidence (Cowen, 2009).
A third step in making electronic evidence acceptable in a court of law is to evidence analysis. This involves using validated tools that are not bound to taint the evidence collected. Some of the most common activities during evidence analysis include searching the database files for any pertinent data, searching and recovery of deleted files and noting the changes in the system states (Cowen, 2009).
Report generation accompanies the analysis process whereby all the steps involved during the computer forensics investigation processes are documented in a manner that they depict the relevance of the evidence to the case. The report generated must be able to counter any legal challenges in the courtroom (Kruse & Heiser, 2002).
Crimes and incidences involved in computer forensics investigation
Various kinds of crimes and incidences warrant the deployment of computer forensics investigation in order to uncover the offenders and the nature of crime. One of the most common crimes that require computer forensics is network intrusion and hacking crimes. These entail gaining unauthorized access to people’s networks and computer systems.
Hacking and network intrusion are typical examples of violation of computer security policies (Kruse & Heiser, 2002). The main objective behind hacking and network intrusion is to steal and modify information without the knowledge of the owner. The application of computer forensics, in this case, is to examine the log trails in order to identify the nature of information stolen and trace the hacker.
It is therefore essential for network administrators to have prior knowledge of computer forensics in order to counter hacking and network intrusion crimes. In addition, network and information systems administrators require fundamental computer forensics skills in order to enhance the survivability of an organization’s network (Kruse & Heiser, 2002).
The second kind of crime involved in computer forensics investigation is cyber terrorism, whereby an attacker uses a computer attack to government agencies with the aim of destroying or modifying critical information concerning the activities of such agencies.
Cyber attackers may be influenced politically or socially depending on the context of the attack. In most cases, it entails the use of the internet resources to administer such attacks. Computer forensics, in this case, serves to identify the nature of the crime, the motive of the attacker and possibly trace the source of the attack.
The third type of crime associated with computer forensics is computer fraud, which refers to deceitful misrepresentation of information with the intent of gaining benefit from such actions. Fraud is diverse and entails the use of false identities to instill identity theft, consumer-based frauds and other cybercrimes (Cowen, 2009).
Computer fraud can be initiated in various ways, with the first approach being modifying of computer data without authority. This needs minimal technical knowhow; it is mostly evident in cases whereby by data entry staff input the wrong data intentionally or modifying the data before entry into a computer system.
The second manner in which computer fraud can be initiated is through destroying or modifying the output with the intent of hiding unauthorized computer-based transactions.
Deletion and modification of stored information is also a way of initiating computer fraud. Another common type of computer fraud is misusing computer software for dishonest purposes. The detection of such crimes requires computer forensics (Newman, 2007).
Crimes that result to loss of computer information and affecting the integrity of such information warrant the deployment of computer forensics in attempt to determine offender and the nature of the crime. Computer viruses are a typical example of such crimes. The creation and spread of computer viruses are illegal.
Computer forensics serves to identify the source of computer viruses, the objectives of creating the malicious code and the individual behind it. Other crimes that require computer forensics include phishing frauds, which involves posting links that appear to be somewhat trusted and requesting users to input their personal information (Ross, 2000).
Computer forensics also play a significant role in detecting sex crimes and child pornography carried using the internet and other web sources. Computer forensics can also be applied in crimes relating to intellectual property theft (Newman, 2007).
Importance of security and computer use policies
Computer use and security policies are an integral part of ensuring information systems security within an organization. With the increasing internet use, organizations have the need to implement various security policies in order to guarantee the security and integrity of their data within and outside the organization’s environment.
The first importance of computer use and security policies is that it ensures confidentiality breach of data in an organization (Newman, 2007). Confidentiality is a computer security concept that aims at alleviating releasing of information to individuals and systems that have no permission to access such files.
Computer use and security policies ensure confidentiality by limiting the access to critical information in the organization’s information system. This implies that effective computer use and security policies are essential in ensuring privacy of information deemed critical and confidential to the organization or any individual (Vacca, 2005).
Computer use and security policies ensure the integrity of information. Data integrity is ensured when the information cannot be edited due to limited access to the data, and in cases whereby the data has been modified, it is easy to identify and track the changes made to the data.
Computer use and security policies foster data integrity by limiting the personnel and their respective access rights to an organization’s database. Integrity can be implemented through formulation of administrative and logical control policies when accessing information a database (Wall, 2007).
Physical controls and separation of duties are essential in ensuring that data integrity and confidentiality are maintained in an organization.
Another important aspect of computer use and security policies is facilitating availability of information. Information availability means that the data should be available when its use is needed. Availability of data is achieved through the implementation of security control policies aimed at protecting the various access channels and ensure that computer systems are functionally as expected.
Security policies facilitate availability through detecting of the various intrusion programs that may impede the functionality of computer systems and network within an organization (Newman, 2007).
Accountability is an essential concept in the information systems of organizations. Accountability means that individuals are answerable for any operations that take place in the information of an organization.
For instance, if a network administrator is the only one who has the access rights of modifying the database, he is the one accountable for cases relating to modification, or he breached confidentiality by issuing his credentials to allow the modification of information. It is, therefore, evident that computer use and security policies play an essential role in ensuring accountability in an organization (Wall, 2007).
Another importance of implementing computer use and security policies is that it helps to mitigate the costs associated with data losses, computer crimes, and computer security problems. Computer crimes are significantly increasing resulting to loss of valuable data and electronic sabotage.
Due to this, organizations that have not implemented effective computer security policies and strategies are more vulnerable to risks associated with computer security. The present state of the internet filled with malicious users, untrusted links, and employees warrants the deployment of effective computer security policies to protect an organization’s information assets.
The costs associated with network breaches and information disclosures are high, this means that preventive strategies such as computer use and security policies are a requirement in order to mitigate such costs. It is therefore important for organizations to deploy appropriate computer security policies as a risk management strategy against confidentiality breaches, data losses and integrity and ensuring accountability (Wall, 2007).
Techniques used to obtain evidence from the internet and web resources
Computer forensics significantly relies on the internet and other web resources for gathering evidence regarding computer crimes. It is important to ascertain the admissibility and relevance of evidence before embarking on evidence collection strategies.
The techniques deployed during evidence collection must ensure that they do not tamper or alter the digital evidence. There are no standard procedures used by investigators to collect the evidence from the internet. However, there are standard guiding principles that can be applied in order to collect evidence over the internet and other web resources as described below (Blackley, Peltier, & Pelitier, 2003).
The first approach of collecting evidence from the internet is to put into consideration the order of volatility of the evidence. With this regard, the investigator should first gather evidence from sources that are more volatile and proceed to sources that less versatile.
For instance, sources that are more volatile can be temporary internet files, registers and the routing table. Sources such as archival media and physical configuration are less volatile and should be considered last (Ross, 2000).
It is essential to incorporate evidence collection steps that facilitate the gathering of transparent and reproducible evidence. With this regard, the first stage is to identify the evidence by listing the various systems involved and a detailed description of the incident.
The next procedure is to establish the admissibility and relevance of the evidence and establish the volatility rank of the various system elements and potential sources of evidence. It is essential to eliminate any elements in the network that may introduce changes in the evidence. The next procedure is to collect the evidence putting to consideration their order of volatility.
Documenting each procedure and the evidence collected is essential since it eliminates the possibility of the collected evidence being challenged in a court of law in admissibility grounds. Generation of checksums and deployment of cryptographic signs is important because it helps in the preservation of evidence and creating of audit log of the computer crime (Ross, 2000).
Archiving evidence is another important technique in collecting evidence from the internet and web resources. Archiving involves the securing the evidence and documenting the necessary procedures during evidence collection. Computer forensic investigators should use the common storage devices and access to archived evidence should be limited.
This implies that the evidence security measures should be deployed in order to facilitate the detection of any unauthorized access of the evidence. There are diverse set of tools required for collecting evidence in various operating systems platforms. For instance, it is vital for a forensic investigator to have an application program used for evaluating the processes, the system state and carrying out bit-to-bit duplication.
Also, the investigator should have application programs for creating checksums and digital signatures, applications for creating images for analysis and scripts to facilitate the evidence collection process through automation. It is important to put into consideration the authenticity of the evidence collection tools and application programs in order to alteration of evidence (Ross, 2000).
Types of evidence that can be recovered from computer and electronic devices
Computer and electronic devices are potential sources of evidence for a criminal case proceeding. Some of the digital devices that can hold evidence include hard drives, flash memories, Personal Digital Assistants (PDAs), printers, mobile phones, and floppy drives. One of the types of evidence that can be collected from electronic devices and computer systems is physical evidence.
Physical evidence is broad an entails all the material evidence such as digital cameras, storage media, video footages and audio trails, which attempt to provide a link between the offender and the criminal case at hand. It is imperative for forensic investigators to gather physical evidence that can be reproduced.
The most common type of physical evidence that can be gathered from a computer and digital storage media is documentary evidence, which refers to evidence in the form of business logs, manual, printouts, and files that are computer-generated.
Therefore, during evidence collection, the computer forensic investigator has the responsibility of collecting all the available physical evidence such as the computer system itself, the documentations, and systems logs (Vacca, 2005).
Computers can provide computer-generated evidence, which are divided into four basic categories: visual output, printed evidence, film, and audio footage, which can be stored on optical disks and hard drives. A legal drawback of computer-generated evidence is that it is perceived to be hearsay by most of the legal courts (Clarke, 2010).
Computers and electronic devices can also provide digital evidence, which refers to information regarding a criminal case that can be used during a trial in a court case. Digital evidence is broad an entails any files that the computer and other electronic devices generate during the course of their usage.
For instance, emails, histories and logs of internet browsers and network activities respectively, and documents such as notepads. Digital evidence is somewhat similar to the traditional physical evidence but has an added advantage of being difficult to extinguish and its duplication is easy (Brenner, 2007).
Another type of evidence that properly configured electronic devices and computer systems provide is log evidence. Logs are trails of activity on computer system such as network activities and operating system activities.
Within the context of computer forensic investigation, logs play an important role in facilitating the integrity of evidence, normalization, data reduction, and time stamping. This means that log files serve as a potential source of evidence during the analysis of computer crimes activities (Cowen, 2009).
Importance of documentation and chain-of-custody in the forensic process
Documentation is an integral step in any forensic investigation process. This means the computer forensic investigation procedures should put into consideration the documentation of all the people involved during the process and the roles they played during the evidence collection phase.
A chain-of-custody represents the chronological account of the investigation procedures; as a result, they are used in ensuring accountability during the investigation process.
Documentation and chain-of-custody reveal all the steps undertaken in identifying and collecting evidence and reports the conditions put into consideration to make the evidence relevant to the case at hand. In addition, the chain-of-custody provides all the activities undertaken in ensuring security of evidence and storage (Ross, 2000).
The first significant importance of documentation and chain-of-custody in the forensic process is that it helps in ascertaining the admissibility of digital evidence in a court of law.
Documenting all the procedures and people involved during an investigation is one of the key requirements in ensuring integrity of evidence; this means that presenting evidence with chain-of-custody increases the admissibility of forensic evidence (Vacca, 2005).
Another importance of documentation and chain-of-custody is that it helps the evidence to withstand any legal challenges regarding the originality of the collected evidence during the judicial process. This is fostered through ensuring accountability of the personnel responsible for handling the evidence and a record of all the conditions that the evidence was initially collected.
In a court of law, it is a requirement that the chain-of-custody should report all the personnel responsible for handling the evidence and that it should not have been subjected to modification, in other words, the presented evidence should be the one that investigators collected in a crime scene without any discrepancies (Wall, 2007).
The third importance of documentation and chain-of-custody is that it facilitates the analysis of forensic evidence by the investigators. Having a systematic documentation of processes involved in evidence collection makes evidence analysis easier.
In addition, it facilitates the making of jurisdictional judgments easier. This means that documentation and chain-of-custody has a significant role and value in establishing the origins of evidence and its influence on the case at hand. Also, the documentation facilitates the process of criminal scene reconstruction, making the forensic investigation process less difficult (Kruse & Heiser, 2002).
EnCase
EnCase is one of the computer forensics tools developed by Guidance Software. The first use of EnCase is to provide an analysis of digital media for forensic investigations, data investigations, and recovery. Most of the law enforcement agencies consider the EnCase forensic tool as a standard for analyzing digital media during evidence collection.
Some of the services available in the software include data acquisition, parsing of file, and retrieval and recovery of data. A typical example where EnCase was used in the criminal court was the case of BTK killer, whereby EnCase was used for data recovery (Bunting, 2007). EnCase forensic was developed for computer forensic practitioners who want to collect evidence in a repeatable manner.
Product features and functionalities of EnCase Forensic tool
One of the most outstanding features of EnCase Forensic is that has inbuilt automated tools aimed at speeding up the forensic investigation process. Some of the automation tools include EnScript, which enables user to write scripts and at the same time use prebuilt scripts. It also has an Active Directory for extracting data and recovery partitions used in the recovery of deleted files (Bunting, 2007).
The EnCase forensic tool comes with analysis features such as hash analysis, a log parser used in the study of Windows events, analysis of digital file signature and a file finder, which is used to detect and extract files in unallocated disk spaces.
The EnCase facilitates reporting through generation of automatic reports. This is done through providing a list of all the Uniform Resource Locators and the respective dates that the sites were visited by a user. Besides, the EnCase supports the generation of log reports and incidence response reports (Bunting, 2007).
The EnCase forensic tool has features that can facilitate the investigation and probe processes on email and internet. Some of these tools are used for analysis of browser history and providing email support. Other features of the EnCase forensic tool include bookmark features, searching and data acquisition support. The starting price for purchasing EnCase Forensics tools is $ 9995.
How EnCase facilitates the forensic investigation process
EnCase functions by generating an exact copy of the authentic digital media gathered in a crime scene. After the creation of a copy in binary form, EnCase does the verification through generation of hash values that are used in revealing when the collected evidence has been tampered with.
EnCase can be customized in order to facilitate the automation of investigative processes that may be consuming too much time. Report generation is an essential aspect of the EnCase that makes the whole investigation process easier (Kruse & Heiser, 2002).
References
Blackley, J. A., Peltier, J., & Pelitier, T. (2003). Information Security Fundamentals. New York.
Brenner, S. (2007). Law in an Era of Smart Technology. Oxford: Oxford University Press.
Bunting, S. (2007). EnCase Computer Forensics, Includes DVD: The Official EnCE: EnCase Certified Examiner Study Guide. John Wiley and Sons.
Clarke, N. (2010). Computer Forensics. New york: IT Governance Ltd.
Cowen, D. (2009). Hacking Exposed Computer Forensics, Second Edition: Computer Forensics Secrets & Solutions. New York: McGraw Hill Professional.
Kruse, W., & Heiser, J. (2002). Computer forensics: incident response essentials. New Jersey: Addison-Wesley.
Newman, R. C. (2007). Computer Forensics: Evidence Collection and Management. New york: Auerbach Publications: Taylor and Francis Group.
Ross, S. (2000). Digital archaeology? Rescuing Neglected or Damaged Data Resources. London: British Library and Joint Information Systems Committee.
Vacca, J. (2005). Computer forensics: computer crime scene investigation, Volume 1. New York: Cengage Learning.
Wall, D. S. (2007). Cybercrimes: The transformation of crime in the information age. New York: Cambridge University Press.