Analysis of the practice of investigating high-tech crimes shows that, in most cases, the information contained in electronic media is used as evidence in criminal cases. The latter is most often seized in the course of investigative inspections, seizures, searches, other investigative actions, and operational and investigative activities. Objects of forensic science are storage mediums that are not part of other devices and which fulfill the function of information storage as the main one. These include external hard disk drives, including those connected via USB interface; optical data storage media (CD, DVD, Blu-ray disks); various designs of flash memory cards (Lehto and Neittaanmäki 44). In the course of investigative actions, such as almost obsolete data carriers such as floppy disks (flexible magnetic disk drives), magnetic tape drives (streamer cassettes), magneto-optical disks, and disks for Zip-drives may also be found. In addition, electronic data carriers are internal hard magnetic disk drives installed using computer technology. It is on such devices, which are part of the servers of companies and employees’ personal computers that there is most often information of particular interest for the investigation.
Recently, storage of large volumes of computer data in so-called cloud storages, located on remote network servers, has become increasingly widespread, which must be taken into account when searching for forensically relevant information. It is also necessary to keep in mind that most modern electronic digital devices are equipped with various types of flash memory cards. Criminals may intentionally conceal relevant information by writing it to a flash card placed in a device that may not recognize the information. For example, a photo frame hanging on the wall may have a memory card on which, along with photo files, other files not playable by this device are recorded. Textual information may be encrypted or covertly placed in other types of files using steganography methods, which will require the use of cryptanalysis and steganalysis algorithms in laboratory conditions during specialized expertise.
Criminalistics distinguishes four stages in the handling of digital data in the process of investigation: identification, collection, retrieval, and preservation of the information acquired. The first step involves finding and recognizing relevant evidence and documenting it. This stage prioritizes the collection of evidence-based on the value and variability of the evidence. The second step consists of collecting the devices containing digital data that may serve as evidence. These media are then analyzed in a forensic laboratory or agency to collect and analyze digital evidence (Lehto and Neittaanmäki 67). This process is referred to as a collection of static data. The basic principle behind the implementation of the third stage is that digital data must be retrieved as an integral massive. As part of the preservation phase, it is essential to ensure the integrity of the digital data by means of an evidence preservation system. Additional steps in the media handling are analysis with specialized programs as well as reporting of the work performed.
As part of this investigation, computer analysis was performed on copies of hard drives seized from the laboratories. The computer forensics was conducted under the U.S. Attorney’s Office’s supervision per all accepted computer forensics methodologies. As a result of the examination, a report was drawn up describing all the crimes identified during the work with the seized information. In this case, the specialists performed all the necessary steps in working with digital evidence, including the identification, collection, acquisition, and storage of information and its analysis and report writing.
Work Cited
Lehto, Martti, and Pekka Neittaanmäki. Cyber Security: Critical Infrastructure Protection (Computational Methods in Applied Sciences). Springer, 2022.