The world today is characterized by advancing technologies. The amount of information generated, stored, and distributed using electronic means on a daily basis keeps on increasing. As a result, agencies concerned with security and other regulations have to constantly gather digital evidence to use for law enforcement.
Only people specifically trained in digital evidence investigation and presentation are properly equipped to conduct the exercise. The definition of digital evidence used here is information and data of value to an investigation. This data could be stored on a device.
Alternatively, users can use an electronic device to receive or send the same information. In most cases, digital evidence is latent, in the sense that it is not visible without tools to recover it, and it can cross jurisdictional borders quickly and easily. Moreover, digital evidence is easy to alter, damage, or destroy, so it is usually time sensitive.
The use of digital evidence arises in serious criminal investigations such as rape, carjacking, child abuse, or exploitation. It is also relevant for prosecuting piracy, property crimes and terrorism. Information from before and after the crime is crucial for an investigator. Crimes can also be committed entirely through digital means: when crimes like economic fraud or identity theft happen, they leave an electronic trail of information.
Although any evidence could be used in a forensic investigation, not every set of rules of evidence admits every type of digital evidence; thus, it is important to first know how the rules apply before proceeding with the presentation of evidence. A typical presentation of digital evidence follows four steps, collection, examination, analysis, and reporting, with each step having its own requirements.
Hard drives store data, and the devices consist of an external circuit board, power connections, and external data connections. The interface technology determines the type of drive: for example, a drive can be SCSI, SATA, IDE 40-pin or IDE 44-pin. More recently, the Solid State Drive (SSD), which does not contain moving parts, has been developed (Mukasey, Sedgwick, & Hagy, 2008).
The technology of the drive relates to the manner used to store data or the method of connecting to other computer-system parts, like the motherboard. Hard drives could be internal in the computer system or installed externally.
An internal hard drive can be converted to an external one by fitting it in an enclosure with the appropriate connectors. In the same sense, a number of hard drives can be combined to increase the capacity of a computer system or to provide central storage for a network (Mukasey, Sedgwick, & Hagy, 2008).
When handling hard drives, first responders to the scene of investigation must have the right hard drive handling tools, which include antistatic bags and non-magnetic tools (Mukasey, Sedgwick, & Hagy, 2008). Unlike other storage devices, which mainly contain usable data that is transferable to other systems and devices, hard drives also hold the operating system of a given computer system (Nelson, Phillips, & Steuart, 2010).
Evidence on hard drives
Data on a running computer changes continually: running processes write to the disk, and the contents of RAM are lost at power-off. Where volatile evidence such as running processes or network connections matters, it is captured live before shutdown. The conventional procedure is then to power the computer off, remove the hard drive, and image it from a separate forensic workstation through a write blocker. The image, verified against the original by a cryptographic hash, is used to present the evidence, so that the original data stays intact without any manipulation.
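The hash verification step described above, as an added example that is not part of the original paper: the "drive" is a constructed byte string standing in for a write-blocked read of the device, and the function names are this example's own. The same chunked hashing applies unchanged to a multi-gigabyte image file.

```python
import hashlib
from typing import Dict

# Constructed stand-in for the raw bytes of a seized drive (not a real disk image).
SOURCE_DRIVE = (b"boot sector\x00" + b"\x00" * 500 + b"invoice.docx contents") * 4

def sha256_of(data: bytes) -> str:
    """Hash the byte stream in fixed-size chunks, as one would for a multi-GB image."""
    h = hashlib.sha256()
    view = memoryview(data)
    for offset in range(0, len(view), 4096):
        h.update(view[offset:offset + 4096])
    return h.hexdigest()

def acquire_image(source: bytes) -> bytes:
    """Bit-for-bit copy; the forensic image must be byte-identical to the original."""
    return bytes(source)

def verify_image(source: bytes, image: bytes) -> Dict[str, object]:
    """Compare the hash of the original with the hash of the copy.

    A mismatch means either the copy is incomplete or the original was modified
    (for example, a file was opened on the live system between hashing and imaging)."""
    src_hash = sha256_of(source)
    img_hash = sha256_of(image)
    return {
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": src_hash == img_hash,
    }

if __name__ == "__main__":
    img = acquire_image(SOURCE_DRIVE)
    print(verify_image(SOURCE_DRIVE, img))
    # A single changed byte breaks verification.
    print(verify_image(SOURCE_DRIVE, img[:-1] + b"X")["verified"])
```

Both hash values and the verification result belong in the acquisition notes, so that a later examiner who re-hashes the image can show it has not changed since collection.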
On a hard drive, evidence will be in files created by computer users, which include documents and multimedia content. Apart from the files themselves, there is metadata that can give the name of the file creator, the creation date, the owner of the computer, the edits made to files, and the time of last access, among other information that can help describe a person's actions and intentions.
However, timestamps on files stored on hard drives can be changed with specialized software. Therefore, in addition to checking the metadata, there should also be checks for tampering and for inconsistencies in the data collected (Maras, 2014). The hard drive may also contain files protected by the computer user; typically, encryption and password protection are the methods used.
The computer also creates files automatically, including log files, system files, and backup files stored on the hard drive (Maras, 2014). Data on a hard drive can also be disguised in a different file format, giving a false impression of the contents of a file.
For example, a movie could be hidden as a Word document by changing its file extension, although the content signature (the leading bytes of the file) still reveals the real format. Images can also hold hidden information (steganography) that is only accessible with special software. Thus, it is important to examine all files collected from hard drives carefully.
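Checking for extension mismatches of the kind just described, as an added example that is not from the original paper. The signature table covers a handful of common formats; the sample "files" are constructed stubs (a few header bytes each), and the function names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

# (offset, magic bytes, extensions that legitimately carry that signature)
SIGNATURES: List[Tuple[int, bytes, Tuple[str, ...]]] = [
    (0, b"\xff\xd8\xff", ("jpg", "jpeg")),
    (0, b"\x89PNG\r\n\x1a\n", ("png",)),
    (0, b"GIF87a", ("gif",)),
    (0, b"GIF89a", ("gif",)),
    (0, b"%PDF-", ("pdf",)),
    (0, b"PK\x03\x04", ("zip", "docx", "xlsx", "pptx")),      # OOXML documents are ZIP containers
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ("doc", "xls", "ppt")),  # legacy OLE2 Office files
    (4, b"ftyp", ("mp4", "m4v", "mov")),                        # ISO media: 'ftyp' box after a 4-byte size
]

def sniff_type(data: bytes) -> Optional[Tuple[str, ...]]:
    """Return the extensions consistent with the leading bytes, or None if the format is unknown."""
    for offset, magic, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return exts
    return None

def find_disguised(files: Dict[str, bytes]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """List (name, claimed extension, extensions implied by content) for every mismatch.

    Files with no recognised signature are skipped rather than flagged; a plain text
    file has no magic bytes, so its absence proves nothing."""
    mismatches = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = sniff_type(data)
        if actual is not None and ext not in actual:
            mismatches.append((name, ext, actual))
    return mismatches

# Constructed samples: a video renamed as a Word document, a JPEG renamed as a text
# note, a genuine .docx, and a plain text file. Payloads are truncated stubs.
SAMPLE_FILES = {
    "quarterly_report.doc": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64,
    "todo.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
    "memo.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 64,
    "readme.txt": b"plain text, no signature",
}

if __name__ == "__main__":
    for name, ext, actual in find_disguised(SAMPLE_FILES):
        print(f"{name}: extension .{ext} but content looks like {'/'.join(actual)}")
```

Forensic suites do this across an entire image; the point of the small version is that the check is cheap, purely content-based, and independent of anything the user can rename.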
Memory cards are small and are mainly used with portable devices like video game consoles and handheld electronic devices. They come in different storage sizes and standard formats, such as SmartMedia, Secure Digital (SD), miniSD and microSD, as well as CompactFlash and Memory Stick (Mukasey, Sedgwick, & Hagy, 2008).
Memory cards use floating-gate transistors to create non-volatile memory. Memory cards can have NOR or NAND types of flash memory; the names refer to the logic-gate style in which the cells are wired, and the two arrangements differ substantially in architecture.
Most flash memory cards use NAND memory, whose lifetime is measured in program/erase cycles, on the order of 100,000 erases per block. The NAND flash in memory cards has made them ideal storage devices because it offers low cost, high density and fast program/erase operations (Nelson, Phillips, & Steuart, 2010).
Just like hard drives, memory cards are subject to corruption during collection, packaging, transportation or storage. They store digital evidence such as passwords, notes, hardware or software manuals, media, and log information, among other types of information. Handling of the evidence requires proper documentation, labelling, and an evidence inventory.
During transportation and storage, the memory cards should be put away from magnets and excessive heat, cold, or humidity because these factors cause damage to data integrity. Excessive vibrations should also be avoided.
Assuming that proper procedures are followed for collecting and analyzing memory cards, it is important to also include an audit trail of all related documentations and processes that were applied to the determination of the digital evidence.
This trail should be preserved together with the digital evidence to provide the right context for review during a presentation. For example, a third party examiner will rely on both the actual evidence and its accompanying documentation to achieve the same result as primary investigators.
Not all recovery tools are able to retrieve information in its original form from memory cards. Therefore, one first has to find a reliable tool whose results would be acceptable to the parties involved in the information extraction.
This applies in particular to data that has already been erased or is damaged on the memory card; undeleted data only needs to be accessed by conventional means. Still, users might use secure file deletion tools to remove evidence of data from memory cards, and more powerful recovery tools would be needed in such cases (Al-Hajri & Williams, 2007).
Evidence in memory cards
When used in mobile devices, memory cards store emails, sounds, multimedia messages, WAP/web browser history, calendar items, contacts, and geolocation data. The type of phone or device affects the format of data storage on the memory card, mainly because of the different firmware and operating systems used by devices.
Retrieving information from a memory card that is still lodged in a device is problematic because the extraction must go through the device's own operating system, which can only retrieve live data and cannot recover deleted data.
The use of network features, such as Bluetooth and Wi-Fi to access the memory card data, may also pose access and transferability challenges, as some data is deemed inaccessible through these means. Data collectors must be aware of the limitations of various methods and first consider the impact of the limitation to the collection of evidence before opting to use a given technique (Lesemann & Mahalik, 2008).
Networks consist of two or more computers. They may be linked by wireless connections or data cables. Moreover, entire systems could also be connected to other systems using cables and wireless technologies, like the case of smart traffic grid systems. These networks all contain different network equipment that offer data collection options for digital forensic investigators and assist in presentation of digital evidence.
The emergence of new information technologies, such as cloud computing, has expanded the storage that both individuals and businesses have access to, especially from a cost point of view. In such scenarios, consumption and delivery of IT occur over networks.
An underlying assumption is that users can scale up or down on demand. The cloud mostly exists on the Internet, which by definition is already a collection of computer networks internetworked using standardized protocols.
For this paper, networking equipment refers to the computer peripheral devices and equipment that would be used to link computers in a small or medium enterprise setting. In this case the equipment includes modems, routers, servers, shared printers, shared scanners, and other shared physical computer resources. Various firms provide commercial computing resources, mainly storage and processing services.
Users connecting to these cloud services will be considered as part of networks. The equipment used by the cloud provider to provide remote services such as servers will be considered as network equipment as defined in this paper.
Evidence in networking equipment
Data passing through the network infrastructure such as file access by remote users to a central server leaves metadata within the network equipment. MAC addresses and IP addresses can help to identify devices and computers using a network, and thus act as evidence. Data transfer statistics are usually available from network equipment directly or by connecting the equipment to a computer for review.
The nature of network data access allows evidence collectors to use any part of the network, as long as they have adequate permissions to access every aspect of the network from the initial connection point (Casey, 2011). Network eavesdropping is the most common approach to accessing digital evidence from network equipment.
Investigators can use network monitoring tools to connect to network equipment and then access the same data that the equipment is handling. The technique known as sniffing allows the investigator to capture the information travelling through a network. However, it is limited to the traffic passing through at the time because it cannot access information that has already passed through the equipment.
Network equipment handles data at the physical and data-link layers as well as at the network and application layers, such as TCP/IP and HTTP traffic (Casey, 2011). So, rather than merely relying on live data, investigators can also use data stored on routers and switches that relates to the data-link layer, such as MAC address tables and ARP caches.
That data would be evidence showing which computers were attached to the network and the characteristics of the data they transmitted. Lastly, it is important to note that sniffing and access to network equipment are often subject to legal regulation.
Challenge for networking equipment
Accessing networking equipment can be a challenge because users may not own the equipment. Equipment and service providers may themselves be leasing it and therefore not liable to prosecution for accessing or tampering with the capabilities of the equipment (Dykstra, 2013).
Global Positioning Systems
The acquisition and collection of GPS evidence provides digital investigators with location data. The investigators would be interested in collecting coordinates from a GPS receiver and ensuring that the collected data is original and unaltered.
The location of an individual is regarded as sensitive data and demands careful treatment whether the data is inside a dedicated GPS device, a personal digital assistant, or any other portable device with GPS functionality. Unlike GPS-specific equipment, mobile phones and tablets combine GPS technology with other location-based technology like cell-tower positioning.
Thus, the same principles used to collect digital evidence from GPS-only gadgets can be used to gather evidence of where a mobile device has travelled. Often, the last 200 cell locations are obtainable, though they may not position the device as accurately as GPS equipment would. In addition to the hardware of a GPS device, there is also the operating system.
Most devices use variations of the open source Linux OS. The open source model present in most portable devices allows software developers to add useful applications to the devices.
The operating system manages memory, creates processes and threads, and manages all other networking, file system, flash management, and RAM file system features of the device (Nelson, Phillips, & Steuart, 2010).
Challenges of GPS systems
When collecting sensitive data from global positioning systems, it is important to use systems that protect the data after validating its originality. This prevents further corruption of the data during the process of evidence presentation.
For example, the collection system could record a cryptographic hash of the validated information and store it encrypted, together with timestamps and a record of its provenance. The evidence would then be accessible to digital investigators multiple times without any risk to its originality.
The presentation of digital evidence from GPS has to follow the rules and guidelines of the overseeing legal authority. There are two key reasons for abiding by the law. Firstly, individuals have a right to privacy.
Secondly, law enforcers and investigators cannot operate beyond the rules governing their work. Therefore, only data obtained and presented by lawful means is accepted in court. Thus, the process of collection and examination has to be sensitive to the applicable regulations (Casey, 2011).
Evidence in GPS equipment
Portable devices equipped with GPS positioning capabilities save location-specific information by default on their internal storage. However, that storage is usually accessible only to the system and to device technicians. Particular files stored on the device contain cell tower and Wi-Fi information, coordinates, last connection times and locations, and usage patterns of the device.
The information about location can also be part of the metadata on files sent and received or created by the device, as in the case of smartphones used as GPS systems. Other than direct system files, there are specific software files on the device that would contain GPS location when the software uses the same information for its proper functioning.
Sometimes, the relevant files are uploaded to central servers with only the most recent information being on the device. In this case, devices have unique identifiers that allow them to connect and access the data when needed (Sun, 2012).
Another source of GPS information may not be on the device itself, but in the data stored by other devices or networks that originated from the device of interest.
For example, a satellite navigation system may be providing directions to a driver and the directions provided are stored in a server belonging to a company providing the navigation service. A photo sent from a location enabled gadget to a social network could contain location information, which show exactly when and where a photo was taken (Casey, 2011).
Prioritization of usefulness against network intrusion, malware installation, and insider file deletion
Hard drives offer evidence of network intrusion because they hold the computer's log files and user-account information. Network equipment too would have logs about an intruder's access, though it may look similar to legitimate user access. A key part of the evidence would be to show the abnormality of the information contained in the logs, such as off-peak access to files and abnormal data requests or transfers.
In cloud computing, mirroring of user activities in different servers can help investigators collect accurate information, even after users delete their history on the network. If network intrusion is done remotely, then the device used to make the intrusion could leave identification data on the network, which would be available in the logs and in the metadata files modified by an intruder stored on network servers and hard drives.
Cloud networks equipment can also contain the history of password changes and encryption standards used for files, which can help to match user privileges or capabilities and available evidence. An intrusion detection system is important to highlight suspicious behavior of users in a network and to collect evidence.
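The abnormality checks described above (off-peak access, abnormal transfers, and log tampering), as an added example that is not from the original paper. The log lines are constructed in a simple key=value format rather than taken from any real product, and the business hours, internal address range and transfer threshold are assumptions for the example.

```python
import ipaddress
from datetime import datetime
from typing import Dict, List

# Constructed sample log (not from a real system).
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=alice src=10.0.0.7 action=login result=success
2024-03-04T09:13:10 user=alice src=10.0.0.7 action=read file=/share/hr/policy.pdf bytes=204800
2024-03-04T23:47:33 user=alice src=203.0.113.9 action=login result=success
2024-03-04T23:48:02 user=alice src=203.0.113.9 action=read file=/share/finance/ledger.xlsx bytes=734003200
2024-03-04T23:49:15 user=alice src=203.0.113.9 action=delete file=/var/log/auth.log
2024-03-05T10:02:44 user=bob src=10.0.0.21 action=login result=failure
"""

BUSINESS_HOURS = range(8, 19)                          # 08:00-18:59 local (assumed)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space
LARGE_TRANSFER = 100 * 1024 * 1024                     # 100 MiB (assumed threshold)

def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def flag_anomalies(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per line that trips any rule, with all tripped rules listed."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        when = datetime.fromisoformat(rec["ts"])
        src = ipaddress.ip_address(rec.get("src", "0.0.0.0"))
        reasons = []
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if not any(src in net for net in INTERNAL_NETS):
            reasons.append("external-source")
        if int(rec.get("bytes", 0)) >= LARGE_TRANSFER:
            reasons.append("large-transfer")
        if rec.get("action") == "delete" and rec.get("file", "").startswith("/var/log/"):
            reasons.append("log-tampering")
        if reasons:
            alerts.append({"ts": rec["ts"], "user": rec.get("user", "?"),
                           "src": str(src), "reasons": ",".join(reasons)})
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(SAMPLE_LOG):
        print(alert)
```

Each rule on its own produces noise (an employee working late, a large legitimate backup); the evidential value comes from several rules firing on the same account in a short window, which is why the output keeps every tripped rule rather than stopping at the first.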
Malware, as malicious software, can exist on any file storage and transfer medium, but it only becomes potent upon installation. For this kind of hazard, the prioritized data sources will be the live system data. This will include information requests and processes conducted by software installed in the system, as well as all network traffic to and from the computer or the device.
The main challenge in detecting malware is the lack of the right tools, with most tools likely to produce false positives or to miss malware completely (Brand, Valli, & Woodward, 2010). A better method is the use of detection systems installed on the device or computer, which contain signatures of known malware.
Evidence of malware would then be obtainable from the hard drive or the memory card holding the infected files. Virtual machines can be used to run the malware in isolation, observe its activity, and collect evidence on stored files and metadata.
Malware can affect data presented by network equipment and GPS systems to hide or create false data. Thus, all storage devices used together with or in the network equipment and GPS systems have to be scanned (Brand, Valli, & Woodward, 2010).
Insider file deletion is also a threat to digital evidence. Users can set instructions to delete files after performing unwanted actions. Data sources to prove insider file deletion would be on the hard drive, but not visible through the file system.
Deleting a file only removes its directory entry and the file system's references to its sectors; the content is only truly gone once the space it occupied on the hard drive or memory card is overwritten. Sometimes, overwriting only happens partially (Cappelli, Keeney, Kowalski, Moore, & Randazzo, 2005). On solid-state drives, the TRIM command and wear-levelling firmware may erase or relocate the blocks of a deleted file soon after deletion, so recovery of deleted data from an SSD is far less predictable than from a magnetic drive.
Software that deletes and overwrites immediately makes it impossible to recover file evidence in some cases. On a network storage device, such as cloud storage, users can only access the service according to their assigned privileges.
While there may be evidence on the network storage of a file that users deleted, the sheer size of the file systems used for networks makes it hard to analyze and collect specific evidence (Capshaw, 2011). Administrators can also delete files permanently by using their privileged access to overwrite files and clear logs on network equipment.
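Recovering a deleted file whose directory entry is gone means scanning the raw bytes for the file's own start and end markers (carving). The following is an added example, not part of the original paper: it carves JPEGs from a constructed raw image containing one intact deleted image, one whose tail was overwritten by a later text file (the partial-overwrite case mentioned above), and a second intact image. The raw image and the function names are this example's own.

```python
from typing import Any, Dict, List

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus the first byte of the next marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker

def carve_jpegs(image: bytes, max_size: int = 1 << 24) -> List[Dict[str, Any]]:
    """Scan raw bytes for JPEG headers and carve each to its end marker.

    If another JPEG header appears before an end marker is found (or no end marker
    exists within max_size), the file's tail was overwritten: only the surviving head
    is returned and the record is marked incomplete."""
    results: List[Dict[str, Any]] = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        next_soi = image.find(JPEG_SOI, start + len(JPEG_SOI))
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end >= 0 and (next_soi < 0 or end < next_soi):
            end += len(JPEG_EOI)
            results.append({"offset": start, "complete": True, "data": image[start:end]})
            pos = end
        else:
            stop = next_soi if next_soi >= 0 else min(len(image), start + max_size)
            results.append({"offset": start, "complete": False, "data": image[start:stop]})
            pos = stop
    return results

# Constructed JPEG stand-ins: a valid marker structure around arbitrary body bytes.
SAMPLE_COMPLETE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 2 + JPEG_EOI
SAMPLE_PARTIAL_HEAD = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 100

def make_sample_image() -> bytes:
    """Constructed raw image: intact deleted JPEG, a JPEG whose tail was overwritten by
    a text file, and a second intact JPEG, separated by unallocated (zeroed) space."""
    return (b"\x00" * 512 + SAMPLE_COMPLETE_JPEG + b"\x00" * 300
            + SAMPLE_PARTIAL_HEAD + b"new text file overwrote the rest\n" * 4
            + b"\x00" * 200 + SAMPLE_COMPLETE_JPEG + b"\x00" * 128)

if __name__ == "__main__":
    for hit in carve_jpegs(make_sample_image()):
        print(hit["offset"], "complete" if hit["complete"] else "truncated", len(hit["data"]))
```

The same approach works on a memory card image or a network share export; what changes per file type is the marker pair, and for formats without an end marker (many container formats) a length field in the header takes its place.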
The importance of digital forensics arises from the fact that the majority of criminals leave evidence that can be captured and analyzed using appropriate digital forensic procedures. Nevertheless, criminals are getting smarter with their data-hiding techniques. They often use the same technologies as investigators to encrypt data so that it is difficult to read or to intercept in transit.
The presentation process begins with collection, then examination, then analysis, and finally the reporting stage. While investigators use the law and various tools to collect appropriate information, they must be aware of criminal techniques that use tools and protocols to hide evidence.
They must also consider device or equipment handling and access procedures to prevent cases such as automatic erasure of data when a computer system detects wrongful intrusion.
Al-Hajri, H., & Williams, P. (2007). The effectiveness of investigative tools for secure digital (SD) memory card forensics. 5th Australian Digital Forensics Conference. Perth: Edith Cowan University – Research Online.
Brand, M., Valli, C., & Woodward, A. (2010). Malware forensics: Discovery of the intent of deception. 8th Australian Digital Forensics Conference. Perth.
Cappelli, D., Keeney, M., Kowalski, E., Moore, A., & Randazzo, M. (2005). Insider threat study: Illicit cyber activity in the banking and finance sector. Carnegie Mellon Software Engineering Institute.
Capshaw, J. (2011, April 1). Computer forensics: Why your erased data is at risk. Web.
Casey, E. (2011). Digital evidence and computer crime. London: Academic Press.
Dykstra, J. (2013). Seizing electronic evidence from cloud computing environments. Web.
Lesemann, D. J., & Mahalik, H. (2008, November). Forensic preservation of handheld devices. ISSA Journal, pp. 22-26.
Maras, M.-H. (2014). Computer forensics: Cybercriminals, laws, and evidence. Burlington, MA: Jones & Bartlett.
Mukasey, M. B., Sedgwick, J. L., & Hagy, D. W. (2008). Electronic crime scene investigation: A guide for first responders (2nd ed.). Washington: U.S. Department of Justice – Office of Justice Programs.
Nelson, B., Phillips, A., & Steuart, C. (2010). Computer forensics and investigations (3rd ed.). Boston, MA: Cengage Learning.
Sun, Y. (2012). Geo-location forensics on mobile devices. Xiamen: Meiya Pico Information Company Limited.