Day: March 29, 2009

Areas Digital Forensic Investigators Find Evidence

Dave

[Abstract]
The purpose of this document is to provide a basic understanding of computer forensics by identifying five areas in computers and computer applications where a forensic investigator can look for digital evidence. Also included are three types of criminal investigations that can use the services of computer forensic investigators, and a description of how each of these investigations can benefit from computer forensics. This document is intended for anybody looking to gain a basic knowledge or understanding of computer forensics and criminal investigations.

[Content]
With as much technology as is in use today, there will be times when criminal investigative services must collect data as evidence for criminal prosecution. Those services may turn to computer forensic investigators to gather the evidence to be used in the prosecution. To be proficient at the job, a forensic investigator needs to know where the evidence being sought can be found. There are different types of criminal investigations, and each can benefit from forensic investigators in different ways.

When digital investigators are looking for evidence, there are several places they can look. One of the simplest and most obvious is removable media: floppy diskettes, CD-ROMs, DVD-ROMs, thumb drives, and any other removable storage (Strickland, 2009). By examining removable media, investigators can get an idea of what kind of data was being stored on or loaded onto the system. This is especially useful when third-party applications were used to circumvent an investigation: finding such an application on a removable device gives investigators the information they need to reconstruct the state the system was in while the crime was being committed. Removable media can also hold files that directly implicate the suspects under investigation. Because this media is small, easily hidden, and easily carried away, it should be inventoried and imaged at the scene with the same care as an internal drive rather than treated as incidental.

System storage devices are another place to look for digital evidence. Hard drives store massive amounts of data that can become evidence, but searching them can take much longer depending on how many different applications were used, whether anti-forensic tools were used, and whether the data was encrypted. System and application log files, browser history and cache files, e-mail, digital photographs, and global positioning system logs can all show how the system was used, what it was used for, what crimes were committed, and which software applications were installed (Kennedy, 2006). To get through a drive efficiently, an investigator will usually rely on forensic software that works from metadata rather than opening each file by hand. File system metadata records each file's name, size, timestamps, ownership, and which disk blocks belong to it, and often retains entries for deleted files until they are overwritten; file-type identification relies on the signature bytes in a file's header rather than its extension, so a renamed file still shows up as what it really is. Additional tools may be needed for evidence embedded inside application data or deliberately hidden. Before any of this analysis begins, the drive should be imaged through a write blocker and the image hashed, so that the working copy can later be shown to match the original. System storage devices can hold critical evidence, but depending on what software ran on the system, recovering it can take a long time.
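As an added example (not part of the original post): the paragraph above lists the logs, browser history and other records that show how a system was used, and the usual way to make sense of them is to normalize every record to one clock and merge them into a single timeline. The Python below does that for two constructed sources: BSD-style syslog lines, which carry no year (the analyst supplies it, an assumption made explicit in the code), and browser history rows shaped like Firefox's moz_places/moz_historyvisits tables (URL, title, visit time in microseconds since the Unix epoch). The log lines and history rows are invented for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample inputs (not taken from the original post or any real case).
# Syslog lines carry no year, so the year is supplied by the analyst (assumption).
SYSLOG_LINES = [
    "Mar 29 14:05:40 workstation sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; "
    "USER=root ; COMMAND=/usr/bin/shred /home/dave/ledger.xls",
    "Mar 29 14:02:11 workstation sshd[1234]: Accepted password for dave from 10.0.0.5 port 51022 ssh2",
    "garbage line that does not parse",
]
# Browser history rows in the style of Firefox's moz_places/moz_historyvisits:
# (url, title, visit time in microseconds since the Unix epoch, UTC).
BROWSER_HISTORY = [
    ("https://example.org/upload", "Upload files", 1238335410000000),  # 2009-03-29 14:03:30 UTC
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


def parse_syslog(line, year):
    """Parse one BSD-style syslog line into (UTC timestamp, source, description)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped, not guessed at
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return (stamp.replace(tzinfo=timezone.utc), "syslog",
            f"{m['host']} {m['proc']}: {m['msg'].strip()}")


def parse_history(url, title, visit_us):
    """Convert a microsecond epoch visit time into a UTC event."""
    stamp = datetime.fromtimestamp(visit_us / 1_000_000, tz=timezone.utc)
    return (stamp, "browser", f"visited {url} ({title})")


def build_timeline(syslog_lines, history_rows, year):
    """Merge all sources into one list sorted by timestamp."""
    events = [ev for ev in (parse_syslog(line, year) for line in syslog_lines) if ev]
    events += [parse_history(*row) for row in history_rows]
    events.sort(key=lambda ev: ev[0])
    return events


def events_between(events, start, end):
    """Slice the timeline to the window of interest (inclusive)."""
    return [ev for ev in events if start <= ev[0] <= end]


def render(events):
    return "\n".join(f"{ts.isoformat()}  {src:<8}{desc}" for ts, src, desc in events)


if __name__ == "__main__":
    print(render(build_timeline(SYSLOG_LINES, BROWSER_HISTORY, year=2009)))
```

Once every source is on the same UTC clock, the ordering itself is the finding: here a login, a visit to an upload page, and a shred command fall within four minutes of each other, which no single log shows on its own.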

Computer memory is another place where forensic investigators can find chunks of data that were in use while the system was running. Systems use random access memory (RAM) to hold data for fast access during operation, so whatever the user and the running programs were working with at the time, including open documents, chat sessions, network connections, passwords and encryption keys, passes through RAM, which makes it a valuable source of evidence. Two caveats apply. First, RAM is volatile: its contents are lost when the machine is powered off, so if memory is wanted it must be captured from the live system before the plug is pulled. Second, a raw memory dump is mostly binary data structures rather than readable text, so forensic tools are needed to parse out process lists, network connections, and recognizable strings before the critical evidence can be found.
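An added example, not from the original post, of the kind of tool the paragraph says is needed: a raw memory capture is mostly binary structures, but credentials, URLs and addresses sit in it as plain ASCII or, on Windows, UTF-16LE text. The Python below carves both kinds of string out of a constructed byte buffer standing in for a dump fragment and pulls out indicators (URLs, e-mail addresses, IPv4 addresses). Real tools such as strings and Volatility go much further by parsing process and network structures; this shows the underlying idea.

```python
import re

# Constructed stand-in for a fragment of a raw memory capture (not a real dump).
SAMPLE_DUMP = (
    b"\x00\x10\x7f\xff" * 8
    + b"GET /login.php HTTP/1.1\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"Host: 192.0.2.15\x00\x00"
    + "passwd=Sp3ak-friend".encode("utf-16-le") + b"\x00\x00"   # Windows-style wide string
    + b"\x03\x01\x02"
    + b"mailto:dave@example.org"
    + b"\xcc" * 16
    + b"https://example.org/upload?id=17"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ascii_strings(buf, min_len=6):
    """Runs of printable ASCII of at least min_len bytes, with their offsets."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(buf)]


def utf16le_strings(buf, min_len=6):
    """Runs of printable UTF-16LE characters (ASCII byte followed by 0x00)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(buf)]


def all_strings(buf, min_len=6):
    """Both encodings, ordered by offset so hits can be located in the dump."""
    return sorted(ascii_strings(buf, min_len) + utf16le_strings(buf, min_len))


def find_indicators(buf):
    """Pull URLs, e-mail addresses and IPv4 addresses out of the carved strings."""
    found = {"urls": [], "emails": [], "ipv4": []}
    for _, text in all_strings(buf):
        for key, pat in (("urls", URL_RE), ("emails", EMAIL_RE), ("ipv4", IPV4_RE)):
            for hit in pat.findall(text):
                if hit not in found[key]:
                    found[key].append(hit)
    return found


if __name__ == "__main__":
    for offset, text in all_strings(SAMPLE_DUMP):
        print(f"0x{offset:08x}  {text}")
    print(find_indicators(SAMPLE_DUMP))
```

The UTF-16LE pass matters because an ASCII-only scan of the same buffer never sees the password string: each character is followed by a null byte, so no printable run is longer than one byte.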

Documentation printed out from a computer system is admissible as evidence. Under the best evidence rule, many judges treat a printout as an original, provided it accurately reflects the data stored on the computer, so printouts found at a scene should be collected and tagged along with the digital media. Some printers are sophisticated enough to have memory or internal storage of their own, and that memory may hold digital evidence for forensic investigators, such as copies of recently printed jobs.

There are many types of criminal investigations; some that can greatly benefit from digital forensics are cases involving sex crimes, hate crimes, theft, narcotics, kidnapping, and cases where someone may have been wrongfully accused. In sex crimes, including those involving minors, chat application log files often hold much of the evidence against the accused. In a theft case, a spreadsheet listing items, serial numbers, locations, and similar details can be a great asset. Narcotics cases can benefit from chat logs, but e-mail traffic is more likely to provide the stronger evidence. Whichever type of investigation is being conducted, it can benefit greatly from the use of digital forensics.

In conclusion, many types of criminal investigation can benefit from forensic investigators, including cases of sex crimes, narcotics, hate crimes, kidnapping, and wrongful accusation. When digital forensic investigators gather evidence for a criminal case, the locations where it can be found include printouts, removable storage devices, internal storage devices, application logs, browser history and cache files, e-mail, random access memory, and possibly even printer memory. Whatever the offense, as long as a computer was used to commit it, the investigation can benefit from digital investigators gathering the evidence needed to prove the crime.

References
1. Strickland, J. (2009). How Computer Forensics Works. HowStuffWorks. Retrieved March 29, 2009, from http://computer.howstuffworks.com/computer-forensic.htm/printable
2. Kennedy, I. (2006, August). Looking for foul play – digital forensics, Part 2. BCS. Retrieved March 29, 2009, from http://www.bcs.org/server.php?show=ConWebDoc.6231

Related Posts

Challenges Forensic Investigators Face

Dave

[Abstract]
The purpose of this document is to provide a basic understanding of computer forensics by identifying five technology-related challenges that digital forensic investigators face. Also included are solutions for each of the challenges. This document is intended for anybody looking to gain a basic knowledge or understanding of computer forensics and the challenges investigators face.

[Content]
With the technology in use today, there will be times when criminal investigative services must collect data as evidence for criminal prosecution, and they will most likely turn to computer forensic investigators to gather it. Even a proficient forensic investigator faces challenges in doing the job efficiently and effectively. For each of these challenges, though, there are solutions or methods that help investigators gather the evidence they need.

One major challenge is the credibility and proficiency of the technician gathering the evidence. Technicians need to stay current on the latest operating systems, data collection procedures, and any software used in the collection process. Where a technician is not current on a particular application or operating system, training courses or certifications may be needed to maintain the level of proficiency required by policy. Technicians also need to gather evidence in accordance with written policies and standard operating procedures; by following those guidelines, they reduce the chance of being discredited on the stand.

Standardizing the procedures for gathering, handling, transporting, accessing, and documenting evidence poses a real challenge for forensic investigators. Before embarking on any incident response, technicians need to be current on their organization's standards so that everything from seizing the evidence to documenting it is done consistently and according to policy. Following those standards reduces the risk of evidence being excluded from a case, because it is the forensic investigator's job to gather evidence in a manner that will hold up against a defendant in a court of law.

Proper gathering of evidence is itself a major challenge. Investigators need to be thorough and ensure they do not leave anything behind (Kruse & Heiser, 2002). They also need to mark or tag every item as it leaves the crime scene so that nothing is lost in transit. One method is to list every piece of evidence before it leaves the scene, confirm that everything at the scene has been gathered, and then, on arrival at the storage location, verify that every listed item was received. The list may need to be checked by more than one person to maintain the integrity of what was gathered. Marking everything at the scene and verifying it on receipt ensures the evidence arrives just as it was when collected, so that further investigation can proceed on it.

Another major challenge is the mishandling of evidence. Once gathered, evidence needs to be treated as evidence and secured at all times, and only authorized personnel should have access to it, to prevent any possibility of tainting. Maintaining a written record of who currently holds each item, how it was collected, and from which piece of equipment it was collected shows that the evidence was handled according to policy, procedure, and best practice. Recording a cryptographic hash (SHA-256, for example) of each imaged item at collection and re-checking it whenever the item changes hands adds an objective test that nothing was altered in between. Together these records demonstrate that the evidence was handled in the correct manner, by the correct people, and in accordance with the law.
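An added example (not the author's code): the inventory-and-receipt check from the previous paragraph and the custody record from this one, in Python. Each tagged item is hashed with SHA-256 when it is listed at the scene; on receipt the lab re-hashes what arrived and reports anything missing, altered or unexpected, while a separate append-only log records each handover. The evidence tags, descriptions, people, and the byte strings standing in for imaged media are all constructed for the example.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the bytes of imaged evidence items (not real images).
SCENE_ITEMS = {
    "EV-001": ("USB thumb drive, 2 GB, black, found in desk drawer", bytes(range(256)) * 4),
    "EV-002": ("CD-R labelled 'receipts', found in laptop bag", b"receipts.xls\x00" + bytes(range(100))),
    "EV-003": ("Printout, 3 pages, found on printer tray (scanned)", b"%PDF-1.4 scanned pages"),
}


def build_manifest(scene_items, collector, witness, collected_at):
    """Scene-side list: one record per tagged item, hashed before it leaves."""
    return {
        "collected_at": collected_at.isoformat(),
        "collector": collector,
        "witness": witness,  # second person who checked the list
        "items": {tag: {"description": desc, "sha256": sha256_hex(data)}
                  for tag, (desc, data) in scene_items.items()},
    }


def verify_receipt(manifest, received_items):
    """Lab-side check: every tagged item arrived and still hashes the same."""
    expected = manifest["items"]
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for tag, rec in expected.items():
        if tag not in received_items:
            result["missing"].append(tag)
        elif sha256_hex(received_items[tag]) != rec["sha256"]:
            result["modified"].append(tag)
        else:
            result["ok"].append(tag)
    result["unexpected"] = sorted(set(received_items) - set(expected))
    return result


class CustodyLog:
    """Append-only record of who held each tagged item and why it moved."""

    def __init__(self):
        self.entries = []

    def record(self, tag, action, holder, when, note=""):
        self.entries.append({"tag": tag, "action": action, "holder": holder,
                             "when": when.isoformat(), "note": note})

    def current_holder(self, tag):
        holders = [e["holder"] for e in self.entries if e["tag"] == tag]
        return holders[-1] if holders else None


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single-bit change in transit."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


# Simulated transit: EV-002 is altered on the way, EV-003 never arrives.
RECEIVED_ITEMS = {
    "EV-001": SCENE_ITEMS["EV-001"][1],
    "EV-002": flip_bit(SCENE_ITEMS["EV-002"][1], 5),
}


def demo():
    t0 = datetime(2009, 3, 29, 10, 15, tzinfo=timezone.utc)
    manifest = build_manifest(SCENE_ITEMS, "D. Collector", "J. Witness", t0)
    log = CustodyLog()
    for tag in manifest["items"]:
        log.record(tag, "collected", "D. Collector", t0, "bagged and tagged at scene")
    log.record("EV-001", "transferred", "Evidence locker A",
               datetime(2009, 3, 29, 13, 40, tzinfo=timezone.utc), "hash verified on receipt")
    return verify_receipt(manifest, RECEIVED_ITEMS), log


if __name__ == "__main__":
    result, log = demo()
    print(result)
    for entry in log.entries:
        print(entry)
```

A single flipped bit in EV-002 changes its SHA-256 completely, so the receipt check catches it without anyone having to compare the media by eye; the missing EV-003 shows up the same way.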

Lastly, anti-forensic tools and encryption pose a major challenge for forensic investigators. Anti-forensic tools can alter the header information of files on a computer, making a file appear to be of a different type, which can cause an investigator to overlook critical evidence (Strickland, 2009). Encryption is also a challenge, because it uses a key to conceal information on the system or in transit. It is the investigator's job to present the evidence in the state it was in when the crime was committed, and two different tools serve that goal. Hash checking demonstrates that the copy being examined is bit-for-bit identical to what was seized; it does nothing to reverse encryption. Reading encrypted data requires the key or passphrase, which may be recoverable from the running system's memory, from another copy of the data, or from the suspect, and without it the content stays concealed.
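An added example, not from either post, covering the file-type identification mentioned in the hard-drive section of the first post and the header-tampering challenge above: identifying a file by its signature bytes rather than its extension, and flagging the two suspicious cases, an extension whose signature disagrees with it (a renamed file) and an extension that should carry a signature but does not (a header that may have been wiped or overwritten). The signature table covers a handful of common formats, the file names and headers are constructed, and the extension-to-type table is this example's assumption about what each extension legitimately contains.

```python
import os

# Signature table: (type name, magic bytes expected at offset 0).
SIGNATURES = [
    ("JPEG image", b"\xff\xd8\xff"),
    ("PNG image", b"\x89PNG\r\n\x1a\n"),
    ("GIF image", b"GIF8"),
    ("PDF document", b"%PDF-"),
    ("ZIP archive", b"PK\x03\x04"),
    ("Windows executable", b"MZ"),
    ("ELF executable", b"\x7fELF"),
    ("OLE2 compound document", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("gzip archive", b"\x1f\x8b"),
]

# Assumed mapping of extension -> signatures it may legitimately carry. An empty
# set means the format has no fixed signature (plain text), so nothing can be
# confirmed from the header alone.
EXTENSION_TYPES = {
    ".jpg": {"JPEG image"}, ".jpeg": {"JPEG image"},
    ".png": {"PNG image"}, ".gif": {"GIF image"},
    ".pdf": {"PDF document"},
    ".zip": {"ZIP archive"}, ".docx": {"ZIP archive"}, ".xlsx": {"ZIP archive"},
    ".doc": {"OLE2 compound document"}, ".xls": {"OLE2 compound document"},
    ".exe": {"Windows executable"}, ".dll": {"Windows executable"},
    ".gz": {"gzip archive"},
    ".txt": set(), ".csv": set(), ".log": set(),
}


def identify(header: bytes):
    """Return the type whose signature the header starts with, or None."""
    for name, magic in SIGNATURES:
        if header.startswith(magic):
            return name
    return None


def check_file(name: str, header: bytes) -> dict:
    """Compare what the extension claims with what the header says."""
    ext = os.path.splitext(name)[1].lower()
    detected = identify(header)
    allowed = EXTENSION_TYPES.get(ext)
    if allowed is None:
        verdict = "unknown-extension"          # nothing to compare against
    elif detected is None:
        # a .txt with no signature is normal; a .jpg with none is not
        verdict = "no-signature" if not allowed else "header-missing"
    else:
        verdict = "match" if detected in allowed else "mismatch"
    return {"name": name, "extension": ext, "detected": detected, "verdict": verdict}


# Constructed file names and leading bytes (not from any real system).
SAMPLES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),              # executable renamed .pdf
    ("notes.txt", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"),  # Office 97-2003 file renamed .txt
    ("blob.bin", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("readme.txt", b"Hello, this is plain text."),
    ("wiped.jpg", b"\x00" * 16),                                  # header zeroed
]


def scan(samples):
    return [check_file(name, header) for name, header in samples]


def suspicious(samples):
    """Files an examiner should open regardless of what their name says."""
    return [r["name"] for r in scan(samples) if r["verdict"] in ("mismatch", "header-missing")]


if __name__ == "__main__":
    for r in scan(SAMPLES):
        print(f"{r['name']:<14} {str(r['detected']):<24} {r['verdict']}")
```

The header-missing verdict is the one that answers the anti-forensics point: a tool that rewrites the signature bytes defeats a byte-0 check, but a JPEG whose first bytes are not a JPEG signature is itself a flag, and a real examination would then look at the rest of the structure (trailer bytes, embedded markers) rather than trusting either the name or the header.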

In conclusion, because computer forensic investigative services are still relatively new, a forensic investigator faces many challenges. By maintaining current technical proficiency and following all company policies, procedures, and standards, an investigator greatly improves the odds of gathering evidence properly. Investigators also need to document and handle evidence carefully, including gathering and tagging every item, so that a proper investigation can be conducted.

References
1. Kruse, W. & Heiser, J. (2002). Computer Forensics: Incident Response Essentials. Boston, MA: Addison-Wesley.
2. Strickland, J. (2009). How Computer Forensics Works. HowStuffWorks. Retrieved March 29, 2009, from http://computer.howstuffworks.com/computer-forensic.htm/printable
