Challenges Forensic Investigators Face

The purpose of this document is to provide a basic understanding of computer forensics by identifying five technology-related challenges that digital forensics investigators are faced with. Also included within this document are solutions to resolve each of the challenges. This document is intended for anybody looking to gain a basic knowledge or understanding of computer forensics and challenges investigators face.

With technology in such wide use today, criminal investigative services may be required to collect data as evidence for criminal prosecution. They will most likely rely on computer forensic investigators to gather that evidence. Even investigators who are proficient at their jobs face challenges in performing the work efficiently and effectively. For each of these challenges, however, there are solutions or methods that can help investigators gather the evidence they need.

One major challenge is the credibility and proficiency of the technician gathering the evidence. Technicians need to stay up to date on the latest operating systems, data collection procedures, and any additional software that may be used in the collection process. If a technician is not current on a particular software application or operating system, training courses or certifications may be needed to maintain the level of proficiency that policy and procedures require. Technicians also need to gather evidence in accordance with any written policies or standard operating procedures. By following company guidelines, technicians reduce the risk of being discredited.

Standardization of the procedures for gathering, handling, transporting, accessing, and even documenting evidence poses a real challenge for forensic investigators. Before embarking on any incident response, technicians need to be current on company standardization practices so that everything from obtaining evidence down to documenting it is handled consistently and according to company policies. By following standardization practices, a technician reduces the risk of having evidence withdrawn from a case; it is the forensic investigator's job to gather the evidence in a proper manner so that it can be used against a defendant in a court of law.

Proper gathering of evidence can be a major challenge for forensic investigators. Forensic investigators need to be thorough in gathering evidence and ensure they do not leave anything behind (Kruse & Heiser, 2002). They also need to mark or tag every piece of evidence as it leaves a crime scene so that it does not get lost in transit. One method is to create a list of every piece of evidence before it leaves the crime scene, ensure everything at the crime scene is gathered, and then, on arrival at the place where the evidence will be stored, validate that every piece of evidence was received. The evidence list may need to be verified by more than one person in order to maintain absolute integrity of the evidence that was gathered. Properly marking all evidence at a crime scene and then verifying it on arrival ensures that the evidence is received just as it was at the crime scene, so that further investigation can take place on it.
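
The list-then-validate method described above can be applied to digital items by recording a hash of each acquired image on the scene list and comparing on arrival. This is an added example, not part of the original article; the tag format, the use of SHA-256 and the two-verifier rule as coded are assumptions.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(items):
    """items: {tag: (description, image_bytes)}, recorded before leaving the scene."""
    return {tag: {"description": desc, "sha256": sha256_hex(blob)}
            for tag, (desc, blob) in items.items()}

def reconcile(manifest, received, verifiers):
    """Compare what arrived at storage against the scene manifest.

    received: {tag: image_bytes}; verifiers: names of the people who checked the list.
    """
    missing = sorted(set(manifest) - set(received))
    unexpected = sorted(set(received) - set(manifest))
    altered = sorted(tag for tag in set(manifest) & set(received)
                     if sha256_hex(received[tag]) != manifest[tag]["sha256"])
    # Assumed policy: at least two different people must confirm the list.
    enough_verifiers = len(set(verifiers)) >= 2
    return {"missing": missing, "unexpected": unexpected, "altered": altered,
            "accepted": not (missing or unexpected or altered) and enough_verifiers}

# Constructed sample data (hypothetical tags and contents, not real evidence).
SCENE = {
    "EV-001": ("laptop disk image", b"disk-image-bytes"),
    "EV-002": ("USB stick image", b"usb-image-bytes"),
    "EV-003": ("phone backup", b"phone-backup-bytes"),
}
MANIFEST = build_manifest(SCENE)
ARRIVED = {
    "EV-001": b"disk-image-bytes",
    "EV-002": b"usb-image-bytes-MODIFIED",  # changed in transit
    "EV-004": b"untagged item",              # never listed at the scene
}

if __name__ == "__main__":
    print(reconcile(MANIFEST, ARRIVED, ["A. Analyst", "B. Custodian"]))
```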

Another major challenge is the mishandling of evidence. When evidence is being gathered it needs to be treated as evidence and should be secured at all times. Only authorized personnel should have access to the evidence, to prevent the possibility of tainting it. Maintaining a written record or log of who is currently in possession of the evidence, how the evidence was collected, and from what piece of equipment or hardware it was collected ensures that the evidence is handled in accordance with policies and procedures and with best practices in mind. This ensures the evidence was handled in the correct manner, by the correct people, and in accordance with any laws.
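
A custody log with the fields named above (holder, collection method, source equipment) can be made tamper-evident by linking each entry to the hash of the one before it. This is an added example, not part of the original article; the field names, the timestamp field and the hash chaining are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("tag", "holder", "method", "source", "time", "prev")

def _digest(entry):
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, tag, holder, method, source, time):
    """Append one custody entry linked to the hash of the previous entry."""
    entry = {"tag": tag, "holder": holder, "method": method, "source": source,
             "time": time, "prev": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def first_broken_entry(log):
    """Index of the first entry whose contents or link no longer verify, else None."""
    prev = GENESIS
    for index, entry in enumerate(log):
        if entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return index
        prev = entry["hash"]
    return None

def current_holder(log, tag):
    """Who holds the item now, according to the most recent entry for its tag."""
    holders = [e["holder"] for e in log if e["tag"] == tag]
    return holders[-1] if holders else None

def sample_log():
    # Constructed entries; names, tag and times are illustrative only.
    log = []
    src = "laptop, internal SSD"
    record(log, "EV-001", "A. Analyst", "disk image via write blocker", src, "2024-05-01T09:10Z")
    record(log, "EV-001", "B. Courier", "sealed bag transfer", src, "2024-05-01T11:30Z")
    record(log, "EV-001", "C. Custodian", "checked into evidence locker", src, "2024-05-01T14:05Z")
    return log

if __name__ == "__main__":
    log = sample_log()
    print(current_holder(log, "EV-001"), first_broken_entry(log))
```

The chain only exposes tampering if the latest entry hash is also kept somewhere the person editing the log cannot change it.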

Lastly, the use of anti-forensic tools or encryption can pose a major challenge for forensic investigators. Anti-forensic tools can change the header information of files found on a computer, making files appear to be a different type of file, which could cause a forensic investigator to overlook critical evidence (Strickland, 2009). Encryption can also be a major challenge because it uses a key to hide or conceal information on a computer system or during transit. It is a forensic investigator's job to present the evidence gathered in the state it was in when the crime was being performed. In order to return the evidence to the state it was previously in, a forensic investigator may need to use software applications or hash checking applications to do so.
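
One way an examiner can catch files disguised as another type is to compare three independent indicators: the file extension, the leading header bytes, and the end-of-file marker. This is an added example, not part of the original article; the small signature table and the sample byte strings are constructed for illustration.

```python
from pathlib import PurePath

# type -> (header magic, trailer marker, extensions normally used for that type)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", {".jpg", ".jpeg"}),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", {".png"}),
    "pdf": (b"%PDF-", b"%%EOF", {".pdf"}),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", {".zip", ".docx", ".xlsx"}),
}

def header_type(data):
    """Type named by the leading magic bytes, or None if unrecognised."""
    for name, (magic, _trailer, _exts) in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def trailer_types(data, window=64):
    """Types whose end-of-file marker appears in the last `window` bytes (heuristic)."""
    tail = data[-window:]
    return {name for name, (_m, trailer, _e) in SIGNATURES.items() if trailer in tail}

def examine(filename, data):
    """Return findings where extension, header and trailer disagree."""
    ext = PurePath(filename).suffix.lower()
    head, tails = header_type(data), trailer_types(data)
    findings = []
    if head and ext not in SIGNATURES[head][2]:
        findings.append(f"extension {ext or '(none)'} but header is {head}")
    if tails and head not in tails:
        findings.append(f"header is {head or 'unrecognised'} but trailer matches {sorted(tails)}")
    return findings

# Constructed sample inputs (not real evidence): a minimal JPEG-like byte string,
# and a copy whose first eight bytes were overwritten to resemble a PDF header.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
FORGED = b"%PDF-1.4" + JPEG[8:]
SAMPLES = {"holiday.jpg": JPEG, "notes.txt": JPEG, "report.pdf": FORGED}

def scan(samples):
    return {name: examine(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, findings or "consistent")
```

A file with no findings is only consistent with its claimed type; short trailer markers can match by chance, so flagged files still need manual review.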

In conclusion, because computer forensic investigative services are relatively new, a forensic investigator can face many challenges. By maintaining current technical proficiency and following all company policies, procedures, and standardization practices, an investigator greatly increases their ability to gather evidence in a proper fashion. Investigators also need to thoroughly document and handle evidence in a proper manner, including gathering and tagging all evidence, so that a proper investigation can be conducted.

1. Kruse, W., & Heiser, J. (2002). Computer Forensics Incident Response Essentials. Indianapolis, IN: Lucent Technologies.
2. Strickland, Jonathan (2009). How Computer Forensics Works. Retrieved March 29, 2009, from Howstuffworks “How Computer Forensics Works” Web site:
