Forensic In Digital Security Information Technology Essay

Computer forensics is a branch of forensic science concerned with computer crime and with legal evidence that is digital in form. Its main aim is to establish and explain the current state of a digital artifact and to present the analysis of that data as evidence in court.

Acquisition of evidence from the scene of crime

When the police officer or investigator receives the laptop from the parents, the first step is to establish whether it is switched on. If it is off, it must not be powered up. If it is running, the officer should not perform a normal operating-system shutdown, which writes to the disk; instead, once the screen has been documented, the laptop is powered off abruptly by holding down the power button and removing the battery. Two situations change this order. If the screen shows data of apparent evidentiary value (an open chat window, a document, a web page), the officer should photograph the screen and call in trained technical personnel with experience in capturing and preserving volatile data before the machine is powered down. Conversely, if there is any sign on screen that data is being overwritten, deleted or wiped, that is, a destructive process is running against the storage, the officer should cut the power immediately.

This ensures that no further evidence is lost or tampered with. The investigator should also check whether there is a disc in the optical drive, photograph it in place, and then remove it and put it in an anti-static bag. The investigator next places evidence tape across all drive slots so that no media can be inserted, and across the power button of the laptop, so that the device cannot be powered on and the integrity of the data is preserved.

Documentation

If cables or wires are attached to the laptop, the investigator should uniquely label, document and photograph each cable, wire and device connected to it. Any device at the far end of a cable is also photographed and documented while still connected to the laptop. Each device, cable and wire is then individually documented and photographed before being placed in an evidence bag.

The documentation of the evidence should also include a detailed record of the notebook brand, model and serial number, the attachments on the notebook and its current state. The surrounding environment in which it was used should also be photographed as evidence. If the notebook is running, photographing the screen visually documents its state and what was running at the time of the initial response. Photographs are taken of the front, sides and back of the computer. Photographs of the notebook, the surrounding environment and the connected devices allow the setup to be reconstructed should the notebook need to be taken to the lab for further examination. Documentation is important because it allows the court to verify that correct forensic procedures were followed, and it allows the activities performed during the initial response to be recreated.


Evidence Custody Form

An evidence custody form is also necessary to prove that a chain of custody has been maintained. It records who held the evidence, when, and in what state it was received, which demonstrates to the court that the evidence was handled correctly from seizure onwards.

Handling Digital Evidence

All potential evidence should be bagged and tagged: the process of placing crime-scene evidence into bags and labelling each bag with a single- or multi-evidence form. This supports the chain of custody and the integrity of the evidence. Evidence should be kept in anti-static bags to prevent damage from electrostatic discharge.

Any manuals for the laptop are also taken for reference in the lab. A forensic image of the hard disk is created with an imaging tool, and a hash of the source disk and of the image is generated and recorded so that the two can be checked for consistency and integrity. A working copy of the image is then handed to the appropriate party assisting in the investigation. The original drive is kept in an anti-static bag in a locked room with restricted access. This maintains the chain of custody, ensures that the original data is always available and untampered with, and allows the procedures to be repeated if necessary.

Transportation

When transporting digital evidence, the investigator or first responder must preserve the state of the evidence. Digital evidence should be kept away from magnetic fields such as those produced by radio transmitters, magnets or any other source that might affect it. Potential hazards such as heat, cold, humidity and static electricity should also be noted. During transport, mobile phones should always be kept in a Faraday isolation bag so that they cannot receive a signal that could alter or remotely wipe their contents.

Storage

Digital evidence should be stored in a secure, climate-controlled environment that is not subject to extreme temperature or humidity that might damage the hardware.

Digital evidence should also not be exposed to magnetic fields, moisture, dust or vibration that might alter or destroy it. An evidence custody form should be used to identify each item of evidence, who has handled it and on what date.

Hardware resources for analyzing a notebook

Hardware Resources

The hardware and tools needed to analyze a notebook are:

Laptop

Large-Capacity disk drive

IDE ribbon cable, 36 inch

Linux Live CD (BackTrack 4.0)

Laptop IDE 40- to 44-pin adapter

Write-blocker

Anti static evidence bag

Evidence log form

FireWire or USB dual write-protect external bay IDE disk drive box


Faraday isolation bag (for cell phone)

Architectural differences between a notebook and desktop

One key difference between notebooks and desktops is that desktop hardware, because of its size and because it is built to be customized, generally follows standard form factors and interfaces. This makes forensics easier on a desktop, since the available tools can process most desktop computers. As notebooks have become more common, the tools commonly used for desktops have had to be modified and adapted.

The main architectural difference is that a notebook, being compact and much smaller, requires much smaller hardware: the motherboard, RAM and hard disk are all reduced in size and are often laid out in a manufacturer-specific way.

Some manufacturers also install vendor-specific drivers on their laptops for functions such as the webcam or a biometric fingerprint scanner. This adds difficulty to an investigation, since software that depends on these drivers may not run on a different computer system without them.

The difference in architecture between a laptop and a desktop requires different forensic techniques and procedures. For instance, the interface of a 2.5-inch laptop IDE hard disk is a 44-pin, 2 mm pitch connector that also carries power, rather than the standard 40-pin ATA ribbon connector of a desktop, so an adapter is needed to attach it to a desktop write-blocker. Because of the size constraints of a laptop, the hard disk itself is also physically smaller.

The internal structure of a laptop is far more delicate, so it is harder for the investigator to remove the hard disk and other components for imaging or for storage as evidence.

Smaller laptops known as netbooks have no CD-ROM drive, unlike desktop computers, because of their size. This further complicates the forensic process, since tools that require a live CD cannot be used. A USB thumb drive loaded with the forensic operating system is required instead to extract images and information.

Unlike a desktop, a laptop normally has only one drive bay, so a destination disk cannot be fitted alongside the suspect disk. Imaging must go through an external interface and cannot be run on several disks simultaneously, so it takes longer.

Most laptops also cannot use a CD-ROM drive and a floppy drive at the same time, unlike a desktop system, which complicates the use of tools designed for desktops.

Forensic Tool for Disk Imaging

FTK Imager and the dcfldd command would be used for imaging.

FTK Imager is a Windows-based forensic acquisition tool found in various forensic toolkits such as Helix, the SANS SIFT Workstation and the FTK toolkit. FTK Imager supports storing a disk image in EnCase (E01), SMART and raw dd formats. With IsoBuster technology built in, it can also image a CD to an ISO/CUE file pair.

dcfldd is an enhanced version of dd. It can hash the data as it is transferred, wipe a disk with known patterns, verify that the image is bit-for-bit identical to the hard disk, split the output into multiple files, and write status and hash logs; its output can also be piped to external applications.


Using two different imaging tools and comparing the hash values each generates allows the investigator to confirm that both images are consistent and that their integrity is intact.

Additional evidence for clues to victim whereabouts

It is important to obtain as much information as possible from the surrounding environment, as it may be crucial to the investigation and to solving the case. It may provide clues to the timeline or to possible passphrases that aid the steps of the investigation.

Additional evidence might include papers with possible passwords or passphrases, handwritten notes, and blank pads of paper bearing the impressions of earlier writing; hardware and software manuals and documentation; and calendars, literature or graphic material. These materials should be treated as possible evidence and preserved in compliance with department policies and protocols.

Preserving integrity of digital evidence

Hashing is a method of reducing an input of any size to a fixed-length digest. Hash algorithms such as MD5 and SHA-1 are commonly used to check the integrity of data presented as evidence in court. Both now have practical collision attacks, so a practitioner should record a SHA-256 digest alongside them; an image that matches the source on every recorded algorithm is far harder to dispute.

Three independent checks on the consistency of the image should be computed and recorded for later reference and for support as evidence in court. The first is a hash of the source disk taken before any imaging tool is run against it. The second is the hash computed by the imaging tool on the data as it is read during duplication. The third is a hash of the completed image file, which is compared against the source hash. All three must agree.
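The following Python script is an added example, not code from the essay or from the dcfldd and FTK Imager tools it names. It imitates on a constructed pseudo-device what a command such as `dcfldd if=/dev/sdX of=image.dd hash=md5,sha1,sha256 split=... hashlog=...` does: read the source in blocks, hash the stream as it is copied, write split segment files, and then perform the three checks described above. The file names, block and split sizes, and the sample data are assumptions for illustration.

```python
"""Added example: chunked disk imaging with on-the-fly hashing, split
output and three independent integrity checks, in the spirit of
dcfldd if=/dev/sdX of=image.dd hash=md5,sha1,sha256 split=... hashlog=...
The 'device' is a constructed file in a temporary directory, not a drive."""
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")   # MD5/SHA-1 plus a collision-resistant digest
BLOCK_SIZE = 4096                   # analogue of dd's bs=


def _new_hashers(algos=ALGOS):
    return {name: hashlib.new(name) for name in algos}


def _digests(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algos=ALGOS, block_size=BLOCK_SIZE):
    """Check 1: hash the source in blocks, returning {algo: hexdigest}."""
    hashers = _new_hashers(algos)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return _digests(hashers)


def image_device(src, dst_prefix, split_bytes, algos=ALGOS, block_size=BLOCK_SIZE):
    """Check 2: copy src to dst_prefix.000, .001, ... hashing every block as it
    is read, so the digest describes exactly the bytes the tool transferred.
    split_bytes is rounded up to a whole number of blocks.
    Returns (segment paths, {algo: hexdigest})."""
    hashers = _new_hashers(algos)
    segments, out, written = [], None, 0
    with open(src, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            for h in hashers.values():
                h.update(chunk)
            if out is None or written >= split_bytes:   # start a new segment
                if out is not None:
                    out.close()
                path = "%s.%03d" % (dst_prefix, len(segments))
                out = open(path, "wb")
                segments.append(path)
                written = 0
            out.write(chunk)
            written += len(chunk)
    if out is not None:
        out.close()
    return segments, _digests(hashers)


def hash_segments(segments, algos=ALGOS, block_size=BLOCK_SIZE):
    """Check 3: hash the reassembled image (segments concatenated in order)."""
    hashers = _new_hashers(algos)
    for path in segments:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(block_size), b""):
                for h in hashers.values():
                    h.update(chunk)
    return _digests(hashers)


def verify_image(segments, expected):
    """Re-hash a stored image and compare with the logged digests; any
    mismatch means the image is no longer what was acquired."""
    actual = hash_segments(segments, algos=tuple(expected))
    return all(actual[name] == expected[name] for name in expected)


def acquire_and_verify(src, dst_prefix, split_bytes):
    """Run the three checks and return a record for the evidence log."""
    source = hash_file(src)                                          # before any tool ran
    segments, acquired = image_device(src, dst_prefix, split_bytes)  # as transferred
    image = hash_segments(segments)                                  # as stored
    return {"source": source, "acquired": acquired, "image": image,
            "segments": segments, "verified": source == acquired == image}


def flip_byte(path, offset=0):
    """Simulate tampering with a stored segment (demonstration only)."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        b = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([b[0] ^ 0xFF]))


def demo():
    """Constructed 100 KiB pseudo-device imaged in 32 KiB segments."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "device.bin")
    with open(device, "wb") as fh:
        fh.write(bytes(range(256)) * 400)    # 102400 bytes of sample data
    return acquire_and_verify(device, os.path.join(tmp, "image.dd"), 32 * 1024)


if __name__ == "__main__":
    rec = demo()
    for name in ALGOS:
        print(name, rec["source"][name])
    print("segments:", len(rec["segments"]), "verified:", rec["verified"])
```

The three digests are computed by separate passes over separate objects (the source, the stream, the stored segments), which is what makes them independent; `flip_byte` exists only to show that a single altered byte in a stored segment makes `verify_image` fail against the logged values.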

Bad File Headers

In most files the file header contains identifying information (a signature, or magic number) that lets the computer recognize the file type. Image file headers and extensions are sometimes manipulated to trick the investigator into overlooking a file: a user may rename an image to a different format, for example changing a JPEG to a .doc file. An investigator who searched the machine for pictures by extension alone would see only a document file and skip it, which is why forensic tools compare the header signature against the extension (file signature analysis) rather than trusting the name.

Another reason for examining headers is the recovery of data remnants from slack or free space. The header of a recovered file may be damaged, leaving the file unreadable. In that case the file header must be examined and repaired with a hex editor before the file can be viewed.
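As an added example, not code from the essay or its sources, the following Python script checks files by their header signature rather than their extension, flags a JPEG that has been renamed to .doc, and repairs a JPEG whose SOI marker has been overwritten while the JFIF/Exif segment that follows it is intact. The signature table, the `EXPECTED` extension mapping and the sample files are constructed assumptions for the demonstration.

```python
"""Added example: identify files by header signature instead of extension,
flag extension/signature mismatches, and repair a JPEG whose SOI marker
has been overwritten. Sample files are constructed in a temp directory."""
import os
import tempfile

# (type name, offset, magic bytes): a few well-known file signatures
SIGNATURES = [
    ("jpeg", 0, b"\xFF\xD8\xFF"),
    ("png",  0, b"\x89PNG\r\n\x1a\n"),
    ("gif",  0, b"GIF8"),
    ("pdf",  0, b"%PDF-"),
    ("ole2", 0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),   # legacy .doc/.xls/.ppt
    ("zip",  0, b"PK\x03\x04"),                           # also .docx/.xlsx/.jar
]

# Signature each extension is expected to carry (assumed mapping for the demo)
EXPECTED = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}, ".gif": {"gif"},
    ".pdf": {"pdf"}, ".doc": {"ole2"}, ".docx": {"zip"}, ".zip": {"zip"},
}


def identify(data):
    """Return the signature name matching the start of data, or None."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def classify(filename, head):
    """'match' if extension and signature agree, 'mismatch' if the extension
    lies about the content, 'untracked' if the extension is not in EXPECTED,
    'unknown' if no signature is recognised (damaged header or unlisted type)."""
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(head)
    if kind is None:
        return None, "unknown"
    if ext not in EXPECTED:
        return kind, "untracked"
    return kind, ("match" if kind in EXPECTED[ext] else "mismatch")


def scan_directory(root):
    """Walk root; return sorted (relative path, detected type, status)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(16)          # longest signature here is 8 bytes
            kind, status = classify(fname, head)
            findings.append((os.path.relpath(path, root), kind, status))
    return sorted(findings)


def repair_jpeg_header(data):
    """A JPEG begins FF D8 (SOI), FF E0/E1 (APP0/APP1), 2-byte length, then
    'JFIF' or 'Exif'. If the SOI bytes are damaged but the APP segment is
    intact, restore them. Returns (data, repaired?)."""
    if identify(data) == "jpeg":
        return data, False
    if data[2:4] in (b"\xFF\xE0", b"\xFF\xE1") and data[6:10] in (b"JFIF", b"Exif"):
        return b"\xFF\xD8" + data[2:], True
    return data, False


# Constructed sample headers (not real evidence): a minimal JFIF APP0 segment
JPEG_HEAD = (b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\x00" * 32)
OLE_HEAD = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 40


def build_sample_tree():
    """Write four sample files: a real JPEG header, the same header renamed
    to .doc, a genuine OLE2 .doc, and a JPEG with its SOI marker zeroed."""
    root = tempfile.mkdtemp()
    samples = {
        "photo.jpg": JPEG_HEAD,
        "hidden.doc": JPEG_HEAD,                     # picture disguised as a document
        "report.doc": OLE_HEAD,
        "damaged.jpg": b"\x00\x00" + JPEG_HEAD[2:],  # SOI marker overwritten
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, kind, status in scan_directory(build_sample_tree()):
        print(f"{rel:12} {str(kind):6} {status}")
```

Files reported as `unknown` are the candidates for the hex-editor work described above; `repair_jpeg_header` automates the simplest case, where only the two SOI bytes are gone, and refuses to touch anything whose following segment does not look like a JPEG.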

