Above is a basic illustration of a scenario from a popular television crime drama, and it is the complete opposite of reality. This fast-paced, exciting action is solely for entertainment purposes and a travesty of the true nature of computer forensics. While the media is airing these thrilling dramas, they are significantly tarnishing the primary principles that govern computer forensics.
Computer Forensics in Its True Form
To clear up some of the misconceptions that these farcical scripted television shows have created, let us take a deeper look at Computer Forensics. But first, let us look at why computer forensics is essential to fighting crime in modern societies.
Why Is Computer Forensics Important?
As technology advances, electronic devices are being used as an essential element in criminal activities. Hacking, phishing, cyberstalking and identity theft are more common now than ever before. Electronic devices can also hold evidence in the form of internet history, files and emails needed for criminal investigations. Law enforcement authorities have responded to the increase in computer crimes by applying proven computer forensic techniques. Computer forensics is used to reveal evidence on electronic devices that is required for criminal investigations. Many businesses today look to computer forensics to solve intellectual property theft, fraud investigations, bankruptcy investigations and industrial espionage.
Computer Forensics Miami has expanded significantly over the years in response to the increase in computer crimes in the region. Government authorities are fervent about prosecuting people who participate in computer crimes since they are often accompanied by further criminal schemes. Many organizations have emerged over the years to assist businesses in Miami in the fight against computer crime.
What is Computer Forensics?
Computer forensics, commonly referred to as cyber forensics, has expanded significantly over the years to become one of the most essential sciences used for solving crime today. It involves identifying, analyzing, extracting, recording and preserving information compiled and located within a computer system that is needed as legal evidence. Investigators are required to follow the key principles of computer forensics closely to avoid failures in the investigation.
Nearly everything you do on a computer system will leave a trace; in criminal investigations this is referred to as digital evidence or electronic evidence. Digital evidence has to be traced carefully because it is fragile and invisible to the naked eye. Like other trace evidence such as fingerprints, blood and hair, digital evidence has to be carefully analyzed, extracted, recorded and preserved to safeguard its fidelity.
Principles of Computer Forensics That Television Got Wrong
Data Preservation
Computer forensics at its initial stage follows the physician's principle: do no harm. The first step in computer forensics is data preservation. Compared with other types of trace evidence, digital evidence has to be duplicated exactly to avoid disrupting the original data, which could affect the investigation. Entering information, loading programs, conducting routine checks or simply powering off the computer system can alter the information on the hard drive. The investigator is expected to:
• Ensure that the original evidence is not disrupted.
• Protect the computer system from viruses.
• Ensure that the original data is protected from electromagnetic and mechanical damage.
• Follow proper forensic guidelines to avoid failures in the investigation.
Any lapse in the above guidelines regarding the preservation of the original evidence may result in the loss of vital information needed for the investigation and may compromise the integrity of the information, making it inadmissible in court.
Acquisition
During the data acquisition process the investigator is expected to:
• Recover information from partially inaccessible devices.
• Collect active data from devices.
• Recover deleted emails and files.
• Retrieve information from unused and inactive areas on the computer.
• Retrieve encrypted and password protected data.
• Collect data from files, e-calendars and contact managers.
Generally, investigators power off the computer system and use a write-blocker to ensure that the original data is not altered during the processes that follow. The device that the information is copied to is first pre-wiped, then cleaned and tested in sequence to ensure that it hosts no additional information.
Traditionally, investigators used devices such as a hard disk drive to duplicate the evidence; however, modern devices with solid state drive memory that cannot be write-protected are increasingly popular. Because of the volatile nature of these devices, powering off the device may alter the original information. In these situations the investigator has to carry out a live acquisition to retrieve the information. To do so, the investigator runs a program on the computer to duplicate the evidence to a hard drive. During this process the original state of the computer can be altered; hence, the investigator has to keep a detailed record of his actions for the evidence to be admissible.
Regardless of how the data is acquired, a duplicate of the information is made using proper imaging software. This provides the investigators with a snapshot of the information located within the media. Taking the image does not affect the integrity of the original data, and investigators are not required to reboot the system. After this, the computer forensic analysis will commence.
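The acquisition sequence above (sterile destination, read-only copy, record of every action) together with the comparison of codes described later under Computer Analysis, as an added example that is not from the original post: a Python simulation that uses in-memory byte buffers in place of real drives, SHA-256 as the comparison code, a constructed sample drive, and a hypothetical CustodyLog helper.

```python
import hashlib
import io
from datetime import datetime, timezone
# Constructed sample "drive" contents; stands in for the original evidence medium.
SAMPLE_SOURCE = (b"active document text\x00\x00\x00deleted remnant\x00") * 4
BLOCK_SIZE = 512  # assumed sector size for block-wise reading

class CustodyLog:
    """Timestamped record of each examiner action (hypothetical helper)."""
    def __init__(self):
        self.entries = []
    def record(self, action, **details):
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "action": action, **details})
        return self.entries[-1]

def is_sterile(dest):
    """True only if the destination medium holds nothing but zero bytes (pre-wiped)."""
    dest.seek(0)
    while chunk := dest.read(BLOCK_SIZE):
        if chunk.strip(b"\x00"):   # any non-zero byte means leftover data
            return False
    return True

def image_drive(src, dest, log):
    """Block-copy src to dest, hashing the source as it is read and the image afterwards.
    A hardware write-blocker keeps the real source read-only; here src is only ever read."""
    if not is_sterile(dest):
        log.record("abort", reason="destination medium not sterile")
        raise ValueError("destination medium is not sterile")
    log.record("sterile_check", result="pass")
    src_hash = hashlib.sha256()
    src.seek(0)
    dest.seek(0)
    while chunk := src.read(BLOCK_SIZE):
        src_hash.update(chunk)
        dest.write(chunk)
    dest.seek(0)
    img_hash = hashlib.sha256(dest.read()).hexdigest()
    verified = img_hash == src_hash.hexdigest()   # the codes must match exactly
    log.record("image", source_sha256=src_hash.hexdigest(),
               image_sha256=img_hash, verified=verified)
    return src_hash.hexdigest(), img_hash, verified

def acquire(source_bytes=SAMPLE_SOURCE, dest_bytes=None):
    # Returns ((source_sha256, image_sha256, verified), custody log entries)
    log = CustodyLog()
    src = io.BytesIO(source_bytes)
    dest = io.BytesIO(dest_bytes if dest_bytes is not None else bytes(len(source_bytes)))
    return image_drive(src, dest, log), log.entries
```

A destination that is not all zeros aborts the acquisition before any byte is copied, and the abort itself is logged.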
Computer Forensic Analysis
Data Recovery: This is a vital stage in computer forensic analysis. In this stage the investigator presents a comprehensive report of the evidence applicable to the investigation. The data that is recovered during this process can be categorized as active data, recovered or unused.
• Active Data: This refers to the original information that is available on the hard drive. This is the information that was accessible to the owner of the computer.
• Unused Data: This refers to available "free space" and unassigned sections of the hard drive, including the parts of the hard drive that are free and the files that have been deleted.
• Recovered data: This refers to specific information and files that were restored after being removed from the active data. Investigators are able to recover some files completely to their original state, and these can be identified easily. Other files may only be recovered in fragments and need to be carefully analyzed to restore them.
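The recovery of complete files and of fragments from unused areas, as an added example that is not from the original post: a small signature-based carver in Python run over a constructed disk image; the signature table and the 64 KiB search window are assumptions of the example.

```python
# Header/footer signatures to carve for; a constructed subset, not an exhaustive table.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 64 * 1024  # assumed upper bound on how far to look for a footer

def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Scan raw image bytes (allocated or unallocated space alike) for header/footer pairs.
    Returns records with type, byte offset, carved data and whether the footer was found;
    complete=False marks a fragment that needs manual analysis."""
    found = []
    for name, (header, footer) in signatures.items():
        start = 0
        while (h := image.find(header, start)) != -1:
            window = image[h:h + max_len]
            f = window.find(footer, len(header))
            if f == -1:
                # No footer within the window: keep the fragment, minus trailing slack
                found.append({"type": name, "offset": h,
                              "data": window.rstrip(b"\x00"), "complete": False})
                start = h + len(header)
            else:
                end = h + f + len(footer)
                found.append({"type": name, "offset": h,
                              "data": image[h:end], "complete": True})
                start = end
    return sorted(found, key=lambda r: r["offset"])

# Constructed image: one active file, then unallocated space holding a deleted
# JPEG (intact) and a deleted PDF whose tail was overwritten (fragment only).
SAMPLE_IMAGE = (
    b"ACTIVE FILE CONTENTS" + bytes(16)
    + b"\xff\xd8\xff\xe0" + b"JFIF-pixels..." + b"\xff\xd9" + bytes(32)
    + b"%PDF-1.4 partial body that was overwritten" + bytes(16)
)

def recover_from_sample():
    return carve(SAMPLE_IMAGE)
```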
Computer Analysis: Aside from recovering data, investigators should also be able to tell whether the evidence is damaged, deleted or tampered with. To do so they must scrutinize the information that was recovered (this includes files that were deleted and information from unused or inactive areas on the hard drive) and the history of the content within the files. This means that they can trace everything that was done on the computer system before the evidence was discovered. The analysis should include various areas such as:
• The identification of significant dates and keywords necessary for the investigation.
• Uncovering all activities that took place on the computer system, including internet history and email activities.
• Locating copies of all documents drafted.
• Validating information in files as well as the time stamp and date.
• A comparison of computer codes to determine whether the evidence is original or has been tampered with.
• A recommendation of what evidence the computer system should contain and the best methods that can be used to locate the evidence.
Review and Feedback
After the analysis is completed the investigators can assist the client in court by:
• Organizing compelling reports to reveal all the evidence that was discovered.
• Presenting information for pleadings and affidavits.
• Sourcing reliable testimonies and credible reports.
By meeting the requirements outlined above, the investigator will be able to support the case and help achieve a conviction. Investigators should strive to meet these requirements from the initial consulting phase of the investigation to guarantee the best results. Although the review stage is often disregarded because of the lack of time and budget for billable work, it can help to improve the quality of the investigation and reduce overall expenses.
A review of the investigation can be timely and can begin at any point during the investigation. It can include a summary of the successes and failures that occurred throughout the investigation and how they can benefit future investigations.
Bottom Line
Although, compared with CSI Miami, this might not be a great way to spend your Saturday night, a solid and impregnable Computer Forensics Miami process is essential to real-life investigations. As electronic devices become an essential part of modern society, computer forensics is becoming even more significant in the fight against crime. To properly assemble the puzzle pieces in computer forensics, it is imperative that investigators carefully follow the stages to authenticate, collect, guarantee data preservation, and successfully conduct forensic analysis and review.