Gathering, Analyzing, and Presenting Digital Evidence: Computer Forensic Investigators

Abstract

The field of computer forensics involves gathering, analyzing, and presenting digital evidence. In the contemporary digital world, many cases involve unauthorized access to digital information and its use. Crime scene investigation is exemplified by five phases, which are the preservation, survey, documentation, search and collection, and presentation phases. Computer forensic investigators are required to follow the phases sequentially to increase the chances of obtaining high-quality digital evidence. Members of a team investigating a crime to the use of computer systems should adopt professional ethics. For example, they should be objective and show high levels of commitment and diligence in all their professional duties. This paper aims at accomplishing four tasks, which are about providing HCC Partners in Life with computer forensic services that would support a case in a court of law. In this context, I am representing my computer forensics team.

Describe your plan for processing the potential crime/incident scene

My group would prepare a plan that would be important in processing the incident scene for HCC Partners in Life. The firm’s database server and computer networks will be investigated to identify any inconsistencies that could have resulted from the tempering of computer systems. A journal will be needed to document all activities in the investigation (Stephenson & Gilbert, 2013). The scene will be secured, and only authorized persons will access the area. Video recording will be conducted, which will capture events in all directions. Nelson, Phillips, and Steuart (2010, p. 167) note that “investigation of a scene incident should be started by recording the overall scene, and then taking a footage of details within close-up shots, including the back of all computers and the back” of each computer.

Videotaping will be followed by taking images of the scene, which will be applied in obtaining a draft that will be typified by notes on all objects identified in the scene (Stephenson & Gilbert, 2013). One of the rules in computer forensics requires that computers should be turned off so that all digital evidence can be maintained. “Typically, this procedure is still acceptable on Windows and Ms-DoS systems because turning off the power preserves data, but it should be noted that Windows XP/Vista, UNIX, and Linux operating systems should be shut down in an orderly manner” (Nelson et al., 2010, p. 178). If my team does find computers in the organization turned on, then team members will focus on saving data, which will be followed by turning them off, but it will be performed in a very careful way.

Identification of the potential digital evidence will be important in the investigation (Stephenson & Gilbert, 2013). Digital information that can be used as evidence in a court of law will be searched. One member will collect evidence and keep a catalog, but more members might be assigned the tasks on the condition that much data will be collected. Standardized forms will be utilized to maintain evidence in a safe and secure environment. Research has shown that many investigators face the challenge of adopting standards for digital evidence, which can negatively impact outcomes in computer forensic investigations (Nelson et al., 2010).

In the context of HCC Partners in Life, it would be critical to prepare for the search for digital information. The preparation phase involves the steps that are aimed at discovering and reclaiming data that are hidden in computer systems. A forensic analyst can choose the best technique from a wide variety of methods to tag the evidence that would be found on computers. Regarding search preparation, my team of investigators will review several sources of literature, which will include policies, protocols, and procedures (Nelson et al., 2010). However, the team will consider legal implications that might result from the search. For example, some court rulings have stated that some searches are contrary to the provisions of the law. Cybercrime has been attracting many scholars in the recent past for the reason that law enforcement officials encounter many challenges (Nelson et al., 2010). The Fourth Amendment is related to searches and seizures, which will be considered before the start of the investigation in the organization (Jarrett & Bailie, 2012).

The team will adopt steps to seize digital evidence. However, a legitimate search warrant for investigating all computer systems in the firm will support the activity. Because the search will be treated as a legal seizure of information, members of the team will be required to adopt the US DOJ procedures for searching data (Jarrett & Bailie, 2012). Specific evidence will be seized, such as email messages (Jarrett & Bailie, 2012). In the context of criminal investigations, the law requires that all computer drives should be seized and information preserved. Besides, it is worth noting that no evidence will be overlooked (Jarrett & Bailie, 2012; Nelson et al., 2010). Overlooking certain evidence might result in high levels of inefficiencies of investigators.

Some legal proceedings might result from the investigation. Thus, the team will follow the documentation to aid proceedings in a court of law. From the start of the exercise, all team members will be encouraged to record all their activities in a manner that is allowed in the profession. All activities should be conducted and genuine reasons noted so that legal procedures would have a strong foundation (Nelson et al., 2010).

My team will aim at ensuring that appropriate storage of evidence will be adopted. This would lead to high levels of validity and credibility of the data collected. In a case where there is poor storage of data, then legal proceedings might not be successful because it might be argued that some evidence was altered (Nelson et al., 2010).

Discuss how your team will approach and process the database administrator’s computer — considering the potential malware on her system

Within a firm, a database administrator is responsible for installing, configuring, upgrading, monitoring, and maintaining databases, which are important for achieving a company’s goals. My team of forensic investigators will process the database administrator’s computer to identify digital information that was altered to negatively impact the systems of our client. However, potential malware issues will be taken into an account. Malware is a form of software that can disrupt the operations of computers by gaining access to programs. Although malware might be found in the database administrator’s computer and it might hinder the activities of forensic investigators, we might also use malware, such as Regin, to stealthily access information that would be used as evidence in a court of law (Nelson et al., 2010). Specific areas will be analyzed to determine cases of data alterations. The areas will include partitions of the hard drive. For example, it would be important to search for programs in the C drive that might show the history of data manipulations in the computer systems of the firm.

In the field of computer forensics, hard drive imaging implies creating an external backup that contains the same files as those contained in the internal storage device of a computer. The team might choose one of the two methods that are applied in creating hard drive images. First, contents might be transferred to an alternative physical storage device. Second, members of the team might choose to create an entire hard drive backup. Hard drive imaging results in a compressed file that has many copies of files. The compression is important in space conservation and improving outcomes of computer investigations. Once the team attains an image file, members will restore the image to a different drive. Alternatively, files might be retrieved from the image (Nelson et al., 2010). Advancements in the field of information technology have led to the creation and commercialization of software that can be utilized in hard drive imaging. Various hard drive imaging programs are typified by varying capacities of creating file copies. Thus, program capabilities will be considered before selecting the most appropriate software for imaging. The team will use DriveImage XML, which is one of the most used programs for creating images. The software is obtained free of charge and can be applied to any size of a computer hard drive. The following are the steps that would be followed in creating a hard drive image:

1. Members will access the hard drive of the administrator’s computer.
2. The team will assign the task of downloading DriveImage XML to one member.
3. Running of the program will be started using instructions from the manufacturer. By clicking “Backup”, the program will start running.
4. The drive that would be imaged will be selected. Afterward, the “Next” button will be clicked. The program will detect and display a list of devices. Members will be keen to identify drives. The computer of the administrator might contain multiple drives, which should all be imaged.
5. Selection of the destination drive of the image will be made. It might be necessary to uncheck “Split Large Files” because the option is not required when creating images of files.
6. Completion of the image creation process will occur when a team member will click “Next” in the program.
7. The team of investigators will wait until the software completes creating images, which will be compressed into one file. Based on “the processor speed and size of the hard drive being imaged, the process might take about 30 minutes to several hours” (Johnson, 2013, p. 145).

Discuss how your team will approach and process the database server — as this is the location for patient medical records

A database server is a computer with unique software applications that are used to support the operations of other devices of a computer network. In the case of our customer, HCC Partners in Life, it is important to state that patients’ medical records are protected and shared among healthcare professionals to achieve unique care outcomes. Thus, it is clear that many records of patients’ medical information would typify our client’s database. The goal of the investigation is to assess whether the database was manipulated by unauthorized persons for personal and criminal goals. In this context, team members may access the server via a “front-end”, which would be running on the user’s computer (Nelson et al., 2010). Alternatively, the server might be accessed through the “back-end” that supports data analysis and storage. The team will locate the database server and ensure that there would be no manipulations on it. It will not be moved, implying that the chances of data manipulation will be greatly reduced. Besides, it would be essential to limit access to the room housing the server (Nelson et al., 2010). The hard drive of the server will not contain the same features as those in computers for light jobs. It will have larger storage capacities because it supports the analysis and maintenance of many health records of patients. A database server’s hard drive would have two electric motors, an actuator, and a moving coil motor.

The team will use approaches that would enable them to analyze evidence of modification of patients’ files. The areas on the server’s hard drive that would be affected by malware include the partitions containing the system files and partitions that would have other files, such as patients’ records (Johnson, 2013). If medical records were modified, then it would imply that the delivery of appropriate healthcare services to patients would be negatively impacted (Nelson et al., 2010). Thus, the investigation will intend to determine whether malware is responsible for changes in the server. Furthermore, some authorized persons might have accessed the records and altered them (Johnson, 2013).

Assuming that the client has been using a backup of patients’ records, an image of the server’s hard drive will be created and compared with that of the backup. The most recent backup will be used. Patients’ records will be analyzed to detect changes and determine the causes of alterations. Using appropriate software applications, team members will concentrate on determining the dates and time when changes were made (Nelson et al., 2010). There would also be a need to focus on determining the common patterns in alterations of patients’ records, which would go a long way in helping the management of the firm to know the goal of the intruders into the system.

Since DriveImage XML will be used to create an image of the hard drive of the administrator’s computer, it will also be important to use the same program to create an image of the server’s hard drive. The following steps would be followed:

1. DriveImage XML will be downloaded and installed on the team’s computer.
2. Running of the program will be initiated by clicking the “Backup” button.
3. The drive whose image should be created will be selected (the computer will display a list of available drives so that one option can be selected).
4. The destination drive, where the created image will be saved, will be selected. The “Split Large Files” will be unselected for the reason that the option would not be required to create an image.
5. The time required for completion of the image creation process will be determined by the processor speed of our team’s computer, but it might take “about 30 minutes to several hours to complete” (Johnson, 2013, p. 145).

Discuss how you prepare your team to be expert witnesses or support any expert testimony court requirements

The documentation phase of computer forensic investigations involves taking “photographs, sketches, and videos of the crime scene and the physical evidence” (Nelson et al., 2010, p. 540). My team of forensic investigators will adopt proper documentation to obtain adequate information so that important details will be preserved. If digital evidence would not be documented well, then there would be high chances of losing data, which cannot be accounted for by team members. Documentation standards will be followed in the process. The following steps are important in ensuring effective documentation of evidence:

1. Selection of the best materials for recording and storing data.
2. Observation of things at the crime scene, for example, taking images of computers and hard drives.
3. Recording of important data.
4. Storing of materials containing data in safe places.

An expert witness is a person who by training has expertise in a subject and can be relied on in a court of law to give evidence. Some of our team members will be expert witnesses if we collect digital evidence that can sustain a case in a court of law (Nelson et al., 2010). Unlike in the past when the public did not access expert witnesses’ identity and their evidence, the current legal environment across the world no longer protect the privileges (Johnson, 2013). Thus, team members will be adequately prepared to give expert evidence in a court to increase the probability of the case resulting in positive outcomes. The team will use the following steps to prepare members to give testimonies in a court:

1. Familiarizing members with description procedures. Many members of the team have not acted as expert witnesses in the past. Thus, proper orientation will be needed. Several issues will be covered at this level. For example, potential expert witnesses will be told that they would be under oath and they should comprehend questions before they respond to them. If necessary, clarifications should be sought. Besides, a witness should desist from talking at the same time as another person to avoid transcription problems.
2. Explanation of the purpose of the case. Inexperienced witnesses should be told the goal of cases in a simple language. If an individual is not able to answer a query, he or she should be encouraged to explain his or her inability to respond due to the problem of inadequate time.
3. Introducing experts to the players in a case. Our team members will be encouraged to distinguish friends from foes. In other words, expert witnesses are required to know the positions taken by attorneys in a case.
4. Telling expert witnesses that they should not be involved in arguments with counsels. Because expert witnesses give specialized evidence in a court of law, they have tendencies to argue with counsels. However, this should not be the case. In preparing our team members to give testimonies, they will be advised to desist from arguments.

When conducting computer forensic investigations and giving expert opinions in a court, members of the team will adopt professional ethics and responsibilities. Every member should show commitment and diligence when performing various duties. Maintenance of objectivity in computer forensic examinations will go a long way in presenting accurate findings that can be admissible in a court of law (Nelson et al., 2010). Team members will be required to adhere to moral and ethical standards that would ensure that they carry out their duties in a professional manner. Finally, members will behave ethically by examining evidence in the context of the engagement.

References

Jarrett, M., & Bailie, M. (2012). Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Web.

Johnson, T. A. (Ed.). (2013). Forensic computer crime investigation. Boca Raton, FL: CRC Press.

Nelson, B., Phillips, A., & Steuart, C. (2010). Expert Testimony in High-Tech investigation: In Guide to computer forensics and investigations. Cambridge, MA: Cengage Learning.

Stephenson, P., & Gilbert, K. (2013). Investigating computer-related crime. Boca Raton, FL: CRC Press.