Other than the two basic types of computer crimes above, what non-computer crimes might a computer forensics examiner get involved with, and how?
A computer forensics examiner may be called upon to provide evidence and advice in a court of law. He or she should always gather and preserve evidence according to the Federal Rules of Evidence. The examiner has three basic tasks: finding, preserving, and preparing evidence (Vacca, 2005). Before logs disappear, digital forensics investigators are required to capture as much information as possible so that it can be presented in court as evidence.
What is the purpose of a standard operating procedure (SOP) in digital forensics? You might also think of this as a systematic approach to the investigation. List five activities that should be in every SOP for digital forensics.
Standard operating procedures (SOPs) are usually the ultimate goal of practitioner-based computer forensic models. Proper SOPs are essential for digital forensic practitioners to perform investigations that ensure the validity, legitimacy, and reliability of digital evidence (Peterson & Shenoi, 2009). According to Casey (2007), an SOP is a set of steps that should be performed each time a computer is collected or examined. The activities in every SOP include collecting the evidence, preserving the evidence, analyzing the evidence in a consistent and thorough manner, preparing reports based upon the evidence analyzed by each examiner, and documenting cases completely with the notes, worksheets, and other documents the examiner used to support his or her conclusions.
What is the primary difference between government run and corporate run high-tech investigations?
Computer forensics can be either a public investigation or a corporate investigation (Nelson, Phillips & Steuart, 2009). Ordinarily, a public investigation involves government agencies that are responsible for criminal investigations and prosecution. These government agencies range from local, county, and state or provincial police departments to federal regulatory enforcement agencies. While public investigations involve criminal cases and government agencies, corporate investigations deal with private companies, non-law enforcement government agencies, and lawyers. Private organizations are never governed directly by criminal law or Fourth Amendment issues. They are instead governed by internal policies that define expected employee behavior and conduct in the workplace. To some extent, corporate investigations can also involve litigation.
If you are hired to conduct a digital forensics investigation by either side in a criminal or civil action, to what do you owe your allegiance?
If hired to conduct a digital forensics investigation by either side in a criminal or civil action, I will have no choice but to fully represent the interests of my client and defend him or her at whatever cost. This is regardless of whether or not the client in the digital forensics investigation case is in the wrong. As my client's legal advisor, I have an obligation to protect his or her interests at every stage of the digital forensics investigation until the end (Chow & Shenoi, 2010). The most important thing is to be able to prove that my client requires fair judgment and an opportunity to be heard.
What software or hardware tool must be used in digital media acquisition to protect against inadvertent tainting of evidence by the operating system?
ProDiscover Basic is one of the forensic tools used to write-protect evidence media so that it is not altered (Harvey, 2005). The program is usually started differently depending on the type of operating system in use. When files are deleted, the space they originally occupied becomes free and can be used for new files that are saved or for existing files that expand as data is added to them. The deleted files remain on the disk until a new file is saved to the same physical location, overwriting the old file. With the help of ProDiscover Basic, the deleted files can be retrieved for use as evidence.
Name three different tools that can be used to create bit-stream backup images and identify their strengths.
For the purpose of forensic examination, special forensic software must be used to undertake bit-stream imaging. One of the tools used is Storage Media Archival Recovery Toolkit (SMART). This tool can acquire digital evidence from a wide variety of devices by creating a true and accurate bit-image copy of the original and authenticating the data acquired (Johansson & Maitra, 2003). Its core functions are data acquisition, data authentication, data analysis, and logging as well as reporting. EnCase is another tool used for bit-stream imaging. Its core functions include multiple sorting of fields, automated search and analysis of ZIP files and email attachments, file signature and hash library support, and Unicode support. Maresware is Mares and Company's forensic software product. It provides an essential set of tools for investigating computer records and securing private information.
How does a collision occur in the context of authenticating images of computer media?
Generally, a collision in the context of authenticating images of computer media occurs when different blocks of data used as input to the authentication function produce the same authentication value. Typically, this never happens in the real world. However, there are certain security algorithms that can be trusted to deliver reliable results. MD5, for example, provides secure mechanisms that minimize the frequency of collisions (Shinder & Cross, 2008). It can, therefore, be relied upon by professionals in the digital forensics field.
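The following is an added example, not code from the original answer or from any of the tools cited. It makes the idea of a collision concrete: a SHA-256 digest is deliberately truncated to 20 bits (an assumption chosen only so the search finishes in a fraction of a second), and a birthday search finds two distinct inputs that share that short value. The full-length digests of the same two inputs still differ, which is the practical reason an examiner records a full-length hash of an image and commonly a second algorithm alongside MD5.

```python
"""Illustrating how a hash collision occurs, using a deliberately weakened digest.

The weak digest is the first TRUNC_BITS bits of SHA-256. With so few bits the
birthday bound is tiny, so two different byte strings with the same weak digest
turn up after roughly a thousand tries. Their full SHA-256 digests still differ.
"""
import hashlib

TRUNC_BITS = 20  # assumption: width chosen so a collision is found almost instantly


def weak_digest(data: bytes) -> int:
    """Return the first TRUNC_BITS bits of SHA-256(data) as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - TRUNC_BITS)


def find_collision(prefix: bytes = b"image-block-") -> tuple[bytes, bytes]:
    """Birthday search: hash distinct inputs until two share the weak digest.

    The inputs are constructed sample data (prefix plus a counter); any two
    distinct inputs would do. Returns the colliding pair.
    """
    seen: dict[int, bytes] = {}
    counter = 0
    while True:
        candidate = prefix + str(counter).encode()
        d = weak_digest(candidate)
        if d in seen:
            return seen[d], candidate
        seen[d] = candidate
        counter += 1


def full_digests_differ(a: bytes, b: bytes) -> bool:
    """A full-length digest distinguishes the two inputs the weak digest confused."""
    return hashlib.sha256(a).hexdigest() != hashlib.sha256(b).hexdigest()


if __name__ == "__main__":
    a, b = find_collision()
    print("inputs:", a, b)
    print("weak digests:", hex(weak_digest(a)), hex(weak_digest(b)))
    print("full SHA-256 differs:", full_digests_differ(a, b))
```

The search cost grows with the square root of the digest space, which is why a 20-bit value falls in about a thousand tries while a full 128- or 256-bit digest does not; an examiner who records the full digest of an acquired image, and ideally two independent digests, leaves no such short value for a mismatch to hide behind.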
Discuss physical security of digital forensics labs, including why physical security is necessary and important.
In order to set up a proper digital forensics function, it is necessary for the digital forensics professional to see to it that the actual equipment that performs the digital forensics investigation is both available and securely kept. Physical security is, therefore, critical in ensuring that a digital forensic investigation process can be trusted (Shoemaker, Conklin & Conklin, 2011). Moreover, because the gathering of electronic evidence often requires a highly controlled physical environment, the digital forensics professional is also responsible for ensuring that the electrical, thermal, acoustic, and physical security requirements of the digital investigation space are continuously satisfied. In conjunction with this latter responsibility, the digital forensics professional is responsible for making certain that the physical requirements of the digital forensics lab are kept up to date, including ensuring that access to the laboratory is restricted to authorized personnel.
Compare and contrast the physical vs. logical architecture of a hard disk.
Generally, the different physical organization structures of a disk are handled by driver software. One of the tasks of a computer operating system is to hide such physical differences from users and application programs by providing a logical interface for file access (Borghoff, 2005). The migration strategy that copies data between media of different physical but identical logical structure is called replication. An example would be the migration between a hard disk and a Universal Serial Bus device. When replication is used, restriction mechanisms carry over to the new media without problems as long as the information the mechanism relies on does not depend on the physical properties of the access media. Other authenticity features or strict copy protection depend directly on the properties of the data representation or of the physical media themselves.
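As an added example (not from the original answer or the cited source), the script below shows the boundary between the physical and logical views of a disk at the lowest level an examiner meets it: a Master Boot Record. The physical view is a sequence of 512-byte sectors addressed by LBA number; the logical view is a partition table that says which runs of sectors hold a file system. The MBR bytes are constructed sample data with a single partition entry, and the partition type code, start sector and length are assumptions.

```python
"""Mapping the logical partition layout of a disk onto physical sectors.

Parses the four 16-byte partition entries of a classic MBR (offset 446, signature
0x55AA at offset 510) and converts the logical sector numbers a file system uses
into the physical sector numbers on the media. The sample MBR is constructed here.
"""
import struct

SECTOR_SIZE = 512                 # physical sector size assumed for the sample media
ENTRY_FORMAT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count
PARTITION_TABLE_OFFSET = 446
MBR_SIGNATURE = b"\x55\xAA"


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR with one bootable NTFS-type partition (type 0x07)."""
    mbr = bytearray(SECTOR_SIZE)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048,     # partition starts at physical sector 2048 (1 MiB alignment)
                        204800)   # 100 MiB of sectors; both values are assumptions
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return the in-use partition entries with their physical byte ranges."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            ENTRY_FORMAT, mbr[offset:offset + 16])
        if ptype == 0:            # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sector_count": count,
            "byte_offset": lba_start * SECTOR_SIZE,
            "byte_length": count * SECTOR_SIZE,
        })
    return partitions


def logical_to_physical(partitions: list[dict], index: int, logical_sector: int) -> int:
    """Translate a sector number relative to a partition into a sector on the media."""
    part = partitions[index]
    if not 0 <= logical_sector < part["sector_count"]:
        raise ValueError("logical sector lies outside the partition")
    return part["lba_start"] + logical_sector


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"partition {p['index']}: type 0x{p['type']:02x}, "
              f"physical sectors {p['lba_start']}..{p['lba_start'] + p['sector_count'] - 1}, "
              f"image offset {p['byte_offset']} bytes")
    print("logical sector 10 of partition 0 is physical sector",
          logical_to_physical(parts, 0, 10))
```

The byte offsets are what an examiner uses to mount or carve a single volume out of a whole-disk image; the sectors before the first partition and any gap between partitions are physical space that the logical view never exposes, which is one reason a bit-stream image of the whole device is preferred over a copy of the volumes it contains.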
The Fourth Amendment to the Constitution was designed to guarantee a person’s right to what? How does it do that?
The Fourth Amendment protects Americans from unreasonable police searches and seizures. It is included in the Bill of Rights to place limits on the government's power to interfere with American citizens. In the many years since the Fourth Amendment was adopted, many rules have been established to carefully control when and how searches and seizures are conducted (Smith, 2010). While some people argue that these rules make it too difficult for the police and other law enforcers to catch criminals and win courtroom convictions, others argue the exact opposite.
What is the difference between making a standard copy of a piece of media and making a forensically sound bit-stream backup copy?
Bit-stream backups are more thorough than standard backups (Gottschalk, 2012). Unlike standard backups, bit-stream backups involve copying every bit of data on a storage device. It is recommended that two such copies be made of the original when hard disk drives are involved. Any processing should be performed on one of the backup copies. According to Vacca (2005), processing a computer hard disk drive for evidence without a bit-stream image backup is like playing with fire in a gas station.
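The script below is an added example, not code from the original answer or from any of the imaging tools named earlier. It carries out the procedure the answer describes: the source is opened read-only, every byte is streamed into two image files, MD5 and SHA-256 are computed over the stream, and each copy is hashed again and compared with the source. A small sample "device" is constructed in a temporary directory so the example runs offline; its layout (an allocated file followed by unallocated space that still holds the remnant of a deleted file) is an assumption used only to show what a standard file-level copy would miss.

```python
"""Forensic bit-stream imaging with hash verification.

image_device() reads the source in blocks and writes identical bytes to every
destination while hashing the stream; verify_image() re-hashes a copy and checks
it against the recorded digests. The sample device is constructed data.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB read size (assumption; any block size gives the same image)

# Constructed sample media: an allocated file, then unallocated space that still
# carries part of a deleted file. A file-level copy would take only the first part.
SAMPLE_DEVICE = (b"allocated document text\n" + b"\x00" * 64
                 + b"remnant of a deleted file" + b"\x00" * 64)


def image_device(src_path: str, dst_paths: list[str]) -> dict:
    """Copy every byte of src_path into each dst_path; return hashes of the stream."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    with open(src_path, "rb") as src:           # read-only: the source is never opened for writing
        outputs = [open(p, "wb") for p in dst_paths]
        try:
            while True:
                block = src.read(CHUNK_SIZE)
                if not block:
                    break
                md5.update(block)
                sha256.update(block)
                total += len(block)
                for out in outputs:
                    out.write(block)
        finally:
            for out in outputs:
                out.close()
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "bytes": total}


def hash_file(path: str) -> dict:
    """Hash an existing file with the same two algorithms, for later verification."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(block)
            sha256.update(block)
            total += len(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "bytes": total}


def verify_image(path: str, expected: dict) -> bool:
    """True when the copy's size and both digests match the acquisition record."""
    return hash_file(path) == expected


def demo() -> dict:
    """Acquire the constructed device twice, verify both copies, and compare
    what a bit-stream image and a file-level copy would each contain."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.raw")
        with open(device, "wb") as f:
            f.write(SAMPLE_DEVICE)
        copies = [os.path.join(tmp, "image1.dd"), os.path.join(tmp, "image2.dd")]
        record = image_device(device, copies)
        with open(copies[0], "rb") as f:
            image = f.read()
        allocated_only = SAMPLE_DEVICE.split(b"\x00", 1)[0]   # what a standard copy carries
        return {
            "bytes": record["bytes"],
            "copies_verified": all(verify_image(p, record) for p in copies),
            "source_matches_record": hash_file(device) == record,
            "remnant_in_image": b"remnant" in image,
            "remnant_in_standard_copy": b"remnant" in allocated_only,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keeping the size together with the digests catches a truncated copy even before the hashes are compared, and recording two different digests means a later question about any one algorithm does not leave the acquisition record without a usable check. Working copies are then taken from one of the verified images, never from the source.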
References
Borghoff, U. M. (2005). Long Term Preservation of Digital Documents. Tulsa, OK: Springer.
Casey, E. (2007). Handbook of Computer Crime Investigation: Forensic Tools and Technology. Burlington, MA: Academic Press.
Chow, K. & Shenoi, S. (2010). Advances in Digital Forensics VI: Sixth IFIP WG 11.9 International Conference on Digital Forensics, Hong Kong, China, January 4-6, 2010, Revised Selected Papers. Tulsa, OK: Springer.
Gottschalk, P. (2012). Investigation and Prevention of Financial Crime: Knowledge Management, Intelligence Strategy and Executive Leadership. Burlington, VT: Gower Publishing, Ltd.
Harvey, D. R. (2005). Preserving Digital Materials. Morlenbach, Germany: Walter de Gruyter.
Johansson, T. & Maitra, S. (2003). Progress in Cryptology - INDOCRYPT 2003: 4th International Conference on Cryptology in India, New Delhi, India, December 8-10, 2003: Proceedings. Berlin, Germany: Springer.
Nelson, B., Phillips, A. & Steuart, C. (2009). Guide to Computer Forensics and Investigations. Boston, MA: Cengage Learning.
Peterson, G. & Shenoi, S. (2009). Advances in Digital Forensics V: Fifth IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA, January 26-28, 2009, Revised Selected Papers. Tulsa, OK: Springer.
Shinder, D. L. & Cross, M. (2008). Scene of the Cybercrime. Burlington, MA: Syngress.
Shoemaker, D., Conklin, W. A. & Conklin, W. A. (2011). Cybersecurity: The Essential Body of Knowledge. Boston, MA: Cengage Learning.
Smith, R. (2010). Fourth Amendment: The Right to Privacy. Edina, MN: ABDO Publishing Company.
Vacca, J. R. (2005). Computer Forensics: Computer Crime Scene Investigation, Volume 1. Hingham, Massachusetts: Charles River Media, Inc.