Computer forensics is a growing branch of computer science and information technology. From time to time, organizations large and small require an audit of their information systems (Carrier, 2005). This is where computer forensic experts come in.
This paper is meant to give a clear understanding of some of the tasks involved in computer forensics. It describes the activities involved in investigation, documentation and reporting. The last part of the paper is a brief analysis of the challenges faced by expert witnesses, together with a sample courtroom scenario.
Types of equipment that should be packed in a field tool kit and the rationale behind the choices
The tool kit for the task should include both software and hardware. The most important items are the forensic laptop and its power supply: the laptop carries the acquisition and analysis software needed for the task, while a spare power supply serves as an emergency source of power in case of an outage in the field (Vacca, 2002). Digital cameras, case folders and blank forms are also important; they are used to record interviews with staff as well as other observations made in the field. Data-transfer cables, blank hard drives for storing the acquired data, and hardware write blockers are essential, since the write blocker is what prevents the examiner's own equipment from altering the original media while it is read. Hard drive duplicators are needed for forensic imaging and data acquisition (Kruse & Heiser, 2002). Password recovery software and equipment are also valuable; they are needed to counter sabotage or uncooperative staff.
Additional questions for the Supervisor before the operation begins
Who is in charge of the safekeeping of the explosives?
Who authorizes the release of explosives to be used in the field?
Does the company have a defined procedure for acquiring explosives?
Could I get a list of the names of all individuals who handle explosives in the company?
Does the company use IT systems to manage the circulation of explosives and related substances?
Who manages system user accounts in all the company systems?
Under what conditions is the company allowed to release explosives for use in the field?
Does the company keep all the records pertaining to explosive use?
Which officers will be working with me?
Is the suspect found with the cache of explosives an employee of the company?
Brief address to police officers
The operation will begin shortly; I therefore call upon your cooperation as we undertake this task. For the task to succeed, and to ensure that the culprits are brought to book, I call upon you to cooperate fully and offer any information that might come your way. Take note that the use of force or harassment to get information from the suspect might not prove fruitful; I urge you to handle the situation with dignity. Report to me immediately if any suspicious activity crops up. All computer systems, devices, storage media and any other records should not be touched and should be left as they are until checked by the investigating officer. If you notice file deletion on any machine, kindly report it to me immediately so that appropriate action can be taken. Ensure that no company staff have access to computer systems during the investigation. Secure the data centres and ensure that no company staff get access to the machines there. If you are not sure about any activity in progress, report it to me immediately.
Pieces of potential evidence in the scene and evidence that it might contain
From the office picture shown, several devices and documents are potential sources of evidence in the investigation. First is the USB flash drive on the desk. It could contain data showing payments made, or explosives supplied, by the manager to the person caught with the explosives. The mobile phone may hold records of calls made by the suspect to various people in the last hours or even days; following those leads may help resolve the matter. The hard drive may also contain important data on the company's acquisition and distribution of explosives. In the same category as the hard drive are the DVD and the notepads on the desk. The sticky notes on the computer should also be checked, as they may contain information that contributes to the task.
Hard drives, DVDs and USB flash drives are electronic storage and transfer devices. The same devices can be used to store company data, such as records of explosive distribution, and that is why they must be checked. Sticky notes are quick reminders that can also provide valuable information.
Methods employed to “capture” the scene in situ
The first method that can be used to capture the scene is to video-record it. Video has the advantage that the scene can be captured from all angles, giving the most accurate record of it. Video recording also captures sound, so a spoken commentary can be included while recording (Kruse & Heiser, 2002). The real state of the scene is therefore captured and can be clearly understood later.
Photographing the scene is another method. Like video, photographs provide a first-hand record of the scene, but it is hard to capture every angle in still photographs. Some objects may be hidden behind others, which can cause confusion during review.
Describing the scene in written notes is a third method. Its disadvantage is that different people describe the same object or scene differently. Its advantage is that notes can record information that is hard to understand from a photograph alone, such as what the examiner observed, did and when.
Step of action on seeing the above window
The approach depends on how fast the clean-up is progressing. If it is deleting quickly, the first task is to cancel it, to prevent the loss of important documents or browser histories. If it is slow, the first task is to record proof of what is happening by photographing or video-recording the screen. Such a record is useful in reporting and in giving an expert opinion to the authorities. Whichever comes first, the most important thing is to stop the process before much data is deleted, and to note the exact time and the action taken in the case notes.
Evidence that can be collected thereafter
After stopping the clean-up process, the first task is to identify which files were being deleted. The evidence that can then be collected includes temporary internet files, cookies and the web browser history, which show the sites visited by the suspect; the last download locations, which show where the suspect obtained particular data; and the list of recent documents, which shows what the suspect had been working on in the last few days or weeks. If the suspect had been working on any document related to the case at hand, it can easily be identified from these sources.
Purpose and importance of a chain of custody document for the evidence
A chain of custody is the chronological documentation of the seizure, custody, control, transfer and analysis of evidence (Carrier, 2005).
The chain of custody document is important because it shows the order in which tasks were carried out in the field and who held each item of evidence at every point. It is used to determine whether evidence could have been tampered with during the process, and therefore how far it can be relied upon. It helps establish that the evidence presented is the same item that was seized, which removes doubts about planting or substitution of evidence. The document can be used to pre-empt or withstand any challenge to the authenticity of the evidence collected (Carrier, 2005).
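The record described above can be kept so that a later edit to it is detectable. The following is an added example, written for this page and not taken from the paper or any of its references, of a chain-of-custody log in Python in which every entry carries the hash of the previous entry, and a verify() pass raises the points a reviewer would: a transfer by someone who was not the recorded holder, a timestamp out of order, an evidence hash that changed between entries, or an entry edited after the fact. All item identifiers, names, times and hash values in it are constructed.

```python
"""Chain-of-custody record kept as a tamper-evident log.

Added example; it is not part of the original paper. Every name, time,
location and hash value below is constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime


@dataclass
class CustodyEntry:
    timestamp: str     # ISO 8601, UTC
    action: str        # seized, transferred, imaged, analysed, stored
    released_by: str   # previous holder ("" for the initial seizure)
    received_by: str   # new holder
    location: str
    item_hash: str     # digest of the evidence image once one exists, else ""
    prev_entry: str    # SHA-256 of the previous entry; links the log together


def entry_digest(entry: CustodyEntry) -> str:
    """Canonical hash of one entry, so any later edit to it breaks the next link."""
    canonical = json.dumps(asdict(entry), sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64   # prev_entry value of the very first entry

    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries: list[CustodyEntry] = []

    def record(self, when: str, action: str, released_by: str, received_by: str,
               location: str, item_hash: str = "") -> None:
        prev = entry_digest(self.entries[-1]) if self.entries else self.GENESIS
        self.entries.append(CustodyEntry(when, action, released_by, received_by,
                                         location, item_hash, prev))

    def verify(self) -> list[str]:
        """Return every discrepancy a reviewer would raise; an empty list is a clean chain."""
        problems = []
        expected_prev, holder, last_time, known_hash = self.GENESIS, "", None, ""
        for i, e in enumerate(self.entries):
            if e.prev_entry != expected_prev:
                problems.append(f"entry {i}: link to previous entry broken (entry edited or missing)")
            if e.released_by != holder:
                problems.append(f"entry {i}: released by {e.released_by!r} but last recorded holder is {holder!r}")
            t = datetime.fromisoformat(e.timestamp)
            if last_time is not None and t < last_time:
                problems.append(f"entry {i}: timestamp earlier than previous entry")
            if e.item_hash and known_hash and e.item_hash != known_hash:
                problems.append(f"entry {i}: evidence hash changed from {known_hash[:12]} to {e.item_hash[:12]}")
            known_hash = known_hash or e.item_hash
            expected_prev, holder, last_time = entry_digest(e), e.received_by, t
        return problems


def example_log() -> CustodyLog:
    """Constructed custody history for one seized drive (item, people and hash are invented)."""
    img = hashlib.sha256(b"constructed stand-in for the drive image").hexdigest()
    log = CustodyLog("ITEM-07 (hard drive from the manager's PC)")
    log.record("2010-06-07T14:05:00+00:00", "seized", "", "Officer A", "Manager's office")
    log.record("2010-06-07T16:30:00+00:00", "transferred", "Officer A", "Examiner B", "Lab intake desk")
    log.record("2010-06-07T17:10:00+00:00", "imaged", "Examiner B", "Examiner B", "Lab bench 2", img)
    log.record("2010-06-08T09:00:00+00:00", "stored", "Examiner B", "Evidence store", "Locker 14", img)
    return log
```

The hash of the evidence image is recorded only from the point at which an image exists (the "imaged" entry), and from then on every entry must repeat the same value; a different value is a question to answer, not a clerical detail.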
Potential digital evidence not in the office
The server logs in the server room or data centre need to be checked, together with the database logs and user account logs. This establishes the times at which the suspect accessed the company systems and what was done during those sessions, for example changing records in the database. An action recorded in the logs can then be linked to a suspicious or unauthorised release of explosives, or to a consignment sent to a particular destination. Such information can be decisive in a case.
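As an added illustration (example code written for this page, not from the paper), the following Python reconstructs login sessions from a constructed server authentication log, ties each change in a constructed database audit trail to the session it happened in, and flags changes that fall outside any session. The logged_in_at() lookup is the step the document-ownership check later in this paper relies on. Both log formats, the account names, addresses and every line are invented; real syslog and database audit formats differ, so the two regular expressions would need adjusting.

```python
"""Correlate server login records with the database audit trail.

Added example, not part of the original paper. The two log formats and every
line in them are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Constructed sample: authentication log of the server hosting the inventory system.
AUTH_LOG = """\
2010-06-07T08:55:02Z sshd: login user=roberts src=10.0.5.23
2010-06-07T09:40:19Z sshd: logout user=roberts src=10.0.5.23
2010-06-07T10:02:44Z sshd: login user=mwangi src=10.0.5.31
2010-06-07T12:15:08Z sshd: logout user=mwangi src=10.0.5.31
2010-06-07T22:10:30Z sshd: login user=roberts src=192.0.2.77
2010-06-07T22:31:55Z sshd: logout user=roberts src=192.0.2.77
"""

# Constructed sample: audit trail of the explosives inventory database.
DB_AUDIT = """\
2010-06-07T09:12:30Z inventory user=roberts UPDATE consignments id=221 status:pending->delivered
2010-06-07T11:03:12Z inventory user=mwangi INSERT consignments id=222
2010-06-07T14:45:00Z inventory user=roberts DELETE consignments id=219
2010-06-07T22:20:01Z inventory user=roberts UPDATE consignments id=221 destination:'Site 4'->NULL
"""

AUTH_RE = re.compile(r"^(\S+) sshd: (login|logout) user=(\S+) src=(\S+)$")
DB_RE = re.compile(r"^(\S+) inventory user=(\S+) (UPDATE|INSERT|DELETE) (.*)$")


def ts(text):
    """Parse the logs' UTC timestamps into aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sessions(auth_log):
    """Pair each login with its logout: list of (user, source, start, end).

    A login with no matching logout is kept as an open-ended session (end=None),
    which is what an unexpected shutdown or a still-active user looks like.
    """
    open_logins, result = {}, []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        when, event, user, src = ts(m[1]), m[2], m[3], m[4]
        if event == "login":
            open_logins[(user, src)] = when
        elif (user, src) in open_logins:
            result.append((user, src, open_logins.pop((user, src)), when))
    result += [(u, s, start, None) for (u, s), start in open_logins.items()]
    return sorted(result, key=lambda r: r[2])


def logged_in_at(sess, when):
    """Accounts with an active session at one instant (the document-ownership check)."""
    return sorted({u for u, _, start, end in sess if start <= when and (end is None or when <= end)})


def attribute_changes(auth_log, db_audit):
    """Tie every record change to the login session it occurred in.

    A change with no enclosing session for that account means the audit and
    authentication logs disagree, or the database was reached without going
    through the server login; either way it needs following up.
    """
    sess = sessions(auth_log)
    findings = []
    for line in db_audit.splitlines():
        m = DB_RE.match(line)
        if not m:
            continue
        when, user, op, detail = ts(m[1]), m[2], m[3], m[4]
        enclosing = [s for s in sess if s[0] == user and s[2] <= when and (s[3] is None or when <= s[3])]
        findings.append({"time": when.isoformat(), "user": user, "op": op, "detail": detail,
                         "session_src": enclosing[0][1] if enclosing else None})
    return sorted(findings, key=lambda f: f["time"])


def unattributed(findings):
    """Changes that fall outside any known login session."""
    return [f for f in findings if f["session_src"] is None]
```

In the constructed data the 14:45 deletion has no session around it and the 22:20 update was made from an address unlike the other logins; both are exactly the kind of entry the examiner takes back to the system administrator.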
Questions to ask the System Administrator
Who is in charge of user accounts management in the organization?
Is there any way one can access someone's account without the knowledge of the owner or of the account managers?
Has there been any security breach in your systems in the recent past? If so, what was its extent and how was it contained?
Reasons for talking to the suspect
It is very important to ask the suspect some questions about the digital media collected, as this allows points that are unclear to be clarified. When adequate information is given and clarification is sought, a clear understanding of the situation develops, and that understanding helps in analysis and reporting. Without a proper understanding of the scenario, there is a real risk of reporting wrong information to the authorities.
Important information that can be obtained from the computer before beginning the forensic examination of the hard drive itself
Web browser histories are useful in determining the sites recently visited by the suspect; the browser stores this information in its history. Reviewing the list of visited sites (rather than opening them again, which would add new entries to the very history being examined) helps evaluate what the suspect had been up to in the recent past. The download locations are another place to check: if any data was downloaded from a particular site or server, it will be recorded there.
To determine quickly what the suspect was doing in the moments before arrest, the list of recent documents helps. If the suspect had been manipulating records or accessing particular documents prior to arrest, this can be determined easily. This information gives a fast first view of the material at hand and its relevance to the case, before the full examination of the hard drive.
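The following added example (written for this page, not taken from the paper) shows how this information is read once a copy of the browser's history database has been taken; it covers the browser history, download locations and recency described in this section and in the section on evidence collected after stopping the clean-up. It assumes a Chromium-style History SQLite file, of which only a constructed subset of two tables (urls and downloads) is built in memory here, with invented rows. The conversion of the stored timestamps, which count microseconds from 1601-01-01 rather than from the Unix epoch, is the detail examiners most often get wrong.

```python
"""Read visit and download times from a Chromium-style History database.

Added example, not from the paper. The schema below is a constructed subset of
the browser's History SQLite file (urls, downloads) and the rows are invented.
Always work from a copy of the file: the running browser keeps it locked, and
reading the original risks altering it.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores times as microseconds since 1601-01-01 UTC (the Windows
# FILETIME epoch), not as seconds since 1970. 11644473600 s separate the two epochs.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt):
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds   # exact, no float


def build_sample_history():
    """Constructed History database: two tables, four invented rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, tab_url TEXT,
                                start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);
    """)

    def t(iso):   # invented local-free UTC times for the sample rows
        return datetime_to_webkit(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc))

    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://intranet.example/inventory", "Explosives inventory", 14, t("2010-06-07T09:10:12")),
        (2, "https://webmail.example/", "Mail", 31, t("2010-06-07T09:31:05")),
        (3, "https://maps.example/?q=Site+4", "Site 4", 2, t("2010-06-07T22:18:40")),
    ])
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?)", [
        (1, r"C:\Users\roberts\Downloads\consignments.xlsx",
         "https://intranet.example/inventory/export", t("2010-06-07T09:12:01"), 48120, 48120),
    ])
    return db


def timeline(db, since=None):
    """Merged, time-ordered view of visits and downloads, in UTC.

    `since` restricts the view to recent activity, e.g. the hours before arrest.
    """
    rows = []
    for url, title, count, last in db.execute(
            "SELECT url, title, visit_count, last_visit_time FROM urls"):
        rows.append((webkit_to_datetime(last), "visit", url, f"{title} (visits: {count})"))
    for path, src, start, got, total in db.execute(
            "SELECT target_path, tab_url, start_time, received_bytes, total_bytes FROM downloads"):
        state = "complete" if got == total else f"partial {got}/{total} bytes"
        rows.append((webkit_to_datetime(start), "download", path, f"from {src}, {state}"))
    rows.sort()
    if since is not None:
        rows = [r for r in rows if r[0] >= since]
    return rows
```

The urls table only keeps the time of the last visit per URL; per-visit history lives in a separate visits table, which a full examination would also read.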
“MD5” and its significance
MD5 is a cryptographic hash function that produces a 128-bit hash value from input of any length. In forensics its main use is to check data integrity: the digest of the original media is recorded at acquisition, recomputed on the image later, and the two must match (Carrier, 2005). Because collisions can now be constructed deliberately for MD5, examiners record a second digest such as SHA-256 alongside it.
A report of an MD5 mismatch is a problem because it means the data in the hard drive image no longer matches what was acquired: the integrity check has failed. It could mean that the data was manipulated, that some data was lost or damaged, or that the wrong image is being examined (Carvey, 2005). Until the cause is established, the image cannot be presented as a faithful copy of the original.
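The check that produces such a report, as an added example (written for this page, not the paper's own procedure): the digests recorded at acquisition are recomputed over the image in fixed-size pieces and compared, algorithm by algorithm. The image here is a constructed 3 MiB byte string standing in for an image file, and the acquisition record is computed in the same script rather than read from a tool's report.

```python
"""Verify an acquired drive image against the digests recorded at acquisition.

Added example, not from the original paper. The 'image' is a constructed byte
string standing in for an image file, and the acquisition record is computed
here rather than read from an acquisition tool's report.
"""
import hashlib

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-gigabyte image is never fully in memory


def hash_image(chunks):
    """MD5 and SHA-256 over an iterable of byte chunks, in one pass.

    MD5 is still what most acquisition tools and existing paperwork record, so it
    is kept for comparison, but MD5 collisions can be constructed deliberately,
    so a second digest (SHA-256) is recorded over the same bytes.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for piece in chunks:
        md5.update(piece)
        sha256.update(piece)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def chunked(data, size=CHUNK):
    """Yield an in-memory byte string in pieces, the way a file would be read."""
    for offset in range(0, len(data), size):
        yield data[offset:offset + size]


def verify(acquisition_record, image):
    """Recompute the digests and compare with the acquisition record.

    Returns (ok, report). A mismatch means the image no longer matches what was
    acquired: something wrote to the image, the medium has errors, or this is
    the wrong file. The cause must be established before the image is relied on.
    """
    current = hash_image(chunked(image))
    report = {alg: {"recorded": acquisition_record[alg], "current": current[alg],
                    "match": acquisition_record[alg] == current[alg]}
              for alg in ("md5", "sha256")}
    return all(r["match"] for r in report.values()), report


def demo():
    """Clean verification, then the same image with a single flipped bit."""
    image = bytes(range(256)) * (3 * 4096)          # constructed 3 MiB stand-in for an image file
    record = hash_image(chunked(image))              # values the acquisition report would carry
    ok_clean, _ = verify(record, image)
    altered = bytearray(image)
    altered[2_000_000] ^= 0x01                       # one bit, two million bytes in
    ok_altered, report = verify(record, bytes(altered))
    return ok_clean, ok_altered, report
```

In practice the recorded values come from the acquisition tool's log and the image is read from disk in CHUNK-sized pieces; the comparison is the same, and a single flipped bit anywhere in gigabytes of data changes both digests completely.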
Purpose of each of the following folders and potential evidence it might contain
This folder holds files that have been deleted but not yet permanently removed. They are no longer needed for use, but the system keeps them so that they can be restored if needed later. It may hold documents that the suspect deleted from other folders or partitions of the hard disk, such as records of transactions, reports, draft reports, letters or memos.
“C:\Program Files” directory:
The Program Files directory contains the installed application programs, such as office suites and other software. It shows which applications the suspect had installed and mostly used, which aids the general reporting and gives a starting point for the investigation.
This folder contains everything stored on the computer's desktop. As with the other folders, the information found here may include reports, memos or any other documents saved there.
The folder named above is used to store documents. It contains the documents saved there by the user, as well as files that applications save there by default.
Examination of the document in order to determine its owner
To determine the owner of the spreadsheet, the first thing to check is the author name associated with it. Although the name gives a lead, it is not proof that would withstand a legal challenge in court, since it is taken from the user's application settings and can be edited. It is therefore necessary to determine when the spreadsheet was created and then to consult the system logs to identify which account was logged into the system at that time. The account logged in at the time of creation identifies the likely author; the file metadata gives both the time of creation and the name recorded as creator, and the two sources must agree.
Metadata and its importance in computer forensics
Metadata is information about data, in other words data about data (Carvey, 2005). It describes both the containers of data and individual instances of data.
Metadata is important to computer forensics because it indicates the environment and particulars associated with any data; the contents and quality of data can be judged from its description. Examples are the language in which data stored in a database is written, the tools that were used to create files, and when the files were created and last modified. Metadata also carries information about rights and administrative access to documents and data, which is useful in determining who had access to data at a particular time (Carvey, 2005).
Report on the spreadsheet
Upon investigation of the suspect's computer, having obtained his consent, a spreadsheet document was recovered from one of the folders. The spreadsheet document was created with Microsoft Office Excel, version 2007. On opening the document, information regarding the distribution of explosives was found. Some entries were marked pending while others were marked delivered. It was noted, however, that the location of delivery was not indicated against each entry. One striking discovery was that one entry indicated that a consignment of explosives had been delivered, and the particulars of the explosives in question match those seized from the terrorist suspect who had been arrested earlier in the week. Investigations were carried out to determine the owner of the document and the time it was created. This was done by checking the file metadata, which contains a description of the data contained in the file. System logs were also checked to verify who was logged in at the time the file was created. This investigation revealed that at the time the file was created, and at every other time it was updated, Mr. Roberts was logged in to the system. The file metadata also showed that the spreadsheet document is owned by Mr. Roberts. To this point, it is my subjective assessment that Mr. Roberts created and managed the document.
Difference between expert and fact witness
An expert witness is admitted by virtue of proven skill or education in a particular field; the expert is taken to have knowledge of that field beyond the comprehension of an average individual and can therefore offer a reliable scientific or technical opinion on the matter. A fact witness, on the other hand, testifies only to things seen, heard, touched, smelled or tested. No expertise in any field is needed to testify as a fact witness.
Expert witnesses are important in this case because the evidence that will largely be relied upon comes from the expert. Fact witnesses play little role here, because electronic and digital information can be changed without anyone seeing it, and the other senses on which factual witnesses depend play little part.
Importance of looking at the jury when answering questions
Facial expressions play an important role in how a person's level of knowledge is judged. Facing the jury not only helps them gauge how much confidence to place in the expert, it also increases their confidence in whatever is said. Direct eye contact while speaking signals that the expert witness has a deep understanding of what is being expressed.
Reason for challenges faced in testifying on digital evidence
Many lawyers and judges are not familiar with computer technology. Evidence that traditionally carried great weight in a court of law could be seen with the naked eye; digital evidence cannot. It therefore becomes difficult to explain to the jury the meaning of the terms used in the reports presented, as well as how some of the technologies work.
Answer to question about blogs posed by the defense lawyer
To insinuate that my political opinions about the government and the governance of this country influenced my judgement is totally misplaced. I simply reported what I found in the system. The same facts can be attested to by any other expert if another investigation is done. System logs will always show changes that are made in the systems at any particular time. Any attempt to change any document, including the system logs themselves, will always be recorded in the system logs. That is what I used in my reporting. In addition, my professional code of ethics, as well as my own moral principles, does not allow me to use my knowledge to wrongly disadvantage others.
Carrier, B. (2005). File system forensic analysis. New York, NY: Addison-Wesley.
Carvey, H. (2005). Windows forensics and incident recovery. New York, NY: Addison-Wesley.
Casey, E. (2004). Handbook of computer crime investigation: Forensic tools and technology. Academic Press.
Kruse, W. & Heiser, J. (2002). Computer forensics: Incident response essentials. New York, NY: Addison-Wesley.
Vacca, J. (2002). Computer forensics: Computer crime scene investigation. Charles River Media.