According to US-CERT (2008), computer forensics is a discipline that combines elements of law and computer science to collect and analyze data from computer systems, wireless communications, networks and storage media in a manner that a court of law treats as admissible. Similarly, Rouse (2007) describes it as the use of computer analysis and investigation techniques to collect evidence suitable for presentation in a court of law. Its main goal is to carry out a planned investigation while maintaining a well-documented chain of evidence, so as to establish exactly what happened and who is accountable. In essence, it is the use of computers to search for, collect, preserve and analyze the information on computer systems so that potential evidence is found and can be used at trial. Forensics, in general, is the application of scientific knowledge to collect, analyze and present evidence to the courts; computer forensics principally deals with the recovery and analysis of latent evidence (US-CERT, 2008). Computer forensics is therefore the method of identifying, preserving, analyzing and presenting digital evidence in a way that is legally acceptable. Basically, it is the application of computer investigation and analysis techniques to ascertain potential legal evidence.
Even though there are no universally accepted steps for gathering forensic evidence, the steps commonly followed are acquisition, identification, evaluation and presentation. Acquisition entails tracking or observing a live intruder. It is during this stage that the extent of the live intrusion is assessed and evidence is preserved for the court. Basically, the investigator remotely or physically obtains possession of the computer, all network mappings from the system, and any external storage devices, so that identification can follow (Carrier, 2006).
After acquisition, identification follows. It is at this step that the data that can be recovered is identified. This is very crucial in computer forensics if the data is to be admissible in court. This step also allows data to be retrieved by running various forensic and software tools; it is such data that is pertinent for presentation. Basically, the step allows technical analysis to be undertaken. It permits the evidence to be analyzed in its physical context, its logical context, and its use or presentation context. The identification step also gives the examiner room to offer an opinion supporting the relevance of the findings. Basically, after the computer has been physically isolated, a digital copy of the hard drive is made. Once the digital copy is made, it should be locked in a secure place so that its pristine condition is maintained. In essence, the step is also crucial for content extraction, for examining transactions, and for making comparisons against known data (Doherty and Liebesfeld, 2008).
The evaluation step is equally crucial while gathering forensic evidence. It entails evaluating the data or information recovered to establish if and how it can be used against the suspect for prosecution in court. It allows the relevance of the findings to be determined and their presentation to be prepared. Equally, the step gives room for evaluating chain-of-custody problems. The last step is presentation, which is crucial for presenting the evidence discovered.
In essence, the steps that should be followed are acquisition, identification, evaluation and presentation. This recommendation is the most efficient, since the steps enable data or evidence to be collected and analyzed in a manner that guarantees admissibility in court. For instance, the acquisition step facilitates tracking of the intruder and assessment of the degree of live intrusion so that the evidence is later preserved for presentation in court. Similarly, the identification step permits data retrieval by running various forensic and software tools. It is at this step that the technical analysis is undertaken. Analysis is undertaken in the physical context, the logical context, and the use or presentation context, which is crucial for validating the information gathered. The evaluation and presentation steps are also very crucial to the whole process, because the data cannot be admissible in court unless the information recovered is thoroughly evaluated. Without this step, the relevance of the findings cannot be determined, and it is at this step that chain-of-custody problems can be evaluated. Therefore, the recommended steps are acquisition, identification, evaluation and presentation. These steps allow forensic investigators to collect evidence in a way that is legally admissible in a court case (Doherty and Liebesfeld, 2008).
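The two preservation requirements described above, keeping the digital copy of the drive pristine and keeping a chain of custody that can be evaluated later, can be demonstrated in code. The following is an added example, not part of the essay or any tool it cites; the "image" bytes, custodian names and timestamps are constructed sample data.

```python
"""Added example: hash-verify an acquired image and keep a tamper-evident
chain-of-custody log. Standard library only; all data below is constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field


def image_digest(data: bytes) -> str:
    """SHA-256 of the acquired image, recorded at acquisition and rechecked later."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    """Each log entry hashes over the previous entry, so that an altered or
    removed entry breaks the chain and the gap in custody becomes visible."""
    acquisition_hash: str
    entries: list = field(default_factory=list)

    def add(self, custodian: str, action: str, when: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        body = f"{prev}|{when}|{custodian}|{action}".encode()
        entry = {"when": when, "custodian": custodian, "action": action,
                 "prev": prev, "entry_hash": hashlib.sha256(body).hexdigest()}
        self.entries.append(entry)
        return entry

    def chain_intact(self) -> bool:
        prev = self.acquisition_hash
        for e in self.entries:
            body = f"{prev}|{e['when']}|{e['custodian']}|{e['action']}".encode()
            if e["prev"] != prev or hashlib.sha256(body).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_image(data: bytes, record: CustodyRecord) -> bool:
    """The working copy is pristine only if it still hashes to the acquisition value."""
    return hmac.compare_digest(image_digest(data), record.acquisition_hash)


# Constructed stand-in for a bit-for-bit drive image.
SAMPLE_IMAGE = b"\x00" * 512 + b"sample sector data" + b"\xff" * 512


def demo() -> tuple:
    """Returns (pristine copy ok, altered copy ok, chain ok after log tampering)."""
    record = CustodyRecord(image_digest(SAMPLE_IMAGE))
    record.add("analyst A", "acquired image, sealed in evidence locker", "2012-10-05T09:00Z")
    record.add("analyst B", "checked out for analysis", "2012-10-06T10:30Z")
    untouched = verify_image(SAMPLE_IMAGE, record)
    altered = verify_image(SAMPLE_IMAGE[:-1] + b"\x00", record)  # one byte changed
    record.entries[0]["custodian"] = "someone else"               # log entry edited
    return untouched, altered, record.chain_intact()
```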
There are laws that govern the seizure of evidence. According to US-CERT (2008), anyone overseeing network security must be aware of the legal implications of forensic activity. There are laws that restrict the examinations analysts may carry out, laws that restrict network monitoring, and restrictions on the reading of personal communications. Equally, there are laws that limit the amount of information that can be seized. For instance, the UK's Computer Misuse Act of 1990 legislates against unauthorized access to computer material. There is also the US Electronic Communications Privacy Act, which protects privacy and limits investigators' interception of communications and access to evidence. Thus, these laws provide protection against unreasonable search and seizure and against self-incrimination (US-CERT, 2008).
Carrier, B. D. (2006). Basic Digital Forensic Investigation Concepts. Retrieved 5th October, 2012 from http://www.digital-evidence.org/di_basics.html
Forensic Toolkit: Recognized around the World as the Standard in Computer Forensics Software. Retrieved 5th October, 2012 from http://accessdata.com/products/digital-forensics/ftk
Richard III, G. G. & Roussev, V. (2006). Next-Generation Digital Forensics. Communications of the ACM, 49(2), 76-80.
Rouse, M. (2007). Computer Forensics. Retrieved 5th October, 2012 from http://searchsecurity.techtarget.com/definition/computer-forensics
US-CERT. (2008). Computer Forensics. Retrieved 5th October, 2012 from http://www.us-cert.gov/reading_room/forensics.pdf