
Digital Forensic Research Paper


Digital Forensic Methodology

Digital forensics refers to the collection of evidence from a computer for use in a court of law. Since a computer can be used to commit a crime or can itself be the target of a crime, the digital forensics methodology defines the processes involved in the collection, analysis, and presentation of evidence obtained from a computer (Garfinkel, 2010). The methodology is applied in a range of scenarios, including cases of computer fraud, data breaches, and other cyber-attacks. Khaleel (2017) identifies the high volume of data as one of the issues that can arise while the methodology is being carried out. The phases of the digital forensics methodology are preparation, extraction, identification, and analysis.

The first processes in the digital forensics methodology are the preparation and extraction of the evidence (Carroll, Brannon, and Song, 2008). They begin with the identification of the scenario from which the evidence is to be collected. The preparation stage involves selecting the tools and techniques that will be used to collect evidence from the computer, and the extraction stage is the collection of the digital evidence itself. Once the scenario has been identified, those conducting the digital forensics must confirm that the devices they will use to collect the data are working properly. The collection of digital evidence involves creating an image of the device from which the evidence is obtained. The next step is confirming the integrity of the data obtained from the device, so that data which has been tampered with in order to influence the outcome in court is not collected. Once the data has been extracted, the examiners label the evidence and prepare it for the next stage, identification. Before proceeding, they may search the devices for additional evidence; when no additional evidence is found, the identification stage begins.

The identification stage of the digital forensics methodology involves examining the evidence collected in the previous stage (Carroll, Brannon, and Song, 2008). The collected data that is relevant to the scenario being investigated is separated from the rest of the data and recorded. In some cases, the examiners find data that is not relevant to the scenario being investigated but that nonetheless contains incriminating evidence which widens the scope of the case. In such cases, the examiners have to repeat the preparation and extraction processes. The evidence examined in the identification stage may be sufficient for use in a court of law. In other cases, however, the evidence is not enough, and this prompts the examiners to begin the analysis stage.

The analysis stage involves a detailed examination of the data in order to draw a conclusion from the evidence collected (Carroll, Brannon, and Song, 2008). In this stage, the examiner answers questions that support a more detailed conclusion about the evidence. Examples of the questions answered during this stage include who was responsible for the data, where the data originated, and when the individuals responsible for the data accessed it. The examiner also determines the relationship between the collected evidence and the scenario for which it was collected. As in the previous stage, when additional information is identified here, the examiners have to return to the preparation and extraction stages. After the analysis stage is complete, the examiners proceed to the reporting stage, where the evidence that was analyzed is documented and prepared for presentation in a court of law.

Importance of Forensic Tools

Various forensic tools are used to collect and analyze evidence concerning a given scenario. Forensic tools can be classified as persistent data tools or volatile data tools. One example of an activity performed by forensic tools is the creation of an image of the device from which the evidence is to be obtained. Tools used to collect data stored on the device are classified as persistent data tools, while tools used to retrieve and image data that was not saved on the device are classified as volatile data tools. With many forensic tools available, choosing the right one requires consideration of several factors, including the scenario in which the tool will be used, the output required from it, and the skill level of the examiner who will use it. Common forensic tools used in digital forensics include Forensic Toolkit (FTK) and EnCase; others include the SANS Investigative Forensic Toolkit, The Sleuth Kit, and Xplico. Each of these tools has its own advantages and disadvantages when used to conduct digital forensics.

Hibshi, Vidas, and Cranor (2011) note that the applications of forensic tools are not limited to the collection and analysis of evidence for use in a court of law. Other applications they note include data recovery, debugging, and reverse engineering of applications for private use. EnCase is one of the most common forensic tools applied in criminal investigations. A noted benefit of this tool is that it can be used by the various departments involved in an investigation, such as computer forensic examiners, narcotics units, and white-collar crime units. This ability to support the different sectors involved in an investigation is one of the benefits of EnCase; another is its ability to produce reports of the investigation in various formats. While collecting and analyzing data, EnCase addresses the different components of the generated image, which in some cases results in the discovery of new incriminating evidence unrelated to the original scenario. Another common forensic tool is the Forensic Toolkit (FTK). A benefit of FTK is that it is a volatile data tool, which means that it is capable of analyzing data that might have been deleted. Like EnCase, FTK can save its output in different formats. Most forensic tools provide examiners with an easy-to-use interface that reduces the work involved in forensic data collection and analysis. Forensic tools are also able to decrypt most devices that contain encrypted information. Another major benefit of forensic tools is their support for data filtering, which allows examiners to look for specific data in the images of the devices.

Hashing in Digital Forensics

Hashing in digital forensics involves the use of hash functions to perform various actions during the digital forensics methodology. Different hash algorithms are supported by different operating systems. Examples include MD5, which is supported by the Windows operating system, and the SHA1 algorithm, which is supported by the Mac operating system. The Linux operating system supports various hash algorithms, including SHA2-256, SHA2-512, SHA3-256, and SHA3-512. In some instances, the disk image created from a device is very large, which can hinder efficient results from the forensic methodology. To keep the information obtained from the methodology manageable, hash sets are created to reference the various parts of the disk image (Ruback, Hoelz, and Ralha, 2012). The creation and management of hash sets is supported in the Windows operating system but not in the Mac operating system.

Hashing is applied in digital forensics in several ways. One use is searching for files and data in a disk image using hashes and hash sets; the benefit is that searching for files and data in large disk images becomes faster. Another application is the use of hash sets to filter the data in the disk image. This process, known as hash elimination, is supported in the Windows operating system but not in the Mac operating system. A major application of hashing in digital forensics is comparing different files in the disk image, which is useful in two ways. First, identifying identical files and objects in the image makes it possible to remove duplicates. Second, a file can be verified against the original file. A hash is a form of digital fingerprint that can be used to determine whether two files are identical. Just as two individuals are unlikely to have identical fingerprints, two files that are not identical are unlikely to produce the same hash. When digital evidence is to be presented in a court of law, hashing is particularly important: the original files obtained from the devices involved in the crime must be hashed, and so must the files analyzed from the created image. This verifies that the evidence obtained from the disk image was not modified in any way.
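The three uses described above (hash elimination against a known-file hash set, duplicate detection, and verifying a copy against the original) worked through in Python. This is an added example, not code from the paper or from any of the tools it names; the file contents and the "known good" set are constructed stand-ins for what a real image and a reference hash set (such as an NSRL-style set) would provide.

```python
import hashlib
from collections import defaultdict

# Constructed sample "files" recovered from a disk image (path -> content).
# Contents are made up for the example.
RECOVERED_FILES = {
    "Windows/System32/notepad.exe": b"known-os-binary-bytes",
    "Users/alice/notes.txt": b"meeting at 9pm, bring the drive",
    "Users/alice/notes (copy).txt": b"meeting at 9pm, bring the drive",
    "Users/alice/ledger.xlsx": b"Q3 transfers: 12000 14000 3100",
    "Program Files/app/README.txt": b"vendor readme",
}

# Constructed stand-in for a reference hash set of files that ship with the
# OS or common software and therefore need no examination.
KNOWN_GOOD_CONTENTS = [b"known-os-binary-bytes", b"vendor readme"]


def sha256_hex(data: bytes) -> str:
    """Digital fingerprint of a file's content."""
    return hashlib.sha256(data).hexdigest()


def build_hash_set(contents) -> set:
    """Hash set: the set of fingerprints of the reference files."""
    return {sha256_hex(c) for c in contents}


def hash_elimination(files: dict, known_good: set) -> dict:
    """Filter out every file whose fingerprint is in the known-good set."""
    return {p: c for p, c in files.items() if sha256_hex(c) not in known_good}


def find_duplicates(files: dict) -> dict:
    """Group paths by fingerprint; keep groups holding more than one path."""
    groups = defaultdict(list)
    for path, content in files.items():
        groups[sha256_hex(content)].append(path)
    return {h: sorted(ps) for h, ps in groups.items() if len(ps) > 1}


def verify_copy(original: bytes, copy: bytes) -> bool:
    """True only if the copy's fingerprint matches the original's."""
    return sha256_hex(original) == sha256_hex(copy)


if __name__ == "__main__":
    remaining = hash_elimination(RECOVERED_FILES, build_hash_set(KNOWN_GOOD_CONTENTS))
    print("files left to examine:", sorted(remaining))
    print("duplicate groups:", find_duplicates(remaining))
```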

Protecting Collected Evidence

Ensuring that the collected evidence has not been tampered with after collection can be achieved in several ways. One of the most common is maintaining a chain of custody for the evidence. The chain of custody records every individual who handles the evidence from the moment it is collected until it is presented before a court of law. When a proper chain of custody is maintained and everyone who handled the evidence is recorded, the evidence can be considered to have kept its integrity from collection to presentation in court. Another method of maintaining the integrity of the collected evidence is disk imaging. In disk imaging, the forensic examiners create a copy of the original disk and then perform their analysis on the copy. One purpose of creating a disk image is to ensure that the contents of the original disk are not altered; another is to ensure that even if errors occur while working on the image, the original disk is not modified. The creation of a disk image therefore serves as a method of ensuring that the evidence is not tampered with after collection.

The creation and management of hashes and hash sets can also be used to confirm that the evidence has not been tampered with after collection. As noted above, different files are unlikely to have the same hash. Therefore, if the evidence is modified at any point between collection and presentation in court, hashes can reveal that it was modified, because altering the file produces a hash that differs from the hash of the original. Hence, in addition to providing authentication of the file, hashing also ensures its integrity. Shah, Saleem, and Zulqarnain (2017) note that evidence can be tampered with by individuals who are not involved in the forensic methodology. They therefore propose that the forensic examiners who analyze the evidence be issued authentication and authorization cards. Another suggestion for preventing tampering with collected digital evidence is the creation of a digital chain of custody that is attached to the evidence (Shah, Saleem, and Zulqarnain, 2017). Evidence that has been tampered with can influence the decision of the court and lead to wrongful convictions. To avoid this, the integrity of the evidence must be verified.
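One way to realise the "digital chain of custody attached to the evidence" described above: each custody record carries the hash of the evidence image and the hash of the previous record, so that both a modified image and an edited custody record are detectable at verification time. This is an added example, not the scheme proposed by Shah, Saleem, and Zulqarnain; the record layout, the image bytes, and the transfer list are constructed for illustration.

```python
import hashlib
import json

# Constructed evidence image and custody transfers (custodian, action, time).
SAMPLE_IMAGE = b"constructed disk image bytes"
SAMPLE_TRANSFERS = [
    ("Examiner A", "acquired image from seized laptop", "2024-01-10T09:00"),
    ("Evidence clerk", "received sealed drive", "2024-01-10T11:30"),
    ("Examiner B", "checked out for analysis", "2024-01-12T08:15"),
]
GENESIS = "0" * 64  # link value for the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_hash(body: dict) -> str:
    """Hash of a record's fields in a canonical (key-sorted) encoding."""
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def build_chain(image: bytes, transfers) -> list:
    """Each custodian re-hashes the image on receipt and links to the previous record."""
    chain, prev = [], GENESIS
    for custodian, action, when in transfers:
        body = {"prev": prev, "custodian": custodian, "action": action,
                "image_sha256": sha256_hex(image), "time": when}
        body["record_sha256"] = record_hash({k: v for k, v in body.items()})
        chain.append(body)
        prev = body["record_sha256"]
    return chain


def verify_chain(chain: list, image: bytes) -> tuple:
    """Return (ok, reason): checks every link and that the image still
    matches the hash recorded at acquisition."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "record_sha256"}
        if body["prev"] != prev:
            return False, f"record {i}: broken link to previous record"
        if record_hash(body) != rec["record_sha256"]:
            return False, f"record {i}: record altered"
        prev = rec["record_sha256"]
    if not chain or chain[0]["image_sha256"] != sha256_hex(image):
        return False, "image differs from acquisition hash"
    return True, "ok"
```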

References

Carroll, O. L., Brannon, S. K., & Song, T. (2008). Computer forensics: Digital forensic analysis methodology. US Att’ys Bull., 56, 1.

Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7, S64-S73.

Hibshi, H., Vidas, T., & Cranor, L. (2011, May). Usability of forensics tools: a user study. In 2011 Sixth International Conference on IT Security Incident Management and IT Forensics (pp. 81-91). IEEE.

Khaleel, H. H. (2017). Digital forensics articles and research papers. computer, 1.

Reith, M., Carr, C., & Gunsch, G. (2002). An examination of digital forensic models. International Journal of Digital Evidence, 1(3), 1-12.

Ruback, M., Hoelz, B., & Ralha, C. (2012, January). A new approach for creating forensic hashsets. In IFIP International Conference on Digital Forensics (pp. 83-97). Springer, Berlin, Heidelberg.

Shah, M. S. M. B., Saleem, S., & Zulqarnain, R. (2017). Protecting digital evidence integrity and preserving chain of custody. Journal of Digital Forensics, Security and Law, 12(2), 12.


Question 


Now that you have learned the basics of digital forensics analyses and methodology and have experienced one of the common forensic tools, use the material presented in this project, as well as research you have conducted outside of the course materials, to write a research paper that addresses the following:

digital forensic methodology
the importance of using forensic tools to collect and analyze evidence (e.g., FTK Imager and EnCase)
hashing in the context of digital forensics
How do you ensure that the evidence collected has not been tampered with (i.e., after collection)? Why and how is it important to prove this in a court of law?