Unraveling Digital Mysteries: The World of Computer Forensics
The Components of a Computer That Should Be Photographed at a Crime Scene
All computer components are involved in data collection after a crime has taken place (Román et al., 2016). Computer components are divided into hardware and software: hardware components are the physical parts of the computer, while software components are the intangible parts, such as computer programs. A computer user accesses the hardware before the software, and the same order applies to crime scene investigations: an investigator collects hardware evidence before collecting software evidence. Hardware evidence requires that photographs be taken. The photographs would include the computer screen, keyboard, mouse, CPU, processor, hard disk, and motherboard. These photographs could be used to identify any physical damage done to the computer.
The environment where the crime happened is also photographed to identify whether there was forced entry (Yanbo Wu et al., 2019). All photographs are used to describe the crime that took place and can be used in a court of law against the offender (Brown, 2015). The photographs can also be used to demonstrate the chain of custody for the evidence in a court of law (Brown, 2015). Photographs of the hard disk are important because they document the state of the hard disk before imaging. Hard disk imaging is used to access and acquire data such as computer files, including system-created files and user-created files. Computer software can also be photographed after the hardware is photographed. These photographs would capture the programs displayed on the computer screen at the time the crime investigator arrived at the crime scene. Such photographs are important in describing the programs that were running, which helps identify what the last computer user was doing on the computer. It would also be possible to identify the user who was last signed into the computer by photographing the screen and capturing the username of the active session. After performing data recovery and acquisition on the hard disk, the recovered data would be compared to the photographs taken of the computer display. Data from the hard disk could include audit logs, which provide an audit trail of the actions performed on the computer. Ideally, the audit logs would provide a detailed explanation of the photographs captured from the computer screen. For example, if the photographs taken of the computer screen indicated that user A was logged in, the audit logs would identify how long user A was logged in and the activities that user carried out. If the photography step is not done thoroughly, the subsequent steps in the crime investigation will not be handled effectively (Yanbo Wu et al., 2019).
Photography in computer forensics is conducted in the evidence collection phase, after crime scene preservation (Román et al., 2016). Evidence analysis is conducted after the evidence collection phase, so the quality of evidence collection has a direct impact on evidence analysis (Román et al., 2016). For example, if hardware components such as the keyboard and mouse were not captured in the photographs, the evidence analysis phase could not assess physical damage to them and would be limited to software damage or exploitation. Such omissions could leave the evidence insufficient to support a court case.
Actions Concerning the Computer in a Cybercrime Scene That Are Emergent and What May Result if Action Is Not Taken Immediately
The first action at a crime scene is to preserve the crime scene. This is done to ensure that everything within the crime scene is intact for evidence identification and collection (Román et al., 2016), and computer forensics is no different. The first step would be to ensure that the computer's physical environment is preserved. It would be important to check whether the computer is still running and to avoid shutting it down, because the hard disk could be encrypted; fully encrypted hard disks are difficult to analyze when powered off (Balogun & Zhu, 2013). Everything within the crime scene should be documented (Román et al., 2016), for example details about the crime, the date of the incident, area details, the person responsible for the computer, contact information, and full name (Román et al., 2016). Technical details would include the IP address of the computer, hard drive capacity and state, computer model, operating system, processor model, RAM capacity, the computer's function, and the digital evidence (Román et al., 2016). Evidence could also be collected by photographing the computer's environment to capture all physical details. All evidence collected would then be categorized into embedded systems, information systems, mobile devices, wireless networks, and others (Román et al., 2016). This phase would follow eight steps: implementing chain of custody, identifying legal environment devices, authorizing research, documenting current computer status, incident response, agreement, hypothesis, and research planning (Román et al., 2016). If these activities are not followed, the evidence collected might not be accepted in a court of law (Brown, 2015), and even if it is accepted, it would not carry the intended weight.
If action is not taken immediately, evidence at the computer crime scene will be tampered with. For example, other people may walk into the crime scene and contaminate evidence such as fingerprints and footprints (Yanbo Wu et al., 2019). Another person might walk in and use the computer, which could disturb the audit trails. The offender could even return and erase evidence, for instance by taking away the hard disk that contains the system files and audit logs. Therefore, an unpreserved crime scene might let the offender go unpunished; in effect, there is no court case for an unpreserved crime scene, as described and evidenced in Brown's (2015) research. Without proper copies of evidence, such as backups and the physical computer components, it would be impossible to complete a computer forensics analysis. The chain of evidence, a crucial part of the forensics process, would lack integrity, nullifying the forensics analysis report.
Some of the activities that could be carried out on a computer to compromise evidence include physically damaging the hard disk, degaussing, overwriting, the file-by-file method, the power tool method, and the whole drive method (Bansal et al., 2016). Physical damage to the hard disk makes it unusable, and data recovery might not be successful. Degaussing also makes the hard disk unusable (Bansal et al., 2016). Overwriting the hard disk ensures that the data previously stored cannot be recovered (Bansal et al., 2016). The file-by-file method deletes specific files and leaves the other files, including software, intact (Bansal et al., 2016); this method could be used to eliminate useful evidence files such as audit logs. The whole drive method formats the hard disk permanently; however, the hard disk remains usable (Bansal et al., 2016). The power tool method removes all data and destroys the hard disk (Bansal et al., 2016). Based on these findings, it is vital to preserve a computer crime scene immediately, before taking any further action (Román et al., 2016). With the crime scene preserved, all evidence can be collected systematically, and the forensics results will be accurate (Brown, 2015).
Why the Hard Disk Drive Component Has the Most Value in a Cybercrime Scene
The most commonly used computer storage over the decades has been the hard disk (Davies & Sutherland, 2010). This storage is mounted on a computer's motherboard, and it stores most of the computer's files, including the operating system. This makes the hard disk a vital component of a computer system. The higher the storage capacity of a hard disk, the greater the number of files stored on it. Therefore, the hard disk becomes the main target for cybercrime within a computer (Bansal et al., 2016). Some of the attacks that can be made on a hard disk are installing malicious software such as viruses, deleting data, undermining data integrity, and physical destruction (Bansal et al., 2016). Since vital computer files are stored on the hard disk, it is important to have the hard disk analyzed during computer forensics. At a crime scene, a computer forensics analyst would identify the type of hard drive attack: physical or software (Bansal et al., 2016). For example, in a physical attack, a hard disk could be broken into pieces, indicating that it was struck hard. Alternatively, a hard disk may simply have worn out, with some of its parts falling apart; this would involve elements such as the head stack and tape and would cause minimal damage to the data (Bansal et al., 2016). Forcefully breaking a hard disk, however, causes much greater damage to the data, and such damage would be the result of cybercrime. Software damage to hard disks would be caused by malware, mis-operation, mis-partition, power outage, and mis-clone (Bansal et al., 2016). A computer forensics analysis would be useful in categorizing the type of software damage at a crime scene to differentiate between an accident and a cybercrime. Extensive data collection and suitable computer forensics tools would yield comprehensive analysis reports.
There are several tools used to analyze hard disks during computer forensics. For example, image acquisition facilitates disaster recovery (Mahajan et al., 2018) and ensures that digital evidence is handled with integrity and can be accepted in a court of law (Mahajan et al., 2018). It is acceptable because replicas of the hard disk are made without tampering with the data on it. The tools used in digital forensics for hard disks include the Tableau Forensic Duplicator, Image MASSter Solo-4, Image MASSter SOLO-4 G3 SLIM, AccessData FTK Imager, and EnCase 7 (Mahajan et al., 2018). Choosing the right tool for analysis is important in ensuring that results reflect the actual scenario. There are notable areas of hard disk forensics where these tools can be used: where a hard disk has been physically destroyed, degaussed, or overwritten (Bansal et al., 2016). However, there are instances where data recovery is difficult. These include cases where files were eliminated using the file-by-file method, where the hard drive was destroyed with the power tool method, and where the whole hard disk has been permanently erased (Bansal et al., 2016).
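The integrity guarantee that image acquisition provides comes from hashing the source stream while it is copied and re-hashing the image afterwards. The following is an added example, not code from the page or from any of the imagers it names (Tableau, Image MASSter, FTK Imager, EnCase); the "drive" is a constructed byte string written to a temporary file, standing in for a write-blocked device.

```python
"""Forensic image acquisition with integrity verification (added example).

Core of what a forensic imager does: read the source block by block,
hash the stream during the copy, then independently re-hash the image
file and compare. A matching digest shows the image is a bit-for-bit
replica; a mismatch shows the image was altered after acquisition.
"""
import hashlib
import os
import tempfile

CHUNK = 4096  # read size; real imagers use far larger buffers

# Constructed sample drive: a fake boot sector, user data, boot signature.
SAMPLE_DRIVE = (b"\x33\xc0\x8e\xd0BOOT"
                + b"user-file:report.docx\n" * 300
                + b"\x55\xaa")


def acquire_image(source_path, image_path, chunk_size=CHUNK):
    """Copy source to image, hashing the bytes as they leave the source.

    Returns byte count plus MD5 and SHA-256 hex digests of the stream.
    Hashing during the copy means the record describes exactly what was
    read, independent of anything that later happens to the image file.
    """
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest()}


def hash_file(path, chunk_size=CHUNK):
    """Independent SHA-256 of a file on disk, used to verify the image."""
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(block)
    return sha256.hexdigest()


def verify_image(acquisition_record, image_path):
    """True only if the image still matches the acquisition-time hash."""
    return hash_file(image_path) == acquisition_record["sha256"]


def demo():
    """Image the sample drive, verify it, then detect a tampered image."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence_drive.raw")
    image = os.path.join(workdir, "evidence_drive.dd")
    with open(source, "wb") as fh:
        fh.write(SAMPLE_DRIVE)

    record = acquire_image(source, image)
    intact = verify_image(record, image)        # expected: True

    # Simulate post-acquisition tampering: overwrite one byte of the image.
    with open(image, "r+b") as fh:
        fh.seek(100)
        fh.write(b"\x00")
    after_tamper = verify_image(record, image)  # expected: False
    return record, intact, after_tamper


if __name__ == "__main__":
    rec, ok, still_ok = demo()
    print(rec, "verified:", ok, "after tamper:", still_ok)
```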
Disk firmware can be used to hinder effective hard disk forensics (Davies & Sutherland, 2010). For example, a cybercriminal could conceal information on a hard disk by manipulating the disk firmware through a control system defect. This would make a computer forensics analysis ineffective unless the analyst is highly skilled and has suitable forensic tools (Davies & Sutherland, 2010). A cybercriminal could also deny forensic access to data by exploiting certain firmware elements (Davies & Sutherland, 2010). Such activities could completely damage a hard drive, making it difficult to recover data for computer forensics (Davies & Sutherland, 2010).
Encryption and Its Concern in a Cyber-Crime Scene Investigation
Encryption is an aspect of information security that is classified under cryptography (Balogun & Zhu, 2013). To encrypt data, a public key is used to encode and decode the data. A public key is basically an algorithm that facilitates data encryption and decryption (Balogun & Zhu, 2013). This makes it difficult for persons without access to the public key to decrypt the data. Encryption is used for information security along with other cryptography and cybersecurity measures (Balogun & Zhu, 2013); therefore, encryption alone cannot fully protect data. Most organizations use encryption, such as full disk encryption, to protect their hard drives (Balogun & Zhu, 2013). According to research, computer forensics on hard drives was easier to conduct before companies adopted full disk encryption (Balogun & Zhu, 2013), meaning that it is more difficult to conduct computer forensics on fully encrypted disks than on non-encrypted ones. On encrypted hard disks, data recovery is possible, but it is difficult to process the data recovered from them (Balogun & Zhu, 2013). Forensic analysts have to be highly skilled in the different encryption types and possess suitable tools for data access and acquisition.
Two types of hard disk data encryption are common: full disk encryption and file system encryption (Balogun & Zhu, 2013). In full disk encryption, data is secured using one symmetric key, while file system encryption uses separate keys. Full disk encryption protects all data areas on the disk drive, including those outside the file system, whereas file system encryption does not secure data outside the file system (Balogun & Zhu, 2013). Full disk encryption protects swap, registry, hidden, and temporary files, and it also protects boot sector data and file metadata (Balogun & Zhu, 2013). During computer forensics, accessing encrypted hard disks depends on the power level and state of the machine, as well as the encryption technique employed (Balogun & Zhu, 2013). For example, when power is off, it is more difficult to access data on a fully encrypted disk than on a disk using file system encryption. However, it is difficult to access data under file system encryption on a hardware implementation and easier under a software-implemented full disk encryption (Balogun & Zhu, 2013).
Computer forensics analysts have to find ways of accessing and acquiring data from encrypted hard disks (Balogun & Zhu, 2013). For example, with full disk encryption, an analyst would make sure to access the computer system while the fully encrypted hard disk is still powered on (Balogun & Zhu, 2013). A forensics analyst could also try searching for the key used for encryption; the search would include looking for a notepad that may have been used to store the encryption key (Balogun & Zhu, 2013). This approach is traditional and has a low probability of success. Some tools can be used to acquire the encryption key from memory, including F-Response, GMG Systems' KnTList, and MoonSols Windows Memory (Balogun & Zhu, 2013). In full disk encryption, the encryption key is cached from the first encryption task and continues to decrypt data even when powered off (Balogun & Zhu, 2013); therefore, some forensics tools could be used to retrieve the cached encryption key even if the hard disk is powered off. None of the described methods is easy to use, as they require a lot of timing calculations, similar to playing a game of chance (Balogun & Zhu, 2013). Hence, it is extremely challenging to conduct computer forensics on encrypted hard disks.
Restrictions Available to Crime Scene Investigators on the Data Seized While Executing the Warrant
There are restrictions imposed by jurisdictions on various grounds. One example is the distinction between records generated by an operating system and those generated by humans (Brown, 2015). This concerns who created the data on a computer: the operating system or its users. Therefore, during computer forensics, some evidence might not be considered sufficient in a court of law based on the creator of the content (Brown, 2015). For example, changes made by a program might not be placed in the same crime bracket as changes made by a user. However, changes made by a program could be induced by a user causing the program to behave in a particular manner (Brown, 2015), meaning that a jurisdiction could classify the outcome as machine-generated instead of user-generated. Also, metadata is prone to modifications that could mislead crime investigators (Brown, 2015); such modification could include deletion or overwriting. Another challenge is that of system time and differences between time zones (Brown, 2015). For example, a computer whose time is not set properly would display an incorrect time, and emails spanning different time zones could likewise display incorrect times. Such factors could affect the weight of the presented evidence in a court of law (Brown, 2015).
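The audit-log reconstruction described earlier (how long a user was logged in and what they did) only holds up if the timestamps are first normalized for the system clock and time zone problems just described. The following is an added example, not code from the page or from Brown (2015): the log format, the users, and the 7-minute clock skew are constructed for illustration, and every timestamp is converted to UTC and corrected for the measured skew before any session duration is computed.

```python
"""Reconstruct user sessions from an audit log with clock normalisation.

Added example (not from the page). Each log line carries the machine's
local time and UTC offset; the machine was also found, at seizure, to run
7 minutes fast against a trusted time source (assumed value). All times
are converted to true UTC before durations are calculated, so the result
is defensible regardless of the suspect machine's clock settings.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed audit trail from the seized machine (clock set to UTC+3).
AUDIT_LOG = """\
2023-03-04 09:15:02 +0300 LOGON user=alice
2023-03-04 09:20:10 +0300 OPEN user=alice file=report.docx
2023-03-04 10:41:33 +0300 DELETE user=alice file=audit.log
2023-03-04 11:02:45 +0300 LOGOFF user=alice
2023-03-04 11:30:00 +0300 LOGON user=bob
"""
CLOCK_SKEW = timedelta(minutes=7)  # machine clock minus true time (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) "
    r"(?P<event>[A-Z]+) user=(?P<user>\S+)(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one log line into (utc_time, event, user, detail) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
    # Normalise: convert to UTC, then remove the measured skew so the
    # value is true time rather than what the suspect machine believed.
    utc = local.astimezone(timezone.utc) - CLOCK_SKEW
    return utc, m["event"], m["user"], m["rest"].strip()


def reconstruct_sessions(log_text):
    """Return {user: [session, ...]} with start, end, duration, activities.

    A LOGON with no matching LOGOFF is reported with end=None, meaning the
    user was still signed in when the log ends (e.g. at seizure time).
    """
    open_sessions, sessions = {}, {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, event, user, detail = parsed
        if event == "LOGON":
            open_sessions[user] = {"start": when, "end": None,
                                   "duration": None, "activities": []}
        elif event == "LOGOFF" and user in open_sessions:
            sess = open_sessions.pop(user)
            sess["end"], sess["duration"] = when, when - sess["start"]
            sessions.setdefault(user, []).append(sess)
        elif user in open_sessions:
            open_sessions[user]["activities"].append((when, event, detail))
    for user, sess in open_sessions.items():  # still logged in at log end
        sessions.setdefault(user, []).append(sess)
    return sessions


if __name__ == "__main__":
    for user, sess_list in reconstruct_sessions(AUDIT_LOG).items():
        for s in sess_list:
            print(user, s["start"].isoformat(), s["end"], s["duration"],
                  [e for _, e, _ in s["activities"]])
```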
Another factor that could affect the admission of evidence from a computer crime is the requirement to prove both the criminal act and the criminal intent of the offender (Brown, 2015). Without such proof, crime scene investigators cannot establish that an offender is guilty of committing the crime (Brown, 2015). Also, for digital crimes, there has to be a connection between the electronic device and the offender actually sitting behind it, meaning there has to be both direct and circumstantial evidence (Brown, 2015). In a case where an offender steals electronic material, the offender has to be caught in possession of the material, which would ideally be done by the police (Brown, 2015). There also has to be proof that the offender had knowledge of the electronic material and intended to have it (Brown, 2015). However, the challenge in proving software crime is that an offender could cause a program to perform illegal actions and then claim ignorance (Brown, 2015). For example, a programmer could cause software to perform money laundering and insist that it could have been a bug. This could be argued as a warrant's scope being exceeded (Brown, 2015). In cases where a computer system user caused a program to act in a particular manner, it could be argued that anything else within the network could have caused the action. For example, authentication issues could be raised in a document creation or amendment crime: it could be argued that an intruder accessed the computer through the firewall (Brown, 2015). This would require more proof before the offender could be found guilty.
The process of acquiring and preserving evidence could also be challenged in a court of law (Brown, 2015). A defense lawyer could argue that the chain of custody for the evidence was not adequately preserved, rendering the evidence unreliable. Therefore, evidence collected from an electronic device should appear in court exactly as collected (Brown, 2015). The physical electronic material presented in court must also be proven to be identical to the material found at the crime scene. In cases where changes are said to have been made on a computer, proof of the computer program's competency is required (Brown, 2015). All these challenges make it difficult for crime scene investigators in computer forensics to provide sufficient evidence in a court of law, meaning that not all offenders are punished for their crimes (Brown, 2015). These legal loopholes should be re-evaluated to ensure that no digital offenders go unpunished.
References
Balogun, A. M., & Zhu, S. Y. (2013). Privacy Impacts of Data Encryption on the Efficiency of Digital Forensics Technology. International Journal of Advanced Computer Science and Applications, 4(5), 36-40. Retrieved from https://www.researchgate.net/publication/259240078_Privacy_Impacts_of_Data_Encryption_on_the_Efficiency_of_Digital_Forensics_Technology
Bansal, A., Agrawal, A., Sankhla, M. S., & Kumar, R. (2016). Computer Forensic Investigation on Hard Drive Data Recovery: A Review Study. IOSR Journal of Computer Engineering, 18(5), 39-42. Retrieved from https://www.iosrjournals.org/iosr-jce/papers/Vol18-issue5/Version-2/F1805023942.pdf
Brown, C. S. (2015). Investigating and Prosecuting Cyber Crime: Forensic Dependencies and Barriers to Justice. International Journal of Cyber Criminology, 9, 55–119. Retrieved from https://www.cybercrimejournal.com/Brown2015vol9issue1.pdf
Davies, G., & Sutherland, I. (2010, May). Hard Disk Storage: Firmware Manipulation and Forensic Impact and Current Best Practice. Paper presented at ADFSL Conference on Digital Forensics, Security and Law, Embry-Riddle Aeronautical University. Retrieved from https://core.ac.uk/download/pdf/227087517.pdf
Mahajan, K. N., Chafale, S. S., Mulik, V. G., Pawade, V. S., & Kulkarni, K. V. (2018). Importance of Forensic Image of Hard Disk Using Different Forensic Tools By Preserving The Integrity of Digital Evidence. International Journal of Advance Engineering and Research Development, 5(1), 272-279. Retrieved from http://www.ijaerd.com/papers/finished_papers/Importance%20of%20Forensic%20Image%20of%20Hard%20Disk%20Using%20Different%20Forensic%20Tools%20ByPreserving%20The%20Integrity%20of%20Digital%20Evidence-IJAERDV05I0187660M.pdf
Román, R. F., Mora, N. M., Vicuña, J. P., & Orozco, J. I. (2016). Digital Forensics Tools. International Journal of Applied Engineering Research, 11(19), 9754-9762. Retrieved from https://www.researchgate.net/publication/319332701_Digital_Forensics_Tools
Yanbo Wu, Xiang, D., Gao, J. M., & Wu, Y. (2019). Research on investigation and evidence collection of cybercrime Cases. Journal of Physics: Conference Series, 1176, 1-6. Retrieved from https://iopscience.iop.org/article/10.1088/1742-6596/1176/4/042064/
Question
Do you know what the term computer forensics means? Many people do not, nor do they understand the techniques involved in finding and obtaining evidence. Computer forensics is part of digital forensic science, and the goal for the investigator is to examine forensically with the goal of identifying, obtaining, and analyzing digital information. Depending upon the skill of the investigator, the limit to analyzing electronic data is limitless. As with experience, the more skilled one is with computers, the application of software, and digital data, the more knowledgeable the investigator will be with his or her exploration of evidentiary data.
Reflect for a moment on your computer devices and your knowledge of how they operate, and think about how and what you might recover as evidence.
In a 10–12-page paper, discuss the following topics:
Identify the components of a computer that should be photographed at a crime scene, and explain why.
Upon entry into a cybercrime scene, explain actions concerning the computer that are emergent and what may result if you do not take action immediately.
The hard disk drive on a computer contains the data stored in and by that computer’s use. Why does that component have the most value in a cyber crime scene?
Secure Hash Algorithms (SHA) cut up and compartmentalize data in an encrypted file, making them hard to access. What is encryption, and why is it a concern in a cyber-crime scene investigation?
Warrants for the content of a hard drive are normally restricted to the relationship of evidence to the crime being investigated. What restrictions are there for crime scene investigators on the data seized while executing the warrant?