Digital Investigation: Evidence Collection, Analysis, and Computer Use Policies


Digital crime investigations involve the collection of digital devices and their analysis to link them with a specific criminal activity or perpetrator. Courts require that such evidence be collected and analyzed, and that the results be interpreted, according to written guidelines. Investigation procedures that do not follow such guidelines make the evidence inadmissible in court. Various protocols and tools have been developed to support the principles of an investigation by simplifying evidence collection, analysis, reporting, the chain of custody, and documentation. In order to conduct a successful digital crime investigation, the investigator should be able to follow the set procedures; understand the crime-evidence relationship, the policies of electronics use, the chain of custody, and documentation; use advanced tools in their work; and finally present the evidence in court.


Steps to Make Electronic Evidence Admissible in Court

Just like any other piece of evidence, electronic evidence requires careful handling for it to be admissible in court. Careful handling of such evidence is a necessity throughout the process, from the collection phase to its presentation in court. Various electronic forensic experts provide their services at different steps of the process to make the evidence admissible in court (Scheindlin, Capra, & Sedona Conference (Organization), 2009). Electronic evidence includes both the hardware and the software. In order to make any piece of electronic evidence admissible in court, various steps are followed. These steps include the collection of digital devices, the digital gathering of the evidence, analysis of the evidence, and quality control (Scheindlin, Capra, & Sedona Conference (Organization), 2009).

Collection of Digital Devices

General best practices for the proper seizing of electronic devices exist, most of which have been developed by such organizations as the NIJ and SWGDE. Digital devices contain vital investigative leads, which can help arrest culprits of various criminal activities (Casey, 2002). Because digital devices are used in so many ways, they can leave a trail of evidence that can be analyzed to unlock multiple leads. In general, the first step in the collection of digital devices is identifying the crime scene and securing it to prevent the destruction of the evidence. The second step entails obtaining approval from the authority to gather the evidence and seize devices. This step also includes gathering important details such as security codes, PINs, and passwords (Casey, 2002). If possible, associated items such as chargers, other auxiliary devices, and manuals should be collected. The third step involves protecting digital devices from extreme environmental conditions whose effects could lower the quality of the evidence.

Mobile Devices

Turning the device off should be the first step after a mobile device is collected. The practice helps preserve vital information such as call history and stops the usage of the device. Additionally, the practice prevents incidents of remote manipulation of the device that could happen without the knowledge of the investigator. The second step is to disconnect the mobile device from its cell tower. This can be done by placing the device in a Faraday bag. The Faraday bag should not have any static electricity properties, the effect of which on the device may interfere with the digital information stored in it. Therefore, it is inappropriate to place the device in a plastic Faraday bag. It is not advisable to access the information within the mobile phone at the scene of collection (Jahankhani, Watson, & Me, 2010). However, if it is imperative to read the information when life is under threat, appropriate documentation practices should be adhered to. The third step involves taking the devices to the laboratory for analysis. The investigator needs to give specific details of the required data, images, videos, text, or audio information.

Computers and Equipment

The first responders have a duty to ensure that all digital evidence present in computers is saved and unaltered. Consequently, the first step in the collection of computers is to record the activity going on in the computer or any of its auxiliary devices at the crime scene. In this step, it is important to consult a computer forensic expert to avoid the loss of any digital evidence. The second step is to collect computer devices as well as any other equipment that can communicate with a computer, for example, cameras and printers (Casey, 2002). The investigator may consider turning the computer off according to the user’s guide. Some electronic evidence can be collected by digital means using special facilities. Evidence that can be acquired in this way includes texts, images, and instant messages, among others. Such media can help register the location of the device carrying it.


Analysis of Evidence

The study of digital data is a crucial step that occurs before the presentation of evidence in a court. Interpretation of digital data is carried out in the lab by qualified specialists.

Evidence Analysis Experts

Successful analysis of the digital evidence should be carried out by experts with special training. Different realms of electronic evidence should be investigated by individuals with corresponding qualifications to ensure success (Bryant, 2008). The first responders should have adequate training in data seizing techniques in order to protect the digital data in the evidence. Investigators need to have the proper training to help explore the digital evidence. Since a single investigator may not have all the necessary competencies, different forms of digital evidence require the deployment of a specific forensic team for successful analysis. Property crimes, for example, require the input of different experts than terrorism crimes do (Brown, 2010). Therefore, different forms of digital evidence should be analyzed by specific experts to make it admissible in court.

Laboratory Analysis

In the laboratory, the digital evidence is examined by an expert. Laboratory analysis is a stepwise process. The first step is to prevent contamination. This is handled by the collection office, where electronic copies are stored on clean media. The second step is the isolation of wireless devices to stop any communication with other connected devices (Bryant, 2008). The third step is the conversion of the data into a read-only format, using software to block any data change. The fourth step is to extract the data using a method that is specifically designed for the device in question. The fifth step is to submit the device for conventional evidence analysis, where such analysis as DNA fingerprinting is done. The last step in laboratory analysis of digital devices is to use data viewing software to help interpret the data and draw a conclusion about it.

Quality Management

Analysis of the digital evidence requires that set quality standards be followed to ensure production of reliable results (Jahankhani, Watson, & Me, 2010). The laboratory and all individuals involved in the chain of custody must follow set guidelines to ensure consistency of results. All undertakings in the investigation process must follow written systems, which define processes and responsibilities at every step of the investigation. A sound quality management system in forensic work strengthens findings of the investigation whenever they are presented in court (Bryant, 2008).

Crimes and Incidents Encountered in Electronic Forensic Investigations

According to Interpol, crimes encompassing the use of computerized equipment can be classified into three classes. These types include attacks on computerized devices and software, financial violations, and abuse. Activities that result in attacks on electronic hardware and programs most often involve network intrusion and the use of malware. On the one hand, an intrusion into a network allows the intruder to access important files and communication without the authorization of the owner (Lilley, 2002). Malware, on the other hand, is installed in electronics to help the system intruder execute various activities of his or her interest. For example, the NSA recognized 50,000 networks that were involved in the installation of malware across the globe in 2013. Various forms of malware provide means for a perpetrator to execute various crimes via electronic devices. Such malware includes viruses, spyware, worms, and Trojan horses, among others. Numerous financial crimes can be perpetrated through electronic devices (Lilley, 2002).

The most common incidents of such crimes include fraud, phishing, and interruption of online financial platforms. Perpetrators of such crimes aim at gaining some unjustified financial advantage at the expense of the real owners of the money. The FBI recognizes that the cyber threat to financial services is ever-growing. The third category is online abuse. This form of crime has recently advanced to include bullying, exploitation, and child pornography, as well as identity theft. It is highly possible to spread child pornography through various websites that do not confirm the age of their users. The US federal law, for example, recognizes child pornography as criminal activity (Thies, 2013). Additionally, social media present an excellent stage for bullying and identity theft offenses.

Security and Machine Use Systems

General security and computer usage policies are intended to guard the business’s affairs and have the following consequences. Firstly, the computer use policy defines the systems included in it. It helps advise users on secure systems that do not present any threat to the users and the users’ files. Systems covered in the use policy include computer communication facilities, networks, and important files. Secondly, security and computer use policies help emphasize the importance of using a computer system for business purposes only (Sarmento, 2005). As a result, employees stay informed that all messages and files are the company’s property. Thirdly, these policies provide the guidelines under which the company’s computer systems can be used for personal purposes by employees. Personal use of the company’s computers that is prohibited in most workplaces includes pornography, travel, stock trading, and social media. Fourthly, computer use policies help prohibit access to confidential information by employees (Sarmento, 2005). Prohibition of access to confidential company information helps protect the business interests of the company; it can also help the company protect itself against spying activities of its competitors. Finally, computer use and security policies help prohibit any unauthorized access to communications between employees of the same company. Such a policy not only promotes a healthy relationship between employees but also helps uphold the integrity of communication.

Techniques to Obtain Evidence from Internet and Web Resources

According to most digital forensic experts, evidence from the internet and web resources is broader than is commonly thought. Such evidence most often helps file cases for clients who have been abused by a specific web user on a specific web platform like Facebook. Experts agree that a picture or a comment itself cannot win a case without additional information to support the claim (Bryant, 2008). As a result, special steps and techniques need to be used in order to give satisfactory information. Copying the web evidence kick-starts the chain of custody. Where the investigator does not know the standard method of copying the online evidence, it is advisable to contract a third party to help copy it without introducing any modifications. Identification of the author of defamatory remarks or threats occurs as a subsequent step. In some cases, the step can be simple if the perpetrator leaves a trail of identifying details (Thies, 2013). However, most cases are complicated because the author of the threat remains unknown. In such a case, the author can only be traced by studying the website, email, or the IP address used while posting the threat. The last step is to obtain evidence that has already been removed from the web. The forensic expert can study the ISP where the threat was first posted and capture the data from the archive using the Wayback Machine of the website.

Several techniques have been developed to help capture the web evidence. The first technique involves obtaining details and web locations from a victim. The victim can help locate the threat by providing the web pages where the threat was posted. The technique helps the forensic expert locate offending details as directed by the client. The second technique is to use the internet search engine to locate the evidence (Bryant, 2008). Google, for example, provides several search options that can help reveal important leads. The technique that enables the application of specific keywords optimizes Google results, which can serve as important leads. The fourth technique is to contact the ISP or the website that provided hosting of the threat. In this technique, the website owner can help identify the author of the material, leading to his or her apprehension. The fifth technique is checking social media platforms through search engines (Sarmento, 2005). It is possible, for example, to check Facebook or Twitter posts through Google without having to be a friend of or follow the suspect on the respective social media platforms.

Evidence Recovered from Computer and Electronic Devices

Electronic devices provide a wide array of items that can be used as evidence. These items can link a suspect to criminal activity, thus assisting the court to obtain a just judgment. Digital evidence that can be used in court includes an address book, showing important details of the suspect’s friends, relatives, and businesses (Scheindlin, Capra, & Sedona Conference (Organization), 2009). This type of evidence provides a means to link the owner of the address book to criminal activity in various locations as indicated in his or her address book. In the same light, a contact list can help establish a network of criminal activities conducted by different individuals. The network can be obtained from contact lists of members of organized criminal gangs. The second type of digital evidence is audio evidence. Audio files can provide invaluable information about criminal activity or even a criminal (Scheindlin, Capra, & Sedona Conference (Organization), 2009). Most criminal gangs have command centers whose information can be available in audio form. Sometimes, the audio file may be in the form of a recorded voice that upon analysis can help isolate the culprit from a group of suspects.

The third class of digital evidence is internet usage. The internet presents a broad spectrum of services, which leave a trace of evidence. The first set of internet usage evidence is browser records. It is possible to access the history of internet browsing activity by checking both the recent and the full history options (Scheindlin, Capra, & Sedona Conference (Organization), 2009). All accessed and logged-in websites can be seen and examined to link the computer device to criminal activity. Internet usage evidence also includes the user’s bookmarks and favorites. These options help show the most important websites or files according to the computer user’s priorities and preferences. They also give leads to the files most often accessed through that specific digital device. Email messages can help trace communication between the suspect and a different individual; an email is also a piece of evidence by itself. The attached files can provide details of activities taking place between suspects by showing the information they share. Additionally, the email database can show various important email addresses.

The fourth type of digital evidence is documents. With the rising advancement of digital technology, it is possible to access vital documents in their digital formats. Such documents as passports and different forms of licenses provide information about the origin and possessions of culprits (Tilstone, Savage, & Clark, 2006). Gun licensing documents, for example, can help link the suspect to a criminal activity allegedly committed by a licensed gun. Documents can also help link the criminal to an event where a crime was allegedly perpetrated.

The fifth type of evidence comes in the form of files. A wide array of files can be used as evidence to help litigate an issue in court. Files that are important in forensic investigations include log files, temporary files, and system files, among others. Log files help indicate how often the device has been in use (Tilstone, Savage, & Clark, 2006). Temporary files help retain important information that could be lost in the event that a device is turned off. Properties of a digital system are provided by system files. Forensic experts often examine different digital files to establish the computer usage, properties, and their capacity to be used in different cases.

The sixth type of digital evidence that is invaluable in investigation processes includes pictures, digital photos, videos, and images (Tilstone, Savage, & Clark, 2006). Pictures can be used to obtain vital locations and plans drawn to assist the perpetration of a crime. Quite often criminals utilize pictures and photos to help them locate their victims or targets. Videos can be used by criminals for various purposes, including training. Videos, once analyzed, can help identify members of a criminal gang in order to apprehend them with ease.


Documentation and the Chain-Of-Custody

Documentation and chain of custody are significant ideas, which cannot be overlooked in the forensic process. Documentation is the means of recording various activities encompassing the forensic process. Documentation plays different roles in forensic investigations, some of which are discussed here. Firstly, documentation records vital steps involved in the investigation process. Since standardized processes have been developed to guide the investigation process, it is important to make entries of investigative activities that take place from evidence collection to the closing of the case (Barrett & Kipper, 2010). It should be understood that flawed documentation protocols weaken the importance of the evidence presented in a specific case. Secondly, documentation provides the basis for future reference. Documentation of forensic processes provides a record of all activities that can always be referred to in the future of a criminal case. Such records are imperative where an audit of a specific case is requested by the court. Thirdly, documentation strengthens the concept of the chain of custody in any case.

The concept of the chain of custody requires that all steps, individuals, or handlers of the evidence be identified before proceeding from one investigative step to the next. It is important to note that the chain of custody cannot be complete without complete documentation of activities and individuals involved in the process (Barrett & Kipper, 2010). A sound documentation standard provides means for recording all steps of the investigation and can also help evaluate the quality of the investigative process. The chain of custody is a concept that helps track the flow of evidence from the point of collection to the point of the determination of the case. The chain of custody is an imperative concept that serves two purposes discussed below (Tilstone, Savage, & Clark, 2006). First, the chain of custody helps protect the integrity of the evidence that could be compromised during forensic investigations. Since all details of the evidence and handlers are recorded in every step of the investigation, it is difficult for any handler to interfere with the quantity or even arrangement of the evidence without drawing the attention of stakeholders. The packaging practices of the evidence prevent any handler from altering or manipulating it, hence protecting the best interests of the judicial system. Secondly, the chain of custody ensures accountability of the evidence handlers (Tilstone, Savage, & Clark, 2006). All undertakings in various steps are recorded along with the names of the evidence handlers, so it is easy to hold different individuals accountable for activities taking place under their authorization. Evidence handlers involved in the transportation, for example, can be easily held accountable for any activity that took place in that step.
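
The custody record described above can be kept in a tamper-evident form. The following is an added example, not taken from the original essay or from any tool it names: each entry records the handler, the action, and a digest of the evidence, and is bound to the previous entry by a hash. The field names, function names, sample handlers, and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS = "0" * 64  # prev_hash used by the first entry in a log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    timestamp: str        # ISO 8601 time of the hand-over
    handler: str          # person taking custody
    action: str           # e.g. "collected", "transported", "imaged"
    evidence_sha256: str  # digest of the evidence at this step
    prev_hash: str        # entry_hash of the preceding entry
    entry_hash: str = ""  # digest over all fields above

    def digest(self) -> str:
        body = asdict(self)
        del body["entry_hash"]
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


def append_entry(log, timestamp, handler, action, evidence: bytes):
    """Record a custody step; the entry is bound to the one before it."""
    prev = log[-1].entry_hash if log else GENESIS
    draft = CustodyEntry(len(log), timestamp, handler, action,
                         sha256_hex(evidence), prev)
    log.append(replace(draft, entry_hash=draft.digest()))
    return log[-1]


def verify_log(log, evidence: bytes):
    """Return a list of findings; an empty list means the chain is intact."""
    findings = []
    prev_hash, prev_digest = GENESIS, None
    for e in log:
        if e.prev_hash != prev_hash:
            findings.append(f"entry {e.seq}: link to previous entry is broken")
        if e.digest() != e.entry_hash:
            findings.append(f"entry {e.seq}: record does not match its hash")
        if prev_digest is not None and e.evidence_sha256 != prev_digest:
            findings.append(
                f"entry {e.seq}: evidence digest differs from entry {e.seq - 1}")
        prev_hash, prev_digest = e.entry_hash, e.evidence_sha256
    if log and sha256_hex(evidence) != log[-1].evidence_sha256:
        findings.append("presented evidence does not match the last recorded digest")
    return findings


def build_sample_log():
    """Constructed sample: three hand-overs of one unchanged image."""
    image = b"constructed sample disk image bytes"
    log = []
    append_entry(log, "2024-01-10T09:00:00Z", "First responder A", "collected", image)
    append_entry(log, "2024-01-10T11:30:00Z", "Courier B", "transported", image)
    append_entry(log, "2024-01-11T08:15:00Z", "Examiner C", "imaged read-only", image)
    return log, image


if __name__ == "__main__":
    log, image = build_sample_log()
    print(verify_log(log, image))                     # intact chain
    log[1] = replace(log[1], handler="Someone else")  # record edited afterwards
    print(verify_log(log, image))
```

A hash chain only exposes edits to individual entries; someone able to rewrite the whole log could rebuild it, so the latest `entry_hash` should also be kept somewhere the handlers cannot change, such as a signed report.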

EnCase Forensic Tools

EnCase forensic tools are compatible with a number of operating systems, including AIX and Microsoft Windows. The use of these tools cuts across investigative methods like transferal of data, duplication, and several other kinds of data handling. The newest variant of the tools is EnCase Forensic 7.05. The version is three times faster than earlier versions without requiring much CPU activity or memory (Widup, 2014). It also has the capability of showing threads of emails, various related conversations, and numerous records concurrently. Additionally, the tool can produce hyperlink-embedded reports. It can also be successfully used to acquire data from compatible tablets.

One of the advantages of using EnCase Forensic 7.05 is its automation capability. The capability helps increase the speed at which the investigation is carried out. EnCase Forensic 7.05 can automate such processes as information extraction, analysis of the hardware, recovery of erased folders, and recovery of partitions. Another advantage of the EnCase tools is their user-friendly nature. The software allows the user to upload raw data and access reports with ease. The third advantage of EnCase forensic tools is that they are comprehensive, offering a friendly user interface that is comfortable and simple to use (Widup, 2014). The tools also have some setbacks that their users experience. One disadvantage is that EnCase tools only display files with a flawed signature without highlighting them. Therefore, it is not easy for the investigator to detect a bad signature in the displayed file. Additionally, EnCase does not support a variety of hashing because it supports only MD5. These shortcomings notwithstanding, the unique features of EnCase tools make it the leader in the digital forensic industry. A package of EnCase Forensic 7.05 costs a minimum of $3,495.


In conclusion, digital evidence provides means to identify perpetrators amongst suspects and can also help win a case in court. However, the versatility of this type of evidence calls for sound standards of collection and handling to be employed. There is a need to classify the evidence according to the various crimes that can be perpetrated via electronics. Software like EnCase Forensic 7.05 can be employed in the investigative process to help address inherent setbacks of the digital evidence. Companies can reduce the incidence of digital criminal attacks by employing sound security policies to guide the usage of their computers by their employees.
