For digital evidence to be admissible in court it is crucial that

For digital evidence to be admissible in court it is crucial that the evidence is not damaged during analysis by a forensic investigator. “If evidence is not collected and handled according to proper standards, the judge may deem evidence inadmissible when it is presented” (Shinder and Cross, 2008) and “for the admissibility of evidence, courts require proof of its authenticity” (Mercer, 2004) and finally, “because even the slightest modification to a file could destroy information that might be important in an investigation, and bring the validity of the data into question” (Shinder and Cross, 2008). However, according to the Association of Chief Police Officers Good Practice Guide for Digital Evidence, version 5, changes to evidence are inevitable because of the need to “gather evidence from a computer whilst its running or in live state” (ACPO, 2012), “therefore changes will be caused by the examiner” (ACPO, 2012). It is very important, then, that a forensic technician should be “fully aware of the impact of their action have and should be prepared to explain their reasons for taking this route” (ACPO, 2012). So, we can draw the conclusion that evidence can still be valid if it is changed, but we must be able to justify why and how it is changed. Unfortunately for digital forensics practitioners, “simply turning a computer on can lead to the modification of hundreds of evidentiary items” (Larry and Lars, 2012) and “untrained individuals commonly make the mistake of turning on a computer and looking for a particular item of evidence. The act of turning on and operating a computer is comparable to trampling on a crime scene” (Casey, 2011).

To make matters worse, switching a machine off can have a devastating impact on potential evidence. The ACPO advise that you “do not close down any programs or shut down the computer, as this will cause changes to the stored data and may trigger wiping software to run, if this is installed” (ACPO, 2012); they advise you to just remove the power lead from the back of the machine, but other material I have read contradicts this. So, switching on a machine can have an effect and switching off a machine can have an effect, so what do we do? In every book I have read on the subject, the same advice comes up over and over again: make a copy of the disk, so that we can investigate the copy without worrying that we are changing the original. Ideally we should make a “physical image”, because this “is a bit-for-bit copy of all the data contained on a device” (Shinder and Cross, 2008). This copy should be made to “forensically sterile” (Shinder and Cross, 2008) media. If the computer is switched on, the first thing we should capture is “the data that is held in temporary storage in the systems memory” (Shinder and Cross, 2008), because this volatile data depends on electric power and will be lost when the machine is shut down. Next we should take a copy of the disk, either through a hardware or software solution depending on whether the machine is off or on. The best option “for making a forensic copy of a hard drive is to remove the hard drive from the computer, connect it to a physical write-blocker” (Larry and Lars, 2012). But sometimes it is not practical to remove the hard drive, because the machine is on, or it is a laptop where the hard drive is difficult to remove. In these cases we should make a “copy of the hard drive using a software write blocking technique” (Larry and Lars, 2012).
It is important to implement “write protection” on the original disk so the “data on the original disk isn’t modified or deleted” (Shinder and Cross, 2008), which could affect its validity as evidence. Finally, we should validate the authenticity of the data through the use of hashing. “Forensic examiners use an algorithm to create a hexadecimal numeric value representing the data set” (Mercer, 2004). This hash could be in MD5 or SHA-1 format, or both. The hash acts as proof that the copy, and therefore anything that is discovered on the copy, is an exact representation of the data stored on the original media.

Word count 707

References

Shinder, L. and Cross, M. 2008. ‘Chapter 15, Collecting and Preserving Digital Evidence’, Scene of the Cybercrime (Second Edition). Available online at sciencedirect.ezproxy.liv.ac.uk/science/article/pii/B9781597492768000157? Accessed online 25/10/2014.

Mercer, L. 2004. ‘Computer Forensics: Characteristics and Preservation of Digital Evidence’, FBI Law Enforcement Bulletin, 73(3), pp. 28-32, National Criminal Justice Reference Service Abstracts, EBSCOhost. Viewed 25 October 2014.

ACPO, 2012. ‘ACPO Good Practice Guide for Digital Evidence, version 5’, Association of Chief Police Officers. Available online at acpo.police.uk/documents/crime/2011/201110-cba-digital-evidence-v5.pdf Accessed online 26/10/2014.

Larry, D. and Lars, D. 2012. ‘Chapter 2, Overview of Digital Forensics’, Digital Forensics for Legal Professionals. Available online at sciencedirect.ezproxy.liv.ac.uk/science/article/pii/B978159749643800002X Accessed online 26/10/2014.

Shinder, L. and Cross, M. 2008. ‘Chapter 8, iPod, Cell Phone, PDA and Blackberry Forensics’, Scene of the Cybercrime (Second Edition). Available online at sciencedirect.ezproxy.liv.ac.uk/science/article/pii/B978159749276800008X Accessed online 25/10/2014.

Casey, E. 2011. ‘Chapter 17, Reconstructing Digital Evidence’, Crime Reconstruction (Second Edition). Available online at sciencedirect.ezproxy.liv.ac.uk/science/article/pii/B9780123864604000175? Accessed online 26/10/2014.

Larry, D. and Lars, D. 2012. ‘Chapter 4, The Foundations of Digital Forensics: Best Practices’, Digital Forensics for Legal Professionals. Available online at sciencedirect.ezproxy.liv.ac.uk/science/article/pii/B9781597496438000043# Accessed online 26/10/2014.
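The post closes on the two technical steps that make a copy defensible: a bit-for-bit image and a hash of both original and copy. The script below is an added example, not part of the original post or any of the cited works. It hashes a file in one pass with both MD5 and SHA-1 (the two formats the post mentions), makes a bit-for-bit copy, records both sets of digests, and then shows that changing a single byte of the image is enough to make verification fail. The "suspect disk" is a constructed temporary file of random bytes, and opening the source read-only is only this program's own discipline; it stands in for, and does not replace, the hardware or software write blocker the post describes.

```python
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB image never sits in RAM


def hash_stream(stream):
    """Digest a readable binary stream with MD5 and SHA-1 in a single pass.

    Examiners often record both values in the acquisition notes; the dict
    returned here is what would be written down alongside the image.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(data):
    """Convenience wrapper for hashing an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def acquire_image(source_path, image_path):
    """Bit-for-bit copy of source_path into image_path.

    Returns the digests of both files so the original and the image can be
    compared. The source is opened read-only, which stops *this* script from
    writing to it, but it is not a write blocker: a hardware blocker (or an
    OS-level software one) is what stops the operating system itself from
    touching the device (journal replay, automount, timestamps).
    """
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            dst.write(block)
    return {"source": hash_file(source_path), "image": hash_file(image_path)}


def image_verified(record):
    """True only if every digest of the image matches the original media."""
    return record["source"] == record["image"]


def demo():
    """Constructed walk-through: a fake 4 MiB disk, an acquisition, then one
    flipped byte in the image. Returns the verification result before and after."""
    with tempfile.TemporaryDirectory() as workdir:
        disk = os.path.join(workdir, "suspect_disk.bin")   # constructed sample
        image = os.path.join(workdir, "suspect_disk.dd")
        with open(disk, "wb") as fh:
            fh.write(os.urandom(4 * 1024 * 1024))

        record = acquire_image(disk, image)
        clean = image_verified(record)

        # The "slightest modification" from the post: alter a single bit of the copy.
        with open(image, "r+b") as fh:
            fh.seek(12345)
            original = fh.read(1)
            fh.seek(12345)
            fh.write(bytes([original[0] ^ 0x01]))

        record["image"] = hash_file(image)   # re-hash the (now altered) image
        tampered = image_verified(record)
        return {"clean_copy_verified": clean, "tampered_copy_verified": tampered}


if __name__ == "__main__":
    print(demo())  # {'clean_copy_verified': True, 'tampered_copy_verified': False}
```

Computing both digests in one read matters in practice: hashing a large drive twice doubles the time the original media spends powered and attached, and a single pass gives the same two values an examiner would record from `md5sum` and `sha1sum`.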
Posted on: Sun, 26 Oct 2014 13:19:50 +0000