Investigating Computer Crimes
If any forensic investigation involves Computer in one way or another, then the investigation is coined as Computer Forensic Investigation. Development of technology from the last two decades is so rapid that it made lot easier for criminals to hide information about their crimes, one advantage enjoyed by investigators is that any type of Computer Crime results in some type of clue and evidence stored on computer but still there are number of Cyber Crimes which requires Computer Forensic investigation, some of them are:
- Unauthorized access
- Property Theft (misuse of information)
- Forgery
- Privacy breach
- Computer fraud.
- Child pornography
Methodology of Forensic Investigation
First and Foremost step of Investigation process is Complaint. Investigation will never going to occur if it remain un-noticed, unless appropriate authorities are not aware of the crime being committed, criminal gets away with crime. There are some fundamental steps involved in forensic investigation,
Preparation (of the investigator, not the data)
Computer Forensic Investigators must be prepared with the tools and procedures used during investigation, these tools include Hardware as well as Software which are used to secure evidence and data.
Collection (the data)
Next important step is to collect damaged data as efficiently as possible, damaged data typically includes deleted files, formatted hard disk, deleted partitions or any other form of electronic storage medium like compact disk, USB drives etc. Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken.
Analysis
This step involves proper examination and evaluation of gathered information. During analysis it is very important that the collected data and information aren't modified in any way, otherwise property of data will change. Therefore it is very necessary to use tools that won't modify data. Chiefly Forensic Analysis consists of manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.
Reporting
After the completion of Analysis, a detailed report is generated enlisting all possible evidences and information. This Report is produced as a legal evidence before court whenever required.
The Role of Evidence
Collection of Evidence is the sole reason behind the Forensic Investigation; therefore Evidence plays a vital role in Computer Forensic Investigation. The Digital Evidence should be properly studied, preserved and presented. These Evidences are presented in court during legal process and questioning. Collection of Evidence is done in several steps, first of which is Identification of Evidence followed by the Recovery of Evidence, this is accomplished viewing log files, recovering data using different forensic tools. One more important point which should be kept in mind during Investigation is security of Data, Digital Evidence and Data must be secured throughout the investigation.
Volatile Evidence
Data stored in temporary storage media [Random Access Memory(RAM), Cache Memory, Onboard memory of different peripherals like Graphics and video card etc ) are termed as Volatile Memory because data stored in it depends on the electricity for their existence, as soon as the system is powered off, stored data will be permanently vanished. It is therefore very important to collect such data first.
Acquiring Evidence
This is the next step of processing evidence. Acquisition process involves in making exact copy of digital evidence. It is very important that the original data isn't altered, damaged or destroyed in doing so.
Disk Imaging
This technique is used to preserve the original evidence as it was seized. Disk imaging is different from back up of a disk in a way that while creating backup, only active files of a system are copied. Whereas during disk imaging exact replica of original disk is formed.
Retaining Data and Timestamp:
Retaining the Date and Time of creation and modification of Data is a vital factor to be kept in mind in criminal issues. Timestamp in a file are very important evidence, since the timestamp is according to the system clock which is in turn depends on the time zone. It should always investigated that which time zone is configured on the system, it may be possible that criminal deliberately change the time zone so that the data does not co-relate with the real time.
Investigating Company Policy Violations
Investigation Process of Companies are totally different from the other types of Investigations. Normally when Cyber crime occurs on house computers, police are called for proper investigation. In a Corporate World a team of some specialized skilled peoples are formed which is known as Incident Response Team. This team is responsible for finding the type of Cyber crime occurred and eventually contact police for further investigation, depending upon the type of crime occurred and what is found in investigation. This Incident Response Team also deal with the internal matter of the company like security breach by company employee, unauthorized access to company's computer etc. It is not always necessary to include police investigation when policies are violated, sometime it is dealt by company itself by taking disciplinary action against the accused employee. But still Forensic Investigations is important because these procedures create a tighter case, thus leaving no point to argue the facts.
Posts
