Cybercrime refers to any illegal act that involves a computer, its systems, or its applications. Digital forensics is the branch of forensic science that deals with the investigation of crimes committed using digital devices (i.e. computers, mobile devices, and any form of digital storage media), and of crimes committed over the internet.
A computer forensic investigation always requires a methodical approach. It is usually conducted in specific, predetermined steps that depend on the nature of the crime. The most important aspects of a digital forensic investigation include (but are not limited to) maintaining the integrity of the collected data and writing a concise report that is admissible in a court of law.
Once digital forensic investigators start investigating a crime scene, they must remember that cybercrimes are mostly intentional, not accidental. The type of a cybercrime depends on the tools used and on its target. The target of the crime refers to the victim, which can be a corporate organization, a website, a consulting agency, or a government body. A system becomes a target for reasons such as stealing, modifying or destroying the stored data, Trojan attacks, unauthorized access, etc.
The tools of the crime refer to the various hacking tools used to commit it. They include the computer or workstation used for the crime, peripherals such as the keyboard, the mouse, and the monitor, and external storage devices. Forensic investigators must take these tools into custody and preserve them in a forensically sound manner so that they can be used as evidence.
As the crime is digital, it is inevitable that there will be at least one electronic device found during the investigation, be it a computer, a cell phone, a printer, or a fax machine. Skilled investigators must analyze such devices with utmost caution and care, as they may be of critical importance for the investigation and reveal valuable evidence that will help solve the case. The investigation often becomes tedious due to the volume and volatile nature of the digital data; that’s why digital forensic investigation is often compared to finding a needle in a haystack.
Digital evidence is “any information of probative value that is either stored or transmitted in a digital form.” That is, any data stored on a device or transmitted from any device during the criminal act may have probative value. It can be gathered while examining digital storage media, monitoring internet traffic, or imaging/duplicating digital data found during a forensic investigation.
Digital evidence is often circumstantial and fragile in nature, which makes it difficult for the investigator to make it admissible in court.
The objectives of a digital forensic investigation are:
- Understand the usage of proper tools for forensic investigations.
- Know the process of handling multiple platforms, data types and operating systems.
- Have knowledge about the laws of various regions and areas (i.e. Constitutional Laws), as digital crimes are omnipresent and remote in nature.
- Find vulnerabilities and security loopholes in a system that help attackers.
- Perform incident response to prevent further loss of intellectual property, finances and reputation during an attack.
- Understand the techniques and methods used by attackers to avert prosecution, and overcome them.
- Estimate the potential impact of malicious activity on the victim and assess the intent of the perpetrator.
- Identify, gather, and preserve the evidence of a cyber crime.
- Recover deleted files, hidden files, and temporary data that could be used as evidence.
- Track and prosecute the perpetrators in a court of law.
- Interpret, document and present the evidence to be admissible during prosecution.
Standard Operating Procedure:
Law enforcement and forensic investigators must establish and maintain an effective system of quality control to ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence. SOPs (documented quality control guidelines) must be supported by proper case records and by broadly accepted procedures, equipment and materials.
Implementing SOPs allows an organization to operate under compliant policies and plans. SOPs must not be modified before implementation if the desired outputs are to be achieved. If any modifications are required, they must be communicated before the investigation starts.
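The integrity safeguard described above is usually implemented by hashing an evidence image at acquisition time, recording the digest in the custody record, and re-hashing before every examination or transfer. The following is an added illustration, not code from the original post or from The Cyber Cops project; the case identifier, examiner name and the tiny "image" file it hashes are constructed placeholder values.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream large images in 1 MiB pieces instead of reading them whole


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, streamed so multi-GB images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path, examiner, case_id):
    """Build the custody record taken at acquisition: who, when, size and hash."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(image_path, record):
    """Re-hash the image and compare it with the acquisition record; any change fails."""
    current = hash_file(image_path)
    return {"expected": record["sha256"], "actual": current,
            "intact": current == record["sha256"]}


def demo():
    """Constructed sample: hash a small 'image', then alter one byte and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.dd")
        with open(image, "wb") as f:
            f.write(b"\x00" * 512 + b"sample partition data" + b"\x00" * 512)
        rec = record_acquisition(image, "Examiner A", "CASE-0001")  # placeholder values
        print(json.dumps(rec, indent=2))  # this record goes into the case file
        before = verify_image(image, rec)["intact"]
        with open(image, "r+b") as f:  # simulate an accidental write to the image
            f.seek(600)
            f.write(b"X")
        after = verify_image(image, rec)["intact"]
        return before, after  # (True, False): intact at first, tampered after the write
```

In practice the record is written to the case file and the verification hash is recorded again at each custody transfer, so a mismatch can be traced to a specific handler.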
All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.
For more posts in The Cyber Cops project, click here.