Computer Forensics Comprehensive Investigative Manual
CJ2670 Week 6 Capstone Project Part 2
Linda Isaacs
January 11, 2015

Introduction

This manual is to assist forensic technicians who may be responsible for preserving an electronic crime scene and for recognizing, collecting, preserving, and storing digital evidence. When dealing with digital evidence, these principles apply: The process of collecting, securing, and transporting digital evidence must not change the evidence in any way. Only technicians specifically trained in digital evidence should conduct the analysis. Everything done during the search, seizure, transportation, and storage of the digital evidence should be documented, preserved, and available for review.
Forensically wiping the hard drive means that every addressable sector of the disk is overwritten with a single, known byte pattern, destroying every file previously stored on the drive. A destination drive must be forensically wiped before images are written to it; otherwise the images can be tainted by data left over on the drive. Tainting of the drive changes the hash value of the acquired data and calls its validity into question. A hash is compared to a fingerprint: two files produce the same hash only when their contents are identical. Hashing does not sign the data (a digital signature additionally requires a private key), but it does produce a value that can be recorded and compared later, so any modification of the data can be detected. Some acquisition tools also rely on a cyclic redundancy check (CRC) to validate the transfer; a CRC catches accidental corruption but is not collision resistant, so it supplements a cryptographic hash such as MD5 or SHA-256 rather than replacing it. In the validation process, the original source of data is compared with the acquired copy. If the collected data has not been altered in any way, the hash values will be exactly the same. If there is even a one-byte difference, the MD5 will be different when it is hashed again. Because an alteration of the duplicate would be detected when the hash is recomputed, the duplicate drive can be handled by people other than the examiner, although the chain of custody still has to be documented; note also that MD5 collisions can be deliberately constructed, so accepted practice is to record a SHA-256 (or stronger) hash alongside the MD5. MD5 is a one-way function, which means the procedure cannot be reversed to reveal anything about the data collected except that is
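The verification step described above, as an added example that is not part of the original manual: the source device and the acquired image are hashed in one pass, and the digests are compared. The "device" and "image" are constructed in-memory byte strings standing in for a drive and its copy; the same functions accept any object with a `.read(n)` method, such as an image file or a device opened read-only behind a write blocker. The CRC32 is computed alongside MD5 and SHA-256 only to show that a checksum and a cryptographic hash both change on a one-byte edit, while only the latter resists deliberate collisions.

```python
"""Verify an acquired image against its source (added example; not from the page).

The "device" and "image" are constructed in-memory byte strings that stand in
for a drive and its copy. hash_stream() works on anything with .read(n).
"""
import hashlib
import io
import random
import zlib

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-terabyte device need not fit in RAM


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {"md5": ..., "sha256": ..., "crc32": ...} for everything in `stream`.

    All digests are computed in a single pass. The CRC32 is included only to
    contrast an error-detection checksum with a cryptographic hash: it has just
    2**32 possible values and is not collision resistant.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    crc = 0
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
        crc = zlib.crc32(block, crc)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    return digests


def hash_bytes(data):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data))


def verify_acquisition(source, image):
    """Hash source and image; return (match, source_digests, image_digests).

    match is True only when every digest is identical, i.e. the image is a
    bit-for-bit copy. A single flipped byte anywhere changes all of them.
    """
    src = hash_stream(source)
    img = hash_stream(image)
    return src == img, src, img


def flip_one_byte(data, offset):
    """Produce a tainted copy that differs from `data` in exactly one byte."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]


def demo():
    """Constructed sample device: 2 MiB + 17 bytes so the final read is a partial chunk."""
    size = 2 * CHUNK + 17
    device = random.Random(2015).getrandbits(8 * size).to_bytes(size, "little")
    tainted_copy = flip_one_byte(device, size // 2)
    ok_good, src, _ = verify_acquisition(io.BytesIO(device), io.BytesIO(device))
    ok_bad, _, tainted = verify_acquisition(io.BytesIO(device), io.BytesIO(tainted_copy))
    return ok_good, ok_bad, src, tainted


if __name__ == "__main__":
    ok_good, ok_bad, src, tainted = demo()
    print("source  :", src)
    print("tainted :", tainted)
    print("clean copy verifies:", ok_good, "| tainted copy verifies:", ok_bad)
```

In practice the source digests are recorded at acquisition time and the image is re-hashed whenever it is handed over or before analysis begins; a mismatch at any point means the copy can no longer be relied on.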
An anonymizer hides private information on the user’s behalf. Investigators track illegal activities online but run into trouble when people use anonymizer technology, partly because of the risk of infringing on people’s rights. Investigators then have to rely more on human error to connect the suspect to the anonymizing technology. Tor is the best-known anonymizing software package available. Also known as “The Onion Router”, it conceals the source of online communications by routing traffic through multiple relay nodes and wrapping it in layers of encryption, one layer per node
The hash value changes when the data is modified because the content of the file has changed, and from the hash’s point of view it is a new, different file.
What potential sources of digital evidence do you find at a crime scene? First of all, what is digital evidence? Digital evidence is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device. Put another way, digital or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Text messages, emails, pictures and videos, and internet searches are some of the most common types of digital evidence. Most criminals now leave a digital trail;
A big problem with digital evidence is that suspects can hide the evidence at any location on the hard drive. That means a judge, a police officer, or a forensic analyst cannot predict where exactly the evidence is located on the hard drive. That implies that the forensic analyst has to search through the entire hard drive, not only the files the file system lists, to find the evidence
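A whole-drive search of the kind the paragraph calls for, as an added example that is not part of the original text: it reads the image as raw bytes, so hits in unallocated space, slack space and deleted files are found just like hits in live files, and a memory dump can be scanned the same way. The sample image, the keyword "Product X" and the small set of file signatures are constructed for the demo; keywords are searched both as ASCII and as UTF-16LE, the encoding most Windows on-disk strings use.

```python
"""Keyword and file-signature search over a whole disk image (added example;
not from the page). The sample image and search terms are constructed inline.
"""
import io
import re

CHUNK = 1 << 20  # read size; the demo uses a tiny chunk to exercise boundary handling

# Well-known magic numbers (assumption: a small subset is enough for the demo).
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}


def build_patterns(keywords, signatures):
    """Compile every search pattern; keywords are searched as ASCII and UTF-16LE."""
    patterns = []  # (kind, label, compiled regex, raw pattern length)
    for label, magic in signatures.items():
        patterns.append(("signature", label, re.compile(re.escape(magic)), len(magic)))
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            raw = kw.encode(enc)
            rx = re.compile(re.escape(raw), re.IGNORECASE)
            patterns.append(("keyword", f"{kw} ({enc})", rx, len(raw)))
    return patterns


def scan_image(stream, keywords, signatures=SIGNATURES, chunk=CHUNK):
    """Return sorted [(absolute_offset, kind, label)] for every hit in `stream`.

    The last (longest pattern - 1) bytes of each chunk are carried into the
    next read so a hit straddling a chunk boundary is still found. A match is
    reported only when it extends into the newly read bytes, which is exactly
    the set of matches not already reported from the previous chunk.
    """
    patterns = build_patterns(keywords, signatures)
    maxlen = max(length for _, _, _, length in patterns)
    carry, pos, hits = b"", 0, []  # pos = absolute offset of carry[0]
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf = carry + block
        for kind, label, rx, _ in patterns:
            for m in rx.finditer(buf):
                if m.end() > len(carry):
                    hits.append((pos + m.start(), kind, label))
        keep = min(maxlen - 1, len(buf))
        carry = buf[len(buf) - keep:]
        pos += len(buf) - keep
    return sorted(hits)


def sample_image():
    """Constructed image: an ASCII string, a JPEG header and a UTF-16LE string,
    with filler so that several hits cross 16-byte chunk boundaries."""
    return (b"A" * 13 + b"product x" + b"B" * 7 + b"\xff\xd8\xff\xe0"
            + b"C" * 3 + "Product X".encode("utf-16-le") + b"D" * 2)


def scan_sample(chunk=16):
    """Scan the constructed image for the keyword 'Product X' and all signatures."""
    return scan_image(io.BytesIO(sample_image()), ["Product X"], chunk=chunk)


if __name__ == "__main__":
    for offset, kind, label in scan_sample():
        print(f"offset {offset:>8}  {kind:<9}  {label}")
```

The offsets are absolute byte offsets into the image, which is what an examiner needs to map a hit back to a sector, a file, or unallocated space with a file-system tool; run against a real image, raise `chunk` back to the default and open the image file in binary mode.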
The three items that I would collect would be the external hard drive, the laptop, and the USB thumb drive. It’s important to remember that you “must use caution when collecting, packaging, or storing digital devices to avoid altering, damaging, or destroying the digital evidence. Avoid using any tools or materials that may produce or emit static electricity or a magnetic field as these may damage or destroy the evidence” (Mukasey, 2008). The first item that I would collect as digital evidence would be the external hard drive. It may contain all types of evidence, such as files, logs, pictures, recordings, or even video logs. Before collecting it as evidence, I would take pictures of the hard drive, making sure to get the manufacturer and serial numbers, and then document it. Once complete, I would seal it in an anti-static bag and label that as well. The second item that I would collect would be the laptop. This could have all of the same types of information that the hard drive has and also may contain copies, pictures, or the source code itself from “Product X.” The laptop may show whether or not he was sharing files or trade secrets with outside sources, or even if he were attempting to crack passwords so as to get into systems that weren’t available to
The rapid growth of the internet has made it easier to commit traditional crimes by providing criminals an alternate method for launching attacks with relative anonymity. The effects of such technology have been great, but, with the
The reduced data process required only 79 seconds to collect the subset from a 320GB hard drive, which represents a significant reduction in time compared with forensically imaging and verifying a hard drive using standard bit-by-bit imaging (2014). The proposed methodology presents an efficient solution for reducing data storage requirements while simultaneously reducing the chance of a privacy violation from reviewing unrelated personal information.
Specialized techniques for data recovery, evidence authentication and analysis of electronic data far exceeding normal data collection and preservation
After delivering digital devices to the forensic laboratory, the detective should specify the kind of information wanted, such as phone numbers and call history from a cell phone, emails, documents and messages from a computer, or images on a tablet. Once the digital evidence has been sent to the laboratory, a trained analyst takes the following steps to recover and examine the information. When evidence collection and examination are performed correctly, investigators can preserve information that supports the allegations of criminal activity, whether through conversations or message exchanges, images, or documents. The examiner normally delivers all supporting documentation, highlighting the relevant information, together with a report itemizing what was done to extract it. As with other types of evidence, chain of custody and proper collection and extraction methods are critical to the credibility of the evidence and should be carefully documented. An unbroken chain of custody must be maintained in order for evidence to be admissible in a court of law. Standards require that every individual who handles
Digital evidence is defined as evidence that takes the form of electronic data, or information stored in bits and bytes on magnetic or other media. Digital evidence can range from photos, videos, text documents, internet activity logs, and phone numbers to any other electronically stored data that is involved in a criminal case. Devices that can hold digital evidence include personal computers, computer media such as disks, CDs, and DVDs, cellular phones and similar all-in-one devices, and many other types of devices as well. When preserving digital evidence, extreme care must be taken. Investigators are sworn never to change or alter evidence, digital or not. Digital data, however, is very fragile, and extra care is imperative. So the first and foremost concern when dealing with digital data is to preserve all data on the hard disk drive or other computer media in a pristine, unaltered, unharmed, and unchanged manner.
Whether it is an entire hard drive or specific files, create and record the MD5 hashes of your evidence. Performing MD5 hashes for all evidence supports the claim that you are diligent and attentive to the special requirements of forensic examination. The MD5 hash calculated for a given set of data will always remain the same if your evidence is handled properly and has not been tampered with. Because practical MD5 collision attacks exist, record a SHA-256 hash as well so that the integrity claim does not rest on MD5 alone. Your audience becomes confident that you are handling the data in the appropriate manner by recording these MD5
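The chain-of-custody record that the two passages above (laboratory hand-off and recorded hashes) describe, as an added example that is not part of the original text: an append-only log in which every entry carries the MD5 and SHA-256 of the item plus the SHA-256 of the previous entry. Editing, removing or reordering an entry, or altering the evidence between handlers, then shows up on verification. The item IDs, handler names, timestamps and the "image" bytes are constructed for the demo; the JSON layout of an entry is this example's own choice, not a standard.

```python
"""Append-only chain-of-custody log with hash linking (added example; not from
the page). Item IDs, handlers, timestamps and evidence bytes are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value recorded by the first entry


def evidence_digests(data):
    """MD5 is kept because examiners expect it; SHA-256 is the collision-resistant one."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def entry_hash(entry):
    """SHA-256 over a canonical JSON form of the entry, its own hash field excluded."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class CustodyLog:
    def __init__(self):
        self.entries = []

    def record(self, item_id, handler, action, data, when=None):
        """Append one custody event for `item_id`; `data` is the item's bytes right now."""
        entry = {
            "item": item_id,
            "handler": handler,
            "action": action,
            "time": when or datetime.now(timezone.utc).isoformat(),
            "digests": evidence_digests(data),
            "prev_entry_sha256": self.entries[-1]["entry_sha256"] if self.entries else GENESIS,
        }
        entry["entry_sha256"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, current_data=None):
        """Return (ok, problems).

        Checks every link and every stored entry hash, flags any item whose
        digests differ between two custody events, and, when `current_data`
        maps item ids to their bytes now, re-hashes them against the last record.
        """
        problems = []
        prev, last_digests = GENESIS, {}
        for i, e in enumerate(self.entries):
            if e.get("prev_entry_sha256") != prev:
                problems.append(f"entry {i}: link to previous entry is broken")
            if entry_hash(e) != e.get("entry_sha256"):
                problems.append(f"entry {i}: contents changed after it was recorded")
            item = e["item"]
            if item in last_digests and last_digests[item] != e["digests"]:
                problems.append(f"entry {i}: {item} was altered while in custody")
            last_digests[item] = e["digests"]
            prev = e.get("entry_sha256")
        for item, data in (current_data or {}).items():
            if item in last_digests and evidence_digests(data) != last_digests[item]:
                problems.append(f"{item}: current bytes do not match the last recorded digests")
        return not problems, problems


def demo():
    """Constructed scenario: a clean hand-off, then two kinds of tampering."""
    image = b"constructed disk image bytes"
    log = CustodyLog()
    log.record("HDD-01", "Tech A", "acquired image", image, "2015-01-11T09:00:00+00:00")
    log.record("HDD-01", "Tech B", "received for examination", image, "2015-01-11T10:00:00+00:00")
    clean = log.verify({"HDD-01": image})
    # The item comes back with different bytes: caught by the per-item digest comparison.
    log.record("HDD-01", "Tech B", "returned to locker", image + b"!", "2015-01-11T12:00:00+00:00")
    altered_item = log.verify()
    # Someone rewrites history: the stored entry hash no longer matches the entry.
    log.entries[0]["handler"] = "Tech Z"
    edited_log = log.verify()
    return clean, altered_item, edited_log


if __name__ == "__main__":
    for label, (ok, problems) in zip(("clean", "altered item", "edited log"), demo()):
        print(f"{label:<13} ok={ok} {problems}")
```

The log only proves what was recorded; it is still the handlers' signatures, the sealed bags and the locked storage that tie an entry to a person and a physical item, so the ledger complements the paper chain of custody rather than replacing it.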
1. Executive Summary: Before the 1980s, computer crimes were handled and processed under existing laws, which may have worked in a pre-internet era but clearly do not work today. In 1978, computer crimes gathered the attention of officials with the Florida Computer Crimes Act (www.leg.state.fl.us, 2015). This act included new legislation prohibiting the unauthorized deletion, changing, or modification of data on computer systems.
The purpose of having a reconstruction feature in a forensics tool is to re-create a suspect drive in order to show what happened during a crime or an incident. Another reason for replicating a suspect drive is to create a copy for other examiners, who might need a fully functional copy of the drive so that they can perform their own acquisition, testing, and study of the evidence. These are the subfunctions of reconstruction:
RAM can play a very important role in a computer forensics investigation. However, according to an article in Forensics Magazine, “RAM didn’t start playing a role until recently when investigators started to learn how to capture forensics through a “live-box” analysis instead of the traditional “dead-box” analysis.” With a “dead-box” analysis, an investigator could look for evidence on someone’s hard drive by making a copy of it, but the evidence was not always on the hard drive; it could have been in RAM, which was lost when the machine was powered off. Now, with advances in forensic technology, an investigator can perform a “live-box” analysis of the suspect’s computer that actually captures the RAM, or volatile memory.
1TB hard drives will be used in case the size of the data exceeds the 500GB limit. Every hard drive must be labeled appropriately for its case. Some of the hard drives will be used for short-term storage until the investigation of the case is completed. Then the evidence will be moved to hard drives dedicated to long-term storage and physically stored in a closet or cabinet that has at least one security measure. Some examples of security measures for the closet or cabinet are key locks, PIN code access, or a fingerprint lock. In addition to the closet or cabinet security measure, the hard drives will be secured using symmetric encryption. Only the forensic investigators should know the secret key, and a copy of the key must be kept somewhere separate from the drives, because an encrypted evidence drive whose key is lost is unrecoverable. After the evidence is stored on the long-term hard drives, it also needs a backup. All of the backups from the hard drives will be stored in a 180TB storage pod that costs around $2,000.00. The storage pod will hold the most important evidence from all of the cases. The storage pod needs to be located in another building.
The purpose of anti-forensics is to intentionally make digital investigations and the examination of digital media more difficult through several means, including data forgery, data hiding, or data deletion. The techniques differ in what they do, but the shared purpose is to make sure that the data cannot be recovered, or cannot be trusted if it is. (Lucia, 2013)