Computer forensics applies knowledge of computers to combating crime in society. It is a branch of forensic science, which is simply defined as the application of science to matters of law. Computer forensics is also called computer network forensics or digital forensics. It entails applying science to the collection, examination, analysis and identification of data while preserving its integrity and maintaining a strict chain of custody over the available data.
Data in this case refers to distinct pieces of digital information that have been formatted in a specific way. It can be obtained from many sources: standard computer systems, computing peripherals, personal digital assistants (PDAs), networking equipment, various types of media and consumer electronic devices, among the other sources available to the forensics department (Bejtlich, 2004).
Since data exists in so many sources, these techniques serve many purposes: investigating crimes and internal policy violations, troubleshooting operational problems, recovering from accidental damage to programs, and reconstructing computer security incidents. Practically every organization needs the capability to perform digital forensics. It helps the organization trace events relating to its general operations, especially in its networks and systems, such as the exposure of sensitive and protected data.
Any organization should therefore provide detailed information on how it establishes its forensic capability. This includes developing policies and procedures that focus on using these techniques to help the security department detect when such situations occur. It also supports the response to, investigation of and alleviation of such conduct by feeding the results into the court system of the country concerned. Much of this material can also be applied in other scenarios arising from technological advances in the same field.
Background Information to the Case under Investigation
The aim of this paper is to develop a set of computer forensics tools to investigate the circumstances surrounding three parties in a case involving estate development. Slatestone Land Development contracted Acer Tree Service to clear land for the construction of several homes. The homes are located on a bluff whose view of a lake is obstructed by trees. The tree service cut several trees on a private landowner's property that were obstructing the lake view for the new homes (Carrier, 2005).
The private landowner is upset because she now has a fish bowl effect, with the new homes looking at her house, whereas before the tree cutting her home was secluded. The developer claims he did not authorize the tree cutting. The new home owners claim that they did not request the trees to be cut. Acer Tree Service claims that they were instructed to cut all the trees that were marked with red spray paint. Slatestone and Acer have worked together in the past, and marking trees with red spray paint is standard practice in the industry. All 18 trees were clearly marked with red paint, though no one from Slatestone was on site to supervise, and Slatestone claims they did not mark the 18 trees that were mistakenly cut. The private landowner has decided to file a lawsuit for criminal trespass and destruction of property against Slatestone, Acer and the owners of the new homes for the 18 mature maple trees that were cut.
The law firm representing the private landowner has successfully argued for electronic discovery of the phones and computers of the home owners, Slatestone and Acer in order to establish fault and liability. As a computer forensics expert, I have the responsibility of performing the digital forensic examination. The court order stipulates that only email and text messages from one month prior to the incident to the present time may be retrieved by the investigator, and I have to abide by that. A further stipulation is that the forensic report must first be provided to opposing counsel and is subject to either acceptance or objection.
Additionally, the court order indicates that if information is disclosed to the private landowner or her legal representative, the person disclosing it could be subject to civil and criminal prosecution. I have ten days to schedule the evidence collection and submit the reports to opposing counsel. This paper outlines the materials and tools needed for the engagement, with a clear indication of how each tool will be used in the investigation. It provides a schedule for completing the investigation, explains the dissemination procedure, and closes with the steps needed to comply with the court order (Casey, 2001).
To understand the facts of this case, it is important first to review the basic principles of the information system life cycle that support forensic investigations. Many kinds of incident can be handled within the forensic field. The considerations are as follows:
Performing regular backups of systems and retaining previous backups for a specified period;
Enabling auditing on workstations, servers, and network devices;
Forwarding audit records to secure centralized log servers;
Configuring mission-critical applications to perform auditing, including recording all authentication attempts;
Maintaining a database of file hashes for the files of common operating system and application deployments, and using file integrity checking software on particularly important assets;
Maintaining records such as baselines of network and system configurations;
Establishing data retention policies that support historical reviews of system and network activity, comply with requests or requirements to preserve data relating to ongoing litigation and investigations, and destroy data that is no longer needed.
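The file-hash database and integrity-checking item above is the one most easily shown in code. The following is an added example, not a tool from the paper or from any of the parties it describes: it builds a baseline of SHA-256 digests for a directory tree, rescans later, and reports what was modified, added or deleted. The directory contents are constructed in a temporary folder so the script runs offline; the file names and contents are placeholders, not real system files.

```python
"""Hypothetical file-integrity baseline check (added example, not the paper's own tool).

Builds a database of SHA-256 hashes for a directory tree, then compares a later
scan against it and reports modified, added and missing files. The sample tree
is constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file path (relative, POSIX-style) under root to its SHA-256 digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baseline(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: baseline a small tree, alter it, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-placeholder")
        (root / "notes.txt").write_bytes(b"red paint marks: trees 1-18\n")

        baseline = build_baseline(root)

        # Simulated changes between the baseline and the later scan.
        (root / "bin" / "ls").write_bytes(b"\x7fELF-altered")      # modified
        (root / "etc" / "hosts").unlink()                          # missing
        (root / "late-addition.sh").write_bytes(b"#!/bin/sh\n")    # added

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself is only as trustworthy as its storage: in practice it is kept off the examined host (or signed) so that whoever alters a file cannot also alter its recorded digest.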
These are individual guidelines rather than the central operations of the forensic department. The forensic methodology should draw on external experts and incorporate the firm's internal operations where necessary. This makes it feasible to develop a comprehensive procedure tailored to give the best results from the investigation in an era of rapid technological advancement. To achieve this, organizations should also develop step-by-step guidelines for investigating the cases involved.
The methods relevant to this scenario include imaging the hard disk, recording and capturing volatile information, and securing physical evidence in the case of removable media. These guidelines must be effective, consistent and accurate so that forensic actions are precise and lead to the identification and prosecution of the parties involved in the crime. The credibility of the records kept by the organizations under investigation must be cross-checked, since they could easily alter the records in their favour; the integrity of these records must therefore be questioned with great sensitivity.
With the shift from traditional information to an almost total reliance on electronic information, forensics has not been left behind. The credibility, authenticity and reliability of such information in the hands of information technology specialists has taken a central role in mainstreaming the investigative process in most cases, and the case in question is no exception. Information should be treated as original evidence, but with great care, since it could be manipulated by malicious individuals and organizations.
It is important to understand how these electronic records are created, handled, manipulated and altered. This calls for proper verification of the integrity of the files kept on electronic media. Explicit issues should be flagged for discussion with legal counsel and senior information technology officials. Sound forensic methods must be combined with other means to achieve good results. Other methods important in this investigation include log retention and log analysis, which matter both to incident handlers such as forensic experts and to decision makers in the field.
In addition to the technical experts required for this case, legal experts are important in handling the issues between the three parties. The courts give the proper advice and methodology to be followed while drawing important information into the case. This ensures an effective, accountable and standardized system of investigation that is acceptable to society as well as to the parties involved.
Proper guidelines and procedures help the organization's management team address the issues arising from the case filed between the three parties. The case is confusing, since every party seems to be the complainant and none looks like the plaintiff. This calls for a deeper understanding of the underlying factors than is apparent in the public domain (Davis et al, 2004).
These procedures and guidelines must be maintained once in place in order to produce quality and accurate reports on the case. They must be reviewed regularly to ensure the information is accurate and in line with current governance and investigation policies: at least annually, or whenever the team's policies and guidelines undergo significant change. Once a guideline is updated, the previous version should be archived in case it is needed in a later legal proceeding. The team participating in the investigation should not be changed under any circumstances, to avoid distorting the coordinated chain of events and investigative information presented to the courts. Exercises must be in place to confirm the accuracy of the records and of the information collected by the forensic experts.
Under the American constitution, the forensics bill is illustrated under section 2.1. It stipulates that an event of interest may be placed under investigation in order to find and analyze the facts using scientific knowledge. It covers the role of forensic scientists from the collection of evidence for legal considerations and internal disciplinary measures to the handling of malware and unusual operational problems. It is performed in four basic steps: collection, examination, analysis and reporting of the facts underlying the case. These are referred to as the phases of the forensic process.
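The disk imaging, integrity verification and chain-of-custody points made above can be tied together in one routine. This is an added example and not a tool from the paper: it copies a source "device" to an image file block by block, hashes the source bytes as they are read, re-reads the image from disk to confirm the digest, and only then appends a chain-of-custody entry. The device contents, the examiner name and the item identifier are constructed placeholders; a real acquisition would read a block device through a write blocker rather than a temporary file.

```python
"""Hypothetical evidence-imaging routine (added example, not the paper's own tool).

Copies a source "device" to an image file block by block, hashes source and
image independently, and appends a chain-of-custody record only if the digests
match. The source device is a constructed byte string in a temporary file.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def image_device(source_path, image_path, block_size=4096):
    """Copy source to image sequentially; return (source_digest, bytes_copied).

    The digest is computed from the same bytes that are written, so a read
    error surfaces before the image is declared complete.
    """
    digest = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            digest.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    return digest.hexdigest(), copied


def verify_image(image_path, expected_digest):
    """Re-read the image from disk and compare it against the source digest."""
    h = hashlib.sha256()
    with open(image_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == expected_digest


def custody_record(examiner, item_id, action, digest, log_path):
    """Append one JSON-lines chain-of-custody entry and return it."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "item": item_id,
        "action": action,
        "sha256": digest,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def acquire(examiner, item_id, source_path, workdir):
    """Image, verify and log one item; raise rather than log an unverified image."""
    image_path = os.path.join(workdir, f"{item_id}.dd")
    log_path = os.path.join(workdir, "custody.jsonl")
    digest, size = image_device(source_path, image_path)
    if not verify_image(image_path, digest):
        raise RuntimeError(f"image of {item_id} does not match source digest")
    return custody_record(examiner, item_id, f"imaged {size} bytes", digest, log_path)


def demo():
    """Constructed device: 9,997 bytes of repeating data plus an end marker."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "device0")
        with open(source, "wb") as fh:
            fh.write(bytes(range(256)) * 39 + b"END-OF-DEVICE")
        record = acquire("examiner-placeholder", "PHONE-01", source, tmp)

        # Independent hash of the source must equal the logged digest.
        with open(source, "rb") as fh:
            verified = record["sha256"] == hashlib.sha256(fh.read()).hexdigest()

        # Failure mode: a single altered byte in the image must be detected.
        image_path = os.path.join(tmp, "PHONE-01.dd")
        with open(image_path, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x00")
        tamper_detected = not verify_image(image_path, record["sha256"])

        return {"verified": verified, "tamper_detected": tamper_detected, "record": record}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Writing the custody log as append-only JSON lines keeps each action self-describing; storing the digest in the same entry is what later lets opposing counsel confirm that the copy examined is the copy that was acquired.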
Collection of Evidence
This is the initial step in investigating a crime, whether for business or autopsy purposes. In this phase the forensic scientist identifies the sources of data relevant to the case. In this scenario the most probable sources are laptops, desktops, servers and network storage devices, along with mobile phones, which could also help piece together the evidence (Farmer and Wietse, 2004).
These systems must be thoroughly screened, together with all their accessories. Accessories include internal drives such as CD and DVD drives, and ports such as Universal Serial Bus (USB), FireWire and Personal Computer Memory Card International Association (PCMCIA) slots, to which external storage media and devices are attached: thumb drives, flash and memory cards, and optical and magnetic disks. A standard computer holds some information that can be obtained directly and quickly provided it has not been shut down or rebooted, so it is important to approach the organization without warning in order to capture such loose and volatile information.
Other information can be obtained from other organizations over the network through their logs. This is useful for tracing the organization's day-to-day activity and linking it to the pieces of information gathered from the organization's own systems. No stone will be left unturned: every individual suspected of a link to the deal on the trees must be fully investigated, and where no tangible information is gained, a close associate could be used as a source to build a flowing, chained and convincing body of evidence before the courts. Such information may be readily available from the Internet Service Provider (ISP). In this case, obtaining the relevant information from the ISPs is easier because the forensic expert holds a court order. Audit records give the best information, since they even indicate the period over which the events must have occurred (Honeynet Project, 2004).
Evidence Examination and Processing
This stage involves extracting and assessing the data collected in the previous step. Pieces of information are extracted separately before being pieced together to reach a meaningful account of the events. It may involve techniques that work around the operating system to reveal data obscured by compression or encryption. This gives access to and control over such data and ultimately allows it to be extracted and assessed for relevance to the investigation.
Since the data available for examination may be very large and confusing, it must be filtered down to what is relevant to the investigation. A number of mechanisms can be used to filter the collected data. Text and pattern searches are very useful for identifying pertinent data, for instance by finding documents that refer to a particular person or subject. In this case, texts concerning the estate development and the clearing of trees are more useful than texts about the financial debts of various departments (Jones et al, 2005).
Another mechanism is to locate the specific logs or emails belonging to specific individuals connected to the events surrounding the case. Another important tool is one that detects the actual content of each file, whether graphics, text, music or compressed data, regardless of its name. Files with unusual names or codes are screened thoroughly to be sure of any hidden identity.
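The scoping, keyword searching and content-type detection described in the two paragraphs above can be shown together on a handful of messages. This is an added example, not a tool from the paper: it first discards every message outside the court-ordered window (one month before the incident to the present), then runs keyword and pattern searches on what remains, and identifies attachments by their leading bytes rather than their file names. The incident date, the "present" date, the addresses and the message bodies are all constructed for the example; the keyword list is one an examiner might derive from the facts in the case narrative.

```python
"""Hypothetical evidence filter for the tree-cutting scenario (added example, not the paper's own tool).

Applies the court-ordered scope first, then keyword/pattern relevance, then
identifies attachment types from content signatures. All records are constructed.
"""
import re
from datetime import date, timedelta

INCIDENT_DATE = date(2024, 5, 20)              # constructed incident date
WINDOW_START = INCIDENT_DATE - timedelta(days=30)
WINDOW_END = date(2024, 6, 1)                   # constructed "present" date

# Constructed message records: (date, sender, recipient, body, attachment bytes)
MESSAGES = [
    (date(2024, 3, 2), "dev@slatestone.example", "ops@acer.example",
     "Invoice for last year's clearing job attached.", b"%PDF-1.4 ..."),
    (date(2024, 5, 12), "owner1@homes.example", "dev@slatestone.example",
     "Can we get a better view of the lake? The trees on the bluff block it.", b""),
    (date(2024, 5, 15), "dev@slatestone.example", "ops@acer.example",
     "Crew should cut everything marked with red spray paint on lot 7.",
     b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    (date(2024, 5, 19), "ops@acer.example", "crew@acer.example",
     "18 maples marked red near the property line, cutting tomorrow.", b""),
    (date(2024, 5, 25), "accounting@slatestone.example", "dev@slatestone.example",
     "Q2 debt schedule attached.", b"PK\x03\x04 spreadsheet"),
]

# Keywords and patterns derived from the case narrative (trees, paint marks, lots).
KEYWORDS = ("tree", "maple", "red paint", "red spray paint", "cut",
            "lake view", "view of the lake")
PATTERNS = [re.compile(r"\b\d{1,2}\s+(?:maples?|trees?)\b", re.I),
            re.compile(r"\blot\s+\d+\b", re.I)]

# Magic-byte signatures checked against attachment contents, not file names.
SIGNATURES = [(b"%PDF-", "pdf"), (b"\xff\xd8\xff", "jpeg"),
              (b"PK\x03\x04", "zip-container"), (b"\x89PNG\r\n\x1a\n", "png")]


def in_scope(msg_date):
    """True only for dates inside the court-ordered window (inclusive)."""
    return WINDOW_START <= msg_date <= WINDOW_END


def identify_type(data):
    """Content type implied by the leading bytes: 'none', 'unknown' or a label."""
    if not data:
        return "none"
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def relevance_hits(body):
    """Keywords (in list order) and pattern matches found in a message body."""
    lower = body.lower()
    hits = [k for k in KEYWORDS if k in lower]
    for pat in PATTERNS:
        hits.extend(m.group(0) for m in pat.finditer(body))
    return hits


def filter_messages(messages=MESSAGES):
    """Scope first, then relevance: out-of-scope messages are never examined."""
    results = []
    for msg_date, sender, recipient, body, attachment in messages:
        if not in_scope(msg_date):
            continue
        hits = relevance_hits(body)
        if hits:
            results.append({"date": msg_date.isoformat(), "from": sender,
                            "to": recipient, "hits": hits,
                            "attachment": identify_type(attachment)})
    return results


if __name__ == "__main__":
    for rec in filter_messages():
        print(rec)
```

Ordering the checks this way matters for compliance as much as for efficiency: the March invoice is dropped by the date test before its body is read, and the in-window accounting message is dropped because nothing in it relates to the matter, which is the distinction the examination paragraph draws between tree-clearing texts and departmental debts.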
Analysis of Data
In this phase, the examined data is pieced together to find any connection to the event under investigation. It involves correlating data from several sources that may be relevant to the case. A network Intrusion Detection System (IDS) may help link an event to the host being investigated. Other tools such as centralized logging and security event management software may facilitate the process by automatically gathering and correlating the data.
Reporting
This is the final stage of the forensic expert's work. It involves preparing and presenting the data and evidence linked to the crime or offence committed. Reporting can be affected by several factors, including the following:
Alternative explanations: the information available may be inadequate, leaving a wide range of possible outcomes and causes for the events in question;
Consideration of the audience: the data here is presented to the courts, so strict adherence to the law is paramount throughout the investigation. Copies of evidence are required to avoid basing the case on imagined causes. Network traffic is obtained in detail in order to convince the court that due process was followed;
The information must be actionable: this covers information in the data that needs further investigation or verification before it fits with the rest. A list of contacts could be used to develop further evidence. The same information could also be used to prevent further occurrences of such crimes (Kruse and Heiser, 2001).
In a nutshell, as information has moved from traditional to electronic form, forensics has kept pace, and the credibility, authenticity and reliability of electronic information in the hands of information technology specialists now sit at the centre of the investigative process; the case in question is no exception. Such information should be treated as original evidence, but handled with great care, since it could be manipulated by malicious individuals and organizations.
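The correlation step described above, and the log-analysis point raised earlier, come down to normalizing records from different sources into one shape and then joining them on shared attributes within a time window. The following is an added example, not a tool from the paper: it parses three constructed log formats (an IDS alert line, a syslog-style host login line and a mail-relay line), converts their timestamps to a common form, and attaches to each IDS alert the same-host login and mail events within two minutes of it. The log formats, hostnames, addresses and the assumed year for the syslog lines are all constructed.

```python
"""Hypothetical cross-source event correlation (added example, not the paper's own tool).

Parses three constructed log formats into a common record shape, then links
records that share a host address and fall within a short window of an IDS alert.
"""
import re
from datetime import datetime, timedelta

# Constructed sample logs; addresses, hostnames and users are placeholders.
IDS_LINES = [
    "2024-05-15T09:02:11Z ALERT src=10.0.0.7 dst=10.0.0.20 sig=suspicious-outbound-smtp",
    "2024-05-19T17:40:02Z ALERT src=10.0.0.9 dst=10.0.0.20 sig=port-scan",
]
AUTH_LINES = [
    "May 15 09:01:55 ws07 login[412]: user dev from 10.0.0.7 accepted",
    "May 15 09:30:10 ws09 login[418]: user crew from 10.0.0.9 accepted",
    "May 19 17:39:48 ws09 login[901]: user crew from 10.0.0.9 accepted",
]
MAIL_LINES = [
    "2024-05-15 09:02:13 relay=10.0.0.7 from=<dev@slatestone.example> to=<ops@acer.example> status=sent",
    "2024-05-19 17:41:00 relay=10.0.0.9 from=<ops@acer.example> to=<crew@acer.example> status=sent",
]
YEAR = 2024  # syslog lines carry no year; assumed from the collection period

IDS_RE = re.compile(r"^(\S+) ALERT src=(\S+) dst=\S+ sig=(\S+)$")
AUTH_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) login\[\d+\]: user (\S+) from (\S+) (\w+)$")
MAIL_RE = re.compile(r"^(\S+ \S+) relay=(\S+) from=<([^>]+)> to=<([^>]+)> status=(\w+)$")


def parse_ids(line):
    """IDS alert -> common record keyed on the source address."""
    m = IDS_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"time": ts, "source": "ids", "host": m.group(2), "detail": m.group(3)}


def parse_auth(line):
    """Syslog login line -> common record keyed on the client address."""
    m = AUTH_RE.match(line)
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "source": "auth", "host": m.group(4),
            "detail": f"{m.group(3)}@{m.group(2)} {m.group(5)}"}


def parse_mail(line):
    """Mail relay line -> common record keyed on the relaying address."""
    m = MAIL_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"time": ts, "source": "mail", "host": m.group(2),
            "detail": f"{m.group(3)} -> {m.group(4)} {m.group(5)}"}


def correlate(ids_lines=IDS_LINES, auth_lines=AUTH_LINES, mail_lines=MAIL_LINES,
              window=timedelta(minutes=2)):
    """For each IDS alert, gather same-host auth and mail records within +/- window."""
    alerts = [parse_ids(l) for l in ids_lines]
    others = [parse_auth(l) for l in auth_lines] + [parse_mail(l) for l in mail_lines]
    others.sort(key=lambda r: r["time"])
    timeline = []
    for alert in alerts:
        related = [r for r in others
                   if r["host"] == alert["host"] and abs(r["time"] - alert["time"]) <= window]
        timeline.append({
            "alert": alert["detail"],
            "host": alert["host"],
            "time": alert["time"].isoformat(),
            "related": [(r["source"], r["time"].isoformat(), r["detail"]) for r in related],
        })
    return timeline


if __name__ == "__main__":
    for entry in correlate():
        print(entry["time"], entry["host"], entry["alert"])
        for src, when, detail in entry["related"]:
            print("   ", src, when, detail)
```

Two details carry most of the evidentiary weight here: the timestamps must be brought into one reference (the IDS log is in UTC while the syslog lines carry neither zone nor year, so the assumed year is stated explicitly), and the join key must be something all sources actually record, which is why the address rather than the user name links the records.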