Key Elements in Cybercrime Investigations: Part 2

When a computer incident occurs, the attacked organization responds with a set of predetermined actions. Applying digital forensics techniques and protocols to the sources of evidence discussed above helps uncover the actions of the criminal. This paper presents the procedures for conducting cybercrime investigations. It concludes with techniques for obtaining evidence from Internet resources, documenting evidence properly, and maintaining the chain of custody.

Steps in Evidence Gathering

The fundamental processes every investigator needs to follow in order to correctly maintain a digital chain of custody are: ensuring the evidence is physically protected; controlling the crime scene and logging all access and connectivity; creating a forensic image of the original evidence in a “non-invasive” manner; hashing both the image and the original evidence to ensure that the evidence has not been altered; and documenting all investigation details in a thorough report generated by the computer forensics software being used. When computer evidence is to be presented in court, preserving its integrity is crucial. Investigators must be able to maintain and accurately document the content of digital evidence.

Process of Evidence Gathering

The process of computer forensics involves: duplication of the original evidence; verification of the integrity of the evidence; and reporting of the investigation results and findings. Digital evidence is volatile and can change if it is not handled with caution. For example, restarting the computer under investigation can change important data such as date stamps, and it can also remove data contained in temporary files. To ensure that the computer under investigation does not alter critical data, investigative software and hardware write-blocking devices that prevent alteration of the evidence must be used. To ensure the authenticity of the evidence and to effectively establish a digital chain of custody, the investigator must compute hashes and apply digital signatures at the time the evidence is acquired.

Digital Forensic Procedure

There are six reasons why proper forensic procedures are needed when collecting computer evidence: ensuring that there is “simpler referral of computer crimes to law enforcement”; ensuring that organizations can defend their interests in civil litigation; addressing claims of destruction of evidence when necessary; reducing the limits of liability; better protecting organizational assets; and complying with privacy laws and maintaining information integrity standards and regulations.

Rules of Evidence and Chain of Custody

The most basic rule is admissibility. The evidence must be usable in court or elsewhere. Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except that the cost is higher. Secondly, the evidence must be authentic. If one cannot tie the evidence positively to the incident, one cannot use it to prove anything. One must be able to show that the evidence relates to the incident in a relevant way. Moreover, it is not enough to collect evidence that only supports one’s own perspective of the incident. Not only should one collect evidence that can help prove the attacker’s actions, but for completeness it is also necessary to consider and evaluate all evidence available to the investigators and retain anything that may contradict or otherwise diminish the reliability of other potentially incriminating evidence held about the suspect. Similarly, it is vital to collect evidence that eliminates alternative suspects. Additionally, the evidence collection and analysis procedures must not cast doubt on the result. The evidence presented should be clear, easy to understand, and believable to a jury.

Documentation and Chain of Custody

There are many pieces of information that may be included in a chain of custody form, depending on the evidence collected and the nature of the case. For example, standard details to include are the date and time of collection, the name of the investigator, and the location of collection. The chain of custody form may also include the reason for collection, relevant serial numbers, a physical description of the collected item, and the method of capture. Chain of custody forms should also include the signatures of the individuals who were in possession of the evidence and the dates of transfer. Not only is it very important to document the facts and details correctly on the chain of custody form, but also to preserve evidence in tamper-proof bags. Superior Bag, for example, provides secure, tamper-evident evidence bags with space to write important case details such as the case number, victim information, and the location of the crime scene. Additionally, modern software systems can help track physical and digital evidence at all times. It is also recommended to label all evidence as soon as it is found, to have a witness for everything in order to increase credibility, and to assign a unique identification number or bar code to each piece of evidence.
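The hashing-at-acquisition step described under Process of Evidence Gathering and the chain of custody form described above can be combined in a small ledger. The following is an added example, not code from the original article or from any forensic product; the item fields, the constructed sample image and the hash-linking of transfer entries are assumptions chosen to illustrate the idea.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for a forensic image acquired behind a write blocker.
SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"\x55\xaa"


def sha256_hex(data: bytes) -> str:
    """Hash the bytes; run the same function over the original and the image."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """One record per evidence item; each custody transfer is appended and hash-linked."""

    def __init__(self, item_id, description, serial, collected_by, location, method):
        self.record = {
            "item_id": item_id, "description": description, "serial": serial,
            "collected_by": collected_by, "location": location, "method": method,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "evidence_sha256": None, "transfers": [],
        }

    def seal(self, image: bytes) -> str:
        """Record the image hash at acquisition time; later audits compare against it."""
        self.record["evidence_sha256"] = sha256_hex(image)
        return self.record["evidence_sha256"]

    def transfer(self, from_person, to_person, reason, when=None) -> str:
        """Log a hand-over; the entry hash covers the previous hash, so entries cannot be reordered."""
        transfers = self.record["transfers"]
        prev = transfers[-1]["entry_hash"] if transfers else self.record["evidence_sha256"]
        entry = {"from": from_person, "to": to_person, "reason": reason,
                 "at": when or datetime.now(timezone.utc).isoformat(), "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        transfers.append(entry)
        return entry["entry_hash"]

    def audit(self, image: bytes) -> bool:
        """True only if the image still matches its sealed hash and no transfer entry was altered."""
        if sha256_hex(image) != self.record["evidence_sha256"]:
            return False
        prev = self.record["evidence_sha256"]
        for e in self.record["transfers"]:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```

A single flipped byte in the image, or an edited name on any transfer entry, makes `audit` return False, which is the property a custody record must give a court.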

Authors: Sam O. Aduafo, Member of the Institute of ICT Professionals, Ghana, and CyberGhana; Stephen Hasford, Member of the Institute of ICT Professionals, Ghana, and Technical Director, Ghana National Youth in Cybersecurity Technology (NYCT) Program