Introduction
Computer forensics concerns the technical knowledge necessary for the collection, analysis and provision of digital evidence in a court of law. It refers to the collection, discovery and preservation of digital data for use in court for the protection of entities or individuals (Bayuk, 2010). The field developed in response to the major increase in electronic crime since the 1970s, especially in the financial sector.
Computer Anti-Forensics
Anti-forensics comprises the tools, procedures and techniques that undermine forensic tools and the work of forensic investigators. It aims to disrupt the collection of information, avoid detection, increase investigation time and reduce the credibility of the forensic report. Computer anti-forensics arose from the countermeasures computer criminals adopt to derail investigation procedures; its goal is to alter or hide digital evidence so that it ceases to be admissible in a court of law. The methodologies used can affect the computer forensics process at any of its stages.
According to Daniels (2008), anti-forensics is the technology involved in avoiding the detection of incriminating evidence or data. The techniques involved include elimination of sources, destruction of evidence, hiding of data and creation of counterfeit evidence. Destruction of evidence may involve corrupting the physical or logical address of the data; a crude method is using a magnet to destroy a hard drive. Data hiding may be carried out by modifying logs, run-time libraries or even the operating system. Data may also be hidden in slack memory or space (the unused space between the sectors or partitions of mass storage). These hiding places are collectively referred to as covert channels.
Anti-forensic Methodologies
Computer criminals may eliminate a data source through log and disk wiping, using specialized tools to delete any traces of data from mass storage. The targeted files may include all MFT entries and orphan files. This method is only available to digital criminals before the investigators acquire an image of the data. Data may also be hidden or manipulated so that it is difficult to access or analyze, for example by altering file headers and extensions or by setting up unusual directories. This technique aims to ensure that the hidden files are overlooked during the data imaging process.
Data hiding may also be executed via steganography, which hides data within other data to obscure its presence. The same procedure can be used legitimately in the form of digital watermarks as a protective mechanism against copyright infringement. Data can also be concealed by encryption, which renders examination of the data futile. However, encryption is expensive and time-consuming.
Computer forensics may also be disabled through direct attacks on the forensic software itself. This means trying to create a vulnerability in the software so that the credibility of the corresponding evidence is questioned and rendered unreliable. The reliability of digital evidence may also be questioned through timestamp modification, that is, altering the metadata that records when the contents of a file were created, changed or updated. It has been found that effective counter-forensic methodologies are easy to find through internet search engines (Jahankhani, Hessami, & Hsu, 2009).
Practical experiments on anti-forensic techniques found that not all of them are effective against computer forensic tools and software; encryption and steganography were found to be the two most effective (Stewart, 2011).
Anti-Forensics Tools
One of the common anti-forensic tools is Timestomp, which can alter timestamps. Transmogrify lets a user change the headers and extensions of files and folders. Slacker breaks a file into pieces and stores them in the slack space of other files. The Sam Juicer tool allows passwords to be encrypted without leaving traces of its execution. Data can also be inserted into null directories using the KY tool. Data stored on hard drives can be destroyed using Data Mule, which attacks the reserved space (Bayuk, 2010). Signature-based inspection can be evaded using randomizers, which generate random file names.
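As an added example (not code from the page or from any of the tools it names), the following Python check shows how an examiner can detect the header and extension manipulation described in the methodology section and attributed to Transmogrify above: the leading bytes of each file are compared against well-known signatures and any disagreement with the extension is reported. The signature table is deliberately partial and the sample headers are constructed.

```python
import os
from typing import Optional

# Well-known file signatures (magic numbers); the table is deliberately partial.
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],   # also the container for docx/xlsx/jar
    "exe": [b"MZ"],
    "elf": [b"\x7fELF"],
}
# Extensions that legitimately share a signature with an entry above.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip", "dll": "exe"}

def identify(header: bytes) -> set:
    """Return every known type whose signature matches the leading bytes."""
    return {t for t, sigs in SIGNATURES.items() if any(header.startswith(s) for s in sigs)}

def check_file(name: str, header: bytes) -> Optional[str]:
    """Return a finding if the extension disagrees with the content, else None."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    found = identify(header)
    if ext in SIGNATURES and not found:
        return f"{name}: claims {ext} but header {header[:4]!r} matches no known type"
    if found and ext not in found:
        return f"{name}: extension {ext or '(none)'} but content looks like {sorted(found)}"
    return None  # extension and content agree, or the type is unknown to the table

def triage(files: dict) -> list:
    """Run check_file over a {name: leading_bytes} mapping and keep only findings."""
    return [f for f in (check_file(n, h) for n, h in sorted(files.items())) if f]

# Constructed sample headers (not real evidence): two legitimate files, one
# executable renamed to .txt, and one PDF renamed to .png.
SAMPLE = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",
    "photo.png": b"%PDF-1.4\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On real evidence the check is run over the first few hundred bytes of every file in an image rather than over this constructed mapping.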
Crimes Involving Digital Evidence
The world today is a hive of activity, most of it occurring online. Much of this activity is illegal, hence the need for control measures against it. Such crimes include software piracy, economic fraud and counterfeiting, identity theft, computer intrusion, online gambling and extortion, harassment and terrorist threats, and child exploitation.
In the recent past, computer forensic evidence has become reliable and admissible in courts of law (Vacca, 2005). Digital criminals leave traces of evidence on computers, often without knowing it. Both the private and public sectors use computer forensics to conduct investigations (Maras, 2011). Such digital evidence is analyzed and provided by computer forensic experts before it is presented in any court of law.
Government agencies such as the FBI use computer forensic evidence to track emails and so follow up on potential criminal or terrorist activity, fraud, extortion and distribution of computer viruses. Computer forensics can also detect violations of digital or computer laws, such as storage of pirated software on a firm's computer and destruction of data.
Basic Forensic Tools
Basic forensic tools are the means and techniques available to forensic experts for the analysis of evidence and the determination of its admissibility. Computer forensics is a broad field that deals with a range of areas in the digital and electronic world, including cracking of passwords, remote monitoring of computers, tracing of online activities, recovery and retrieval of deleted data, location of stolen computers and identification of software pirates (Daniel, 2011).
Forensic experts have the technology, software and hardware needed to access hard drives and copy any data therein. Such experts offer services such as remote monitoring of networks and PCs, following up on internet activity, tracing threatening emails, and decrypting emails and files. Firms find it necessary to employ computer forensics when there is a substantial risk of loss of information. Threatened lawsuits, potential damage to a firm's brand or simply regular check-ups of employees' computers may also create a need for forensic expertise (Lewis and Brian, 2006).
Types of Investigations Using Computer Forensics
The expertise of computer forensic professionals may be required when firms call for internal investigations. In such instances a subpoena or search warrant is not mandatory, and the process is remarkably similar to an internal audit of the firm's IT infrastructure. Civil cases in which two or more individuals disagree, for example over the true ownership of some intellectual property, may also call for such investigations; here the digital evidence requires sufficient authentication. Criminal cases, for example those involving serious charges such as intent to partake in criminal activities or child pornography, invoke serious computer forensic investigations. These investigations must be accurate, since the stakes are high and the consequences life-threatening.
Advantages of Computer Forensics
Computer forensics has become increasingly beneficial, especially since the recent increase in digital crime. Companies have managed to curb illegal financial activities by employees that would otherwise have resulted in massive financial losses, both directly and in the form of penalties. Employees are found to be more disciplined when they know they are under scrutiny; therefore, computer forensics has improved the integrity of the workforce. Furthermore, with recent technology, experts can determine any changes made to computer networks and databases and even trace the culprit, even if he or she worked remotely (Ec-Council, 2009).
Computer forensics is also essential in tracking down terrorists and cyber criminals in various parts of the world by tracing the IP addresses they use for communication (Clarke, 2010). It further proves useful in cases of email spamming and child pornography. By using computer forensics technology, organizations save time and money.
Qualities of a Good Investigation
In the course of an investigation, the forensic expert has to observe certain guidelines so as not to tamper with or alter the digital evidence. Likewise, the forensic professional is responsible for avoiding the introduction of any malware that might distort the digital evidence. Experts should also be careful when extracting data from the source database, so that the source is left unaltered (Mohay, 2006).
The normal ethics governing any investigation, together with the necessary protocol such as search permits, should also be adhered to. Besides observing the highest level of ethics, the investigator should be unbiased and present the details of the case as facts, not opinions. The investigator should seek assistance when needed to complete the investigation effectively (Newman, 2007). Any findings should be properly documented for easy reference. Equally important, the investigator should be consistent in the methodology used while carrying out investigations (Olivier, 2006).
Conclusion
Carrier (2003) observes that a normal forensic investigation occurs in three stages: acquisition, analysis and presentation. The acquisition stage involves extracting, copying and storing data from the specific digital evidence. It is at this stage that investigators should be especially careful in how they handle the data. During this phase, the relevant tools copy all the data from the suspect device to the investigator's central computer.
During the analysis stage the data is analyzed and closely monitored. This stage mainly aims at acquiring specific information from the database for use as evidence (Lewis and Brian, 2006). Such evidence may be inculpatory, exculpatory or evidence of tampering. Inculpatory evidence is consistent with a certain theory; exculpatory evidence contradicts a certain theory or way of thinking (Nelson, 2006). Evidence of tampering shows that modifications have been made to the system by an unauthorized person.
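The acquisition stage and the tampering check above, illustrated with an added Python example (not code from the page or its cited sources): a byte-for-byte copy of a constructed "suspect" image is taken in chunks, its SHA-256 is recorded in a manifest, and the working copy is re-hashed afterwards so that even a single altered byte is detected. The file paths, the manifest layout and the fake device contents are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # stream in chunks so large images never sit wholly in memory

def sha256_file(path: str) -> str:
    """Hash a file on disk in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(src: str, dst: str) -> dict:
    """Copy src to dst byte for byte, hashing the source as it is read."""
    h_src = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h_src.update(block)
            fout.write(block)
    manifest = {"source": src, "image": dst, "bytes": os.path.getsize(dst),
                "sha256": h_src.hexdigest()}
    # The copy is only verified if it hashes to the same value as the source.
    manifest["verified"] = sha256_file(dst) == manifest["sha256"]
    return manifest

def verify(image: str, manifest: dict) -> bool:
    """Re-hash the working copy; False means it no longer matches the record."""
    return sha256_file(image) == manifest["sha256"]

def demo() -> tuple:
    """Constructed scenario: image a fake 'device', then flip one byte of the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "suspect.bin")
        image = os.path.join(tmp, "suspect.dd")
        with open(device, "wb") as f:            # deterministic stand-in for a disk
            f.write(bytes(range(256)) * 800)
        manifest = acquire(device, image)
        intact = verify(image, manifest)
        with open(image, "r+b") as f:            # simulate tampering with the copy
            f.seek(1000)
            f.write(b"X")
        tampered = verify(image, manifest)
        return manifest["verified"], intact, tampered

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

In practice the manifest is stored separately from the image and re-checked before every analysis session, so the hash comparison doubles as the record that no unauthorized modification occurred.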
Computer forensics is a relatively new field with new opportunities. It has helped to curb cyber crime across the globe to a large extent. However, criminals have also become alert and have found ways of escaping the tools and procedures put in place to curtail their activities.
References
Bayuk, J. L. 2010. Cyberforensics: Understanding Information Security Investigations. New York: Humana.
Carrier, B. 2003. Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers. International Journal of Digital Evidence, 1(4), 1-12.
Clarke, N. 2010. Computer Forensics: A Pocket Guide. Ely: IT Governance Pub.
Daniels, J. 2008. Forensic and Anti-forensic Techniques for Object Linking and Embedding 2 (OLE2)-formatted Documents. Utah: ProQuest.
Daniel, L. 2011. Digital Forensics for Legal Professionals: Understanding Digital Evidence.
Ec-Council. 2009. Investigation Procedures and Response, Book 1. Cengage Learning.
Jahankhani, H., Hessami, A. G., & Hsu, F. 2009. Global Security, Safety, and Sustainability: 5th International Conference, ICGS3 2009, London, UK, September 1-2, 2009: Proceedings. Berlin: Springer.
Lewis, P. & Brian, G. 2006. Understanding Data Forensics. Bank Accounting & Finance, 19(6), 36-44.
Maras, M. 2012. Computer Forensics: Cybercriminals, Laws, and Evidence. Sudbury, Mass.: Jones & Bartlett Learning.
Mohay, G. M. 2006. Computer and Intrusion Forensics. Norwood: Artech House.
Nelson, B. 2006. Guide to Computer Forensics and Investigations (2nd ed.). Boston, Mass.: Thomson Course Technology.
Newman, R. C. 2007. Computer Forensics: Evidence Collection and Management. Boca Raton, FL: Auerbach Publications.
Olivier, M. 2006. Advances in Digital Forensics II: IFIP International Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida, January 29 – February 1, 2006. New York, NY: Springer.
Stewart, J. M. 2011. Network Security, Firewalls, and VPNs. Sudbury, Mass.: Jones & Bartlett Learning.
Vacca, J. R. 2005. Computer Forensics: Computer Crime Scene Investigation (2nd ed.). Hingham, Mass.: Charles River Media.