Preserving the Crime Scene
The preservation of a digital crime scene requires that standard recommended procedures be followed. According to Houck, Crispino, and McAdam (2012), preserving the crime scene is aimed at reducing the chances of the digital evidence being tampered with. Preservation of the crime scene forms part of the digital investigation process (Wiles and Reyes, 2007). All parties concerned with the crime will need to be questioned, and the location of the crime scene will need to be identified, before preservation begins.
Performing a live analysis will require the computer to be disconnected from the network. This ensures that data cannot be modified from a remote system (Houck, Crispino, and McAdam, 2012). During the preservation process, care needs to be taken to ensure that potential evidence residing in the different storage areas, such as word-processing files and spreadsheets, is not compromised. According to Vacca (2005), simple actions such as booting a computer or running the operating system can easily cause existing files to be overwritten, because the boot process itself creates new files. Open files on the system need to be recorded to a temporary buffer directory, ideally on separate media, so that the original evidence is not overwritten (Houck, Crispino, and McAdam, 2012). Once the live analysis is complete, the system is turned off so that a dead analysis can be carried out. The system is switched off by removing power rather than through the operating system's shutdown prompts and menus, since a graceful shutdown writes to disk. The data saved from the live or dead analysis is then given a cryptographic hash (for example SHA-256) at the time of acquisition; recomputing the hash later and comparing it with the recorded value demonstrates that no changes to the collected data have occurred.
Preserving the Evidence
Any evidence collected will have to be preserved appropriately, and a number of approaches can be used. Two principles govern the preservation of digital evidence: duplication (working from a copy, never from the original) and authentication (proving that the copy matches the original). First, the database administrator's computer system and its storage media will be placed in secure storage so that the originals remain available. Secondly, only the information that may contain evidence will be extracted; this will include memory captures, system and application logs, and registry hives. Log records hold a significant amount of data that is routinely used in evidence collection. Thirdly, all material from the database administrator's system will be saved as a forensic image, a bit-for-bit copy whose hash is recorded at the time of acquisition.
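The duplication and authentication principles described above, and the hashing step from the crime-scene section, as an added example that is not part of the original text. The "device" is a constructed byte string standing in for a write-blocked raw disk; the chunked read, the dual MD5/SHA-256 digests and the `evidence.dd` file name are assumptions made for illustration.

```python
"""Added example (not from the original page): duplication and authentication
of digital evidence. A source is copied bit-for-bit while being hashed, the
digests are recorded, and the copy can later be re-hashed to prove that it is
unchanged. The 'source' is a constructed byte string standing in for a raw
device; in practice it would be a write-blocked device (e.g. /dev/sdb) read in
exactly the same chunked way.
"""
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20                  # read 1 MiB at a time; multi-GB sources never sit in RAM
ALGORITHMS = ("md5", "sha256")   # MD5 for legacy tool compatibility, SHA-256 for strength


def acquire_image(source, dest_path):
    """Copy `source` (a binary file object) to `dest_path` byte for byte,
    hashing each chunk as it is read so the recorded digests describe exactly
    the bytes that were acquired. Returns the acquisition record."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    total = 0
    source.seek(0)
    with open(dest_path, "wb") as out:
        while chunk := source.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
            out.write(chunk)
            total += len(chunk)
    return {"bytes": total, **{n: h.hexdigest() for n, h in hashers.items()}}


def hash_file(path):
    """Re-hash a stored image with the same algorithms used at acquisition."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fp:
        while chunk := fp.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hashers.items()}


def verify_image(path, record):
    """True only if every recorded digest matches the image as it is now."""
    current = hash_file(path)
    return all(current[name] == record[name] for name in ALGORITHMS)


def acquisition_demo():
    """Acquire a constructed ~3 MiB 'device', verify the copy, then flip one
    byte in the copy and show that verification fails. Returns the outcomes."""
    # Constructed sample source: a fake boot sector followed by filler bytes.
    payload = b"FAKE-MBR" + bytes(range(256)) * (3 * 4096) + b"\x55\xaa"
    source = io.BytesIO(payload)
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        record = acquire_image(source, image)
        intact = verify_image(image, record)
        # Simulate tampering (or media corruption): change a single byte.
        with open(image, "r+b") as fp:
            fp.seek(1000)
            original = fp.read(1)
            fp.seek(1000)
            fp.write(b"\x00" if original != b"\x00" else b"\x01")
        tampered = verify_image(image, record)
    return {
        "bytes_match": record["bytes"] == len(payload),
        "sha256_matches_source": record["sha256"] == hashlib.sha256(payload).hexdigest(),
        "verified_before_tamper": intact,
        "verified_after_tamper": tampered,
    }


if __name__ == "__main__":
    print(acquisition_demo())
```

Hashing the chunks as they stream off the source, rather than hashing the finished file afterwards, means the recorded digest describes what was read from the original device; a later mismatch therefore points at the copy or its handling, not at the acquisition.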
Transportation
Transporting the evidence or data collected from the analysis to the digital laboratory for further processing is a vital step. Documentation will be required whenever evidence is moved from the crime scene to the laboratory. This documentation maintains a chain of custody for all evidence being transported: who handled each item, when, and for what purpose. It will be used to confirm that the evidence arrived at the laboratory in the very same condition in which it was collected from the digital crime scene, typically by recomputing each item's hash on receipt and comparing it with the value recorded at collection. This becomes significant in establishing accountability should the evidence be reported to be compromised (Vacca, 2005).
The digital evidence being transported will have to be kept away from magnetic fields. Additionally, devices that may produce any form of static electricity will have to be kept away from the evidence during transportation (National Institute of Justice, 2010). Further, computers and other electronic devices being transported will have to be packaged securely so that damage does not occur because of shocks and vibrations generated during transportation. Storing the digital evidence in vehicles for long periods may damage it, because heat and humidity can damage digital media (National Institute of Justice, 2010).
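One way to keep the custody documentation described above tamper-evident, as an added example rather than a procedure from the original text: each custody event carries the item's acquisition hash and is linked to the previous event by a hash, so an edited, removed or reordered entry is detectable, and the hash computed on receipt at the laboratory is compared with the one recorded at collection. The item identifier, names and timestamps are constructed, and the record layout is an assumption, not a standard the text prescribes.

```python
"""Added example (not from the original page): a tamper-evident chain-of-custody
record. Each entry records who did what to which evidence item and when,
carries the item's acquisition hash, and is linked to the previous entry by a
hash, so a missing or altered entry is detectable. Identifiers, names and
timestamps are constructed; the entry format is an assumption.
"""
import hashlib
import json

GENESIS = "0" * 64   # previous-entry hash for the first record


def _entry_hash(entry):
    """Hash the canonical JSON form of an entry (sorted keys, no whitespace)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_entry(log, *, item_id, action, actor, timestamp, item_sha256, note=""):
    """Append a custody event and return it. The entry is bound to the previous
    one through `prev_hash`, which makes the log a hash chain."""
    entry = {
        "item_id": item_id,          # evidence bag / image identifier
        "action": action,            # collected, sealed, transferred, received, ...
        "actor": actor,
        "timestamp": timestamp,      # ISO 8601, UTC
        "item_sha256": item_sha256,  # hash recorded at acquisition
        "note": note,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(dict(entry))
    log.append(entry)
    return entry


def verify_log(log):
    """Return (ok, reason). Checks every entry's own hash and its link to the
    previous entry, so deleting, reordering or editing an entry is detected."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: broken link to previous entry"
        if _entry_hash(body) != entry["entry_hash"]:
            return False, f"entry {i}: contents do not match entry hash"
        prev = entry["entry_hash"]
    return True, "chain intact"


def receipt_matches(log, item_id, sha256_on_receipt):
    """On arrival at the laboratory, compare the freshly computed hash of the
    item with the hash recorded when it was collected."""
    first = next(e for e in log if e["item_id"] == item_id and e["action"] == "collected")
    return first["item_sha256"] == sha256_on_receipt


def custody_demo():
    """Build a three-event log, verify it, then alter one field and show that
    verification fails. Returns the outcomes."""
    log = []
    img_hash = hashlib.sha256(b"constructed evidence image").hexdigest()
    append_entry(log, item_id="E-001", action="collected", actor="J. Doe",
                 timestamp="2024-01-01T10:15:00Z", item_sha256=img_hash,
                 note="DBA workstation, seized from office 12")
    append_entry(log, item_id="E-001", action="transferred", actor="J. Doe",
                 timestamp="2024-01-01T12:00:00Z", item_sha256=img_hash,
                 note="handed to courier in sealed anti-static bag")
    append_entry(log, item_id="E-001", action="received", actor="Lab intake",
                 timestamp="2024-01-01T15:30:00Z", item_sha256=img_hash)
    ok_before, _ = verify_log(log)
    arrived_intact = receipt_matches(log, "E-001", img_hash)
    log[1]["actor"] = "Unknown"          # someone later rewrites who handled the transfer
    ok_after, reason = verify_log(log)
    return {"intact": ok_before, "arrived_intact": arrived_intact,
            "tampered_detected": not ok_after, "reason": reason}


if __name__ == "__main__":
    print(custody_demo())
```

The chain only proves that the log has not been edited after the fact; it does not replace signatures on the physical custody form or the witness who sealed the bag, and the hash recorded at collection is only as good as the acquisition that produced it.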
Physical and Logical Places Where Potential Evidence Can Be Located on the Suspect's Computer and Network Servers
Potential evidence can be obtained from a variety of areas in the crime scene. The computer system itself has valuable components that can aid the investigation. Potential evidence will be obtained by assessing the suspect's computer and any other computers that may have been used to send the unauthorized emails. Critical areas to search for potential evidence will be logs, tools, and files. Documents, hardware, software, emails and their attachments, chat logs, and data stored on external devices are all potential sources of evidence (National Institute of Justice, 2010). Further, internet browsing history will reveal recent websites that the perpetrator may have used to contact the co-conspirators.
Any hard drives found at the crime scene may contain valuable information and therefore need to be analyzed for any evidence or clues that may be linked with the crime. Furthermore, portable hard drives may have been used to transfer information between various computers in the organization. Removable media such as compact discs may contain information that the perpetrator copied when transferring data. Therefore, it becomes important that any compact discs or digital versatile discs (DVDs) be kept as potential evidence (National Institute of Justice, 2010). Moreover, handheld devices such as cameras and mobile phones, which can be used for digital photography and communication, may provide information that establishes a link between the perpetrator and other conspirators (National Institute of Justice, 2010). Potential evidence may also exist in peripheral devices that may have been used to extend the user's access to the computer systems. These devices include memory card readers, VoIP devices, and USB and FireWire hubs (National Institute of Justice, 2010).
Surveillance equipment in the area may also offer significant information on the suspect's activities and access to other company information. Networked computers may provide information on any email messages the perpetrator sent and on the recipients of those messages. Internet protocol (IP) addresses and local area network (MAC) addresses may be vital sources of evidence (National Institute of Justice, 2010).
The first step when conducting an email investigation is retrieving the message header (Appel, 2011). The message header contains the routing information (the Received lines) that records the path the message took from its origin. Any emails the perpetrator received from the senders should be viewed directly on his or her computer, since forwarding a message discards the original Received chain. When using Yahoo Mail there is a link labelled "Full Headers" at the bottom of the page; in Outlook, routing information can be obtained from "Options", and in Gmail clicking the reply button and then selecting "Show Original" provides the routing information (Appel, 2011). Each email service provider documents the procedure for obtaining message headers in its help pages.
The second step consists of analyzing the message header to obtain the sender's email address and IP address. The sender's IP address is recorded in the Received lines added by each mail server the message passed through; reading these lines from the top (the recipient's own server) downward traces the message back toward the server that first accepted it. Thirdly, after obtaining the IP address, a reverse DNS or WHOIS lookup, or an IP geolocation service, is used to identify the ISP and the geographical region from which the email originated (Appel, 2011). A warrant or other formal legal process will then be required to compel the ISP and mail service provider to disclose the identity of the sender.
Caution needs to be taken, since the sender may have created a fake account for the purpose of committing the crime, and Received lines below those added by trusted servers can be forged by the sender. Thus it is essential to analyze critically the content of the email and the context of the message sent. Some email accounts provide public profiles that can identify the sender (Appel, 2011), and these may provide links to the sender's websites or social media accounts. If this process fails, engaging the sender in supposedly genuine subsequent dealings may lead to his or her identification. However, this requires expertise so as not to alert the sender that he or she is being trapped (Appel, 2011).
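The header analysis from the second step, together with the forgery caution above, as an added example that is not part of the original text. It parses the Received lines of a constructed message, contrasts the naive "bottom-most Received line" reading with one that only trusts lines written by the investigating organisation's own servers, and filters out private addresses that cannot identify an external sender. `TRUSTED_SERVERS`, the host names and the IP addresses are assumptions; the reverse DNS or WHOIS step that follows in the text needs network access and is left out.

```python
"""Added example (not from the original page): extracting the sender's IP
address from the Received lines of a message header and deciding which of
those lines can be trusted. The message, host names and addresses are
constructed; TRUSTED_SERVERS is an assumed list of the investigating
organisation's own mail servers.
"""
import email
import ipaddress
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)")

# Addresses that cannot identify an external sender (RFC 1918, loopback,
# link-local). Deliberately not ipaddress's is_global, which also rejects the
# documentation ranges used in the constructed sample below.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

TRUSTED_SERVERS = {"mail-store.example.org", "mx1.example.org"}  # assumed


def is_routable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def parse_hops(raw_message):
    """Return Received hops in header order (newest first). Each hop records
    the 'from' host, the 'by' host that wrote the line, and the routable IPs
    that appear in it."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        m = HOP_RE.search(text)
        hops.append({
            "from": m.group("frm") if m else "",
            "by": m.group("by") if m else "",
            "ips": [ip for ip in IP_RE.findall(text) if is_routable(ip)],
        })
    return hops


def bottom_received_ip(hops):
    """The naive reading: take the IP in the last (oldest) Received line.
    A sender can put arbitrary Received lines in the message before sending,
    so this value is attacker-controlled."""
    for hop in reversed(hops):
        if hop["ips"]:
            return hop["ips"][0]
    return None


def originating_ip(hops, trusted=TRUSTED_SERVERS):
    """Walk from the newest line downward. Lines written 'by' our own servers
    are trustworthy; the innermost of them names the external host that
    actually connected to us. Everything below it is unverifiable."""
    candidate = None
    for hop in hops:
        if hop["by"] not in trusted:
            break
        if hop["ips"]:
            candidate = hop["ips"][0]
    return candidate


# Constructed sample: the bottom Received line was planted by the sender.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.168.10.5])
        by mail-store.example.org with ESMTP id A1B2C3
        for <victim@example.org>; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.isp-net.example (relay.isp-net.example [203.0.113.7])
        by mx1.example.org with ESMTPS id D4E5F6;
        Mon, 1 Jan 2024 10:00:01 +0000
Received: from innocent-host.example (innocent-host.example [198.51.100.42])
        by relay.isp-net.example with SMTP;
        Mon, 1 Jan 2024 09:59:58 +0000
From: "Database Admin" <dba@isp-net.example>
To: victim@example.org
Subject: Confidential

Message body.
"""


def header_demo():
    hops = parse_hops(SAMPLE)
    return {"hops": len(hops),
            "naive": bottom_received_ip(hops),
            "trusted": originating_ip(hops)}


if __name__ == "__main__":
    print(header_demo())
```

The two functions disagree on the sample: the bottom line points at 198.51.100.42, which the sender could have written, while the innermost line written by the organisation's own server shows that 203.0.113.7 actually delivered the message. The reverse lookup and the request to the ISP in the text should start from the latter.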
Process of Recovering Data That May Have Been Deleted from the Suspect's Computer
When files are deleted on the suspect's computer, the data can still be recovered. Deleting a file normally removes only the file system's reference to it; the data written to the hard disk remains there until it is overwritten by new data or physically erased, for example with a degausser (Wiles and Reyes, 2007). On solid-state drives that support TRIM, the drive itself may clear deleted blocks, so recovery is far less reliable than on magnetic disks. The recovery process requires forensic software. Deleted-file recovery tools are very beneficial in retrieving damaged, deleted, or corrupted files (Wiles and Reyes, 2007). The Active@ UNDELETE software, for example, enables the recovery of data from large hard disks and removable drives.
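Why deleted data remains recoverable until it is overwritten, shown by signature-based carving of unallocated space, as an added example and not the method of any tool named in the text. The disk image is constructed (zero filler around a small JPEG-shaped and a small PDF-shaped file whose directory entries are assumed gone); the signature table and the size limit are assumptions. The second carve shows the failure mode the text warns about: once new data lands on part of a deleted file, only a fragment comes back.

```python
"""Added example (not from the original page): recovering deleted files from
unallocated space by signature ('carving'), which works because deletion
removes only the file-system reference and leaves the bytes in place until
they are overwritten. The disk image below is constructed; the signature
table and size limit are assumptions chosen for the demo.
"""

# file type -> (header bytes, footer bytes that terminate the file)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf":  (b"%PDF-", b"%%EOF"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE = 16 * 1024 * 1024   # stop looking for a footer after 16 MiB


def carve(image, signatures=SIGNATURES, max_file=MAX_FILE):
    """Scan a bytes-like image (bytes or an mmap of a raw image) for every
    header; for each, look for the matching footer within max_file bytes.
    A hit without a footer is reported as incomplete: its tail is gone."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_file)
            if end == -1:
                found.append({"type": kind, "offset": pos, "complete": False,
                              "data": bytes(image[pos:pos + max_file])})
                pos = image.find(header, pos + len(header))
            else:
                end += len(footer)
                found.append({"type": kind, "offset": pos, "complete": True,
                              "data": bytes(image[pos:end])})
                pos = image.find(header, end)
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image():
    """Constructed 'unallocated space': zero filler around a tiny JPEG-shaped
    file and a tiny PDF-shaped file whose directory entries no longer exist."""
    filler = b"\x00" * 4096
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x7f" * 200 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF"
    return filler + jpeg + filler + pdf + filler, jpeg, pdf


def carving_demo():
    """Carve the intact image, then overwrite most of the deleted JPEG (as a
    later write on a live system would) and carve again."""
    image, jpeg, pdf = build_sample_image()
    before = carve(image)
    damaged = bytearray(image)
    jpeg_off = 4096
    damaged[jpeg_off + 20:jpeg_off + len(jpeg)] = b"N" * (len(jpeg) - 20)
    after = carve(bytes(damaged))
    return {
        "before": [(f["type"], f["complete"]) for f in before],
        "jpeg_recovered": before[0]["data"] == jpeg,
        "pdf_recovered": before[1]["data"] == pdf,
        "after": [(f["type"], f["complete"]) for f in after],
    }


if __name__ == "__main__":
    print(carving_demo())
```

Carving recovers content, not names, timestamps or ownership; those come from the file system's own deleted entries, which recovery tools such as the one named above read in addition to unallocated space. On a real image the `image` argument would be an `mmap` of the sector-by-sector acquisition rather than an in-memory byte string.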
Description of Tools for the Investigation
Camera
Photography will be used to capture the arrangement of the room where the computer system is located, including what is displayed on any screens and how devices are connected. Photography is important in cases where a court of law may require a reconstruction of the crime scene.
Voice Recorder
A voice recorder will be used for conducting interviews with the personnel involved in the incident. This will be beneficial in collecting statements that may be used in a court of law.
Field Kit
The field kit will consist of gloves; marker pens for marking recovered items; a screwdriver, side-cutters, and pliers for removing cable ties where necessary; a property register for recording the movement of property; and evidence labels for labelling the different pieces of evidence. Labelling all details such as wires, cables, and other devices is significant. According to Sheetz (2007), this assists in ascertaining the purpose of each cable and component of the workstation area, and gives the legal team an understanding of how a given computer environment functions.
EnCase
This forensic tool will be used to create a drive image of the suspect's computer. According to Solomon, Barrett, and Broom (2008), EnCase creates complete images of the drives in the computer. EnCase will also be used to perform a sector-by-sector acquisition of the suspect's hard drive, which captures unallocated space and so allows deleted files to be identified and collected (Kanellis, 2006).
Paraben's Email Examiner
Paraben's Email Examiner will be used to recover emails that have been deleted from mail folders (Doherty, Purdy, and Liesbesfeld, 2008), including messages that were removed from the Deleted Items folder.
FTK Imager
Imaging will be done using FTK Imager, which will be used to create an evidence disk (Lewis, 2007). FTK Imager will be run from a sanitized USB thumb drive inserted into the suspect's system, and the same drive, or a second sanitized drive, provides the storage space for the acquired images and files, so that nothing is written to the suspect's own disk. The drive in the system from which the evidence is to be extracted is then selected as the source. The summary image information will be verified to ensure it is correct; this involves confirming that the source, destination, and summary file information are all correct, and that the hash values FTK Imager computes for the source and for the image match (Lewis, 2007).
Password Recovery Toolkit
This software will be essential if the suspect fails to provide the password for his or her computer (Lewis, 2007), since a password may limit access to the evidence. The password recovery tool will be run from a thumb drive; once it finishes its operation, any password it has recovered for the computer will be reported.
References
Appel, E. J. (2011). Internet searches for vetting, investigations, and open-source intelligence. Boca Raton, FL: CRC Press.
Doherty, E., Purdy, D., & Liesbesfeld, J. (2008). Computing and investigations for everyone. Bloomington, IN: AuthorHouse.
Houck, M. M., Crispino, F., & McAdam, T. (2012). The science of crime scenes. Waltham, MA: Academic Press.
Kanellis, P. (2006). Digital crime and forensic science in cyberspace. Hershey, PA: Idea Group Publishing.
Lewis, J. A. (2007). Corporate computer forensics training system text manual (Vol. 1). Leslie, MI: Cyber Defense and Research Initiative.
National Institute of Justice. (2010). Electronic crime scene investigation: A guide for first responders (2nd ed.). Darby, PA: Diane Publishing.
Sheetz, M. (2007). Computer forensics: An essential guide for accountants, lawyers, and managers. Hoboken, NJ: John Wiley & Sons.
Solomon, M., Barrett, D., & Broom, N. (2008). Computer forensics JumpStart. CA: John Wiley & Sons.
Vacca, J. R. (2005). Computer forensics: Computer crime scene investigation (2nd ed.). Hingham, MA: Charles River Media.
Wiles, J., & Reyes, A. (2007). The best damn cybercrime and digital forensics book period. Rockland, MA: Syngress.