Cybercrime, like other crime, is prosecuted on the strength of evidence collected by detectives and other law enforcement agencies. The forensics team collects that evidence from the crime scene using a range of techniques and tools, and a professional detective is expected both to interview witnesses and to apply the correct method to the scene itself. This paper highlights four mini cases and the methods forensic experts used in each of them to collect evidence. Cyber crimes are crimes committed by people who know how to exploit software, programming, and networking; computer forensics is the digital science of collecting and examining evidence from such a scene so that investigators can get to the bottom of the case and identify the offender.
In the case involving Mr. Kasey and the fire, the arson investigator was given computer evidence to examine. Such evidence should be examined by an investigator who has the expertise to recover passwords and assess digital evidence. If the police at the scene lack that expertise, they collect all the digital evidence, document it, and hand it to a forensic investigator who is trained to handle it. The arson investigation aimed to identify who set the fire deliberately, and the investigator had to examine the available evidence by following a defined series of steps: preparation, extraction, analysis of the extracted data, and conclusion. A computer retrieved from the suspected arsonist is examined for digital evidence in this way. The investigator also verifies the integrity of the data and makes a preliminary inquiry into its authenticity, so that evidence altered before it reached the examiner is detected rather than relied on; in practice this means hashing each acquired image at the moment of collection and re-verifying that hash at every handover. A record of every item collected from the scene or the suspect's house, and of who held it and when, must be maintained. In the selected case, the insurance company wanted the arson investigator to verify its client's claim of $2 million in property damage. The investigator needed evidence to establish whether the client was connected to the fire and whether the claim was accurate rather than fraudulent. To that end the investigator would question the victim and gather information at the scene from onlookers.
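The integrity and record-keeping steps described above, as an added example that is not part of the paper: an image is hashed once at collection, and every later handover re-hashes it and compares against the recorded value, so an alteration between the scene and the examiner shows up in the chain-of-custody log. The evidence item, custodians, timestamps and the "image" bytes are constructed placeholders.

```python
"""Evidence intake and chain-of-custody integrity check (added example).

The reference SHA-256 is recorded when the image is acquired; each transfer
re-hashes the image and logs whether it still matches, so alteration in
transit is detected instead of being relied on.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an acquired image (or any evidence file) as hex."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: str
    custodian: str
    action: str
    observed_hash: str
    matches: bool


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    log: list = field(default_factory=list)


def acquire(item_id: str, description: str, image: bytes, collector: str,
            when: Optional[str] = None) -> EvidenceItem:
    """Record the reference hash at the moment of collection."""
    when = when or datetime.now(timezone.utc).isoformat()
    h = sha256_hex(image)
    item = EvidenceItem(item_id, description, h)
    item.log.append(CustodyEvent(when, collector, "acquired", h, True))
    return item


def transfer(item: EvidenceItem, image: bytes, custodian: str, action: str,
             when: Optional[str] = None) -> bool:
    """Re-hash on every handover; log the result and return whether it matched."""
    when = when or datetime.now(timezone.utc).isoformat()
    h = sha256_hex(image)
    ok = h == item.acquisition_hash
    item.log.append(CustodyEvent(when, custodian, action, h, ok))
    return ok


def custody_report(item: EvidenceItem) -> str:
    """Human-readable chain-of-custody record for the case file."""
    lines = [f"Item {item.item_id}: {item.description}",
             f"Acquisition SHA-256: {item.acquisition_hash}"]
    for e in item.log:
        status = "OK" if e.matches else "MISMATCH"
        lines.append(f"{e.when} {e.custodian:<14} {e.action:<22} "
                     f"{e.observed_hash[:16]}... {status}")
    return "\n".join(lines)


def demo():
    # Constructed stand-in for a disk image; a real one is the raw bytes of the drive.
    image = bytes(range(256)) * 16
    item = acquire("E-001", "Laptop HDD image, suspect residence", image,
                   "Officer A", "2014-03-01T10:00:00Z")
    ok1 = transfer(item, image, "Evidence Room", "received from scene",
                   "2014-03-01T14:30:00Z")
    # Simulated alteration of a single byte before the image reaches the examiner.
    tampered = bytearray(image)
    tampered[1000] ^= 0x01
    ok2 = transfer(item, bytes(tampered), "Examiner B", "received for analysis",
                   "2014-03-02T09:00:00Z")
    return ok1, ok2, item


if __name__ == "__main__":
    _, _, evidence = demo()
    print(custody_report(evidence))
```

The second transfer is logged as a mismatch, which is exactly the situation the text warns about: the examiner can see that what arrived is not what was collected, and the report shows at which handover the hash stopped matching.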
In the case of the bomb threat e-mailed to a school, the investigator needs to evaluate the contents of the e-mail and establish when and where it originated. The server the suspect used to send the anonymous mail needs to be identified from the message headers, and the originating IP address traced back through them; each mail server prepends its own Received header, so the hops are read from the bottom up, and headers added by servers outside the investigator's control may have been forged by the sender, so each earlier hop should be confirmed with the operator of the server that recorded it. If the mail is encrypted, or there is a risk of losing the data, the investigator must act to preserve and document the evidence accurately. In a counterfeiting investigation where e-mails or printed digital evidence are available, the investigator examines that potential digital evidence with the same care. In e-mail threat cases, potential digital evidence includes records of Internet activity, the computers involved, the e-mails themselves, and printed notes. In the bomb threat case the primary digital evidence is the anonymous e-mail received by the school authorities; the investigator should be able to decode its headers and provide information about the sender. A forensic investigation organization also follows a defined method to validate the forensic software it uses in such examinations.
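The header trace described above, as an added example that is not part of the paper. It parses the Received headers of a threatening message, orders them from the sender's side forward, separates the hops recorded by the school's own (trusted) servers from those only claimed by outside relays, and checks that the timestamps run forward. The message, hostnames and addresses are constructed placeholders.

```python
"""Tracing the originating hop of a threatening e-mail (added example).

Received: headers are prepended by each server, so the topmost is the
last hop (nearest the recipient) and the bottom one is nearest the sender.
Only hops recorded by servers the investigator trusts are reliable; every
hop below the first trusted one is a claim that must be confirmed with the
relay operator, since the sender could have forged it.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample; 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_THREAT = """\
Received: from mx.school.example (mx.school.example [192.0.2.10])
\tby mailstore.school.example with ESMTP id 123abc;
\tMon, 3 Mar 2014 08:15:02 -0500
Received: from relay.anonmail.example (relay.anonmail.example [198.51.100.25])
\tby mx.school.example with ESMTPS id 987zyx;
\tMon, 3 Mar 2014 08:14:58 -0500
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby relay.anonmail.example with ESMTPA id 555qqq;
\tMon, 3 Mar 2014 08:14:40 -0500
Message-ID: <4f2c9e1a@relay.anonmail.example>
From: nobody <anon@anonmail.example>
To: office@school.example
Subject: read this
Date: Mon, 3 Mar 2014 08:14:30 -0500

There is a bomb in the building.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
TS_RE = re.compile(r";\s*(.+)$")


def parse_received(raw: str) -> list:
    """Return Received hops in transmission order (index 0 = nearest the sender)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(hdr).split())          # unfold continuation lines
        ips, by, ts = IP_RE.findall(flat), BY_RE.search(flat), TS_RE.search(flat)
        hops.append({
            "from_ip": ips[0] if ips else None,      # address the receiving server saw
            "by": by.group(1) if by else None,       # server that recorded this hop
            "time": parsedate_to_datetime(ts.group(1)) if ts else None,
        })
    return hops


def trace(hops: list, trusted_by: set) -> dict:
    """Split verifiable hops (recorded by our servers) from claimed ones."""
    trusted = [h for h in hops if h["by"] in trusted_by]
    if not trusted:
        return {"last_verifiable_ip": None, "claimed_origin_ip": None, "claimed_hops": hops}
    first_trusted = trusted[0]
    claimed = hops[:hops.index(first_trusted)]
    return {
        # The peer that handed the mail to our infrastructure; this one we can stand behind.
        "last_verifiable_ip": first_trusted["from_ip"],
        # What the outside relay says the origin was; needs the relay's logs to confirm.
        "claimed_origin_ip": claimed[0]["from_ip"] if claimed else first_trusted["from_ip"],
        "claimed_hops": claimed,
    }


def timeline_consistent(hops: list) -> bool:
    """Timestamps should not run backwards along the path; if they do, suspect forgery or clock skew."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return all(a <= b for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    hops = parse_received(SAMPLE_THREAT)
    result = trace(hops, {"mx.school.example", "mailstore.school.example"})
    print("verifiable peer:", result["last_verifiable_ip"])
    print("claimed origin: ", result["claimed_origin_ip"])
    print("timeline ok:    ", timeline_consistent(hops))
```

For the sample, the only address the school can vouch for is the anonymizing relay's (198.51.100.25); the 203.0.113.77 behind it is the relay's claim, and the next step is a request to that relay's operator for its connection logs for the recorded time and message ID.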
The organization would prefer the NIST standardized approach to tool evaluation, the Computer Forensic Tool Testing (CFTT) methodology, to evaluate a forensic software package. Under that approach, validation of a software package proceeds by establishing categories of forensic requirements, identifying the requirements for a particular category, developing test assertions, developing test code, identifying relevant test cases, developing the test method, and reporting test results. The test method combines the software package under evaluation with the procedures needed to complete the test. Methods must be validated because the results the software produces have to be valid and reproducible: a package is considered valid only if repeated testing produces the expected result every time. The International Organization for Standardization (ISO) also provides standards for the management system, document control, corrective actions, and preventive actions that an organization deploying such software should implement. In the case of a hard drive retrieved from a crime scene, the investigator may need to decrypt the disk, recover passwords, and retrieve hidden data. There are forensic tools and methods for recovering evidence from password-protected files, and as technology has changed so have the techniques for recovering passwords from protected files, archives, and documents. Forensic organizations deploy tools such as Passware Kit Enterprise or Passware Kit Forensic, which can decrypt disks protected by BitLocker, TrueCrypt, FileVault, and PGP (Nelson, Phillips, & Steuart, 2014). The procedure is simple from the examiner's side, and once the key is recovered all significant data can be extracted from the disk; the caveat is that such tools depend on recovering the password or the encryption key (for example from a memory image of the running system), and a soundly encrypted disk whose key cannot be recovered yields nothing.
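The validation sequence above, as an added example that is neither the paper's nor NIST's own code: a requirement category (disk imaging), a few requirements, test assertions written as code, test cases including an unreadable sector, repeated runs to check reproducibility, and a report. The imager under test is a toy written for this example, the requirement identifiers are made up and are not CFTT's, and a second, defective imager is included so that a failing validation is visible too.

```python
"""CFTT-style validation harness for a disk-imaging tool (added example).

Requirements -> test assertions -> test cases -> repeated runs -> report.
A tool passes only if every assertion holds and the image hash is identical
across runs (the reproducibility requirement the text describes).
"""
import hashlib

SECTOR = 512


class Source:
    """A constructed 'drive': a byte string read one sector at a time.
    bad_sectors simulates unreadable sectors (read raises IOError)."""
    def __init__(self, data: bytes, bad_sectors=()):
        self.data, self.bad = data, set(bad_sectors)

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"sector {n} unreadable")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def tool_under_test(src: Source):
    """Imager being validated: copies every sector; an unreadable sector is
    replaced by zeros and reported, so the image keeps the source's geometry."""
    out, errors = bytearray(), []
    for n in range(src.sectors):
        try:
            out += src.read(n)
        except IOError:
            out += b"\x00" * SECTOR
            errors.append(n)
    return bytes(out), errors


def skipping_tool(src: Source):
    """Defective imager for contrast: reports the bad sector but omits it,
    so every later sector shifts and the image is short."""
    out, errors = bytearray(), []
    for n in range(src.sectors):
        try:
            out += src.read(n)
        except IOError:
            errors.append(n)
    return bytes(out), errors


def sha256(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


# Test assertions (hypothetical IDs): each maps (source, image, errors) -> bool.
ASSERTIONS = {
    "DI-01 all sectors acquired": lambda s, img, e: len(img) == len(s.data),
    "DI-02 image equals source when no errors": lambda s, img, e: len(e) > 0 or sha256(img) == sha256(s.data),
    "DI-03 unreadable sectors reported": lambda s, img, e: set(e) == s.bad,
    "DI-04 bad sectors zero-filled": lambda s, img, e: all(
        img[n * SECTOR:(n + 1) * SECTOR] == b"\x00" * SECTOR for n in e),
}


def run_case(name: str, src: Source, tool=tool_under_test, runs: int = 3) -> dict:
    """Run the tool repeatedly; valid only if all assertions hold on every run
    and the resulting image hash is identical across runs."""
    hashes, results = [], {}
    for _ in range(runs):
        img, errs = tool(src)
        hashes.append(sha256(img))
        run_results = {k: bool(f(src, img, errs)) for k, f in ASSERTIONS.items()}
        results = {k: results.get(k, True) and v for k, v in run_results.items()}
    results["reproducible"] = len(set(hashes)) == 1
    return {"case": name, "tool": tool.__name__, "pass": all(results.values()),
            "results": results, "hash": hashes[0]}


def report(cases: list) -> str:
    lines = []
    for c in cases:
        lines.append(f"{c['case']} [{c['tool']}]: {'PASS' if c['pass'] else 'FAIL'} ({c['hash'][:12]}...)")
        lines.extend(f"  {k}: {'ok' if v else 'FAIL'}" for k, v in c["results"].items())
    return "\n".join(lines)


def demo():
    data = bytes(range(256)) * 8            # 2048 bytes = 4 sectors, constructed
    clean = run_case("clean source", Source(data))
    faulty = run_case("bad sector 2", Source(data, bad_sectors={2}))
    broken = run_case("bad sector 2", Source(data, bad_sectors={2}), tool=skipping_tool)
    return clean, faulty, broken


if __name__ == "__main__":
    print(report(list(demo())))
```

The third case is the point of the exercise: a tool that silently drops an unreadable sector still produces an image, but it fails the completeness assertion, and an organization that had validated only on a clean source would never have noticed.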
Computer forensic tools such as hex editors, file signature analysis and carving, magnetic force microscopes, and electron microscopes are used to examine the contents of a hard disk below the level of the file system. With a hex editor, forensic experts can view the raw bytes written on the disk: the editor works on physical sectors rather than on the files the operating system presents, so it exposes partition tables, file headers, slack space, and unallocated areas that file-level tools hide. A hex editor does not decrypt anything by itself; it is the instrument with which an examiner inspects and, where a key has been recovered, verifies decrypted content. Magnetic force microscopes and electron microscopes have been used to read magnetic traces left on the platter: when a file is saved it leaves such traces, and the literature describes recovery of deleted data from them even after deletion (Solomon, Rudolph, Tittel, Broom, & Barrett, 2011). In practice this is a laboratory technique of little value on modern high-density drives and none on solid-state drives; a deleted file is far more commonly recovered simply because its sectors have not yet been reused.
Another procedure used by forensic experts is file signature analysis combined with carving of the raw disk. Carving scans the sectors of a disk for the headers and footers of known file types irrespective of the file system, so a file whose directory entry has been deleted can still be recovered as long as its sectors have not been overwritten; data that has actually been overwritten or shredded is, as a rule, not recoverable, whatever the number of passes. Signature analysis compares the header of each file with its extension. Suspects change extensions to hide files: an investigator looking for controversial images may find a JPEG saved with a spreadsheet extension, for instance. The header does not change with the name, and the forensic tool detects the mismatch and flags the file. Experts then examine the flagged files and the carved fragments together with the rest of the evidence on the disk.
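Both halves of that procedure, as an added example that is not part of the paper: a signature check that compares a file's leading bytes with what its extension claims (catching the renamed JPEG), and a minimal carver that pulls JPEGs out of a raw byte buffer without any file system. The signature table covers a few common types only, and the file names and the "disk" buffer are constructed.

```python
"""File signature analysis and a minimal JPEG carver (added example).

Part 1 flags header/extension mismatches; unknown headers are reported as
unknown rather than as mismatches so plain text is not a false positive.
Part 2 scans raw bytes for JPEG start/end markers, the way a carver
recovers an image whose directory entry has been deleted.
"""

# (magic bytes, canonical type, extensions that legitimately carry it)
SIGNATURES = [
    (b"\xff\xd8\xff",       "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n",  "png",  {"png"}),
    (b"%PDF-",              "pdf",  {"pdf"}),
    (b"PK\x03\x04",         "zip",  {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"GIF87a",             "gif",  {"gif"}),
    (b"GIF89a",             "gif",  {"gif"}),
]


def identify(data: bytes):
    """Type implied by the header, or (None, empty set) if no signature matches."""
    for magic, kind, exts in SIGNATURES:
        if data.startswith(magic):
            return kind, exts
    return None, set()


def check_signature(name: str, data: bytes) -> dict:
    """Compare the header-implied type with the extension and classify the file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind, exts = identify(data)
    if kind is None:
        status = "unknown"
    elif ext in exts:
        status = "match"
    else:
        status = "mismatch"           # e.g. a JPEG renamed to .xls
    return {"file": name, "extension": ext, "detected": kind, "status": status}


JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def carve_jpegs(buf: bytes, max_len: int = 10_000_000) -> list:
    """Return (offset, bytes) for each SOI..EOI span in a raw buffer.
    Deliberately naive: stops at the first EOI, so embedded thumbnails
    would truncate the parent image; real carvers parse the segment structure."""
    found, pos = [], 0
    while True:
        start = buf.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = buf.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_len:
            break
        found.append((start, buf[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def demo():
    # Constructed minimal JPEG-like blob: SOI, an APP0 stub, padding, EOI.
    fake_jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF" + bytes(40) + JPEG_EOI
    files = {
        "vacation.jpg": fake_jpeg,
        "notes.txt": b"just text, no known signature",
        "report.docx": b"PK\x03\x04" + bytes(16),
        "budget.xls": fake_jpeg,                 # the renamed image
    }
    results = [check_signature(n, d) for n, d in files.items()]
    # Constructed raw disk area: slack, a deleted JPEG, more slack, a second JPEG.
    raw = bytes(100) + fake_jpeg + b"\x00" * 37 + fake_jpeg
    carved = carve_jpegs(raw)
    return results, carved


if __name__ == "__main__":
    results, carved = demo()
    for r in results:
        print(f"{r['file']:<14} ext={r['extension']:<5} header={str(r['detected']):<5} {r['status']}")
    print("carved JPEGs at offsets:", [off for off, _ in carved])
```

The renamed spreadsheet is reported as a mismatch while the text file, which has no registered signature, is merely unknown; and the carver finds both images by their markers alone, which is the recovery path when the file system no longer points at them.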
Computer forensic analysis rests on preservation, identification, extraction, documentation, and interpretation of evidence. Passware Kit Forensic is one tool that many forensic organizations use to recover passwords from protected files, and experts apply a range of other password-recovery and decryption techniques as well. Experts analyse the evidence to establish the cause of a crime and the factors present in the crime environment, and they use specialised software to recover password-protected files and crack passwords in order to obtain the data they need.
References
Nelson, B., Phillips, A., & Steuart, C. (2014). Guide to Computer Forensics and Investigations. Boston: Cengage Learning.
Solomon, M. G., Rudolph, K., Tittel, E., Broom, N., & Barrett, D. (2011). Computer Forensics JumpStart. Hoboken: John Wiley & Sons.