Consider the two goals of data collection: maximizing the usefulness of the evidence and minimizing the cost of collecting it. Analyze why these goals can create significant challenges for an investigator. Determine what potential downfalls may arise in an investigation when limiting evidence collection operations purely based on cost.
Achieving both goals at once is difficult, because they pull in opposite directions: the tools and practices that produce more complete and more reliable evidence (full memory and disk imaging, write blockers, commercial forensic suites, travel to remote sites) are generally the more expensive ones. The investigator therefore has to decide how to obtain evidence of sufficient quality with the tools and budget actually available, knowing that a more capable but costlier tool would have collected more. The main downfall of limiting collection purely on cost is that the quality and completeness of the evidence are jeopardized: not all available information is collected, the scope of the investigation narrows, and relevant data held somewhere else (a second machine, a remote office, a service provider) may be skipped because retrieving it would cost more. Because volatile data and logs are overwritten over time, anything not collected at the first opportunity may never be recoverable later, and those gaps can later be used to challenge the investigation as incomplete.
Examine the nuance of evidence collection when dealing with volatile and temporary data and provide an example. Suggest at least three procedures, tools, and / or techniques at the disposal of an investigator that could assist him / her in evidence collection of this potentially critical evidence.
There is no question about the need for good mechanisms to collect volatile and temporary data, since the memory and network state of a running system hold information and evidence that exist nowhere else. Collecting it, however, is not easy. Because volatile data changes constantly, evidence on a running computer can be lost before law enforcement or the investigator even reaches it, and that evidence may be decisive for the resolution of a case, the determination of guilt or innocence, or the sentence given to an accused person or company. For example, the list of active network connections and the contents of RAM vanish the moment a machine is powered off, so pulling the plug to preserve the disk destroys exactly the evidence that could link the machine to a remote attacker. A lack of a capability plan and of established procedures are further challenges. Volatile data matters for several reasons: it can uncover passwords or the encryption techniques in use, and it can help determine the extent of the criminal activity. It must also be handled with care, because every tool run on the live machine alters its state, so each action has to be recorded and justified. Sources of volatile data include Random Access Memory (RAM), operating-system state such as running processes and logged-on users, network state and network logs, and small devices such as mobile phones and SIM cards. (Eroraha, 2008)
The lack of a verified toolkit for live data collection is still another challenge. Today, the techniques used for collecting volatile data include keeping a log of every action performed on the running computer, photographing the machine and its screen to document its state, recording the date and time of each action, and saving every item of collected data, preferably to external media together with a cryptographic hash so that it can later be shown to be unaltered. On Windows, diskmap.exe can be used to record the layout of the disk (partition table and volumes), while portqry.exe, run with its -local option, enumerates the open ports and active connections on the machine together with the processes that own them; netstat, tasklist and, on Unix-like systems, ps give similar views of the network and process state.
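The logging procedure described above (a timestamped record of each action, with the collected data saved and hashed so its integrity can be checked afterwards) can be automated. The script below is an added example, not code from this page or from Eroraha's paper. It runs a list of collection commands in order of volatility, records the UTC start and finish time, the exact command line, the exit status, the output and its SHA-256, and chains the records so that a dropped, reordered or edited record is detectable. The command lists are assumptions: the live ones (ss/netstat, ps/tasklist, who/query) are shown for reference, and the demo uses constructed commands that only print fixed text so the example runs offline.

```python
"""Volatile-data collection log with a SHA-256 hash chain (added example).

Each collection step is run as a subprocess; the record keeps the UTC start
and finish time, the exact argv, the exit status, the captured output and its
SHA-256.  Records are chained (each chain value covers the previous chain
value and this record's output hash), so a dropped, reordered or edited record
is detected by verify_chain().  The command lists are assumptions.
"""
import hashlib
import json
import platform
import subprocess
import sys
from datetime import datetime, timezone

GENESIS = "0" * 64


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def run_step(label: str, argv: list) -> dict:
    """Run one collection command and return its evidence record."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
        output, rc = proc.stdout + proc.stderr, proc.returncode
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool is itself worth logging; never skip silently.
        output, rc = f"ERROR: {exc}", -1
    finished = datetime.now(timezone.utc).isoformat()
    return {
        "label": label,
        "argv": argv,
        "started_utc": started,
        "finished_utc": finished,
        "returncode": rc,
        "output": output,
        "sha256": sha256_hex(output),
    }


def collect(steps: list) -> list:
    """Run steps in the given (most-volatile-first) order and chain the records."""
    records, prev = [], GENESIS
    for label, argv in steps:
        rec = run_step(label, argv)
        rec["prev_chain"] = prev
        prev = sha256_hex(prev + rec["sha256"])
        rec["chain"] = prev
        records.append(rec)
    return records


def verify_chain(records: list) -> bool:
    """Recompute every output hash and chain link; False on any tampering."""
    prev = GENESIS
    for rec in records:
        if rec["prev_chain"] != prev:
            return False
        if sha256_hex(rec["output"]) != rec["sha256"]:
            return False
        prev = sha256_hex(prev + rec["sha256"])
        if rec["chain"] != prev:
            return False
    return True


# Live collection commands, ordered roughly by volatility.  Assumption: the
# examiner runs trusted copies of these tools from external media.
if platform.system() == "Windows":
    LIVE_STEPS = [
        ("network connections", ["netstat", "-ano"]),
        ("running processes", ["tasklist", "/v"]),
        ("logged-on users", ["query", "user"]),
    ]
else:
    LIVE_STEPS = [
        ("network connections", ["ss", "-tunap"]),
        ("running processes", ["ps", "auxww"]),
        ("logged-on users", ["who", "-a"]),
    ]

# Constructed steps that only print fixed text, so the example runs offline.
DEMO_STEPS = [
    ("network connections", [sys.executable, "-c",
        "print('tcp 10.0.0.5:49213 203.0.113.7:4444 ESTABLISHED pid=1337')"]),
    ("running processes", [sys.executable, "-c",
        "print('1337 svchost  /tmp/.x/svchost')"]),
]


def demo() -> list:
    """Collect the constructed demo steps and return the chained records."""
    return collect(DEMO_STEPS)


if __name__ == "__main__":
    recs = collect(LIVE_STEPS)
    # In practice write the log to the examiner's media, not the evidence disk.
    with open("volatile-collection.json", "w", encoding="utf-8") as fh:
        json.dump(recs, fh, indent=2)
    print("chain ok:", verify_chain(recs), "records:", len(recs))
```

The chain does not stop a tamperer who rewrites every later record; it only makes any edit detectable. To anchor it, the final chain value should be written down on the handwritten log sheet or signed at the scene, which is the same role the photograph and dated notes play in the procedure above.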
References:
Eroraha, Inno (2008). Responding to the Digital Crime Scene: Gathering Volatile Data. Retrieved from https://www.owasp.org/images/2/29/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf
Hay, Brian (2008). Forensic Examination of Volatile System Data Using Virtual Introspection. Retrieved from http://assert.uaf.edu/papers/forensicsVMI_SIGOPS08.pdf