Digital forensics investigation is the acquisition of computer-related data connected to criminal activity in which a computing platform was used either to commit the offence directly or to store evidence associated with it. Before digital evidence can be examined, the type of information or data needed to associate suspects with a computer-related crime must be established. Evidence may, however, be stored on a computer hard drive whether or not it relates to computing activity. This investigation plan therefore sets out the procedures required to acquire evidence suspected to exist on two computers and a thumb-stick memory device. While these are the most important information resources supporting the digital investigation, an acquisition protocol that maintains the chain of custody must be followed in obtaining them. The plan is divided into three sections: the first relates digital forensics investigation to compliance with, and application of, the law during the investigation process; the second identifies the resources that can be used in the investigation; the third integrates the resources relevant to the current case into the planning and management of the digital investigation process.
Thesis statement: Digital forensics investigation follows an evidence acquisition process capable of positively and negatively influencing the results of an investigation.
Overview of Legislation
Data acquisition in digital forensics investigation is an important aspect of the process; it determines the sources needed to provide solid evidence capable of linking suspects to a crime or of identifying criminal activity through stored files. For the current case, a computer and a thumb-stick drive are the target sources of the investigation. However, the computer as a unit is not the significant resource; rather, its drives, cache memory, file system, browser history and related network connections are. These resources matter because they record what information was stored, deleted or modified, and what communications were established and received through the platform. The procedure for acquiring any form of evidence by seizing physical property, such as computer systems suspected to contain reliable data that can directly or partially link a suspect to the commission of a crime, is to obtain a search warrant supported by a detailed affidavit stating the type of information sought and the resources needed. The search warrant and affidavit also state whether the search may result in the confiscation of physical evidence in the form of computers and memory drives.
Given these expectations of the law regarding the acquisition of digital sources of criminal evidence, the issuance of the search warrant follows a strict protocol that influences the direction and result of the investigation. Firstly, the application for a search warrant must be made to the Office of the District Attorney General, reporting the type of investigation being carried out and the evidence or merit for pursuing a criminal investigation of the suspects or computing platforms. While applying for and issuing the warrant does not stall the process, the restrictions on the execution period are among the factors that influence the effectiveness of the investigation.
On the positive side, the search warrant acquisition process and the execution period, which differs from one legislative environment to another, ensure that the search is conducted within a specific time; once that time frame is exceeded without execution, the warrant becomes stale. A stale warrant is not valid, cannot be used to search a suspect's property, and must be replaced by a newly acquired warrant. These restrictions influence the investigator's planning and pace in conducting the search and help ensure that suspects can be apprehended or evidence confiscated for further investigation. With an execution period ranging from 24 hours to a few weeks, depending on the type of criminal activity stated in the affidavit, an investigator is able to acquire much relevant information and evidence material, provided the suspects are not given sufficient time to destroy evidence.
On the negative side of digital evidence acquisition, with reference to search warrant acquisition and execution, is the risk of expiration. A stale search warrant, which can result from an inability to gain access to the property in question, can stall the investigation, allowing the suspects sufficient time to destroy evidence and mask their digital activities.
Application and Extension to Computer Crime
The application of the law in digital forensics investigation is linked to the exercise of freedom and the provision of justice. These two concerns play significant roles in ensuring that the investigation is not only lawful but also merited by logical and rational analysis of suspicious activities. Thus, in order to protect the privacy of individuals suspected of computer crime, investigation procedures such as searching property or confiscating evidence follow a lawful order. Investigators must provide information linking a suspicious set of activities to a specific computing platform, offering authentic proof that the suspicious activity is criminal in nature and worth investigating. On the other hand, because personal rights and privacy are protected, the provision of search warrants in digital investigation gives investigation personnel the upper hand of an element of surprise: evidence is confiscated without warning and without allowing the suspects time to hide, destroy, modify or corrupt digital evidence held within computer hard disks, file systems, internet browsers, external memory devices, network connections and system cache.
Through these procedures, the law regarding evidence acquisition extends to computer crimes by granting investigators permission to seize any form of digital resource directly linked, or suspected to be linked, to criminal activity.
With reference to the acquisition of evidence needed in the investigation of digital devices, in this case computer systems, protocol questions are necessary to identify the focus of the investigation. These include:
What type of evidence is needed for the case?
Data files, images, audio files, documents, browser history, deleted files, network connections, recent communications, financial statements, contacts, emails, computer usage statistics, encrypted data, and security report of the computer.
What resources are necessary for the investigation?
Computer hard disks, system files, cache memory, external hard disks, and networked devices.
What tools of analysis are needed to carry out digital forensics investigation?
Decryption software for decrypting data and breaking through security measures such as password-protected data storage devices, and an expert data analyst.
What is the procedure of acquiring search privileges?
Presenting detailed proof to the District Attorney General, arguing the case before a judge, providing merit through an affidavit, and being able to honor the execution period.
What influence do the search warrant and associated affidavit have on the progress of the investigation?
These protect the rights of individuals by allowing only searches authorized by an approved judge, and they also give investigators permission to acquire material evidence resources.
What type of personnel are fit for the acquisition, assessment, analysis, and reporting of a digital forensics investigation?
Data analysts specializing in the development of decryption software are required to code varying programs based on the encryption difficulty of the target resource. A technical systems analyst is required to analyze computer usage and connectivity trends as well as user profiles.
Is obtaining a search warrant and following legislative jurisdiction sufficient for successful criminal profile compilation?
Depending on the execution of the warrant and the arguments of a defense attorney, the acquisition of material evidence and the successful compilation of a digital criminal profile can be disqualified on the basis of the execution order of the search warrant.
Requirements of the Investigation
Types of computer forensic technology
The rapid discovery of evidence and the assessment of the malicious activity carried out can be achieved using three main types of computer forensic technology: military, business and law enforcement computer forensic technologies (Evans, Peltola & Montasari, 2015).
Military Computer Forensics Technology
Military computer forensic technology is one of the computer forensic technologies in use today. It was developed through a partnership between the National Institute of Justice and the Information Directorate, which led to an integrated forensic analysis framework known as CFX-2000 (Computer Forensics Experiment 2000). CFX-2000 helps determine accurately the intent, motives, identity, sophistication, targets and location of cybercriminals, and its integrated forensic analysis framework is used to curb cyber terrorists (Taylor, Fritsch & Liederbach, 2014).
The tools used in the Computer Forensics Experiment 2000 consist of Directorate-sponsored R&D prototypes, commercial off-the-shelf software, and the SI-FI (Synthesizing Information from Forensic Investigation) integration environment. The SI-FI integration environment supports the collection, examination and analysis operations carried out during a cyber-forensic investigation. It uses digital evidence bags (DEBs) to store digital evidence (Nelson, Phillips & Steuart, 2015). The bags are tamperproof, secure containers in which investigators seal the evidence they acquire. The other forensic tools are then used to collect and analyze specific features of the digital evidence obtained: they build timelines of digital events, perform case management, detect steganography and automate event link analysis. Nonetheless, as electronic technology continues to advance, more research should go into advancing military computer forensic technology, and researchers should also strengthen R&D of cyber forensic technology in preparation for the onslaught of cyber-attacks.
Business Computer Forensic Technology
Computer forensic technologies can also be used in business, for the remote monitoring of target computers, theft recovery, and the tracking of electronic documents. Business computer forensic technology uses Data Interception by Remote Transmission (DIRT), a remote-control monitoring tool, to monitor all activity on target computers (Luttgens, Pepe & Mandia, 2014). The tool monitors more than one target computer simultaneously from a remote command center; it requires no physical access and allows the agent to remotely acquire and secure digital evidence.
Another tool used in business computer forensic technology is Binary Audit Identification Transfer (BAIT), a powerful intrusion detection tool. BAIT allows a user to create trackable electronic documents; through the tagged documents, it can identify and locate unauthorized intruders who access, download or view them. After identifying the intruder, BAIT allows security personnel to trace the chain of command or custody of all the individuals who possess the stolen electronic documents (Evans, Peltola & Montasari, 2015).
The computer forensic technologies mentioned above can also be used in businesses for the recovery of stolen laptops and software. Lost or stolen laptops can be recovered using the PC PhoneHome software, an easy, user-friendly application that helps track and locate a stolen or lost laptop or computer from anywhere in the world. If a computer is protected by PC PhoneHome and is stolen or lost, all one needs to do is report it to the police and call the CD's command center; the CD's recovery specialists will then assist the police in recovering the device (Luttgens, Pepe & Mandia, 2014).
Resources required to conduct a forensic digital investigation
A digital forensic investigation requires a precise set of tools and resources to group, understand and process the digital evidence acquired. Resources used in a forensic digital investigation ensure a thorough investigation of all the activities involved (Taylor, Fritsch & Liederbach, 2014). They help verify the attack, predict further threats, restore vital information, and analyze the acquired digital data so that it is suitable for criminal proceedings. The most significant resources used in forensic digital investigations are software resources.
Among the software resources forensic auditors use to improve the effectiveness and efficiency of the investigation process are acquisition tools. Acquisition tools are fundamental to the first step an auditor takes in an investigation, the acquisition process. During this operation, it is important that the evidence be collected and stored using trusted tools and methodologies. One of the most trusted software acquisition tools is NTI SafeBack (Takenaka, Morinaga & Unno, 2017). SafeBack creates a bit-stream backup file, or mirror image, of a storage device such as a hard drive. Once the copy has been made, several exact reproductions of the original are also made, which guarantees safe and proper collection and preservation of crucial evidence. As mentioned above, the Digital Evidence Bag (DEB) is also a useful resource for collecting and securing evidence in digital forensic investigations (Nelson, Phillips & Steuart, 2015).
After the evidence has been properly gathered and collected, the agent must determine which part of it is most useful. The first tool an investigator will use to examine the acquired digital forensic evidence is a documentation and file listing software package. The software examines a bit-stream image and produces a list of the files and programs that were present on the original device (Evans, Peltola & Montasari, 2015). The auditor then uses the list of programs to look for software that can be used to protect, hide, encrypt or delete files from investigators. The presence of encryption software such as Hide and Seek or TrueCrypt shows an intent by a criminal to hide evidence.
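As an added illustration of the bit-stream imaging and evidence-bag ideas discussed above (example code written for this plan, not SafeBack's or any vendor's implementation), the following Python acquires a byte-for-byte image of a constructed sample device, seals it with a hash record, and shows how a later verification detects a modified working copy or an edited record. The device contents and the evidence label are constructed for the example.

```python
import hashlib
import json

# Constructed sample "storage device": a few hundred bytes standing in for the
# raw sectors of a seized thumb-stick drive (hypothetical data, not real evidence).
SAMPLE_DEVICE = (b"\x00" * 512) + b"SAMPLE: invoice_2015.docx" + (b"\xff" * 700)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used as the evidence fingerprint."""
    return hashlib.sha256(data).hexdigest()


def acquire_bitstream_image(device: bytes, block_size: int = 512) -> bytes:
    """Copy the device sector by sector, including unused and partial blocks,
    so the image is a byte-for-byte mirror rather than a file-level copy."""
    image = bytearray()
    for offset in range(0, len(device), block_size):
        image.extend(device[offset:offset + block_size])
    return bytes(image)


def seal_evidence(label: str, device: bytes, image: bytes) -> dict:
    """Record the image hash at acquisition time. The record plays the role of the
    seal on a digital evidence bag: any later change to the image breaks the match.
    Refuses to seal an image that is not already identical to the source."""
    if len(image) != len(device) or sha256_hex(image) != sha256_hex(device):
        raise ValueError("image is not a bit-for-bit copy of the source")
    record = {"label": label, "size_bytes": len(image), "sha256": sha256_hex(image)}
    # Hash the record itself so the record cannot be edited unnoticed either.
    record["record_sha256"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
    return record


def verify_copy(record: dict, copy: bytes) -> bool:
    """Check that a working copy still matches an intact acquisition record."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    record_intact = (
        sha256_hex(json.dumps(body, sort_keys=True).encode()) == record.get("record_sha256")
    )
    return (
        record_intact
        and len(copy) == record["size_bytes"]
        and sha256_hex(copy) == record["sha256"]
    )


if __name__ == "__main__":
    img = acquire_bitstream_image(SAMPLE_DEVICE)
    rec = seal_evidence("thumb-drive-01", SAMPLE_DEVICE, img)
    print(json.dumps(rec, indent=2))
    print("working copy matches seal:", verify_copy(rec, img))
    tampered = bytearray(img)
    tampered[600] ^= 0x01  # flip one bit in the working copy
    print("tampered copy matches seal:", verify_copy(rec, bytes(tampered)))
```

Each reproduction made from the image is checked the same way before analysis, and the record travels with the evidence as part of the chain-of-custody documentation.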
Evidence Acquisition Plan
Sequenced evidence acquisition
Sequenced evidence acquisition covers the process from acquiring the proper jurisdiction to obtaining the digital devices capable of processing and storing information that can be accessed and analyzed for consistency with the forensic investigation's objectives. The objectives in this case include correlating merited information regarding criminal activity with evidence obtained from two computers and a memory drive. To obtain these, permission to acquire the evidence material and sources must be authorized by a judge, who must be provided with evidence relating to the reported criminal activity. The judge must also be presented with a list of the materials acquired under the search warrant and a copy of the receipt the investigator gives the suspect. These receipts and lists must also record the duration of the search warrant and the manner in which it was served on the suspect. In this regard, the search warrant must be served openly and during the day on the suspect or the owner of the property to be searched. The report of the investigation must describe how the warrant was executed, with special attention to the lawfulness of the procedure. Observing the process is significant in providing solid proof of the case, while poor execution of the search can render the investigation unlawful and therefore not binding. In that scenario, unlawful acquisition of data resources gives the criminal suspects the opportunity to systematically erase or destroy data before another warrant is reissued.
The investigation process is straightforward in that it follows a designated protocol, ensuring that all cases are not only procedural but also ethical in how they handle specific human rights, while preventing the case and the criminal profile from being discredited by unlawful acquisition of data resources. Thus, obtaining a search warrant is the first step toward acquiring the resources needed. This first step has its own procedure: building up a case and presenting it to a judge for analysis before the warrant is issued. The second step is obtaining the needed data sources by serving the suspect or property owner with the warrant, recording the evidence sources acquired, supplying the target individual with a receipt for the items obtained, and providing the judge with the list of items and the signed warrant copy. Lastly, once the evidence is obtained, the third step is to build a forensic case report by carrying out data decryption or identification using investigative tools.
Data analysis procedures have the highest resource consumption in terms of finance and time. In this regard, building up the case in order to obtain the search warrant will take three months at minimum and six months at maximum, ensuring that enough evidence is presented to a judge. Thereafter, execution of the warrant will take at most 10 days, and the investigation time frame averages 2 months. The total duration is therefore eight and a half months at most and five and a half months at least. The adjustable time frame is justified by the difficulty of obtaining evidence linking a suspect to the case and by the time and resources needed to fully analyze the data obtained from the sources.
Among the risks associated with the procedure of acquiring evidence in digital forensic investigations is the difficulty of acquiring the needed resources, such as computers and memory devices, that can be examined to reveal useful evidence. Given that a case can be nullified by unlawful acquisition of resources, close adherence to training on the lawfully permitted procedure should be documented. Additionally, the laws protecting access to and acquisition of evidence must be taken into account, to guide the compilation of needed materials and the confirmation of affidavit details against the actual outcomes of the search. Where a case is dismissed for unlawful acquisition of evidence, the material evidence sources, which could otherwise be destroyed, can be protected from access by the suspect or the attorneys until a proper petition is made to disclose and associate such resources with the interests of the case.
Communications and Reporting
Upon successful compilation of the investigation results, reporting is done with reference to the merit granted by the presiding judge. Information irrelevant to the case at hand gives defense attorneys grounds to challenge the motive for the search and the execution of the investigation. In this regard, evidence obtained from data sources should cover only the specific factors directly associated with the case.
- Evans, D., Peltola, P., & Montasari, R. (2015). Integrated Computer Forensics Model (ICFIPM) for Computer Crime Investigations. Communications in Computer and Information Science, Vol. 534.
- Luttgens, J. T., Pepe, M., & Mandia, K. (2014). Incident response & computer forensics. McGraw-Hill Education Group.
- Nelson, B., Phillips, A., & Steuart, C. (2015). Guide to Computer Forensics and Investigations.
- Takenaka, M., Morinaga, M., & Unno, Y. (2017). High-Speed Forensic Technology Against Targeted Cyber Attacks. Advances in Network-Based Information Systems, NBiS 2017.
- Taylor, R. W., Fritsch, E. J., & Liederbach, J. (2014). Digital crime and digital terrorism. Prentice Hall Press.