
u02a1 Computer Forensics and Other Information Technologies

Computer Forensics and Other Information Technologies Vaughn Parker TS5534 Computer Forensics and Investigations

600 Brooks Pond Road, APT 111, Leominster, MA 01453. E-mail: Tel: 978-888-5696. Instructor: Dr. Adebiaye

Computer forensics relates to other information technology (IT) disciplines because all disciplines within IT require the use of software applications and a computer or mobile device to perform their job function. Disciplines within IT include IT fundamentals, programming, networking, human-computer interaction, databases, and web systems (ACM & IEEE Computing Society, 2008, pg. 19). Since computers and mobile devices can be the target of a crime, the instrument of a crime, or an evidence repository for a crime (Vacca & Rudolph, 2011, pg. 6), they can leave clues for computer forensics specialists to preserve as evidence when performing a computer forensics investigation. Computer / systems forensic specialists are people who find evidence, determine the significance of the evidence, and relate the evidence to a crime (Vacca & Rudolph, 2011, pg. 8). Evidence obtained is captured from a physical crime or cybercrime that was committed or is under investigation. A cybercrime could be wrongfully taking information, causing damage to information, or causing an information system or resources to be unavailable to authorized users when needed (Vacca & Rudolph, 2011, pg. 1). Because information and IT resources are used throughout all IT disciplines, most people are susceptible to a cybercrime whether or not they intend to commit one.

Computer forensics has a short history, only about thirty years old. In 1984, an FBI computer forensics program was created. Known for a time as the Magnetic Media Program, it is now known as the Computer Analysis and Response Team (CART). Shortly thereafter, the man who is credited with being "the father of computer forensics" began work in this field. His name was Michael Anderson, and he was a special agent with the criminal investigation division of the IRS. Anderson worked for the government in this capacity until the mid 1990s, after which he founded New Technologies, Inc., a leading computer forensics firm. By 1997, it was widely recognized that law enforcement officials all over the world needed to be well-versed in how to acquire evidence from computers, a fact made evident in a 1997 G8 communique. INTERPOL, the world's largest police organization, held a symposium on computer forensics the following year, and in 1999, the FBI's CART program tackled 2,000 individual cases. The FBI's CART caseload continued to grow: whereas in 1999 the team analyzed 17 terabytes of data, by 2003 the group examined 782 terabytes of data in just one year. With advances in computing and the proliferation of Internet access around the globe, computer forensics began to play a more important role for law enforcement officials. With the advent of smartphones and PDAs, the ways in which computer forensics may operate have become even more important, as criminals have a multitude of options for using computing devices to break the law. (Cummings)

When a crime investigation involves the use of computer forensics, computer forensic specialists can use the Digital Forensics Research Workshop Framework (the DFRWS Framework) to identify, preserve, collect, examine, analyze, and present evidence if further investigation and prosecution is needed for an alleged or actual crime or cybercrime (Vacca & Rudolph, 2011, pg. 61). Identification that a crime or cybercrime has taken place is the first phase of the DFRWS Framework. Identification is performed through event / crime detection, resolve signature detection, profile detection, anomalous detection, [lodged / logged] complaints, system monitoring, and / or a crime detected from performing audit analysis (Vacca & Rudolph, 2011, pg. 61). After a crime has been identified, the next step is to form the computer forensics team and decide the actions needed to preserve the chain of custody. This part of the DFRWS Framework is called preservation.

The computer forensics team determines how the crime case should be managed, which imaging technologies will be used, how to maintain integrity in the chain of custody, and what time synchronization actions are needed to carry out the computer forensics investigation (Vacca & Rudolph, 2011, pg. 61). Once the preservation phase is completed, the cybercrime investigation moves into the collection phase of the DFRWS Framework. In the collection phase, computer forensic specialists have identified approved methods to collect and preserve the evidence from the crime scene and are ready to actively collect it. Using approved software, obtaining the proper legal authority, using lossless compression techniques, sampling data for evidence, data reduction techniques, and data recovery techniques will all be factored into the proper collection methods for gathering evidence (Vacca & Rudolph, 2011, pg. 61). Once all the evidence is collected, the next phase of the DFRWS Framework is examination, in which the collected evidence is examined. Steps within the examination phase include preservation, traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction from the evidence (Vacca & Rudolph, 2011, pg. 61). Examining the data for usefulness and integrity is vital to the chain of custody, because if there are material flaws in the evidence then it might not be usable in court or in a presentation. Once the examination of the evidence is complete and the evidence is preserved and the chain of custody maintained, the computer forensic specialist team can move into the analysis phase of the DFRWS Framework.

I wanted to take a moment to note that preservation is a common theme throughout the DFRWS Framework. Without preservation, you cannot reach the final stage of the DFRWS Framework, which is presenting the evidence, if the evidence has been altered or changed. If evidence is found to be altered or changed since the day it was found at the crime scene, it can be rejected in court.

The next phase of the DFRWS Framework is analysis of the evidence. Analysis of the evidence includes preservation analysis, traceability analysis, statistical analysis, protocol analysis, data mining, timeline analysis, link analysis, and spatial analysis (Vacca & Rudolph, 2011, pg. 61). Once analysis of the evidence is performed, the computer forensic specialists can then draw conclusions. These conclusions then get entered and presented in court or presented to corporations. Evidence is only admissible in court if it has maintained the chain of custody and has been preserved in a manner that shows it has not been altered or changed in any way.

Presenting the evidence in court is the final phase of the DFRWS Framework. Presenting evidence collected from the crime scene of a cybercrime can be done via expert testimony; sometimes computer forensic specialists are called into court as expert witnesses. Presenting evidence in court includes all the documentation collected about the evidence, providing expert testimony in court, clarification of the evidence in court, providing a mission impact statement as to why the evidence was collected and why the evidence is valuable to the court case, providing recommended countermeasures against future cybercrimes, and finally providing statistical interpretation of the evidence collected. Not all the evidence that is collected will be presented to a court or to corporations; sometimes corporations hire computer forensic specialists for internal purposes only (Vacca & Rudolph, 2011, pg. 62).

Not all evidence presented in a court setting will be accepted by the courts. Evidence can be dismissed for any number of reasons. A primary reason that collected evidence can be dismissed is that it violates constitutional protections and laws. There are a number of United States laws that address cybercrimes and computer intrusions. Some of those laws are the Computer Fraud and Abuse Act, the Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today Act (PROTECT Act), the Homeland Security Act of 2002, the Unlawful Internet Gambling Enforcement Act of 2006, and the Fourth Amendment of the United States Constitution (Vacca & Rudolph, 2011, pg. 35). As mentioned earlier, if the chain of custody is broken while gathering evidence, this can be viewed as a violation of certain laws. For example, if evidence was gathered and became public information but was subject to attorney-client privilege, you could then be in violation of privacy laws, the chain of custody, and the integrity of the computer forensics specialist team.

Ethics is an important part of computer forensics, because it guides the moral conduct of the individuals performing the forensic activities. In computer forensics, it is all about preserving the chain of custody. Since computer forensics specialists are exposed to a great deal of information, the appropriate use of the information obtained is critical. Using this information for personal gain or extortion would be examples of violating the ethics code within computer forensics. According to the System Forensics, Investigation, and Response textbook, in several high-profile instances, apparently solid cases have been weakened or thrown out because inappropriate consideration was given to the integrity and reproducibility of additional evidence. This may happen for several reasons. Lack of training is a prime culprit: if the individuals involved have not been trained to the required standards, tainted or damaged digital evidence is the sad but inevitable result. Another frequent cause is lack of experience. Finally, sloppiness, pressure applied on site, tiredness, and carelessness have been contributory factors in transforming solid digital evidence into a dubious collection of files. It is in everyone's best interest to ensure that the highest forensics standards are maintained (Vacca & Rudolph, 2011, pg. 14). This would, of course, include ethics.
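To make the preservation theme concrete, the following is an added example, not from Vacca & Rudolph, the DFRWS papers, or any forensic tool: a minimal chain-of-custody record in Python. It records a SHA-256 hash of the evidence at collection, appends one hash-linked log entry for each later DFRWS phase (examination, analysis, presentation), and re-verifies both the log and the evidence before it is presented, so that alteration of the evidence, editing of an earlier entry, or an entry that quietly recorded a different copy of the evidence is detected. The item identifier, custodian names, timestamps, and the byte string standing in for a disk image are all constructed for this example.

```python
"""Added example: a hash-linked chain-of-custody log for one evidence item.

Assumptions (all constructed for the example): the evidence is an in-memory
byte string standing in for an acquired disk image; custodian names, the
item id and the timestamps are made up.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Hash of the evidence as acquired; recomputed at every later phase."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str          # ISO-8601 UTC, written by the custodian
    custodian: str          # who handled the evidence in this phase
    action: str             # DFRWS phase: collection, examination, analysis, ...
    evidence_hash: str      # SHA-256 of the evidence at the time of this entry
    prev_entry_hash: str    # links this entry to the previous one
    entry_hash: str = ""    # digest over the fields above, filled in by append()


@dataclass
class CustodyLog:
    item_id: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def append(self, timestamp: str, custodian: str, action: str,
               evidence: bytes) -> CustodyEntry:
        """Record one handling step; the first entry is the acquisition record."""
        prev = self.entries[-1].entry_hash if self.entries else "0" * 64
        e = CustodyEntry(timestamp, custodian, action, sha256_hex(evidence), prev)
        e.entry_hash = self._entry_digest(e)
        self.entries.append(e)
        return e

    @staticmethod
    def _entry_digest(e: CustodyEntry) -> str:
        # Canonical JSON so the digest does not depend on formatting choices.
        payload = json.dumps(
            [e.timestamp, e.custodian, e.action, e.evidence_hash, e.prev_entry_hash],
            separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()

    def verify(self, evidence: bytes) -> Optional[str]:
        """Return None if log and evidence are intact, otherwise the reason."""
        if not self.entries:
            return "empty log: no acquisition record"
        expected_prev = "0" * 64
        acquisition_hash = self.entries[0].evidence_hash
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != expected_prev:
                return f"entry {i}: broken link to previous entry"
            if self._entry_digest(e) != e.entry_hash:
                return f"entry {i}: entry contents modified"
            if e.evidence_hash != acquisition_hash:
                return f"entry {i}: evidence hash differs from acquisition hash"
            expected_prev = e.entry_hash
        if sha256_hex(evidence) != acquisition_hash:
            return "evidence no longer matches the hash recorded at collection"
        return None


def build_demo_log(evidence: bytes) -> CustodyLog:
    """Constructed walk through three DFRWS phases for one item."""
    log = CustodyLog(item_id="ITEM-001")  # constructed identifier
    log.append("2012-07-21T09:00:00Z", "V. Parker", "collection", evidence)
    log.append("2012-07-21T13:30:00Z", "V. Parker", "examination", evidence)
    log.append("2012-07-22T10:00:00Z", "lab analyst", "analysis", evidence)
    return log


if __name__ == "__main__":
    image = b"constructed stand-in for a forensic disk image"
    log = build_demo_log(image)
    print("intact:", log.verify(image))
    print("altered evidence:", log.verify(image + b"x"))
    log.entries[1].custodian = "someone else"
    print("edited log:", log.verify(image))
```

The check runs the same way at every phase: before examination, analysis, or presentation the examiner calls verify() with the working copy and gets either None or a reason that names the first entry where the chain fails. A log held only by the custodian shows that evidence was not accidentally or casually altered; to carry weight in court the acquisition hash is normally also written into signed, witnessed documentation or a write-once system that the custodian cannot rewrite.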

In conclusion, computer forensics relates to other IT disciplines in many ways, since cybercrime can derive from any of the disciplines. Once a crime has been noted or an investigation has been started, computer forensic specialists can start to obtain evidence by working through the DFRWS Framework in order to preserve the evidence and the chain of custody. When the chain of custody is preserved, computer forensic specialists can show evidence to corporations or present it in a court of law. In order to maintain the chain of custody, computer forensic specialists must hold themselves to high ethical standards. If computer forensic specialists do not maintain integrity in the investigation, then evidence can be dismissed in court and criminal cases can be weakened. Proper training and education can help reduce the number of errors that can taint evidence.

References:

ACM & IEEE Computing Society (2008). Information Technology: Curriculum Guidelines for Undergraduate Degree Programs in Information Technology. Retrieved from ulum.pdf

Cummings, T. (n.d.). The History of Computer Forensics. Retrieved July 21, 2012, from forensics.html

Vacca, John R., & Rudolph, K. (2011). In Lawrence J. Goodrich and High Stakes Writing, LLC (Ed.), System forensics, investigation, and response. Sudbury, MA: Jones and Bartlett Learning.