You are on page 1of 5

Computer technology is the major integral part of everyday human life, and it is growing rapidly, as

are computer crimes such as financial fraud, unauthorized intrusion, identity theft and intellectual theft. To
counteract those computer-related crimes, Computer Forensics plays a very important role. Computer
Forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal or
administrative cases (Nelson, B., et al., 2008).
It is obvious that before starting the investigation, we need to have a preparation in order to conduct
the investigation efficiently. This is considered a proactive measure of investigation (Murray, 2012). The
following steps need to be taken in the preparation stage:
1. Gathering all available information from the assessing the incident, such as severity of the incident.
2. Identifying the impact of the investigation on the business, such as network down time, duration of
recovery from the incident, and loss of confidential information.
3. Obtaining information of the networks, network devices such as router, switches, hub, etc., network
topology documentation, computers, servers, firewall and network diagram.
4. Identifying the external storage devices such as pen drive, flash drive, external hard disk, CD, DVD,
memory cards and remote computer.
5. Identifying the forensic tools which can be used in this investigation.
6. Capturing live network traffic in case the suspicious activities are still running.
7. Documenting all the activities during the investigation which may be used in court to verify the
course of action that was followed in the investigation.
8. Imaging the target devices hard drive and hashing them with MD5 for data integrity.
Preparing for computer search is most important step in investigation. Better planning will smoother
the investigation. To perform effective search we have to make plan in the following way:
1. Identifying the nature of Case
2. Identifying the type of computing systems
3. Determining whether we can seize the computer or not
4. Obtaining the detailed description of the location
5. Identify the in-charge of each activities
6. Determine the tools we need
7. Preparing the team for investigation according to what we have to collect and how we can
The nature of case depicts whether it is a private, public or government organization with the actual
nature of case that is whether is related to computer science or related to civil, criminal investigation so that
the team can make plan accordingly. Also we can proceed and what type of assets or resources we need to use
in the investigation.
The ideal solution for any incident is to seize the computers and take them in forensic lab for further
investigation. However team has to identify whether it is possible to seize the computer from the workplace
is feasible or not. The team has to identify the detailed description of the location in terms of the safety issues,
hidden cameras, the authorized person allowed at that place etc. This is a case of computer malfunction so it
is to identify the persons using the computer, who was looking after the firewall / virus protector etc.
Yes, off course XYZ Inc has to seize the HR managers computer. So some basic steps are required to
seize the computer:
a. Plan to seize the entire computer and all peripherals with the media used for transferring
the data.
b. Is the computer switched on when our team collecting the equipment.
c. Prepare a list of persons available when we seize the computer.
d. Record all the event of seizing the computer from that organization.
e. Computer data is volatile, so keep in mind that checks the state of computer as soon as
f. Collect all the document evidence available at that place.
To document evidence, XYZ Inc has to create or use an evidence custody form. Because of constant
changes in technologies and methods for acquiring data, create an electronic evidence custody form that we
can modify as needed. An evidence custody form serves the following functions:
a. Identifies the evidence
b. Identifies who has handled the evidence
c. Lists dates and times the evidence was handled
With digital evidence, we need to consider how and on what type of media to save it and what type of
storage device is recommended to secure it. The media we use to store digital evidence usually depends on
how long we need to keep it. If we investigate criminal matters, store the evidence as long as we can.
Finally, collecting the clipboard content is also very important in a computer forensic investigation.
More evidence can be found from a machine which is still running, so if the anomalies are still there in the
SME, then we can retrieve a lot of important evidence from the running processes, network connection and
the data that is stored in the memory. There is a lot of evidence when the machine is in the volatile state, and
so it must be ensured that the affected computers are not shut down in order to collect such evidences.
Once the volatile data have been captured, then we will look into the non-volatile data. The first step
in non-volatile data collection is to copy the content of entire target system. This is also called forensic
imaging. Imaging helps to preserve the original data as evidence without any malfunction or changes in data
which occurs during the forensic investigation. Forensic imaging will be created by forensic tools such as
EnCase, ProDiscover and FTK. A forensic investigator uses a write blocker to connect to the target system and
copy the entire contents of the target drive to another storage device by using any of those forensic tools.
Hard drive cloning is nothing but to make a duplicate of the entire system. The difference between forensic
imaging and hard drive cloning is that forensic imaging cant be accessed without forensic tools, but hard
drive cloning can easily be accessed with a mount drive. Hard drive cloning contains only a raw image, and
every bit will be copied, and no other extra content will be added. Forensic imaging contains metadata ie.,
hashes and timestamps and it compresses all the empty blocks. Forensic imaging will hash with MD5 or SHA-
2 to ensure the integrity of digital evidence (Nelson, B., et al., 2008).
Data collection can be done in offline investigation and online investigation. Forensic imaging can be
done with offline investigation. Live network traffic can be done with online investigation by using ethereal or
Wireshark tools. Firewall logs, antivirus logs, and domain controller logs will be collected for the
investigation under the non-volatile data collection. We will also collect the Web server logs, Windows event
logs, database logs, IDS logs and application logs. Once we collect all the digital evidences, they must be
documented in the chain of the custody log documentation. Chain of the custody log documentation is to
maintain the integrity of the evidence from start to end of the investigation until this investigation report will
be presented (Nelson, B., et al., 2008).
When testifying, don't use technical jargon or try to "sound smart." Explain things in simple language
that's understandable to the average non-technical person. Juries and judges are often not technically savvy
at all. Don't talk down to them, but use plain words and analogies to explain difficult concepts. Here are some
tips for testifying effectively:
In direct testimony (when being questioned by the attorney that called you to testify), answer only
the question that is asked. Don't expound on the matter until or unless you're asked to do so. If you're
asked a yes or no question, answer yes or no without explanation. If the attorney wants you to say
more, you'll be asked to elaborate.
If you don't know the answer to a question, say so. Don't make something up or evade the question.
Don't offer opinions that are not in your area of expertise.
If you don't understand the question, ask for clarification and don't answer it until you're sure you
understand it.
Pick your words carefully. Be sure to say exactly what you mean.
In both direct and cross examination, if an attorney objects to a question you're asked, don't answer
the question until the judge rules on the objection.
Use visual aids (white board, video, photographs, slides, computer demonstration, etc.) to help
explain difficult concepts, demonstrate how a particular task is accomplished, or show relationships
of items to one another.
Be able to back up your opinions and conclusions with hard data.
Computer Forensic involves collecting, analyzing, preserving and presenting digital evidence in a
legally acceptable manner. It is a complex procedure therefore it requires due diligence at every stage of
process and this brings the role of investigator. Any carelessness intended or not can adversely affect the
outcome. To counter this problem, our forensic investigator XYZ Inc must follow the basic and specific
guidelines and rules.

References and Bibliography
[1] 7safe, (2013) Good Practice Guide for Computer-Based Electronic Evidence, Available at:, Accessed
on 12th January 2014.
[2] ACPO (2013), Good Practice Guide for Computer-Based Electronic Evidence, V4.0
[3] Adams, R., (2012), Evidence and Digital Forensics, Australian Security Magazine, Available at, accessed on 31st December 2013.
[4] Carvey, H., (2005), Windows Forensics and Incident Recovery, Boston: Pearson Education Inc.
[5] Case studies, PwC CybercrimeUS Center of Excellence, PricewaterhouseCoopers LLP, 2010,
[6] Dave, P., (2013), SQL A Career in Database Forensics!, Available at, accessed on 2nd
January 2014.
[7] Fowler, K., (2007), Forensic Analysis of a SQL Server 2005 Database Server, Available at
2005-database-server-1906, accessed on 2nd January 2014.
[8] Kent, K, and Grance, T., (2006), Guide to Integrating Forensic Techniques into Incident
Response, Available at:
[9] Kruse II, W.G., and Heiser, J.G. (2010), Computer Forensics: Incident Response Essentials, 14th
edn, Indianapolis: Pearson Education
[10] Nelson, B., et. al., (2008), Guide to Computer Forensics and Investigations, 3
Massachusetts: Course Technology.
[11] SANS, (2010), Integrating Forensic Investigation Methodology into eDiscovery, Available at:
[12] Venter, J. P., (2006), Process Flows for Cyber Forensics Training and Operations, Available at
[13] Wong, L.W.,(2006) Forensic Analysis of the Windows Registry Available at