Understanding Digital Evidence and Its Types

Digital devices used in cyberattacks and other security breaches store some data about the session, such as the logged-in user, time, type of connection, IP addresses, etc., which can act as evidence for prosecuting the attacker. Digital evidence includes all such information that is either stored or transmitted in digital form and has probative value, thus helping investigators identify the perpetrator.

Digital evidence is present across computing devices, servers, routers, etc. It is uncovered during a forensic investigation while examining digital storage media, monitoring network traffic, or making duplicate copies of digital data.

Investigators must take the utmost care while gathering and extracting digital evidence because it is unique and fragile in nature. This makes it difficult for a forensic investigator to trace criminal activities. Investigators should be trained and versatile enough to extract, handle, and analyze such fragile evidence.

According to Locard’s Exchange Principle, “anyone or anything entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave.” For example, if data from a victim’s computer is stored on the server or on the system itself at the time of the crime, the investigator can obtain that data simply by examining log files, web browsing history, and so on.

Similarly, if a person sends a threatening message via an Internet-based e-mail service such as Hotmail, Gmail, or Yahoo Mail, the browser stores files, links, and other information on the hard disk along with the date and time the message was sent. Forensic investigators can find plenty of digital information related to the sent message on the victim’s hard drive, including the original message.


Digital Forensics Challenges

Forensic investigators face many challenges during the forensic investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence. For example, system data that an intruder can easily change or destroy should be given priority while collecting the evidence. Some of the major challenges faced by digital forensic investigators are discussed here.

Digital evidence is a feature of most criminal cases. Everything is moving in this direction.
– Susan Brenner

Types of Digital Evidence

Cybercriminals rely directly on technology and digital devices to interact with the targeted system or network. Therefore, most of the evidence is present in the devices an attacker uses to connect to a network or to the victim’s computing devices. Digital evidence can be any kind of file stored on a device, including a document, an image, an executable file, and application data. Most of this evidence resides in the storage media of the devices.

Based on the storage style and lifespan, digital evidence is of two types: volatile data and non-volatile data.

1. Volatile Data: Volatile data refers to the temporary data on a digital device that needs a constant power supply and is lost if the power supply is interrupted. For example, RAM stores the most volatile data and discards it when the device is switched off.
Important volatile data includes the system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
2. Non-volatile Data: Non-volatile data refers to the permanent data stored on secondary storage devices, such as hard disks and memory cards. Non-volatile data does not depend on a power supply and remains intact even when the device is switched off.
Information stored in non-volatile form includes hidden files, slack space, swap files, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs.


Characteristics of Digital Evidence

Digital evidence must have certain characteristics to be admissible in a court of law:
  • Admissible: Investigators must present evidence in an admissible manner, which means it must be relevant to the case, act in support of the client presenting it, and be well communicated and non-prejudicial.
  • Authentic: It is very easy to manipulate digital evidence, which raises questions about its ownership. Therefore, investigators must provide supporting documents regarding the genuineness of the evidence, with details such as its source and its relevance to the case. If necessary, they must also furnish details such as the author of the evidence or the path of transmission.
  • Complete: The evidence must be complete, which means it must either prove or disprove the consensual fact in the litigation. If the evidence fails to do so, the court is liable to dismiss the case, citing lack of strong evidence.
  • Reliable: Forensic specialists must extract and handle the evidence while maintaining a record of the tasks performed during the process, to prove that the evidence is dependable. Forensic investigations must be conducted only on copies of the evidence, because the court needs the original evidence for future reference.
  • Believable: Investigators and prosecutors must present the evidence in a clear and comprehensible manner to the members of the jury. They must explain the facts clearly and obtain an expert opinion on them to confirm the investigation process.


Scientific Working Group on Digital Evidence (SWGDE)

Principle 1

To ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective system for quality control.

Standard Operating Procedures (SOPs)

Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and by broadly accepted procedures, equipment, and materials.
Implementing SOPs lets you work to company-compliant policies and plans. It is important that no modifications are made to the SOPs before implementation, so that the desired outputs are achieved. However, if any modifications are required, they must be communicated before an investigation starts.

Standards and Criteria 1.1

All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.
Discussion: The use of SOPs is fundamental to both law enforcement and forensic science. Guidelines that are consistent with scientific and legal principles are essential to the acceptance of results and conclusions by courts and other agencies. The development and implementation of these SOPs must be under an agency’s management authority.

Standards and Criteria 1.2

Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
Discussion: Rapid technological change is the hallmark of digital evidence, wherein the types, formats, and methods for seizing and examining digital evidence change quickly. To ensure that personnel, training, equipment, and procedures continue to be appropriate and effective, management must review and update the SOP documents annually.

Standards and Criteria 1.3

SOPs must be generally accepted in the field or supported by data gathered and recorded in a scientific manner.
Discussion: As a variety of scientific procedures may validly be applied to a given problem, standards and criteria for assessing procedures need to be flexible. The validity of a procedure may be established by demonstrating the accuracy and reliability of specific techniques. In the digital evidence area, peer review of SOPs by other agencies may be useful.


Standards and Criteria 1.4

The agency must maintain written copies of appropriate technical procedures.
Discussion: Procedures should set forth their purpose and appropriate application. Required elements such as hardware and software must be listed, and the proper steps for successful use should be listed or discussed. Any limitations in the use of the procedure, or in the use or interpretation of the results, should be established. Personnel who use these procedures must be familiar with them and have them available for reference.

Standards and Criteria 1.5

The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure.
Discussion: Although many acceptable procedures may be used to perform a task, considerable variation among cases requires that personnel have the flexibility to exercise judgment in selecting a method appropriate to the problem.
Hardware used in the seizure and/or examination of digital evidence should be in good operating condition and be tested to ensure that it operates correctly. Software must be tested to ensure that it produces reliable results when used for seizure and/or examination purposes.

Standards and Criteria 1.6

All activities associated with the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
Discussion: In general, the documentation supporting a conclusion must be such that, in the absence of the originator, another competent person can evaluate what was done, interpret the data, and reach the same conclusions as the originator.
The requirement for evidence reliability necessitates a chain of custody for all items of evidence. This means that proper documentation must be maintained in chronological order for all digital evidence.
Case notes and records of observations must be of a permanent nature. Handwritten notes and observations must be in ink, not pencil, although pencil (including color) may be appropriate for diagrams or for making tracings. Any corrections to notes must be made by an initialed, single strikeout; nothing in the handwritten information should be obliterated or erased. Notes and records should be authenticated by handwritten signatures, initials, digital signatures, or other marking systems.
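The “Reliable” characteristic above (work only on verified copies, keep a record of every task) and the chronological, tamper-evident chain of custody required by Standards and Criteria 1.6 can be demonstrated in code. The following Python example is added here and is not part of the original article or of SWGDE’s materials: it hashes an evidence image, checks the working copy against it, and keeps a hash-chained custody log in which any later edit to an earlier entry is detected. The class and function names, the examiner and case identifiers, and the image contents are all constructed for illustration.

```python
import hashlib, json, shutil, tempfile, time

def sha256_file(path, chunk_size=1 << 20):
    h = hashlib.sha256()  # hash in 1 MiB chunks so a multi-GB image never sits in RAM
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only chain of custody: each entry embeds the previous entry's hash, so deleting or rewriting an earlier record makes verify() fail."""
    def __init__(self, case_id):
        self.case_id, self.entries = case_id, []
    def record(self, actor, action, item, sha256, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = dict(case=self.case_id, seq=len(self.entries), time=time.time(), actor=actor,
                     action=action, item=item, sha256=sha256, note=note, prev=prev)
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]
    def verify(self):
        prev = "0" * 64
        for i, e in enumerate(self.entries):  # chronological order is part of what is checked
            if e["seq"] != i or e["prev"] != prev or entry_digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def acquire_and_copy(original, copy, log, examiner="EXAMINER-01"):
    """Hash the original, create the working copy, hash that too, and log both steps."""
    orig_hash = sha256_file(original)
    log.record(examiner, "acquire", original, orig_hash, "original sealed; hash recorded")
    shutil.copyfile(original, copy)
    copy_hash = sha256_file(copy)
    log.record(examiner, "working-copy", copy, copy_hash, "matches original" if copy_hash == orig_hash else "MISMATCH: copy rejected")
    return copy_hash == orig_hash  # examine the copy only when it is bit-identical

def demo():
    d = tempfile.mkdtemp()  # constructed sample "disk image", not real evidence
    with open(d + "/image.dd", "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed sample sector data" * 64)
    log = CustodyLog("CASE-0001")  # hypothetical case id
    copy_ok = acquire_and_copy(d + "/image.dd", d + "/image-work.dd", log)
    intact = log.verify()
    log.entries[0]["note"] = "edited after the fact"  # silent rewrite of an earlier record
    return copy_ok, intact, log.verify()  # -> (True, True, False)
```

A real log would be written to append-only storage and each entry signed by the examiner; the hash chain here only makes silent alteration detectable, it does not prevent it.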

Standards and Criteria 1.7

Any action that has the potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner.
Discussion: As outlined in the preceding standards and criteria, evidence has value only if it can be shown to be accurate, reliable, and controlled. A high-quality forensic program consists of properly trained personnel and appropriate equipment, software, and procedures that collectively ensure these attributes.

Questions related to this topic

  1. What are the four steps in collecting digital evidence?
  2. How do you handle evidence?
  3. How can email be investigated and used as evidence?
  4. What are some of the problems traditionally associated with finding digital evidence?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

