1. You are a digital forensic examiner and have been asked to examine a hard drive for potential evidence. Give examples of how the hard drive (or the data on it) could be used as (or lead to the presentation of) all four types of evidence in court. If you do not believe one or more of the types of evidence would be included, explain why not.
Real evidence is any tangible object that can be placed on the courtroom table and examined by the judge or jury, and it is the most widely used type of evidence (Solomon, et al., 2011). The hard drive itself is real evidence: its casing may carry the suspect's fingerprints or DNA, which ties the suspect to the device before a single byte has been read, and it is the physical source from which every other finding is derived. Documentary evidence is the content of the drive: reports, spreadsheets, database files, e-mail, browser history, system and application log files, and the files specific to the incident. According to Solomon (2011), most evidence in a computer case falls into this category. For example, the drive may hold financial records of money paid for illegal purposes, or the database files and tools the suspect used to commit an intrusion. Demonstrative evidence is material prepared to help the fact finder understand the other evidence, for example a timeline of file creation and modification, a diagram of the partition layout showing where deleted material was recovered, or a chart of when the user account was logged in; photos, video and sound recordings from the drive can also be presented as demonstrative exhibits when they illustrate testimony. Where the images are themselves the contraband, as in a child pornography case, they are the substantive documentary evidence of the offence rather than an illustrative aid. Testimonial evidence cannot be found on the drive, because a drive cannot testify, but the drive leads directly to it: the examiner testifies to how the drive was seized, imaged and analysed, and an expert witness explains to the fact finder what the recovered data means.
2. You have been asked to assist a law enforcement team serving a search warrant related to a child pornography investigation. You are the digital forensic expert for the team, and, as such, have been assigned the task of identifying and collecting the digital evidence at the search location.
A. What steps should you take before the search?
Before the search begins, I confirm that the warrant covers the computers, phones and storage media I expect to find, brief the team on what digital evidence looks like so that nothing is overlooked or switched off, and assemble the kit needed to seize it: camera, evidence bags and labels, write blockers, blank storage media, chain of custody forms, and Faraday bags for phones. On arrival at the scene where the alleged offence took place, the first consideration is the integrity of the scene. First, I make sure the scene is safe for me and the other investigators; this includes checking for any device attached to the machines that could destroy the equipment and its evidence if it is disturbed. Second, I photograph everything as it is found, including screens, cabling and the position of every device. As the investigation proceeds we can refer back to the photographs of the original scene, and they may also record other evidence, such as a young girl's underwear, which is not digital evidence but may be proof of the alleged crime. Third, after photographing the scene, I identify all the important real evidence. For instance, I locate any mobile phones present, keep them powered, and isolate them from the network so that they cannot be wiped remotely.
B. For what types of evidence should you be alert when searching the residence?
The first type of evidence to look for is real evidence, the physical items visible in the room: computers, phones, cameras, storage media, and any notes or notepads, which may record passwords, account names or contacts. The second is documentary evidence such as printed copies of files and financial records. Lastly, I should be alert for the photos, videos and sound recordings themselves, whether on screen, on media or in print: they are the substantive evidence of the offence and the material from which demonstrative exhibits will later be prepared.
C. What types of items would you seize?
Items to seize include computers (laptops and the system units of desktops), mobile phones, printed source documents such as hard copies of files, storage media such as DVDs, CD-ROMs, flash drives, external hard drives, memory cards and magnetic tapes, recording devices such as cameras and webcams, communication peripherals such as microphones and headsets, the cables and power adapters needed to operate the seized devices, and any notes, manuals or software licences found with them. Each item is photographed in place, labelled and bagged, and entered on the chain of custody log at the time of seizure.
1. Describe at least 5 steps in a process to collect digital evidence to the time you testify that you consider important. Please explain why they are important.
The five steps of the forensic investigation process, according to Kumar, et al. (2011), are as follows. The first is identification, which means recognising the device that may contain the digital evidence alleged to have been used for a criminal purpose. It matters because it lets the investigators concentrate on the objects that can actually hold evidence, saving time and avoiding the seizure of irrelevant items. The second is preservation, in which the evidence is protected from being altered or destroyed; for example, a phone is connected to a power source and isolated from the network before it can switch off or be wiped, and the contents of a hard disk or memory are copied, with a hash of the original recorded, before anything else is done. This matters because evidence that has changed since seizure can be challenged in court. The third is collection, in which the real evidence, such as the hard disk, the computer and its input and output devices, is seized, labelled and entered on a chain of custody log for later examination and analysis. A documented chain of custody is what allows the fact finder to be confident that the item presented in court is the one taken from the scene. The fourth is analysis, in which forensic tools are used to work out what the collected material shows about what happened, with every step recorded so that another examiner could reproduce the result. The last is presentation, in which the material identified, collected and analysed is presented in court, together with the examiner's report and testimony, so that the fact finders can reach a decision.
2. You are a witness and I am asking the following question; please answer as if you are on the witness stand. Upon entering the room where the computer was located, what was the first thing you did?
The first thing I did was to photograph the computer in place, so that I can show which computer the evidence was collected from.
3. After seizing the computer evidence, what did you do with it?
After seizing the computer evidence, the first thing I did was to document each item. The next thing I did was to store the items appropriately; for example, real evidence is not stored in a polythene bag, because condensation inside it can destroy evidence such as fingerprints. The next step I took was to send the digital evidence to an expert, if I am not the one doing the analysis, for examination. In doing so, I maintained the chain of custody by recording the name of the person to whom I handed each item and when.
C. Do some research on encryption and steganography and list five (5) examples each of how steganography and encryption or cryptology were used BEFORE the advent of computers. Then, discuss how steganography or encryption could be used legitimately, and why this could cause you a problem as a computer forensic examiner.
Steganography hides the existence of a message. Five examples from before computers: first, the null cipher or acrostic, an ordinary-looking sentence whose surface meaning is innocent but which carries a second message for the intended recipient, for example by reading the second letter of each word to form a different sentence. Second, the use of an agreed symbol: according to the SANS Institute (2001), a bear paw symbol was used to guide escaping slaves, telling them to follow the bear tracks that crossed the mountains. Third, in ancient Persia a messenger had a message written on his shaved scalp and was sent only after his hair had grown back to cover it (Warkentin, et al., 2008). Fourth, a map or diagram whose marked features had meaning only to the intended recipient, used by soldiers to communicate a route, target, meeting point or point of departure. Fifth, blinking: prisoners of war who were filmed by their captors have blinked messages in Morse code, the best-known case being Jeremiah Denton, who blinked the word TORTURE during a filmed interview in 1966.
Encryption hides the meaning of a message rather than the message itself. Five examples from before computers: first, substitution: according to the SANS Institute (2001), Julius Caesar used a shift of three, writing D for A and E for B, for messages to the people he trusted when the message had to be carried by his messengers. Second, transposition: rearranging the letters of a word or message according to a rule, for example writing ogd instead of dog; the Spartan scytale, a strip of leather written on while wrapped around a rod of a particular diameter, is the classic form. Third, a code matrix such as the Polybius square, in which each letter is replaced by its row and column numbers in a five by five grid. Fourth, a grille: a sheet of paper with holes cut in it, laid over the page so that only the letters showing through the holes form the real message. Fifth, writing in a language known only to the sender's own tribe or group, so that an outsider who came into contact with the message could not understand it; strictly this is a code rather than a cipher, but it served the same purpose.
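The two techniques above that a forensic examiner most often meets in exercises, the Caesar shift and the second-letter null cipher, implemented and attacked. This is an added example, not code from the original essay or from any of its sources; the plaintext, the cover sentence and the hidden word are constructed for the demonstration. The brute-force routine is the point: a pre-computer cipher has so few keys that the examiner never needs the key at all.

```python
"""Classical substitution and null-cipher steganography, with a brute-force attack.

Added example. The sample plaintext and cover sentence are constructed for
this demonstration and are not taken from any historical source.
"""
import string


def caesar_shift(text: str, shift: int) -> str:
    """Substitution cipher: move every letter `shift` places along the alphabet.

    Caesar's shift of three turns A into D. Non-letters pass through unchanged
    and case is preserved. Decryption is the same function with a negative shift.
    """
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_brute_force(ciphertext: str, crib: str):
    """Recover the shift by trying all 26 keys and looking for a known word (crib).

    Returns (shift, plaintext) for the first candidate containing `crib`, or
    None if no shift produces it. With only 26 keys there is nothing to guess.
    """
    for shift in range(26):
        candidate = caesar_shift(ciphertext, -shift)
        if crib.lower() in candidate.lower():
            return shift, candidate
    return None


def null_cipher_extract(cover_text: str, position: int = 1) -> str:
    """Steganographic null cipher: read the letter at `position` of every word.

    position=1 is the 'second letter of each word' scheme described in the text.
    Words too short to have that letter are skipped; punctuation is ignored.
    """
    words = [w.strip(string.punctuation) for w in cover_text.split()]
    return "".join(w[position] for w in words if len(w) > position)


def null_cipher_carries(cover_text: str, secret: str, position: int = 1) -> bool:
    """Check whether a cover sentence really carries `secret` at `position`."""
    return null_cipher_extract(cover_text, position).lower() == secret.lower()


# Constructed sample data.
PLAINTEXT = "Attack at dawn"
CIPHERTEXT = caesar_shift(PLAINTEXT, 3)   # "Dwwdfn dw gdzq"
COVER_SENTENCE = "Of all we see."          # second letters spell "flee"

if __name__ == "__main__":
    print("Caesar shift 3:", CIPHERTEXT)
    print("Brute force with crib 'dawn':", caesar_brute_force(CIPHERTEXT, "dawn"))
    print("Null cipher hidden word:", null_cipher_extract(COVER_SENTENCE))
```

The contrast with modern encryption is the examiner's problem: a 128-bit AES key space cannot be searched the way the 26 Caesar keys are, and a null cipher only gives itself away if the examiner already suspects which file is the carrier and which rule selects the letters.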
In modern use, encryption and steganography have many legitimate purposes. Encryption protects confidential data on laptops and phones (full-disk encryption), e-mail and messaging, and online banking and commerce, and businesses are often required to use it to protect customer data. Steganography is used legitimately for digital watermarking, to embed copyright or ownership marks in images, audio and video. The same techniques create problems for the digital forensic examiner. Encrypted data cannot be read without the key: if the suspect will not provide the passphrase and the key cannot be recovered, the evidence stays out of reach even though the investigator holds the drive. Steganography is worse in one respect, because it hides the existence of the message, so the examiner may not realise that a carrier file contains anything and may never look for it; detecting it requires statistical analysis of the carrier files or comparison with known originals. In addition, the examiner works under legal constraints: a search must be authorised by a warrant whose scope covers the data being examined, and the investigator must be able to state the basis for believing that a particular device or file holds evidence of the crime, or risk being accused of infringing the suspect's constitutionally protected right to privacy and having the evidence excluded.
D. Discuss why you need to use a write blocker (either hardware or software) in your examinations, whether for a criminal case or a corporate case.
As a digital forensic investigator, I use a write blocker so that I can acquire the contents of a drive without altering them. The blocker passes read commands through to the drive but intercepts write commands (Solomon, et al., 2011). Without it, simply attaching the drive to a workstation can change it: the operating system may update last-accessed timestamps, write file-system journal entries, or create index and thumbnail files, so the evidence would no longer match what was seized and the hash taken at seizure would no longer verify. A hardware blocker sits between the drive and the workstation; a software blocker is a driver or operating-system setting that refuses writes to the device. Either way, the write blocker is needed in both criminal and corporate cases, because in both the examiner must be able to show that the copy analysed is identical to the original.
Also, imagine you are a computer forensic examiner receiving a suspect hard disk drive from a detective in your department. The drive was seized properly during a legally executed search warrant. The detective signs the chain of custody log and hands you the drive. Your job is to accept the drive, conduct an analysis, and maintain the drive until trial. Please explain the steps you would take, from receipt until testimony, including the reasons why you would take each step. For example, what would you check for when you sign for the drive on the chain of custody?
When I sign the chain of custody log, I check that the drive in my hands matches the description on the log (make, model, serial number and evidence tag), that the evidence bag or seal is intact, and that the drive shows no physical damage; I record its condition and the time of receipt, and if it is damaged I have it repaired or handled by a specialist before any data is accessed. The second step is to make a forensic duplicate of the drive behind a write blocker (Schwarz, 2004), computing a hash of the source and of the image and verifying that they match, because the hash is what later proves that the copy is identical to the original. The original drive is then labelled, entered in the evidence log and stored securely, so that it is available for re-imaging if the need arises; all analysis is done on the copy, never on the original. The next step is the analysis itself, in which I document every tool, version and step I use so that another examiner could reproduce the result, relying on validated forensic hardware and software. The acquired image is protected from alteration by keeping it on read-only or access-controlled storage with its hash recorded, so that it can be re-verified at any time. The last step is writing a report of the findings and retaining the drive, the image, the hashes and all notes under the chain of custody until I am required to produce the report and testify in court.
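The acquisition procedure described in the two answers above (write-blocked read, block-by-block duplication, hash verification, chain of custody entry), as an added example. This is not code from the original essay or its sources, and it does not talk to a real device: the "drive" is a constructed in-memory byte buffer, and the write blocker is a software analogue of the hardware device, so the example runs offline. The tamper check at the end shows the failure mode that the hash exists to catch.

```python
"""Forensic duplication behind a software write blocker, with hash verification
and a chain-of-custody record. Added example; the 'drive' is a constructed
in-memory buffer standing in for a real block device.
"""
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 4096


class WriteBlocked:
    """Software write-blocker analogue: reads pass through, writes are refused."""

    def __init__(self, device):
        self._device = device

    def read(self, size=-1):
        return self._device.read(size)

    def seek(self, offset, whence=0):
        return self._device.seek(offset, whence)

    def write(self, data):
        raise PermissionError("write blocked: evidence device is read-only")


def sha256_of(stream, block_size=BLOCK_SIZE) -> str:
    """Hash a stream from its start, block by block, without loading it whole."""
    stream.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(block_size), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, block_size=BLOCK_SIZE):
    """Copy source to image block by block, hashing the source as it is read.

    Returns (source_hash, image_hash). The image hash comes from re-reading the
    finished image, so a copy error or short write shows up as a mismatch.
    """
    source.seek(0)
    src = hashlib.sha256()
    for chunk in iter(lambda: source.read(block_size), b""):
        src.update(chunk)
        image.write(chunk)
    image.flush()
    return src.hexdigest(), sha256_of(image, block_size)


def verify_bytes(data: bytes, expected_hash: str) -> bool:
    """Re-verify image data at any later time against the recorded hash."""
    return sha256_of(io.BytesIO(data)) == expected_hash


def writes_are_blocked(device_bytes: bytes = b"") -> bool:
    """Demonstrate the blocker: True if an attempted write is refused."""
    try:
        WriteBlocked(io.BytesIO(device_bytes)).write(b"tamper")
    except PermissionError:
        return True
    return False


def custody_entry(item_id: str, action: str, handler: str, digest: str, when=None) -> dict:
    """One line of the chain of custody log: who did what to which item, when,
    and the hash that identifies the data at that moment."""
    when = when or datetime.now(timezone.utc)
    return {"item": item_id, "action": action, "handler": handler,
            "sha256": digest, "time": when.isoformat()}


# Constructed sample 'drive': 10 KiB of deterministic bytes.
SAMPLE_DRIVE = bytes(range(256)) * 40


def run_acquisition(drive_bytes: bytes = SAMPLE_DRIVE, examiner: str = "examiner"):
    """Image a drive behind the write blocker; return (image_bytes, hash, log)."""
    evidence = WriteBlocked(io.BytesIO(drive_bytes))   # hypothetical item HDD-001
    image = io.BytesIO()
    src_hash, img_hash = acquire_image(evidence, image)
    if src_hash != img_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    log = [custody_entry("HDD-001", "received", examiner, src_hash),
           custody_entry("HDD-001", "imaged", examiner, img_hash)]
    return image.getvalue(), img_hash, log


if __name__ == "__main__":
    data, digest, log = run_acquisition()
    print("image sha256:", digest)
    for entry in log:
        print(entry)
```

On a real case the source is the block device behind a hardware blocker and the image is a file on the examiner's storage; the logic is the same, and the hash recorded in the custody log is what is re-computed before testimony to show that nothing changed in the meantime.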
Kumar, K., Sofat, S., & Aggarwal, N. (2011). Identification and analysis of hard disk drive in digital forensic. International Journal of Computer Technology and Applications, 2(5).
SANS Institute. (2001). "Steganography: Past, Present, Future." Accessed March 29, 2016. https://www.sans.org/reading-room/whitepapers/stenganography/steganography-past-present-future-552
SANS Institute. (2001). "History of Encryption." Accessed March 29, 2016.
Schwarz, T. (2004). "Computer Forensics: Unix File System." Accessed March 29, 2016. http://www.cse.scu.edu/~tschwarz/coen252_04/Lectures/FPHarddrive.html
Solomon, M. G., Rudolph, K., Tittel, E., Broom, N., & Barrett, D. (2011). Computer Forensics JumpStart. John Wiley & Sons.
Warkentin, M., Bekkering, E., & Schmidt, M. B. (2008). Steganography: Forensic, security, and legal issues. The Journal of Digital Forensics, Security and Law: JDFSL, 3(2), 17.