Technology has spread rapidly in recent years. The Internet and computers now pervade our daily lives, and the harm caused by computer crime is increasing at an alarming rate. Unfortunately, there is a shortage of information on what computer crime actually is and how it can be dealt with properly. This lack of information has allowed such crimes to multiply, at great cost to society every year (Britz, M. T. 2008).
The emergence of computer forensics is an attempt to meet this challenge by providing a secure and effective means of investigating computer-related crime. This research paper is meant as a guide for computer investigators on how to apply computer forensics. It also addresses the issues and questions that matter when investigating computer-related crime, and details proper methods for the search and seizure of physical computer evidence and for the discovery of logical computer evidence.
Setting the scene
Websites are defaced, denial of service attacks are frequent, and e-commerce sites are wrecked and plundered. Note that this is only the tip of a very large iceberg. For several years now, IT (Information Technology) operations have fallen victim to computer abuse and fraud from both outside and inside their network borders. Incidents ranging from malicious data destruction and unauthorized access to hacking, logic bombs and the disclosure of confidential information have been a constant challenge to IT professionals (Saferstein, R. 2001). In the annual computer crime survey carried out by the FBI and the Computer Security Institute, only 51 to 52% of the 1999 respondents could state that they had suffered a financial loss because of computer crime (Britz, M. T. 2008). Even more striking, only 31% of the respondents could put a dollar figure on the loss they had incurred, which means that the $123,779,000 of losses reported in the survey was merely a lower bound for the participants alone.
A similar survey carried out in 2000 found that 74% of respondents acknowledged financial losses due to computer crime, while the 42% who could quantify them reported losses amounting to $265,589,940. The basic reason the IT industry has difficulty assessing and accounting for the cost of computer crime is that there is not enough information about computer crime and how to investigate it. In its white paper on computer crime, the ICSA (International Computer Security Association) points out that most computer crimes are never detected by their victims, and that of those that are detected only a small number are reported (Saferstein, R. 2001). People today face a situation that greatly increases the risk and cost of using information equipment and services. A question many people ask is: what is the difference between computer abuse and computer fraud? Computer abuse occurs when someone violates an organization's policy on computer use, whereas computer fraud involves criminal acts committed by means of a computer.
Where computer crime is concerned, a person who violates Title 18, section 1030 of the United States Code (the federal computer fraud statute) can be fined heavily or sent to prison for many years, whereas computer abuse may result in a reprimand, demotion or even termination of employment. Without the know-how to investigate computer abuse and fraud, solving computer crimes is nearly impossible. Computer crime has therefore become more damaging and dangerous, and a new field called computer forensics has emerged to address computer abuse and fraud.
Basics of Evidence
Computer forensics deals with the collection of evidence from computers and the use of that evidence in legal proceedings. The evidence collected is both physical and logical, and may include media and hardware components that contain data. The physical side of computer forensics is the search and seizure of computer evidence: the specialist visits the crime scene, searches for evidence and takes into custody the media and hardware components involved in the crime (Saferstein, R. 2001). The logical side deals with extracting data from the relevant sources of information. This aspect is also known as information discovery, and it normally involves a specialist retrieving data from a database, searching the network, examining log files, and so on. There is also a defining concern that forensic science grapples with regarding evidence: the investigator must be able to derive information from the evidence without changing the original state of that evidence. Moreover, the original state of the evidence must be maintained throughout the investigation and thereafter. The value of the evidence depends on how properly it has been preserved. There are times when preserving the original state of evidence proves difficult; a change of just a few bytes can have dire consequences for an entire investigation. Computer forensic specialists use what is called a chain of custody to safeguard the evidence collected in an investigation. Basically, this is a method of accounting for every person who has handled or had contact with a piece of evidence at a given time, and for any change or alteration made to it.
In short, it is a method of demonstrating whether the evidence has been tampered with or damaged while in the investigator's care. Any failure to validate the chain of custody of a piece of evidence can cast doubt on the accuracy and integrity of that evidence and the analysis performed on it as
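The paragraph above describes the two requirements in prose: the original evidence must not change, and every handling of it must be accounted for. The following Python example, added here as an illustration and not taken from the paper or any of its cited sources, shows one common way of meeting both requirements: a cryptographic hash (SHA-256) is computed at acquisition and re-computed at every custody transfer, so that a change of even a single byte is detected and attributed to the handling step in which it appeared. The `EVIDENCE_IMAGE` bytes, the case identifier and the examiner names are constructed sample data; the hashing step is a standard practice that the paper itself does not name.

```python
"""Evidence integrity plus chain-of-custody log, hash-verified at every transfer.

Added example (not from the paper). Uses SHA-256 as the evidence fingerprint;
the sample image, case id and handler names are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an evidence image. Any altered byte yields a different digest."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str          # when the transfer/handling happened (UTC, ISO 8601)
    handler: str            # who had the evidence
    action: str             # what was done with it
    observed_hash: str      # digest re-computed at this step
    matches_acquisition: bool  # does it still equal the acquisition digest?


@dataclass
class ChainOfCustody:
    case_id: str
    acquisition_hash: str
    entries: List[CustodyEntry] = field(default_factory=list)

    @classmethod
    def acquire(cls, case_id: str, handler: str, image: bytes) -> "ChainOfCustody":
        """Start the chain: hash the image once at seizure and log the first custodian."""
        chain = cls(case_id=case_id, acquisition_hash=sha256_hex(image))
        chain.record(handler, "acquired", image)
        return chain

    def record(self, handler: str, action: str, image: bytes,
               when: Optional[datetime] = None) -> CustodyEntry:
        """Log a handling step, re-hashing the evidence as it is at that moment."""
        observed = sha256_hex(image)
        entry = CustodyEntry(
            timestamp=(when or datetime.now(timezone.utc)).isoformat(),
            handler=handler,
            action=action,
            observed_hash=observed,
            matches_acquisition=(observed == self.acquisition_hash),
        )
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        """True only if every logged step saw the evidence unchanged."""
        return all(e.matches_acquisition for e in self.entries)

    def first_break(self) -> Optional[CustodyEntry]:
        """The earliest step at which the digest no longer matched, if any."""
        return next((e for e in self.entries if not e.matches_acquisition), None)

    def to_json(self) -> str:
        """Serialisable record suitable for filing with the case."""
        return json.dumps(asdict(self), indent=2)


# Constructed sample "disk image" standing in for seized evidence (not real data).
EVIDENCE_IMAGE = b"DISK-IMAGE-0001\x00" + bytes(range(256)) * 4


def demo():
    """Walk the evidence through three custodians; the last one returns a modified copy."""
    chain = ChainOfCustody.acquire("CASE-2008-001", "examiner A", EVIDENCE_IMAGE)
    # Lab check-in: the original is untouched, so the digest still matches.
    chain.record("examiner B", "checked into evidence lab", EVIDENCE_IMAGE)
    intact_before = chain.is_intact()
    # A single flipped bit (e.g. a careless write to the original instead of
    # a working copy) is enough to break the chain and is pinned to this step.
    tampered = bytearray(EVIDENCE_IMAGE)
    tampered[40] ^= 0x01
    chain.record("examiner C", "returned after analysis", bytes(tampered))
    return chain, intact_before


if __name__ == "__main__":
    chain, before = demo()
    print("intact after lab check-in:", before)
    print("intact after analysis return:", chain.is_intact())
    print("first break:", chain.first_break())
    print(chain.to_json())
```

In practice the analysis in step three would be done on a verified copy while the original stays sealed, and the custody record would be signed or stored where the examiners cannot silently edit it; the example only shows the integrity check that makes the break detectable and attributable.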
Tools and skills used in Computer Forensic
Computer forensics differs from other forensic activity: handling and preserving the evidence of a computer crime requires tools and skills drawn from both computer science and traditional forensics. If the evidence is mishandled, or the chain of custody is weak or misleading, the forensic evidence may be deemed useless. At the same time, computer evidence is inherently complex and volatile in its own particular way. It is complex because it can come from many different computing resources and from any level of operation, from machine language up to metadata. It is volatile because it can be altered or destroyed digitally with ease, and usually without detection. This clearly means that the computer fraud investigator must use tools and skills tailored to the job.
To be effective, a computer forensic investigator must be conversant with computer information systems. The investigator should understand the administration of different computer systems and have knowledge and skills in computer security. He or she should also understand databases, computer functions and operating systems, and have a basic grasp of concepts such as distributed computing, computer organization and database architecture. In addition to these skills, the investigator must possess the deductive and imaginative skills needed to solve cases.
The tools required to investigate computer-related crime are relatively straightforward and consist of both hardware and software. On the hardware side, a highly secure evidence preservation lab is needed. The lab should have enough physical space to let the investigator perform a range of tasks and interact and experiment with a variety of computing environments (Michael G. Solomon, D. B. 2005). A computer forensic lab may include token ring LANs, Ethernet PCs, tape backup systems, Linux and UNIX workstations, CD writer/reader systems, high-capacity removable media, drives and blank media. A notebook computer is also needed for taking notes outside the lab, so that the computer fraud and abuse specialist can analyze and store data while in the field.
The software used to investigate computer crime and in the evidence preservation lab is equally vital. It includes operating systems, database systems, archiving programs to run the tape backup and CD writer/reader systems, and a case management system. The case management system is an important part of the analytical process, because it gives the investigator a medium for storing case observations and information on all the parties involved. Ideally, case data should be stored and handled securely: it must be strongly encrypted whenever it is archived or transmitted, and access to it must go through robust authentication.
Another software tool is the GNU/Linux operating system. Because its source code is open and the software running on it can be inspected, Linux reduces the risk of relying on software whose behaviour cannot be verified. This is particularly significant for computer forensics, since it means Linux provides a relatively safe, robust and feature-rich platform to work on. Installing Linux in the evidence preservation lab is an excellent way to gain access to a great deal of valuable software (Michael G. Solomon, D. B. 2005).
Britz, M. T. (2008). Computer Forensics and Cyber Crime: An Introduction. New York: Prentice Hall.
Computer Forensics, Computer Crimes. Available from http://www.ncjrs.gov/App/Publications/abstract.aspx?ID=76640 (retrieved 24 November 2008).
Solomon, M. G., D. B. (2005). Computer Forensics JumpStart. Michigan: Wiley.
Saferstein, R. (2001). Criminalistics: An Introduction to Forensic Science (2nd ed.). A-Z Publications.