Forensic Computing

Documents produced electronically now account for an overwhelming share of human communication compared to printed documents. Digital storage of documents is also replacing other conventional methods of storage, and documents are transmitted largely through electronic networks and the Internet. Billions of emails are sent annually, surpassing traditional mail. All these ways of drafting, storing and communicating documents have opened new doors for abuse and criminality. The electronic environment raises new problems for penal systems worldwide.

To take reprehensible acts, crimes and abuses committed in the digital environment to court, it is necessary to present the court with undeniable evidence of these facts. Gathering electronic evidence plays an important role in preventing and combating digital crime. Digital evidence has been defined as any data that can establish that a crime has been committed or can provide a link between a crime and its victim (Casey, 2000). Digital evidence, like normal (traditional) evidence, must pass the tests of admissibility and weight. Admissibility is the set of legal rules applied by judges to decide whether evidence may be used in a court of law.

Weight is the validity and importance of the evidence. Therefore evidence must be admissible, authentic, complete, reliable and believable (Casey, 2011). Following these rules is essential to guaranteeing successful evidence collection. Digital forensic investigators are commonly employed to deal with such cases, and they make use of the principles and procedures for gathering evidence from computer, network, Internet and mobile devices that are set out in the ACPO Good Practice Guide for Digital Evidence, updated in March 2012.

There are therefore four principles that the first responder to the crime must follow. Principle 1: “No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court”. Principle 2: “In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions”.

Principle 3: “An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result”. Principle 4: “The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to” (ACPO, 2012). Digital evidence is often highly volatile and easily compromised by poor handling. Investigators must be able to identify all digital devices that are capable of storing potential evidence.

After identifying the media, the investigator must create a forensic (bit-for-bit) copy of that media without changing its content. It is crucial that the examiner does not violate the applicable laws during the process of recovering data. Examiners must be up to date and demonstrate knowledge of warrants, consent, and how these relate to decisions about what to acquire. Any law violated by an examiner could lead to the exclusion of the evidence by a judge, which can result in a dead end for that investigation (Barbara, 2008).

According to Casey (2011) there are a few questions that an investigator should ask when searching and seizing digital evidence: Does the Electronic Communications Privacy Act apply to the situation? Have its requirements been met? How long may investigators remain at the scene? And what does the investigator need in order to re-enter? These days, in almost every crime, digital evidence is present or potentially present. Every case is different, but there is a general set of rules that should be followed when collecting digital evidence in a criminal case.

Photograph the monitor screen; it is important to capture the data displayed at the time of seizure. Also photograph the system (back and front) and every cable attached to it before it is moved. Take steps to preserve volatile data, and produce images of the disks to work with, preserving the original. After a copy is made, check the integrity of the image to confirm that it is an exact duplicate. The system should be shut down properly and safely. It is recommended to unplug the system and to mark every peripheral collected (Shinder, 2002).
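The two steps above, making a bit-for-bit copy and then confirming the image is an exact duplicate, are usually tied together with cryptographic hashes, and the ACPO audit-trail principle asks that each step be recorded so a third party can repeat it. The following Python is an added illustration written for this page; it is not code from the cited authors or from any forensic tool. It assumes a plain file standing in for the storage device (a constructed sample generated with random bytes), and the function names `acquire_image`, `verify_image` and `sha256_file` are hypothetical. The source is opened read-only and hashed as it is read; the image is then re-read from disk and hashed independently, so the comparison covers what actually reached the evidence drive rather than what was merely buffered in memory. The demo also flips one byte of the image afterwards to show that a later re-verification against the acquisition hash catches the change.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large media never sits fully in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, audit_log):
    """Bit-for-bit copy of `source` into `image_path` with hash verification.

    The source is opened read-only and hashed while it is read; the image
    is then re-read from disk and hashed on its own so the two digests are
    computed from two independent reads. Each step is appended to
    `audit_log` (a list of dicts) as the record the ACPO principles ask for.
    """
    def record(step, **details):
        audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                          "step": step, **details})

    record("acquire.start", source=source, image=image_path)
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes are on the evidence disk before hashing it
    source_digest = src_hash.hexdigest()
    image_digest = sha256_file(image_path)  # independent read of what landed on disk
    verified = source_digest == image_digest
    record("acquire.verify", source_sha256=source_digest,
           image_sha256=image_digest, match=verified)
    return {"source_sha256": source_digest,
            "image_sha256": image_digest,
            "verified": verified}


def verify_image(image_path, expected_sha256):
    """Re-check later (for example before analysis) that the image still
    matches the digest recorded at acquisition time."""
    return sha256_file(image_path) == expected_sha256


def demo():
    """Constructed scenario: a fake 'disk' file, an image of it, then a
    single-byte modification of the image to show re-verification failing.
    Returns (verified_at_acquisition, verified_after_tamper, audit_entries)."""
    with tempfile.TemporaryDirectory() as workdir:
        media = os.path.join(workdir, "suspect_media.bin")  # constructed stand-in for a device
        image = os.path.join(workdir, "suspect_media.dd")
        with open(media, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 1234))  # odd size so the final chunk is partial
        audit = []
        result = acquire_image(media, image, audit)

        # Simulate a later modification of the image: flip one byte in the middle.
        with open(image, "r+b") as fh:
            fh.seek(CHUNK + 17)
            original = fh.read(1)
            fh.seek(CHUNK + 17)
            fh.write(bytes([original[0] ^ 0xFF]))
        after_tamper = verify_image(image, result["image_sha256"])
        return result["verified"], after_tamper, len(audit)


if __name__ == "__main__":
    print(demo())
```

In practice the source would be a block device opened through a hardware write blocker, and the audit entries would be written to a file that travels with the image; the hashing and comparison logic is the same. Using two independent reads matters: hashing only the bytes held in memory during the copy would not detect a write that silently failed on the destination drive.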

Some evidence must be collected while the computer is still running; this evidence is called volatile data. According to Vacca (2002), examples of volatile data are: registers and cache; routing tables; ARP cache; process table; kernel statistics and modules; main memory; temporary file systems; secondary memory; router configuration; network topology.

References

Casey, E. (2000). Digital evidence and computer crime (1st ed.). London: Academic Press.

Casey, E. (2011). Digital evidence and computer crime (3rd ed.). London: Academic Press.

Barbara, John J. (2008). Handbook of Digital and Multimedia Forensic Evidence. New Jersey: Humana Press.