Forensic investigation - Essay Example

Currently, the number of crimes committed has been increasing with the technology applied continuously advancing. This has raised concerns among various stakeholders. Forensic investigation has been playing a significant role in identifying the criminals. This is achieved by the use of a well-defined strategies and equipped laboratories. Computer Forensic Process: a guideline for best practices is sequence of steps or set of procedures, which plays a very important part in supporting the forensic examiner to protect the digital evidence. By protecting the evidences, the examiner builds a strong case and avoids dismissal of the case in the court. This paper focuses on creating a manual that helps the forensic examiners in the lab to avoid committing any mistake while they are dealing with the digital evidence. The process that the examiner should follow when he receives case: check the investigator needs, document everything about the case, fill chain of the custody, resize the evidence, and store it; make verification for the lab tools and software has to check that it works properly and clearly outlined. In addition, they take images for the original hard drive by using different software and check the MD5. Finally, they store the original hard drive, and do peer’s review for the investigation using checklist of all required steps. This field having not been fully explored, the results of this project are fundamental in future research. Introduction Now days, because of the development and use of technology everywhere, criminals are using them to hack systems and to steal private information or money. This means, we have moved from traditional crime to digital crime. Around 80% of crimes contain digital evidence, which means criminals use technology in their crime such as desktop computers, internal hard drives, laptop, external hard drives, and other digital devices1. All of these items are important and contain valuable information, which should be handled correctly to protect, and save the evidence. Computer forensic is different from other forensic science because it is in its development stage. Currently, there is no sufficient knowledge about how to handle the evidence and fewer standards about the best practice to protect the digital evidence in forensic examination are available. Despite this, forensic examiners have to go through many steps to get the valuable information from digital evidence without contaminating it. Therefore, Forensic examiner should have well defined manual that help them to understand the process and procedure that should be followed in order to avoid committing any mistake while they are dealing with the evidence. By protecting the evidences, the examiner builds a strong case and avoids dismissal of the case in the court. Challenges such as lack of sufficient research materials are encountered in the project. Despite this, the available material are sufficient to brainstorm on in order to realize the formation of a manual that will help a great deal in improving digital evidence testing in forensic laboratory. In the preparation of the manual, various contents of the entire project are taken into consideration. In the accreditation of any forensic lab under ISO 17025, the lab should have reliable manual and other facilities to ensure its tests results are reliable. For this to be achieved, the various steps involved in laboratory testing must be clearly outlined in a well understandable manner to ensure that they do not raise any ambiguity. In UAE, there is no international or national stander for manual, which can be used in Digital Forensic Lab. This has necessitated the conduction of such researches. The manual include the process that the examiner should follow when he receives case: check the investigator need, document everything about the case, fill chain of the custody, resized the evidence, and store it, make verification of tools and software. In addition, it analyzes images for the original hard drive by using different software and checks the MD5, store the original hard drive, do peer’s reviews for what he has done, and check a pre-defined checklist of all required steps.  Literature Review Each Digital Forensic Laboratory should have a manual that the examiner can use to be able to handle the digital evidence without causing damage or alteration to the original evidence so that Court cases are rejected based on provision of insufficient digital evidence. The entire process of preparing forensic evidence includes protection, recognition, extraction, understanding, and documentation for computer evidence. To make it a success, examinations in digital forensic need some method and technique to collect the information from the evidence, software, or tools for acquisition and analysis, and protection of the digital device that is used as evidence in a court of law2. According to International Stander of ISO/IEC 17025, for Lab to be accredited under ISO 17025, it should create manual for technical procedure, examination, and verification3. This has brought forward the need for preparing of a standard manual for use by various forensic investigation laboratories. In the investigations, the original evidence availed should not be altered under any conditions. This ensures that the evidence provided is able to hold in the proceedings of the cases. To many people, their perspective is that the examiner should carry out his examination using the evidence itself. Contrary to this, the examiner should work on the image not on the original evidence and should protect the original evidence while he is doing the image so the original is not damaged or altered. Therefore, guidelines should be established for the examiner to be able to know how to receive, process, document, and handle evidence and work products associated with the examination4.  Prior to undertaking any forensic examination, all the necessary tools and equipment should be prepared in advance to reduce chances of inconveniences arising. This usually entails making some text for the software and tools that the examiner will use for making image.By this, the examiner will make sure that the tools and software, which has been used, did not make damage or change to the original digital device while it is imaging5.  According to Guo, there is very little good practice guide for validation and verification of digital evidence and tools. Furthermore, Scientific Working Group on Digital suggested general guidelines for validation testing of tools6. As a result, various groups such as CART, SWGDE, TWGDE, and NIJ have been working together and discussing the need for standardization7. There are various steps involved in the preparation for undertaking a digital forensic investigation. The examiner should wipe the media that will contain the E01 file for the evidence, which is the image. In addition, he should verify the wiped media and make format before use it. In addition, the examiner should check the BIOS for the evidence to check the boot sequence and data/time. Moreover, the examiner should check the image “E01” MD5 and match it with the original evidence. To ensure effectiveness in the entire process, the examiner should run hash check for the files to identify the known file. In addition, for any new case, examiner should define the export and folders that will provide location for export document or image8.  Despite the field being quite old, there are various challenges that have been encountered in its modification. Currently, the technological advancement is being used by criminal in order to try to leave no trace after committing the crime. This has posed great challenge in digital forensic investigation. In addition, there is very little good practice guide for validation and verification of digital evidence and tools. In response to this, various opinions have been brought forth by various stakeholders. In some cases, they have been contradicting and thus detailed analysis is necessary. In digital forensic investigation, validation of the data is very crucial. According to SWGDE, “validation test for forensic hardware and software is very important and there is methodology for doing the validation”9. The test should include the work that the software or hardware do, the way that the test has been done, and the test result. After getting the result, documentation in a manner presentable to the courts is necessary. This is then followed by comparison of the result and the original evidence. There are various manuals available to various labs for use during their investigations. There are universal guides that can be used in Forensic Lab or help the different Labs to create their own manual according to the condition at hand. These manuals provide systematic guidance on how to undertake the investigation. Some of the most important consideration to be taken into account includes the way of seized the evidence, the equipment that are need to do this job, the software that can be used to make image, preparing drive for the image, using write blocker, and preparing the workstation10 .  It is very important to make test for forensic tools to make sure that it works properly. One of the tools that need to be tested is the write blocker to make sure that it prevents any command to be written on the original device while making image, and these paper discuses some methodology for testing the write blocker.  It is undeniable that the role played by write blocker is very valuable in forensic investigation. As a result, there have been various investigations that have always been strived towards continuously improvement. NIST explains the method that can be used to make test for the write blocker and if it is working properly. It explains the methodology of doing that by sending some command to the machine that connected to the write blocker and watch the result if the write blocker prevents writing on the machine or not11.  According to Philip Craiger, there is some major component for computer forensic procedure which is make copy for the original evidence, verify that the copy match the original and work on the copy to avoid causing any change to the original evidence. In addition, it mentions that the examiner should document everything about the computer such as serial number, model, manufacture, and anything attached to the computer. Moreover, take photo for the evidence from different angle and label the evidence12.  According to James R. Lyle, for law enforcement, it is very important to make test for forensic tools to make sour that it work properly. One of the tools that need to be test is the write blocker to make sour that it prevent any command to be written on the original device while making image and this paper discuses some methodology for testing the write blocker13. Methodology In this project, I plan to create a manual that can be used in Digital Forensic Lab to make work easier and avoid mistakes. The manual will be organized as follows: a flow chart for the process and procedure that examiner should follow. This flow chart gives the examiner general idea about what he should do when he receives a case and what he should do when he is imagining the original hard drive so he does not damage the digital evidence or alter it. To create the flaw chart I use Microsoft office Visio 2007. In addition, to prepare thumb drive to use for the software verification, I use Encase version 6.16 and Winhex version 15.4. Encase is primarily used to make wipe for the 2GB Thumb drive that I will use for software verification. The entire process is long and thus has to be divided into various parts. First, I install Encase on the test machine and connect the Encase dongle to the machine. After that, I add the thumb drive that I want to wipe on Encase by going to tools and then wipe drive. It is important not to open the drive when one wants to wipe because the wiping process will not work if the drive is open. This process takes about ten minutes, after which a pop up message telling that it has finished the wipe, and verify it pop up appears on the screen. The purpose of wiping the thumb drive is to have empty drive that I can put what I want to use for software verification. After that, I used Winhex software to check that the wipe for thumb drive has been done correctly. I add the wiped thumb drive to Winhex and do 64 checksum on it. After five minutes, a pop up message containing zeros appears, meaning the drive has been wiped correctly. Then, I double click on my computer icon and go to the thumb drive to format it with FAT file system to be able to put some file. Then, I add one picture named study-pic and one text file named delete and delete it permanently by holding shift+delete. In addition, I open Winhex, select the thumb drive as physical media, and add sentence “good job” in unallocated space. After that, I make calculation for MD5 for the thumb drive, deleted text file, and the picture. Then, I put the result on the software verification form to use it when I make verification for the software (Encase, FTK, X-ways, FTK imager). The MD5 results were the following thumb drive: 4F7C434FF53390B17AAFA31D24276413, study-pic: 1b9c396d8b38550a1752bb3b48257c27, delete.txt: 49f68a5c8493ec2c0bf489821c21fc3b. I create ghost CD by install Symantec ghost and burn it on CD. This is useful in explaining the ghost steps that I will put in the manual. I restart my machine to enter the BIOS settings and change the boot sequence to boot from CD. Then, I connect external hard drive to put my ghost image on it and take photo for all the steps to put it on the manual. In the manual, I divide the ghost process in two types: first, one is “To” image and the second one is “From” image. To give clarity, I divide the manual to different section each one containing information and steps about the procedure that the examiner should do making it easy to use.  First section in the manual contains the process and documents that the examiner should do or fill when he receives case. For example, sign chain of custody, take photo for the sized evidence before and after open it, label the evidence, and take photo for any damage. Also, fill the entire document which is related to the case which contain computer type, damage, computer condition, computer serial number, operating system, and hard drive information. To create these forms and document, I use Microsoft software and look to the forms that have been done by others researchers such as NIST, SWGDE, and Guidance Software to get ideas about what should be include on the forms that the user will use while he is doing the verifications.  Second section contains the steps of preparing the target drive, which includes wiping the drive to put the image that will be taken from the evidence hard drive. Moreover, explanation of the purpose of using target drive and why the examiner should wipe the target drive before using it. To do this step I use Omni wipe and Encase version 6.16 to wipe hard drive. After that, I use Winhex to verify that the hard drive has been wiped correctly and the result should be zeros. Then, I put file system for the target drive by going to my computer and formatting the drive as NTFS file system.  Third section is about making ghost for the machine that the examiner will use to make the image for the original device and analyze the image. In addition, this section explains the purpose of making ghost and the two types of ghost, the difference between the two types and, when the examiner should use each one.  The fourth section includes verification of the write blocker and the process of how to make sure that it is working correctly. Then, explain the purpose of using write blocker while making image for the original drive, explain the two types of write blocker (for example, Hardware and Software Write Blocker) and steps of how to use each one. To make this step, I use USB software write blocker and USB hardware write blocker TABEALU. In addition, I prepare one USB and wipe it by Encase version 6.16 to put picture calculated from MD5: F6866C6FD0AA779763566CBA9A25C620. After that, I test both write blockers by trying to delete or add something on the USB and make print screen for all the steps to include it on the manual. After which, I use Winhex version 15.4 to check if the MD5 for the USB changed or not. If no changes are observed, then the write blocker works correctly.  Fifth section includes verification for three types of software (example, Encase, FTK Tool Kit, FTK imager, and Xways). To make the verification, I check the image MD5 to confirm if there is a picture or deleted file, and look for sentence “good job” in unallocated space. Moreover, it includes the purpose of doing verification for the software and the steps of how to do verification for each of these softwares.  Last section contain checklist that the examiner should go through to make sure that he does all the steps to protect the original device and has good image. This checklist has been creating by use Microsoft office 2007.  Conclusion Digital evidences are found in different types of crime because many people now days use technological gargets such as computer and laptop in most of their undertakings. In the recent past, these forms of crimes have been accelerated bringing forth the necessity for continuous improvement of the already implemented structures of investigations. In a bid to cover up for any traces, the criminals have been improvising various strategies. As a result, the undertaking of digital forensic investigation has been requiring continuous improvement in order to be able to identify the criminals. The process of investigation in the laboratory is very demanding and thus has to have well outlined strategies carried by experienced personnel. The manual provides such guidelines. These manuals can be accessible from specified locations but for such laboratories, it is important to create manual for handle digital evidence to make the work in Digital Forensic Lab easier and efficient. Before undertaking the process, it is necessary to look at the need for creating manual to be used on lab because there is no international stander for manual that explain the procedure that should be done to verify the hardware and software that is used for examination. The research project has been structured to be able to obtain the effective structure of the manual that could be used in digital forensic investigation not only in this country but also worldwide. Accreditation by ISO/IEC17025 is necessary and the manual has been prepared taking into consideration all the requirements. The entire process of examination has been explicitly outlined to ensure that the evidence provided from the samples is viable to be used in court cases. Read More