As define by Sammons, (2), forensic is a method of applying science to solve legal problems. Therefore, digital forensic involves applying computer science during investigation procedures and analyzing digital evident for use during legal litigation. As the field involves dealing with hard drives present in all computers, there is a major challenge to keep updating the general practices used in investigations especially when dealing with volatile data found in computer memory. Investigators are facing a challenge of developments of computer systems and the increasing trend of organized criminals who pose a threat by making forensic duplicates in computer software (Casey 3). Digital investigations can be facilitated by developing and preserving volatile data which includes encrypted volumes locked when the computer shuts down, passwords and running programs that a suspect could be using. In order to acquire the forensic duplicate with full memory content, there has been the development of mobile device forensics, memory forensics and network forensics to enable practitioners to obtain meaningful information. In addition, forensical sound authentication process needs to be supported by use of unique IDs and MD5 hashes of obtained data. These unique properties ensure authentic documentation of the evidence since they contain detailed records of the person responsible for transporting and transferring the evidence at any time (Casey 4). Care should be necessary when processing the digital evidence to avoid misidentification, contamination of the evidence, or loss of pertinent elements such as the metadata (Casey 5).
In an effort to carry out a comprehensive and reliable investigation, the company needs to understand the underlying techniques used by the suspect to commit a crime through frauds, steganography, data hiding, stealing of credit card’s information and extraction of encrypted data. The company also needs to learn how it can retrieve the evidence from emails that can proof that the suspect is guilty of an illegal act. Since fraud involves a series of legitimate transactions that can be difficult to detect, Enterprise Resource Planning (ERP) systems can help to prevent fraud by use of policies and internal controls. However, policies are not effective in case of multi-transaction frauds and insufficient staffs.To prevent fraud, fraud scenarios and intrusion scenarios can be used to detect fraud by separating semantic aspects of signatures of the fraud from the configured aspects (Peterson, Shenoi 144). Steganography is detectable by use of Access Data, which in turn creates Forensic Toolkit (FTK) product. The product has a number of digital signatures or the MD5 hacker tools that can include the steganography tools. CCE then uses the FTK to make a clone of suspect’s laptop (Doherty 249). The use of Small Web Format (SWF) files can detect data hiding crimes which depend on the observation that the (SWF) has an End tag that indicates the end tag of the file (Peterson, Shenoi 248). Criminal profiling and data mining can help to prevent stealing of credit cards. Data mining involves techniques such as deviation detection, social network analysis, entity extractions and clustering techniques. (Hajankhami, David Watson, Me, Leonhardt 557). Encrypted data in the server providers is retrievable by use of Data token which contains the suspects ID and it normally links with the encrypted data (Weerasinghe 70)
Steps when approaching the digital crime scene
The first and the most important initiative is to identify the potential and significant physical evidence whether small or large, at the scene of the crime. In this stage, the investigators look for evidence exchange. They follow trails the offender leaves when commissioning the crime and connect the perpetrators to the victim and the crime scene to detect evidence exchange. Attackers may leave multiple traces of registry, network level logs and system logs. They can also use again elements of crime scene such as P11, stolen user passwords in the file system (Casey 16). Another step involves examining evidence characteristic; class characteristic and individual characteristics (Casey 17). Furthermore, the digital evidence should pass through examination and preservation in a forensic sound manner so that it can be useful in the investigation (Casey 19). The recovered evidence should pass through authentication process to ensure it is the same as the original data seized at the scene of the crime (Casey 20). The collected digital evidence must pass evidence integrity test to make sure there are no alterations made. For example, comparing digital fingerprints (Casey 22). Lastly, the cornerstone of the forensic evidence is objectivity. The investigator should interpret and present evidence that is free from bias for the decision makers to have a clear view of the presented facts (Casey 24).
Steps when handling the digital evidence
The first step is to remove the suspect from the computer. The best plan to handle the digital evidence depends on the principle that the program is only present when collecting the evidence due to its volatile nature. For example, the suspect can format the hard drive making it too difficult to retrieve the data (Moore 206). As soon as the suspect is away from the scene of the crime, the investigator should secure the scene for the purpose of documentation. In addition, the recommended personnel can take pictures using digital camera in case the suspect plans to pursue a jury trial (Moore 207). Disconnection for possible control of digital evidence outside the crime scene should take effect. An outside investigator must make ensure the computer under investigation does not connect with internet or phone-line connections. The aim is to prevent loss or distortion of the data at the scene of the crime (Moore 209). Another step should be taken to secure additional evidence that could be present at the scene of the crime. Such evidence may include floppy disks, manuals, paperwork and flash drives (Moore 220). Lastly, the investigator should prepare the evidence for transportation. The personnel logging the evidence should verify that the asset seizure log is complete and itemized and inform everyone before transporting it. The investigator can wrap up the evidence and preserve it for clear presentation during the court session (Moore 220).
How to perform investigation given digital evidence
The investigator makes observations and gathers information as the first step during the forensic examination. When verifying authenticity and integrity of the evidence, there is reprocessing that is intended to salvage any deleted data, extraction of embedded metadata, and handling of special files. Forensic practitioners form a hypothesis to give possible explanations for what they see in the digital evidence. The third step involves evaluating the hypothesis to come up with possible predictions that may be true, or false. The last step involves drawing conclusions and communicating the findings and once there a possible explanation that the event resulted to the crime, then the forensic practitioners can present their work to the judges (Casey 24).
Although investigative departments have tools that can help to track down digital crimes, invention and innovation of technology continue to challenge the forensic experts. Crime suspects have access to sophisticated equipment that enables them to commit fraud, transfer funds in a multinational company without detection by the security department. In order to reduce and prevent digital crime, the forensic practitioners should constantly update themselves with technology and get advanced training skills. Institutions with extensive bureaucratic structures should have a strong internal control system with experts who are well versed in digital forensics.