With the passage of time and advances in technology, our digitized nation has become, and will continue to become, more dependent on computers, which we use in our daily lives at school, at work, and for personal purposes. Judging from past trends, it is safe to predict a rise in crimes committed with computers. Criminals today put a strain on computer forensic examiners, because few crimes are committed without the involvement of a computer or some other computing device. Increasingly sophisticated and portable hardware and software, along with wireless technology, broaden the definition of a computer, but for this research the subject is limited to the personal computer.
Because technology is constantly evolving, and the definition of what is considered evidence is updated along with it, proper training and education are necessary. It is imperative to examine crimes in which computers play a role, and essential to find any potential evidence located on the digital media. The charge against a person accused of an offense can be weakened if the investigation fails to find such evidence. This is why it is imperative to create, build, and improve national standardization and certification for the computer forensics field.
The Statement of the Problem
The definition of computer forensics varies slightly from author to author. One commonly cited definition describes computer forensics as "the acquisition, examination, and reporting of information found on computers and networks that pertain to a criminal or civil investigation" (Kessler, 2005). Computer forensics is becoming increasingly important because of the growth of crime involving computers and the Internet. Although such a trend is difficult to control completely, computer forensics technologies and applications give law enforcement and other agencies the tools they need to assist in crime investigations.
Computer forensics is used effectively in solving cybercrimes; however, its use reaches far beyond that. Many criminals who engage in more sinister crimes (such as murder, kidnapping, sexual assault, and terrorism) also keep incriminating information on their computers, and recovering that evidence often provides law enforcement with crucial discoveries during investigations. Numerous real-life crimes have been solved through computer forensics, and its significance continues to increase as technologies develop. However, computer evidence does not always provide the solid traces of information needed to prosecute a criminal, because data stored on a computer is volatile and virtual in nature. Proper processing of computer evidence is essential to establishing the credibility of evidence collected from computers and peripherals, and it is the responsibility of computer forensics experts to ensure that the evidence is valid, uncorrupted, and unquestionable.
Why research this topic
During a computer investigation, the computer system suspected of holding possible evidence must be properly handled by a professional. The investigator must create a copy or true image (bit stream) of the original media, which is inspected later in the process for crucial evidence. When inspecting the copy, the investigator looks for specific expressions or key words to establish whether any vital digital evidence exists or has been deleted. Incriminating digital evidence can relate to many kinds of matters, such as racial discrimination, sexual discrimination, stock fraud, blackmail, and numerous others. To promote a fast turnaround time, computer forensic professionals have the aid of commercial software packages like X-Ways Forensics and EnCase, and several other commercial and open source utilities. Unfortunately, not following these steps precisely can lead to the loss of the evidence itself, and therefore it is important to create, build, and improve the methods of performing well-organized searches in order to trace evidence.
A current study of the computer forensics field is important for the future not only of the field itself and of law enforcement, but also of the legal system and everyone else who uses a computer. Today, in our digital nation, we are becoming more dependent on technology and its many kinds of devices. This has led investigators to ask themselves what type of computer crime has happened, what is considered evidence, and how to handle it.
As time and technology progress, computer forensics is a very important factor in the war on computer crime in our nation. Most of the readings suggest that, for the courts to properly consider computer forensics a scientific discipline, there has to be proper education, training, and testing for adequate certification. The readings date from 2000-2010, with a majority of them from 2004-2006. There has been improvement in recent years in developing a unified national approach in undergraduate and graduate programs.
Computer forensics is a relatively new field and discipline in the private sector compared to other forensic sciences. Computer forensics is the science of acquiring, preserving, identifying, extracting or retrieving, and documenting computer evidence that has been processed by electronic means and stored on a computer, without altering any of the data in the process. Our rapidly evolving technology has led the term computer forensics to be used interchangeably with digital forensics, which expands the definition to include PDAs, cell phones, and other portable devices. When conducting a forensic investigation involving computer evidence, the investigator must perform particular procedures to guarantee successful evidence collection. The evidence collected can be useful in civil disputes, criminal cases, computer system break-ins, data recovery, and human resources/employment proceedings. As our homes, workplaces, and organizations become more integrated with information technology and the Internet, we also have to take the human element into consideration as a factor. This is why current research is needed to tailor computer forensics programs to keep up with advanced criminals.
In order to prepare for the future we need to look to the past and try to figure out how we got here and how to fix some of the problems. "Technological progress is like an axe in the hands of a pathological criminal." (Albert Einstein) Technology changes, and so do the words that explain it, but the motives and emotional needs that drive criminal behavior remain unchanged. With this in mind we need to understand the intentions of the inventors of the computer and the Internet. Before the invention of personal computers and the Internet, these technological tools were used exclusively by scientific leaders and the military, and were located either on military bases or on major university campuses. Half a century ago, the technology we use today might have seemed like science fiction. The first general-purpose electronic computer was the ENIAC, the Electronic Numerical Integrator And Computer. The intention of its creators was to design a machine with mathematical power for computing. The United States Department of Defense began funding ARPA (the Advanced Research Projects Agency), and in 1969 the Internet's first long-distance electronic communication was made. The intention of its creators was to create an instrument that would guarantee an infrastructure between military installations.
The goal of computer forensics is to recover and preserve digital evidence and to understand as much information about the data as possible. A computer forensics examiner is needed after the fact, once electronic information has been altered, deleted, or stolen in a computer crime. As with any other type of crime, the criminal leaves behind traces of their activity, and these traces are the smoking gun that leads to prosecution in the court system. A computer forensics specialist is more than a computer expert; they must know how to perform complex evidence recovery procedures effectively. These procedures include data duplication/preservation, data seizure, data recovery, document searches, expert witness services, media conversion, computer evidence service options, and miscellaneous services.
A computer forensic examiner must follow federal guidelines for data seizure. One course of action, under the Federal Rules of Civil Procedure, allows a representative to examine and duplicate designated documents or data compilations that may include evidence. When data is duplicated or preserved, the main concern is that the data must not be altered in any way. Data recovery is performed using dedicated computer forensics tools to safely recover and analyze evidence. A document search requires the ability to understand storage technology and to perform a search with speed and efficiency. Media conversion is the ability to find and cross-examine data from the source or an unreadable device, extract the data, and convert it into readable formats. Part of being a computer forensic specialist is, at times, to be an expert witness and explain complex technical processes in an easy-to-understand manner. The levels of service that should be offered include on-site, standard, emergency, priority, and weekend services. Other miscellaneous services include analysis of computers and data and on-site seizure in criminal investigations. The ability to work on both PC and Mac operating systems and a fast turnaround time are also advantages.
Overview of Computer Crime
Today criminals are usually one step ahead of law enforcement agencies; they have the knowledge to use computers to their gain and the ability to cover their tracks. Since technology is constantly changing, definitions quickly become outdated as new definitions extend computer crime to new offenses. However, computer crime can generally be divided into four categories: criminal activity that uses a computer as an instrument to commit a crime; criminal activity that has a computer as its target, such as hacking into it; criminal activity in which the computer was unintentionally part of the crime; and crimes frequently associated with the use of computers. With this new definition, computer crimes in 2009 increased 22% from 2008.
The computer as an instrument of a crime
When a criminal uses a computer as an instrument in a crime, we can think of it in the same way as a burglar using a crowbar or lock picks as an instrument to enter a house. For this research, when a computer is used as an instrument of a crime, the criminal's objective is to obtain data in order to commit fraud, theft of service, harassment, and other illegal activities through a network, by copying data rather than deleting it. Theft is when a criminal unlawfully takes and carries away property or a service without the permission of the owner. The property and services can range from personal/private information, financial information, security information, and human resources information to Internet access and trade secrets. With the stolen property or services the criminal can produce false identification, reproduce copyrighted material, and distribute child pornography, among other types of crimes. Another use of a computer is writing letters or e-mails to threaten, harass, or stalk individuals.
Computer as a target
When a criminal targets a computer as part of the crime, they launch an attack on computers or networks, trying to deny service by denying the rightful user access to their own computer system or data. Another attack could be to damage or alter the computer system or data by browsing through valuable information stored or saved on the computer. A vandalized computer is also considered a computer as a target, because the valuable information stored in it is denied to the rightful owner.
The computer as incidental to a crime
At a crime scene a computer can be seen as a subsidiary tool of a crime when criminals use the computer to simplify their transactions. These crimes could happen without technology, but the computer assists the criminal in transactions that might involve child pornography, money laundering, leads to other crimes, and other criminal information. This computer crime evidence could include the names of victims, associates, and clients, and perpetrators' personal information.
Crimes associated with the prevalence of computers
Technological advances have created new targets for conventional crimes, and those targets are in industry. This includes academic property, software piracy/counterfeiting, copyright infringement of computer programs, black-market computer equipment, counterfeit equipment and programs, identity theft, and theft of technological equipment. The most common form of this crime is piracy, the copyright infringement of commercial software.
COMPUTER FORENSICS SERVICES
Today there are television shows that portray crime scene investigation using computer forensics, and they give the audience a small glimpse into the world of computer forensics. In reality computer forensics is meticulous work, and the shows leave out all the details of the process. Computer forensics today is based on a theory of trace evidence, and this theory is built upon the development of forensic science. One of the motivating figures in the development of forensic science was the 20th century forensic scientist Edmond Locard, whose theory is called the Locard Exchange Principle.
The Locard exchange principle states that there will always be an exchange when two items come into contact: the contact brings something into the scene of the crime and leaves something behind in the scene, therefore leaving a trace of evidence. Trace evidence may be a small yet important piece of information found in a computer, but it alone is not enough to make a case. Trace evidence might, however, be the smoking gun that leads to a successful outcome in a court case. No matter how well criminals try to cover their tracks, in today's society a computer connected to a wired or wireless network leaves traces of stored data to be found. This is where the skills and services of a computer forensics specialist come in handy.
This is where computer forensic specialists and self-proclaimed computer experts are divided into separate groups. The field of computer forensics is vital to law enforcement agencies, because its procedures for protecting and presenting evidence in court follow the requirements of the judicial system. There are plenty of computer experts who know how to search through files, point, click, copy, and make directory listings, but a computer forensics specialist does more than this. A computer forensics specialist must be familiar with, and understand in detail, how file systems are created, accessed, deleted, and changed. With training and experience, a computer forensics specialist understands the methods and techniques for securing and acquiring evidence in a legal manner without altering it.
Just like any other type of evidence, digital evidence comes with some difficulty. So why go through the trouble of collecting it? Because if we don't try to figure out who committed the crime, why they did it, and how, then we will never be able to stop them or anyone else from committing a crime again. This is why trying to recover all possible deleted files is crucial. Areas to look for evidence include the hard drive, page files, temporary or swap files, and unallocated space. When collecting evidence in this step, no changes or modifications may be made to the evidence, or else it will be considered inadmissible.
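As an added illustration that is not part of the original essay, the Python example below searches the raw bytes of an image for key words, which is how a hit can surface in swap files or unallocated space that a file listing never shows. The function names, the key word, and the sample bytes are constructed for this example; it checks both ASCII/UTF-8 and UTF-16LE encodings and handles key words that straddle a read boundary.

```python
import io

# Constructed sample "image": an ASCII hit that straddles a 16-byte read
# boundary (offset 12) and an upper-case UTF-16LE hit (offset 40).
SAMPLE = (b"\x00" * 12 + b"Transfer" + b"\xff" * 20
          + "TRANSFER".encode("utf-16-le") + b"\x00" * 8)


def patterns_for(keyword):
    """Byte patterns for one key word: ASCII/UTF-8 and UTF-16LE (common on Windows)."""
    lowered = keyword.lower()
    return {"utf-8": lowered.encode("utf-8"),
            "utf-16le": lowered.encode("utf-16-le")}


def search_image(stream, keywords, chunk_size=1 << 20):
    """Return sorted (offset, keyword, encoding) hits from a raw image stream."""
    pats = [(kw, enc, p) for kw in keywords for enc, p in patterns_for(kw).items()]
    # Carry the last (longest pattern - 1) bytes into the next read so a
    # key word split across two reads is still found.
    overlap = max(len(p) for _, _, p in pats) - 1
    hits = set()          # a set, because the overlap region is scanned twice
    tail = b""
    base = 0              # absolute offset of the first byte of `window`
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        window = tail + block
        haystack = window.lower()   # bytes.lower() folds ASCII letters only
        for kw, enc, p in pats:
            pos = haystack.find(p)
            while pos != -1:
                hits.add((base + pos, kw, enc))
                pos = haystack.find(p, pos + 1)
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits)


def demo(chunk_size=16):
    """Search the constructed sample; the stream is only ever read."""
    return search_image(io.BytesIO(SAMPLE), ["transfer"], chunk_size)


if __name__ == "__main__":
    for offset, kw, enc in demo():
        print(f"offset {offset}: {kw!r} ({enc})")
```

The byte offsets it reports are positions in the image, so each hit can be documented and revisited without touching the original media.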
When a proper warrant is issued, data from a recovered system must be protected and left unaltered in any way. The computer forensic specialist should pay close attention to this step in trying to avoid the notorious "Murphy's Law". To avoid a mishap, an exact duplicate copy should be made at this point in order to preserve the best evidence, the original evidence. One of the most effective ways to back up is the use of bit stream image back-ups. This method copies and preserves all data enclosed in a partition, logical drive, or physical drive of the hard drive. Another thing to think about when preserving digital evidence is where to save it, which depends on the investigator and the organization they work for.
The person conducting the investigation and analyzing the evidence must be able to guarantee that the conclusions reached came from the evidence and were not in any way the result of contamination or error. One area that the computer forensic specialist can control is making sure hardware and software are working properly. They can also make sure their equipment is up to date, verify licenses, and know how to use the equipment. A vital step in conducting analysis is creating a "hash" value. The hash value is created with software that produces a unique mathematical value, like a digital fingerprint.
The documentation process is crucial in the field, because if one mistake is made in the reporting of evidence, then any other evidence could be questioned. Once the evidence has been identified, everything encountered should be recorded with a digital camera, video camera, pen and paper, or a combination of these. Once this is done, all evidence must be labeled, including any devices attached to the computer along with the ports and wires connecting them. If a computer forensics investigator testifies in a court case, the documentation will help the investigator jog their memory.
In conclusion, following these steps is crucial in computer forensics because it builds stronger methods over time. Experience and training with software can result in better search techniques and a faster turnaround time. There is a need for a current study to identify future trends and concerns in the judicial system on the subject of digital evidence and computer forensics. With the data gathered on future trends, schools and the computer forensics field can educate and train future forensic investigators in current and proper techniques to keep up with criminals.
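The acquisition and hash check described above, as an added Python example (not from the original essay or from any forensic product): it copies a source byte for byte, hashes the stream with SHA-256, re-hashes the written image, and shows that a single altered byte changes the value. The file names and sample data are constructed, and a small file stands in for the seized media.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size only; the hash covers the whole stream


def hash_file(path, algo="sha256"):
    """Hash a file in chunks so images larger than RAM can be processed."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy every byte of source to image; return (source_hash, image_hash)."""
    h = hashlib.sha256()
    # The source is opened read-only; "xb" refuses to overwrite an existing image.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    # Re-read the image from disk rather than trusting what was written.
    return h.hexdigest(), hash_file(image)


def verify_image(image, recorded_hash):
    """True only if the image still matches the hash recorded at acquisition."""
    return hash_file(image) == recorded_hash


def demo():
    """Constructed sample: returns (hashes_match, intact_ok, altered_ok)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.img")
    with open(source, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed sample sector" + b"\xff" * 4096)
    src_hash, img_hash = acquire_image(source, image)
    intact = verify_image(image, src_hash)
    # Simulate contamination: change a single byte of the working copy.
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"\x01")
    altered = verify_image(image, src_hash)
    return src_hash == img_hash, intact, altered


if __name__ == "__main__":
    print(demo())
```

Recording the acquisition hash in the case notes is what lets a later re-hash demonstrate that the working copy has not changed.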