What is Computer Forensics?
Computer forensics is the investigation of computer crimes with the objective of identifying and prosecuting the perpetrator. It involves the collection, examination and safeguarding of information from and related to computer systems that can be used to pinpoint and prosecute the perpetrator. For this information to be admissible in a court of law as evidence, standard computer forensics methods must be used to protect the integrity of that evidence.
Because information that is stored on the computer is in digital format, there are particular challenges involved in the investigation of computer crimes. Investigators and prosecutors have a compressed time frame to conduct their investigation and may impose upon the normal business procedures of an organization. When gathering evidence, there might be complications in obtaining key information as it might be stored on the same computer as data needed for the normal conduct of business.
Categories of Evidence in Computer Forensics
To be admissible in a court of law, the evidence must have relevance and be legally permissible, reliable, correctly identified, with its integrity preserved. The gathering, overseeing, and preservation of evidence are priorities.
The evidence gathered at a computer crime scene is usually intangible and susceptible to easy alteration without being traceable. Because of this risk, evidence must be handled carefully and properly monitored throughout the evidence life cycle, which entails the evidence gathering and application process. This includes the discovery and recognition, protection, recording, collection, identification, preservation, transportation, presentation in a court of law, and the return of evidence to the owner. The gathering of evidence could also include collecting all relevant storage media, obtaining an image of the hard disk before cutting power, taking and printing a screen shot, and avoiding degaussing equipment.
Preservation of evidence includes archiving and logging all information related to the computer crime until investigation procedures and legal proceedings are completed; safeguarding magnetic media from deletion, storing evidence in the appropriate environment both onsite and offsite, and defining, documenting, and following a strict methods for securing and accessing evidence both onsite and offsite.
Evidence gathered for a court of law falls into different categories, such as:
- Best evidence, the originating or source evidence rather than a copy or duplicate of the evidence.
- Secondary evidence, a replication of the evidence or oral description of its contents and is not as solid as best evidence.
- Direct evidence, which proves or disproves a specific act through oral testimony based on information gathered firsthand by a witness.
- Conclusive evidence, considered incontrovertible evidence that trumps all other categories of evidence.
- Opinions, a category that can be divided into two types:
- Expert opinions, which can offer an opinion based on personal expertise and facts.
- Non Expert opinions, which can testify only as to facts.
- Circumstantial evidence, inferences of information from other, intermediate, relevant facts.
- Hearsay evidence, evidence obtained from another source outside of firsthand information. Hearsay evidence is considered weak information and generally not admissible in court. Computer-generated records and other business records are considered hearsay evidence because the information can’t be proven as implicitly accurate and reliable. However, there are certain exceptions when considering records as evidence:
- Made during the regular conduct of business and authenticated by witnesses familiar with their use
- Relied upon in the regular course of business
- Made by a person with knowledge of the records
- Made by a person with information transmitted by a person with knowledge
- Made at or near the time of occurrence of the act being investigated
- In the custody of the witness on a regular basis
Chain of Custody
Because of the critical nature of evidence, it is crucial that its continuity be preserved and documented. A chain of custody, also referred to as a chain of evidence, must be produced to show how the gathered evidence went from the crime scene to the courtroom. Policies and procedures dealing with the management of evidence must be followed.
Evidence management starts at the crime scene. When a crime scene is being processed, each piece of evidence must be sealed inside an evidence bag that has two-sided tape that allows it to be sealed shut. Each evidence bag must be tagged identifying the evidence and be marked with a case number, the date and time the evidence was secured, the name of the investigator who discovered the evidence, and the name or badge number of the person who obtained the evidence.
An evidence log should also be created. Information contained in the log should include a description of each piece of evidence, serial numbers, identifying marks or numbers, and other information that is required by policy or local law. This log also specifies chain of custody, chronicling who was in possession of the evidence after it was initially tagged, transported, and locked in storage, and which individuals had access to the evidence while it was held in storage.