Handling of evidence is arguably the most essential part of digital
forensics. As a digital forensic expert, you need to understand that one of the
recent changes in handling digital evidence is the shift from "pulling the plug"
to collecting "live" evidence from the suspect's computer[1].
You also need to understand that in the modern computer era there are
applications and data that cannot be found on the computer's hard drive,
because data may be stored on USB sticks or external storage; hence, as a
digital forensic expert, you have to check for all storage media attached to the
computer before searching for evidence in RAM or on the hard drive. There are
now applications, such as malware and popular web browsers, that can hide data
and keep it undetectable to the operating system; hence, analysis of memory
must be done using trusted local tools or binaries[2].
Cohen (n.d.) enumerated the locations in a computer or other digital source that
may hold documentary evidence and should be examined during a search. These
include the CPU's cache and register contents, the routing table (ARP cache),
memory, temporary file systems, data stored on the hard disk, remotely logged
data, and data stored on archival media.
Before any form of evidence is collected, a search and seizure warrant must have
been issued. Any digital forensic investigator should first seek authorization
from the appropriate authorities before conducting any intrusion into a
computer[3].
The person who executes the seizure of digital evidence must also be
knowledgeable about the three laws governing digital forensics, namely the
Wiretap Act, the Pen Register and Trap and Trace Devices Statute, and the Stored
Wire and Electronic Communications Act[4].
The digital forensic expert must then follow these steps to ensure the
preservation and proper collection of evidence[5]:
a) Take a picture of the computer and the entire scene.
b) Do not turn off the computer if it is on, and make sure to photograph the screen.
c) Collect all live data, and acquire a logical image if disk encryption is in use.
d) Unplug the computer or laptop, and diagram and label all cords.
e) Pack all components, including data storage, in anti-static evidence bags.
f) Make sure that all components are kept away from magnets and radio transmitters.
g) Check that all seizure steps are well documented.
To further secure the collected data, the digital forensic expert should use only trusted local tools or binaries so as not to damage the evidence, should minimize the impact on the system, and should keep thorough records of the system logging performed[6].
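As an added example (not part of the original post), a small Python evidence log that ties together two points made above: it refuses to record an artifact gathered with a binary whose hash does not match a trusted manifest prepared before the seizure, and it checks that artifacts were taken in the volatility order Cohen lists. The manifest format, the category names and the `examiner` field are assumptions for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Order of volatility as enumerated on the page (most volatile first).
VOLATILITY_ORDER = [
    "cpu_cache_registers", "arp_routing_table", "memory",
    "temp_filesystem", "disk", "remote_logs", "archival_media",
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tool_is_trusted(tool_name: str, tool_bytes: bytes, manifest: dict) -> bool:
    """A tool is trusted only if its hash matches the known-good manifest
    built before the seizure (hypothetical format: {tool_name: sha256})."""
    return manifest.get(tool_name) == sha256_hex(tool_bytes)

def record_artifact(log: list, category: str, artifact: bytes,
                    tool_name: str, tool_bytes: bytes, manifest: dict,
                    examiner: str) -> dict:
    """Append one collection record; refuse to log evidence gathered with
    an unverified binary so the failure is visible rather than silent."""
    if category not in VOLATILITY_ORDER:
        raise ValueError(f"unknown evidence category: {category}")
    if not tool_is_trusted(tool_name, tool_bytes, manifest):
        raise ValueError(f"tool {tool_name} does not match trusted manifest")
    entry = {
        "seq": len(log) + 1,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "category": category,
        "artifact_sha256": sha256_hex(artifact),
        "artifact_size": len(artifact),
        "tool": tool_name,
        "tool_sha256": sha256_hex(tool_bytes),
        "examiner": examiner,
    }
    log.append(entry)
    return entry

def collected_in_volatility_order(log: list) -> bool:
    """True if no artifact was taken after a less volatile one."""
    ranks = [VOLATILITY_ORDER.index(e["category"]) for e in log]
    return ranks == sorted(ranks)

def verify_artifact(entry: dict, artifact: bytes) -> bool:
    """Re-hash a preserved artifact and compare it with its record."""
    return sha256_hex(artifact) == entry["artifact_sha256"]
```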