Free Computer/Digital Forensics Essay Sample
Although computer forensics is still a new discipline, it is growing quickly as a business. Its main objective is to carry out a comprehensive, structured examination in order to determine what happened on a computer system and who can be held responsible for the unwanted act. Computer fraud, in turn, is the main crime that computer forensics is used to combat.
As much as the spread of computers and networking has made the business world much easier, it has also greatly contributed to computer fraud. This crime translates into massive financial losses, because these 'thieves' are rarely satisfied with small amounts of money, and it affects individuals and businesses alike. Computer fraud has over time provoked a sharp reaction from society, even though the judicial system has not really done enough to curb the vice.
Issues likely to be faced in a typical fraud examination case
In any computer fraud case, whether it involves hacking into a computer network to gain access to vital information, tapping telephone lines using sophisticated computer software, or selling counterfeit or fake services and products over the internet, the investigator will come across a number of issues during the investigation.
Fraud examination requires integrating information and skills from a number of disciplines, for instance auditing, law, criminology, accounting and general investigation. Pollitt and Shenoi note that, unfortunately, fraud examination only begins after fraud is discovered or suspected, even though some cases go as long as two years before being detected.
Fraud examination consists of planning, field work, assessing the evidence and finally producing a comprehensive report. Regularly reviewing an organization's procedures and policies in order to identify weaknesses and prevent fraud is necessary. However, many organizations wait until they are hit by a fraud case before they start to address the problem.
Large volumes of valuable information can be collected as evidence during the investigation of a fraud case. In any investigation it is important to follow proper guidelines and procedures in order to succeed. Searching for information, whether in hard copy or soft copy, usually drains the resources of the defence teams; this is what wastes time and resources, which in turn slows the progress of a case.
Since the defence team is usually multidisciplinary and its members may not be in the same locality at any one time, sending sensitive data over electronic mail might be counter-productive.
A solution to this problem is the production and review of electronically stored evidence for litigation, commonly referred to as electronic discovery. The evidence might take the form of electronic mail, word-processor documents, databases and spreadsheets. The information can be retrieved from removable media such as flash disks and compact discs, as well as from hard drives, personal organizers, mobile phones or the personal computers of individual employees.
Goel states that electronic discovery involves scanning evidentiary documents and uploading them into the e-discovery software. This can take a number of days before the material is burnt onto a secondary storage device such as a DVD and handed to the defence team. The team is then in a better position to proceed with the examination, since lost data has been recovered by computer forensics. Such an initiative is only manageable for large firms, which will be able to realize its cost effectiveness, unlike small firms, which will find it very costly.
Detecting computer fraud is very difficult, since only a small percentage of cases come to light clearly. Even when the crime is detected, the chances of it being reported are very slim.
It is important that the investigator obtains information from the available evidence without interfering with its original condition. The originality of the evidence must therefore be maintained and protected throughout the investigation; only then is the evidence useful in the case.
It is common knowledge that sufficient skill is required when interacting with and preserving evidence in a fraud examination case. Computer science as well as traditional forensic skills are required. The evidence in question is volatile, hence the need for great care in handling it. The case is complicated by the fact that evidence can be obtained from any computing resource and at any level of operation, from low-level machine language up to metadata and beyond.
The ease of altering such evidence also increases the risk. Computer evidence in a fraud case can be interfered with without anyone's knowledge, which worsens the situation further.
Beyond being able to switch on a computer and use a web browser and a word processor, an investigator should have a clear understanding of the particular information system in question. He or she should be aware of computer security issues and have the necessary system administration skills.
Knowledge of the computer system, the functioning of computer networks, operating systems and databases in general is also vital. He or she should have a strong imagination and the skill to draw accurate conclusions as they relate to a specific fraud case. The tools used by a fraud case examiner are operating system utilities, special data recovery software, special editors, and billing and report trackers.
To preserve the evidence obtained from a system, one needs a preservation laboratory, which can be described as a conducive environment for processing and properly storing evidence. Such laboratories are equipped with, for example, Linux workstations, personal computers, tape backup systems, Ethernet networking, CD or DVD writing systems and removable devices, among others.
An investigator also requires a notebook in case he or she is away from the main laboratory and needs to make a record of some kind. A case management system to help the investigator keep information organized while in the field is also necessary; it will enable him or her to securely retrieve information when outside the main laboratory. Data encryption is highly recommended, in addition to strong authentication whenever someone needs to access the evidence. The software system intended to handle this evidence should be of good quality and reliable enough to ensure that the integrity of the evidence is protected and maintained.
The procedure of gathering, controlling and preserving evidence in a computer fraud case
As mentioned earlier, dealing with a fraud case involves planning, evidence gathering and reporting. Planning involves developing an audit program to schedule and identify the procedures necessary to acquire evidence. The procedures for gathering evidence are simply to observe, confirm, calculate, analyse, inspect and compare.
In other words, in the event of a cyber crime, the examiner should have the tools to perform a number of tasks: documenting, disconnecting the required parts of a system, and removing, packaging and finally transporting the digital evidence. The equipment needed to obtain the evidence should be prepared before the gathering exercise. Activities should be documented from collection through to storage of the evidence. Electronic evidence should not be exposed to magnetic sources, since it can be destroyed.
Pollitt and Shenoi state that in a typical fraud case, law enforcement officers confiscate computer systems upon issue of a warrant. Normally all hardware, manuals and software are taken as evidence. Any passwords that may have been written down somewhere near the computer should be taken into account. When there is no corporate policy covering the evidence, the specialists could be risking litigation against themselves and even the entire corporation.
In the case of encrypted files, it is wise for the investigator to check desks, tables and even calendars for written-down passwords. Utmost care should be observed when shutting down and transporting the computer. The computer should be detached from the power supply; an immediate break of power is still necessary even if the system uses a UPS. Keys should not be pressed carelessly, as this might interfere with the state of memory.
If the computer is still in use at the time the search warrant is executed, the operator should be removed from the crime scene. Several photographs of the computer should be taken so that its state before and after the seizure is well documented. The cables and the computer should also be properly labelled.
The time and date of gathering the evidence must also be recorded. The investigator has to consider evidence-destroying software that could be lurking on the computer. Evidence is found not only on storage devices but also in deleted files, emails, slack space, the Windows swap file and temporary internet files. For example, when a computer system boots up, it generates new files for that session and only brings back previous files much later, when the user needs them.
This means there is a possibility of overwriting files that previously existed. These fine details are vital during evidence gathering. Research has shown that a paranoid investigator tends to take precautionary measures that help protect the evidence: he or she always thinks that something could go wrong at any time, is therefore very careful with the evidence, and goes ahead to create a backup of it just in case.
In summary, the major steps in securing digital evidence in a computer fraud case are: properly shutting down the computer, recording the hardware configuration, moving the computer system to a safe place where it cannot be tampered with, making a backup of the existing storage media, authenticating the data on the storage media using mathematical procedures, identifying anomalies related to programs, storage media or files, recording the date and time of the system under investigation, making a comprehensive list of search words, evaluating the Windows swap file, file slack and deleted files, and knowing about the storage areas of the internet and e-mail.
In terms of controlling fraud, the employer should be keen to hire and retain honest employees, who should respect the company's rules, regulations and policies. The company, in turn, should be ready to show gratitude to honest employees, for example through vacations. Immediate investigation and prosecution of dishonest employees should be considered. Proper supervision of employees is necessary: as they take part in data processing tasks, they should be held responsible for any anomaly.
The internal control system should be up to date and effective in order to support reliable reporting. It is worth noting that control procedures are preventive: they work to curb fraud-related problems even before they happen.
Other practices that might help control fraud include employing well-trained staff. Jahankhani et al. recommend that proper segregation of duties and effective control of physical access to systems are equally important. Segregation of tasks among employees touches a number of areas, including computer operations, authorization of transactions, data control, maintenance of the file library, systems programming, and general systems analysis and programming.
When duties are separated, it is not easy for employees to misappropriate funds. Another measure is the use of well-designed documents, not forgetting authorization of instructions.
Another aspect of fraud control is known as detective control procedures. These include simple practices such as rechecking mathematical calculations, regular reporting of system performance, and verification of previously numbered documents. These procedures work to bring out the causes of fraud, correct the resulting errors, and make sure the system is up to date in anticipation of future problems.
Creating backups of original documents, files, data or information is another control measure. Internal audits should be considered to keep fraud in check; through this exercise, the respective audit controls are generated. Internal audit is concerned with reviewing the integrity of information, the controls in use to protect the organization's assets, the examination of employees and the efficiency of the organization in general. For these reasons an internal audit department is indispensable.
The types of evidence that need to be preserved include computer system log files, such as logs of both failed and successful logins, website hits, error logs, physical access logs and access logs. Other types include email and phone communication, data on electronic storage media, and documents in hard copy.
To preserve evidence, the evidence cycle must be taken into consideration. It is made up of a number of phases: recognition and gathering, analysis, storage, preservation, transport and finally presentation. The evidence should not be tampered with in any way and should therefore be handled and protected properly. Private information should remain private, as in the case of communication between a client and his or her attorney. Another scenario is where particular information requires a warrant, in which case one must be obtained as required.
Pollitt and Shenoi assert that when booting up a computer system, one should not boot from the hard drive being investigated for evidence. Instead, one should boot from other media, or connect the drive to another computer as a slave to the original hard drive and retrieve the information from there. Write-protection software should be used at all times. The hard drive under investigation should only be used for backing up, by creating a copy of it.
Jahankhani et al. suggest that a mirror image of the suspect hard drive can be created without worry, since imaging of this kind is not likely to tamper with the original evidence. Afterwards the hard drive should be sealed and the duplicates used instead. Imaging tools fall into two groups: hardware and software.
The hardware consists of slave or clone drives, optical drives, disk duplicators, network servers, tape drives and removable media. The software tools include SafeBack, EnCase, Teledisk, Norton Ghost, Byte and Linux "dd". Imaging software is meant to produce an exact duplicate of the original. Another function is file system authentication.
The chain of custody that needs to be maintained and the evidence lifecycle that needs to be followed
A chain of custody is a tool used to protect the evidence retrieved in a computer fraud case; it is used to show that the evidence has not been interfered with by the investigator. When a proper chain of custody is not followed, the integrity and authenticity of that evidence is at stake.
The chain of custody is concerned with a number of questions that the investigator has to answer while handling the evidence; answering them generates the chain of custody. Its components are: who obtained the evidence, where and when it was found, who secured the evidence, the method used to secure it, who was responsible for controlling the evidence, and who gained access to and handled it. In general, the fewer the custodians who are expected to testify, the better.
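The imaging and hash authentication described above (a bit-for-bit image of the suspect drive, the original hashed before and after, the image hashed and checked) together with a chain-of-custody record of who held the evidence, where, when and with what hash, as an added Python example that is not from the essay or the authors it cites. The "drive" contents, custodian names and locations are constructed for the demonstration; real imaging would run against a write-blocked device rather than a file.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # read in 64 KiB blocks so a large image need not fit in memory

def sha256_file(path: str) -> str:
    """Hash a file in chunks; this is the 'mathematical authentication' of the media."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_device(source: str, image: str) -> dict:
    """Bit-for-bit copy of source into image (what the essay describes dd doing).
    The source is hashed before and after the copy so any change to the original shows up."""
    before = sha256_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    after = sha256_file(source)
    digest = sha256_file(image)
    return {"source_before": before, "source_after": after, "image": digest,
            "verified": before == after == digest}

def custody_entry(custodian: str, location: str, action: str, digest: str, when=None) -> dict:
    """One link of the chain: who, where, when, what was done, and the hash seen at that point."""
    return {"custodian": custodian, "location": location, "action": action,
            "sha256": digest, "time": (when or datetime.now(timezone.utc)).isoformat()}

def verify_chain(chain: list, current_digest: str) -> bool:
    """Every custodian must have recorded the same hash, and it must still match the image now."""
    return bool(chain) and all(entry["sha256"] == current_digest for entry in chain)

def demo() -> tuple:
    """Image a constructed 'drive', pass it between two custodians, then simulate a tamper."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "suspect.bin"), os.path.join(d, "suspect.dd")
        with open(src, "wb") as f:  # constructed sample drive contents, not real evidence
            f.write(b"INVOICE 4711 paid to ACME " * 4096 + b"\x00" * 1024)
        result = image_device(src, img)
        chain = [custody_entry("A. Examiner", "lab bench 2", "imaged drive with dd", result["image"]),
                 custody_entry("B. Analyst", "lab bench 3", "received image", sha256_file(img))]
        ok_before = verify_chain(chain, sha256_file(img))
        with open(img, "r+b") as f:  # one byte altered: the integrity check must now fail
            f.seek(10); f.write(b"X")
        ok_after = verify_chain(chain, sha256_file(img))
    return result["verified"], ok_before, ok_after

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```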
As mentioned earlier, in order to ensure that the evidence related to a case is preserved and its integrity maintained, the evidence cycle must be taken into consideration. It is made up of a number of phases: recognition and gathering, analysis, storage, preservation, transport and finally presentation.
Computer forensics is a growing discipline, since fraud cases are here to stay and fraudsters get sharper by the day. This calls for continuous training of fraud investigators so that they remain up to date on computer crime. Regular audits must be carried out in order to prevent fraud before it jeopardizes the normal functioning of an organization. Simple tips that work towards preventing fraud should be embraced.
An operator should be encouraged to delete emails from unknown sources and to be wary of pop-up messages; he or she should not respond to them but ignore them. As a further email precaution, one should always use secure mail for sensitive issues.
Other online practices that should be encouraged include knowing whom one is dealing with, installing competent anti-virus and anti-spyware software, and receiving credit card statements online, among others. Proper record keeping contributes greatly to the success of a computer fraud case. When handling evidence, it is important to keep up-to-date documentation in addition to using comprehensive procedures for processing the evidence.