49 research outputs found

    Computer Forensics: The Issues and Current Books in the Field

    Computer crime investigation is a multidisciplinary profession and almost no one today has been trained purely as a computer forensic analyst. Toward that end, investigators need professional reference guides and texts that cover the major points of computer forensics. In this article, we discuss some broad issues related to forensic computing and include a review of four texts on the subject: Computer Forensics: Incident Response Essentials, Warren G. Kruse II & Jay G. Heiser; Computer Forensics & Privacy, Michael Caloyannides; Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, edited by Albert J. Marcella Jr. & Robert S. Greenfield; Handbook of Computer Crime Investigation, edited by Eoghan Casey

    On the complexity of collaborative cyber crime investigations

    This article considers the challenges faced by digital evidence specialists when collaborating with other specialists and agencies in other jurisdictions when investigating cyber crime. The opportunities, operational environment and modus operandi of a cyber criminal are considered, with a view to developing the skills and procedural support that investigators might usefully consider in order to respond more effectively to the investigation of cyber crimes across State boundaries

    Forensic course development

    In recent years, digital technology has experienced dramatic growth. Many of these advances have also provided malicious users with the ability to conceal their activities and destroy evidence of their actions. This has raised the need of developing specialists in computer digital forensics -- the preservation, identification, extraction and documentation of evidence stored in the form of digitally encoded information (data). In this paper, we present the procedures and rationale used in the development of forensic courses at both the undergraduate and the graduate levels. We also demonstrate our decision making process of selecting topics included in each course

    La investigación policial en el ámbito de la informática

    Police investigation in computing takes place when a computer, or a computer process, is implied in a crime, as a means or as a victim. This kind of crime requires the existence of a physical or logical access to a computer system, and the subsequent investigation will focus on direct or indirect evidence. Therefore, requirements for an effective police investigation in computer crimes are: the existence of an allegedly criminal proved event, establishing a crime scene, and protecting existing evidence

    Tracing Forensic Artifacts from USB-Bound Computing Environments on Windows Hosts


    Computer Forensics Field Triage Process Model

    With the proliferation of digital based evidence, the need for the timely identification, analysis and interpretation of digital evidence is becoming more crucial. In many investigations critical information is required while at the scene or within a short period of time - measured in hours as opposed to days. The traditional cyber forensics approach of seizing a system(s)/media, transporting it to the lab, making a forensic image(s), and then searching the entire system for potential evidence, is no longer appropriate in some circumstances. In cases such as child abductions, pedophiles, missing or exploited persons, time is of the essence. In these types of cases, investigators dealing with the suspect or crime scene need investigative leads quickly; in some cases it is the difference between life and death for the victim(s). The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field approach for providing the identification, analysis and interpretation of digital evidence in a short time frame, without the requirement of having to take the system(s)/media back to the lab for an in-depth examination or acquiring a complete forensic image(s). The proposed model adheres to commonly held forensic principles, and does not negate the ability that once the initial field triage is concluded, the system(s)/storage media be transported back to a lab environment for a more thorough examination and analysis. The CFFTPM has been successfully used in various real world cases, and its investigative importance and pragmatic approach has been amply demonstrated. Furthermore, the derived evidence from these cases has not been challenged in the court proceedings where it has been introduced. The current article describes the CFFTPM in detail, discusses the model’s forensic soundness, investigative support capabilities and practical considerations

    Comprehensive forensic examination with Belkasoft evidence center

    The enhancement and proliferation of information and communication technology (ICT) has tackled every aspect of human activity: work, leisure, sport, communication, medicine, etc. All around us we can see mobile phones and other connected devices that are now ubiquitous, changing trends in consumer behaviour. Therefore, there is no surprise in fact that such technologies can play a significant role in committing or assisting a crime, since data held on digital devices can give a detailed insight into people’s lives, communications, contacts, friends, family and acquaintances. In order to help law enforcement investigation of such crimes, digital forensic is performed with the aim of collecting crime-related evidence from various digital media and analyse it. Investigators use various forensic techniques to search hidden folders, retrieve deleted data, decrypt the data or restore damaged files, etc. Obtaining evidence such as location data, photos, messages or internet searches can be beneficial, if not crucial, in assisting the police with criminal investigations. Since advances in technologies have led to an increase in the volume, variety, velocity, and veracity of data available for digital forensic analysis, without efficient techniques and tools such investigation would require a tremendous amount of effort and time. That is the reason for expansion in the market of digital forensic tools, both proprietary and free for use, that are available today. In this paper an insight of digital forensic process is given, emphasizing the role of digital forensic tools in providing digital evidence. The possibility of one particular tool, Belkasoft Evidence Center – BEC, in acquisition and analysis of digital evidence was briefly described

    Paper Session II: Computer Forensics Field Triage Process Model

    With the proliferation of digital based evidence, the need for the timely identification, analysis and interpretation of digital evidence is becoming more crucial. In many investigations critical information is required while at the scene or within a short period of time - measured in hours as opposed to days. The traditional cyber forensics approach of seizing a system(s)/media, transporting it to the lab, making a forensic image(s), and then searching the entire system for potential evidence, is no longer appropriate in some circumstances. In cases such as child abductions, pedophiles, missing or exploited persons, time is of the essence. In these types of cases, investigators dealing with the suspect or crime scene need investigative leads quickly; in some cases it is the difference between life and death for the victim(s). The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field approach for providing the identification, analysis and interpretation of digital evidence in a short time frame, without the requirement of having to take the system(s)/media back to the lab for an in-depth examination or acquiring a complete forensic image(s). The proposed model adheres to commonly held forensic principles, and does not negate the ability that once the initial field triage is concluded, the system(s)/storage media be transported back to a lab environment for a more thorough examination and analysis. The CFFTPM has been successfully used in various real world cases, and its investigative importance and pragmatic approach has been amply demonstrated. Furthermore, the derived evidence from these cases has not been challenged in the court proceedings where it has been introduced. The current article describes the CFFTPM in detail, discusses the model’s forensic soundness, investigative support capabilities and practical considerations