How to conduct a forensic investigation


By Muthoga Kioni

The process of obtaining and processing computer evidence and taking suspects to court is usually long and expensive. It has four stages: acquisition, identification, evaluation and presentation of evidence.

The acquisition stage is mainly concerned with securing the device and its data. This is where the digital device that was involved in a cyber crime is seized. A record is made of the location where it was found. For example, an external hard disk that was hidden under a pile of newspapers provides a clue about the intent of the suspected offender.

During this stage data must be copied from the original hard disk through a write-blocking device. The write-blocker sits between the offender's disk and the investigating computer and passes read commands while blocking all write commands, so nothing on the original disk is altered. The copy should be a bit-for-bit image of the whole disk, and a cryptographic hash of the original disk and of the image should be recorded at the time of copying; matching hashes are what later lets the investigator show that the image is identical to the seized disk.
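The acquisition step above, written out as an added example (it is not from the article): a source "disk" is imaged block by block and hashed before and after the copy, with every action written to a contemporaneous log. The source is a constructed 1 MiB file standing in for a write-blocked device such as /dev/sdb; the paths, the log format and the operator name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. Images a source disk with dd,
# hashes source and image, and keeps a timestamped acquisition log.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/suspect_disk.img"   # constructed stand-in for the write-blocked device
IMG="$WORK/evidence.dd"        # forensic image on the investigator's computer
LOG="$WORK/acquisition.log"    # contemporaneous notes (assumed format)

# Constructed sample "disk": 1 MiB of random bytes, a whole number of 4096-byte blocks.
dd if=/dev/urandom of="$SRC" bs=4096 count=256 2>/dev/null

sha256_of() { sha256sum "$1" | cut -d ' ' -f1; }

note() {
    # One log line per action: UTC timestamp, operator (assumed name), action taken.
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${OPERATOR:-investigator}" "$*" >> "$LOG"
}

acquire() {
    note "hash source before imaging"
    SRC_BEFORE=$(sha256_of "$SRC")
    note "source sha256 $SRC_BEFORE"
    # noerror,sync: keep going past unreadable blocks and pad them with zeros so
    # that every byte in the image stays at its original offset. The source size
    # must be a multiple of bs, otherwise the tail is padded and the hashes differ.
    note "dd if=$SRC of=$IMG bs=4096 conv=noerror,sync"
    dd if="$SRC" of="$IMG" bs=4096 conv=noerror,sync 2>/dev/null
    SRC_AFTER=$(sha256_of "$SRC")
    IMG_HASH=$(sha256_of "$IMG")
    note "source sha256 after imaging $SRC_AFTER"
    note "image sha256 $IMG_HASH"
}

verify_acquisition() {
    # The source must be unchanged by the read (write-blocker did its job) and the
    # image must hash identically to the source (bit-for-bit copy).
    if [ "$SRC_BEFORE" = "$SRC_AFTER" ] && [ "$SRC_BEFORE" = "$IMG_HASH" ]; then
        echo MATCH
        return 0
    fi
    echo MISMATCH
    return 1
}

verify_image_later() {
    # Re-hash the image at any later point (for example before analysis) and
    # compare with the hash recorded at acquisition time. Returns non-zero if
    # the image has been altered since it was taken.
    [ "$(sha256_of "$IMG")" = "$IMG_HASH" ]
}

acquire
verify_acquisition
cat "$LOG"
```

On a real seizure the source would be the device node behind the write-blocker rather than a file, and the log would also record the device's make, model and serial number, but the check is the same: three equal hashes, or the image is not evidence.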

Interpretation

In the identification stage, we recognise that digital evidence from an offender's device can be interpreted from a number of perspectives. For instance, the physical sectors of a disk and the logical partitions and file system are examined. This can give you an idea of the technical expertise of the offender.

At this stage we also consider the context within which any digital evidence is found. This is especially crucial in financial forensic investigations where context helps investigators relate and untangle complex financial transactions.

Useful sources of evidence include records of Internet activity, local file accesses, cookies and e-mail records, among others. Evidence should be handled with the utmost care and a chain of custody must be kept, recording who held each item, when and why. The investigator must also make notes at the time of taking any action on an offender's device. Such contemporaneous notes are more likely to be accepted by a court than a witness relying on memory.

Evaluation

The third stage, evaluation, is where a decision on the digital evidence found is made. The investigator must establish how the data was produced, when and by whom.

In the final stage, presentation, the raw data is interpreted and the events that occurred on the offender's disk prior to its seizure are reconstructed and presented.

You can reduce the chance of ever needing this process by implementing information security measures. For example, you can place monitoring equipment on the perimeter of your network. This will let you detect new access points and devices as they appear.

My advice is that individuals and companies should aim to avoid a lengthy computer forensic investigation by investing in security controls, educating staff and developing policies that bolster information security in the organisation.

The writer is an ICT Security and Forensic Specialist. Email: [email protected]
