Computer forensic investigation involves obtaining and analysing digital information for use as evidence in legal matters. It encompasses every stage of the process, from searching for and collecting digital evidence at the crime scene, through acquisition and examination in the laboratory, to presenting the findings in a court of law.
The role of a computer forensics investigator is to gather evidence from a suspect's computer and determine whether the suspect committed a crime or violated a company policy. If the evidence suggests that a crime has been committed, a case is prepared, which involves collecting evidence that can be offered in a court of law. This process involves examining the suspect's computer and preserving the evidence on a forensic workstation or on sterile storage media. The following are the general tasks investigators perform when working with digital evidence:
- Identify digital information that can be used as evidence.
- Collect, preserve, and document evidence.
- Acquire, analyse and present evidence.
- Reconstruct the evidence or repeat the examination to verify that the results can be reproduced reliably.
Pre-Search Considerations
Before the investigation begins, an accepted procedure must be followed to prepare the case. By approaching each case methodically, you can evaluate the evidence thoroughly and document the chain of custody, which is the route the evidence takes from the time it is found until the case is closed or goes to court. Conducting an investigation systematically not only minimises confusion but also reduces the risk of overlooking, tampering with or damaging digital evidence.
1. Securing and Evaluating
- Ask questions: Make an initial assessment about the type of case being investigated. Talk to others involved in the case and ask questions about the incident, such as whether the computer was used to commit a crime or whether it contains evidence of another crime.
- Note safety issues: Do not assume that the persons present at the premises pose no threat to those executing the search. Identify any potential threat before conducting the search.
- Check consent issues: Confirm that you have the legal authority to conduct the search and, if you need to acquire the suspect's system, that you have the authority or consent to seize the computer.
- Plan the search and seizure: Based on the type of crime under investigation, decide how to conduct the search and seizure. Depending on the type of device from which evidence must be acquired, the operating system of the computer and any other conditions of the case, list the software you plan to use for the investigation, noting any other software or tools you might need.
- Obtain witness signatures.
2. Conducting Preliminary Interviews
Conducting preliminary interviews at the scene of the offence helps identify and seize potential evidence during the pre-investigation stage.
- Owners or users of the electronic devices found at the scene: Identify the complainant and the owner(s) of the various devices and obtain access details, usernames, service provider details, etc.
- Passwords required to access the system: The IO should ensure that the owners are available to access password-protected or otherwise secured information in the presence of the panchnama witnesses.
- Purpose of using the system: Ask what the system is used or accessed for.
- Unique security schemes or off-site data storage: Gather information on all security schemes and systems, including encryption policies, off-site data storage and data centres, and, in the case of an organisation, disaster recovery policies and backup plans.
3. Documenting the Electronic Crime scene
The documentation process provides a detailed and exact historical record of the evidence found at a crime scene and an accurate representation of the condition of the computer, phone, storage media or any other such physical evidence.
Photograph and video-record the crime scene, and record the condition of the system, the number of storage media and electronic devices, and any conventional evidence (including the power status of the computer). Sketch the crime scene.
Collection of Digital Media
Collecting digital evidence for later examination and analysis is of the utmost importance in a forensic investigation, so it must be done in a way that does not alter or tamper with the evidence in any manner. The IO should first confirm the power status of the system before collection begins. Check thoroughly for signs of a live system, such as flashing lights, running fans and other sounds that indicate the device is on. If the power status cannot be determined from these indicators, observe the monitor to determine whether it is on, off or in sleep mode.
Once the status of the system has been identified, follow the corresponding procedure:
The computer is ON –
- Move people away from the computer and its power supply.
- If the monitor is on and a program, picture, web page, etc. is displayed on the screen, photograph the screen and record the information displayed.
- If the monitor is on and a screen saver is displayed, move the mouse slightly without clicking any buttons or rotating the wheel, and do not touch the keyboard. Photograph the screen and record the information displayed once the screen restores.
- Disconnect the modem or network cable, if attached.
- Label and photograph all components, including the ports and cables, so that the setup can be reconstructed later if required.
- Remove all other connection cables leading from the computer to other devices or to wall sockets.
- Record the unique identifiers (make, model and serial number) of each component and make sure every component has a signed label attached.
- Search the area for any other related evidence, such as diaries or notepads that may contain passwords.
- Document all steps and procedures taken with respect to the system.
- Use live forensic tools, run from trusted media, to extract volatile data such as the contents of RAM. This must be done before the power is removed, because volatile data is lost as soon as the machine is powered off.
- Remove the power supply by pulling the plug from the back of the computer rather than from the wall socket; for a laptop, also remove the battery.
- Collect all power supplies and adapters for every electronic device seized.
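The volatile-data step above is the one part of the live procedure that must run on the suspect machine itself. The script below is an added example, not part of the original guide: it captures the usual volatile artefacts from a running Linux/Unix system in order of volatility (system time and uptime first, then logged-in users, processes, network state, mounts and loaded modules), writes each output to removable media and records a SHA-256 hash of every file in a manifest so the capture can later be shown to be unaltered. It assumes it is run as root from a trusted tool source (for example a mounted USB stick of known-good binaries), that the output directory is never on the suspect disk, and that the examiner's name is supplied in the EXAMINER environment variable; the tool names are the common Linux ones, and any tool that is absent is recorded as missing rather than silently skipped. Note that network connection state is only meaningful if this runs before the network cable is pulled; if that state matters to the case, capture it first.

```shell
#!/bin/sh
# Added example (not from the original guide): capture volatile data from a
# live system in order of volatility, hashing every output file.
# Assumptions: run as root from trusted media; OUTDIR is on removable media;
# EXAMINER is set by the examiner. Missing tools are recorded, not skipped.

# hash_file FILE -> prints the SHA-256 of FILE (coreutils or macOS shasum)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# capture_volatile OUTDIR -> writes <label>.txt files plus MANIFEST.txt and
# MANIFEST.sha256 into OUTDIR; returns non-zero only if OUTDIR is unusable.
capture_volatile() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    manifest="$outdir/MANIFEST.txt"
    : > "$manifest"
    {
        echo "examiner=${EXAMINER:-unknown}"
        echo "host=$(hostname 2>/dev/null || echo unknown)"
        echo "capture_start_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$manifest"

    # Most volatile first. Each entry is "label|command"; commands are the
    # usual Linux tools and are run only if present on the system.
    for entry in \
        "date|date -u" \
        "uptime|uptime" \
        "logged_in_users|who" \
        "processes|ps -ef" \
        "net_connections|ss -tanp" \
        "net_connections_legacy|netstat -an" \
        "routes|ip route" \
        "arp_cache|ip neigh" \
        "mounts|mount" \
        "kernel_modules|lsmod"
    do
        label=${entry%%|*}
        cmd=${entry#*|}
        tool=${cmd%% *}
        out="$outdir/$label.txt"
        if command -v "$tool" >/dev/null 2>&1; then
            # Keep stderr in the output so a failing command is documented too.
            if $cmd > "$out" 2>&1; then rc=0; else rc=$?; fi
            echo "$label|$cmd|exit=$rc|$(hash_file "$out")" >> "$manifest"
        else
            echo "$label|$cmd|MISSING_TOOL" >> "$manifest"
        fi
    done
    echo "capture_end_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$manifest"
    # Seal the manifest itself; the examiner copies this hash into the notes.
    hash_file "$manifest" > "$outdir/MANIFEST.sha256"
}

# Usage (on the live suspect machine, output to removable media):
#   EXAMINER="I. Officer" capture_volatile /media/evidence/case-001/volatile
```

The manifest hash is what goes into the contemporaneous notes and the chain-of-custody record; anyone who later questions the capture can re-hash the files and compare. A full memory image (the contents of RAM rather than the summaries above) needs a dedicated acquisition tool and is written to the same removable media, never to the suspect disk.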
The computer is OFF –
- Do not turn on the computer under any circumstances.
- Move people away from the system.
- Unplug the power supply and other devices from the wall socket.
- Label and photograph all components, including the ports, wires and cables, so that the setup can be reconstructed later if required.
- Carefully open the side of the casing and identify the hard disk. Detach it from the motherboard by disconnecting the power cable and the data transfer (SATA or IDE) cable. Note all unique identifiers.
- Check whether the CD, DVD or floppy drive slots are empty or contain media, and tape over the drive slots to prevent them from opening.
- Look for any other related evidence, such as diaries or notepads that may contain passwords.
- Connect the suspect hard drive to the forensic workstation through a hardware write blocker for copying/cloning, or package it for transport.
- Collect all power supplies and adapters for every electronic device seized.
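The copying/cloning step above, carried through as an added example that is not part of the original guide: the script images a seized drive with dd, hashes the source before and after imaging to show the write blocker kept it unchanged, hashes the image to show it is a bit-for-bit copy, and appends one line to a chain-of-custody log. In real use SRC is the block device behind the write blocker (for example /dev/sdb, an assumed name); because dd treats a file the same way, the example also provides a constructed 1 MiB sample source so it can be run and checked offline. It assumes coreutils (dd, sha256sum) or macOS shasum, and that the examiner sets the CASE_NO and EXAMINER environment variables (both assumed names).

```shell
#!/bin/sh
# Added example (not from the original guide): forensic imaging with hash
# verification and a chain-of-custody log entry. SRC is normally a block
# device attached through a hardware write blocker; any file works for a demo.
# Assumptions: coreutils/BSD dd, sha256sum or shasum, CASE_NO/EXAMINER set.

# hash_file FILE -> prints the SHA-256 of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC IMG LOG -> exit 0 only if source (before and after)
# and image all have the same SHA-256; always appends a custody log line.
image_and_verify() {
    src=$1; img=$2; log=$3
    case_no=${CASE_NO:-UNSET}
    examiner=${EXAMINER:-unknown}

    pre=$(hash_file "$src") || return 1
    # bs=512 keeps conv=noerror,sync aligned to the sector size: an unreadable
    # sector is replaced by zeros and reported in the dd log instead of being
    # skipped, so the image keeps the source's size. A larger bs would pad a
    # partial last block and change the image hash.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.log" || return 1
    post=$(hash_file "$src")   # source must be unchanged: the write blocker's job
    imgh=$(hash_file "$img")

    printf '%s|case=%s|examiner=%s|src=%s|img=%s|src_sha256_before=%s|src_sha256_after=%s|img_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$case_no" "$examiner" "$src" "$img" \
        "$pre" "$post" "$imgh" >> "$log"

    [ "$pre" = "$post" ] && [ "$pre" = "$imgh" ]
}

# verify_image IMG EXPECTED_SHA256 -> exit 0 if the stored image still matches
# the hash recorded at acquisition (run before every examination session).
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# make_sample_source PATH: constructed stand-in for a seized disk (1 MiB of
# random bytes, sector-aligned) used only to demonstrate the workflow.
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Usage on a real seizure (device name assumed, write blocker in place):
#   CASE_NO=001 EXAMINER="I. Officer" \
#     image_and_verify /dev/sdb /media/evidence/case-001/sdb.dd /media/evidence/case-001/custody.log
```

Dedicated imagers such as dc3dd, dcfldd, Guymager or FTK Imager do the hashing and bad-sector logging in one pass and are preferred in the laboratory; the dd form is shown because it is available on any forensic boot medium and makes the three hashes that matter (source before, source after, image) explicit. The custody log line is appended, never rewritten, and the image hash is repeated in the examiner's notes so the log itself is not the only record.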
Packaging of Digital Evidences
- Before packaging, make sure all evidence is properly labelled, documented and photographed.
- Take appropriate steps to preserve other evidence, such as fingerprints or other biological evidence.
- All digital evidence should be packaged in anti-static bags and then wrapped in bubble-wrap envelopes for protection. Ordinary plastic bags should be avoided, as they can generate static electricity and trap condensation and humidity.
- Use separate packaging for each exhibit.
- Label all containers used for storing evidence clearly.
Transportation and Storage of Digital Evidences
- Keep electronic evidence away from magnetic sources during transport.
- Store the evidence away from high temperature and humidity; heat, cold and humidity can damage digital evidence.
- Ensure that the evidence is protected from shock and vibration during transport.
- Maintain the chain of custody for all evidence that is transported.