Everyone will have seen a yellow tape line marked "do not enter" or "do not cross", either in a movie or in real life.
Those lines are there to prevent human interference with a crime scene. If someone interferes, vital evidence can be lost or become inadmissible in a court of law.
The same rule that applies to a physical crime scene applies to a digital crime scene: evidence is very volatile and can easily be destroyed.
When an investigator is called to a digital crime scene, there are things that must be done before handling any electronic or media device at the scene.
Electronic evidence is volatile, and once it is lost or changed it is almost impossible to return it to its original state.
Take this scenario, for instance: you own an organization and you suspect that a member of staff is using the organization's facilities (computers, internet) to commit crime or fraudulent activities online. So what do you do?
Call an investigator and, once he arrives, show him the computer so that he can begin his investigation on it immediately, searching all the files to see whether he can gather any tangible evidence?
Let's say the investigator gathers some incriminating files, then turns around to you and says, "Yes, Mr A is guilty."
Sorry to tell you this, but the investigator has just set the suspect free. The case will be thrown out in court and the suspect will go home smiling.
In this article, I will list the things an investigator or first responder must do upon arrival at a digital crime scene.
1 Less People, Less Problem
One of the first things to do upon arrival is to move people away from the computers. In the heat of the moment, someone who is doing something bad may try to delete information as soon as they spot people like you, so move people away from the computers as soon as possible. If possible, move them to a separate room, then photograph the computers and devices exactly as you found them.
2 Take Pictures
Someone might ask why this is important.
As a forensic investigator, you will need to reproduce exactly what you saw at the crime scene, and you can easily forget details if you decide not to take pictures. The pictures will help when it is time for the investigation and also when presenting to a court of law. You don't want a situation where the judge has doubts about the evidence. Before someone is found guilty, the court requires that there be no reasonable doubt, so don't provide an opening for the case to be thrown out.
3 Maintain a Chain of Custody
A chain of custody is a document that shows who had a piece of digital evidence, and when, and also how it was transported from one location to another. This is very important because it is the only way you can prove that the evidence was not tampered with. There have been high-profile cases that were thrown out of court because a chain of custody was not maintained. So in every case, make sure a chain of custody is maintained, and store the evidence properly in a Faraday bag so that its metadata is not tampered with and the physical features of the device are not destroyed or smeared.
4 Never work on the original evidence
Upon arrival at a crime scene, never start digging up evidence on the original device; instead, use a write blocker to make an image of the original digital device. Any investigation must be conducted on the image file. This preserves the integrity of the data and its metadata.
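Points 3 and 4 come together in practice: the hash recorded when the image is acquired is what later proves the working copy is still identical to the original, and the custody log must itself resist silent edits. The following is an added example, not code from the original post; the image bytes, names and timestamps are constructed, and the hash-chained log format is my own illustration, not any standard form.

```python
import hashlib
import json

# Constructed sample standing in for a disk image acquired through a write blocker.
SAMPLE_IMAGE = b"constructed sample image, not a real acquisition\n" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_custody_event(log: list, event: str, examiner: str, when: str, **fields) -> dict:
    """Append one custody entry. Each entry carries the hash of the previous one,
    so a removed, reordered or edited entry breaks the chain."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"event": event, "examiner": examiner, "time": when, "prev": prev, **fields}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_custody_log(log: list) -> bool:
    """Recompute every entry hash and check that each entry links to its predecessor."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def image_matches_acquisition(image: bytes, log: list) -> bool:
    """The working copy may only be examined if it still hashes to the acquisition value."""
    acquired = next(e for e in log if e["event"] == "acquired")
    return sha256_hex(image) == acquired["image_sha256"]


def build_sample_log() -> list:
    """Constructed custody history: acquisition, transport, hand-over (all timestamps made up)."""
    log = []
    add_custody_event(log, "acquired", "examiner A", "2024-01-01T09:00:00Z",
                      source="suspect workstation (constructed)",
                      image_sha256=sha256_hex(SAMPLE_IMAGE))
    add_custody_event(log, "transported", "examiner A", "2024-01-01T11:30:00Z",
                      destination="evidence locker 3 (constructed)")
    add_custody_event(log, "handed over", "examiner B", "2024-01-02T08:15:00Z")
    return log
```

Verifying the image hash before every examination session, and the log before presenting it, is what turns "we did not touch the original" into something a court can check rather than take on trust.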
5 Thou shalt not switch off the Digital Device
Digital devices should be left in their original state. Do not turn on or turn off any digital device, especially computers. If you need to move a device, e.g. a CPU, unplug the power source from the device and move it. Do not shut down or press the power button, because digital evidence is volatile and the touch of a button can change metadata and even delete important files that can never be recovered. There have been situations in the past where people programmed a script on their device so that if the device was touched in a particular way, the script would run automatically and delete files that could never be recovered, or even destroy the entire system.
Thanks for reading, and feel free to leave your comments.
#DigitalInvestigations
#ComputerForensics
#Cybersecurity
#Informationsecurity