‘Encase is a series of forensic software products produced by Guidance software.’ [8] As a software package, EnCase has several features, such as:
- data acquisition
- the management of a forensic case
- the searching and analysis of evidence
- the documentation of evidence
- the production of documentation such as reports for courts [2]
‘Dependant on the software used, the image can then either be examined directly within the forensic software as a ‘virtual drive’ or a ‘clone’ of the original media made for the purposes of the examination.’ [6]
Steganography is also relevant to identifying the contents of a file. Using a package such as ‘S-Tools (steganography tools) brings you the capability of concealing files within various forms of data’ [3]. And of course, if S-Tools can conceal data such as text, images or sound within other data, it can also reveal it.
If a storage device is found at a scene rather than a whole computer, the forensic examiner must be able to analyse that piece of equipment in the same way he would a whole computer. For example, if a floppy disk was found, the examiner must be able to analyse the disk’s slack space: the space on the disk that has been allocated to a piece of data but which may still contain remains of the data previously stored there. The examiner therefore has to be able to retrieve that data and determine whether or not the data that had been over-written is of any importance to the case. This matters because a criminal who knows how to hide files within other files, or how to write over a file that he does not want anyone else to find but can still recover himself, will do so if it is absolutely necessary. Hiding data within other files can also be done with sound files: for example, a sound file, perhaps a song from iTunes, can be sent to someone, but the sender could also have attached to it a hidden picture file or Word document that would be of importance to the receiver, and no one would know the file was there unless they understood how to analyse that file.
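The slack-space examination described above, as an added example that is not part of the original essay: a constructed four-cluster disk image in which a deleted text file once occupied the first three clusters and two current files were later written over the start of those clusters. The cluster size, the allocation table FILES and the sample contents are all assumptions made for the example; real file systems are more involved, but the slack region is found the same way, from a file's logical size up to the end of its last allocated cluster.

```python
"""Added example (not part of the original essay): inspecting the slack space
of files in a constructed disk image and recovering printable remnants of the
data that used to occupy those clusters.

Assumptions (the essay gives none of these): a fixed cluster size of
CLUSTER_SIZE bytes and a hypothetical allocation table FILES that maps each
file name to (first_cluster, logical_size).
"""
import re

CLUSTER_SIZE = 512  # constructed value for the toy image

# Hypothetical allocation table: file name -> (first cluster, logical size in bytes)
FILES = {
    "report.txt": (0, 300),  # 1 cluster allocated, 212 bytes of slack
    "notes.txt": (1, 600),   # 2 clusters allocated, 424 bytes of slack
    "empty.dat": (3, 100),   # cluster never held anything else: no remnants
}


def build_sample_image():
    """Construct a 4-cluster image: clusters 0-2 first held a deleted text file,
    then the FILES above were written over the start of their clusters."""
    image = bytearray(CLUSTER_SIZE * 4)  # zero-filled
    old = b"OLD MEETING LOCATION: WAREHOUSE 7 AT MIDNIGHT. " * 40
    image[0:CLUSTER_SIZE * 3] = old[:CLUSTER_SIZE * 3]
    for name, (first, size) in FILES.items():
        start = first * CLUSTER_SIZE
        image[start:start + size] = ((name.encode() + b" ") * size)[:size]
    return bytes(image)


def slack_space(image, first_cluster, size, cluster_size=CLUSTER_SIZE):
    """Bytes between a file's logical end and the end of its last allocated
    cluster: the region the examiner must inspect for over-written data."""
    clusters = -(-size // cluster_size)  # ceiling division
    start = first_cluster * cluster_size + size
    end = (first_cluster + clusters) * cluster_size
    return image[start:end]


def recover_strings(data, min_len=8):
    """Return runs of at least min_len printable ASCII bytes found in data."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def examine_slack(image, files=FILES):
    """Map each file to the printable remnants recovered from its slack space."""
    return {name: recover_strings(slack_space(image, first, size))
            for name, (first, size) in files.items()}


if __name__ == "__main__":
    for name, remnants in examine_slack(build_sample_image()).items():
        print(f"{name}: {len(remnants)} remnant string(s)", remnants[:1])
```

Running the block shows the point the paragraph makes: report.txt and notes.txt are intact, yet their slack still yields the text of the over-written file, while empty.dat, whose cluster never held anything else, yields nothing.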
According to the United States Department of Justice, there are three types of computer crime in which forensic computing can assist in the analysis of data. There are computer-assisted crimes, in which the computer is used to assist in a crime but is not unique to it. Specific computer crimes are crimes that can only exist because of the computer and would not have existed before it. And there are incidental computer crimes, in which the use of a computer is incidental, such as using a computer to write a ransom note. Under each of these three types there are many ways to commit a crime, for example hacking, sending a virus, physical theft of hardware or software, financial fraud, unauthorised email or web access, eavesdropping and many others.
To overcome some of these types of attack, companies have developed software packages that can detect such attacks and build firewalls and blocks to prevent any further destruction of computer data. For example, to deal with telecommunication eavesdropping, packet sniffers have been developed. A packet sniffer is a piece of software ‘that can intercept and log traffic passing over a digital network or part of a network. As data streams travel back and forth over the network, the sniffer captures each packet and eventually decodes and analyzes its content.’ [4] Against virus attacks, virus guards and security packages such as Norton, McAfee and Spyware are useful to have installed on a computer; all of these packages provide security on a computer by detecting viruses, harmful data or unwanted files. They can scan all of the files on a computer to check for anything harmful which could destroy files.
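The “decodes and analyzes its content” step of the packet sniffer quoted above, as an added example that is not part of the original essay: a decoder for one Ethernet II / IPv4 / UDP frame. The frame itself is constructed inline (capturing live traffic would need a raw socket or libpcap), the addresses are documentation values rather than real hosts, and the header layouts follow RFC 791 and RFC 768; the decoder also verifies the IPv4 header checksum, so a frame altered in transit is reported rather than silently logged.

```python
"""Added example (not from the essay): the "decodes and analyzes" step of a
packet sniffer, run on one constructed Ethernet II / IPv4 / UDP frame.
Layouts follow RFC 791 (IPv4) and RFC 768 (UDP); the MAC and IP addresses
are documentation/example values, not real hosts."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words (RFC 791 section 3.1).  A header
    that includes a correct checksum sums to zero, which is how we verify it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame(payload=b"constructed application payload"):
    """Construct one frame: 192.0.2.10:40000 -> 198.51.100.7:53 over UDP."""
    eth = (bytes.fromhex("001122334455")            # destination MAC
           + bytes.fromhex("66778899aabb")          # source MAC
           + struct.pack("!H", ETHERTYPE_IPV4))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload  # UDP checksum 0 = omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, PROTO_UDP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in header checksum
    return eth + ip + udp


def decode_frame(frame):
    """Parse the Ethernet, IPv4 and UDP headers and return the fields an analyst
    would log.  Raises ValueError for anything this toy decoder cannot trust."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _cksum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch: corrupted or altered in transit")
    info = {
        "dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
        "src_ip": ".".join(map(str, sip)), "dst_ip": ".".join(map(str, dip)),
        "ttl": ttl, "protocol": proto,
    }
    if proto == PROTO_UDP:
        if total_len - ihl < 8:
            raise ValueError("truncated UDP header")
        sport, dport, ulen, _ucksum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        info.update(src_port=sport, dst_port=dport, payload=ip[ihl + 8:ihl + ulen])
    return info


if __name__ == "__main__":
    for field, value in decode_frame(build_sample_frame()).items():
        print(f"{field:>9}: {value!r}")
```

A real sniffer repeats this per captured frame and adds further decoders (TCP, ICMP, IPv6); the checks on lengths and the checksum are what stop a malformed frame from producing a misleading log entry.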
According to the National High Tech Crime Unit (NHTCU), a computer can be used in a crime (e.g. to write a ransom note or to send a virus), can contain evidence of a crime (e.g. the document that contains terrorist plots) or can be the target of a crime (e.g. receiving a virus, or being eavesdropped upon). This is a similar description of computer crime to that given by the United States Department of Justice. [2]
Like any evidence collected at a crime scene, the evidence at a computer crime scene has to be collected in an appropriate manner. For example, at a murder scene, DNA evidence or bodily fluids must be contained in a vial or sealable test tube, and sharp weapons such as knives must be placed into rigid plastic tubes and taped shut. Likewise, computer evidence, such as any copy of the applications that were running at the time of collection, must be packaged in antistatic bags to protect the data saved on the device, because any interference the device comes into contact with, such as other electrical equipment (for example a police officer’s radio), could destroy the data on the device.
The principles of computer forensic evidence according to the NHTCU are, first, that nothing should be changed, which is the same for any evidence at a crime scene: any tampering with evidence of any sort can compromise the reliability of that evidence in court. If the evidence has been tampered with or was not analysed using the correct procedure, then the judge could throw that piece of evidence out of court on the basis of misconduct. The NHTCU also states that only qualified persons can access the original data, because it is then their duty to justify and explain why they accessed the original data when there should have been no need to, had they made an exact copy of that data in the first place. An audit trail of the evidence must be created and preserved by all the staff that have had contact with the evidence in question. A person must also be assigned to monitor the progress of work on any evidence, so that they can verify to a court that the required principles have been followed and that the law has also been followed. [2, 5]
‘Combined, these principles mean that examination of computer-based evidence should only be performed by suitably qualified individuals, in a forensically sound manner, with sufficient records maintained to ensure that another examiner can reconstruct their actions.’ [6]
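The principles set out in the two paragraphs above (nothing changed, work on an exact copy, an audit trail another examiner can check) as an added example that is not part of the original essay or of the NHTCU guidance: the evidence is a constructed byte string standing in for a seized disk image, and the use of SHA-256 acquisition hashes and a hash-chained log are this example’s own choices for making “unchanged” and “preserved” verifiable rather than asserted.

```python
"""Added example (not from the essay): the NHTCU principles above, "nothing
should be changed", work on "an exact copy" and "an audit trail", expressed as
code.  The evidence is a constructed byte string standing in for a disk image.
SHA-256 acquisition hashes and a hash-chained log are this example's own
choices, not a procedure the essay describes."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash of the first log entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only log in which every entry commits to the previous one, so an
    edited or missing entry is detected when another examiner re-verifies."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, examiner, action, evidence_hash, when=None):
        entry = {
            "time": when or datetime.now(timezone.utc).isoformat(),
            "examiner": examiner,
            "action": action,
            "evidence_sha256": evidence_hash,
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """True only if every entry is intact and the chain is unbroken."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body.get("prev_entry_hash") != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(original, examiner, trail):
    """Hash the original, take a bit-for-bit copy, confirm the copy matches and
    log both steps.  All later analysis is done on the copy."""
    original_hash = sha256_hex(original)
    trail.record(examiner, "hash original media", original_hash)
    working_copy = bytes(original)  # stands in for a forensic imaging tool
    copy_hash = sha256_hex(working_copy)
    trail.record(examiner, "create verified working copy", copy_hash)
    if copy_hash != original_hash:
        raise RuntimeError("working copy does not match original")
    return working_copy, original_hash


def verify_unchanged(data, expected_hash):
    """Re-hash evidence (original or copy) and compare with the acquisition hash."""
    return sha256_hex(data) == expected_hash


if __name__ == "__main__":
    evidence = b"constructed stand-in for a seized disk image"  # constructed sample
    trail = AuditTrail()
    copy, acquisition_hash = acquire(evidence, "examiner A", trail)
    trail.record("examiner B", "keyword search on working copy", sha256_hex(copy))
    print("original unchanged:", verify_unchanged(evidence, acquisition_hash))
    print("audit trail intact:", trail.verify())
    print(json.dumps(trail.entries, indent=1))
```

Each entry names who did what and to which hash of the evidence, and because each entry’s hash covers the previous entry’s hash, a record that is altered or removed after the fact makes verify() fail; that is what lets a second examiner reconstruct, and trust, the first examiner’s actions.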
Forensics as a discipline is ever changing, because newer methods are always being developed: methods which can advance and improve the way in which evidence is analysed, and therefore could vastly reduce the time in which the criminals themselves are captured. Computer crime has been on a steady increase over the years, as computers have slowly become a household ‘must have’. Computers have become a global piece of technology, not just in households for recreational use such as Hotmail and games; they are also a major investment in any company and are in continuous use. Computers in companies are used in all kinds of situations, such as the security of a company, the building and maintaining of a company web site, the storage of employee details, mailing food deliverers and many other uses. However, with technology advancing so rapidly, with the introduction of Microsoft Vista and the invention of iPods and hands-free sets for mobile phones, which have also become a global phenomenon in the technology world, it is inevitable that crime using computers would rise slightly. ‘Advances in storage technology are providing users with ever increasing amounts of storage capacity in their computer systems, forcing the development of more powerful forensic tools with faster imaging speeds and greater analytical functions.’ [6]
However, it is more inevitable that within the next ten years almost all of the crimes committed will involve a computer, if not as the main feature. Therefore, if the technology is advancing and criminals are finding more ways to abuse computer technology to commit crimes, then examiners are going to have to be knowledgeable about how these crimes are committed and how they could be stopped by the average man, for example with software security packages; they will need to have a full understanding of how these packages work and what they actually do to prevent viruses or hackers infiltrating the data within the computer. With this increase in the technology being developed and the increased need for experts to understand it, the forensic computing services will require more people who understand this technology. Information Technology is a mandatory subject within many schools at present, because it is felt that children should have a knowledge of how a computer works and how to create basic programs such as a web page. If computer crimes continue to increase there is the possibility that more students will want to study Information Technology, and then go further to study for a degree. However, even if students did choose to study for a computing course, it is not certain that they would intend to pursue a forensic computing career. They could wish to join a bank, or become a solicitor.
Overall, it is believed that computer crime is on the increase, and to prevent these crimes it is necessary to have more people who understand the technology and are able to analyse any evidence that is found, because the more people there are who understand computer technology, the more people there are not only to analyse that technology but also, more likely, to find ways to infiltrate it and use it to their advantage in a criminal act.
References
[1] Warren G. Kruse and Jay G. Heiser, Computer Forensics: Incident Response Essentials
[2] Lecture notes
[3] Steganography handout
[4]
[5]
[6] P. C. White (ed.), Crime Scene to Court: The Essentials of Forensic Science, 2nd edition
[7]
[8]