Impact of Digital Forensics in Cyber Crime


IMPACT OF DIGITAL FORENSICS IN COMPUTER NETWORK CRIMES

By Samuel Wagema

W0772663310@gmail.com

PhD. Digital Forensics

ABSTRACT

Globally, cybercrime is a growing problem, but the ability of law enforcement agencies to
investigate and successfully prosecute criminals for these crimes is unclear. While law
enforcement agencies have been conducting these investigations for many years, the previously
published needs assessments all indicated that they lack the training, tools, or staff to
effectively conduct investigations at the volume or complexity involved in many of these cases.
This study discusses cybercrime and global economic growth, reasons for conducting
a digital forensic investigation, the various branches of digital forensics in detail, potential
sources of digital evidence, standard operating procedures for digital evidence, legal aspects
and what the future holds in the field of digital forensics.

1. Introduction
In the early days of digital forensics, interest and effort were focused on addressing standalone
and networked PCs. As technology has developed, focus has extended to include the recovery
of evidence from any device that has a digital processor or digital storage capability. As a result,
the role of digital forensics has moved from the investigation of computer-based crimes such
as hacking, to the investigation of all types of crime.

Increasingly, with the information that can be recovered from car engine management systems,
satellite navigation systems, and cell phones, the type of evidence that can be obtained has
grown from recovery of documents, images, and network activity records to indications of an
individual’s movements and activities.

Investigators of conventional crimes such as murder, robbery, blackmail, and drug dealing
increasingly look to the digital environment for evidence and indications of suspects’ activities.

In the recent past, investigators of conventional crimes did not understand the potential value
of digital evidence, and as a result they would often ignore it. This is already changing, but
there is still a long way to go before investigators of conventional crimes understand the
potential value of digital evidence, and suitable levels of resources are available to address it.

2. Literature Review
Many of the original needs assessments on the investigation of crimes involving digital
evidence did not focus specifically on cybercrime investigation; they considered only the
general role of digital forensics in criminal investigation.
As technology has improved, so has the way it is used in government, commerce, academia,
and our personal lives. The potential value of high-tech devices has been recognized and their
uses have been adopted by both criminals and investigators. There has been a constant
requirement for updated tools, techniques, and methods that can be used for digital forensic
investigations to address the increasing range of devices that contain either digital processors
or digital storage media, as well as to address the complex environments in which they are
found.

One of the few studies conducted between 2004 and 2010 was completed by Rahul Bhaskar
(2006), and was written after the negative federal, state, and local governmental response to
the destruction caused by Hurricane Katrina. The author compared that response to the
likelihood that a digital Hurricane Katrina could occur. The study found that only a small
number of responding law enforcement personnel had even a basic understanding of
computer forensics, and that individual organizations thought it difficult to respond to
incidents because of the limited knowledge of computer forensics within law enforcement
and legal personnel such as prosecuting attorneys (Bhaskar, 2006). The author identified the
key elements of computer forensics as identification, preservation, analysis, and presentation,
and stated that the lack of performing these tasks uniformly across agencies caused an
uncertainty in the ability to ensure that digital evidence would withstand the scrutiny of trials
(Bhaskar, 2006).

The investigative capabilities of law enforcement have been reviewed previously in needs
assessments and analyses conducted on issues involving digital forensics (ISTS, 2010; NIJ,
Joseph Peterson, Ira Sommers). However, many of these were completed during the late
1990s and early 2000s, with only a few reports being published in 2010 and 2013 (Gogolin
& Jones, 2010; Henry, Williams, & Wright, 2013). While it is not clear why this large
publication break exists, it is well documented that the prevalence of technology use during
the commission of a crime has increased (Weiner-Bronner, 2014).

In addition, while law enforcement agencies have been conducting these investigations for
many years, the previously published needs assessments all indicated that state and local law
enforcement did not have the training, tools, or staff to effectively conduct investigations
at the volume or complexity involved in many of these cases.

Another paper, discussing three past investigations in the United States, illustrated the
importance of digital evidence for the criminal justice community: one case presented an
example of how digital forensics can be central to case closure and prosecution, another case
demonstrated how digital evidence missteps can have serious implications, and the final case
highlighted the challenges for modern investigation when digital evidence is limited or does
not exist (Sean E. Goodison, Robert C. Davis, and Brian A. Jackson).

3. Cyber crime and Global Economic Growth

Cybercrime is defined as crime committed on the Internet, using the Internet and by means of the Internet.
Computer crime is a general term that embraces such crimes as phishing, credit card fraud,
bank robbery, illegal downloading, industrial espionage, child pornography, kidnapping
children via chat rooms, scams, cyber-terrorism, creation and/or distribution of viruses, spam
and so on. All such crimes are computer-related and computer-facilitated crimes.
Cyber attacks are defined as “deliberate actions to alter, disrupt, deceive, degrade, or destroy
computer systems or networks or the information and/or programs resident in or transiting these
systems or networks”. Cyber attack weapons are easy to use and they can generate outcomes
that range from the simple defacing of a web site to the stealing of data and intellectual
property, espionage on target systems and even disruption of critical services.

Cyber criminals have different motives, but they can command the resources to create attack
vectors in order to achieve the results they want. They may commit fraud, identity theft, steal
money, and commit robbery against corporations, banks, nations, regions and even individuals.

According to the 2019 Official Annual Cybercrime Report (CV-HG-2019), cybercrime was
creating unprecedented damage to both private and public enterprises, and driving up IT
security spending. Worldwide spending on information security (a subset of the broader
cybersecurity market) products and services will reach more than $114 billion (USD) in 2018,
an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc.
In 2019, the market is forecast to grow 8.7 percent to $124 billion.

Cybersecurity Ventures also predicts cybercrime will cost the world in excess of $6 trillion
annually by 2021, up from $3 trillion in 2015.

Cybercrime is the greatest threat to every company in the world, and one of the biggest
problems with mankind. The impact on society is reflected in the numbers.

Cybercriminals are using more advanced and scalable tools to breach user privacy, and they are
getting results. Two billion data records were compromised in 2017, and more than 4.5 billion
records were breached in the first half of 2018 alone.

In addition, the World Economic Forum report showed that the biggest cybercrime trends of
2019 include advanced phishing kits, remote access attacks, attacks via smartphone,
vulnerabilities in home automation and the Internet of Things, and the use of artificial
intelligence.

4. Reasons for Conducting a Digital Forensic Investigation

The past decade has seen previously unimagined advances in technology, and although those
developments have benefited individuals and businesses alike, they have also become tools for
fraudsters and cyber criminals to steal money and data, and avoid detection.

Hackers use technology to hide their illicit activities and to move funds across jurisdictions and
around the globe. Their operations are complex and they have significant resources to help
them evade detection. This means that those tasked with investigating cyber criminal activity
have had to keep pace. We are seeing a new breed of investigators, the digital forensic
practitioners, who trace these criminals and their activities.

The digital forensics tools and techniques that these practitioners use provide tremendous
insight into attack trends, how these criminal groups work, what their motivations are, what
new tricks and tools they are using, and so on. This evidence gives valuable input into
knowledge and best practice resources, as well as threat intelligence databases.
Moreover, once a company realises that a breach has happened, the evidence collected from a
digital forensic analysis helps in incident response and remediation activities; data can also
be gleaned on new attack vectors and on sophisticated types of malware that might not have
been seen before.

It is also particularly useful in tracing the path of an advanced persistent threat (APT) which
uses a variety of tricks and tools to achieve its ends. APTs are highly targeted, and usually stay
undetected on the victim’s network for months, performing reconnaissance and exfiltrating
data. Digital forensics also helps to trace these attacks and discover what motivated them.

Security professionals routinely use such tools to analyze network intrusions—not to convict
the attacker but to understand how the perpetrator gained access and to plug the hole. Data
recovery firms rely on similar tools to resurrect files from drives that have been inadvertently
reformatted or damaged.

Irrespective of the motivation for the examination, interpretation, or reconstruction of trace
evidence in the digital world, digital forensics is also the practice of identifying, collecting,
analysing, and reporting on information found on computers, mobile devices and networks, in
such a way that all the evidence is admissible in a legal context. In addition, evidence of
all types of crimes such as assault, murder, human trafficking, fraud and drug dealing is
increasingly found in digital devices that either the perpetrator or the victim used.

Digital forensics is necessary for law enforcement and investigation, but also has applications
in commercial, private, or institutional organisations. All activity conducted on an individual’s
computer systems as well as on a company network leaves digital traces, which can range from
web browser history caches and cookies, all the way to document metadata, deleted file
fragments, email headers, process logs, and backup files.

5. Various Branches of Digital Forensics


Digital forensics has a very wide scope. Hence it must be divided into specialized branches to
build a greater knowledge base in each area. Cyber forensics, when divided into 4-5
branches, benefits from having experts in each area rather than one expert who knows all areas.
The branches of digital forensics are:

1. Disk Forensics
2. Printer Forensics
3. Network Forensics
4. Mobile Device Forensics
5. Database Forensics
6. Digital Music Device Forensics
7. Scanner Forensics
8. PDA Forensics
9. Multimedia Forensics
Let us look at these branches in detail.
a. Disk Forensics
Disk forensics is the science of extracting forensic information from digital storage media such
as hard disks, USB devices, FireWire devices, CDs, DVDs, flash drives, floppy disks etc. The
processes of disk forensics are:
• Identify digital evidence
The first step in disk forensics is the identification of the storage devices at the crime scene.
Computers may contain disks such as IDE/SCSI hard disks, CDs, DVDs, floppy disks etc.;
mobiles, PDAs etc. may have flash cards, SIMs, USB/FireWire disks, magnetic tapes, Zip
drives, Jaz drives etc.

• Acquire the evidence
Once the digital evidence is identified, it should be acquired with a forensic imaging tool.
Acquisition is a process of bit-stream imaging. The image must be correct and complete, and
it must preserve the disk geometry. During this process the source media should be write
protected.

• Authenticate the evidence
Once imaging is done, the image should be verified against the original. Hashing is the
mechanism used to prove that the copy is identical to the original and has not been altered.

• Preserve the evidence
Electronic evidence might be altered or tampered with without trace. Once acquisition and
authentication are done, the original evidence should be placed in secure storage. One more
copy of the image should be taken and stored on appropriate media or reliable mass storage.
Optical media can be used as the mass storage: it is reliable, fast, has a long life span and is
reusable.

• Analyze the evidence
Analysis is the search for relevant information in the digital evidence. Analysis should cover
the complete evidence without leaving out a single bit of information. The search may cover
files or data in normal files and folders, registries, pictures, databases, cookies, temporary
files, swap, Internet history, passwords etc., and ambient data areas such as deleted,
formatted, slack, unallocated and lost space.

• Report the findings
Report generation is an important and the final stage in disk forensics. The value of the
evidence will ultimately depend on the way it is presented. The technical evidence in the report
should be stated in a simple and precise way so that a non-technical person can also understand it.
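The Acquire, Authenticate and Preserve steps above, worked through as an added Python example (not code from the paper): a regular file stands in for the write-blocked source media, SHA-256 is the assumed hash algorithm, and the sample disk contents and examiner id are constructed placeholders.

```python
"""Added example: bit-stream acquisition with hash authentication and a
preservation manifest, mirroring the Acquire/Authenticate/Preserve steps.

Assumptions: the source media is a regular file (on a real case it would be a
read-only block device behind a hardware write blocker); the hash is SHA-256;
the "disk" contents and examiner id below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: large media never has to fit in RAM


def sha256_of_file(path):
    """Stream the whole file through SHA-256 without loading it at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image):
    """Bit-stream copy of `source` into `image`, hashing the source as it is read.

    The source is opened read-only. The hash returned is of the bytes actually
    read from the source, so the written image can later be checked against it.
    """
    h = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return {"sha256": h.hexdigest(), "bytes": size}


def authenticate(source, image, acquired):
    """Authenticate step: hash the written image and the source independently.

    All three values must agree: the hash seen during acquisition, a fresh hash
    of the source, and a fresh hash of the image file on disk.
    """
    image_hash = sha256_of_file(image)
    source_hash = sha256_of_file(source)
    return image_hash == source_hash == acquired["sha256"], image_hash


def write_manifest(image, image_hash, size, examiner):
    """Preserve step: record what was imaged, its hash, by whom and when."""
    manifest = {
        "image": os.path.basename(image),
        "sha256": image_hash,
        "bytes": size,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(image + ".json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image):
    """Later check (before analysis, or for court): does the image still match?"""
    with open(image + ".json") as f:
        manifest = json.load(f)
    return sha256_of_file(image) == manifest["sha256"]


def demo():
    """Run acquire -> authenticate -> preserve -> verify on constructed data."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence_disk.bin")  # stand-in for a drive
    image = os.path.join(workdir, "evidence_disk.dd")
    # Constructed "disk": a fake boot sector followed by a deleted-file fragment.
    with open(source, "wb") as f:
        f.write(b"\x00" * 510 + b"\x55\xaa")
        f.write(b"deleted invoice fragment " * 40_000)

    acquired = acquire(source, image)
    ok, image_hash = authenticate(source, image, acquired)
    write_manifest(image, image_hash, acquired["bytes"], "EXAMINER-ID-PLACEHOLDER")
    verified_before = verify_image(image)

    # Simulate an alteration of the working copy: one byte flipped in slack space.
    with open(image, "r+b") as f:
        f.seek(600)
        f.write(b"X")
    verified_after = verify_image(image)  # manifest hash no longer matches
    return {"authenticated": ok, "verified_before": verified_before,
            "verified_after": verified_after, "bytes": acquired["bytes"]}


if __name__ == "__main__":
    print(demo())
```

The manifest stays beside the image; a single changed byte anywhere in the image makes `verify_image` return False, which is exactly the property hashing provides for the Authenticate step.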

b. Printer Forensics
Printed material is a direct accessory to many criminal and terrorist acts. In addition, printed
material may be used in the course of conducting illicit or terrorist activities. In both cases, the
ability to identify the device or type of device used to print the material in question would
provide a valuable aid for law enforcement and intelligence agencies. For example,
counterfeiters often digitally scan currency and then use colour laser and inkjet printers to
produce bogus bills. Forgers use the same methods to make fake passports and other
documents. Investigators want to be able to determine that a fake bill or document was created
on a certain brand and model of printer. They also want to identify not only which model of printer
was used but specifically which printer was used. Thus it will be possible to tell the difference
between counterfeit bills created on specific printers even if they are the same model.

There are two approaches: first, analyzing a document to identify characteristics that are unique
to each printer, and second, designing printers to purposely embed individualized characteristics
in documents.

The second method is used by most of the latest printer manufacturers. No two printers
of the same model will behave in exactly the same pattern, because the mechanical parts
that make up the printer will not be 100 percent equivalent.

Manufacturing such printers could reach the point where each printer would be too
expensive for consumers. If, however, the printer cartridge is changed after a document is
printed, the document can no longer be traced to that printer.

c. Network Forensics
Network forensics is a branch of digital forensics that focuses on the monitoring and analysis
of network traffic. Network forensics is the process of gathering and examining raw network
data and systematically tracking and monitoring network traffic to establish how an
attack took place.

Traffic is usually intercepted at the packet level, and either stored for later analysis or filtered
in real-time. Unlike other areas of digital forensics, network data is often volatile and rarely
logged, making the discipline often reactionary. Security professionals routinely use such tools
to analyze network intrusions, not to convict the attacker but to understand how the perpetrator
gained access and to plug the hole.

It also helps to investigate offenses after the event, determine how they occurred and identify
the party or parties responsible. A digital forensic investigator will gather network-based
evidence from a particular computing device in the network so that it can be presented in court,
conducting a thorough digital investigation and building a documented chain of evidence.

d. Mobile Device Forensics


Mobile phone forensics is the science of recovering digital evidence from a mobile phone under
forensically sound conditions using accepted methods. Mobile phones, especially those with
advanced capabilities, are a relatively recent phenomenon, not usually covered in classical
computer forensics. Cell phones vary in design and are continually undergoing change as
existing technologies improve and new technologies are introduced. Developing an
understanding of the components and organization of cell phones is a prerequisite to
understanding the criticalities involved when dealing with them forensically. Similarly,
features of cellular networks are an important aspect of cell phone forensics, since logs of usage
and other data are maintained therein. Cell phone forensics includes the analysis of both SIM
and phone memory, each of which requires a separate procedure.

It differs from computer forensics in that a mobile device will have an inbuilt communication
system (e.g. GSM) and, usually, proprietary storage mechanisms. Investigations usually focus
on simple data such as call data and communications (SMS/email) rather than in-depth
recovery of deleted data.

e. Database Forensics
Database forensics is a branch of digital forensics relating to the forensic study following
the normal forensic process and applying investigative techniques to database contents and
metadata. Cached information may also exist in a server's RAM, requiring live analysis
techniques.

A forensic examination of a database may relate to the timestamps that apply to the update time
of a row in a relational table being inspected and tested for validity in order to verify the actions
of a database user. Alternatively, a forensic examination may focus on identifying transactions
within a database system or application that indicate evidence of wrongdoing, such as fraud.

Third-party software tools which provide a read-only environment can be used to manipulate
and analyze data. These tools also provide audit logging capabilities which provide
documented proof of what tasks or analysis a forensic examiner performed on the database.

f. Digital Music Device Forensics


Large storage capacities and personal digital assistant (PDA) functionalities have made the
digital music device a technology that should be of interest to the cyber forensic community.
The digital music revolution has also seen the digital music device become a common
household item. It is only a short time until they too make a natural progression into the criminal
world. This progression has already begun. Some of the hard drive-based devices have
capacities upwards of 60GB. With this much storage space for music, developers have
branched out and included features like a calendar and contact book (Apple iPod: music and
more). These devices are simply a portable hard drive, and have the ability to store other types
of files besides music, such as documents or pictures.

An employee could take sensitive information by using the capabilities of a digital music
device. Suspects could potentially store critical evidence on these types of devices. It must be
determined whether current frameworks of cyber forensic science are applicable and to what extent
current guidelines can be applied to digital music device forensics.

g. Scanner Forensics
A large portion of digital image data available today is created using acquisition devices such
as digital cameras and scanners. While cameras allow digital reproduction of natural scenes,
scanners are used to capture hardcopy art in more controlled scenarios. For a forensic approach,
a non-intrusive scanner model identification technique, which can be further extended to
authenticate scanned images, is a necessity.

Using only scanned image samples, a robust scanner identifier should determine the
brand/model of the scanner used to capture individual scanned images. A proposal for such a
scanner identifier is based on statistical features of scanning noise. Scanning noise can be
characterized from multiple perspectives, including image denoising, wavelet analysis,
and neighbourhood prediction, with statistical features obtained from each characterization. The
same approach can be extended to digital cameras and other imaging devices. The most
significant challenge is that “analytical procedures and protocols are not standardized nor do
practitioners and researchers use standard terminology”.

The technology change will result in new devices emerging in the digital world. Whenever a
new digital device enters the market a forensic methodology has to evolve to deal with it. This
phenomenon will expand the field of device forensics.

h. PDA Forensics
In the modern era, Personal Digital Assistants (PDAs) have become immensely popular. They are
no longer meagre electronic devices holding personal information, appointments and an address
book. Modern PDAs are hybrid devices integrating wireless, Bluetooth, infrared, WiFi, mobile
phone, camera, global positioning system, basic computing capabilities, Internet etc., in
addition to the standard personal information management features.

Investigating crimes involving PDAs is more challenging than those involving normal
computers. This is mainly because these devices are more compact, battery operated and store
data in volatile memory. A PDA is never really turned off as long as it has sufficient battery
power. Evidence residing in a PDA is highly volatile in nature. It can be easily altered or
damaged without being noticed. In order to collect such evidence and ensure its admissibility
in a court of law, sound forensic techniques and a systematic approach are needed. A standard
forensic model for PDAs, which provides an abstract reference framework, is particularly
important in digital crime investigations. In addition to law enforcement officials, such a model
can also benefit IT auditors, information security experts, IT managers and system
administrators, as they are often the first responders to any sort of computer crime in an
organization.

6. Potential Source of Digital Evidence


a. Computer System
A computer system and its components can be valuable evidence in an investigation. The
hardware, software, documents, photos, image files, e-mail and attachments, databases,
financial information, Internet browsing history, chat logs, buddy lists, event logs, data stored
on external devices, and identifying information associated with the computer system and
components are all potential evidence.

b. Storage devices
Storage devices such as hard drives, external hard drives, removable media, thumb drives, and
memory cards may contain information such as e-mail messages, Internet browsing history,
Internet chat logs and buddy lists, photographs, image files, databases, financial records, and
event logs that can be valuable evidence in an investigation or prosecution.

c. Portable Devices
Handheld devices such as mobile phones, smart phones, PDAs, digital multimedia (audio and
video) devices, pagers, digital cameras, and global positioning system (GPS) receivers are also
potential evidence. They may contain software applications, data, and information such as
documents, e-mail messages, Internet browsing history, Internet chat logs and buddy lists,
photographs, image files, databases, and financial records that are valuable evidence in an
investigation or prosecution.

d. Peripheral Devices
Peripheral devices are equipment that can be connected to a computer or computer system to
enhance user access and expand the computer’s functions.

The devices themselves and the functions they perform or facilitate are all potential evidence.
Information stored on the device regarding its use also is evidence, such as incoming and
outgoing phone and fax numbers; recently scanned, faxed, or printed documents; and
information about the purpose for or use of the device. In addition, these devices can be sources
of fingerprints, DNA, and other identifiers.

e. Other Potential Sources of Digital Evidence


First responders should be aware of and consider as potential evidence other elements of the
crime scene that are related to digital information, such as electronic devices, equipment,
software, hardware, or other technology that can function independently, in conjunction with,
or attached to computer systems. These items may be used to enhance the user’s access of and
expand the functionality of the computer system, the device itself, or other equipment.

The device or item itself, its intended or actual use, its functions or capabilities, and any settings
or other information it may contain is potential evidence.

f. Computer Networks
A computer network consists of two or more computers linked by data cables or by wireless
connections that share or are capable of sharing resources and data. A computer network often
includes printers, other peripheral devices, and data routing devices such as hubs, switches, and
routers.

The networked computers and connected devices themselves may be evidence that is useful to
an investigation or prosecution. The data they contain may also be valuable evidence and may
include software, documents, photos, image files, e-mail messages and attachments, databases,
financial information, Internet browsing history, log files, event and chat logs, buddy lists, and
data stored on external devices. The device functions, capabilities, and any identifying
information associated with the computer system; components and connections, including
Internet protocol (IP) and local area network (LAN) addresses associated with the computers
and devices; broadcast settings; and media access control (MAC) or network interface card (NIC)
addresses may all be useful as evidence.

7. Standard Operating Procedures


a. Evidence Collection
The first responder must have proper authority—such as plain view observation, consent, or a
court order—to search for and collect evidence at an electronic crime scene. The first responder
must be able to identify the authority under which he or she may seize evidence and should
follow agency guidelines, consult a superior, or contact a prosecutor if a question of appropriate
authority arises.

Digital evidence must be handled carefully to preserve the integrity of the physical device as
well as the data it contains. Some digital evidence requires special collection, packaging, and
transportation techniques. Data can be damaged or altered by electromagnetic fields such as
those generated by static electricity, magnets, radio transmitters, and other devices.
Communication devices such as mobile phones, smart phones, PDAs, and pagers should be
secured and prevented from receiving or transmitting data once they are identified and collected
as evidence.

The National Institute of Standards and Technology (NIST) divides a forensic investigation
into four phases, which are briefly summarized below:

a. Collection: Identify, label, record and acquire data from possible sources, while
preserving the integrity of the data.

b. Examination: Use manual and automated methods to assess and extract data of
particular interest, while preserving the integrity of the data.

c. Analysis: Use legally justifiable methods and techniques to derive useful information.

d. Reporting: Describe the actions used, explain how tools and procedures were selected,
and determine what other actions need to be performed, including forensic examination of
additional data sources, securing identified vulnerabilities and improving existing security
controls. Recommend improvements to policies, guidelines, procedures, tools and other
aspects of the forensic process.

b. Computers in Business Environments

Business environments frequently have complicated configurations of multiple computers
networked to each other, to a common server, to network devices, or a combination of these.
Securing a scene and collecting digital evidence in these environments may pose challenges to
the first responder. Improperly shutting down a system may result in lost data, lost evidence,
and potential civil liability.

The first responder may find a similar environment in residential locations, particularly when
a business is operated from the home.

In some instances, the first responder may encounter unfamiliar operating systems or unique
hardware and software configurations that require specific shutdown procedures. Such
circumstances are beyond the scope of this guide.

8. Legal Aspects – Techno legal


Of the disciplines that comprise Information Assurance, digital forensics is perhaps the one
most closely defined by legal requirements, and one whose growth and evolution is informed
and guided by case law, regulatory changes, and the ability of cyber lawyers and digital
forensics experts to take the products of forensic tools and processes to court.
The tension between privacy rights and law enforcement’s need to search and seize digital
evidence sometimes mirrors, and frequently extends, the extant tensions inherent in rules of
evidence.

a. THRESHOLD CONSIDERATIONS
Evidence, to be admissible in court, must be relevant, material and competent, and its probative
value must outweigh any prejudicial effect. Digital evidence is not unique with regard to
relevancy and materiality, but because it can be easily duplicated and modified, often without
leaving any traces, digital evidence can present special problems related to competency.
Moreover, to even reach the point where specific competency questions are answered, digital
evidence must survive the threshold test posed by Daubert of its competency as a class of
evidence. There is no specific test that can be used to determine whether digital evidence
possesses the requisite scientific validity. The Court in Daubert suggested several factors to be
considered:

• Whether the theories and techniques employed by the scientific expert have been tested;
• Whether they have been subjected to peer review and publication;
• Whether the techniques employed by the expert have a known error rate;
• Whether they are subject to standards governing their application; and
• Whether the theories and techniques employed by the expert enjoy widespread
acceptance.

These factors are not exhaustive and do not constitute a definitive checklist or test. Testimony
may be admissible even where one or more of the factors are unsatisfied. The Court further
clarified that the admissibility inquiry must focus solely on the expert's principles and
methodology, and "not on the conclusions that they generate".

So, digital forensic evidence proposed for admission in court must satisfy two conditions: it
must be (1) relevant, arguably a very weak requirement, and (2) it must be derived by the
scientific method and supported by appropriate validation.

Digital forensics is, of course, highly technical, and therefore grounded in science: computer
science, mathematics, physics, and so forth. It is also a discipline that requires knowledge of
engineering, particularly electrical, mechanical and systems engineering. And applying the
science and engineering in specific investigations is a complex process that requires
professional judgment that is sometimes more art than science.

b. ADMISSIBILITY OF DIGITAL EVIDENCE

Computers today come with, or can be augmented to provide, huge amounts of data storage.
Drives holding hundreds of gigabytes or several terabytes are common, and a single computer may
contain several such drives. Seizing and freezing the evidence can no longer be accomplished
simply by burning a single CD-ROM. Failure to freeze the evidence before opening the files,
coupled with the fact that merely opening a file changes it (at a minimum its access timestamp,
and on a journaling file system possibly more), can and has invalidated critical evidence. This
is why acquisition is done through a write blocker and the resulting image is hashed, so that
every later working copy can be shown to be identical to what was seized. Then comes the
problem of locating the relevant evidence within massive amounts of data. Wading through such
volumes of information to find relevant evidence is a daunting task.
As daunting as these problems are, additional problems arise when we have to look beyond a
single computer.

In modern distributed computer architectures, the digital evidence we need may reside on many
different servers and clients within the organization’s IT infrastructure. The problems get even
more difficult when the IT infrastructure is connected to the Internet, for then digital evidence
may be spread across vast geographic distances and several sovereign jurisdictions.

As with any evidence, testimony clearly establishing that the evidence has been under the
control of responsible law enforcement personnel and trained investigators is required to assure
the trier of fact that the evidence is complete and has not been changed. Attempts to introduce
incomplete printouts of web pages have failed.

Since digital evidence usually takes the form of a writing, or at least a form which can be
analogized to a writing, it must be authenticated and satisfy the requirements of the Best
Evidence Rule.

The proponent of the evidence need not present testimony by a programmer, but should present
some witness who can describe how information is processed through the computer and used
by the organization.

With regard to hearsay, most courts have dealt with the objection to the introduction of
computer records by relying on the business records exception. Such an approach may work
for audit logs, provided they satisfy the rule, which might not be the case for computer records
collected as part of an investigation rather than as the result of a routine, periodic process. The
following are some guidelines to preserve admissibility of digital evidence:

• Upon seizing digital evidence, action should not change that evidence.
• When it is necessary for a person to access original digital evidence, that person must
be forensically competent.
• All activity relating to the seizure, access, storage or transfer of digital evidence must
be fully documented, preserved and available for review.
• An individual is responsible for all actions taken with respect to digital evidence while
the digital evidence is in their possession.
• Any agency that is responsible for seizing, accessing, storing or transferring digital
evidence is responsible for compliance with these principles.

7.3. EMERGING PROBLEMS


As challenging as the profession of digital forensics has been to date, still more interesting
problems are looming on the horizon. Computers are proliferating throughout modern society,
and as their numbers grow they change in size, shape, speed and function. Once we gathered
digital evidence from monolithic, stand-alone mainframes.

Today we have PCs, supercomputers, distributed client-server networks, laptops, palmtops and
PDAs, all of which can, and do, provide digital evidence at times. We have networks that use
twisted pairs, coaxial cables, fiber optic cables, radio and infrared radiation to convey
information. We have LANs and WANs. Digital evidence stored in one computer is readily
available to a miscreant using another computer half a world, and several legal jurisdictions,
away.

As computers become smaller, faster and cheaper, computers are increasingly embedded inside
of other larger systems in ways that are not always obvious and allow information to be created,
stored, processed and communicated in ways that are unprecedented. Consequently, digital
evidence can arise in unexpected places and forms. Instrumentation of spaces for every purpose
from environmental monitoring to interactive control of heart rhythms will mean that digital
evidence will be even more difficult to collect and analyze, and harder to present in ways that
the trier of fact can understand and use.

Computerized control systems manage banks, factories, retail inventories, air traffic control,
hospitals, schools, corporations, and government organizations. Computers and their software
programs are embedded in our cars, boats, trains and planes, in tools, equipment, and
machinery, in telecommunications systems and public switched networks, even in our bodies.
Each of them is a potential source of digital evidence, the collection, storage, analysis, and
presentation of which is and will be constrained by evolving legal standards and constraints
that we fail to understand at our peril.

7.4. DIGITAL WIRETAPS


Interception of message traffic as a means of espionage and law enforcement is an excellent
way to gather information, but one that is very invasive of privacy. Consequently, wiretapping
as a means of gathering evidence has presented special concerns and special problems for the
legal system. Collection of electronic evidence by telephone wiretap has been carefully
controlled by the legal system through statutes such as the Wiretap Act (18 U.S.C. § 2510 et
seq.), the Pen Register and Trap and Trace statute (18 U.S.C. § 3121 et seq.) and numerous
court cases.

As computerized telecommunications systems have increasingly borne the communications of
governments, businesses and individuals, law enforcement and private litigants alike have
turned to seeking digital evidence online, sometimes with interceptions that are analogous to
telephone wiretaps. So it has become important to know what a "digital wiretap" is.

Wiretapping is the surreptitious electronic monitoring of telephone, telegraph, cellular, fax or
Internet-based communications.

Wiretapping is achieved either by placing a monitoring device, informally known as a bug, on
the wire in question, or through interception mechanisms built into the communication
technology itself (for example the lawful-intercept interfaces of telephone switches).
Enforcement officials may use either for live monitoring or for recording. Packet sniffers
(programs that capture data being transmitted on a network) are a commonly used modern
wiretapping tool; they see only the traffic that actually reaches the capture point, and see its
content in the clear only where it is not encrypted. A variety of other tools, such as wiretap
Trojans installed on the endpoint itself, are used for different applications.
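What a packet sniffer actually recovers is the decoded content of each frame. Live capture needs raw-socket privileges and real traffic, so this added example (not from the paper or from any capture tool) builds one Ethernet/IPv4/TCP frame in memory with struct.pack, the way it would arrive from a capture, and then decodes it layer by layer the way a sniffer does, verifying the IPv4 header checksum before trusting the addresses. The MAC addresses, IP addresses, ports and HTTP request are constructed sample data, and the TCP checksum is left at zero for brevity.

```python
"""Decoding a captured Ethernet/IPv4/TCP frame the way a packet sniffer does.

Added example, not from the paper or from any capture tool. Live capture
needs raw-socket privileges and real traffic, so the frame is constructed
in memory; decode_frame() is the per-frame work a sniffer performs on
whatever the capture point delivers.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a header whose checksum field is
    zero it yields the checksum; over a valid header including its checksum
    it yields 0, which is how receivers (and sniffers) validate it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed sample frame: Ethernet II + IPv4 (no options) + TCP
    (no options, PSH|ACK). The TCP checksum is left at zero for brevity."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                      5 << 4, 0x18, 65535, 0, 0) + payload
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                             0x4000, 64, PROTO_TCP, 0,
                             socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp


def decode_frame(frame: bytes) -> dict:
    """Parse the frame layer by layer; raise ValueError on anything that is
    not a well-formed IPv4/TCP frame rather than report garbage."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or len(ip) < total_len or total_len < ihl + 20:
        raise ValueError("truncated IPv4 packet")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != PROTO_TCP:
        raise ValueError("not TCP: protocol %d" % ip[9])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "flags": tcp[13],
        "payload": tcp[data_off:],
    }


if __name__ == "__main__":
    # Constructed sample: an HTTP request from a workstation to a web server.
    frame = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                        "10.0.0.5", "192.0.2.10", 40000, 80,
                        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    pkt = decode_frame(frame)
    print("%s:%d -> %s:%d" % (pkt["src_ip"], pkt["sport"], pkt["dst_ip"], pkt["dport"]))
    print(pkt["payload"].decode())
```

The payload is readable here only because the constructed request is plain HTTP; the same capture of a TLS session would yield the addressing 5-tuple and sizes but an opaque payload, which is the practical limit of a network-level wiretap and the reason endpoint tools such as wiretap Trojans are used instead.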

To obtain a court order for a wiretap, the police or law enforcement officer must show the
probable cause required for a search warrant. In addition, under the necessity requirement of the
Wiretap Act (18 U.S.C. § 2518(1)(c)), the application must show that normal investigative
procedures have been tried and failed, reasonably appear unlikely to succeed if tried, or are too
dangerous.

9. Conclusion
As discussed above, digital forensics plays a significant role in the criminal justice system as
we continue to incorporate a range of technologies into our everyday lives. Evidence of almost
all types of crime is increasingly found in digital devices that either the perpetrator or the
victim used. Because this potential evidence did not exist in the past, investigators of
conventional crimes increasingly need to consider any digital evidence that may be available.

In addition, security professionals routinely use the same tools to analyze network intrusions,
not to convict the attacker but to understand how the perpetrator gained access and to close the
hole. Data recovery firms rely on similar tools to recover files from drives that have been
inadvertently reformatted or damaged.

In the future, digital forensics will play an increasingly significant role in the criminal justice
system as we continue to incorporate a range of technologies into our everyday lives. As the
digital forensic discipline continues to mature, those in the criminal justice system will more
readily understand and accept the contribution it can make to the discovery and production of
evidence.

10. What the Future Holds

There is no doubt that developments in technology will continue at a rapid pace, and that the
range and complexity of technologies digital forensic investigators must understand and work
with will continue to increase.

In the future, we will see the digital forensic discipline becoming more established and gaining
credibility while we also see its use increasing in all types of investigations. As a part of the
increasing maturity of the discipline, we should also see improved acceptance of digital
evidence in courts and tribunals.

This will, in part, result from the courts’ greater exposure to this type of evidence, but it will
also be a result of developments such as a professional framework for digital forensic
investigators and improved and agreed upon methods for presenting evidence. The problems
facing the digital forensic investigator will continue to challenge organizations, however. These
problems are the result of increasing workloads due to the increased number of devices that
may be of relevance and their increased storage capacity.

In addition, the issue of one’s right to privacy will continue to challenge digital forensic
investigators as well. When this consideration is added to the problems facing investigators
regarding understanding and putting into context the increasingly vast volumes of information
they face on a standard computer, those challenges are likely to continue. It is unfortunate (or
in some cases, very fortunate) that computer users rarely delete data.

The relationship between digital forensic investigators and criminal justice agencies will
continue to develop so that the understanding between the two groups can continue to improve.
As this happens, the criminal justice community will become more knowledgeable regarding
evidentiary requirements, which means digital forensic investigators will be better briefed on
the evidence that is required, ultimately reducing the amount of data that has to be analyzed.

References

• Peterson, J., Sommers, I., Baskin, D. and Johnson, D., The Role and Impact of Forensic
Evidence in the Criminal Justice Process, 2010.
• Cummins Flory, T. A., Digital Forensics in Law Enforcement: A Needs Based Analysis of
Indiana Agencies, Purdue University, 2016.
• Standard Operating Procedure of Digital Evidence Collection, Digital Forensics Department,
CyberSecurity Malaysia.
• ISO/IEC 27037:2012, Guidelines for identification, collection, acquisition and preservation
of digital evidence, International Organization for Standardization.
• Forensic Examination of Digital Evidence: A Guide for Law Enforcement, National
Institute of Justice, April 2004, https://www.ncjrs.gov/pdffiles1/nij/199408.pdf, viewed
24 June 2013.
• SWGDE Best Practices for Computer Forensics, Version 2.1, Scientific Working Group on
Digital Evidence,
https://www.swgde.org/documents/Current%20Documents/2006-07-19%20SWGDE%20Best%20Practices%20for%20Computer%20Forensics%20v2.1,
viewed 23 June 2013.
• Supplemental Requirements for the Accreditation of Forensic Science Testing
Laboratories, 2011 edition, ASCLD/LAB-International, 2010.
• ISO/IEC 17025:2005, General Requirements for the Competence of Testing and
Calibration Laboratories, 1st revision, International Organization for Standardization, 2005.
• 2019 Official Annual Cybercrime Report, Cybersecurity Ventures, 2019.
• Ryan, D. J. and Shpantzer, G., Legal Aspects of Digital Forensics.
• Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993), at 590.
• McMahon, 2001.
• Digital Forensics: Digital Evidence in Criminal Investigations.
• Gladney, H., Long-Term Preservation of Digital Records: Trustworthy Digital Objects, 2009.
• Price, R., The Admissibility of Wiretap Evidence in the Federal Courts.
• Agarwal, A., Systematic Digital Forensic Investigation Model.
• Daniel, L. E. and Daniel, L. E., Digital Forensics for Legal Professionals: Understanding
Digital Evidence from the Warrant to the Courtroom.
• National Institute of Standards and Technology, Information Technology Laboratory,
Computer Forensics Tool Testing Program, http://www.cftt.nist.gov
• Legal Information Institute, Cornell Law School, Federal Rules of Evidence (LII 2010 ed.),
http://www.law.cornell.edu/rules/fre/rules.htm
• Best Practices in Digital Evidence Collection, SANS Digital Forensics blog,
https://digital-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/
• https://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2008/index.htm/standards/2008_04_standards01.htm
• https://www.weforum.org/agenda/2019/03/here-are-the-biggest-cybercrime-trends-of-2019/
• https://whatis.techtarget.com/definition/wiretapping
• https://www.factmonster.com/us/laws-and-rights/all-about-court
• https://commons.erau.edu/jdfsl/vol11/iss1/4/
• https://careersincybersecurity.com/digital-forensics-cyber-security/