Computer forensics is the application of investigative and analytic techniques to computing systems in order to produce evidence that can be used in prosecution. It involves investigating in a structured manner while recording the sequence of events in order to identify those responsible for a cyber crime. Over the years, computer forensics has developed into a specialized area of science with its own curriculum and documentation.
Compared to other forms of crime investigation, computer forensics is unique in that opening a computer file alters it: the computer records the time and date at which the file was opened. Lawyers could use the opening of files by investigators to contest a case, since there is no guarantee that the investigators did not tamper with them. Arguments have arisen over the validity of digital evidence in court cases because of the ease with which computer data can be altered, although many jurisdictions allow its use in trials (Vacca 2005).
As computers become more powerful and sophisticated, digital forensics must also change in order to keep pace with market trends. In this case involving the financial auditor, my work as an investigator will consist of setting out the steps that will guide the investigation and formulating the questions the auditor will be asked. Because the auditor has deep knowledge of both the financial and computer disciplines, the investigation will pay close attention to the techniques the suspect may have used. Based on the outcome of the investigation, a report will be compiled summarizing all aspects of it.
Steps in forensic investigation
The first step in computer forensics is the acquisition of a search warrant by the investigators. The warrant must be as detailed as possible, stating the investigators' area of interest; in most cases the judge expects investigators to be very explicit when seeking a search warrant.
The second step is securing the computer system to ensure that it is not tampered with. Investigators limit access to the computers and storage devices to prevent unwarranted entry (Vacca 2005), and any Internet connection must be disconnected. The next step is locating all files on the computer, including password-protected files and files that have been deleted or concealed but not yet overwritten. The detectives then produce a copy of the files on the system. Because accessing a file alters it, detectives should preserve the original and work only on the copies while carrying out the investigation.
The next step is recovering deleted information using software that discovers and restores deleted data. Hidden files are then recovered with programs dedicated to detecting the presence of hidden data, and password-protected files are decrypted. All parts of the computer, including inaccessible sections and unused space, are then thoroughly scrutinized, as they may hold files or leads related to the case. Every step of the investigation must be recorded to prove that the detectives did not alter information while carrying out their work. Because many trials are lengthy, documentation is paramount in order to protect against any damages. The documentation must be accompanied by a report detailing the structure of the system and the presence of hidden and encrypted files. The last step is testifying in a court of law as an expert in the field (Clarke 2010).
Some of the questions the auditor will be required to answer include:
- How many computers does she have apart from the one in the workplace?
- Apart from her, are there other people who can access her computer?
- Are there encrypted files on the computer?
- Has she deleted or hidden any data?
- How many storage devices does she use?
Given the suspect's expertise in both the financial and computer fields, the ways in which she could hide her misdeeds include using multiple storage devices such as thumb drives, CDs, DVDs and hard drives; deleting and then overwriting the data; and using anti-forensics.
Anti-forensics is the form of hiding cyber crime most used by professionals. It covers all techniques aimed at hindering or preventing the work of detectives. Some programs alter the header of a file so that it appears to be a file of a different type (Kruse & Heiser 2002). Others break files into smaller pieces and hide them at the end of other files, since most files contain unused space known as slack space. Hiding files within other files is another form of anti-forensics: executable files can be inserted into other files using programs called packers and tools referred to as binders.
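One way an examiner catches the header-alteration trick described above is file signature analysis: comparing the first bytes of a file (its magic number) with the type its extension claims. The script below is an added example, not from the page or its cited sources; the signature table is a small constructed subset of a real one and the sample files are constructed inline.

```python
import os
import tempfile
from typing import Optional

# extension -> magic-byte prefixes (small constructed subset of a real table)
SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
}

def identify(header: bytes) -> Optional[str]:
    """Return the extension implied by the leading bytes, or None if unknown."""
    for ext, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return ext
    return None

def check_file(path: str) -> dict:
    """Compare the extension the file claims with what its content says."""
    with open(path, "rb") as f:
        header = f.read(16)
    claimed = os.path.splitext(path)[1].lower()
    actual = identify(header)
    return {"path": path, "claimed": claimed, "actual": actual,
            "mismatch": actual is not None and actual != claimed}

def scan(paths) -> list:
    return [r for r in map(check_file, paths) if r["mismatch"]]

def build_samples(directory: str) -> list:
    """Constructed samples: an honest PNG, a ZIP renamed to .jpg, and plain text."""
    samples = {"photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
               "report.jpg": b"PK\x03\x04" + b"\x00" * 32,
               "notes.txt": b"plain text with no known signature"}
    paths = []
    for name, data in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    return paths

def demo() -> list:
    """Scan the constructed samples in a scratch directory; expect one hit."""
    with tempfile.TemporaryDirectory() as d:
        return scan(build_samples(d))
```

demo() returns only the renamed ZIP; a header rewritten to a valid signature of another type would pass this check, so examiners also parse the file body against the claimed format.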
Computer forensic tools
Disk imaging software enables the documentation of the structure and contents of a hard drive, allowing data to be transferred from drives while retaining its order and relationships. Software that decodes encrypted data and cracks passwords to open protected data is another forensic tool. Other programs retain the information in the computer's random access memory when the computer is switched off, facilitating its recovery (Kruse & Heiser 2002).
Recovery programs are used to recover deleted information, but only information that has not been overwritten. Hashing tools enable detectives to differentiate between original and fake hard disks by giving each disk a unique number.
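The working-copy rule from the investigation steps (preserve the original, work only on copies, record every step) and the hashing tools just mentioned come together in the following added example, which is not from the page or its cited sources: it hashes an original evidence file, verifies that the copy is bit-for-bit identical, and re-hashes the original after analysis to show it was untouched. The evidence file and the examiner's "analysis" are constructed stand-ins.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path: str) -> str:
    """Hash in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class CustodyLog:
    """Append-only record of every hash taken, with a UTC timestamp."""
    def __init__(self):
        self.entries = []

    def record(self, action: str, path: str, digest: str):
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "action": action, "path": path, "sha256": digest})

def acquire_and_verify(original: str, workdir: str, log: CustodyLog, analysis) -> bool:
    """Hash the original, copy it, verify the copy, analyse the copy only,
    then re-hash the original. True only if the original is unchanged."""
    baseline = sha256_file(original)
    log.record("hash original before acquisition", original, baseline)
    working = os.path.join(workdir, "working_copy.img")
    shutil.copyfile(original, working)
    copy_hash = sha256_file(working)
    log.record("hash working copy", working, copy_hash)
    if copy_hash != baseline:      # copy is not bit-for-bit identical: stop
        return False
    analysis(working)              # all examination happens on the copy
    final = sha256_file(original)
    log.record("re-hash original after analysis", original, final)
    return final == baseline

def demo(tamper: bool = False) -> bool:
    """Constructed evidence file. With tamper=True the 'examiner' writes to the
    original instead of the copy, so the final integrity check must fail."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.img")
        with open(original, "wb") as f:
            f.write(b"CONSTRUCTED-EVIDENCE-" * 1000)
        def analysis(working_copy: str):
            with open(original if tamper else working_copy, "r+b") as f:
                f.write(b"X")      # any write at all, e.g. a tool updating metadata
        return acquire_and_verify(original, d, CustodyLog(), analysis)
```

demo() returns True for the clean run and False for the tampered one; the CustodyLog entries are the timestamps and hashes that go into the report.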
Components of a forensic report
Sufficient evidence will lead to a report that includes the steps taken in conducting the investigation from the time the warrant was secured, the methods used by the suspect in carrying out the crime, and lastly the tools employed by the investigators to obtain the evidence.