Maintaining The Digital Chain of Custody By John Patzakis [email protected] Employing proper computer forensic processes is the foundation of computer investigations. Even the for incident response and computer data preservation can mistakenly allow the mishandling of potentially key computer evidence. Once compromised, either during the collection or analysis process, the evidentiary integrity of the data is lost. Computer investigators must follow four basic steps in order to correctly maintain a digital chain of custody. These include:
Physically control the scene, or if conducting a remote network investigation, log all access and connectivity through an integrated and secure reporting function
Create a binary, forensic duplication of original data in a non-invasive manner Create a digital fingerprint (hash) that continually verifies data authenticity Log all investigation details in a thorough report generated by an integrated
computer forensics software application The Problem of Improper Computer Evidence Handling Maintaining the integrity of computer evidence during an internal investigation or incident response is important, especially when computer evidence may be presented in court. This is true whether human resource personnel suspect that an employees violation of company policies may warrant termination, if IT staff are responding to a network intrusion, or outside consultants suspect criminal activity that may need to be reported to authorities. However, the ability to maintain and precisely document digital contents, including its exact location on the subject media should stand as the cornerstone of any computer investigation. By not taking steps to preserve the digital chain of custody, a company is leading itself into an investigation that is compromised from the beginning. Such a lax investigation also can make it difficult to later map out the exact location of electronic evidence on a drive, or to prove who manipulated or created data, as it is no longer clear if it was the suspect or the investigator who was the last to access it. In fact, this is the reason that worldwide agencies regulating financial institutions have mandated incident response plans. Recent policies, standards, and court decisions strongly establish a compelling obligation for all types of businesses to preserve electronic data that may be relevant to a legal matter, audit, etc. On the U.S. legislative front, the Sarbanes-Oxley Act, which passed in response to the Enron/Arthur Anderson debacle, imposes severe penalties for the destruction of records, including electronic data. The act expressly prohibits the destroying records in contemplation of an investigation or proceeding. Securities Exchange Commission rules require retention for six years of all business-related email and Internet communications sent and received by brokers, dealers and exchange members. Additionally, the data must be preserved and maintained in a manner that verifies its authenticity.1 The Process of Computer Forensics Duplication of Original Data Electronic evidence is fragile by nature and can easily be altered or erased without proper handing. Merely booting a subject computer to a Windows environment
will alter critical date stamps, erase data contained in temporary files and create new files. Specialized computer forensic software employs boot processes or utilizes hardware write-blocking devices that ensure the data on the subject computer is not altered in any way. After initiating these measures, the examiner uses the forensic software to create a complete mirror image copy or exact snapshot of the target hard drive and all other external media, such as floppy or zip disks that are subject to the investigation. This evidentiary image must be a complete, but non-invasive sector-by- sector copy of all data contained on the target media in order to recover all active, deleted and otherwise unallocated data, including often critical file slack, clipboards, printer spooler information, swap files and data contained or even hidden in bad sectors or clusters. This process allows the examiner to freeze time by having a complete snapshot of the subject drive at the time of acquisition. This snapshot can also be stored and kept for reference or future use. Verifying Data Authenticity Gathering computer evidence by employing proper forensic tools and techniques is the best means to establish the integrity of the recovered data. Computer forensic examiners rely on software that utilizes a standard algorithm to generate a hash value, which calculates a unique numerical value based upon the exact contents contained in the evidentiary mirror image copy. If one bit of data on the acquired evidentiary bit- stream image changes, even by adding a single space of text or changing the case of a single character, this value changes. The standard hashing process is the MD5, which is based on a publicly available algorithm developed by RSA Security. The MD5 (Message Digest number 5) value for a file is a 128-bit value similar to a checksum. The MD5 hash function allows the examiner to effectively and confidently stand by the integrity of the data in court. Using digital signatures such as checksums and the MD5 hash concurrent to the acquisition of data, allows the examiner to effectively establish a digital chain of custody. This is because an integrated verification process, which is another important feature of computer forensic software, establishes that the examiner did not corrupt or tamper with the subject evidence at any time in the course of the investigation. This is a particularly important step, as courts will only accept duplicated computer data if the data is demonstrated to be an accurate copy of the original computer data. In one recent appellate decision, the court specifically upheld the admission of key computer evidence in court on finding that proper computer forensic software was employed.2 After the mirror image copy is created, authenticated and verified, computer forensic software will mount the mirror image as a read-only drive, thus allowing the examiner to conduct the examination on the mirror image of the target drive without ever altering the contents of the original. This process is essentially the only practical means to search and analyze computer files without altering date stamps or other information. Often times, a file date stamp is a critical piece of evidence in litigation matters. An IT administrator should approach every computer investigation, systems audit or incident response with the assumption that the mirror images of the targeted computers will ultimately either be turned over to company lawyers or law enforcement for civil litigation or criminal prosecution purposes. The creation of a mirror image that is verified and authenticated pursuant to proper computer forensic protocol is essential to ensure a smooth transition from the response stage of the investigation to the enforcement or litigation process. Maintaining a proper digital chain of custody also can turn out to be just as significant even months after the employee has left the organization. Routine image
back-ups are becoming more common, as they help protect individuals and companies from liability and claims of evidence spoliation (did you mean tampering? Spoliation is robbing or plundering). Because imaging is now non-invasive and non-disruptive to the work environment, many companies simply image drives whenever an employee is terminated or leaves voluntarily. This standard imaging also serves as a critical tool to fully investigate cases involving intellectual property theft a claim that is often difficult to investigate once a terminated employees computer is recycled and put back into use. Often times an employer will not learn of possible trouble until long after an employee has left. Since employees engaged in illegal activities or internal misconduct typically delete files to cover their tracks, traditional back up techniques are of little help because they lack the ability to retrieve data and do not adhere to even basic forensic standards. Report of investigation details and findings
In any type of computer forensic investigation, it is the chain of custody that is used to not only verify but also illustrate the existence and use of data. Investigations and searches on a piece of computer media can find endless amounts of evidence, but it is the chain of custody that maps its placement within the media and its use in relation to criminal or unauthorized actions. For this reason, a report is critical to prove and maintain a chain of custody. Forensic software now can clearly depict where every file on a piece of media is located, while also listing its many properties, including creation date, date last accessed, and date deleted. In fact, without a thorough report, despite the use of proper forensics techniques, it is extremely difficult to illustrate the exact location of evidence. Frequently admitted as key evidence in trials, these hard copy reports are the print out of the electronic crime scene, indicating even at what specific second a file was deleted or manipulated in some way.
Despite the investigators level of , following these four basic steps helps ensure that electronic evidence is not altered or manipulated in any way: Require physical control, data duplication, authenticity verification and reporting. Conclusion There are six reasons to employ proper forensics protocols when collecting computer evidence:
Enables simpler referral of computer crimes to law enforcement Allows corporations to defend their interests in civil litigation Eliminates evidence spoliation (destruction) claims Limits corporate liability Better controls corporate assets and infrastructure Helps comply with worldwide privacy, data, and information integrity standards
and regulations John Patzakis is President of Guidance Software. Recognized as a leading authority on the admissibility and authentication of computer evidence, he is the author of the EnCase Legal Journal, a publication that focuses on legal issues relating to computer forensics and electronic evidence. 1 17 C.F.R. 240.17a-4(f)(1). 2 State v. Cook, 777 N.E.2d 882, 2002 WL 31045293 (Ohio App. 2 Dist.)
Are you busy and do not have time to handle your assignment? Are you scared that your paper will not make the grade? Do you have responsibilities that may hinder you from turning in your assignment on time? Are you tired and can barely handle your assignment? Are your grades inconsistent?
Whichever your reason is, it is valid! You can get professional academic help from our service at affordable rates. We have a team of professional academic writers who can handle all your assignments.
Students barely have time to read. We got you! Have your literature essay or book review written without having the hassle of reading the book. You can get your literature paper custom-written for you by our literature specialists.
Do you struggle with finance? No need to torture yourself if finance is not your cup of tea. You can order your finance paper from our academic writing service and get 100% original work from competent finance experts.
While psychology may be an interesting subject, you may lack sufficient time to handle your assignments. Don’t despair; by using our academic writing service, you can be assured of perfect grades. Moreover, your grades will be consistent.
Engineering is quite a demanding subject. Students face a lot of pressure and barely have enough time to do what they love to do. Our academic writing service got you covered! Our engineering specialists follow the paper instructions and ensure timely delivery of the paper.
In the nursing course, you may have difficulties with literature reviews, annotated bibliographies, critical essays, and other assignments. Our nursing assignment writers will offer you professional nursing paper help at low prices.
Truth be told, sociology papers can be quite exhausting. Our academic writing service relieves you of fatigue, pressure, and stress. You can relax and have peace of mind as our academic writers handle your sociology assignment.
We take pride in having some of the best business writers in the industry. Our business writers have a lot of experience in the field. They are reliable, and you can be assured of a high-grade paper. They are able to handle business papers of any subject, length, deadline, and difficulty!
We boast of having some of the most experienced statistics experts in the industry. Our statistics experts have diverse skills, expertise, and knowledge to handle any kind of assignment. They have access to all kinds of software to get your assignment done.
Writing a law essay may prove to be an insurmountable obstacle, especially when you need to know the peculiarities of the legislative framework. Take advantage of our top-notch law specialists and get superb grades and 100% satisfaction.
We have highlighted some of the most popular subjects we handle above. Those are just a tip of the iceberg. We deal in all academic disciplines since our writers are as diverse. They have been drawn from across all disciplines, and orders are assigned to those writers believed to be the best in the field. In a nutshell, there is no task we cannot handle; all you need to do is place your order with us. As long as your instructions are clear, just trust we shall deliver irrespective of the discipline.
Our essay writers are graduates with bachelor's, masters, Ph.D., and doctorate degrees in various subjects. The minimum requirement to be an essay writer with our essay writing service is to have a college degree. All our academic writers have a minimum of two years of academic writing. We have a stringent recruitment process to ensure that we get only the most competent essay writers in the industry. We also ensure that the writers are handsomely compensated for their value. The majority of our writers are native English speakers. As such, the fluency of language and grammar is impeccable.
There is a very low likelihood that you won’t like the paper.
Not at all. All papers are written from scratch. There is no way your tutor or instructor will realize that you did not write the paper yourself. In fact, we recommend using our assignment help services for consistent results.
We check all papers for plagiarism before we submit them. We use powerful plagiarism checking software such as SafeAssign, LopesWrite, and Turnitin. We also upload the plagiarism report so that you can review it. We understand that plagiarism is academic suicide. We would not take the risk of submitting plagiarized work and jeopardize your academic journey. Furthermore, we do not sell or use prewritten papers, and each paper is written from scratch.
You determine when you get the paper by setting the deadline when placing the order. All papers are delivered within the deadline. We are well aware that we operate in a time-sensitive industry. As such, we have laid out strategies to ensure that the client receives the paper on time and they never miss the deadline. We understand that papers that are submitted late have some points deducted. We do not want you to miss any points due to late submission. We work on beating deadlines by huge margins in order to ensure that you have ample time to review the paper before you submit it.
We have a privacy and confidentiality policy that guides our work. We NEVER share any customer information with third parties. Noone will ever know that you used our assignment help services. It’s only between you and us. We are bound by our policies to protect the customer’s identity and information. All your information, such as your names, phone number, email, order information, and so on, are protected. We have robust security systems that ensure that your data is protected. Hacking our systems is close to impossible, and it has never happened.
You fill all the paper instructions in the order form. Make sure you include all the helpful materials so that our academic writers can deliver the perfect paper. It will also help to eliminate unnecessary revisions.
Proceed to pay for the paper so that it can be assigned to one of our expert academic writers. The paper subject is matched with the writer’s area of specialization.
You communicate with the writer and know about the progress of the paper. The client can ask the writer for drafts of the paper. The client can upload extra material and include additional instructions from the lecturer. Receive a paper.
The paper is sent to your email and uploaded to your personal account. You also get a plagiarism report attached to your paper.
PLACE THIS ORDER OR A SIMILAR ORDER WITH US TODAY AND GET A PERFECT SCORE!!!
Essay Writing Service Features
Our ExperienceNo matter how complex your assignment is, we can find the right professional for your specific task. Nursing Area is an essay writing company that hires only the smartest minds to help you with your projects. Our expertise allows us to provide students with high-quality academic writing, editing & proofreading services.
Free revision policy$10
Free bibliography & reference$8
Free title page$8
How Our Essay Writing Service Works
First, you will need to complete an order form. It's not difficult but, in case there is anything you find not to be clear, you may always call us so that we can guide you through it. On the order form, you will need to include some basic information concerning your order: subject, topic, number of pages, etc. We also encourage our clients to upload any relevant information or sources that will help.Complete the order form
Once we have all the information and instructions that we need, we select the most suitable writer for your assignment. While everything seems to be clear, the writer, who has complete knowledge of the subject, may need clarification from you. It is at that point that you would receive a call or email from us.Writer’s assignment
As soon as the writer has finished, it will be delivered both to the website and to your email address so that you will not miss it. If your deadline is close at hand, we will place a call to you to make sure that you receive the paper on time.Completing the order and download