
Computer Forensic Procedure of Digital Evidence

A Backup Article Contributed by Sumedh Shanbhag

Confirming the Authenticity of Digital Evidence in Computer Forensics

Evidence derived during the process of computer forensics is subject to legal questioning. While some judges may accept the evidence without much questioning, others may require the evidence to be supported by documents or practical demonstrations. Again, there arises the question of the professionalism of the computer forensic analyst. Under such conditions, the computer forensic analyst must make sure that he is thoroughly equipped to deal with any of these obstacles during legal proceedings.

For genuine acceptability of digital evidence the computer forensic analyst must adhere to the following three rules:

a) Authenticity - producing a true copy of the original.

b) Best Evidence - producing the original itself.

c) Exceptions to Hearsay - confessions, official or business records.

3 Commandments of Efficient Computer Forensics

For any computer forensic analysis to be acceptable, the following commandments must be followed by the computer forensic analyst:

1) Documentation

2) Preservation

3) Authentication

* Documentation forms an integral part of computer forensics. Improper documentation may create mayhem in the proceedings due to the lack of proper references. Every step in the computer forensic analysis process must be supported by documentation. Every piece of evidence must be recorded. It is only then that a forensic scientist can successfully decipher the forensic evidence.

* Preservation of evidence is an imperative process in computer forensic analysis. Improper preservation may expose the evidence to errors in the form of mishandling, destruction or contamination. Apart from preserving the evidence against contamination, the analyst has to label the evidence as well, which in turn assists in documentation.

* Authentication is the production of the original evidence to the concerned authority. Poor authentication will make the analyst look like an amateur when the question of explaining the authenticity of the evidence arises. The federal courts have accepted that the data on computer were similar, unlike those on paper. The federal rules of evidence state that any data stored in a computer can be represented by a legible computer printout.

Skill-Sets of Computer Forensic Analysis

Computer forensic analysts have to follow certain procedures during collecting evidence. The following are the steps to be followed by the computer forensic analyst:

1) The computer forensic analyst must ascertain that proper shutdown procedures are followed during the seizure of computer equipment. The screen must be photographed before shutdown. Also, all the available evidence must be photographed and documented. Special care must be taken when handling volatile data.

2) The specimen computer must never be used to work upon. It is very easy to lose stored data if the specimen computer has been shut down incorrectly. Rather, a backup of the hard disk of the specimen computer must be maintained, and any analysis regarding the specimen computer must be performed on this backup. Once the backup is taken, it is necessary to validate that the data is an exact duplicate of the original. This can be done with the aid of programs such as CRCHECK (Cyclic Redundancy Checker) and CRC32.
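
The validation described in step 2, as an added example that is not part of the original article: it computes a CRC-32 over the original and the backup and, going beyond the article, a SHA-256 digest as well, because a CRC catches accidental copy errors but is not designed to resist deliberate alteration. The file names, the 512-byte block size and the sample data are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so a large disk image never sits in memory

def fingerprint(path):
    """Return (size, crc32_hex, sha256_hex) for a file, read in chunks."""
    crc, sha, size = 0, hashlib.sha256(), 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            crc = zlib.crc32(chunk, crc)   # running CRC-32, as the article suggests
            sha.update(chunk)              # added: cryptographic hash alongside it
            size += len(chunk)
    return size, f"{crc:08x}", sha.hexdigest()

def first_difference(original, copy, block=512):
    """Return the offset of the first differing 512-byte block, or None."""
    with open(original, "rb") as a, open(copy, "rb") as b:
        offset = 0
        while True:
            x, y = a.read(block), b.read(block)
            if x != y:
                return offset
            if not x:          # both files ended without a mismatch
                return None
            offset += block

def verify_copy(original, copy):
    """Compare fingerprints and return a record for the case documentation."""
    src, dst = fingerprint(original), fingerprint(copy)
    bad = None if src == dst else first_difference(original, copy)
    return {"original": src, "copy": dst, "match": src == dst, "first_bad_offset": bad}

def demo():
    """Constructed sample: a 4 KiB 'disk', an exact copy, and a copy with one flipped bit."""
    work = Path(tempfile.mkdtemp())
    data = bytes(range(256)) * 16
    damaged = bytearray(data)
    damaged[1500] ^= 0x01                  # one corrupted bit in the third sector
    for name, blob in (("orig", data), ("good", data), ("bad", bytes(damaged))):
        (work / name).write_bytes(blob)
    return verify_copy(work / "orig", work / "good"), verify_copy(work / "orig", work / "bad")

if __name__ == "__main__":
    for record in demo():
        print(record)
```

The returned record (sizes, both checksums and the offset of the first bad block) is the kind of detail that belongs in the documentation the article calls for.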
