Thursday, April 7, 2011

Common Mistakes Made During a Computer Forensic

Case Study

A company suspects data on a computer and believes that it will be important to their case. The organization's lawyers subsequently ask the IT technician to print, download, and/or save the data to portable media. The technician goes to the site, turns on the computer, opens the files, prints the data, and saves the data on a CD.

From a forensic investigator's perspective, discuss the mistakes made in the above scenario.

Introduction

Computers have become an indispensable communications tool for many people and businesses. Several different applications are used to generate and store important documents. These documents contain data that is vital to the user and, in the event that a crime is committed using that computer, to an investigator. Investigators try to reconstruct the evidence so that it can be presented in a court of law, but the investigation has to be done carefully and must follow the established forensic investigation steps so that the evidence can be used in court. In this case, many mistakes were made during the investigation.

The Mistakes That Happened

1. Mistake One

The organization's lawyers ask the IT technician, who can be classified as internal IT staff, to conduct a computer forensics investigation

• In this situation there is information and data but no evidence, because the IT staff member is internal, is not certified in computer forensics, and is not trained in evidence procedures. The chain of custody has to be maintained, and other accepted evidence techniques followed, for the evidence to be usable in court.

• Next, evidence must not be collected by printing and saving the files, because doing so irrevocably changes the metadata.

• The investigator also has to know that the act of turning on the computer changes the caches, the temporary files, and the slack file space, which, along with the alteration of metadata, seriously damages and can destroy the evidence on the computer. However, the damage may be rescued by a computer forensics vendor. In this case the good solution is to use a certified external vendor for computer evidence collection.

2. Mistake Two

Not being prepared to preserve electronic evidence

• First, a company has to be prepared to preserve electronic evidence at a moment’s notice. The emerging case law standard is that the duty to preserve electronic evidence begins when the future litigants have a reasonable belief that there may be future litigation. Yet the majority of corporations do not have a plan in place to respond to a preservation order. The failure to preserve electronic evidence can be exceedingly costly to a client and, by extension, their external counsel.

• Next, external counsel typically does not have the forensics capabilities necessary to preserve electronic evidence. Nevertheless, a qualified computer forensics team working with the external counsel and the client's IT and legal team can help prepare a client to respond to a preservation order. Consequently, even when there is just a “reasonable belief” that there may be litigation, it is a good rule of thumb to consult with your qualified computer forensics vendor on proactive electronic evidence preservation.

3. Mistake Three

Waiting until the last minute to perform a computer forensics exam

• Firstly to perform a complete computer forensics examination in every matter. The nature of forensic collection provides an elegant solution to this quandary. Forensic collection is based on the principle of imaging, which creates an exact bit-by-bit copy from electronic media that is protected from further alteration. Thus, collecting evidence from a system preserves a snapshot of that system at that particular moment in time, which can be examined later.

• Compared to forensic examination, the collection process is relatively simple and inexpensive. Typically, forensic examination costs three to four times more than forensic acquisition.

• A complex forensic examination can be as much as or greater than nine to ten times more expensive than forensic collection.

• A good rule of thumb is that if there is even a slight chance that evidence will be needed, a Quick Analysis or imaging should be completed immediately.
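The contrast between the technician's saved copy (Mistake One) and the imaging described under Mistake Three, as an added example that is not part of the original post. It uses a constructed file in place of a disk device, and the names `acquire`, `verify` and the custody record fields are hypothetical; a real acquisition reads the device through a write blocker.

```python
import hashlib, os, shutil, tempfile, time

CHUNK = 1 << 20  # read in 1 MiB blocks so large media never sits in memory

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, examiner):
    """Bit-for-bit copy of source into image, hashed in the same pass."""
    h = hashlib.sha256()
    # "xb" refuses to overwrite an existing image file
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    os.chmod(image, 0o444)  # mark the image read-only
    return {  # custody record: who, what, when, and the reference hash
        "examiner": examiner, "source": source, "image": image,
        "sha256": h.hexdigest(),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }

def verify(record):
    """True only if the image still matches the hash taken at acquisition."""
    return sha256_of(record["image"]) == record["sha256"]

def demo():
    work = tempfile.mkdtemp()
    original = os.path.join(work, "contract.doc")  # constructed sample file
    with open(original, "wb") as f:
        f.write(b"constructed sample document\n" * 100)
    old = 1295082000  # constructed last-modified time, January 2011 (epoch seconds)
    os.utime(original, (old, old))

    casual = os.path.join(work, "copy_for_cd.doc")
    shutil.copy(original, casual)  # the technician's "save a copy"
    timestamps_lost = int(os.stat(casual).st_mtime) != old

    record = acquire(original, os.path.join(work, "evidence.img"), "examiner-01")
    return timestamps_lost, record

if __name__ == "__main__":
    lost, rec = demo()
    print("casual copy lost original timestamp:", lost)
    print("custody record:", rec, "verified:", verify(rec))
```

The casual copy carries today's modification time rather than the original's, while the image can be re-verified against the recorded hash at every later hand-off.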

4. Mistake Four

Not selecting a qualified computer forensics team

• The first thing to consider is that computer forensics is more than just using programs to collect and analyze evidence. Operators may be certified in the use of a single program only, and are not certified computer forensic investigators. EnCase is a forensic product for the Windows operating system and is an essential and accepted tool for that environment.

• A qualified computer forensics vendor must have the capability to work across platforms and with older legacy systems. This expertise should also enable them to act as expert witnesses on your or your client's behalf.

• The second thing to consider is that your computer forensics expert needs to be a trusted advisor. They must be able to understand the cost trade-offs associated with late-versus-early or narrow-versus-broad forensic collection and analysis. This extends to the ability to provide trusted and accurate advice to a client when they receive a preservation order for electronic evidence.

• Here are 6 questions to consider when choosing a computer forensics firm:

▪ Do they follow accepted protocols and procedures?

▪ Can they handle the nuances of different systems and hardware?

▪ Do they know how to balance the cost of early-versus-late and broad-versus-narrow forensics collection and analysis?

▪ Can they advise you and/or your client on discovery and preservation strategies?

▪ Have they served as expert witnesses?

▪ Who are their references?

▪ How many years have they been in business?

▪ How quickly can they react?

▪ How large a service area can they cover for your clients/branches?

▪ Do they comply with DOJ practices in their own labs?

5. Mistake Five

Too narrowly limiting the scope of computer forensics

• It can often be very difficult to know which systems have evidence and which do not. Did the principals use their home computers? Did they use the file servers? Which e-mail servers were involved? Is there data stored off site or on portable media? One of the most common mistakes, both in investigations and discovery, is too narrowly limiting the scope of computer forensics. There are two principal reasons this occurs.

▪ First, it is an attempt to limit costs by restricting computer forensics. Second, it occurs because the individuals involved do not fully understand computer systems or forensics, and they do not know where to look for evidence.

Conclusion

Computer forensics tools to trace activities are necessary from a law enforcement perspective; however, any data gathered in an investigation must not violate the privacy rights of individuals. More importantly, the investigation must follow proper procedures to make sure the evidence is valid in court. The five mistakes in this case study should be avoided, given the importance of computer forensics and its goal of presenting evidence that is acceptable in a court.

Source: http://www.newyorkcomputerforensics.com/learn/common_mistakes.php
