End of chapter Review Questions
Explain the process used to preserve the verifiable integrity of digital evidence. How does this ensure that data are preserved unmodified? How can an analyst show that the original evidence is unmodified?
Digital information takes two forms. It can be static, that is, stored on physical media such as hard drives, CDs and other storage devices. It can also be dynamic, meaning the information is moving over a medium such as the internet. For example, if a file has been shared in WhatsApp groups among active members, it travels from one network or device to another. In both cases, it is important to preserve its integrity if it is part of an investigation. In an age where a lot of information is kept in cloud storage, preserving the integrity of information for investigation purposes has become more challenging and requires the active participation of the companies that provide these cloud storage facilities (Birk & Wegener, 2011).
To preserve the integrity of information, the first thing we need is an effective chain of custody. An effective chain of custody ensures that information is handled properly during its collection and analysis phases. The personnel who collect digital evidence must keep proper documentation that describes the state of the information at each stage at which it is handled. Byte-by-byte copies of the information are also used. These make it possible to recover the whole of the information if some or all of it is lost or tampered with.
Investigators can also use specialized software to preserve the integrity of information. This type of software is developed to manage digital forensic information and is operated by experts. This software would keep track of how the information was acquired and how it has been examined to get information for legal proceedings.
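An added example, not part of the original answer: one way an analyst can show that a byte-by-byte copy is unmodified and document each handling step. It assumes SHA-256 digests as the comparison mechanism (the answer above does not name one); the file names, examiner labels and log fields are hypothetical.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20  # read in 1 MiB blocks so large images need not fit in memory

def sha256_file(path):
    """Return the SHA-256 hex digest of a file's full contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record(log, action, examiner, path, digest):
    """Append one chain-of-custody entry (field names are hypothetical)."""
    log.append({"time": datetime.now(timezone.utc).isoformat(), "action": action,
                "examiner": examiner, "item": os.path.basename(path), "sha256": digest})

def acquire(source, image, log, examiner):
    """Copy source to image byte by byte; hash the source before and after."""
    before = sha256_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    digest = sha256_file(image)
    if not (before == sha256_file(source) == digest):
        raise RuntimeError("source changed during acquisition or copy is incomplete")
    record(log, "acquired", examiner, image, digest)
    return digest

def verify(image, log, examiner):
    """Re-hash the working copy and compare it with the acquisition entry."""
    baseline = next(e["sha256"] for e in log if e["action"] == "acquired")
    current = sha256_file(image)
    record(log, "verified" if current == baseline else "MISMATCH", examiner, image, current)
    return current == baseline

def demo():
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.img")
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence\x00" * 4096)  # not real evidence
        log = []
        acquire(src, img, log, "examiner-A")
        intact = verify(img, log, "examiner-B")
        with open(img, "r+b") as f:  # simulate modification of the working copy
            f.seek(100)
            f.write(b"\xff")
        tampered = verify(img, log, "examiner-B")
        return intact, tampered, [e["action"] for e in log]
```

Each log entry ties a digest to a time, an examiner and an action, so a later mismatch can be placed between two documented handling steps.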
Trace and explain how the hardware of a computer organizes and stores information for later retrieval from an active file being processed in the processor chip to a mass storage device (hard disk or removable storage). What is the trend in terms of speed in this progression of components? What is the trend in terms of the size and capacity in this progression of components?
There are many ways in which a computer organizes and stores information for later retrieval. The following is an explanation of some of the ways in which information is stored.
Nonvolatile storage is also known as nonvolatile random access memory (NVRAM). It is a form of memory whose contents are not lost when a computer is shut down or loses external power. The information stays retrievable even after the power outage.
Volatile storage is also known as volatile random access memory. It is a form of memory whose contents are lost if the computer is shut down or if power is lost. This type of memory is used to store information needed to run the active operations of a computer. For example, if you start to use MS Word, it is stored in volatile storage. Even if you close the MS Word program, some part of it remains active in volatile memory, and if you open it again, it opens quickly. But if you shut down the computer or the power goes off, it is wiped from volatile memory.
Removable storage media
Removable storage is a type of memory that you can disconnect from one computer and connect to another. A memory stick is an example of such memory, used to transfer information from one computer to another.
Hard disk drives
Hard drives are fixed inside the computer and store huge amounts of information. They hold system information and operating systems, and they are responsible for storing most of the information that is on a computer.
The current trends in storage are mostly concerned with the speed at which information is transferred and stored. The precision of information and the ability of storage devices to hold huge amounts of information are also in demand in a technologically advanced world.
Describe in broad terms how the software of a computer organizes information for storage and later retrieval. Does this process yield any potential locations for latent digital evidence? Is latent evidence always intact? Why or why not?
Information is stored on a storage device with the help of the internal software mechanism that is part of the operating system. Processor registers and the processor cache perform a fundamental role in storing and retrieving information from storage devices. The storage device is virtually divided into sectors, each sector having its unique identifier. Data is stored and indexed with the help of these identifiers. This indexing helps in the retrieval of the stored data when needed.
“Digital evidence is defined as information and data of value to an investigation that is stored on, received or transmitted by an electronic device” (Casey, 2011). The mechanisms of data storage can always be tampered with to provide an opportunity for latent information storage. This latent information may not always be intact, as it could be divided into segments, with each segment stored at a distance from the others on a storage device.
What advantages are offered by commercial forensic packages? Are there any disadvantages to using them? If so, what are they?
Commercial forensic packages offer many advantages. They come with dedicated technical support that is accepted in a court of law. Another advantage is that departments that deal with forensic evidence may not be efficient in handling such evidence, owing to a lack of expertise and resources. In such a case, commercial forensic software can come in handy.
One disadvantage of commercial forensic packages is that they may have high initial costs, as they are specialized software packages. There could also be security concerns because they are provided by third-party developers.
Birk, D., & Wegener, C. (2011). Technical issues of forensic investigations in cloud computing environments. In Systematic Approaches to Digital Forensic Engineering (SADFE), 2011 IEEE Sixth International Workshop on (pp. 1-10). IEEE.
Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic Press.