There are four evidence lifecycle phases for investigating the employee's computer: preparation, evidence collection, preservation, examination and analysis, and presentation.

Firstly, preparation. In court the investigator needs to declare how the seized evidence was handled, so the seizure must be filed with the authorities and the evidence that must be collected identified (Subramaniam, n.d.). At the scene, the investigator should interpret the description of the media that is likely to be found, and a brief preliminary examination can be conducted with the suitable party. More deliberately, the preparation phase may include establishing responsibilities and boundaries, and advising the client on the impact and implications that the investigation's conclusion may carry (Subramaniam, n.d.).

The second phase is evidence collection. The devices in the setting should be documented and an investigator's journal kept; the number and date of each item of evidence are recorded through label management. The user of the system should be interviewed to obtain the computer's IP address and to secure cooperation with the investigation. The investigator should also identify which hardware and software will be used for the evidence breakdown where applicable, so that the work is forensically sound and effective; the evidence must be acquired in a write-protected manner. The investigator needs to identify the software used to control the disk acquisition and imaging process. An image of the suspect's disk can be prepared by that software, particularly when the suspect's disk is duplicated (Subramaniam, n.d.).

Preservation: the forensic method applied to the original data has to be completely non-invasive. At the same time, files are duplicated so that no files or information are overlooked. By working on the duplicated copies, the visible files can be examined as well as the difference from free space, which may contain hidden data: hidden partitions containing hidden data, slack space, registry information, unallocated space, temporary files, hidden files, history files and so on (Subramaniam, n.d.).

Examination and analysis: at this stage the outcome of the case (closing, prosecution, settlement or conviction) depends on the result. During this process due care must be taken to avoid any contact with the original evidence (Subramaniam, n.d.).

Lastly, presentation: the findings must be presented in a systematic manner, which may include screen captures, original files and so on, together with clear evidence information and the techniques used (Subramaniam, n.d.).
Admissibility of evidence comes in four basic forms: demonstrative evidence, documentary evidence, real evidence and testimonial evidence.

First, demonstrative evidence: if it is sufficiently accurate for the task at hand, correctly and adequately illustrates the testimony, and is otherwise unobjectionable, it will be admissible. Examples of demonstrative evidence are a diagram and a description of the scene of an occurrence. Because its purpose is to clarify testimony, the witness whose testimony is being illustrated authenticates the demonstrative evidence (Findlaw, n.d.).

Another form is documentary evidence: a document must be shown to be genuine, in the same way as any other real evidence. Moreover, the rule of evidence that most often applies where a writing is offered in evidence is that a copy or other secondary evidence of its content will not be received unless an explanation is offered for the unavailability of the original (Findlaw, n.d.).

Furthermore, real evidence: an action based on real evidence seeks to convince the court of the terms and of the defendant's conduct. Even if it is written in a stumbling way, it may still be relevant to present. For real evidence to be admissible, it must be relevant, competent and material (Findlaw, n.d.).

Lastly, testimonial evidence. Problems that were once treated as questions of competence, and therefore led to the exclusion of evidence, are now presented in preference as questions of weight; however, where competence rules are interpreted strictly, the result is still the exclusion of evidence (Findlaw, n.d.).
The type of evidence to be collected is documented at each stage in order to establish its reliability. Documenting the collection and handling of evidence is required to preserve the chain of custody, which must be maintained consistently by every individual who handles important evidence under investigation. Be careful that a note is made of when the evidence was collected, from where, and by whom (Casey, 2011).

The evidence described in the previous section is circumstantial, so it is assumed that the computer behind an IP address is reliable and that it was prohibited from classifying or possessing the material. First, resolving an IP address to a person requires identifying the machine responsible for the traffic. A subpoena can be obtained by the investigator from the magistrate petitioning the ISP to return account information (Pdfs.semanticscholar.org, 2010). Lastly, storage: it is important to collect significant information at the investigation scene. Nonetheless, for maintenance and operational purposes, a large amount of metadata is distributed by each node in a P2P network, and logging all incoming and outgoing traffic would require a large amount of storage (Myneedu and Guan, 2017).

Preserving the type of evidence involves identification. Classifying the type of evidence can be a challenge; thus a subpoena or search warrant needs to be prepared, and it is crucial to include every location in which evidence may reside. The wording of the identification must be correct and specific: using the term CPU, for instance, means collecting the computer's Central Processing Unit rather than the computer (Daniel and Daniel, 2012). Besides identification, collection preserves the type of evidence. This step is decisive, because it is the first real contact with the evidence. If the collection procedures are not followed, the evidence may be altered or destroyed, and hence misplaced (Daniel and Daniel, 2012).

Furthermore, a blacklist-based approach relies on active monitoring, which may present significant exposure of the investigator's IP address. A passive application-level approach can instead monitor the addresses in question, but it collects a limited quantity of information (Myneedu and Guan, 2017). Likewise, encryption: where communication between peers is encrypted, P2P traffic observation at the network level is affected. Even when the network is observed at numerous locations, the adoption of encryption can make it impractical to acquire meaningful information from the network. Where the network data is encrypted, an initial evidence collection tool still needs to be effective and carry out its functions (Myneedu and Guan, 2017). Finally, write-protection technologies: files can be made read-only, and the concept is described as files that have the write-protection function enabled from the start.
However, a file can be preserved by write protection; preserving the original file in this way prevents it from being altered and evades attack from viruses (Zhang, 2014).

A hardware tool that will be selected to analyse the evidence is a write blocker, a read-only device that allows the user to read data on a suspect device without the opportunity to modify it; in other words, it prevents a storage device from being modified or erased. In addition, a hard-drive duplicator is an imaging device that copies all files from the suspect hard drive to a clean drive, and it can also duplicate data on flash drives (www.dhs.gov, 2016). Wiebetech produces several hardware write-blocking systems that are in use; the hardware comes with a range of adapters to deal with each type of drive interface encountered in the environment (Nelson, 2014).

Write blocking can also be accomplished by a software system. The FastBloc Software Edition protects the original evidence when it is connected through specific supported interface cards. Another software write blocker, SAFE Block from ForensicSoft, Inc., is available and requires no additional licences. On a Windows system, the registry can also be manipulated to write-protect any USB-connected device (Nelson, 2014).

Sharing illegitimate material is commonly done over P2P. One tool separates information from evidence based on Java Object Serialization (JOS); using this tool, AScan, personal information about the users can be extracted in accordance with the JOS requirements. Another useful tool is PyFlag, with which any recorded network capture can be replayed (Dezfouli and Dehghantanha, 2014).

First and foremost, the chain of custody is important to the investigation process because it is the first step in corroborating digital video and audio evidence. Moreover, the information is classified and arranged according to the chain of custody even when the evidence has been cloned. As technology improves and becomes more accessible, evidence has become easier to alter. Generally, the investigator collects the evidence from the client, who received it from the police; the investigator therefore has to consider the reports and legal documents carefully.
This approach has become accepted throughout investigations when the original evidence is recovered by the investigator. When at the site recovering the digital evidence, the investigator has to approach the administrator for information about the evidence, such as administrative logs, dates and file information (Primeau Forensics, n.d.). The investigator may obtain a search warrant from a magistrate on the basis of observed evidence. The search warrant may consistently specify targets characterised as electronic devices communicating or storing prohibited digital material (Pdfs.semanticscholar.org, 2010).

During the investigation there is no need to alter the existing evidence, because all analysis is performed on a representation of the original source: the evidence that can be extracted from that particular acquisition is imaged and documented against the original source and duplicated. Since all types of evidence must be handled in a way that makes the entire procedure reproducible, trustworthy and valid, this is compulsory (Scanlon and Kechadi, n.d.). It is also valuable to remember that developments in forensics make it possible to recover further evidence; in this situation the procedures should be developed so that the order of completion and the examinations are carried out to collect the complete evidentiary content (Madhub, 2014).

Task 2
Date: 10th January 2018 (2pm)
Investigating the employee's computer system

The investigator may obtain a search warrant from a magistrate on the basis of observed evidence. The search warrant may consistently specify targets characterised as electronic devices communicating or storing prohibited digital material (Primeau Forensics, n.d.). The chain of custody process consists of protecting the original packaging materials and taking as many photographs of the physical evidence as possible.
Take screenshots showing the evidence's capacity. Document the date, time and details of the declaration. Load the reproduced evidence onto the forensic computers. Lastly, perform a test analysis to corroborate the working clone (Primeau Forensics, n.d.). Judicial legitimacy is conferred by a legal authorisation covering the evidence; handling the evidence is therefore an important step. Further, seizing evidence requires a search warrant (Antwi-Boasiako and Venter, n.d.). During the investigation there is no need to alter the existing evidence, because all analysis is performed on a representation of the original source: the evidence that can be extracted from that particular acquisition is imaged and documented against the original source and duplicated (Scanlon and Kechadi, n.d.).

There are two categories of technique: Storage Device Capability Observation and Storage Device Capability Query. Storage Device Capability Observation relies on the device labels and technical specifications to determine what the device can hold. Storage Device Capability Query, on the other hand, uses a program to query the device directly for its information (Carrier and Spafford, 2006). A hardware tool that will be selected to analyse the evidence is a write blocker, a read-only device that allows the user to read data on a suspect device without the opportunity to modify it (www.dhs.gov, 2016).

The collection of evidence has to contend with the following: removable media is mounted by an application and virtualised in RAM without leaving any trace on the hard disk; malware resides in RAM without evidence on the hard disk; and, lastly, well-known websites offer users the means to cover the tracks they have created (Henry, 2009).

The analysis process may include recognising and recovering file fragments and hidden files and cataloguing their locations, e.g. slack, free or used space. Moreover, file structures, headers and characteristics are analysed to determine the description of each and every file. Deleted, cloaked, encrypted and fragmented files must be inspected. All graphic files are to be presented with their sizes. Internet activity, chat archives and email communications are examined by means of complex searches. The drive's directory structure is collected and demonstrated, and reports are developed (Subramaniam, n.d.).
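The header analysis step above (comparing a file's structure and header with its claimed type, and listing graphic files with their sizes) is easiest to see in code. The following Python is an added example and is not code from the original essay or from any work it cites: it checks a few well-known leading byte sequences against each file's extension, flags files whose extension does not match their content (the "cloaked" files the text refers to), and reports the size of every recognised graphic. The signature table is a constructed subset, and the sample files are constructed in memory to stand in for entries recovered from an image.

```python
"""Added example (not from the original essay): header (magic-number) analysis
of recovered files to find cloaked files and to list graphics with their size.
The signature table and the sample files below are constructed for illustration."""
import os

# Leading bytes of a few common formats (constructed subset of a real signature table)
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
}
ALIASES = {"jpeg": "jpg"}          # extensions that name the same format
GRAPHIC_TYPES = {"jpg", "png", "gif"}


def detect_type(data):
    """Return the format whose signature matches the start of data, or None."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def classify(name, data):
    """Compare the claimed extension with the detected header.
    verdict is 'match', 'cloaked' (extension does not fit the content)
    or 'unknown' (no recognised header)."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    detected = detect_type(data)
    if detected is None:
        verdict = "unknown"
    elif detected == ext:
        verdict = "match"
    else:
        verdict = "cloaked"
    return {"name": name, "claimed": ext or None, "detected": detected,
            "size": len(data), "verdict": verdict}


def analyse(files):
    """Classify every entry of a name -> bytes mapping.
    Returns (all findings, names of cloaked files, graphic name -> size)."""
    findings = [classify(n, d) for n, d in files.items()]
    cloaked = [f["name"] for f in findings if f["verdict"] == "cloaked"]
    graphics = {f["name"]: f["size"] for f in findings
                if f["detected"] in GRAPHIC_TYPES}
    return findings, cloaked, graphics


# Constructed sample files standing in for entries recovered from the image
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,
    "budget.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 120,   # a JPEG renamed to .txt
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 30,
    "report.pdf": b"%PDF-1.7\n" + b"\x00" * 200,
    "archive.zip": b"PK\x03\x04" + b"\x00" * 40,
    "stuff.dat": b"\x00" * 16,                            # no recognised header
}

if __name__ == "__main__":
    findings, cloaked, graphics = analyse(SAMPLE_FILES)
    for f in findings:
        print(f"{f['name']:<12} claimed={f['claimed']!s:<5} detected={f['detected']!s:<5} "
              f"size={f['size']:<4} {f['verdict']}")
    print("cloaked files:", cloaked)
    print("graphic files and sizes:", graphics)
```

Only the first bytes are inspected, so this is a triage pass rather than full structural validation; a file with a correct header but a damaged body would still need the deeper inspection the essay describes, and the sizes reported are those of the recovered content, not the on-disk allocation.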
One form of documenting evidence is system duplication. Evidence may be found during the investigation of the image, which helps to recreate the scene and review it. Finally, camera/video photography and graphics are used, and notes are made in the documentation; the documentation at the scene is thus the beginning of the chain of custody (Jawad Abbas, 2015). In the chain of custody the documentation has to include a description of the device and its protection from electromagnetic interference, together with confirmation that the data source has not been changed. If it has changed, the change must be recorded in the documentation (Graves, 2013).