In 1991, the World Wide Web was created and brought along a quick rise of social networking, email, and instant messaging used for personal, professional, and criminal uses of the internet, networked computers, and cellular devices. As crime on the internet grew, computer forensics was used to inspect digital components in a forensic way with the aim of classifying, conserving, retrieving, investigating and exhibiting evidence about the computer data. According to the Salem Press Encyclopedia of Science, computer forensics can be defined as a “forensic specialty that applies science to the acquisition and analysis of electronic data from computers, other digital devices, and the Internet to assist in civil and criminal investigations” (Volonino, 2013). Computer forensics is a progressively important part of crime investigations, homeland security, civil cases, and law enforcement. Illegal computer offenses leave behind recorded traces of electronic data that can be followed back along digital trails that lead to the perpetrator. Computers collect vast quantities of data in their memory when files are downloaded, sent, or saved.
The files and records stored on a computer can be used as evidence to support or build a case for accusations of crime. PC users are most likely unaware that their activities have left numerous trails of proof, and many may not try to get rid of those trails. Indeed, even inventive and skillful operators who would rather have their activities concealed will most likely be unable to erase or mask every one of their trails of data and evidence entirely. It is difficult to erase all traces of electronic proof. The job of computer forensic specialists includes discovering, analyzing, and protecting pertinent computerized documents or information for use as electronic evidence.
According to the rules of evidence, the testimony of witnesses, physical evidence, and electronic evidence are the three essential sorts of proof exhibited in legal proceedings. The most modern of these is electronic proof. Some examples of electronic proof include subjects of email and texts and multi-person chat room discussions, history of sites visited, downloaded and transferred documents, word-processing documents, spreadsheets, pictures, Global Positioning System (GPS) records, and information from personal digital assistants (PDAs). Since the nature of the evidence is electronic or digital, computer crimes such as identity theft, hacking, electronic surveillance, and cyberterrorism require specialized computer and investigative abilities and tools (Volonino, 2013). Within a court of law, computer forensic evidence is subject to the typical rules for electronic evidence.
This demands that evidence be authentic, reliably obtained, and admissible. Consequently, it has become clear that examining computer crime follows the same basic standard as any other examination. The investigation procedure incorporates phases of physical scene preservation, review, search and restoration using gathered evidence and data, all of which must follow a fixed set of standards and be formally documented (Bassett et al, 2006). The thorough examination and unbiased investigation of electronic evidence requires particular computer forensics tools used by specialists who understand both computer technology and legal procedures. It might appear that electronic evidence falls into the class of “hearsay, which is secondhand evidence, it would not be admissible in court, but electronic evidence is one of the exceptions to the hearsay rule” (Volonino, 2013). It is viewed as dependable given that it is handled lawfully and properly.
The initial phase in any computer forensics examination is acquisition of the evidence through the careful gathering and preservation of the primary records on a hard drive; this is accomplished by making an identical bit-stream copy of the whole hard drive using computer forensics software, for example Forensic Toolkit (FTK) or EnCase, that is recognized by the courts as acceptable for verifying evidence. This copy, which is referred to as the mirror copy, is used for the investigation; the original is used only in extraordinary circumstances. In theory, creating a mirror copy of a hard drive is straightforward, yet the accuracy of the image must meet evidence guidelines. To ensure precision, imaging programs depend on cyclic redundancy check (CRC) calculations to confirm that the duplicates produced are precisely the same as the originals. CRC validation procedures compare the bit stream of the original source data with the bit stream of the acquired data. A few cases may involve significant work retrieving records that have been erased; analysts use specialized tools and software to reconstruct lost data.
The second phase in the computer forensics examination is verification of the exact representation of evidence, or confirmation that the duplicate is exactly the same as the original. Data verification depends not just on the use of the software but also on the equipment, the environment, and the certification of the steps taken during evidence processing. At the very least, preserving the chain of custody for electronic evidence requires proof that no data was added, erased, or changed in the copying process or during investigation, that a complete duplicate was made and verified, that a dependable copying process was used, and that all information that ought to have been copied was copied. This is checked and completed when the mirror image is “fingerprinted” using an encryption strategy called hashing. Hashing guarantees the integrity of the record since it makes any alteration of the information evident, for example, the use of steganography (Bassett et al, 2016). The third and most time-consuming step in the examination is the technical investigation and assessment of the evidence, which must be done in a way that is fair and unprejudiced to the individual or people being investigated.
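The acquisition and verification steps described in the two paragraphs above, as an added Python example that is not part of the original essay and not how FTK or EnCase is implemented: it makes a bit-stream copy of a constructed "drive" file, records a CRC-32 and a SHA-256 fingerprint during the same read, and shows that changing a single bit in the mirror copy makes verification fail. File names and drive contents are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile
import zlib

CHUNK = 64 * 1024  # block size for streaming reads


def fingerprint(path, copy_to=None):
    """Return (crc32, sha256 hex); optionally copy each block to copy_to."""
    crc, sha = 0, hashlib.sha256()
    out = open(copy_to, "wb") if copy_to else None
    try:
        with open(path, "rb") as src:
            for block in iter(lambda: src.read(CHUNK), b""):
                if out:
                    out.write(block)  # copy and digests share one read pass
                crc = zlib.crc32(block, crc)
                sha.update(block)
    finally:
        if out:
            out.close()
    return crc, sha.hexdigest()


def verify(image, recorded):
    """True only if the image still matches the recorded fingerprint."""
    return fingerprint(image) == recorded


def demo():
    """Image a constructed 'drive', verify it, then flip one bit."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.dd")
        image = os.path.join(tmp, "mirror.dd")
        with open(source, "wb") as fh:  # constructed sample data
            fh.write(b"MBR" + bytes(range(256)) * 1024 + b"remnant")
        recorded = fingerprint(source, copy_to=image)
        intact = verify(image, recorded)
        with open(image, "r+b") as fh:  # simulate a one-bit alteration
            fh.seek(1000)
            byte = fh.read(1)[0]
            fh.seek(1000)
            fh.write(bytes([byte ^ 0x01]))
        return intact, verify(image, recorded)


if __name__ == "__main__":
    print(demo())
```

The recorded fingerprint belongs in the case notes alongside the chain-of-custody entries, so the image can be re-verified at any later stage of the examination.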
Examiners assess what could have occurred and also what couldn’t have happened. The key to successful electronic evidence verification is careful preparation. Faulty preparation in the beginning phases of an investigation can lead to failure in court, as data can be overlooked, damaged, or compromised. Experienced computer forensics experts are able to create search strategies that are expected to discover related and new information.
Investigations are more useful when examiners have some sense of what they are looking for before they start their searches. For instance, computer forensics examiners need to know names, important words, or parts of words that are expected to be found inside those reports (Bern 2008). Finally, the last phases are the interpretation and reporting of the results.
Investigators' findings must be accurate, complete, and usable in legal proceedings. Explaining the findings of forensic investigators in court can be difficult, particularly when the evidence must be presented to people with minimal technical knowledge. The importance of the evidence depends on the way it is presented and defended in court. On account of the sophistication of many of the tools associated with computer forensics, examiners must be trained and licensed in their use. General training and certifications are available for computer forensics investigators (Volonino, 2013).