The process of obtaining and processing computer evidence and taking suspects to court is usually a long and expensive task. This process involves four primary stages. These being the acquisition, identification, evaluation and presentation.
The acquisition stage is mainly concerned with forensic capture of the device and its resident data. This is where the digital device that was involved in a cyber crime is secured. A record is made of the location where it was found and seized. For example an external hard disk that was hidden under a pile of newspapers provides a clue about the intent of the suspected offender.
During this stage of acquisition, data must be copied from the original hard disk using a write-blocking device. This device sits between the offender’s disk and the investigating computer. It stops all write signals being passed from the computer to the disk, hence preserving the data contained in the disk.
The second stage is identification. Here we recognize that digital evidence from an offender’s device can be interpreted from a number of perspectives. You can, for instance, examine the physical sectors of a disk and the logical partitions and files system. This can give you an idea on the technical expertise of the offender.
At this stage we also consider the context within which any digital evidence is found. This is especially crucial in financial forensic investigations where context will help the forensic investigator relate and untangle complex financial transactions.
Useful sources of evidence include records of internet activity, local file accesses, cookies, e-mail records among many other sources. Evidence should be handled with utmost care and a chain of evidence must be made. The investigator must also make notes at the time he takes any action regarding an offender’s device. These notes are more likely to be accepted by a court rather than a witness who is relying on his memory of a past event.
The third stage is evaluation where a decision on the digital evidence found is made. To achieve this, the investigator must have understood how the data was produced, by whom and when.
The fourth, and final stage, is where the interpretation of the raw data and the reconstruction of events that occurred on the offender’s disk prior to its seizure are undertaken.
You can avoid this process by implementing information security measures. For example you can place monitoring equipment on the perimeter of your network. This will allow you check for new access points and devices.
My point is that individuals and companies must aim to avoid a lengthy computer forensic investigation by investing on security controls, educating staff and developing policies that bolster information security in the organization.