Forensic investigation of computer systems has a number of features that differentiate it fundamentally from other types of investigations.
Forensic investigation of computer systems can be defined as:
The use of scientific and reliable methods for securing, collecting, validating, identifying, analysing, interpreting, documenting and presenting digital evidence obtained from computer sources, in order to facilitate the discovery of truth in criminal trials.
A possible model of good practice in such computer forensic investigations includes the following steps:
- Identification of incident – recognition of an incident and determining its type. This is not, strictly speaking, a stage of the criminal investigation, but it has a significant impact on the next steps.
- Preparation of investigation – preparation of tools, verification of procedures, obtaining the documents that authorise a search, etc.
- Formulation of strategy approach – formulating a strategy based on the technology involved and the possible consequences for the individuals and institutions involved. The aim of this strategy is to maximize the potential of obtaining relevant evidence while minimizing the negative impact on the victim.
- Securing evidence – isolating, securing and preserving the physical and digital evidence. This includes removing whatever could distort the evidence in any way.
- Gathering evidence – recording the physical environment and copying digital evidence using common and accepted practices and procedures.
- Examination of samples – in-depth examination of the evidence, looking for items related to the offense under investigation. This involves locating and identifying samples and documenting each step in order to facilitate analysis.
- Analysis of samples – determining the significance of the evidence and drawing conclusions about the investigated crime.
- Presentation of evidence – summarizing findings and presenting them in a manner intelligible to the layman. This summary should be supported by detailed technical documentation.
- Return of evidence – if necessary, returning to their rightful owners the objects retained during the investigation. If applicable, deciding on the confiscation of objects, based on the provisions of the criminal procedural laws.
Forensic investigation of computer systems must exhibit a number of specific characteristics, required to ensure a high degree of accuracy of the conclusions. These characteristics are:
- authenticity (proof of sources of evidence);
- credibility (lack of doubt on the credibility and robustness of the evidence);
- completeness (collecting all available evidence and preserving its integrity);
- absence of interference with, or contamination of, the evidence as a result of the investigation or of the handling of samples after collection.
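One way to make these characteristics checkable in practice is sketched below as an added example, not taken from the original article: a hash-chained custody log that records the digest of the evidence at every handling step, so a changed working copy or an edited record is detected. The use of SHA-256, the log layout, all function names and the sample data are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first custody entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the stored digest itself, in a stable order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_entry(log: list, when: str, actor: str, action: str, evidence: bytes) -> None:
    entry = {"seq": len(log), "when": when, "actor": actor, "action": action,
             "evidence_sha256": sha256_hex(evidence),
             "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify_log(log: list) -> list:
    """Return a list of problems; an empty list means nothing was altered."""
    problems, prev = [], GENESIS
    for e in log:
        if e["prev_hash"] != prev:
            problems.append(f"entry {e['seq']}: chain link broken")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {e['seq']}: custody record altered")
        if e["evidence_sha256"] != log[0]["evidence_sha256"]:
            problems.append(f"entry {e['seq']}: evidence differs from acquisition")
        prev = e["entry_hash"]
    return problems

def demo():
    image = b"constructed bytes standing in for an acquired disk image"
    log = []
    append_entry(log, "2024-01-01T10:00Z", "examiner A", "acquired", image)
    append_entry(log, "2024-01-02T09:00Z", "examiner B", "received copy", image)
    clean = verify_log(log)
    # A working copy that changed during handling no longer matches.
    append_entry(log, "2024-01-03T09:00Z", "examiner B", "examined", image + b"\x00")
    contaminated = verify_log(log)
    log[0]["actor"] = "someone else"  # after-the-fact edit of the record
    tampered = verify_log(log)
    return clean, contaminated, tampered

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because each entry stores the hash of the previous one, rewriting an earlier record and recomputing its own hash still breaks the link checked at the following entry.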
Also, forensic investigation requires:
- existence of pre-defined procedures for situations encountered in practice;
- anticipation of possible criticism of the methods used, on the grounds of authenticity, reliability, completeness and damage to the evidence offered;
- the possibility of repeating the tests performed and obtaining identical results;
- anticipation of problems with the admissibility of evidence;
- acceptance that the research methods used at a given time may be subject to change in the future.
This last point highlights a feature of forensic investigation of computer systems, namely that forensic techniques change within a very short time, a change driven by the extremely rapid worldwide technological advancement in computer science.
(This article contains materials translated and adapted from MCTI)