Analyze evidence from a source they need to image it first


Assignment

As companies move to a paperless culture, more evidence will be digital. Deleted documents, e-mail messages, visited Web sites, and evidence of installed software applications are just a sampling of the evidence that can be recovered by a digital evidence examiner.

Electronic discovery represents a paradigm shift from traditional document discovery to this present age of digital information. Unlike paper documents that can go missing from a physical file, electronic versions of documents rarely can be destroyed completely in all their forms or from all the possible places they might be stored. You can use digital evidence forensic examiners to help craft the e-discovery request to find evidence as well as help in responding to such a request. Even though fraudsters may attempt to destroy digital evidence, a trained examiner knows where potential evidence might exist that the "wiping" software might have missed. Also, the digital evidence forensic examiner can report on the telltale signs that indicate fraudsters used a program designed to eliminate evidence (Cannon, 2006).

Computer documents, emails, text and instant messages, transactions, images, and Internet histories are examples of information that can be gathered from electronic devices and used very effectively as evidence, but it is important to know that according to the National Institute of Justice, digital evidence should be examined only by those trained specifically for that purpose.

Files on a computer or other device are not the only evidence that can be gathered. The analyst may have to work beyond the hardware to find evidence that resides on the Internet including chat rooms, instant messaging, websites, and other networks of participants or information. By using the system of Internet addresses, email header information, time stamps on messaging, and other encrypted data, the analyst can piece together strings of interactions that provide a picture of activity (Forensic Science Simplified, n.d.).

The most effective methods to ensure legal admissibility include the following:

o Drive Imaging
o Hash Values
o Chain of Custody

Before investigators can begin analyzing evidence from a source, they need to image it first. Imaging a drive is a process in which an analyst creates a bit-for-bit duplicate of a drive. This image of all digital media helps retain evidence for the investigation. When analyzing the image, investigators should keep in mind that even wiped drives can retain important recoverable data to identify and catalog. As a rule, investigators should exclusively operate on the duplicate image and never perform analysis on the original media (Simon, n.d.).

When an investigator images a machine for analysis, the process generates cryptographic hash values (MD5, SHA-1). The purpose of a hash value is to verify the authenticity and integrity of the image as an exact duplicate of the original media. Hash values are critical, especially when admitting evidence into court because altering even the smallest bit of data will generate a completely new hash value. If the hash values do not match the expected values, it may raise concerns in court that the evidence has been tampered with (Simon, n.d.).

As investigators collect media from their client and transfer it when needed, they should document all transfers of media and evidence on Chain of Custody (CoC) forms and capture signatures and dates upon media handoff (Simon, n.d.).

It is essential to remember chain-of-custody paperwork. This artifact demonstrates that the image has been under known possession since the time the image was created. Any lapse in a chain of custody nullifies the legal value of the image, and thus the analysis (Simon, n.d.)

Format your assignment according to the following formatting requirements:

o The answer should be typed, using Times New Roman font (size 12), double spaced, with one-inch margins on all sides.

o The response also includes a cover page containing the title of the assignment, the student's name, the course title, and the date. The cover page is not included in the required page length.

o Also include a reference page. The Citations and references must follow APA format. The reference page is not included in the required page length.

Solution Preview :

Prepared by a verified Expert
Business Management: Analyze evidence from a source they need to image it first
Reference No:- TGS03199170

Now Priced at $30 (50% Discount)

Recommended (98%)

Rated (4.3/5)