Pages: 10 pages/≈2750 words
Sources: 5 Sources
Level: APA
Subject: Law
Type: Case Study
Language: English (U.S.)
Document: MS Word
Topic:

Digital Forensics (Case Study Sample)

Instructions:

Using the photograph depicting Mr. Didit's work space (posted along with this project description or provided by your instructor), you will develop a case portfolio that will include the following: collection of digital evidence; transfer/handling of digital evidence; differentiation of non-digital evidentiary items collected separately; methodology of preservation; summary of analysis results for the intended audience (prosecution); and final testimonial preparation materials.
Consider this project a continuation of the work performed in Project 2, and assume the same overarching scenario.
You now know that digital forensic examiners found five (5) contraband images on Mr. Didit's computer, and the hash values of those images were matched by the National Center for Missing and Exploited Children (NCMEC) to those of known child pornographic images (previously tied to known underage victims). You are being called to put together a case portfolio to present to the prosecution for the trial of Mr. Didit. This case portfolio should be written as a professional report (you may select an appropriate format) and will include a summary of your trial testimony. Just as a prosecutor will detail for an investigator what information they need to have included in the case file, your instructor has detailed items he/she would like you to include in your case portfolio:
1. A short, professional summary providing the facts of the scenario;
2. The photograph of the workspace; (does not count for your minimum page count)
3. A complete list of the potential digital evidence you found in the workspace (i.e., in the picture), along with an explanation of the significance of each piece (e.g., what type of important data might be found on each piece of evidence collected), how the evidence would be preserved or protected (including technological preservation, such as forensic imaging), and how it would be stored or protected pending analysis or the transfer to a law enforcement agency;
4. A complete list of the non-digital evidence you found in the workspace that you could collect (or at least search), including what significant information might be found in that evidence;
5. A completed Evidence Collection Document (posted along with this project description or provided by your instructor) detailing at least three of the items of digital evidence you would collect and establishing chain of custody; (does not count for your minimum page count)
6. A rough (hand-drawn) sketch of the workspace (you may need to fill in some details you can't see outside the scope of the photo), with the locations of at least major items of digital evidence you would collect; (does not count for your minimum page count)
7. A list of locations outside of Mr. Didit's immediate workspace where pertinent digital evidence might be found;
8. A list of at least three forensic examination/analysis tools that could be used by you or ABC Corporation's other digital forensic analysts to process/analyze items of evidence you collected (be specific), ensuring you include the manufacturer of each tool and each tool's capabilities;
9. A summary of what you would tell the court in testimony responding to the following questions (feel free to compose fictitious details, but please ensure it is plausible based on the scenario):
Under what instrument or authority were you able to search Mr. Didit's workspace?
Please explain to the court what is meant by a hash value and how it is used in digital forensics.
The defense asks you the following question based on the fact that you write a personal blog about digital forensics in your off-time, from which it appears you are a staunch supporter of government and law enforcement. “How do we know you were not just a "police hack" in this case, choosing to report only what would help law enforcement and your company's bottom-line in this case?”
Project Requirements:
Minimum 10 full pages, excluding those items listed above as not being included in your page count
Cover page (not included in page count): course number, course title, title of paper, student’s name, date of submission
Format: 12 point "normal" (e.g., Times New Roman, Arial, or similar) font, double-space, one-inch margin

Content:

Digital Forensics
Name:
Institution:
Outline
Introduction
Scenario summary
A Photograph of Mr. Isure Didit’s Work Station
Digital Evidence Acquisition
Non-Digital Evidence
Other Pertinent Digital Evidence Sources
Digital Evidence Analysis
Summary of analysis
Testimonial
Conclusion
References
Introduction
Digital forensics covers the processes involved in investigating and recovering data held on digital devices. Its main purpose is to provide proof of guilt in litigation or to support corrective action within an organization. As a branch of forensic science, digital forensics deals with computer crimes that involve the creation, manipulation, possession and distribution of digital data found on digital media devices. In the early 70s, most of the devices involved in digital crimes were computers. Towards the end of the era, there was a personal computer revolution in which personal computers came onto the scene (Trček, Abie, Skomedal, & Starc, 2010). The increase in the number of personal computers, relative to the affordability of the units, also led to a surge in computer crimes. The number of media devices that could be involved in digital crimes also increased. Although digital forensic science has grown through its trends from the 90s to date, the number of computer-related crimes is also growing exponentially (Karie & Venter, 2014). The crimes range from illegal pornography, identity theft, counterfeiting and financial fraud to terrorism, among many others.
The science of collecting digital data for litigation purposes is carried out by digital forensic examiners, who are trained in the technicalities and the proper procedures. Investigating digital material for evidence involves careful procedures and techniques to prove the hypothesis of the alleged crime (Bulbul, Yavuzcan & Ozel, 2013). The general process involves the seizure of the material, acquisition of the evidence, analysis and reporting of the findings.
This paper covers the collection and presentation of evidence in the case against Mr. Isure Didit. He is accused of having on his computer five pictures that are positively linked to child pornography. According to the National Center for Missing and Exploited Children, the images recovered from Mr. Isure Didit match the records of victims who were underage. The data seizure was carried out by the technical specialist under the direction of the human resource specialist at the Widget Corporation, Mr. Iam.
Scenario summary
Mr. Iam Helpful is a Human Resource Specialist working at the Widget Corporation. On the 25th of September 2014, he suspected that Mr. Isure Didit, from the marketing department, may have been involved in unscrupulous activities on his company-issued computer. With the help of a technical specialist, Mr. Iam confiscated the hard disk from Mr. Didit's computer for further investigation, on the allegation that it held child pornographic material. After the hard disk was described in the records, the technician undertook the data analysis on the disk. To ensure the integrity of the data on the drive, the disk was connected to another computer fitted with a hardware write blocker from a company called Tableau (Trček, Abie, Skomedal, & Starc, 2010). The precaution ensured that the data on the disk could not be modified in any way, whether by writing extra files or by removing files. This way, the data could not be compromised and would stand as evidence in court (Richard & Roussev, 2006). Using the Linux dd utility, an image of the hard disk was made, and a checksum value of the image was generated to show that the data had not been tampered with during the imaging process. All the devices that were confiscated were packed in anti-static plastic bags to be preserved as evidence and passed on to the law enforcement agencies for use in the prosecution's case.
A Photograph of Mr. Isure Didit’s Work Station
Fig 1
Digital Evidence Acquisition
This is by far the most crucial step in the process of acquiring evidence that can be used in a court of law. Any mistake at this stage could compromise the entire lawsuit and could also increase the chances of massive losses (Trček, Abie, Skomedal, & Starc, 2010). Digital evidence is very fragile and open to alteration and damage, which can result from improper handling as well as improper examination. As such, this stage requires the specialists to take maximum precautions when extracting the evidence. Mistakes here could mean that the data acquired is unusable or becomes a source of inaccurate findings and therefore wrongful judgment (Bulbul, Yavuzcan & Ozel, 2013). The bottom line is that the digital evidence seized from Mr. Isure Didit's work station should be extracted in its original state if it is to stand a chance of being used in court.
At the work station of Mr. Isure Didit, there were five photographs, which were found on his computer. The hard disk of the said computer was confiscated by a technician under the direction of Mr. Iam. The hard disk is a very significant piece of evidence and forms the backbone of most digital investigations. It is the central storage unit of the computer and thus will contain the evidence of any unscrupulous activity that the analysis technicians may uncover. This would explain why the technician at the Widget Corporation opted to take away the hard disk rather than the entire computer for analysis.
To acquire the data that would be used in the analysis of the material evidence in the case, the hard disk must be imaged. This means that a copy of the hard disk has to be made for the purpose of extracting the incriminating digital evidence related to the child pornography claims. To make a copy of the hard disk acquired from Mr. Didit, the technicians have to connect it to another computer at the labs. However, it is important to note that the data on the hard disk cannot be compromised in any way. In a normal computer, for the other hardware to communicate with the hard disk, there are some drivers that have to be written (Bulbul, Yavuzcan & Ozel, 2013). This is quite risky, as the data on the hard disk could be modified and the evidence compromised. As such, making a duplicate of the hard disk requires quality controls to ensure that no data is written onto the disk and that there is no form of modification or deletion of the existing data. Write-blocking hardware installed on the lab computer was used in this case. The write blocker hardware from Tableau made sure that the image extracted from the hard disk contains only the data originally existing on it, without addition, subtraction or modification of any kind (Carrier, 2003).
For the security of the hard disk, the physical evidence was returned to the holding facilities (Karie & Venter, 2014). This ensured that the data on the drive could not be further modified or exploited to compromise the evidence. It is important to note that if the hard disk is compromised in any way, such that the data on it does not match the image collected, the digital evidence could be dismissed in court (Carrier & Spafford, 2004). As such, it is crucial for the hard disk to be protected from any malicious persons who may want to have the case dismissed in court. Both the hard disk and the image have to be identical to prove that the source and the data are intact, and to implicate the owner or the user of the same.
Once the image is acquired from the hard disk, it is crucial that it is verified. Several methods can be used to verify that the image and the hard disk data are identical, and that neither differs from the other even at the most minute level. In this case, the method used to establish that the image and the hard disk data match was to generate MD5 hash values. MD5 is an algorithm used when data from a given source needs to be verified. The integrity of the data is assessed through the creation of a 128-bit message digest. The message digest is computed from the input data and is unique to the data in question, much like a fingerprint (Trček, Abie, Skomedal, & Starc, 2010). The input message can be of any length, and it is up to the technician to decide. The message digest is a specific output that corresponds only to the input data in the image. The hash values are crucial in the event that the defense team wants to verify whether the data on the drive is the same as the data on the image. In the same way, the prosecution will find the checksums crucial to their evidence, as they are required to show the validity of the data on the two sources (Carrier & Spafford, 2004). Any form of data corruption on either the hard disk or the image can be identified using the checksums. Ideally, this would mean that the data on one of the sources is compromised, and the defendant would have grounds to refute the evidence and thus the claims made against him.
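The acquisition and verification steps described above (imaging with dd, then comparing hash values), as an added example that is not part of the original paper. The paths and function names are hypothetical, the source "disk" is a constructed 1 MiB file standing in for the write-blocked drive, and SHA-256 is computed alongside MD5 because MD5 collisions can be constructed deliberately.

```bash
#!/bin/sh
# Added example: image a source with dd, then verify the copy by hash.
# All paths and function names here are hypothetical.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/source_disk.raw"    # constructed stand-in for the write-blocked drive
IMG="$WORK/evidence_image.dd"  # forensic image produced by dd
BAD="$WORK/altered_image.dd"   # copy of the image with one byte changed

# Build a constructed 1 MiB "disk": 2048 sectors of 512 bytes each.
make_sample_disk() {
  awk 'BEGIN { for (i = 0; i < 2048; i++) printf "%-511s\n", "constructed sector " i }' > "$1"
  chmod 0444 "$1"   # read-only, mimicking what the write blocker enforces
}

# Sector-sized blocks; noerror,sync zero-pads an unreadable sector
# instead of dropping it, so later offsets stay aligned.
acquire_image() {
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Print only the hex digest; $1 is md5sum or sha256sum, $2 is the file.
hash_of() {
  "$1" < "$2" | awk '{ print $1 }'
}

# Compare source and image under both algorithms.
verify_image() {
  for algo in md5sum sha256sum; do
    [ "$(hash_of "$algo" "$1")" = "$(hash_of "$algo" "$2")" ] || { echo MISMATCH; return 1; }
  done
  echo MATCH
}

# Simulate corruption: overwrite one byte at offset 4096 in a copy.
alter_copy() {
  cp "$1" "$2"
  printf 'X' | dd of="$2" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

make_sample_disk "$SRC"
acquire_image "$SRC" "$IMG"
alter_copy "$IMG" "$BAD"
echo "source MD5:        $(hash_of md5sum "$SRC")"
echo "image vs source:   $(verify_image "$SRC" "$IMG")"
echo "altered vs source: $(verify_image "$SRC" "$BAD" || true)"
```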
After the verification of the data on the hard disk and that of the image, the evidence needs to be stored away pending the analysis. The image can be encrypted to ensure that it is not modified. At the same time, the hard disk has to be protected (Karie & Venter, 2014). Given that the hard disk is physical evidence, it has to be protected from weather elements and electrical impulses. Any form of static electricity could harm the hard disk, and the data on it would then be corrupted. At the same time, electrical impulses can trigger data corruption compromising the...