There are 4 evidence lifecycle stages to follow when investigating the employee's computer: preparation, evidence collection, preservation, examination and analysis, and presentation. Firstly, the preparation. In the court, as an investigator needs to declare in which to disturb the evidence seized, thus, to filing seize the evidence by the authorities that must be collected. (Subramaniam, n.d.)

At the scene, the investigator should interpret the description of the media that are likely to be detected. Furthermore, a brief preliminary can be conducted with the suitable party. Deliberately, the preparation phase may include establishing responsibilities and boundaries, and advising the client on the impact and the suggestions that the investigation conclusion may contain. (Subramaniam, n.d.)

The second stage of the evidence lifecycle is evidence collection. The device should be documented in its setting, and an investigator's journal should be made. Moreover, the number and the date of the evidence should be recorded through label management. The user of the system should be interviewed to obtain the computer's IP address, in collaboration with the investigation. Furthermore, the investigator should recognize the source of the evidence and, where applicable, the hardware and software to be used, which must be forensically sound and effective for breaking down the evidence. The evidence is acquired in a write-protected manner. The authority needs to be used to identify the software that controls the process of disk acquisition and imaging. The software can be used to prepare an image of the suspect's disk, in particular when the suspect's disk is duplicated. (Subramaniam, n.d.)

Preservation: The forensic method used has to be completely non-invasive to the original data. At the same time, files are duplicated without regard to the properties of the files and information. Therefore, the duplicate copies the visible files as well as the areas that differ from them: free space, which may contain hidden data, hidden partitions that contain hidden data, slack space, registry info, unallocated space, temporary files, hidden files, history files, etc. (Subramaniam, n.d.)

Furthermore, at the examination and analysis stage, the result depends on the outstanding closing of the case: prosecution, settlement or conviction. Additionally, during this process due care must be taken to avoid any work on the original evidence. (Subramaniam, n.d.)

Lastly, the presentation, in which the findings must be presented in a simultaneous manner that may include screen captures, original files, etc. Furthermore, clear evidence information is presented simultaneously with the techniques. (Subramaniam, n.d.)

The admissibility of evidence comes in four basic forms: demonstrative evidence, documentary evidence, real evidence and testimonial evidence. First off, demonstrative evidence: if it expresses the testimony correctly and adequately, with enough efficiency for the task at hand, and is otherwise unobjectionable, it will be admissible. Examples of demonstrative evidence are a diagram and a description of the scene of an occurrence. Because its purpose is to clarify testimony, the witness whose testimony is being illustrated authenticates the demonstrative evidence. (Findlaw, n.d.)

Another form is documentary evidence: a document is shown to be genuine in the same way as any other real evidence. Moreover, the most significant rule of evidence applies where a writing is being offered in evidence: a copy or other secondary evidence of the content will not be received in the document's place, except with a clarification offered for the insufficiency of the original. (Findlaw, n.d.)

Furthermore, real evidence: in an action, real evidence may be used to establish the terms and the defendant's performance. If it is written in a stumbling way, that may as a result be relevant to present. For real evidence to be admissible, it must be relevant, competent, and material. (Findlaw, n.d.)

Lastly, testimonial evidence. To view the problem that were questions of competence connection and therefore evidence expulsion in which presenting in preference questions of weight for accomplishment to classify; furthermore, competence guidelines are interpreted and this will affect the exclusion of evidence. (Findlaw, n.d.)

The type of evidence to be collected is documentation, at the stages where the reliability of the evidence is organized. Furthermore, documentation of how the evidence is collected and handled is required to preserve the chain of custody. It is constant for individuals who handled important evidence to be investigated. Be careful to note when the evidence was collected, from where, and by whom. (Casey, 2011)

The representation of evidence in the previous section is coincidental, so it is assumed that the computer behind an IP address is reliable and it prohibited classifying or possessing. First off, resolving an IP address in the direction of a person means completing the scene of the machine that is responsible for the traffic. A subpoena can be acquired by the investigator from the magistrate, petitioning the ISP to return account information. (Pdfs.semanticscholar.org, 2010)

Lastly is storage, meaning that it is important to collect significant information at the investigation scene. Nonetheless, for maintenance and operational purposes, a large amount of metadata is distributed by each node in a P2P network. Logging a bundle of incoming and outgoing data would require a large amount of storage. (Myneedu and Guan, 2017)

Preserving the type of evidence may include identification. Classifying the type of evidence can be a challenge. Thus, a subpoena or search warrant needs to be prepared, and it is crucial that it include any location in which evidence may reside. Furthermore, the wording of the identification must be correctly phrased and specific; using the expression "CPU" means collecting the computer's Central Processing Unit instead of the computer. (Daniel and Daniel, 2012)

Besides, collection is also part of preserving the type of evidence. This step is decisive, since it is the first real contact with the evidence. However, not following the collection procedures can lead to the alteration or destruction of the evidence, and hence to evidence being misplaced. (Daniel and Daniel, 2012)

Furthermore, blacklisting exists in response to active observation, which may present a significant exposure of the IP address. Passive application-level observation may address the issue; on the other hand, it collects a limited quantity of information. (Myneedu and Guan, 2017)

Likewise, encryption: encrypting the communications between peers affects the observation of P2P traffic at the network level. Even when the network is observed at numerous locations, the adoption of encryption can make it practically impossible to acquire consequential information from the network. Even though the network data is encrypted, an initial evidence collection tool needs to be effective and should carry out its functions. (Myneedu and Guan, 2017)

Eventually, write-protection technologies: these can be read-only files, in addition to the concept of files whose write-protection function is active from the start. However, a file can be preserved by write protection. The preservation of the original file is to prevent inactivity and to evade attack from viruses. (Zhang, 2014)

A hardware tool that will be selected to analyse the evidence is a write-blocker, which is a read-only device that allows the user to read the data on a suspect device without the opportunity to modify it. In other words, it prevents the contents of a storage device from being modified or erased. Other than that, a hard-drive duplicator is an imaging device that copies all files from the suspect hard drive to a clean drive; it can also duplicate data on flash drives. (www.dhs.gov, 2016)

Furthermore, WiebeTech produces several hardware write-blocking systems that are in use. The hardware can handle a variety of adapters to deal individually with the types of drive interfaces confronted in the environment. (Nelson, 2014)

In addition, write blocking can be accomplished by a software system. The original evidence is protected by FastBloc Software Edition when it is connected to the exact supported interface cards. Another software write blocker, SAFE Block from ForensicSoft, Inc., is available and does not require any additional licenses. Hence, on a Windows system, the registry can be manipulated for any USB-connected device. (Nelson, 2014)

P2P is commonly used for sharing illegitimate material, and there is a tool that separates information from evidence based on Java Object Serialization (JOS). Based on the requirements of JOS, this tool, AScan, can extract personal information concerning the users. On the other hand, another great tool is PyFlag, with which any recorded network traffic can be captured and reproduced. (Dezfouli and Dehghantanha, 2014)

First and foremost, the chain of custody is important for the investigation process, because it is the first step in corroborating digital video and audio evidence. Moreover, the chain of custody arranges the classification of the information even if the evidence has been cloned. With the improvement of technology, which has become more approachable, evidence has become simple to modify. Generally, the investigator collects the evidence from the client, who received it from the police. Therefore, the investigator has to consider the reports and legal documents carefully. The development has become accepted during the whole of investigations when the original evidence for the investigator's recovery. When recapturing the digital evidence at the site, the investigator has to approach the administrator for information about the evidence, such as the managerial log, date and file information. (Primeau Forensics, n.d.)

The investigator may obtain a search warrant from a magistrate on the basis of observed evidence. The search warrant may indicate targets consistently, characterized as electronic devices that communicate or accumulate qualified prohibited digital material. (Pdfs.semanticscholar.org, 2010)

During the investigation, there is no necessity to alter the existing evidence, because all analysis is handled on a representation of the original source, and the evidence can be extracted from the particular store, imaged, and documented against the original source and the duplicate. Moreover, for all types of evidence it is compulsory that the procedures used are entirely reproducible, trustworthy and valid. (Scanlon and Kechadi, n.d.)

Furthermore, it is valuable to remember that the forensic process is capable of recovering other evidence. In this situation, procedures should be developed; hence, the order of completion and the manner of the examinations should be carried out so as to collect the complete evidentiary content. (Madhub, 2014)

Task 2

Date: 10th January 2018 (2pm)

Investigating the employee’s computer system

The investigator may obtain a search warrant from a magistrate on the basis of observed evidence. The search warrant may indicate targets consistently, characterized as electronic devices that communicate or accumulate qualified prohibited digital material. (Primeau Forensics, n.d.)

The process of the chain of custody is as follows. Protect the original packaging materials. Take as many snapshots of the physical evidence as possible. Take screenshots of the content of the evidence. Document the date, time and information of the declaration. Ingest a reproduction of the evidence into the forensic computers. And lastly, perform a test analysis to further corroborate the working clone. (Primeau Forensics, n.d.)

Legal authorization gives judicial legitimacy to the evidence; therefore, handling evidence is an important step. Further, a search warrant is required to seize evidence (Antwi-Boasiako and Venter, n.d.). During the investigation, there is no necessity to alter the existing evidence, because all analysis is handled on a representation of the original source, and the evidence can be extracted from the particular store, imaged, and documented against the original source and the duplicate. (Scanlon and Kechadi, n.d.)

There are two categories of techniques: Storage Device Capability Observation and Storage Device Capability Query. First off, Storage Device Capability Observation adopts consideration of the device labels and technical specifications, and therefore the device termination. On the other hand, Storage Device Capability Query adopts a program to query the device for its information. (Carrier and Spafford, 2006)

A hardware tool that will be selected to analyse the evidence is a write-blocker, which is a read-only device that allows the user to read the data on a suspect device without the opportunity to modify it. (www.dhs.gov, 2016)

The collection of evidence is as follows: removable media is established by the application and virtualized in RAM without any trace on the hard disk. The malware is in RAM, without evidence on the hard disk. Lastly, there are well-known websites that offer users the means to cover the tracks they have created. (Henry, 2009)

The process of analysis may include the following. File fragments and hidden files have to be recognized and recovered, and their location catalogued, e.g. slack, free or used space. Moreover, the file structures, headers, and characteristics are to be analysed to determine the data description of each and every file. Furthermore, deleted, cloaked, encrypted and fragmented files must be inspected. The size of all graphic files has to be presented. The Internet activities, chat archives, and email communications are examined based on complicated search performance. The collection of the drive's directory structure is demonstrated. And reports are developed. (Subramaniam, n.d.)

One form of documentation of evidence is the system duplication. Evidence may be found during the image investigation, which helps to recreate the scene and review it. Finally, camera/video photography and graphics are used, and notes are made on the document. Thus, the documentation at the scene begins with the chain of custody. (Jawad Abbas, 2015)

In the chain of custody, the documentation has to include the device description and the device's protection from electromagnetic interference. Moreover, it must confirm that the data source has not changed. However, if it has changed, the documentation may state the cause of the change. (Graves, 2013)
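
The custody steps described above (record when, where and by whom the evidence was handled, then test the working clone against the original source) are sketched here as an added example that is not taken from the essay or its cited sources. It assumes SHA-256 as the integrity test, which the essay does not name; the device description, handler names and image bytes are constructed.

```python
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash an image in chunks so a large disk image never loads fully into RAM."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

@dataclass
class CustodyRecord:
    device_description: str
    acquisition_hash: str  # digest taken when the image was acquired (assumed SHA-256)
    entries: list = field(default_factory=list)

    def log(self, handler, location, action, when=None):
        """Record who handled the evidence, where, when, and what was done."""
        when = when or datetime.now(timezone.utc)
        self.entries.append({"when": when.isoformat(), "handler": handler,
                             "location": location, "action": action})

    def verify(self, stream, handler, location):
        """Re-hash a working copy and log whether it still matches the acquisition."""
        current = sha256_stream(stream)
        unchanged = current == self.acquisition_hash
        self.log(handler, location, f"verified sha256={current} match={unchanged}")
        return unchanged

# Constructed sample bytes standing in for a real disk image file.
ORIGINAL_IMAGE = b"\x00" * 4096 + b"constructed sample sector data"
record = CustodyRecord("Constructed example: SATA drive, evidence label EX-001",
                       sha256_stream(io.BytesIO(ORIGINAL_IMAGE)))
record.log("Investigator A", "Employee workstation", "imaged through write-blocker")

def demo():
    """Verify an intact clone, then a clone with one altered byte."""
    clone_ok = record.verify(io.BytesIO(ORIGINAL_IMAGE), "Examiner B", "Forensic lab")
    altered = ORIGINAL_IMAGE[:-1] + b"X"
    altered_ok = record.verify(io.BytesIO(altered), "Examiner B", "Forensic lab")
    return clone_ok, altered_ok, len(record.entries)

if __name__ == "__main__":
    print(demo())
```

Every verification is itself appended to the log, so the record shows both the handling history and each point at which the copy was confirmed unchanged.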