There are four stages in the evidence lifecycle for investigating the employee's computer: preparation, evidence collection, preservation, examination and analysis, and presentation.

First, preparation. In court the investigator needs to declare how the seized evidence was disturbed, so the evidence that must be collected is seized and filed by the authorities (Subramaniam, n.d.). At the scene, the investigator should interpret the description of the media likely to be found, and a brief preliminary investigation can be carried out with the appropriate party. The preparation phase may also cover setting out responsibilities and boundaries, and advising the client on the impact and implications that the investigation's conclusions may carry (Subramaniam, n.d.).

The second stage of the evidence lifecycle is evidence collection. The devices are documented in their setting and an investigator's journal should be kept. The number and date of each piece of evidence are delivered through label management. The user of the system is interviewed to obtain the computer's IP address, which supports the investigation. The source of the evidence is identified, together with the hardware and software the investigator will use where applicable, so that the breakdown of the evidence is forensically sound and effective. A write-protected manner of acquiring the evidence can be achieved, and the authorised software should be used to control the progress of disk acquisition and imaging. An image of the suspect's disk can be prepared by that software, especially when the suspect's disk is duplicated (Subramaniam, n.d.).

Preservation: the forensic method used must be completely non-invasive towards the original data. At the same time the files are duplicated so that no files or information are lost. Duplicating the copies makes the files visible, as distinct from free space that may contain hidden data, hidden partitions containing hidden data, slack space, registry information, unallocated space, temporary files, hidden files, history files and so on (Subramaniam, n.d.). Examination and analysis is the stage on which the outcome of the case depends: closing the case, prosecution, settlement or conviction. During this process due care must be taken, and any work on the original evidence must be avoided (Subramaniam, n.d.). Lastly, presentation: the findings must be presented in a consistent manner, which may include screen captures, original files and so on, with clear evidence information and the techniques used presented alongside (Subramaniam, n.d.).

The admissibility of evidence comes in four basic forms: demonstrative evidence, documentary evidence, real evidence and testimonial evidence. First, demonstrative evidence: if it is sufficient for the task at hand, correctly and adequately illustrates the testimony, and is otherwise unobjectionable, it will be admissible. Examples of demonstrative evidence are a diagram and a description of the scene of an occurrence. Because its purpose is to clarify testimony, the witness whose testimony is being illustrated authenticates the demonstrative evidence (Findlaw, n.d.). Another form is documentary evidence: a document used as evidence must be genuine, the same as any other real evidence. The rule of evidence that contributes most where a writing is offered in evidence is that a copy, or other secondary evidence of its contents, will not be received in place of the document unless an explanation is offered for the absence of the original (Findlaw, n.d.). Real evidence: an action based on real evidence serves to convince as to the terms and the defendant's conduct. Even if it is written in a stumbling way, it may still be relevant to present. For real evidence to be admissible, it must be relevant, competent and material (Findlaw, n.d.). Lastly, testimonial evidence: questions of competence and connection, which can lead to exclusion of the evidence, are considered in preference to questions of weight; furthermore, the competence guidelines are interpreted and may result in the exclusion of evidence (Findlaw, n.d.).

The type of evidence to be collected: documentation at each stage is what establishes the reliability of the evidence. Collecting and handling the evidence with documentation is required to preserve the chain of custody.
It is essential that every individual who handled important evidence can be identified. Care should be taken that a note is made of when the evidence was collected, from where, and by whom (Casey, 2011). The representation of evidence in the previous section is coincidental, so it is assumed that the computer behind an IP address reliably identifies who is classifying or possessing prohibited material. First, the IP address is resolved to a person, to complete the picture of the machine responsible for the traffic. The investigator can obtain a subpoena from a magistrate petitioning the ISP to return the account information (Pdfs.semanticscholar.org, 2010). Lastly there is storage, meaning it is important to collect significant information at the investigation scene. However, for maintenance and operational purposes a large amount of metadata is distributed per node in a P2P network, and logging a bundle of incoming and outgoing traffic would require a large amount of storage (Myneedu and Guan, 2017).

Preserving the type of evidence may include identification. Classifying the type of evidence can be a challenge. A subpoena or search warrant needs to be prepared, and it is crucial to include any location in which evidence may reside. The phrasing of the identification must be correct and specific: using the term CPU means collecting the computer's Central Processing Unit rather than the computer itself (Daniel and Daniel, 2012). Collection likewise preserves the type of evidence. This step is decisive, since it is the first real contact with the evidence. If the collection procedures are not followed, the evidence may be altered or destroyed, and hence lost (Daniel and Daniel, 2012). Blacklisting relies on active observation, which may significantly expose the investigator's IP address. A passive application-level approach, on the other hand, avoids the issue of exposing addresses but collects a limited quantity of information (Myneedu and Guan, 2017). Encryption, likewise: encrypting the communications between peers affects the observation of P2P traffic at the network level. Even if the network is observed at numerous locations, the adoption of encryption can make it practically impossible to acquire meaningful information from the network.
Even if the network data is encrypted, an initial evidence collection tool needs to be effective and should still carry out its functions (Myneedu and Guan, 2017). Finally, write-protection technologies: files can be read-only, and the concept is described as files with the write-protection function enabled from the start. A file can thus be preserved by write protection; preserving the original file prevents inactivity and avoids attack by viruses (Zhang, 2014).

A hardware tool that will be selected to analyse the evidence is a write-blocker, a read-only device that allows the user to read the data on a suspect device without any opportunity to modify it. In other words, it prevents the contents of a storage device from being modified or erased. In addition, a hard-drive duplicator is an imaging device that copies all files from the suspect hard drive to a clean drive; it can also duplicate data from flash drives (www.dhs.gov, 2016). Wiebetech produces several hardware write-blocking systems that are in use; the hardware can be fitted with a variety of adapters to deal with each type of drive interface encountered in the environment (Nelson, 2014). Write blocking can also be accomplished by a software system. The original evidence is protected by FastBloc Software Edition when it is connected through an exactly supported interface card. Another software write blocker, SAFE Block from ForensicSoft, Inc., is available and does not require any additional licences. On a Windows system, the registry can also be manipulated to control any USB-connected device (Nelson, 2014).

P2P is commonly used for sharing illegitimate material; one tool separates the information from evidence based on Java Object Serialization (JOS). Based on the requirements of JOS, this tool, AScan, can extract personal information about the users. Another useful tool is PyFlag, with which any recorded network traffic can be captured and reproduced (Dezfouli and Dehghantanha, 2014). First and foremost, the chain of custody is important for the investigation process, because it is the first step in corroborating digital video and audio evidence. The information is classified and arranged by the chain of custody even if the evidence has been cloned. As technology improves and becomes more accessible, evidence has become simple to alter. Generally, the investigator collects the evidence from the client, who received it from the police.
The investigator therefore has to think carefully about the reports and legal documents. It has become accepted throughout investigations that the original evidence is what the investigator recovers. When recapturing digital evidence at the site, the investigator has to approach the administrator for information about the evidence, such as the management log, date and file information (Primeau Forensics, n.d.). The investigator may obtain a search warrant from a magistrate on the basis of observed evidence. The search warrant may therefore consistently indicate targets characterised as electronic devices communicating or accumulating prohibited digital content (Pdfs.semanticscholar.org, 2010). During the investigation there is no need to alter the existing evidence, because all analysis is handled on a representation of the original source; the evidence that can be extracted from the particular acquisition is imaged and documented against the original source and duplicated. Since all types of evidence must be dealt with so that the entire procedure is reproducible, trustworthy and valid, this is compulsory (Scanlon and Kechadi, n.d.). It is also valuable to remember that forensic methods develop and may become capable of recovering other evidence. In this situation the procedures should be developed so that the order of completion and the examinations carried out collect the complete evidentiary content.
(Madhub, 2014)

Task 2
Date: 10th January 2018 (2pm)
Investigating the employee's computer system

The investigator may obtain a search warrant from a magistrate on the basis of observed evidence. The search warrant may therefore consistently indicate targets characterised as electronic devices communicating or accumulating prohibited digital content (Primeau Forensics, n.d.). The chain of custody process is as follows: protect the original packaging materials; take as many photographs of the physical evidence as possible; take screenshots of the evidence; record the date, time and details in the declaration document; load the reproduction of the evidence onto the forensic computers; and lastly, perform a test analysis to corroborate the working clone (Primeau Forensics, n.d.). Judicial legitimacy is conferred on the evidence by legal authorisation, so handling the evidence correctly is an important step. Furthermore, a search warrant is required to seize evidence (Antwi-Boasiako and Venter, n.d.). During the investigation there is no need to alter the existing evidence, because all analysis is handled on a representation of the original source; the evidence that can be extracted from the particular acquisition is imaged and documented against the original source and duplicated (Scanlon and Kechadi, n.d.). There are two categories of techniques: Storage Device Capability Observation and Storage Device Capability Query. Storage Device Capability Observation considers the device labels and technical specifications, and thereby determines the device's capacity.
Storage Device Capability Query, on the other hand, uses a program to query the device itself for information about its capability (Carrier and Spafford, 2006). A hardware tool that will be selected to analyse the evidence is a write-blocker, a read-only device that allows the user to read the data on a suspect device without any opportunity to modify it (www.dhs.gov, 2016). The collection of evidence is as follows: the removable media is set up by the application and virtualised in RAM without leaving any trace on the hard disk; the malware is in RAM without any evidence on the hard disk; and lastly, well-known websites offer users ways to cover the tracks they have created (Henry, 2009).

The analysis process may include recognising and recovering file fragments and hidden files and cataloguing their locations, e.g. slack, free or used space. The file structures, headers and characteristics are analysed to determine the data description of each and every file. Deleted, cloaked, encrypted and fragmented files must be inspected. All graphic files have to be presented. Internet activity, chat archives and email communications are found through complex searches. The drive's directory structure is collected and demonstrated, and reports are developed (Subramaniam, n.d.). One form of documentation of evidence is the system duplicate: evidence may be found during investigation of the image, which helps to recreate and review the scene.
Finally, camera/video photography and graphics are used, and notes are made in the documentation. Documentation at the scene is thus the beginning of the chain of custody (Jawad Abbas, 2015). In the chain of custody, the documentation has to include the device description and the protection of the device from electromagnetic interference. It also has to confirm that the data source has not changed; if it has changed, the documentation must record the change (Graves, 2013).
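As an added example that is not part of the original essay or its sources, the following Python routine puts the preservation and chain-of-custody points above into practice: the source is opened read-only and copied byte for byte, the image is confirmed against the source by SHA-256, and a record of who collected it, when and from where is written alongside the image. The disk content, investigator name and location are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # copy/hash 1 MiB at a time so a large drive never sits fully in RAM

def sha256_of(path):
    """SHA-256 of a file read in chunks; computed for both the source and the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, collected_by, location):
    """Copy source (opened read-only) byte-for-byte to image and verify by hash.
    Returns the chain-of-custody record: digest plus who, when and from where."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    if src_hash != img_hash:
        raise RuntimeError("image does not match source; repeat the acquisition")
    return {"source": source, "image": image, "size_bytes": os.path.getsize(source),
            "sha256": src_hash, "collected_by": collected_by, "collected_from": location,
            "collected_at": datetime.now(timezone.utc).isoformat()}

def verify_image(image, record):
    """Re-hash the image later (before analysis, or in court) to show it is unchanged."""
    return sha256_of(image) == record["sha256"]

def demo():
    """Constructed sample: a fake 'suspect disk' in a temp directory, not real evidence."""
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "suspect_disk.bin")
    image = os.path.join(tmp, "suspect_disk.dd")
    with open(source, "wb") as f:
        f.write(b"MBR" + os.urandom(4096) + b"slack\x00\x00")  # constructed content
    record = acquire_image(source, image, "Investigator (placeholder)", "Office 12 (placeholder)")
    with open(image + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)  # the written note of who, when and from where
    intact = verify_image(image, record)
    with open(image, "ab") as f:
        f.write(b"x")  # simulate a later modification of the image
    return intact, verify_image(image, record)  # (True, False)
```

The second value returned by demo() shows how a later hash check exposes any change to the image, which is the confirmation the chain-of-custody documentation is meant to provide.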