Toriality's Blog

COMPUTER FORENSICS - 03

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 03 SOURCES: INFOSECINSTITUTE.COM

COMPUTER FORENSICS: THE CODE OF ETHICS.

CODE OF ETHICS ENSURES FAIRNESS AND INTEGRITY:

An important aspect of most professional associations is their code of ethics.
A code of ethics is normally established and defined by the practitioners themselves, and is part of a membership practice and (often) licensing.
In computer forensics, the International Society of Forensic Computer Examiners (ISFCE) establishes the code of ethics and professional responsibility for the field. It requires an examination, which also has specific guidelines regarding how the exam is to be taken (such as not cheating). Like most codes of conduct, this one requires that each and every member abide by its rules in order to maintain good standing, retain licensing, and avoid potential suspension or revocation of certification if the code is broken.

DETAILS OF THE CODE OF ETHICS:

The heart of the code of ethics is broken up into two parts: what the practitioners "will at all times" do, and what they "will never" do. This two-part list includes unequivocal statements of responsibility.
WHAT A CERTIFIED COMPUTER EXAMINER "WILL AT ALL TIMES" DO:

    The code states, in part, that an examiner will at all times demonstrate "commitment and diligence", "abide by the highest moral and ethical standards", as well as "comply with all legal orders of the courts" and "thoroughly examine all evidence" within the scope of an investigation.

WHAT A CERTIFIED COMPUTER EXAMINER "WILL NEVER" DO:

    An examiner commits to "never withhold any relevant evidence", "reveal any confidential matters", "express an opinion on the guilt or innocence of any party" or "engage in any unethical or illegal conduct", among other express limitations.

COSTS OF CERTIFICATION:

US$ 395 (2019). Members must retake the exam every two years in order to stay current.

IMPORTANT LINKS:

Home page for the ISFCE:    https://www.isfce.com/
The code of ethics:            https://www.isfce.com/ethics2.htm

COMPUTER FORENSICS ROLES AND RESPONSIBILITIES:

INTRODUCTION:

Although there's still plenty of crime that requires a police force on our streets, the internet neighborhood has created another crime arena that grows larger every day. And that's where computer forensics comes in, a field where e-forensic experts spend their time chasing bad guys through file recovery of every kind.
To do the job, a computer forensics expert needs a lot of training, plenty of hands-on experience with data and file recovery, and the psychological stamina to wade through some pretty dark data bits. It's not a career for everyone.

CROSS-TRAINING IS BECOMING MORE COMMON:

More and more often, police officers and other investigators are cross-training in computer forensics as electronic devices become integral to our daily lives and a source of increased levels of crime. For the forensics investigator, then, top-notch e-recovery skills are imperative for the job, but that's only the beginning. A computer forensics specialist will also need to know how to communicate with any number of professionals in related fields, including the police, the legal profession and the courts, as well as company officials, among others. Communication will also include report writing and extensive documentation, so the ability to write is an important aspect to consider. If sitting for lengthy periods of time in front of a computer screen and then generating detailed reports does not appeal to you, this field may not be a good fit.

A REAL-LIFE FORENSIC INVESTIGATION:

When Hillary Clinton was found to be using a private home server to send classified correspondence as US Secretary of State (2009 - 2013), forensic specialists were sent in to find out what had been sent, where and to whom. They were also searching to learn if Clinton had violated federal regulations around both the protection and disclosure of government information. It was an issue of recordkeeping, and Clinton was cleared.
How did the FBI learn about the private server? They used forensic collection methods that allowed them to backtrack email correspondence sent out from the private home server to other government servers they could access. Specialists also recovered data from an old server that had been wiped clean. Why was this such an issue? In the USA, government information has to be available to the public, unless it is classified, and that material needs to be protected from hackers and cyber-attacks. A private server precludes that protection.
Out of 30,000 emails, more than 2,000 contained classified material, and more than one hundred contained secret or top secret information. FBI investigators determined that Clinton's home server had not been compromised, although its security measures were poor. One account was found to have been hacked through the Tor anonymizer application. No other breaches have been found in this case, and Hillary Clinton was cleared by the FBI of any wrongdoing, at least for now.
If you are considering a career in this field, you can expect to start with a decent salary in the $50,000 range, moving up as you become more expert in the field. Not only will you need to develop the hard skills to extract data from computers or other similar devices to find information, but you will also have to interpret that data and write reports about it. You may also be called to testify in courts of law, where your credibility will be closely scrutinized and even called into question. Practitioners will sometimes work under pressure and possibly in tense conditions. Great communication abilities, both oral and written, are paramount for success. Forensic investigator John Irvine, in a conversation with thebalance, comments on the need for both soft and hard skills to do the job: "It's as much an investigative function as it is a technical challenge. If either skill set is missing, one will have a much harder time working successfully in the field."

DIGITAL EVIDENCE.

ETHICAL ISSUES WHEN EVALUATING DIGITAL EVIDENCE:

Evidence is something tangible that proves a fact. Digital evidence is evidence in electronic form. It can take a variety of forms - media, transactions, information - and can come from many sources - computers, smartphones, wearables, printers, home routers.
Before collecting evidence, the digital forensics examiner must ensure that he has the legal authority to identify, collect and preserve digital evidence.
A constant challenge of digital forensic examination is the fragility of digital evidence. Depending on data persistency and volatility, digital evidence can be classified from less fragile to very fragile. Volatile data, such as the contents of main device memory and network connections, can be altered or eliminated rapidly. Persistent data stored on device media can still be tampered with or overwritten.

HOW CAN EVIDENCE SHAPE AN INVESTIGATION:

Digital forensics involves acquiring and analyzing digital information for use as evidence in criminal, administrative, civil or intellectual property cases.
ADMINISTRATIVE INVESTIGATIONS:

    Depending on the nature of the action, an administrative investigation might become a criminal matter, despite the fact that it is not criminal in nature, if information is developed to prove a fact such as corruption or misbehavior of employees, which are the most common issues in this type of investigation. Examples of misbehavior of employees are accusations of sexual harassment, profiling, bribe taking, stalking, and racial discrimination. Misbehavior may also be a form of corruption, such as unauthorized phone calls, short working days, office supplies expropriation, and private use of a government vehicle. To find digital evidence, an administrative investigation involves the inspection of the networks and computer systems of the employee in question. That may include computer hardware, email and work management applications. In addition to the workplace, evidence can also be found in external sources, such as social media. Evidence can also be derived from the employee's address book, calendar, phone logs and timesheets. Clerks, analysts, police officers, peace officers, detectives, special and private investigators perform administrative investigations at times. The results of such investigations are reviewed by an administrative law judge if the case takes on a criminal nature.
    
CRIMINAL INVESTIGATIONS:

    The difference between a crime and a tort must be established. While torts involve disputes between individuals, a crime involves a breach of law where the public or a member of the public is affected.

    From a digital forensic investigator's perspective, crimes and torts are handled in different manners. A volitional act, harmful or offensive contact to the plaintiff, and causation are the elements that define a tort, while intent, conduct, concurrence and causation define a criminal action. The digital evidence examiner should support these elements and must also be aware of the definition of a crime.

    Another important aspect of criminal investigation is exculpatory evidence. Inculpatory evidence tends to incriminate or prove guilt, while exculpatory evidence tends to prove the innocence of the defendant. A criminal investigation can be launched as a response to a complaint made to law enforcement by a victim, an indictment conducted by a grand jury, or the observation of a crime by law enforcement or by a non-victim citizen. In the case of a criminal investigation, and based on an authorized search warrant, a forensic investigator can forcibly seize a computer and other devices that may have been used for criminal purposes. This is a privilege, however, and exculpatory evidence presents limitations because of the duty to disclose it. An attorney can be consulted before publicly disclosing the investigation results.
    
CIVIL INVESTIGATIONS:

    Civil investigations are proceedings in which questions of property or money need to be settled. In most civil lawsuits, two parties are arguing about an issue that relates to their legal rights. This type of investigation is used to collect the evidence that is essential to deal with such disputes. Disputes fall into six fundamental categories:
    
        - Lawsuits for damages;
        - Requests for court orders;
        - Civil rights actions;
        - Requests for declaratory judgments;
        - Dispute over contracts or other agreements;
        - Appeals from administrative decisions.
        
    Unlike a criminal investigation, which is conducted by law enforcement agents, civil investigations are conducted primarily by private investigators. Attorneys may also participate to get better results. The main concern of civil investigators is deriving evidence, which may come from private or public records. When conducting the investigation, the following three general methods are used:

        Interviews and interrogations:
        
            The investigator has no authority to use coercive, threatening, or harassing means to obtain information and is not authorized to make a legal arrest.
            
        Physical surveillance:
        
            Listening in on conversations that take place in public between relevant subjects. Eavesdropping or recording a phone conversation is prohibited by federal law. The investigator should obtain consent from at least one of the subjects of the conversations. Visiting the physical location is also part of the investigation.
            
        Record checking:
            
            Records can be bank accounts, phone logs, credit reports, criminal records, and court documents.
            
    Notice that evidence gathered by civil investigators in a legal manner is usually admissible.
    
CRIMINAL X CIVIL COMPARISON:

    Criminal Investigations:

        • Disputes or lawsuits in which questions of property or money must be settled;
        • The violation of a criminal statute leads to the application of punishment such as imprisonment;
        • Conducted by law enforcement investigators;
        • Physical evidence;
        • Investigator can forcibly seize the computer to obtain information.

    Civil Investigations:

        • Inflicted upon individuals or organizations;
        • Punishment cannot include imprisonment;
        • Conducted primarily by private investigators;
        • Checking public and private records;
        • Investigator has no authority to use coercive, threatening or harassing means to obtain information;
        • The investigator is not authorized to make a legal arrest.

INTELLECTUAL PROPERTY INVESTIGATIONS:

    Trademarks, copyrights, trade secrets, licenses and patents are all types of intellectual property. The goal of an intellectual property investigation is to prevent intellectual property theft.

    Network topology, server shares, logs (proxy, VPN, phone, DNS), video systems and access control systems are sources of logical evidence. Physical evidence requires seizing the equipment used by the suspect. Proper authorization should be requested to legally access the equipment. Computers, mobile devices and removable media are among the sources of physical evidence.