April 15, 2013 by Ozgur Ozden
The advancement of the internet has added a new kind of crime to our vocabulary, and with it a new discipline: computer forensics. This branch of science collects forensic evidence to be used in court in cases of cybercrime. Encyclopedia Britannica describes cybercrime as “the use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy.” Computers are involved, to a greater or lesser degree, in most of the crimes committed today. Collecting solid, proper and analytical evidence to back up a court case is therefore crucial in fighting crime, as well as in extending our current laws to cyberspace.
We can summarize the steps to collect forensic evidence as follows:
Consultancy: This is the first step in collecting forensic evidence. Here, the team of experts establishes what kind of information is being sought, and discusses and develops possible strategies. Possible outcomes, and the location of important evidence that can be used in court, are identified. In brief, this is the step that identifies what the team is looking for and what the expected outcome will be.
Data Preservation: Data contained in a computer may change at any time: attributes such as creation date, reply date and last access can change, and a boot sequence may change many things. So we need to make sure that the data we are about to investigate is intact, is not infected by any virus, and is not harmed either mechanically or electromagnetically. Otherwise we may lose the data or end up with altered results.
Data Collection: In the previous step we secured the data; now we need to extract it. Using software specifically designed for this purpose:
– data can be collected from disk drives
– data can be collected from damaged drives
– deleted mails and information can be recovered
– password-protected documents or folders can be cracked
– calendar, contacts and lists can be collected
Copying of hard drives, disks and servers is usually done with imaging software. This creates a snapshot copy of the data, including every sector on the hard drives. The imaging process does not disturb the investigated data, so the original data is preserved.
Data Recovery: This is the step where all the data needed for analysis is collected from the various parts of the system. This data may be located in active data, which is the part of the hard drive in active use, either by many users or by a particular user. Data may also have been deleted yet still reside on the hard drive, where it can be recovered, or it may reside in unused parts of the hard drive. All this work is done on the snapshot image of the original files.
Forensic Analysis: The huge amount of data collected in the previous step is analyzed here. This vital analysis may include:
– searching for specific details related to the crime, such as names, dates, amounts, etc.
– checking that the documents are original and genuine
– searching for internet, mail or history activity
– re-creating certain events, logins and details
Report: Once the analysis is done, the expert prepares a detailed report about the findings to be presented to the court, and testifies if necessary.
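The preservation, imaging and analysis steps above can be illustrated with a short added example (this code is not from the original post or from any tool it refers to). It copies a source byte for byte, shows that the source was not disturbed and that the copy is identical, then searches only the copy. Using SHA-256 digests as the integrity check is an assumption of this example, and the file names and sample bytes are constructed.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a large drive never has to fit in memory

def sha256_of(path):
    """Digest a file or raw device; it is opened read-only, so nothing is altered."""
    digest = hashlib.sha256()
    with open(path, "rb") as src:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def acquire_image(source, image_path):
    """Copy every byte of `source` to `image_path`; return the digests that prove it."""
    before = sha256_of(source)
    with open(source, "rb") as src, open(image_path, "xb") as dst:  # "xb": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    os.chmod(image_path, 0o444)  # the working copy is read-only from here on
    return {"source_before": before,
            "source_after": sha256_of(source),  # unchanged: the original was not disturbed
            "image": sha256_of(image_path)}     # equal: the image is a faithful copy

def search_image(image_path, terms):
    """Return {term: [byte offsets]}, matching anywhere in the image, not only in live files."""
    with open(image_path, "rb") as img:
        data = img.read()  # fine for the sample; scan in overlapping chunks for real drives
    return {t: [m.start() for m in re.finditer(re.escape(t.encode()), data, re.I)]
            for t in terms}

def run_demo():
    """Image a constructed 'drive' inside a temporary directory and search the copy."""
    # Constructed sample: filler bytes around two text fragments (names are made up).
    sample = (b"\x00" * 512 + b"Payment to John Doe, 2013-04-05, amount 12500"
              + b"\xff" * 512 + b"john doe <jd@example.com>" + b"\x00" * 100)
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "evidence.dd")   # hypothetical file names
        image = os.path.join(work, "evidence.img")
        with open(source, "wb") as f:
            f.write(sample)
        digests = acquire_image(source, image)
        hits = search_image(image, ["John Doe", "12500", "invoice"])
    return digests, hits

if __name__ == "__main__":
    print(run_demo())
```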
Forensic science for cybercrime in Turkey is carried out under legislation accepted by the parliament in 2007, with acceptance number 5651. My search indicates that the details and analytic steps that need to be taken during collection in Turkey are still not regulated.
1- Cybercrime, Encyclopedia Britannica, (2013), online, available at: http://www.britannica.com/EBchecked/topic/130595/cybercrime [Accessed: 5 April 2013]
2- Adrian T.N. Palmer, Computer Forensics: The Six Steps, (2000), online, available at: http://www.krollontrack.co.uk [Accessed: 5 April 2013]
3- Misbah Saboohi, Collecting Digital Evidence of Cyber Crime, (Year Unknown), online, available at: http://www.supremecourt.gov.pk/ijc/Articles/10/2.pdf [Accessed: 5 April 2013]