Investigation Scope and Digital Evidence

DFI Part 7

Yash Gorasiya
Cyversity
5 min read · Jan 9, 2022


Not all cases are the same: different types of cases require different types of investigations, and different types of investigations are governed by different rules and levels of strictness.

The investigation of any crime involves the meticulous collection of clues and forensic evidence, with close attention to detail. In this article we will look at the main types of cyber crime investigation cases, the crime reconstruction process, digital evidence, and the evidence rules that must be followed during an investigation. Electronic devices have become part of our daily routine, so at least one of them (a computer, a mobile phone, a printer, a fax machine) will almost inevitably be found at a crime scene. A device recovered from the scene may contain valuable evidence and play a major role in solving the case; if that evidence is tampered with, the case may remain unsolved. Therefore, the information on the device must be acquired and examined in a forensically sound manner for it to be accepted by a court of law.

The main types of cyber crime investigation cases are as follows:

  • Civil
  • Criminal
  • Administrative
  • Internal

Civil Cases

Civil cases are brought for breach of contract and other lawsuits between parties, where a finding of liability generally results in monetary damages awarded to the plaintiff. The investigation is carried out to collect data about a case concerning the safety of the organization's assets, such as its internal network, copyrights, and other resources. In such cases the investigator tries to present the opposing party with proof that supports the claims and induces a settlement. Searches of devices are generally based on mutual agreement, which gives the opposing party a wider window of time in which to hide or destroy evidence. The initial reporting of the evidence is generally informal. The claimant is responsible for the collection and analysis of the evidence. Remedies are monetary compensation rather than imprisonment. Such cases are often poorly documented, or the chain of custody for the evidence is unknown; sometimes the evidence is under a third party's control. An investigator carrying out such investigations should preferably have a background in law. Civil investigations are usually harder to conduct, especially within large organizations, because of their size and complexity. For example, the whole case may depend on the investigator's ability to prove that a certain user was logged into a system at a certain time, so the tools used in such investigations are usually more sophisticated and expensive.

Criminal Cases

Criminal cases are generally brought by law enforcement agencies in response to a suspected violation of the law, where a guilty verdict may result in a fine, imprisonment, or both. Investigators must follow the standard forensic processes accepted by law in the respective jurisdiction. Under a court's warrant, investigators have the authority to seize computing devices by force. A formal investigation report is required. Law enforcement agencies are responsible for collecting and analyzing the evidence. The standard of proof is very high ("beyond reasonable doubt" in most jurisdictions), so the evidence must be collected and handled to a correspondingly high standard. Certain evidence, such as data from a Global Positioning System (GPS) device, can be difficult to capture.

Administrative Investigations

An administrative investigation generally involves an agency or government body making inquiries to establish facts about its own management and performance. Administrative investigations are non-criminal in nature and concern misconduct or other activities of an employee, including but not limited to:

  • Violation of organization’s policies, rules, or protocols
  • Resource misuse or damage or theft
  • Threatening or violent behavior
  • Improper promotion or pay raises

A violation may result in disciplinary action such as demotion, suspension, revocation of privileges, penalties, or dismissal. In situations such as promotions, pay increments, or transfers, an administrative investigation can also have a positive outcome, such as changes to existing policies, rules, or protocols.

Internal Investigations

An internal investigation is carried out inside an organization, typically into insider threats, security incidents, or employee policy violations. The investigator usually has to follow the organization's own guidelines and policies during every step of the investigation. Examples of cases that require internal investigation are fraud, data exfiltration, and sexual harassment in the workplace. If the investigator uncovers more serious matters, such as terrorism, they must immediately inform the official law enforcement agencies.

In this section we will look at digital evidence, its types, the rules of evidence, and the best evidence rule.

Digital Evidence

Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form”. Digital information may be found by examining digital storage media, by monitoring network traffic, or by examining duplicate copies of digital data made during a forensic investigation. Digital evidence is largely circumstantial and fragile in nature (it can be altered, overwritten, or destroyed by ordinary use of the system, or simply by powering it off), which makes it difficult for a forensic investigator to trace criminal activity. Locard’s Exchange Principle, commonly paraphrased as “anyone or anything entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave”, applies to digital scenes as well: an intruder’s activity leaves traces in logs, file systems, and memory.

Types of Digital Evidence

Volatile Data

Data that is lost as soon as the device is powered off (and, for some items, as soon as the owning process exits); examples include the system time, logged-on user(s), open files, network information, process information, process-to-port mappings, process memory, clipboard contents, service/driver information, command history, etc. Because it cannot be recovered later, volatile data is collected first, in order of volatility, before the system is shut down or imaged.
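Two of the items above, network information and the process-to-port mapping, are a good illustration of why volatile data has to be decoded rather than just copied: on Linux the kernel exposes the live socket table as hex in /proc/net/tcp, and the owning process is only reachable through the socket inode in /proc/<pid>/fd. The following is an added example written for this article, not code from the original post. The socket table it parses is a constructed sample in the layout printed by a little-endian (x86-64) host, so it runs without a live system; the PID lookup only returns a result when run on a real Linux machine.

```python
"""Decode the Linux /proc/net/tcp socket table into readable volatile data.

Added example for this article, not code from the original post. The table
below is a constructed sample in the layout the kernel prints on a
little-endian (x86-64) host; nothing here needs a live system.
"""
import os
import socket
import struct

# TCP state codes from the kernel's include/net/tcp_states.h.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample (not captured from a real host): a listening service on
# 127.0.0.1:631 and an outbound HTTPS connection from 10.0.2.15.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17823 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B9C4 22D8B85D:01BB 01 00000000:00000000 02:000001A3 00000000  1000        0 29107 1 0000000000000000 22 4 30 10 -1
"""


def decode_endpoint(hex_endpoint):
    """Turn the kernel's 'AAAAAAAA:PPPP' form into ('a.b.c.d', port).

    The address is a 32-bit value printed in host byte order, so on a
    little-endian host the octets appear reversed relative to dotted-quad.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))   # sample is little-endian
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(table_text):
    """Parse the text of /proc/net/tcp into a list of socket records."""
    records = []
    for line in table_text.splitlines()[1:]:       # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_endpoint(fields[1])
        remote_ip, remote_port = decode_endpoint(fields[2])
        records.append({
            "local": f"{local_ip}:{local_port}",
            "remote": f"{remote_ip}:{remote_port}",
            "state": TCP_STATES.get(fields[3], f"UNKNOWN({fields[3]})"),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return records


def find_pid_for_inode(inode, proc_root="/proc"):
    """Map a socket inode to the PID that owns it by scanning /proc/<pid>/fd.

    Only meaningful on a live Linux system; returns None if /proc is not
    available, the socket's owner has already exited, or the fd table is not
    readable (collect as root when doing this for real).
    """
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:        # process vanished or permission denied
            continue
    return None


if __name__ == "__main__":
    for rec in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        pid = find_pid_for_inode(rec["inode"])     # None unless on a live host
        print(f'{rec["local"]:>22} -> {rec["remote"]:>22} {rec["state"]:<12} '
              f'uid={rec["uid"]} inode={rec["inode"]} pid={pid}')
```

On a live system you would read the real file with `open("/proc/net/tcp").read()` instead of the sample, and do so before anything else that might disturb the process table, because a connection that closes or a process that exits between the two reads leaves an inode with no owner, which is exactly the kind of loss the order-of-volatility rule is meant to avoid.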

Non-Volatile Data

Persistent data stored on secondary storage devices such as hard disks and memory cards, which survives a power cycle; examples include hidden files, slack space, the swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, event logs, etc.

Examples of cases in which digital evidence may assist the forensic investigator in the prosecution or defense of a suspect:

  • Identity theft
  • Malicious attacks on computer systems themselves
  • Information leakage
  • Unauthorized transmission of information
  • Theft of commercial secrets
  • Use/abuse of the Internet
  • Production of false documents and accounts

Rules of Evidence

Digital evidence collection must be governed by five basic rules that make the evidence admissible in a court of law. Explained briefly:

  1. Understandable :- The evidence must be clear and understandable to the judge and jury.
  2. Admissible :- The evidence must be relevant to the fact being proved and must have been obtained in a manner the court accepts.
  3. Authentic :- The evidence must be genuine and appropriately related to the incident.
  4. Reliable :- There must be no doubt about the authenticity or veracity of the evidence, which in practice means documented, repeatable collection and an unbroken chain of custody.
  5. Complete :- The evidence must tell the whole story, covering facts that point to the suspect’s guilt as well as those that point to his/her innocence.

Best Evidence Rule

  • It states that a court only allows the original of a document, photograph, or recording to be presented at trial rather than a copy. However, a duplicate can be accepted as evidence provided the court finds the party’s reasons for submitting the duplicate to be genuine. For digital evidence, an exact, verified duplicate (a forensic image whose cryptographic hash matches that of the original media) is generally treated as equivalent to the original, which is why examiners work on images rather than on the seized device itself.
  • The principle underlying the best evidence rule is that the original evidence is considered the best evidence.
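The “authentic” and “reliable” rules above, and the best evidence rule’s acceptance of a faithful duplicate, all come down to one practical question: can the examiner show that the copy being analyzed is identical to what was seized? The usual answer is a cryptographic hash of the source and of the image, recorded in the chain-of-custody log and re-checked before every examination. The following is an added example written for this article, not code from the original post or from any forensic tool. It also covers the “duplicate copies of digital data” mentioned in the Digital Evidence section. The “drive” it images is a constructed byte string and the item and examiner names are hypothetical; a real acquisition would read the device through a write blocker, but the verification logic is the same.

```python
"""Hash-verify a forensic duplicate so the copy can stand in for the original.

Added example for this article, not code from the original post. The
'evidence' is a constructed byte string standing in for a drive; real
acquisitions use a write blocker and an imaging tool, but the verification
logic is the same: hash the source, hash the image, record both, re-check
before analysis.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # hash in 1 MiB pieces so large images never have to fit in RAM


def sha256_of_file(path):
    """Streaming SHA-256 of a file, returned as a hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Byte-for-byte copy of source to image; returns (source_hash, image_hash)."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    return sha256_of_file(source_path), sha256_of_file(image_path)


def custody_record(item, examiner, source_hash, image_hash):
    """One chain-of-custody entry. 'verified' is the fact a court will ask about."""
    return {
        "item": item,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }


def verify_image(image_path, expected_hash):
    """Re-hash the image later (before analysis, before trial) and compare."""
    return sha256_of_file(image_path) == expected_hash


def run_demo():
    """Image a constructed 'drive', verify the copy, then flip one byte in it
    and show the check fails. Returns (record, clean_ok, tampered_ok)."""
    evidence = bytes(range(256)) * 4096          # constructed 1 MiB stand-in
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_drive.bin")
        image = os.path.join(work, "item1.dd")
        with open(source, "wb") as f:
            f.write(evidence)
        src_hash, img_hash = acquire_image(source, image)
        record = custody_record("Item 1: suspect laptop SSD (hypothetical)",
                                "Examiner A (hypothetical)", src_hash, img_hash)
        clean_ok = verify_image(image, record["source_sha256"])
        with open(image, "r+b") as f:            # simulate tampering: one byte
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered_ok = verify_image(image, record["source_sha256"])
    return record, clean_ok, tampered_ok


if __name__ == "__main__":
    rec, clean, tampered = run_demo()
    print(f"image sha256            : {rec['image_sha256']}")
    print(f"verified at acquisition : {rec['verified']}")
    print(f"verified after tampering: {tampered}")
```

The single flipped byte changes the whole digest, so the mismatch is unmistakable; that is the property that lets a duplicate satisfy the best evidence rule. Two practical notes: the hash must be computed on the source before the examiner touches it in any other way (hence the write blocker), and the record should carry a hash that the court will still accept years later, which is why SHA-256 rather than MD5 alone is used here.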

So that was all for this article. I will be coming up with more such articles in this series. Till then,

Stay safe, stay masked up, and hope everything will be fine soon!


Associate Project Manager at The SecOps Group || Technical Writer at The SecOps Group || Cyber Security Writer at VulnMachines