
THE SIGNIFICANCE OF COMPUTER FORENSIC ANALYSIS TO LAW ENFORCEMENT PROFESSIONALS

By

Sanya-Isijola, Ademuyiwa

36641

ABSTRACT

The law enforcement community is in a constant race to apprehend criminals who commit
various cyber crimes with the aid of digital artifacts. Forensic analysis is used to analyze the digital
evidence or trail found in the digital artifacts used to perpetrate the crime. This report
discusses the history of digital forensics, the tools used and the various stages of forensic analysis.

INTRODUCTION

The use of computer and internet technology to commit crime increases daily,
and the abuse of this technology requires a response from those in law enforcement. Cyber crimes
such as child pornography, financial crimes, fraud, identity theft, etc. leave clear evidence that
can be investigated and retrieved for the purpose of prosecution. Law enforcement professionals
acknowledge the importance of digital forensic analysis and forensic tools in solving these
crimes.

1.0 What is digital forensics?

Digital forensics is the collection, preservation, analysis and presentation of digital evidence that
can be used to identify criminal activities or other activity that constitutes a violation. The four
main areas of digital forensics are Computer, Network, Software and Live system, and the digital
evidence found in these areas is:

• Acceptable in court
• Used to assist/further investigation
• Usable for internal disciplinary hearing

Digital evidence shows policy violation, illegal activities and abuse of IT infrastructure and
services. Law enforcement professionals get digital evidence from sources such as emails, hard
disks, removable media, audit log files, captured network traffic and network infrastructure (IDS,
firewall, proxies), but this evidence cannot be presented in court in that manner. Hence, they require
methods to extract such evidence and present it to court in a more meaningful manner. [1]

2.0 History of computer forensics and tools

During the 1980s, a government agency known as the IRS developed forensic tools to meet its
organization’s specific needs without considering the possibility that other agencies would need
the tools. By mid 1980, two commercial software tools called X-TREE Gold and NORTON
DISK EDIT were made available. These tools were used to recover lost and deleted files but
were not specifically designed as computer forensic tools. By the early 1990s, specialized tools
were available and the INTERNATIONAL ASSOCIATION OF COMPUTER
INVESTIGATIVE SPECIALISTS (IACIS) was formed. The IACIS offers training on computer
forensic tools to law enforcement professionals. Today, there are several computer forensic tools
available, such as ENCASE and HELIX.

3.0 The Digital Trail

The use of forensic analysis by law enforcement professionals will be meaningless without a
digital trail. At any point in time, anyone that uses a computer for any purpose leaves behind a
digital trail. A digital trail can reveal some of the following information:

• What files are accessed, when and by whom

• What files were modified, when and by whom

• What internet sites have been visited, etc.

The Operating System creates these digital trails for functional reasons such as speeding up
access to internet websites frequently visited and facilitating file access.

Below are a few examples of how digital trails are left by computer users:

• Sites frequently visited are stored in local RAM or cached to reduce the time taken to reload
web pages. These trails become a useful pathway to evidence for law enforcement
professionals when an individual uses a computer to commit a crime.
• Users falsely believe that when they delete a file from the recycle bin, the file is gone
for good. Unknown to them, only a reference to the file is deleted, and the actual file
remains on the drive until the disk space it occupies receives new data that overwrites
the so-called deleted file.

Hence, the digital trail provides law enforcement with evidence of intent that can be used for
the conviction and sentencing of the perpetrator. The combination of digital evidence with traditional
criminal investigation has helped in the conviction of nefarious criminals. [2]
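
The deleted-file behaviour described in this section, shown on a constructed 8-sector toy image (added example, not part of the original report; the one-entry directory layout and the function names are assumptions made for illustration, not a real file system). It carves a JPEG by signature after its directory reference is cleared, checks that the image hash is unchanged by the analysis, and shows recovery failing once the sector is overwritten.

```python
import hashlib

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker

def build_toy_image():
    """Constructed sample: 8-sector 'disk'; sector 0 holds a one-entry directory."""
    photo = JPEG_SOI + b"\xe0" + b"constructed-sample-pixels" + JPEG_EOI
    image = bytearray(SECTOR * 8)
    entry = b"PHOTO.JPG".ljust(16, b"\x00") + (3).to_bytes(4, "little")
    image[0:len(entry)] = entry                        # name + starting sector
    image[3 * SECTOR:3 * SECTOR + len(photo)] = photo  # file content in sector 3
    return image, photo

def list_directory(image):
    """What the user sees: names still referenced by the directory."""
    name = bytes(image[0:16]).rstrip(b"\x00")
    return [name.decode()] if name else []

def delete_file(image):
    """Deletion as described above: only the reference is cleared."""
    image[0:20] = bytes(20)

def carve_jpegs(image, data_start=SECTOR):
    """Read-only scan of sector boundaries for JPEG header/footer pairs.
    Assumes contiguous, unfragmented files."""
    raw, found = bytes(image), []
    for off in range(data_start, len(raw), SECTOR):
        if raw.startswith(JPEG_SOI, off):
            end = raw.find(JPEG_EOI, off)
            if end != -1:
                found.append((off // SECTOR, raw[off:end + 2]))
    return found

def sha256(image):
    """Integrity hash recorded before analysis and re-checked afterwards."""
    return hashlib.sha256(bytes(image)).hexdigest()

if __name__ == "__main__":
    image, photo = build_toy_image()
    delete_file(image)
    before = sha256(image)
    print("directory:", list_directory(image))
    print("carved:", [(s, len(d)) for s, d in carve_jpegs(image)])
    print("image unchanged:", sha256(image) == before)
    image[3 * SECTOR:4 * SECTOR] = b"N" * SECTOR  # new data reuses the sector
    print("after overwrite:", carve_jpegs(image))
```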

4.0 Computer forensic analysis and tools

Law enforcement professionals use different computer forensic models; a
popular one is the CFSAP (Computer Forensic SECURE ANALYZE PRESENT) model.

SECURE:

• Involves identifying the source of digital evidence

• Preserving the digital evidence

ANALYZE:

• Extraction of digital evidence

• Processing of digital evidence

• Interpretation of digital evidence

PRESENT:

• Presentation of digital evidence, expert opinion and testimony

5.0 Forensic tools

Computer forensic tools used during investigation can be functionally categorized into 3 basic
types, namely Imaging, Analysis and Visualization. Examples of forensic tool products include
ENCASE, ILOOK and CFIT 1.

Imaging: Disk and file imaging, write blockers and imaging volatile memory, etc.

Analysis: File conversion, data and file recovery, disk and file system integrity checking tools and
data mining tools.

Visualization: Time lining and link analysis tools. [3]

CONCLUSION

Law enforcement professionals need to carry out full computer forensic analysis to get
presentable evidence that can be used in court to support traditional investigation techniques or
to prosecute a cyber criminal. With the aid of computer forensics and forensic tools, digital
evidence can be collected, extracted, interpreted and presented from any computer used to
commit the crime.

References

[1] Bruce J. Nikkel, The role of digital forensics within a corporate organization.
http://digitalforensics.ch/nikkel06a.pdf

[2] John D. Fernandez, Stephen Smith, Mario Garcia, and Dulal Kar, Texas A&M
University, COMPUTER FORENSICS – A CRITICAL NEED IN
COMPUTER SCIENCE PROGRAMS. http://www.scribd.com/doc/12750463/computer-forensic-book

[3] http://www.scribd.com/doc/12863217/Computer-Fornsics
