Computer forensics is a new field in forensic science. This means many people does not understand the techniques applied in computer forensics. Sometimes, people even confuse the difference between extracting and analyzing data. Computer forensic is the utilization of scientifically obtained and approved techniques towards collecting, preserving, validating, identifying, analyzing, interpreting, documenting, and presenting computer evidence obtained from digital sources to enhance or propel the reconstruction of criminal events (Ovie et al., 2016). The digital forensic methodology involves three main steps that are closely related.
Extraction
This stage is also known as the preparation phase. In the extraction process, examiners start by questioning whether there is sufficient data to commence. They ensure that a request for investigation has been submitted and that there is enough information to answer the request. If some information is missing, examiners liaise with the requester for more information. From here, they start to the validation of the software and hardware to ensure they are in good condition. The extraction process ensures that law enforcement has obtained the information legally, and they have developed a forensic image. If the information handed over to examiners is original, another copy must be produced and safeguard the original one, and it remains unaltered ( Ovie et al., 2016) . This process is accomplished by verifying a digital fingerprint, or a hash of the evidence. Data extraction then occurs if the integrity of the data has been confirmed. The forensic request is then converted into answerable questions after refining and organizing the data. Every relevant data extracted by examiners is marked as processed.
Delegate your assignment to our experts and they will do the rest.
Identification
During the identification stage, investigators re-identify all the items on the Extracted Data List. Investigators start by establishing the item type. Unused items in the forensic request should be marked as processed ( Meshram, 2018) . In case the examiner notices a weird item that is incriminating even if it was not included in the search list, the requestor and other important people must be notified.
A good example is where law enforcement may be holding a computer as evidence for tax evasion. But during the examination process, images of child pornography are discovered. If child pornography were among the items under investigation, the investigator would document the item on a third list known as the Relevant Data List ( Ovie et al., 2016) . This Relevant Data List consists of useful data that is identified and will be used to answer the original forensic request. If child pornography was not in items under investigation, a second warrant would be required that will allow for further studies. Identification per se is used to process the Extracted Data List to establish the right data that will be analyzed. A case can only move forward if the correct information is obtained.
Analysis
The analysis involves joining all dots and present a complete image for the requester. The examiner must answer questions such as what, who, where, how, and when for all items that are present on the Relevant Data List. Examiners must also explain which application or user received, created, sent, or edited every item and how it existed initially. The source of the item must also be relieved by the examiner. Significantly, examiners must explain the relevance of the information and its importance to a case. For every useful item, investigators tend to elaborate when it was developed, assessed, received, viewed, modified, launched, and deleted. Examiners further consider and explain the chronology of events and indicate the activities that co-occurred. Next, examiners create the final list known as the Analysis Result List ( Ovie et al., 2016) . After all these steps, the examiner can respond to the forensic request, a phase well known as the Forensic Reporting phase.
Importance of using Forensic Tools to collect and Analyze Evidence
In forensic science, many tools can be used to collect analyze forensic evidence. However, the most commonly used are the Forensic Toolkit and EnCase. Examiners use these two tools because they play a significant role in forensic science.
Forensic Toolkit (FTK) Imager
FTK Imager is used to produce forensic images, and it supports evidence files in all formats. It allows examiners to preview the evidence they have collected before the final image ( Meshram, 2018) . Examiners are also able to do a triage and gather useful data hence minimizing the time required in the collection and analysis stages.
Another importance of using FTK is that it is created as an all-in-one digital forensic solution. FTK allows investigators to analyze email. FTK also has a file decryption. This is considered as a central feature of FTK, which help forensic examiners to decrypt files or crack passwords. Sometimes, it can allow for password retrieval for more than 100 apps (Lopez, 2015). The other feature of FTK is the data carving engine, which enables investigators to look for documents based on type, pixel size, data size, and data type.
EnCase
EnCase is the other tool that facilitates the digital investigation. The device is intuitive and has a useful user interface. As Meshram reports, EnCase supplies all that is required for vast stopover digital analysis in extensive examination with safety and accuracy (2018) . EnCase helps investigators to retrieve deleted data, in slake areas, unallocated cluster files, and paging area ( Meshram, 2018) . The tool also offers full support for Unicode. It also multiplies system analysis. The tool anchors for compressed NTFS file systems. Finally, EnCase obtains data from RAM, pictures, webmail, documents, emails, internet appliances, archives, encrypted files, cache and web history, and chat sessions. No other products offer the same services, functionality, performance, and acceptance like EnCase does (Lopez 2015).
Hashing in the Context of Digital Forensics
Hashing is a digital forensic strategy used to guarantee the integrity and credibility of the information. The technique allows investigators to examine large volumes of data and validate it. In hashing, a digital forensic examiner applies an algorithm to a section of data to create a digital fingerprint that has a fixed-size variable (Lopez, 2015). This fixed-size variable is known as the “hash value” ( Meshram, 2018 ). Once that variable is known, the examiner can periodically rerun the algorithm or "hash it." If the data has been changed since the first hashing, a different output will result. This process achieved through a cryptographic has a function, mainly SH A-1 or MD5, that is put to an individual or the whole target files ( Meshram, 2018) .
Ways of Ensuring that the Evidence Collected is not Tampered with after Collection
In most cases, conducting an investigation is not tricky. The bitter part of the exercise is to ensure that the collected data is valid for use in court. The most effective methods to ascertain that the collected data is not tampered with include;
Drive Imaging
Evidence, particularly one that about to be presented in court, can be tampered with either by investigators themselves or the suspects. Therefore, before the analysis stage, investigators need to image the proof first. This forensic image comprising of digital media assist in retaining evidence for the investigation processes. As a rule, examiners are only permitted to operate on a duplicate when conducting a forensic analysis and never touch the original document. Once a report has been undermined, it is critical to do as little as could be allowed. The system should further be isolated to avert associations into or out of the framework and capturing the information of live memory (RAM), if necessary ( Meshram, 2018) . If the evidence is needed in court, actions on the original computer must be restricted.
Hash Values
Hash values are the best in safeguarding collected evidence. Cryptographic hash values are generated when examiners image a machine for analysis. The hash value is meant to verify the integrity and authenticity of the image if it is the duplicate of the original document ( Meshram, 2018) . Hash values are significant in securing evidence going to court. In case the initial evidence is stored in the form of hash values, any slight alteration of the data just creates an entirely new hash value. When creating a new file or editing a stored record in a computer, it liberates a unique hash value for the same data. This newly created file is not visible to everyone in a standard file explorer window, although an analyst can retrieve it using a special software.
According to Ovie et al., the rule of evidence, it must be proved in the court of law. It is through the evidence that the judge can make a ruling (2016). Before presenting, every detail of the evidence must be looked at to avoid misguided judgments that can prosecute an individual for a crime he or she never committed.
Conclusion
The examination process is an ongoing and endless process used in criminology. The steps can be redone repeatedly, but those associated with the case must establish when to stop. This research has addressed four main areas. First, it has addressed the digital forensic methodology, which comprises three main steps; evaluation, identification, and analysis. It has also provided the importance of using forensic tools such as FTK Imager and EnCase to collect and analyze evidence. Next, it contains an explanation of how hashing is used in the context of digital forensics. The last section addresses how to safeguard collected evidence from being altered.
References
Lopez, A. (2015). Digital Forensics Tools and Techniques . Retrieved from https://www.grin.com/document/470310
Meshram, B. (2018). Digital Forensic Analysis of Hard Disk for Evidence Collection. International Journal of Cyber-Security and Digital Forensics , 7 (2), 100-110. doi: 10.17781/p002372
Ovie L. Brannon, S, Song, T. (2016). Computer Forensics: Digital Forensic Analysis Methodology . Retrieved 16 December 2019, from https://www.crime-scene-investigator.net/computer-forensics-digital-forensic-analysis-methodology.html
