Chapter 15: Applying Forensic Science to Networks


Overview

Like computers, networks contain digital evidence that can be used to establish that a crime has been committed, determine how a crime was committed, provide investigative leads, reveal links between an offender and victim, disprove or support witness statements, and identify likely suspects. For instance, several hours after the Columbia Space Shuttle crash in 2003, it became evident that a crime was being committed when pieces of the spacecraft were being offered for sale on eBay. A missing person's e-mail has provided a link between the victim and offender, revealing where she went and who she arranged to meet. Child pornography posted on the Internet has led investigators to victims who were being abused by a family member without the knowledge of other family members, neighbors, or others close to the family. Web proxy logs have been used to demonstrate that an offender took precautions to conceal his illegal activities, casting doubt on his claims that he did not know what he was doing was wrong. When someone witnesses an unknown offender making a call from his/her mobile phone, it may be possible to obtain records from local base stations for that time period and determine who made calls from the region, thus narrowing the suspect pool.

Processing a hard drive for evidence is a relatively well-defined procedure. When dealing with evidence on a network, however, digital investigators face a number of unpredictable challenges. Data on networked systems are dynamic and volatile, making it difficult to take a snapshot of a network at any given instant. Unlike a single computer, a network can rarely be shut down, because digital investigators often have a responsibility to secure evidence with minimal disruption to the business operations that rely on the network. Moreover, shutting down a network will destroy most of the digital evidence it contains. Also, given the diversity of network technologies and components, it is often necessary to apply the best available evidence collection techniques in unfamiliar contexts.

Additionally, unlike crime in the physical world, a criminal can be in several places on a network at any given time. This distribution of criminal activity and associated digital evidence makes it difficult to isolate a crime scene. At the same time, having evidence distributed on many computers can be an advantage in an investigation. The distribution of information makes it difficult to destroy digital evidence. If digital evidence is destroyed on one computer, a copy can often be found on various computers around the network or on backup tapes. Many organizations back up their information regularly, and some even store a second copy of all backups in a different location for added protection.

With some adaptation, the methodical approach to processing evidence described in Chapters 4 and 5, and expounded in Chapter 9, can be applied to digital evidence on networks. The initial processes of discovery, preparation, and authorization are similar, with some added legal and technical complexities. Also, searching for sources of digital evidence on networks requires us to expand the search envelope while maintaining focus, and it often leads to types of data that require specialized expertise to collect. The general concepts of documentation, collection, and preservation apply to networks but require some adaptation to accommodate the different technologies and unique properties of networks.

Although the general analysis techniques described in Chapter 9 (e.g., classification, comparison, individualization) are applicable, analyzing digital evidence from networks often requires specialized knowledge of tools and the underlying network technology. Presenting the resulting findings to nontechnical individuals can be challenging but remains one of the most important stages in a forensic examination, because an examiner's findings will likely remain unused if they are not understood. This chapter addresses each of these stages in turn, elaborating on how they apply to evidence on computer networks.

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
