
Computer Forensics 1

Computer Forensics

Introduction

The introduction of computers and the internet has created a global revolution in many ways.

Business processes have been streamlined and automated as a consequence of such

operations. Productivity and output have been enhanced through the use of computer

applications (Baryamureeba & Tushabe, 2004: Pg 23). Organizations are able to use the

internet as a means of accessing new global markets. Individuals use the internet as a

means of accessing and exchanging information. The revolution in computers and

internet has a profound and deep impact on human lifestyle. It has altered the nature of

human society in a proficient and effectual manner. Yet this has also posed a serious

challenge in terms of criminal activities and malicious behaviors. Identity fraud and cyber

crimes pose a serious threat at the individual and social levels. The need to adopt a

reliable, scalable, and flexible response has been felt by international organizations and

governments. This means that appropriate procedures need to be adopted in order to

create a uniform set of guidelines (Baryamureeba & Tushabe, 2004: Pg 23). Such an

approach will help in the fight against malicious activities and affairs. It would create a

comprehensive strategy for attaining excellence in the business environment. Computer

forensics is a rapidly emerging field that is concerned with the collection, preservation,

and presentation of digital information. Such information can be used in criminal

prosecution and civil cases (Baryamureeba & Tushabe, 2004: Pg 23). The scope and

intensity of computer forensics is very broad and comprehensive. It seeks to use

technology which can be used to obtain information on digital devices. This information

can be used as evidence in criminal and civil cases. Computer forensics investigators

engage in a plethora of activities which include examining and assessing the computer

system. The operating system, applications, hardware, and software are assessed in a smart

manner. The evidence is imaged and duplicated to prevent alteration or tampering. It

must be presented in a clear manner because many legal systems have different

guidelines about the admissibility of digital information. The developed world does not

have uniform guidelines in computer forensics. Specific issues like jurisdiction, evidence

collection, preservation, and privacy must be tackled in a systematic and methodical

manner. This means that a systematic approach needs to be adopted in order to create a

robust and flexible formula for success. The use of strategic initiatives through dialogue

and consensus is essential for the development of best practices. Similarly computer

forensics investigators need to be trained in the use of various practices. Quality should

be the criteria along with the knowledge of specific applications and tools. However the

focus should not only be on the skilled use of proprietary software and tools. Computer

forensics investigators must exhibit a commitment towards critical analysis and

assessment. This paper will conduct a literature review about the computer forensics

field. It will identify the national guidelines that exist in the EU, US, and UK for the computer

forensics field. Finally it will seek to develop a generic model that adopts uniform

guidelines for evidence collection.



Literature Review

Computer Forensics

Computer forensics has emerged as a new branch of forensic science that seeks to extract

appropriate evidence from digital storage media. The overall aim is to analyze and assess

the information that is present in digital artifacts (Baryamureeba & Tushabe, 2004: Pg

23). Any digital device which uses electronic documents and sequences of packets can be

assessed and investigated by this discipline. Empirical studies have documented the need

for computer forensic techniques in a number of cases. They can be used in criminal

cases to assess and evaluate computer systems that have been used by defendants. Data

can be retrieved in the event of accidents, malicious activities, and emergencies. Intrusion

attempts can be successfully assessed and evaluated by using this process. Information

about the computer systems for troubleshooting and debugging can be obtained by using

computer forensics (Baryamureeba & Tushabe, 2004: Pg 23). The entire process of

investigation should be conducted by using a scientific approach. The computer forensic

investigator should have appropriate and clear objectives. The originality of the data

should be taken into account when conducting an investigation. Accessibility to the

original data should be conducted in an efficient and effective manner. A complete audit

of the various processes that have been performed on the computer should be conducted

by using a proactive and dynamic approach. Normally the investigator is held

accountable for ensuring that the entire procedure is conducted in a legal and transparent

manner. Computer forensics has been constantly updated through the advent of new tools

and applications. There has been a growing trend towards sophistication of technology

and human skills. Empirical studies document that successful computer forensics

investigators must have analytical and critical skills. They should be able to develop a

complete formula which can be used to attain success. The development of different

strategies is critical for the success of the approach. The use of multifaceted and dynamic

strategies helps to create an optimized result. It leads to the development of efficient and

effective procedures. Computer forensics is a rapidly changing field due to the new types

of threats. Vulnerability assessments are periodically conducted as a means of

strengthening defenses on computer systems. Appropriate backup and recovery

procedures are in place as a means of retrieving information which can be used as digital

information. The use of superior mechanisms enables the critical success of all

approaches. It uses a smart approach that is based upon authentic facts and figures

because it seeks to develop a robust formula for success. The use of different strategies is

critical for attaining success in the business environment. Similarly, the incident reporting

process should be strengthened through the use of various strategies. Estimation about the

nature of the incident should be properly safeguarded through the use of smart and

proactive measures. The development of a comprehensive strategy is critical for the

success of the program. The use of multifaceted approaches is essential for producing an

excellent outcome in the business environment. Rogue processes need to be terminated in

an efficient and effective manner. All time and date stamps need to be collected in

an efficient and effective manner. Further, system patches should be applied through the

use of a vigorous and dynamic process.

Skills and Competencies



Computer forensics investigators must have a number of competencies and skills in order

to accomplish their tasks in an efficient and effective manner. They must exhibit critical

decision making and thinking abilities. They should have proper analytical and

assessment skills. They must be able to utilize a neutral and objective approach when

conducting investigations (Baryamureeba & Tushabe, 2004: Pg 23). However empirical

studies conclude that the greatest skill for computer forensics investigators is the ability

to maintain the originality and authenticity of the evidence. Computer forensics

investigators are concerned with cyber crimes and internet technologies. They need to

apply proper knowledge in order to conduct threat assessments. Specific strategies are

executed as a means of ensuring dynamic and smart processes (Baryamureeba &

Tushabe, 2004: Pg 25). Clear procedures need to be applied while an understanding of

the legal framework is crucial for the success of the entire program. Computer forensics

investigators need to have constant training and preparation. This approach helps them to

utilize critical thinking skills. Successful computer forensics investigators demonstrate

their ability to apply theoretical concepts in practical situations. The ability to apply

innovative and creative methods to resolve problems is a key competency for the field.

The development of a multifaceted strategy is considered to be essential for the success

of the entire program (Baryamureeba & Tushabe, 2004: Pg 26). An appropriate and

robust strategy should be conducted so that superior outcomes are initiated. Investigators

need to implement best practices by writing extensive manuals. Senior personnel should

be used to train and develop the competencies of junior investigators. The entire process

should be strengthened as a means of attaining efficiency and effectiveness.

Forensic Process

The forensic process is divided into several steps because such an approach helps

investigators to resolve complex problems. They must be able to apply specific strategies

for the success of the entire program. They must have access to tools that can be used to

generate accurate and reliable reports. Appropriate strategies can help to create robust

initiatives and protocols.

Collecting Digital Evidence

Digital evidence needs to be collected from multiple sources in a proficient and effectual

manner. Electronic devices are the primary source of digital information because they are

easily available. The investigator must seek to adopt special procedures during the

collection process. This is due to the fact that digital information can be altered or

tampered with accidentally. Further, the ability to identify or assess changes can

become a time-consuming and cumbersome process. Imaging software is often used as a

means of preventing any changes or alteration in the digital media (Carrier & Spafford,

2003: Pg 56). A chain of custody is created with the sole purpose of saving digital

information. Extensive documentation is performed by skilled and competent

investigators to ensure accuracy and reliability. Tested tools are usually recommended as

a means of ensuring accurate outcomes for the entire process. The digital collection

process cannot ignore the human side of the story. The user needs to be interrogated in an

intelligent and smart manner. This helps the investigators with information about

computer systems, software applications, encryption protocols, and security mechanisms

(Carrier & Spafford, 2003: Pg 56). The user’s information about the network, hardware,

and software can augment the entire process of digital collection. This can create legal

issues because users might not cooperate with the investigators. Inside the United States,

the law enforcement departments need to obtain a special permit from the courts for

collecting digital information. This is done as a means of protecting and safeguarding the

privacy rights of the computer user.

Live vs. Static Analysis

Static analysis is a procedure in computer forensics that assesses digital information when

computer systems are shut down. This analysis was also performed to prevent any

alteration or tampering of the digital evidence. It was generally believed that such an

approach would help to prevent or reduce cyber crime incidents. However static analysis

has been described as inaccurate and unreliable in several cases (Carrier & Spafford,

2003: Pg 56). This has prompted the investigators to initiate live analysis. The benefits of

this approach are that proper encryption techniques can be initiated. Data loss can be

prevented by using an efficient and effective strategy. Further many intruders and hackers

do not leave any trail when committing malicious attacks. The information on computer

memory is abused in order to fool investigators. Live analysis can help to plug this gap

by using a logical and methodical approach (Carrier & Spafford, 2003: Pg 59).

Cryptographic storage has also prompted many computer forensic investigators to apply

live analysis as a means of collecting digital evidence. Live analysis helps in the

development of encryption protocols. Appropriate network security mechanisms need to

be developed as a means of creating powerful strategies against online criminal threats.

Imaging Electronic Evidence



Imaging has emerged as a major tool in the computer forensics discipline because it seeks

to create exact replicas of computers and other electronic devices. Several imaging tools

can be used to obtain exact duplicates of hard drives (Carrier & Spafford, 2003: Pg 64).

The user-accessible areas are imaged because of their efficiency and effectiveness. This

helps to safeguard the data from any intentional or unintentional tampering. Hash

functions like MD5 and SHA-1 are used in the imaging process. Hashing

helps to create high levels of efficiency and effectiveness. It leads to the creation of a

robust and viable evidence system that can be used in a number of situations. Imaging

software needs to be selected for interoperability with various operating systems. The

challenge for investigators is the use of open source vs. proprietary software. Open

source is beneficial because it is cost effective (Carrier & Spafford, 2003: Pg 71). Bugs

can be removed through the open source forums present on the internet. However

proprietary software is standardized and interoperable in many different operating

systems.
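
The imaging and hashing step described above, together with the chain of custody from the evidence collection section, as an added Python example that is not code from the paper or from any imaging tool it cites. It copies a constructed in-memory "disk" block by block while hashing it, re-verifies the copy, and keeps a hash-chained custody log. The function names, the 4096-byte block size, the extra SHA-256 digest and the log layout are assumptions made for illustration.

```python
import hashlib
import io
import json

BLOCK_SIZE = 4096  # assumed read size; real imagers read in multiples of the sector size
# MD5 and SHA-1 are the functions the text names. Both have known collision
# attacks, so SHA-256 is recorded alongside them here (an addition, not from the page).
ALGORITHMS = ("md5", "sha1", "sha256")
GENESIS = "0" * 64  # assumed "previous hash" for the first custody entry


def hash_stream(stream, sink=None, block_size=BLOCK_SIZE):
    """Hash a stream from its start; if sink is given, copy each block to it as well.

    Hashing the same bytes that are written means the record describes exactly
    what was read from the source, with no second pass over the original.
    """
    stream.seek(0)
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    for block in iter(lambda: stream.read(block_size), b""):
        if sink is not None:
            sink.write(block)
        for hasher in hashers.values():
            hasher.update(block)
        size += len(block)
    return {"size": size, **{name: h.hexdigest() for name, h in hashers.items()}}


def verify(image, record):
    """Re-hash an image and return the record fields that no longer match."""
    current = hash_stream(image)
    return sorted(key for key in record if current[key] != record[key])


def _entry_digest(body):
    # Canonical JSON so the digest does not depend on dictionary ordering.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, actor, action, record, when):
    """Append a custody entry whose hash also covers the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = {"prev": prev, "when": when, "actor": actor,
            "action": action, "evidence": record}
    log.append({**body, "entry_hash": _entry_digest(body)})
    return log[-1]


def first_broken_entry(log):
    """Return the index of the first entry that fails the chain check, or None."""
    prev = GENESIS
    for index, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _entry_digest(body) != entry["entry_hash"]:
            return index
        prev = entry["entry_hash"]
    return None


def demo():
    # Constructed sample "disk": three full blocks of patterned bytes plus a short tail.
    source = io.BytesIO(bytes(range(256)) * 50 + b"tail")
    image = io.BytesIO()

    record = hash_stream(source, sink=image)  # acquisition: copy and hash in one pass
    log = []
    append_entry(log, "examiner-A", "acquired image", record, "2024-01-01T10:00:00Z")
    clean = verify(image, record)             # untouched copy: nothing mismatches

    # Flip one bit in a copy of the image: size is unchanged, every digest differs.
    altered = bytearray(image.getvalue())
    altered[1000] ^= 0x01
    tampered = verify(io.BytesIO(bytes(altered)), record)

    append_entry(log, "examiner-B", "received image", record, "2024-01-02T09:00:00Z")
    intact_log = first_broken_entry(log)      # chain is consistent
    log[0]["actor"] = "someone-else"          # simulate an after-the-fact log edit
    edited_log = first_broken_entry(log)      # chain check points at entry 0
    return record["size"], clean, tampered, intact_log, edited_log


if __name__ == "__main__":
    print(demo())
```

In practice the source would be a device opened read-only behind a write blocker and the record would be stored separately from the image, so that a change to either one is detectable.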

Collecting Volatile Data

Sometimes computer forensics investigators need to collect evidence from active and

open machines. This is done through analysis and assessment of the applications and

network ports (Casey, 2004: Pg 90). Linux based tools are available for obtaining

information about the network. Surrounding applications and their ports can be analyzed

by using such applications. Registry and RAM can be assessed using such tools since

they play a vital role in helping computer forensics investigators to analyze the use of

emails and other software. Windows partitions can be analyzed and assessed by using

smart and vibrant strategies. BitLocker and Trusted Platform Module are efficient

applications that help in the collection of volatile data (Casey, 2004: Pg 90).

Analysis and Reporting

The entire process of computer forensics requires extensive analysis and reporting. This

needs to be done through the presence of skilled and qualified computer forensics

experts. Analytical skills must be strengthened in an attempt to achieve high levels of

efficiency and effectiveness (Casey, 2004: Pg 90). The use of different skills is

considered vital for the entire process. Computer forensics experts must utilize a

combination of different skills as a means to attaining excellence in the entire

environment. The development of a superior strategy helps to attain goals. The material is

collected as bits of data and information is compiled. The Windows registry is analyzed in an

attempt to decipher information about suspected activities. Passwords and keyword

searches are utilized as a means of attaining excellence. E-mail, documents, and pictures

are amalgamated in order to determine appropriate strategies. The reporting process

usually involves having precise knowledge of various protocols and procedures.

Extensive documentation plays a critical role in the development of smart objectives

(Casey, 2004: Pg 92). It creates a supportive environment in which the objectives can be

attained by using a smart strategy. The analysis and reporting should be done through

professionalism and dedication. Appropriate presentation of evidence is often crucial for

the success of smart initiatives.

Computer Forensics: Legal Guidelines USA



The United States has been leading in information and communication technology, as

witnessed by the presence of major companies like Microsoft, IBM, Cisco, Nortel, Dell,

Oracle, etc. A set of comprehensive and robust guidelines for computer forensics has

been established in the country. The Fourth Amendment provides protection against

unwarranted search and seizure (National Institute of Justice, 2002: Pg 32). Similarly the

Fifth Amendment provides safeguards against self-incrimination. The Wiretap Act, the Pen

Registers and Trap and Trace Devices Statute, and the Stored Wire and Electronic

Communications Act are concerned with the process of regulating the computer forensics

industry in a legal and transparent manner. US guidelines call for safeguarding the

authenticity and value of the evidence. Computer forensic investigators must seek to

apply various safeguards to protect the integrity of the evidence. The target computer

needs to be disconnected with an analysis of its CMOS system. Disk imaging has become

mandatory because it helps to prevent alteration in data and information. This means that

the target media must be replicated in an open and transparent manner. This becomes

crucial because it helps to create an efficient and effective framework. It leads to the

development of smart and prudent procedures that provide high levels of efficiency and

effectiveness (National Institute of Justice, 2002: Pg 32). Computer forensics

investigators are mandated to analyze and examine the various components of the

computer. This means that the operating system, Windows, registry, RAM, hardware, and

software need to be evaluated in a smart and intelligent manner. The development of a

comprehensive framework has led to the production of smart outcomes. It has enabled the

creation of efficient and effectual goals. Law enforcement departments in the United

States cannot conduct illicit searches and seizures. They need to obtain court orders under

which they can access the computers for legitimate purposes (National Institute of

Justice, 2002: Pg 34). However new legislation that has been enacted in the aftermath of

9/11 means that the process of issuing court warrants has been expedited. This has been

due to the sheer threat of terrorism which can threaten the interests of the United States.

Pre-9/11 laws were considered to hinder the ability of law enforcement officers to

successfully fight against terrorists and criminals. The legislation in the United States

also seeks to create a collaborative and efficient framework in the fight against online

threats. The United States has a well-developed and advanced system for computer

forensics (National Institute of Justice, 2002: Pg 32). This system has been instrumental

in thwarting new types of threats. However there are concerns that the system is rigid and

inflexible since it does not lead to efficient outcomes. The law enforcement departments

do not have adequate training in collection of digital evidence. Further static analysis of

data is still pursued despite extensive legislation. This calls for policy makers to develop

superior outcomes which can allow success in the business environment. The

development of robust and appropriate procedures is critical for the success of the entire

program (National Institute of Justice, 2002: Pg 32). The use of a multifaceted strategy is

essential for producing superior outcomes. Multiple approaches need to be enhanced

through a systematic and logical approach. American law stipulates a number of

important principles during the digital information collection process. The seizure of

information must not allow its alteration or tampering. Only qualified computer

forensics investigators must be able to intervene during the digital evidence collection

process. Collection, preservation, storage and transfer of evidence must be reported in



proper documentation (Baryamureeba & Tushabe, 2004: Pg 23). This is done in order to

prevent human errors from interfering in the entire process. Every computer forensics

investigator is responsible for the preservation and safety of the evidence. This is done in

order to ensure high levels of efficiency and effectiveness. Private agencies involved in

the entire process must ensure compliance with government procedures and regulations.

However despite the presence of such overwhelming guidelines, the margins of error and

failure continue to exist. The lack of proper documentation has been recognized as the

greatest threat in the computer forensics industry. The lack of accurate information for

the decision making structures can lead to problems (Baryamureeba & Tushabe, 2004: Pg

29). Accessibility to digital evidence must be safeguarded by using a smart and proactive

approach. Similarly, the incident reporting process should be strengthened through the use of

various strategies. Estimation about the nature of the incident should be properly

safeguarded through the use of smart and proactive measures. The development of a

comprehensive strategy is critical for the success of the program. The use of multifaceted

approaches is essential for producing an excellent outcome in the business environment.

Rogue processes need to be terminated in an efficient and effective manner. All

time and date stamps need to be collected in an efficient and effective manner. Further,

system patches should be applied through the use of a vigorous and dynamic process. The

development of smart strategies is critical for the success of the entire program. The use

of multifaceted strategies helps to produce significant gains for computer forensics

investigators (Baryamureeba & Tushabe, 2004: Pg 32). Computer forensics investigators

need to utilize a number of tools and software. The use of various applications helps to

create superior outcomes for the entire process.



Computer Forensics: Legal Guidelines European Union

The European Union has established an organization called “The Council of Europe

Convention on Cybercrime”. This organization has created a number of consistent and

reliable guidelines to regulate the discipline of computer forensics. The objectives have

been to create high levels of consistency and reliability between the various elements of

the law. It seeks to empower local law enforcement departments with the required

training to successfully implement the guidelines of the computer forensics discipline.

Finally it seeks to create consensus among member states to create uniform guidelines in

the discipline of computer forensics. It seeks to prevent cyber crimes like identity theft,

fraud, and hacking. It seeks to create a robust framework against illegal access, data

interference, system interference, and misuse of devices. The European Union believes

that quality assurance is essential for the successful implementation of computer

forensics (Reith, Carr, & Gunsch, 2002: Pg 123). This can be achieved only if verifiable

and reliable procedures for audit exist in various departments. Computer forensics

investigators must demonstrate a set of competencies which are essential for the success

of the program. They should have practical knowledge and expertise which can help them

in the field. Further they also need to achieve high levels of efficiency and effectiveness.

The development of a comprehensive strategy is essential for the success of the program.

The use of multidimensional and multifaceted approaches is critical for the attainment of

objectives and targets. The competencies of investigators are checked in a formal and

logical manner. Specific performance measurements and objectives are outlined in order

to strengthen the entire process (Reith, Carr, & Gunsch, 2002: Pg 123). The EU

guidelines are robust since they focus on quality assurance. They take up vigorous tests in

order to ensure quality assurance and control in the environment. This helps in the

process of recruiting competent and qualified computer forensics investigators who can

assist in the process. A major plus point of the guidelines is that scientific research and

review are periodically conducted on tools and processes. This approach helps the

departments to obtain valuable information about the strengths and weaknesses of their

approach. It helps to create a collaborative environment in which efficiency and

effectiveness can be attained. However a major problem with EU guidelines is that some

member states have refused to collaborate with each other (Reith, Carr, & Gunsch, 2002:

Pg 123). Each country has different approaches towards empowering law enforcement

departments with the powers to engage in computer forensics. Also despite extensive

guidelines, quality assurance and excellence remain an elusive goal. The EU

needs to take into account various factors. Appropriate methods for data collection should

exist on the efficacy of computer forensics approaches. Different strategies should be

utilized in order to create a generic model (Reith, Carr, & Gunsch, 2002: Pg 125).

This approach will lead to high levels of efficiency and effectiveness. It would create a

collaborative framework in which efficiency and effectiveness can be attained. Further it

would help to eradicate problems that are faced in the business environment. Cyber

crimes need to be thwarted by using a professional and collective response from member

states.

Computer Forensics: Legal Guidelines United Kingdom

The United Kingdom has a set of broad legal guidelines for computer forensics. The local

governments and national governments have separate laws that guide the entire process.

The most important difference between the national and state systems is the type of evidence

that can be collected. There is a focus on providing autonomy to each county because of

the legal system (Steinke, 1997: Pg 49). The results are that there are no uniform or

consistent guidelines in the entire process. There is a trend towards accepting certain

types of digital evidence while rejecting others. This creates numerous problems as cases

can become vague and ambiguous. However the British system helps to use new laws

that have accepted the validity of computer forensics. The principles for digital

evidence collection are to preserve its authenticity. Further there is a focus towards

ensuring that computer systems are not altered or tampered with. The evidence must be

duplicated through the use of imaging software. Specific protocols are present for

analyzing and assessing the evidence in an effective and efficient manner (Vacca, 2002:

Pg 102). The United Kingdom under the government of Tony Blair implemented a

number of laws which were designed to fight cyber crimes. The threat of terrorism in the

UK has led the government to implement different laws. This has led to the development

of protocols which enable the creation of efficient and effective approaches. Digital

evidence collection involves the process of identifying malicious files and documents. It

also involves investigating and assessing the financial assets of suspected groups. Law

enforcement departments can investigate financial assets through legal orders (Vacca,

2002: Pg 123). The development of different protocols has led to the creation of new

dynamics. The UK system needs to be modified by adopting a number of measures and

approaches. At the basic level it should seek to have standardized collection,

preservation, and presentation standards. A regulatory manual should exist that can act as

a source of guidance for investigators. The telecommunications infrastructure needs to

be monitored and assessed because it is the key for success in computer forensics. The

development of different approaches is critical for the success of the program. The use of

innovative and creative approaches is essential if it must succeed (Vacca, 2002: Pg 125).

However there are concerns that the system is rigid and inflexible since it does not lead

to efficient outcomes. The law enforcement departments do not have adequate training in

collection of digital evidence. Further static analysis of data is still pursued despite

extensive legislation. This calls for policy makers to develop superior outcomes which

can allow success in the business environment. The development of robust and

appropriate procedures is critical for the success of the entire program. Quality should be

the main performance measurement for computer forensics investigators. This is essential

because investigators need to exhibit smart skills in collection, preservation, and

presentation of evidence. Similarly the legal workforce should be taught about the basics

of computer forensics. The development of a robust structure will produce superior

expectations in the entire discipline. The United Kingdom has a set of authentic and

verifiable procedures for computer forensics investigations. It seeks to improve the

efficiency by using multiple strategies (Baryamureeba & Tushabe, 2004: Pg 35).

Qualified experts are needed in order to ensure the success of the program. The UK has

an efficient system that mandates the use of proper documenting and reporting. The

estimates about the nature of the threat are deemed to be crucial for the success of the

entire program. The use of multifaceted strategies is critical for ensuring a robust

formula. Computer forensics needs to be developed through the use of smart and robust

strategies. Flexible, reliable, and scalable models are needed in order to ensure the

success of the program. The use of dynamic strategies helps to create an excellent

outcome for the entire model. Appropriate validation techniques must be implemented

while rogue processes need to be terminated (Baryamureeba & Tushabe, 2004: Pg 36).

The system should remain in a safe state to prevent file corruption or tampering. It must

be safeguarded from physical threats that could destroy the integrity of the evidence. The

development of a safe and smart approach is essential for the entire system. The use of

multifaceted approaches helps to create excellent outcomes for the entire program.

Generic Model

Computer forensics is rapidly emerging as a necessity for many countries in the world. It

plays a critical role in criminal and civil cases. Moreover it can be used as a powerful tool

in many different types of cases. It leads to scalable, reliable, and agile criminal

investigation procedures (Forcht & Ayers, 2001: Pg 55). Cyber crimes are changing as

criminals seek to develop new tactics to subvert security mechanisms. An international

consensus needs to be applied through the development of common standards and

protocols. The use of such a strategy is based upon superior outcomes. A generic model for

computer forensics investigation needs to be created and applied. The development of

smart and prudent procedures is critical for the success of the program (Forcht & Ayers,

2001: Pg 55). The evolution of computer forensics is strongly interlinked with the

development of technologies and applications. The first important aspect of the process is

to strengthen the preparation part. This is crucial for the success of a forensic

investigation. Preparation should focus on attaining the evidence in an efficient and

effective manner. The veracity of the evidence should be outlined in a cost effective and

smart manner. The data must be analyzed and assessed by using a proactive approach.

Collection, examination, analysis, and reporting are key components of preparation. They

seek to obtain evidence in an efficient and effective manner (Forcht & Ayers, 2001: Pg

55). They strive to create an environment in which superior outcomes can be attained

through the development of various approaches. The investigation stages should provide

a complete range of activities which are vital for the success of the generic model. The

basic standards should be uniform and consistent in recognition with consensus taken

from the international community. Appropriate policies and procedures should be

implemented as a means of ensuring smart investigations. The training of employees

should be conducted in a vigorous and authentic manner (Forcht & Ayers, 2001: Pg 55).

Appropriate legal information should be investigated and analyzed within the framework

of national legal systems. The investigation stage should seek to search and recognize

evidence found on computers. The evidence must be safeguarded in a safe environment

while proper tools should be used to prevent destruction of evidence. Analysis is a key

component of the generic model because it seeks to identify the value of the evidence. It

seeks to ensure appropriate findings can be derived by computer forensics investigators.

Further there is the need to present and prove the analysis in a smart and productive

manner. The development of multifaceted strategies is vital for the success of the

program (Baryamureeba & Tushabe, 2004: Pg 40). A generic model has been developed

through constant analysis and assessment of the literature review. Best practices have

been identified for the success of the entire program. The use of different strategies is

crucial for attaining excellence in the environment. The use of multifaceted approaches

helps to create optimized results. It creates innovative and creative mechanisms for

change in a field that is characterized by new challenges and threats.

Search and Seizure

Search and seizure of digital evidence is a major bone of contention among various legal

systems. There is the need to apply smart procedures that can be used to strengthen the

entire process. Further such a strategy can be attained through the development of

efficient and effective procedures (Volonino & Anzaldua, 2006: Pg 176). The key to

success is to develop a set of standards that can be used to distinguish a proper search and

seizure from an illegal one. Smart procedures need to be performed in

an efficient and effective manner. Warrants need to be implemented in a robust and

efficient manner so that the privacy of citizens is safeguarded. Verbal and written consent

for search and seizure is essential for implementing legal safeguards. This will help to

strengthen the entire process through a systematic and logical manner. It is critical to find

a middle way between the desire to strengthen law enforcement departments and protect

civil liberties. There should be focus on excellence and quality so that search and seizure

processes do not become intrusive (Volonino & Anzaldua, 2006: Pg 180). Further

appropriate measures should be undertaken to prevent criminals from taking advantage of



relaxed rules and regulations in the developed world. Collection, examination, analysis,

and reporting are key components of preparation. They seek to obtain evidence in an

efficient and effective manner. They strive to create an environment in which superior

outcomes can be attained through the development of various approaches.

Qualified Experts

There is an urgent need to modify procedures for the determination of computer forensics

investigators. This can be done by determining the tools which provide authentic and

valid evidence for digital information collection. Further the professional should not

remain an expert on applications because other competencies need to be determined to

create a talented workforce (Volonino & Anzaldua, 2006: Pg 193). The expert must be

able to apply analytical and critical thinking skills for the success of the approach.

Understanding the various standards is essential for the success of the approach.

Computer forensic investigators need to adhere to several standards during the digital

evidence collection process (Volonino & Anzaldua, 2006: Pg 192). Unallocated file

space needs to be investigated and assessed during the entire process. This is due to the

fact that any data which is deleted remains in the unallocated file space. Information

contained in such space can provide valuable information which is crucial for the

investigation process. Several types of temporary files might be stored in the computer.

This provides a set of robust tools at the disposal of the computer forensics investigator.

A set of consistent and uniform guidelines for qualified experts will help to enhance the

entire process. A generic model for computer forensics should look into various aspects

of the problem (Volonino & Anzaldua, 2006: Pg 193). It should seek to develop a robust

framework that can enhance quality in the entire process. Proprietary tools that have been

known for their efficacy should be utilized as a means of augmenting the skills and

competencies of the computer forensics investigators.
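
The point above about deleted data remaining in unallocated file space, as an added example that is not part of the original report: a signature-based search restricted to the free blocks of a small constructed volume. The 512-byte block size, the allocation map, the sample contents and all function names are assumptions made for the illustration, and files are assumed to be stored contiguously.

```python
import hashlib

BLOCK = 512  # block size of the constructed volume (assumption)

# Header/footer byte signatures used to recognise file types without metadata.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed sample contents (not real evidence).
LIVE_PDF = b"%PDF-1.4 live report %%EOF"
DELETED_JPG = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
DELETED_PDF_HEAD = b"%PDF-1.4 deleted draft, tail already overwritten"


def build_demo_image():
    """Return (image, allocated) for a constructed 8-block volume.

    Deleting a file only cleared its bits in the allocation map; the
    bytes in blocks 3-4 (JPEG) and block 6 (PDF start) were left behind.
    """
    blocks = [bytes(BLOCK) for _ in range(8)]
    blocks[1] = LIVE_PDF.ljust(BLOCK, b"\x00")
    blocks[3] = DELETED_JPG[:BLOCK]
    blocks[4] = DELETED_JPG[BLOCK:].ljust(BLOCK, b"\x00")
    blocks[6] = DELETED_PDF_HEAD.ljust(BLOCK, b"\x00")
    allocated = [True, True] + [False] * 6  # block 0 = metadata, 1 = live file
    return b"".join(blocks), allocated


def free_runs(allocated):
    """Yield (first_block, block_count) for each contiguous unallocated run."""
    start = None
    for i, used in enumerate(list(allocated) + [True]):  # sentinel closes last run
        if not used and start is None:
            start = i
        elif used and start is not None:
            yield start, i - start
            start = None


def carve_unallocated(image, allocated):
    """Search only unallocated blocks for known signatures; never writes to image."""
    findings = []
    for first, count in free_runs(allocated):
        base = first * BLOCK
        data = image[base:base + count * BLOCK]
        for kind, (header, footer) in SIGNATURES.items():
            pos = data.find(header)
            while pos != -1:
                end = data.find(footer, pos + len(header))
                complete = end != -1
                stop = end + len(footer) if complete else len(data)
                blob = data[pos:stop]
                findings.append({
                    "type": kind,
                    "offset": base + pos,   # byte offset in the image
                    "length": len(blob),
                    "complete": complete,   # False: header found, no footer
                    "sha256": hashlib.sha256(blob).hexdigest(),
                })
                pos = data.find(header, stop if complete else pos + len(header))
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    image, allocated = build_demo_image()
    print("image sha256:", hashlib.sha256(image).hexdigest())
    for finding in carve_unallocated(image, allocated):
        print(finding)
```

The live PDF in the allocated block is not reported, the deleted JPEG is recovered whole with a hash that can go into the evidence log, and the deleted PDF is flagged as incomplete because its tail is no longer present.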

Flexible Model

A generic model for computer forensics should be flexible, reliable, and

scalable since it must respond to the requirements of new challenges and threats.

Computer security is a rapidly evolving field that requires the application of innovative and

creative strategies. New tools and applications must be developed along with

administrative and legal procedures (Volonino & Anzaldua, 2006: Pg 193). Such a

strategy helps to create proficiency and competence in the computer forensics

environment. Computer forensics investigators must follow a set of procedures that help

to create superior outcomes. The generic model described in this report details the steps

which an investigator must pursue during analysis and assessment of cases.

Protection

Computer forensics investigators must ensure the safety of the computer system from

intentional or unintentional destruction. This process is crucial for preservation of digital

evidence because it helps in the resolution of criminal and civil cases. Specific threats

could include hackers or intruders attempting to tamper with or alter the data. This creates

high levels of risk during the legal process as tampered evidence might not be sufficient

to resolve cases (Volonino & Anzaldua, 2006: Pg 154).



Inspection and Analysis

Computer forensics investigators must have the required skills to successfully analyze

and assess the evidence. This step is crucial because the investigators must find all types

of files that are present in the system. Such a step can occur only if the experts are trained

in a variety of tools and applications. They must be able to demonstrate a strong

commitment towards excellence and quality (Volonino & Anzaldua, 2006: Pg 154).

Training of computer forensics investigators must be undertaken by using a number of

performance measurements and objectives.

Recovery, Reveal and Access

Computer forensics investigators must be able to recover deleted files in an efficient and

effective manner. They must be skilled in the process of deducing the content that is

present in deleted and hidden files. Such a strategy should lead to the success of the

program. They must be equipped with specific competencies that can be used to ensure

quality and standard in the discipline (Volonino & Anzaldua, 2006: Pg 154). Computer

forensics investigators must be able to apply critical thinking and analytical skills for the

success of the approach. The utilization of smart strategies is crucial for creating

conclusive results during the investigation process. Collection, examination, analysis, and

reporting are key components of preparation. They seek to obtain evidence in an efficient

and effective manner. They strive to create an environment in which superior outcomes

can be attained through the development of various approaches.



Analysis, Reporting and Testimony

Computer forensics investigators must be able to successfully analyze and assess the

various components of the digital evidence. Relevant information should be properly

documented and reported in an efficient and effective manner. This strategy helps to

create a collaborative framework in which the objectives can be attained. The

development of a logical and rational approach helps to produce excellent outcomes in

the process (Bryant, 2008: Pg 154). The final task for computer forensics investigators is

to provide testimony in criminal or civil cases. This is an important competency for

investigators because it helps to resolve cases. The testimony can play a conclusive role

in the development of smart and prudent approaches.

Jurisdictional Issues

Countries throughout the world need to resolve the jurisdictional issues that can occur

inside their territories. The difference between national and local laws needs to be

resolved in a systematic and logical manner. A robust framework will help to remove

ambiguities and vagueness in the process (Brown, 2006: Pg 123). Computer forensic

investigators need to adhere to several standards during the digital evidence collection

process. Unallocated file space needs to be investigated and assessed during the entire

process. This is due to the fact that any data which is deleted remains in the unallocated

file space. Information contained in such space can provide valuable information which is

crucial for the investigation process. Several types of temporary files might be stored in

the computer. It will lead to the development of a legal system that is tuned to the

problem of resolving the issue (Brown, 2006: Pg 123). Computer forensics investigators

need to be equipped with the legal safeguards that can enable them to conduct research in

a practical and logical manner. The use of smart strategies will help to create optimum

conditions. The development of an efficient and effective framework is crucial for the

success of different approaches.

Computer Evidence Presentation

There is a need to develop a consensus about the admissibility of computer evidence in

courts. The lack of robust guidelines means that the process has become inefficient and

flawed in many legal systems. The various forms of digital evidence need to be closely

studied and analyzed by the legal experts (Fisher & Kolowski, 2007: Pg 93).

Standards need to be uniform and consistent for evidence like email, video files, and

word documents. Requirements should be based upon current trends and industry norms.

This process will help to create a smart procedure for evidence handling.

Similarly qualified experts must be present in order to create efficient and effective

procedures. A generic model for computer evidence presentation should exist through the

use of strategic initiatives. Privacy regulation is a major factor that needs to be tackled by

using analytical and assessment skills (Fisher & Kolowski, 2007: Pg 93). Evidence

needs to be thoroughly checked for its veracity and authenticity in order to prevent

problems.

Best Practices Guide

Computer forensics is a rapidly changing field with the advent of new threats and

technologies. The expertise of senior personnel should be used as the criteria for creating

a best practices guide. Such a guide would help in the collection, analysis, preservation,

and presentation of the evidence. It would create innovative and creative industry

standards that can be used to resolve problems (Britz, 2004: Pg 102). An international

methodology for computer forensics is essential for the success of the discipline. This

will help to remove legal problems that are often encountered in the courts. The

development of reliable and uniform measures is crucial for the success of the approach.

The best practices guide should be frequently updated in order to meet the challenges of the

twenty first century. A robust formula for success can ensure that appropriate measures

will be adapted (Fisher & Kolowski, 2007: Pg 93). There is the need to focus on

efficiency and effectiveness. Such an approach leads to the development of smart and

prudent approaches. It creates a powerful framework for efficiency and effectiveness.

Appropriate standards will help to create a powerful framework that can be flexible and

innovative. The use of several approaches is recommended in order to develop a

collaborative network for smart outcomes.

Computer Literacy in the Legal Sector

A crucial aspect of the strategy to develop a generic model must be the creation of

computer literacy in the legal sector. Lawyers and judges need to be aware of the

fundamentals of the field. This will help to create a realistic and correct approach towards

computer forensics (Heizer & Kruse, 2002: Pg 23). It would lead to the development of a

collaborative framework in which efficiency and effectiveness can be attained. Further it

would lead to the development of smart and prudent objectives. It would help to create

high levels of efficiency and effectiveness. It would lead to smart objectives in which the

goals would be accomplished by using a systematic and logical approach. Collection,

examination, analysis, and reporting are key components of preparation (Heizer & Kruse,

2002: Pg 23). They seek to obtain evidence in an efficient and effective manner. They

strive to create an environment in which superior outcomes can be attained through the

development of various approaches. The investigation stages should provide a complete

range of activities which are vital for the success of the generic model. The basic

standards should be uniform and consistent in recognition with consensus taken from the

international community. Appropriate policies and procedures should be implemented as

a means of ensuring smart investigations. The training of employees should be conducted

in a vigorous and authentic manner (Volonino & Anzaldua, 2006: Pg 193).

Confidential Records and Business Systems

Evidence collection needs to be strengthened by using a logical and developed

framework. The use of multiple strategies will help to create a collaborative framework.

It would remove uncertainty in the process through the development of correct

proceedings. It would lead to a legislative mechanism which can be used for proper

management and planning (Heizer & Kruse, 2002: Pg 23). Law enforcement departments

need to be provided with adequate safeguards that would enable them to fight crime using

computer forensics. The development of a collaborative structure is crucial for the

success of the entire program. The use of multiple strategies has been recommended as a

means of attaining excellence in the business environment. Several approaches need to be

applied as a means of resolving problems. Computer forensic investigators need to adhere



to several standards during the digital evidence collection process. Unallocated file space

needs to be investigated and assessed during the entire process (Volonino & Anzaldua,

2006: Pg 193). This is due to the fact that any data which is deleted remains in the

unallocated file space. Information contained in such space can provide valuable

information which is crucial for the investigation process. Several types of temporary

files might be stored in the computer. This provides a set of robust tools at the disposal of

the computer forensics investigator.

Criminal Prosecution versus Civil Trial

This generic model recommends that policy makers conduct research into the issues that are

faced in criminal prosecutions and civil trials. It is important to understand the

differences so that different guidelines can be developed. Further there is the need to

define computer forensics in a broad and comprehensive manner. Many corporate

organizations seek to deter intruders and implement adequate safeguards in their

computer systems (Nelson, Phillips, Enfinger & Steuart, 2004: Pg 67). The key

stakeholders need to be engaged in differentiating the processes of criminal prosecutions

and civil trials.

Privacy Issues and Workplace Surveillance

Privacy remains a major issue in the developed world that has adequate safeguards

against interference and violation of personal rights. This creates a level of ambiguity in

computer forensics. There is the need for creating permissible behavior that will be

used for legitimate purposes. Computer forensics needs to be conducted in a proficient



and competent manner (Mandia & Prosise, 2001: Pg 102). Employees' privacy rights

should be respected by using a dynamic and smart approach. There should be no breaches

because there is the need to adopt a balance between security and privacy. Safety

measures need to be taken during the collection and extraction of data from computers.

Access and Exchange of Information

Information accessibility and exchange between various organizations is essential for the

success of a generic model. There is the need to ensure that privacy and confidentiality of

the clients can be protected in a safe and transparent manner. Further there is the need to

ensure that the private sector will cooperate with law enforcement officers and

departments (Nelson, Phillips, Enfinger & Steuart, 2004: Pg 67). An integrated effort

should be applied for the development of strategic initiatives in computer forensics.

Private organizations must be given adequate guidelines about their duty to collect and

access information. This is done in order to protect the privacy of consumers.

International Cooperation

This is the key to success in computer forensics when developing a generic model.

International conventions and protocols need to be studied and analyzed in a systematic

manner. Such an approach helps the development of universal standards as law

enforcement departments can easily exchange and access information (Ciardhuáin, 2004:

Pg 54). Since cyber crime is cross border in nature, international cooperation is valid for

the success of the program. The internet traverses conventional boundaries hence flexible

protocols should be developed for overcoming problems that international agencies might

face during cross country investigations. This means calling for interoperability in digital

evidence collection procedures. The laws about information exchange and accessibility

by foreign agencies should be made clear and transparent (Solms & Lourens, 2006: Pg

90). The development of a smart framework is crucial for the success of innovative and

creative approaches. Free exchange of information between nations should be based upon

local interests and guidelines. Computer forensic investigators need to adhere to several

standards during the digital evidence collection process (Solms & Lourens, 2006: Pg 90).

Unallocated file space needs to be investigated and assessed during the entire process.

This is due to the fact that any data which is deleted remains in the unallocated file space.

Information contained in such space can provide valuable information which is crucial

for the investigation process. Several types of temporary files might be stored in the

computer. Computer forensics as a field has been growing at exponential rates in many

countries. A collaborative framework needs to be established for resolving problems by

devising standardized protocols and procedures. Computer Forensics departments

throughout the world need to exchange and access information with each other. This

approach will produce a force multiplier as it will help to combat the diverse nature of

threats that are faced by computer forensics investigators. The development of a complete

strategy is essential for the success of the entire program. Several strategies need to be

implemented in order to create an efficient and effective approach. The development of

smart strategies is crucial for creating an optimized effort against the entire array of

threats. The widespread international implementation of computer forensics will create a

reservoir of diversified expertise (Ciardhuáin, 2004: Pg 54). This can be utilized in the

fight against various threats. It can create optimized solutions that are flexible and

reliable instead of adopting a conservative attitude. A holistic model for computer

forensics needs to be devised through the use of effective and efficient strategies. The

development of a comprehensive approach is critical for the success of the entire

program. The use of different strategies has been recommended as a means of measuring

success and excellence in the field (Ciardhuáin, 2004: Pg 54).



References

Baryamureeba, V. and Tushabe, F.: The Enhanced Digital Investigation Process Model,
Digital Forensics Research Workshop, 2004.

Carrier, B. and Spafford, E.H.: Getting Physical with the Investigation Process,
International Journal of Digital Evidence, Fall 2003, Volume 2, Issue 2, 2003.

Casey, E.: Digital Evidence and Computer Crime, 2nd Edition, Elsevier Academic
Press, 2004.

National Institute of Justice. Results from Tools and Technologies Working Group,
Governors Summit on Cybercrime and Cyberterrorism, Princeton NJ, 2002.

Reith, M., Carr, C. and Gunsch, G.: An Examination of Digital Forensic Models,
International Journal of Digital Evidence, Fall 2002, Volume 1, Issue 3, 2002.

Ciardhuáin, S.O.: An Extended Model of Cybercrime Investigations, International
Journal of Digital Evidence, Summer 2004, Volume 3, Issue 1, 2004.

Van Solms, S.H. and Lourens, C.P.: A Control Framework for Digital Forensics,
IFIP 11.9, 2006.

Nelson, B., A. Phillips, F. Enfinger, and C. Steuart. Guide to Computer Forensics and
Investigations. Canada: Thomson, 2004.

Mandia, K. and C. Prosise. Incident Response: Investigating Computer Crime. California:
McGraw-Hill, 2001.

Steinke, G. "A Task-Based Approach to Implementing Computer Security," Journal of
Computer Information Systems, 38:1, 1997, pp. 47-53.

Vacca, J.R. Computer Forensics: Computer Crime Scene Investigation. Hingham, MA:
Charles River Media, 2002.

Forcht, K.A. and W.C. Ayers. "Developing a Computer Security Policy for
Organizational Use and Implementation," Journal of Computer Information Systems,
41:2, 2001, pp. 52-57.

Heizer, J. and W. Kruse. Computer Forensics: Incident Response Essentials. Boston:
Addison-Wesley, 2002.

Britz, M. T. (2004) Computer Forensics and Cyber Crime: An Introduction. Pearson
Prentice Hall

Brown, T.L.C (2006) Computer Evidence Collection & Preservation. Charles River Media

Bryant, R (2008) Investigating Digital Crime. John Wiley & Sons, Ltd

Volonino, L. & Anzaldua, R. & Godwin, J. (2006) Computer Forensics: Principles and P

Fisher, B & Fisher, D & Kolowski, J (2007) Forensics Demystified: A self teaching
guide. McGraw-Hill

Bibliography
DiGregory, K. V. Statement to the United States Department of Justice before the
Subcommittee on the Constitution of the House Committee on the Judiciary on the
Fourth Amendment and the Internet,
http://www.usdoj.gov/criminal/cybercrime/inter4th.htm, April 6, 2000.

Forcht, K.A. and W.C. Ayers. "Developing a Computer Security Policy for
Organizational Use and Implementation," Journal of Computer Information Systems,
41:2, 2001, pp. 52-57.

Foroughi, A. and W.C. Perkins, "Ensuring Internet Security," Journal of Computer
Information Systems, 37:1, 1997, pp. 33-38.

G8 Online: An Online University-Level Course About the G8 and its Annual Summit,
http://www.g8online.org.

Gottfried, G. "Taking a Byte Out of Crime." Network, 2001, p. 90.

Heizer, J. and W. Kruse. Computer Forensics: Incident Response Essentials. Boston:
Addison-Wesley, 2002.

Kros, J.R., C.B. Foltz, and C.L. Metcalf. "Assessing & Quantifying the Loss of Network
Intrusion," Journal of Computer Information Systems, 45:2, pp. 36-42.

Lam, C.C. U.S. Department of Justice, Southern District of California,
http://www.usdoj.gov/criminal/cybercrime/okeefeArrest.htm, press release, September
29, 2003.

Mandia, K. and C. Prosise. Incident Response: Investigating Computer Crime. California:
McGraw-Hill, 2001.

Nelson, B., A. Phillips, F. Enfinger, and C. Steuart. Guide to Computer Forensics and
Investigations. Canada: Thomson, 2004.

Seymour, J. and E. Robinson. "International Viruses and the Computer Network,"
Journal of Computer Information Systems, 35:1, 1995, pp. 23-27.

Steinke, G. "A Task-Based Approach to Implementing Computer Security," Journal of
Computer Information Systems, 38:1, 1997, pp. 47-53.

United States Department of Justice. Field Guidance on New Authorities That Relate to
Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001.
http://www.usdoj.gov/criminal/cybercrime/PatriotAct.htm.

Vacca, J.R. Computer Forensics: Computer Crime Scene Investigation. Hingham, MA:
Charles River Media, 2002.

Villafania, A.F. "Philippine Government Agencies Eye Computer Forensics,"
WashingtonPost Newsweek Interactive, 2002, NWSB02142004.
