Case Study: Digital Forensics


Digital forensics provides an approach to both investigating and recovering data on digital devices. Often associated with computer crime, the approach is used in criminal law as well as in private investigations. The digital forensics process seeks to uncover evidence related to a crime through three distinct stages: the acquisition of evidence, the analysis of that evidence, and the reporting of that evidence. While each computer- or digital-device-related investigation is different, the approach usually follows a systematic pattern of trying to recover lost or deleted files from the computer registry and conducting a thorough search of the keyboard.

It is appropriate for digital forensic methodology to be used to determine whether the employee's system has been hacked. Determining whether the investigation is high risk demands a more complex IT security approach. It can be reasoned that this case is high security and thus, to investigate whether the employee at Canada Canadian Capital and Widget Holdings Inc. has been hacked, a TEMPEST-qualified lab may be needed. According to Nelson et al. (2010), TEMPEST-qualified labs are the costliest in terms of forensic examination and should be "considered only for large regional computer forensics that demand absolute security" (p. 80). It will be beneficial to use metadata analysis and extraction in this particular case. Metadata analysis provides information such as "the dates a file was created, accessed [and/or] modified; the location of a file on a computer or network; the name of the user account through which a document was last saved; [and] address book and identity information of the user account from which an e-mail was sent" ("Digital Evidence Analysis: Metadata Analysis and Extraction," 2013).

The steps that would be taken to see whether the employee's computer has been hacked would be to use an Enhanced Metadata Analysis Tool, which will "identify and extract a wide variety of specific metadata from recovered files in large data sets, summarize file relationships and search for specific terms" ("Digital Evidence Analysis: Metadata Analysis and Extraction," 2013). This will provide extensive information on the last three to four days and beyond, given that the employee noticed the computer running extremely slowly for several days.

Whatever is found on the employee's computer will have to be validated. "Validating digital evidence requires using a hashing algorithm utility, which is designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive" (Nelson et al., 2010). Another interesting aspect of digital evidence collection is connecting remotely using network acquisition tools. These tools vary in their configurations and capabilities, but they allow the examiner to "connect to a suspect computer remotely via a network connection and copy data from it" (Nelson et al., 2010). Once it is discovered that an incident has taken place on the employee's computer, this will be an important tool for preserving anonymity in the workplace while the investigators find out whether this is happening to many employees or was an isolated case.
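As an added illustration (not part of the case study or of the sources it cites), the following Python script combines the two steps just described: it extracts the basic file metadata an examiner records (size and created/accessed/modified timestamps) into a manifest, and it validates the acquired files with a SHA-256 hash so that any change after acquisition is detected. The evidence directory and its two files are constructed inline, and all helper names are hypothetical.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def file_metadata(path):
    """Record the timestamps and size an examiner notes for one file (hypothetical helper)."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {"size": st.st_size, "modified": iso(st.st_mtime),
            "accessed": iso(st.st_atime), "metadata_changed": iso(st.st_ctime)}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in fixed-size chunks so disk images larger than RAM can be validated."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Acquisition step: metadata plus hash for every file under the evidence root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            entry = file_metadata(full)
            entry["sha256"] = sha256_file(full)
            manifest[os.path.relpath(full, root)] = entry
    return manifest


def verify_manifest(root, manifest):
    """Validation step: relative paths whose content no longer matches the recorded hash (or are missing)."""
    changed = []
    for rel, entry in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full) or sha256_file(full) != entry["sha256"]:
            changed.append(rel)
    return sorted(changed)


def demo():
    """Constructed sample: acquire two files, then alter one and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        notes, abc = os.path.join(root, "notes.txt"), os.path.join(root, "abc.bin")
        with open(notes, "wb") as f:
            f.write(b"meeting with widget supplier\n")
        with open(abc, "wb") as f:
            f.write(b"abc")  # SHA-256 of b"abc" is a well-known test vector
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)        # [] : nothing changed yet
        with open(notes, "ab") as f:                   # simulated post-acquisition change
            f.write(b"x")
        tampered = verify_manifest(root, manifest)     # ["notes.txt"]
        return {"abc_sha256": manifest["abc.bin"]["sha256"], "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The manifest is what a report would attach as the record of what was acquired; re-running the verify step later shows whether the evidence set is still the one that was hashed.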

While digital forensics evidence collection can be used to determine if there was an issue of hacking such as in the case of Edward Snowden, there are some obstacles that investigations do encounter such as criminals "changing default location[s] of history files; moving or renaming [a] history file or folder; hiding and/or protecting history files with file system attributes and permissions; [and] formatting the entire hard drive in an attempt to destroy evidence" (Gubanov, 2012). 

These are just a few of the issues that investigators may run into. Reasoning suggests that the criminals, while somewhat knowledgeable about hiding information, are not computer gurus; so it should be easy for the investigators to determine whether the employee's computer was indeed hacked and whether information was handled inappropriately.

References

Digital Evidence Analysis: Metadata Analysis and Extraction. (2013). Retrieved September 3, 2013, from National Institute of Justice website: http://nij.gov/nij/topics/forensics/evidence/digital/analysis/metadata.htm

Gubanov, Y. (2012). Retrieving Digital Evidence: Methods, Techniques and Issues. Retrieved September 3, 2013, from Belkasoft website: http://forensic.belkasoft.com/en/retrieving-digital-evidence-methods-techniques-and-issues

Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to Computer Forensics and Investigations (4th ed.). Boston, MA: Course Technology/Cengage Learning.