The Role Of Crime Scene Technicians

Published Date: 02 Nov 2017

Digital evidence is for example,

A sum of unknown materials – it can only be understood, analyzed, presented with and through tools.

Evidence is only show if items are group together with the support of hypothesis.

Fragile and time sensitive – Easily destroyed or mishandled. (Associates, 2006)

In this chapter explain the key principles of cyber forensics which support the handling of digital evidence in order to preserve its integrity in court for legal use.

For example,

The process of collecting, securing and transporting of digital evidence should not change the evidence itself.

Digital evidence should only be examined by well trained personnel on cyber forensics.

Every process done from seizing, transportation, and storing of digital evidence should be fully documented, preserved and be available for review.

First responders must be caution when seizing digital evidence. Legal proceeding must be follow in order not to break the violation. Search warrant must be issued. Missing or lost evidence in the process of collecting evidence could result into exculpatory evidence. (Justice, 2008)

In the investigation to forensic evidence, few stages are adopted accordingly to get the most original evidence without contamination. Figure 1 explain how the process of investigation on gathering digital evidence works. (boddington, Hobbs, & Mann, 2011)

The few stages are: Preservation of evidence, identification of evidence, select of evidence that is useful, validate the evidence and reconstruct the evidence and get the evidence ready for presentation. (Kerr, Gammack, & Bryant, 2011)

digital evidence.jpg

Figure 1. Investigation in processing stages

Preserving of Evidence

Preserving the evidence is the most crucial stage in the whole investigation, and normally overlook by user, who make use of the shortcut and overlook the correct steps to avoid contamination and loss of evidence. (boddington, Hobbs, & Mann, 2011) Even though a device may not even play a part in the act, but the presence of it at the crime scene is a fact, it may be misuse by person involved which leads to a crucial piece of evidence for crime act. (Marshall, 2008)

To preserve evidence, strategies and procedures are to be made. It is important to contain the crime scene fast and efficiently to minimize the contamination of evidence, and also to reduce business impact. Big organizations should always come out with procedure and measures to minimize the impact that brings to the normal workflow and to maintain it. (Johnson, 2005) Following the right procedure to preserve evidence is also important. Documentation must be made at all times to clearly show how evidence preserved, any evidence should be accounted for at all times. Only cyber forensic trained and experience investigator will be able to advise you on the evidence handling and procedures. (Johnson, 2005)

In a crime scene, the process of preserving evidence is always done by a few people: the first responders, the investigator and the investigate team and specialist who process the evidence. An overall in charge is there to make final decision on how the evidence or scene is to be preserved, in which normally is the senior investigator, through experience knowing the right decision at the right time, it is also important for each personal to know their own role in preserving the evidence. (Shinder, 2002)

The role of first responders

In any case that the evidence is deleting or changing, the first responders should take act accordingly to preserve it. Either using a camera to take photos or to write down on what happens so to be preserve every piece of evidence that is available and be prepared to testify in court. Preserving evidence could also involve disconnecting the computer from the network to prevent any suspect or any form of Trojan or virus to contaminate the evidence. (Shinder, 2002)

The role of Investigators

To Establish the chain of command, the investigator in charge are to oversee the whole process of preserving and collecting of evidence, important decision were to be made by them too. Computers and digital equipment are not to be moved, removed or touch by anyone without the permission of the senior investigator. In any case the investigator in charge is to be absent from scene, he/she must appoint another senior investigator to be temporary in charge and to work closely with him/her till all evidence are secured. (Shinder, 2002)

If the search warrant allows, investigator will direct the search to officer to seize all computer hardware, software, manuals, written notes, and logs related to the operation of the computers.

Maintaining the integrity of the evidence is also part of the investigator’s role as they are to protect the evidence. They are to be well prepared to preserve fragile evidence, duplicate the disks, and do a proper shut down of system to prevent lost of information. The investigator will monitor the whole process of preserving evidence when collecting of evidence is done, prevention measure should also be put into considerations. (Shinder, 2002)

The role of Crime Scene Technicians

They are specifically trained in computer forensics. Having a strong foundation in computer technology with any understanding of how disks are structured, how file systems work, and how and where data is recorded.

Preserving volatile evidence and duplicating disks, shutting down system for transportation, tagging and logging the evidence, packaging the evidence, transporting the evidence and processing the evidence is done by the. (Shinder, 2002)

Chain of Custody

When tendering the evidence during legal proceedings, proof is required about the preserving of evidence to make sure that it is the same as the crime scene before it is preserved. In this case, procedure of documenting every process of how the evidence is preserve is needed. This is commonly referred as the chain of custody, any break in the history of the chain will reduce its reliability, as well as its value. Example of items would be hard drive, storage device, or a forensic image of a hard disk of the suspected hard disk or storage device. If the chain of custody is broken, the court defend lawyer could also use this to be an excuse that the seized image is not reliable and may mislead the truth. The court can then deny the availability of the evidence depending on the break if it is serious or, if not, which in the end may affects the weight of the evidence during examination. (Marcella, 2002) The chain of custody must there in order to proof that the preserve evidence is of the original state of the time of preserved in its original state. It may be tedious to keep the original state of the evidence at crime scene but not impossible, forensics tools and various official methods are used to do it, to retain its validity and value of the evidence on court. To produce digital evidence on court, there will be some challenge expected from the court and opposing legal teams, who will ask to justify the verification of main key issues. (Whitcomb, 2002) These include:

To assure the chain of custody is affirm

Proof that the record is in absolutely perfect condition

Proof of record created by

Proof of record creation

Assured the evidence is real, complete and accurate

Assured that the evidence is confidential

Brief introduction to evidence investigation

Identifying and selecting of evidence is important to a legal case. To put it in a simple form, evidence is something that provides proof to a crime. With good, solid evidence can answer several of the five Ws and an H of security violations: who, what, when, where, why and how. But without evidence, you only have a hunch. Understanding computer evidence is therefore the first step in successfully investigating a security violation. (Solomon, Barett, & Broom, 2005) But before we start to search for digital evidence, we must first define it. Digital data that contains digital evidence in which support our hypothesis of a crime that is being investigated. (Carrier & Spafford, 2005) The primary goal of this phase is to locate, identify objects and selecting the right evidence in which plays a part in the hypothesis of investigation. This help to verify its existence of an event and also to support the hypothesis.

Locate and identify, select, collect and validate of evidence is made up of a few phases: crimes scene data preprocessing, target definition, crime scene data preprocessing, and data comparison. Assuming preserved matters is done. (Carrier & Spafford, 2005)

Even till now, information systems like operating systems, application software, communication protocols, cryptographic primitives are still not secure. (Leiwo, 1999)

Locating and Identify evidence

The main purpose of this phase is to organize and tabulate the data as to reduce time search. It consist of data-mining, file analysis, file recovery, decryption, steganography analysis, as the size of storage is getting bigger and bigger by day, tons of information, files and logs could be written onto the storage itself, to locate and identify those information we want therefore becomes a challenge to us now in the more advance world. By following procedures, investigator is able to locate the evidence they need. And through experience, they will be able to identify the evidence that is suspicious to them on the crime scene.

Selecting evidence

In this phase, it is more about understanding what we are looking for, investigating in and what is needed that is used on a legal case. To target the selected object, in which we determine it. To identify and select object is an ‘’art’’, it based on training, experience and also from the evidence found which support the hypothesis in an investigation. (Carrier & Spafford, 2005) The outcome of this process is also to support you hypothesis and also to identify any alternate hypothesis. This is important because many cases require detail of the exculpatory evidence to be provided on the defending party side to allow them to rebut the prosecution in the later stage. (Stephenson, 2000) Same as any other normal crime, investigation are done to look for answers on when the crime occurs, why it occurs and how it occurs. To select the right evidence, the motive of suspect must also be into consideration, as it consist a wide range from sabotaging, mischief to murder or business warfare depending on what our investigation involves. The ways of the suspect committing the crime also depends on the technical skills, knowledge and mindset of the suspect. Opportunity can be difficult to verify as different circumstances can create different possibility. (Stephenson, 2000) Evidence can also be unreliable as there may be misinterpretation in the evidence shown and therefore wrong or mislead hypothesis is made. (MOSTELLER*, 1989)

Collecting evidence

The next phase is to collect and process the crime scene data objects so that they are categories according to each of their format and characteristics. The time to process will then depend on what type of data is collect and the amount. In the earlier time, a few type of tool is needed to complete this phase, but now with the newer and more updated technologies, this phase can be complete with only one tool, which is why many refer to current tools as "automated." (Carrier & Spafford, 2005)It is also important not to overwrite digital evidence at the point of seizure and during the copying process, as the evidence must be preserved in a most original state for the examination and analysis. (Kerr, Gammack, & Bryant, 2011)

Digital crime scenes have a notion of structure imposed by the storage data structure. We can use the abstraction layers to process the digital data and perform searches. For example, processing the data and search the sectors in a particular partition, processing a file system and viewing the names of every file as ASCII characters. The main search is always depending on what type of investigation we are in and what type of evidence we needed, in order to minimize the effort and time used on unnecessary searches. (Carrier & Spafford, 2005)

Validating evidence

The final phase in the searching process is to validate the data by comparing the processed data object and the target object characteristics to verify its validity. If matched, we can then conclude the object to be evidence. For example, to proof that an email message is being deleted, a confirmation of existence of the deleted email message is needed, and also proofing that the content of the deleted message is not alter by anyone or any process of the system in which everything remain at its original state. (Carrier B. , 2005)During the validating stage, investigator may review the digital evidence at certain sector or location to verify they their evidence is valid and to add on alternate hypothesis to it if any. (Carrier B. &., 2003) As evidence is build on hypothesis with the support of digital evidence, things may be missed out. (Associates, 2006) For example:

Failure to identify the right evidence on the right crime

Failure to collect data when fresh

Failure to label and record all evidence correctly and properly

Failure to locate evidence

This phase is a quite tedious phase as the investigator will have to compare the objects and validate the evidence. (Carrier & Spafford, 2005)

Construct and test arguments

Constructing stage involves analysis of the evidence. Using the evidence gathered, digital, physical or human evidence, to rebuild the crime scene at the state of event that occurs. (Casey E. (., 2002) Evidence that supports the initial crime hypothesis is then compared with the exculpatory evidence to justify the hypothesis for analysis. (Carrier B. &., 2003) This may then change the outcome of the final hypothesis as more evidence is analysis and compared which will also create alternate hypothesis. This is crucial as many jurisdictions require details of exculpatory evidence to be presented to the defending party to let them rebut the cause on later proceedings. (Stephenson, 2000) In short, argument relies on evidence that is valid or non valid for a case; based on the available evidence, the defendant is guilty or innocent of a crime. Legal practitioners use logic to chain up each and every piece of evidence together to increase the trustworthiness and weight of the evidence of a case. The smooth flow of the evidence also plays a part in the worthiness of the evidence which enable the adjudicators and juries to justify the accused whether the accused is guilty or innocent. (Silverstone, 2007)

Toulmin’s argument model is an example of an argument, it consist of a claim which is a statement to ask people to accept instead of giving the person a chance to question. A ground, in this case is data and facts which support your claim, a warrant, to link up with the claim to make it more legit and lastly a backing to give the additional support to the warrant by answering different questions. (Toulmin, 1969)

The importance of hypothesis and alternate hypothesis

Coincidence occurs in everyday’s life, which can alter the course of our lives (MOSTELLER, 1989) and in this case, the crime scene.

Conclusion

In this essay, briefly describes digital evidence, the principles of the investigating and gathering digital evidence. Which consist of preserving of evidence, identifying and locating evidence of present crime, selecting the evidence we need, validate the evidence with valid support, construct and test arguments lastly to present it on court with all supported evidence to justify whether the accused is guilty or not. We understand that in procedure like chain of custody is very important to the evidence, slight change of evidence may result a big change in hypothesis and the final result could be different. So in order to be fair, all digital evidence will need to be done with well trained personnel with experienced to investigate the scene, proper procedure must also be followed to retain the chain of custody, and with experience, to sum up all evidence with hypothesis to create an act of event.