Digital Evidence

Table of content
1. Introduction1
2. Description of Digital Evidence2
3. Principles of Cyber Forensics3
4. Examination of Digital Evidence4
4.1 Preserving the evidence5
4.2 Locating the evidence6
4.3 Selecting the evidence 7
4.4 Analysing the evidence 8
4.5 Validating the evidence 9
4.6 Presenting the evidence 12
5. The Importance of Crime Reconstruction
Hypotheses and Alternate Hypotheses 14
6. Conclusion 15
References 16
1. Introduction
With the rapid development of information technology, most countries improve and develop their communication networks, empowering quicker and less demanding systems administration and data trade. Nowadays, there are about 2 billion web clients and in excess of 5 billion cellular telephone connections worldwide. Consistently, 294 billion electronic mail and 5 billion telephone messages are traded. Most individuals now rely on upon predictable access and exactness of these communication channels. As organizations and social gradually rely on internet-based and computer networking, digital attack and cybercrime occurrences have expanded as far and wide as possible.
To solve a crime, forensic investigators mostly cooperate with police. They have to create a crime scene sketch, including the digital evidence, victims, and other objects that critical to the set-up. The investigators need to figure hypothesis about how the wrongdoing occurred and how the evidence focuses to that hypothesis.Social networking, instance, text messaging and electronics mail are information that can be obtained from electronic devices and used very effectively as digital evidence, which can demonstrate basic in supporting the indictment of diverse sorts of crimes. It is extremely important to execute a proper examination on digital evidence to ensure its reliability for presentation in court.
2. Description of Digital Evidence
Digital evidence is defined as any informationsaved ortransferred in binary form using a computer or electronic device that supports or disproves a legal element orrequirement.(National Institute of Justice (U.S.), 2008, p. ix).
Digital evidence can be obtained when electronic devices are seized and secured for examination. It can be hidden, which cannot be seen in nature state, like DNA evidence. Besides, it crosses jurisdictional borderswith ease and speed. Perhaps, digital evidence can be strengthen and damaged with little effort. Also, it is time sensitive and constantly changing(National Institute of Justice (U.S.), 2008, p. ix).
Digital evidence can be categorised, associated, and individualized in several ways.
One of the ways to classify digital evidence is by the contents of the evidence. E-mail message presented as their confirmation of content are documentary evidence to classify it and to determine which computer it came from. Another wayis by function. This is when the functionality of a program is examined. A program that appears to be helpful but adversely allows computer being cracked is defined as a Trojan horse program.Additional, digital evidence can be categorised by characteristics. File names, date stamps, message digestsand other sorts of system data used to reconstruct sequence of event are circumstantial evidence.
3. The Principles of Cyber Forensics
Each jurisdiction has different principles of cyber forensics. In United Kingdom, there are guidelines issued by Association of Chief Police Officers (ACPO)that are usually followed by examiners for the authentication and integrity of evidence(Association of Chief Police Officers of England & National Hi-Tech Crime Unit (Great Britain), 2003, p. 4). The ACPO Guide Electronic Evidence is built upon four main principles:
Principle 1
Actions taken to secure and locate digital evidence should not change the integrity ofthe evidencewhich may consequently be presented in court. In other words, the evidence handed over to court must be matched with the original evidence gathered from the device.
Principle 2
In distinctive situationwherea user finds it is necessary to access original data in a digital deviceor storage media, hemust be knowledgeable to do so and be able to provide evidence on the pertinence and suggestions of the process in retrieving the data;
Principle 3
Activity that associates the seizure, investigation, storage, or transmission of digital evidence should be created and preserved. In order to achieve the same result, an independent third partyought to have the capacity to repeat those;
Principle 4
The person who takes the responsibility on the investigationshould be well-trained for guaranteeing that the law and these standards are adhered to.
4. Examination of Digital Evidence
Figure 1 shows the processes used to investigate digital evidence. Examination of digital evidencefluctuate relying upon technical factors which includes the type of computing or communication device, whether the examination is in a criminal, civil, business, military, or other connection, and case-based elements,for example, the particular claims to be examined. In spite of these varieties,there is a measure of likenessbetween the ways examination of digital evidence are attempted that congruitiesmay be seen from alternate points of view, with the essential ways being transformed, standards, and strategy.

Figure 1. Evidence processing stage (Boddington, Hobbs, & Mann, 2008)
4.1 Preserving the evidence
Preservation of digital evidence is a discriminating initial move to expand the possibilities of an effective investigation. This process ensures the chain of custody not broken by preserving the integrity of the digital evidence (Kruse &Heiser, 2001, p. 9). It is critical to make the evidence presented at trial is the same evidence gathered at the crime scene, and that access was controlled and archived, to prevent for a guard lawyer effectively contend that the evidence was messed around with while it was in custody.
There are some other ways to safeguard the Chain of Custody (Carrier &Spafford, 2003, p. 8):
Duplication of important data
Safe-keeping of original data
Analyse the copy so that investigators can restore the original data if required
Reduce the quantity of collectionsproduced during live analysis asthe evidence might be overwritten in unassigned space
Reduce the number of individuals handling the evidence, either for transportation or storage.
Open files carefully on a suspect system during live analysis to prevent data frombeing modified, such as the last access time
Ensure that all the names, identification numbers, and dates are listed correctly on the chain of custody documents.
Seal the evidence packagingproperly to prevent disclosure and also marked prior to submission.
Signatures or secure receipts are required upon transfer of evidence.
There are some techniques used in preservation of digital evidence. One of the techniques is use of a writer blocker, which can ensure the assurance of the information chain of custody (Christopher, 2009, p. 64). A write blocker is a device that allows read-only access to information storage devices without conceding the integrity of the information. In other words, the writer blocker prevents the original evidence drive from being overwritten.
Another technique in preservation evidence is use of Hash Code, a scientific formula that provides a special outcome when applied to a digital file (Cardwell, 2007, p. 57). The hash code for every area of the suspicious drive is processed a few times throughout the imaging methodology. It is processed on the primary disk before being copied on the image document as it has been taken, and repeated after the image has been taken. Every one of the three must be indistinguishable for the image to be substantial. On the off chance that the hash code of the image does not tally with the hash code of the primary drive, another image must be taken, becausehash codes which is not matched show that the image made was not an accurate match of the original drive. EnCase and Forensic Tool Kit is used to re-process the hash code when an image is opened (Casey, 2002, p. 57). If the result shows that the hash code is matching, it means that the original digital file is not modified.
4.2 Locating the evidence
The following step is to select the evidence to investigate the hardware devices which store the evidence, from electronic files, email, image files, user access logs, rootkit files and so on. During investigation, it is important to locate evidence that both support and refutes the hypothesis(Carrier &Spafford, 2003). In other words, everything that supports the hypothesis of how the attack occurred, from the root it originated, and what happened to the victim is needed to be collected, followed by everything that contradicts the theories.
There are a lot of challenges that the forensic investigator will face while running the investigation to locate relevant evidence. Hence, adequate skill of criminal or civil case, technical expertise, and investigative knowledge are required to locate the digital evidence.
One major issue that confronts cyber forensic in obtaining all the evidenceis the pervasiveness of computing networks(Casey, 2004). There should be a problem for collecting evidence from computer located in other countries even though the international agreements allows digital evidence exchange. Besides, investigators have to preserve the digital evidence speedilyas the data is easily altered or deleted from the network. Also, digital data stored in volatile computer memory isunable to be retrieved after a certain period. Log files may only be kept for few days because of their volume. The difficulty of finding pertinent evidence will be increased due to the large volume of data involved in investigating network-based crime.
In addition, Steganography (Casey, 2004, p.341)and information hiding are other challenges that confront the investigators. Investigators will encounter problems to confirm the presence of hidden data, making it more difficult to retrieve them. Forensic investigator will face many challenges such as encrypted files, password, large data set, email, rootkit files, and so on.
In order to increase the efficiency of the investigation at this stage, a variety of forensic toolkits and methods such as data-mining, file system analysis, file recovery, decryption and Steganography analysis can are used. These methods help the investigators in filtering irrelevant data and identifying hidden or deleted evidence, which is then improved through monotonous, lengthy and repetitive processes trying to reproduce the crime scene to the max.
4.3 Selecting the evidence
After locating the evidence, the process of selecting digital evidence is attempted. In attempts to analyse what can be considered as the truth of the incident, managers should seek legal assistance to assess evidence based on cases. Selection of evidence includes dissection of the located evidence to figure out what occasions happened in the framework, their importance, and probative quality to the case (National Institute of Justice (U.S.), 2008, p. 29). Using digital evidence will help investigators to get a better understanding of what happened (Casey, 2002).Supportive evidence is collated along with the exculpatory evidence, resulting in a more refined hypothesis, or a hypothesis change. An alternative hypothesis should be identified here as well. This is pivotal for guarding gathering to refute the indictment 's case throughout later processes, as numerous wards oblige points of interest of exculpatory confirmation to be supplied.
File system analysis is one of the techniques in selecting the evidence. It examines the data in a volume and also interprets them as a file system(Carrier, 2005, p. 129). Through this method of examination, the data will be listed in a directory. Besides, those deleted files can be recovered. There are five categories of file system analysis, file system, content, metadata, file name and application, as shown in Figure 3.
File system category holds the general file system, and helps the investigators to locate data in other categories (Carrier, 2005, p. 130). Content category holds the actual content of a file. Most of the data can be searched in this category. Metadata holds the data that describe the files, such as the file content, date, its size, its type and also access control information. File name category holds information of all the file names. This information can be searched in the content of a directory and a list of document names with the relating metadata address. Lastly, application category holds information with special feature. These information help in forensics investigation without required for writing and reading a file.

Figure 3.Interaction between the five data categories(Carrier, 2005, p. 129)
4.4 Analysing the evidence
Analysing the evidence is the process of examination after the digital evidence has been obtained and verified. In crime investigations, the investigators focus on the motives, means and opportunity for suspects to commit the crime (Stephenson, 2000, p. 96). Motives vary from internal to external threats,from curiosity to money, power, or revenge. Means may differ according to the technical skills and abilities of criminals and their capability to get to focused on the system. Opportunity is very hard to be pinpointed and as a result, it is essential not to attempt to tie the time of the crime to the time it was found.
There are few methods which are used to analyse the digital evidence. One of the methods is Associational Analysis. On using some graphic tools, investigators are able to model the relationships, whether is between people, organisations or transactions.
A temporal analysis tool is used to organise the flow of events or data over time (Gladyshev & University College Dublin, 2004, p. 21). It is different from Association Analysis, temporal analysis tool allows investigators to visualise the relationship between time and some other entity.
4.5 Validating the evidence
Digital evidence can be altered deliberately or not deliberately, thus, complicating the chain of key events. Hence, validating the evidence, which determines validity of evidence, is a process in organizing the digital evidence for a lawful case. At this process of examination, the examiner will probably return to the previous stages to look for confirmation of validity issues and to create new lines of examination as circumstances direct (Carrier &Spafford, 2003, p. 9).
Figure 4 shows a chain of evidence based on the presented evidence consisting of unrefined facts from which a uncertain hypothesis can be constructed. For instance, with the digital evidence contribution to reconstruction of evidence, it shows that the person may have use a digital device in order to download unlawful substance from the Internet.

Figure 4.Chain of Evidence(Boddington, Hobbs, & Mann, 2008)

Figure 5. Validating the digital evidence (Boddington, Hobbs, & Mann, 2008)
Figure 5 shows the basic process for validating the digital evidence. There are a arrangement of prompts which confirms if the evidence is substantial. Every prompt has three possible responses. However, there should be only one response each time. ‘Yes’ represents that the evidence is valid and it is retained, ‘no’ represents that the evidence is not valid and it is rejected, while ‘unclear’ represents that the evidence is not clear and further explanation required. If the result repeats to be prompted as "unclear",the process will be terminated at that point, and the evidence either is retained or rejected based on the available validation evidence.
Figure 6 shows the decomposition of evidence through validation process. Investigators will evaluate every assertion, and then they will decide if it is confirmed or negated by other assertions of evidence. Example, in Figure 5, the Assertion “1” is determined if it is confirmed or negated by Assertion “2” and “3”. Assertions areneeded to be further confirmed by other available evidence, until interpellation is strong enough to support Assertion “1”.

Figure 6. Decomposition of the evidence through validation process(Boddington, Hobbs, & Mann, 2008)
4.6 Presenting the evidence
Presenting the evidence is the last stage of investigation of digital evidence. Before digital evidence may be conceded in court transactions, investigators must always well-prepared to answer those inquiries which associated with the forensics software used. in other words, investigators have to ensure that they are able to validate the reliability of the forensics tool (Technical Working Group for Digital Evidence in the Courtroom, National Center for Forensic Science, & National Institute of Justice (U.S.), 2007, p.26). There are some interrogation has been established for investigators to prepare for presenting the evidence, as below:
•How to use the tool or equipment?
•Who used it?
•Where was the information obtained?
•How was the information validated?
•What are the benefits and drawbacks of the evidence?
•Are there preference explanations?
•Has this analysis technique or theory been reliably tested?
•What is the known or potential rate of error of the technique?
•Has this technique been subjected to peers ' assessment?
•Is this technique established in general?
These questions are very frequent because the legal profession and judiciary always enrich their knowledge to more familiarize with digital evidence. If investigators are unable to persuade the court of the reliability of the software used , it will result a reasonable doubt with the resultant release of the master evidence.
Before entering the courtroom for a trial, the investigators have to make sure that the computers used for presentation function properly. Besides, the investigators need to confirm that sufficient and proper equipment is presented and in working order, and that cabling and functional outlets are in set up. Court security must be informed that there will be special equipments going to be used in the courtroom.
While presenting the evidence, the investigators need to have clean copies of exhibit. Besides, they need to make sure that they have enough time for setting up. A sufficient court record by completely describing referenced exhibits should be constructed. The investigators are advised not to express how smart they discover the evidence, as judgment towards the case is depend on the evidence if evidence is effectively communicated to those who decide the final (Kerr, Gammack, & Bryant, 2011, p. 48).
5. The Importance of Crime Reconstruction Hypotheses and Alternate Hypotheses
A hypothesis is an assertion, or an idea, which can be formulated to represent the basic function of predicting the final outcome of the examination. The alternative hypothesis cannot be waived as it includes all possible cases which are not examined for the stated hypothesis (Casey, 2004, p. 206).
Not considering the alternative hypothesis mayshow inclination from the examiners. It may demonstrate that even before the results are known, there was at that point a proposition not to consider all sides. As a result, the examiner may not come out a correct statement, by demonstrating something that has been set by them, instead of permitting the information to show all conceivable conclusions or results.
Figure 7 shows a Toulmin Model of Argument. Toulmin’s model, a effective process, helps in hypothesis and presentation of digital evidence(Toulmin, 2003). There are six aspects of argument:
Claim is the root of the argument. The claim may be clearly expressed at the start or end of a contention, or some place in the center, or it may not be expressed anyplace. Data gives the evidence, suppositions, thinking, samples, and genuine data around a claim.
Warrants are presumptions, general standards, assemblies of particular orders, broadly held qualities, normally acknowledged convictions, and appeals to human intentions. Most warrants are not expressed in an argument.
Backing is audience specific and it overcomes any and all hardships between the creator 's warrant and the audience 's judgement.
Rebuttals create what isn 't right or unsatisfactory about an argument and they may present arguments that speak to distinctive perspectives.
Qualifiers are words all through the argument that measure the argument. A few cases include: dependably, never, is, are, all, none, and totally, dependably and never show signs of change to off and on again, is and are change to may be or might, all progressions to numerous or some, none changes to a couple, and completely changes to presumably or conceivably.

Figure 7.Toulmin Model of Argument (Toulmin, 2003)
As connected in the case close by which is reconstructing a wrongdoing, the more that all conceivable conclusions or results must be considered. This is to guarantee equityin leading the reconstruction process. Henceforth, there is a requirement for both the state and alternative hypotheses.
Reconstruction is the final phase in the forensic investigation process. The importance of reconstructing a crime scene is to preserve its integrity(Lee,Palmbach, & Miller, 2001, p. 3). Reconstruction uses investigative data, wrongdoing scene data, and research facility examination of the physical and pattern evidence. Thereconstruction process has been characterized as one that includes the utilization of both inductive and deductive rationale. This could be a complex undertaking in which numerous sorts of physical proof, patterninformation, analytical results, investigative data, andother documentary and testimonial evidence are joined into one substance.The measure of data that a reconstruction may give is constrained by the above components.The more applicable and correct the information ordered in a specific case, the more noteworthy the risk those reconstruction activities will be of quality to the examination.
6. Conclusion
In this report, I have describe the digital evidence and the principle of the cyber forensic. The integrity of digital evidence is very criticalin the digital process of forensic investigation. There is a guideline issued by Association of Chief Police Officers (ACPO) are usually followed by examiners for the authentication and integrity of evidence.A practical process that a forensic investigator will execute to solve a crime is also presented. Chain of custody is important on how evidence is preserved, located, selected and also analyzed. Validation of digital evidence which is a difficult process for the investigatoris executed to determine its validity. Those processes enable reconstruction, and result in producing hypothesis of the crime.
References
Bauchner, E. (2006). Computer investigation. Philadelphia: Mason Crest Publishers.
Boddington, R. G., Hobbs, V. J, & Mann, G. (2008, 1st - 3rd December 2008). Validating digital evidence for legal argument. Paper presented at the SECAU Security Conferences: The 6th Australian Digital Forensics Conference, Perth, WA.
Cardwell, K. (2007). The best damn cybercrime and digital forensics book period. Rockland, Mass: Syngress.
Carrier, B. (2005).File system forensic analysis. Boston, Mass: Addison-Wesley.
Carrier, B. D., &Spafford, E. H. (2003).Getting Physical with the Digital Investigation Process. International Journal of Digital Evidence.Casey, E. (2002). Handbook of computer crime investigation: Forensic tools and technology. San Diego, Calif: Academic Press.
Casey, E. (2004). Digital evidence and computer crime: Forensic science, computers and the Internet. London: Academic Press.
Chaski, C. E. (2005). Who 's At The Keyboard? Authorship Attribution in Digital Evidence Investigations. International Journal of Digital Evidence.Christopher, L. T. (2009). Computer Evidence: Collection and Preservation, Second Edition. S.l.: Course Technology PTR.
Computer Investigations - ACPO Guidelines.(n.d.). Retrieved from http://www.dataclinic.co.uk/computer-acpo/
Cosic, J., & Baca, M. (2010). (Im)proving chain of custody and digital evidence integrity with time stamp.
Gladyshev, P., & University College Dublin (2004). Formalising event reconstruction in digital investigations. Dublin: University College Dublin.
Kerr, D., Gammack, J. G., & Bryant, K. (2011). Digital business security development: Management technologies. Hershey, PA: Business Science Reference.
Kruse, W. G., &Heiser, J. G. (2001). Computer forensics: Incident response essentials. Boston, MA: Addison-Wesley.
Lee, H. C., Palmbach, T., & Miller, M. T. (2001).Henry Lee 's crime scene handbook. San Diego, Calif: Academic.
Marshall, A. M. (2008). Digital forensics: Digital evidence in criminal investigation. Chichester, UK: Wiley-Blackwell.
Mohay, G. M. (2003). Computer and intrusion forensics. Boston: Artech House.
National Institute of Justice (U.S.) (2008). Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition, April 2008.
Sommer, P., &Sommer, P. (2005). Directors and corporate advisors ' guide to digital investigations and evidence.Information Assurance Advisory Council.Stephenson, P. (2000). Investigating computer-related crime. Boca Raton, Fla: CRC Press.
Tapper, C., & Cross, R. (2007). Cross and Tapper on evidence. Oxford: Oxford University Press.
Technical Working Group for Digital Evidence in the Courtroom, National Center for Forensic Science, & National Institute of Justice (U.S.) (2007). Digital evidence in the courtroom: A guide for law enforcement and prosecutors. Washington, DC: U.S. Dept. of Justice, Office of Justice Programs, National Institute of Justice.
Toulmin, S. E. (2003). The uses of argument. Cambridge, U.K: Cambridge University Press.
United States (1999). Forensic science communications. Washington, DC: U.S. Dept. of Justice, Federal Bureau of Investigation.
Whitcomb, C. M. (1999). An Historical Perspective of Digital Evidence: A Forensic Scientist 's View. International Journal of Digital Evidence.

References: Bauchner, E. (2006). Computer investigation. Philadelphia: Mason Crest Publishers. Boddington, R. G., Hobbs, V. J, & Mann, G. (2008, 1st - 3rd December 2008). Validating digital evidence for legal argument. Paper presented at the SECAU Security Conferences: The 6th Australian Digital Forensics Conference, Perth, WA. Cardwell, K. (2007). The best damn cybercrime and digital forensics book period. Rockland, Mass: Syngress. Carrier, B Casey, E. (2004). Digital evidence and computer crime: Forensic science, computers and the Internet. London: Academic Press. Gladyshev, P., & University College Dublin (2004). Formalising event reconstruction in digital investigations. Dublin: University College Dublin. Kerr, D., Gammack, J. G., & Bryant, K. (2011). Digital business security development: Management technologies. Hershey, PA: Business Science Reference. Kruse, W. G., &Heiser, J. G. (2001). Computer forensics: Incident response essentials. Boston, MA: Addison-Wesley. Lee, H. C., Palmbach, T., & Miller, M. T. (2001).Henry Lee 's crime scene handbook. San Diego, Calif: Academic. Marshall, A. M Mohay, G. M. (2003). Computer and intrusion forensics. Boston: Artech House. National Institute of Justice (U.S.) (2008). Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition, April 2008. Sommer, P., &Sommer, P Tapper, C., & Cross, R. (2007). Cross and Tapper on evidence. Oxford: Oxford University Press. Toulmin, S. E. (2003). The uses of argument. Cambridge, U.K: Cambridge University Press. United States (1999). Forensic science communications. Washington, DC: U.S. Dept. of Justice, Federal Bureau of Investigation. Whitcomb, C. M. (1999). An Historical Perspective of Digital Evidence: A Forensic Scientist 's View. International Journal of Digital Evidence.