Question: Using the internet or online library, find an article, case study, or publication about your favorite topic covered in this computer forensics course
Question:
Using the internet or online library, find an article, case study, or publication about your favorite topic covered in this computer forensics course.
Summarize your findings. Be sure to provide a link to the article, case study, or publication.
SUMMARY: Digital Evidence Management - Mayo (2019)
Digital evidence management in computer forensics is a crucial facet of court preparation, as it affects the relevancy, admissibility and interpretation of digital evidence. Mayo’s (2019) excerpt from Sachowski’s (2015) book ‘Implementing Digital Forensic Readiness: From Reactive to Proactive Process’ sets out the safeguards forensic investigators must follow to ensure that digital evidence presented in court is forensically sound. The first control is to understand and differentiate the types of digital evidence that are admissible from those that are not. Technology-Generated Data, Technology-Stored Data, Background Evidence and Foreground Evidence in any ESI (Electronically Stored Information) are admissible types of evidence. However, it is critical to know that historical legal systems viewed Technology-Generated and Technology-Stored Data and other digital artifacts as hearsay, which rendered digital evidence inadmissible in court. Therefore, digital evidence should be multi-tenant and cross-border, including aspects such as security logs, chats and communication history, to increase its authenticity and trustworthiness.
Again, evidence should be multi-sourced to supplement the pre-existing traditional sources, computers and servers. Today, structured and unstructured ESI can come from cloud computing environments, mobile devices, USB drives and many more. Mayo (2019) identifies log files as one of the most important sources. Digital evidence can be generated from systems and applications through authorization records, errors, continuous security monitoring, use of UTC timestamps, source IP addresses, RAM, browsing history, Registry hives and keys in the OS, caches, external network connections and many more. The author also underlines malicious code such as rootkits and runtime instructions as part of these structured and unstructured sources of ESI. While virtual systems and infrastructure devices have expanded access to evidence beyond the enterprise network to proxies, routers and the like, cloud computing presents a unique challenge in maintaining service-oriented architectures that support forensic capabilities. The dynamic nature of computing has revolutionized the way ESI is stored, shared and transmitted, reducing control over physical assets and thus over the collection and processing of evidence. Cloud computing is still not fully mature, and legal gaps remain in the governance of cloud-based methodologies and techniques. Mobile devices change every day, and this dynamism is also becoming a challenge. A multi-tenant approach is the best solution to address these problems.
When presenting evidence, it is important to understand the federal rules that govern the conclusions derived from the facts. In the 20th century, evidence was governed by case law. Currently, evidence relies on the FRE (Federal Rules of Evidence), first enacted in 1975 and later amended in 2015. For instance, FRE 401 governs relevancy, FRE 901 satisfies the requirement of authenticity, and FRE 803(6) presents the view of ESI as a hearsay exception. The excerpt also highlights that a high-standard Forensics Investigative Model (FIM) must follow four phases: presentation, gathering, processing and presentation.
The cornerstone of evidence management in preparation for court presentation is Evidence Storage Networks (ESNs), the last topic Mayo (2019) covers in this excerpt. ESI has become pervasive across technologies, and gone are the days when computer forensics was limited to a single computer lab. Primarily, two effective contemporary evidence storage solutions exist: Network Area Storage (NAS) and Storage Area Networks (SAN). An effective evidence data storage solution can be achieved by combining both NAS and SAN. However, the author states that Sachowski (2015) recommends an Enterprise Data Warehouse (EDW) to provide timeless integrity and authenticity of digital evidence while leaving zero probability of damage that might render digital evidence inadmissible in court. Thus, the excerpt from Sachowski’s (2015) book ensures that potential evidence can be used in court by providing fact-based technological, physical and administrative controls to ensure the security, relevance, authenticity and integrity of electronic information.
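As an added illustration, not drawn from Mayo (2019) or Sachowski (2015), the following Python sketch shows the kind of integrity and authenticity control the summary refers to: each evidence item is hashed with SHA-256 and recorded in a manifest together with a UTC acquisition time and the examiner's name, and the manifest record is itself hashed so that later alteration of either the items or the record can be detected. The evidence items, file names and examiner name are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(record: dict) -> bytes:
    # Stable serialization so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def create_manifest(items: dict, examiner: str, acquired_at_utc: str = None) -> dict:
    """Hash every evidence item (name -> bytes) and seal the record with its own hash."""
    if acquired_at_utc is None:
        acquired_at_utc = datetime.now(timezone.utc).isoformat()
    entries = [{"name": name, "size": len(data), "sha256": sha256_hex(data)}
               for name, data in sorted(items.items())]
    manifest = {"examiner": examiner, "acquired_at_utc": acquired_at_utc, "items": entries}
    # The seal is computed over the record before the seal itself is added.
    manifest["manifest_sha256"] = sha256_hex(canonical_bytes(manifest))
    return manifest


def verify_manifest(manifest: dict, items: dict):
    """Return (ok, problems); problems lists an altered record, and altered, missing or unlisted items."""
    problems = []
    record = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(canonical_bytes(record)) != manifest.get("manifest_sha256"):
        problems.append("manifest record altered")
    listed = set()
    for entry in manifest["items"]:
        listed.add(entry["name"])
        data = items.get(entry["name"])
        if data is None:
            problems.append(f"missing item: {entry['name']}")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['name']}")
    for extra in sorted(set(items) - listed):
        problems.append(f"unlisted item: {extra}")
    return (not problems, problems)


# Constructed sample evidence (not real case data): a log line and a chat export.
SAMPLE_EVIDENCE = {
    "auth.log": b"2019-03-01T10:15:02Z sshd[1201]: Accepted password for alice from 10.0.0.7\n",
    "chat_export.txt": b"[2019-03-01 10:20 UTC] alice: sending the file now\n",
}

if __name__ == "__main__":
    m = create_manifest(SAMPLE_EVIDENCE, examiner="examiner-01")
    print(json.dumps(m, indent=2))
    print(verify_manifest(m, SAMPLE_EVIDENCE))
```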