Computer forensics involves a series of actions, such as identifying, preserving, analyzing, and presenting digital information, carried out in a manner permitted by law. It is widely accepted that computers play a central role in both computer crime and computer-related crime. When identifying the required digital evidence, the XYZ Company will have to consider the following:
• Actions taken to secure and collect digital evidence should not affect the integrity of the evidence.
• Persons conducting an examination of digital evidence should be trained for that purpose.
• Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review (NIJ the Forensic Examination of Digital Evidence: A Guide to Law Enforcement).
Computer forensics investigators process the digital evidence by assessing it thoroughly, considering the scope of the case, to determine the next action. Improper handling of digital media can damage it, since the media is extremely fragile. XYZ Company forensics investigators should acquire the digital evidence in a manner that protects the integrity of that data (NIJ, Forensic Examination of Digital Evidence: A Guide to Law Enforcement). Tools and techniques that are essential in identifying and collecting this data include authentication, backing up data, file auditing, decryption, data recovery, IP tracking, and document examination (Pladna B., Computer Forensics Procedures, Tools, and Digital Evidence Bags). Authorization must be obtained from the relevant authority before the XYZ Forensic Company investigators access or monitor any information relevant to the computer intrusion. The investigators must also adhere to laws that set requirements for safeguarding the data.
In preparing for the digital evidence search, the XYZ forensic investigators must always be ready before conducting the process. The goal of the search phase is to recognize the digital objects that may contain information about the incident (Dearstyne, June 2006). Success in this process depends on the team's ability to retain the information, plan the response, train and accelerate the investigation, prevent anonymous activities, and protect the evidence (Rowlingson R, 2004).
Forensic investigation readiness must cover two objectives. The first is to maximize the environment's ability to collect credible digital evidence. The second is to reduce the cost of forensics during an incident response. This is necessary if the investigating firm is to reduce the time and cost of a forensic examination, and the efficiency and competency of the whole process must be ensured.
Good forensic readiness offers any organization several benefits. For example, evidence can be gathered to act in the company's defense when it is subject to a lawsuit. Comprehensive evidence gathering can also act as a deterrent to threats from inside the organization. In the event of a major incident, an efficient and effective rapid investigation can be carried out, and action can then be taken with minimal disruption to the organization. A systematic approach to evidence storage can considerably reduce the time and cost of an internal investigation. A well-thought-out approach to the storage of evidence can reduce the cost of any court ruling or legal requirement to disclose data. Forensic readiness can extend the scope of information security to the wider threat from cyber crime, such as extortion, fraud, and threats to intellectual property. It shows due diligence and good corporate governance of the enterprise's information assets. It can demonstrate that regulatory requirements have been met. It can improve and facilitate the interface with law enforcement when it becomes involved. Additionally, it can improve the prospects for a successful legal action. It can provide evidence to resolve a commercial dispute. Finally, it can support employee sanctions based on digital evidence (Rowlingson, 2004).
After the XYZ team has ensured its readiness to tackle the investigation, it must have clear steps to follow in gathering the digital evidence. The general process has four steps: acquisition, identification, evaluation, and admission.
The Acquisition phase ensures that the evidence is gathered in an acceptable manner, with approval from the relevant authority. The Identification phase follows; it involves identifying the digital objects within the acquired evidence and translating them into a form that humans can interpret. The Evaluation phase determines whether the components identified in the previous phase are indeed relevant and can be used as legitimate evidence. The Admission phase, which is the final one, allows the acquired and extracted evidence to be presented in a court of law. For a successful forensic investigation, the XYZ team will have to follow the above steps (Yusoff Y, Ismail R & Hassan Z, 2011).
For the outcomes of the forensic examination to be accepted, proper documentation must be kept. The process involves documenting the digital evidence as it is found. Each piece of digital evidence found in the analysis/examination stage must be clearly documented. The documentation phase records the individual pieces of evidence; it does not create the final incident report, which is produced in the presentation phase (Spafford H. E & Carrier B, 2003). The documentation must be done carefully, since digital evidence exists in many forms. A file, for example, can be documented by its full path name, the clusters in the file system that it uses, and the sectors on the disk that it occupies; for network data, the documentation records the source and target addresses at the various network layers (Spafford H. E & Carrier B, 2003).
Digital evidence can be altered while leaving little trace, so its integrity must be protected. This is done by computing a cryptographic hash value, such as MD5 or SHA-1, for the evidence when it is collected, so that its integrity can later be proven to the court (Spafford H. E & Carrier B, 2003).
Proper storage and chain of custody of the evidence must be guaranteed. The purpose of storage is to secure the evidence for the longer term once it is collected, and to facilitate its retrieval. The storage process is concerned with the long-term storage of information that might later be required as evidence. The XYZ team must ensure that there are physical security measures, such as access control and replication of storage locations. The policy comprises measures to ensure the authenticity of the data and procedures to ensure that the evidence's integrity is preserved whenever it is used. Access to the evidence should be denied unless the user has the appropriate authorization (Sutton, 2012).
At HCC Partners in Life Company, the problem began after a blank e-mail was received, which makes that message the suspected origin of the incident. The drives of the recipient's computer therefore need to be imaged and examined.
In the process of acquiring digital evidence, the first step is the creation of an exact copy of the evidence, often called a bit-stream image. Doing this is valuable for several reasons; one of them is that the image itself may serve as evidence in court.
The investigative XYZ team must access the hard drive of the administrator's computer to create an image. One way of acquiring the hard drive is to remove it from the source computer and connect it to the XYZ team's forensic machine. Since the servers run Windows, the imaging will also be done on Windows. As a result, a write blocker must be used to ensure that no data is written back to the subject's hard drive; without one, Windows would automatically mount the drive read-write. The hard drive is connected to the write blocker, which in turn is connected to the forensic server (Craiger P. J, Computer Forensics Procedures, and Methods). GNU utilities run from the command prompt are used to create the forensic image.
After the forensic image has been created, it is verified by calculating the MD5 hash of the original disk and comparing it with the hash of the forensic image; any difference between the contents of the disk and the image shows up as differing hashes. The XYZ forensic team can also image over the network to avoid removing the hard drive. This requires both computers to have network interface cards (NICs; i.e., Ethernet cards), a network crossover cable, and a bootable Linux CD. The network crossover cable allows the investigators to connect two computers without a hub or switch (Craiger P. J, Computer Forensics Procedures, and Methods).
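A worked example of the imaging and verification steps just described, added here and not taken from the essay or from Craiger's text. It assumes GNU coreutils (dd, md5sum, sha256sum) and a POSIX shell; the source device is a constructed 1 MiB file standing in for the evidence drive, which in a real acquisition would be the block device presented behind the write blocker.

```shell
#!/bin/sh
# Added example: bit-stream imaging with dd plus hash verification.
# Assumptions: GNU coreutils (dd, md5sum, sha256sum) and a POSIX shell.
# SRC is a constructed 1 MiB file standing in for the evidence drive; in a
# real acquisition it would be the block device behind the write blocker
# (e.g. /dev/sdb), and nothing in this script ever writes to it.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/subject_disk.img"    # constructed stand-in for the subject's drive
IMG="$WORK/evidence.dd"         # the forensic (bit-stream) image
LOG="$WORK/acquisition.log"     # documentation of the acquisition step

# Build the constructed source: 1 MiB of 'A' bytes with a marker at offset 4096
make_source() {
    dd if=/dev/zero bs=1024 count=1024 2>/dev/null | tr '\0' 'A' > "$SRC"
    printf 'CONSTRUCTED EVIDENCE SAMPLE' |
        dd of="$SRC" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

md5_of()    { md5sum    "$1" | cut -d' ' -f1; }
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Bit-stream copy. conv=noerror,sync keeps reading past bad sectors and pads
# the unreadable block with zeros so offsets in the image still line up.
# bs must divide the device size (check with: blockdev --getsize64 /dev/sdX),
# otherwise conv=sync pads the tail and the hashes will not match.
acquire_image() {
    dd if="$SRC" of="$IMG" bs=4096 conv=noerror,sync 2>>"$LOG"
}

# Verify: hash source and image with two algorithms and record both in the log.
# MD5 alone is no longer collision resistant, so SHA-256 is recorded beside it.
verify_image() {
    s_md5=$(md5_of "$SRC");    i_md5=$(md5_of "$IMG")
    s_sha=$(sha256_of "$SRC"); i_sha=$(sha256_of "$IMG")
    {
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $SRC md5=$s_md5 sha256=$s_sha"
        echo "image:  $IMG md5=$i_md5 sha256=$i_sha"
    } >>"$LOG"
    [ "$s_md5" = "$i_md5" ] && [ "$s_sha" = "$i_sha" ]
}

# Show that any later change to the image is caught: flip one byte in a copy
# of the image and confirm its hash no longer matches the recorded one.
detect_tamper() {
    cp "$IMG" "$WORK/tampered.dd"
    printf 'X' | dd of="$WORK/tampered.dd" bs=1 seek=4100 conv=notrunc 2>/dev/null
    [ "$(sha256_of "$IMG")" != "$(sha256_of "$WORK/tampered.dd")" ]
}

make_source
acquire_image
verify_image && echo "image verified; hashes recorded in $LOG"
detect_tamper && echo "tampered copy detected by hash mismatch"
```

The log written by verify_image is the kind of record that later has to be produced alongside the image to show the copy was exact at acquisition time.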
Several bootable Linux-based CD-ROMs are available, and most of them are based on the popular Knoppix CD (www.knoppix.com). It contains over 1.7 gigabytes of software on a 700 MB CD because of compression. The utilities on the CD are useful for forensic imaging and previewing. During booting, the software loads itself into a RAM disk and does not access the hard drive of the subject's computer. Knoppix boots into a graphical user interface that gives the investigator read-only access to the hard drives of the subject computer, which is tremendously useful for previewing the contents of the source drive (Craiger P. J, Computer Forensics Procedures, and Methods).
Once the relevant information has been extracted, the XYZ forensic team's analysts should study and analyze the data to draw conclusions from it. This process includes identifying places, people, events and items, and determining how these are related, in order to reach a conclusion. The effort will include correlating data among several sources. For example, a network intrusion detection system (IDS) log may link an event to a host; the host's audit logs may link the event to a particular user account; and the host IDS log may then show the actions that the user performed. Centralized logging and security event management software are examples of tools that gather and correlate such data automatically. Comparing system characteristics with known baselines can also identify various types of changes made to the system (Kent K, Chevalier S, Grance T & Dang H, 2006).
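The three-step correlation described above (network IDS alert to host, host audit log to account, host IDS log to actions), worked through as an added shell example that is not part of the essay or of Kent et al.'s guide. The three log files, their key=value format, and the hosts, addresses and accounts in them are all constructed for the example; timestamps are ISO-8601 UTC so that they can be compared as plain strings.

```shell
#!/bin/sh
# Added example: correlate one event across three constructed log sources.
# Log format, hosts, addresses (documentation ranges) and accounts are all
# made up for this example; timestamps are ISO-8601 UTC, which sort as strings.
set -eu

WORK=$(mktemp -d)
NIDS="$WORK/nids.log"; AUDIT="$WORK/audit.log"; HIDS="$WORK/hids.log"

# Network IDS: links an alert to a destination host
cat >"$NIDS" <<'EOF'
2024-03-02T10:15:03Z nids alert id=1042 sig=suspicious_login src=203.0.113.7 dst=10.0.0.25 proto=tcp
2024-03-02T10:20:11Z nids alert id=1043 sig=port_scan src=198.51.100.9 dst=10.0.0.30 proto=tcp
EOF
# Host audit log: links the host and source address to a user account
cat >"$AUDIT" <<'EOF'
2024-03-02T10:14:00Z audit host=10.0.0.25 user=backup src=10.0.0.5 result=success event=login
2024-03-02T10:15:05Z audit host=10.0.0.25 user=dbadmin src=203.0.113.7 result=failure event=login
2024-03-02T10:15:09Z audit host=10.0.0.25 user=dbadmin src=203.0.113.7 result=success event=login
EOF
# Host IDS log: records what the account did on the host
cat >"$HIDS" <<'EOF'
2024-03-02T10:14:30Z hids host=10.0.0.25 user=backup exec=/usr/bin/rsync event=process
2024-03-02T10:15:40Z hids host=10.0.0.25 user=dbadmin exec=/usr/bin/mysqldump event=process
2024-03-02T10:16:02Z hids host=10.0.0.25 user=dbadmin exec=/usr/bin/scp event=process
EOF

# Print the value of key=value field KEY from each line on stdin
field() {
    awk -v k="$1" '{ for (i = 2; i <= NF; i++)
        if (index($i, k "=") == 1) print substr($i, length(k) + 2) }'
}

# Lines of FILE whose timestamp (field 1) is at or after T and which carry
# every key=value pair given as further arguments
select_after() {
    f=$1; t=$2; shift 2
    awk -v t="$t" -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        $1 >= t {
            ok = 1
            for (j = 1; j <= n; j++) {
                hit = 0
                for (i = 2; i <= NF; i++) if ($i == w[j]) hit = 1
                if (!hit) ok = 0
            }
            if (ok) print
        }' "$f"
}

alert_line()     { grep " id=$1 " "$NIDS"; }
time_for_alert() { alert_line "$1" | cut -d' ' -f1; }
host_for_alert() { alert_line "$1" | field dst; }   # step 1: alert -> host
src_for_alert()  { alert_line "$1" | field src; }

# Step 2: successful logins on that host from the alert's source, after the alert
user_for_alert() {
    select_after "$AUDIT" "$(time_for_alert "$1")" \
        "host=$(host_for_alert "$1")" "src=$(src_for_alert "$1")" result=success |
        field user | sort -u
}

# Step 3: what that account executed on the host after the alert
actions_for_alert() {
    u=$(user_for_alert "$1")
    [ -n "$u" ] || return 0
    select_after "$HIDS" "$(time_for_alert "$1")" \
        "host=$(host_for_alert "$1")" "user=$u" | field exec
}

echo "alert 1042 -> host $(host_for_alert 1042) -> user $(user_for_alert 1042)"
actions_for_alert 1042
```

Alert 1043 resolves to a host with no audit or HIDS entries, so the chain stops at step 1 and the functions return nothing rather than guessing.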
The areas to be investigated for digital evidence on the database administration side include the hardware and software that make up the administration system.
This includes hard drives, CD drives, floppy disks, the operating system, installed software, and many other components. The investigation process, which mainly involves analysis of the collected evidence, can be physical or logical. Logical analysis views the evidence from the perspective of the file system, with the investigation team using graphical tools such as file managers and viewers. In physical analysis, the view is purely physical and no file system is considered (Casey, 2000).
Activities in the analysis process include examining file content, identifying the operating system, and assessing file name patterns. The analysis also correlates files from the installed applications by considering their relationships, for example matching browser history to cache files and e-mail files to e-mail attachments. It also involves identifying unknown file types to determine their value. In this process one examines the user's default storage locations for applications and the file structure. Finally, one should review the user configuration settings (NIJ, Forensic Examination of Digital Evidence: A Guide to Law Enforcement).
After analyzing the database administrator's computer at HCC, the XYZ forensic team will then have to process the database server for further evidence. This is one of the most significant areas to be investigated, since it controls much of what happens within the whole HCC computerized system. In database administration, the goal is to keep the system running while gathering the evidence; in other words, to reduce the number of unauthorized persons who can enter the crime scene. The XYZ forensic team investigators will need to search for the evidence and document the scene. The number of people involved has to be minimized, and those authorized should be trained.
Forensic investigation of the database server will also include making images of its disks. The importance of imaging is that images of evidence can be used in court; they are used when the complete original that constitutes the real evidence is not available.
The investigative team will identify networks, peripherals, disks and software, and use the necessary and available tools and utilities to carry out the forensic investigation of the database server. This requires skilled people who understand their actions, to guard against any loss of information. A proper time plan must be followed. Every result must be recorded correctly and presented to the team leaders for verification.
Any undertaking outside the team's plan must not interfere with the general investigation process. This ensures that the necessary investigation procedures are followed and that the results are accurate, giving a clear basis for presenting the case in court.
In the imaging process, the XYZ forensic team can image the server's disks over the network to avoid removing the hard drive. This requires both computers to have network interface cards, a network crossover cable, and a bootable Linux CD such as the Knoppix-based CDs described earlier. The crossover cable allows the investigators to connect two computers without a hub or switch, and the CD loads itself into a RAM disk at boot without accessing the subject's hard drive, giving read-only access for previewing the source drive (Craiger P. J, Computer Forensics Procedures, and Methods).
Anyone called as an expert witness has to testify, and must prepare for the events and questions he or she is likely to face. Being ready for the anticipated questions is the key to doing well; a prepared witness can handle any challenge the judge might raise. Nowadays, forensic accountants are regarded as forensic experts because they help solve the financial problems experienced in a company. In open court, such advisors are subject to scrutiny from the judge, the court personnel, the attorneys, the jury and the trial spectators (Candilis, Weinstock & Martinez, 2007).
The arbitration panels, judges, or juries charged with resolving financial disputes often know little about financial analysis, budgeting, tax collection, damages or profit. To help address this, anyone who wants to become a good expert witness will benefit from following the steps below.
The first thing to consider is the qualification of the person who wants to become an expert witness. This means reviewing your qualifications, such as career prominence, academic training, requisite knowledge, professional qualification, and experience. The person should have experience in the relevant discipline to serve as a witness in a given case, and should state the limits of his or her competency. Skill is another attribute anyone should have; a skilled expert witness can interact with all parties to a trial.
Secondly, the person should get his or her credentials in order. The Federal Rules of Civil Procedure provide for an expert to disclose his or her identity, professional qualifications, and the issues the opinion will address.
Thirdly, a person has to be realistic about whether he or she is the appropriate person for the job, and should review his or her abilities. Note that a self-serving view of your abilities will not help in dealing with opposing attorneys if you are not truly well versed in the area in which you give testimony. To be a good witness, one should therefore not accept or engage in an area that does not suit him or her; one's qualifications must match the topic of the trial (Brodsky, 1999).
Although expert witnesses are not required to testify from their personal knowledge or experience, they must give their opinions. Another attribute the expert witness should have is in-depth preparation. This means being creative, complete, and professional. The witness should learn the aspects of the various disputes in the field, and should know the protocols and procedures for the witness stand. The expert witness should be able to analyze the background of the issues involved and should review the material the attorneys furnish. Finally, the expert witness has to work closely with counsel to review the rules of the jurisdiction in which the case is pending.
The expert witness must also not let attorneys mold his or her conclusions. When the expert cannot testify to something, or is uncomfortable answering certain questions, he or she should suggest a different approach that can be independently supported. The expert should also think ahead about how to answer the questions asked in the various ways that suit him or her, and should express the information in clear and comprehensible terms.
When the court day arrives, the expert witness should be careful, precise, and truthful in deposition and on the stand. Observing these attributes prevents omissions or mistakes from being used to get the testimony excluded or to embarrass the witness (Barnett, 2001).
Other steps to follow include the use of visual aids, which simply means presenting complex matters with PowerPoint charts or graphs. Again, do not answer ambiguous questions; if you are not able to answer a question, say so and request clarification. The expert witness should also learn to manage his or her exposure: when your testimony has a detrimental impact, the opposing counsel may attempt to destroy your self-confidence. Be patient when there are delays and many motions, which can lead to frustration. Maintain a sense of humor; well-timed humor in the right situations helps an expert witness appear spontaneous and natural.
An expert witness has to know his or her limitations. For example, do not bluff when you do not know an answer, and answer the questions asked by counsel with courage and confidence. Moreover, never forget who is going to decide the case: direct your replies to the jury or the judge, because you are talking to people who base their acceptance and understanding of your testimony on your professionalism.
Finally, do not be defensive or argumentative; avoid showing negative behaviors, however hard that may be.
An expert witness must also observe ethical rules, such as never failing to attend court at the time of trial. If he fails to appear, counsel can sue him, and he may be arrested if found guilty. The expert witness must maintain records of prior engagements and must be aware of the risks of conflicts of interest. Experts must be impartial, which means that they shall at all times serve with objectivity and independence regardless of the consequences for the client. The expert should impartially assist the court with essential information within his area of expertise, and is expected to provide a complete and unbiased picture in the report relevant to the case and to the expert opinion. Finally, the expert has to cooperate with retaining counsel while remaining professional, which means not becoming an advocate for the client.
Another proposed ethic for expert witnesses is confidentiality: the expert should determine the confidentiality rules applicable to the case and the jurisdiction in which he or she is retained. Moreover, the witness should assume that all communication with the client might be subject to disclosure through testimony and discovery.
An expert witness is entitled to fair compensation for the work he has done, and may charge on whatever basis he chooses, provided it reflects the reasonable value of his work. He should remain free of any financial arrangements that might interfere with his ability to testify impartially and truthfully. He may charge a nonrefundable retainer where the engagement precludes him from accepting other clients. He should neither contract for nor accept any fee that is contingent on the outcome of the case.
An expert shall not communicate with adverse counsel except through the judicial process and formal discovery, and should not engage in private conversation with the judge. An expert may ethically accept engagements that are consistent with those of similar parties, but must disclose any interest he may have in the outcome. Experts should remain on one side even after release or discharge; whether this applies depends on several factors, such as the communication between the original client and the expert and the nature of the information the client provided.
An expert witness should be professional, meaning that he shall accept only engagements within the area of his training and competence. He should not knowingly present information that is misleading to the court. Another ethical rule is that he shall not conceal or destroy evidence or documents. The expert should try to understand the rules on admissibility of expert opinion in the jurisdiction where it will be used, and should indicate when an opinion is inconclusive because of inadequate research or data (Tindall, 2003).