Collecting Evidence As Digital Forensic Manager At Trito

Collecting Evidence as The Digital Forensic Manager At Triton Corporati

Collecting Evidence As the Digital Forensic Manager at Triton Corporation, you receive a request from the Internal Affairs Director that an employee was found to be looking at inappropriate images of children engaged in sex acts. The images were supposed to be on a 10 gigabyte USB drive that was confiscated by the IA Director. The Director advises that the USB drive is the property of the Triton Corporation and that the employee signed a waiver of rights allowing the USB drive to be examined. Compose a 2-3 page paper outlining the steps you’ll take to obtain the USB drive from the IA Director, and explain the options you have for making a forensic copy of the USB drive accurately, including your software and media choices. Please compose paper in APA style format and include 2-3 cited sources of information.

Paper For Above instruction

In the field of digital forensics, acquiring evidence in a forensically sound manner is fundamental to ensuring the integrity and admissibility of digital evidence. When tasked with obtaining and copying a USB drive suspected of containing inappropriate content, such as illegal images involving minors, a systematic and legally defensible process must be followed. This paper outlines the procedural steps for acquiring the USB drive from the Internal Affairs (IA) Director and explores options for creating an exact forensic copy, including software tools and media choices, in accordance with best practices and legal standards.

The initial step involves establishing proper chain of custody. As the Digital Forensic Manager, I would contact the IA Director to formally request physical possession of the USB drive. This involves documenting the date, time, and context of the request, and signing any necessary transfer of custody forms (Casey, 2012). It is essential to ensure that the drive is labeled correctly with unique identifiers such as serial number, make, and model, and that the transfer is witnessed and documented in detail. These procedures help maintain the evidence’s integrity by providing an unbroken chain of custody, which is crucial for the evidence’s admissibility in court.

Once in possession of the USB drive, the next step involves preparing a secure environment for acquiring a forensic image. The workstation used must be isolated from networks to prevent contamination or remote wiping, and write-blockers should be employed to prevent modifications to the original drive (Rogers & Bartlett, 2014). Hardware write-blockers are preferred because they physically prevent any write commands from reaching the device, ensuring that the original evidence remains unaltered during acquisition. The forensic workstation should be equipped with validated software tools designed for forensic imaging, such as FTK Imager, EnCase, or dd (Hargreaves, 2015).

For creating a forensic copy of the USB drive, the primary objective is to generate an exact sector-by-sector duplicate, also known as a bit-stream image. This involves using write-blocker hardware and forensic software to clone the drive onto a secure storage medium, preferably a write-protected external drive or a secure network location designated for forensic images. Software like FTK Imager and dd are reputable options that can produce verified images with hash values computed simultaneously. Hash algorithms such as MD5 and SHA-256 should be used to generate unique digital signatures before and after imaging, allowing for file integrity verification (Carrier, 2013).

When selecting the media for the forensic copy, high-quality external hard drives or SSDs with sufficient capacity and write-protection capabilities are recommended. Use of verified, non-volatile storage ensures that the forensic image remains unaltered. It is also best practice to create multiple copies: one for analysis and another for safekeeping, to prevent data loss or contamination during examination (Casey, 2012).

In summary, acquiring digital evidence like a USB drive involves careful planning, adherence to legal and procedural standards, and use of validated forensic tools and hardware. Employing write-blockers and cryptographic hashing ensures the integrity of the evidence. Additionally, using reliable storage media guarantees the preservation of the forensic copy, facilitating a thorough investigation while maintaining the chain of custody required for legal proceedings.

Adhering to these best practices not only secures the evidence but also upholds the integrity of the forensic process. Proper documentation and verification reinforce the admissibility of digital evidence in court, helping to ensure just outcomes in cases involving illegal or inappropriate materials (Rogers & Bartlett, 2014).

References

- Carrier, B. (2013). File system forensic analysis. Addison-Wesley.

- Casey, E. (2012). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic Press.

- Hargreaves, S. (2015). Computer forensic collection and analysis. Routledge.

- Rogers, M. K., & Bartlett, J. (2014). Computer forensics: Principles and practices. CRC Press.