Computer forensics is the application of computer analysis techniques to determine the legal evidence in a case. Evidence arises in cases of various kinds, such as computer fraud, data theft, hacking, child pornography, ownership disputes, etc.
Examples of the different kinds of evidence and special content data that investigators may need to collect during a computer crime case are listed below:
1. Email evidence - Such as a threatening message sent to a user's mailbox; once the user clicks it, the hacker's program starts running on that computer, and data is sent from the user's local computer to another server as soon as it first connects.
2. Firewall evidence - Any attack that you did not block even after the firewall warned about it. You must heed the warning so that you can protect your system. Firewalls run on secured networks, which lets them operate under secure conditions.
3. In-person evidence - Such as threats made by one person against another person's personal assets or business functions.
4. Chat evidence - Nowadays many URL links are sent in chat windows, and if you access them they can harm your system; the harm may vary from software to hardware. It may also lock your system and start sending the personal data on your computer to unsecured networks.
The importance of the chain of custody in computer crime cases is that it prevents loss of evidence by following a defined set of rules. Chain of custody is a legal term describing the provable record, from everyone who has handled the evidence, that the evidence as it exists now is no different from what was found at the crime scene. The chain of custody resembles the crime-scene investigations shown in TV programs: the investigator entering a crime scene does not touch anything without wearing gloves. In the case of computer evidence, things get somewhat more complicated. The investigator needs to secure both the data on the system and the physical hardware. In a TV crime, blood is the crucial evidence in the case, whereas in computer forensics hidden data is the key source of evidence. The investigator must handle that hidden data very carefully when seizing a system or drive from a crime scene. Here the hacking of a server is used as the example for evidence.
There are various things that need to be done in order to preserve the chain of custody of evidence:
- The hard drive must be sealed or wrapped when it is no longer needed. The seal should be signed at the time of sealing, so that it can be shown that the drive has not been opened since.
- The drive should be put into a safe that does not permit unauthorized access.
- Whenever the drive is used, relocated or reassigned, the person using it should make an entry in the log form with the proper date.
Throughout the whole chain-of-custody process, a witness should be present whenever the evidence is handled. Likewise, if anyone moves the hard drive or hands it to someone else, witnesses should be present; in that case, record the witnesses and the other details in the chain-of-custody log with the proper date. When a hard drive is seized, it should be tagged with an evidence label consisting of the date, the time, the name of the person who seized it, the case number, where the item was found, and any other details required by the rules of the investigation team. After the evidence has been tagged, it should be bagged and handed to an evidence custodian.
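The rules above can be enforced mechanically. The following added example (not from the original page) keeps a chain-of-custody log for one seized item: the evidence tag carries the case number, seizer, location and time, every handover needs a handler and a witness, and a SHA-256 fingerprint of the item is recorded at each step so that any later change is detectable. The case number, names and the drive-image bytes are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence contents; recomputed at every handover."""
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Chain-of-custody record for one seized item (e.g. a drive image)."""

    def __init__(self, case_number, item_id, seized_by, found_at, contents, witness):
        # Evidence tag: what the text says must be written on the bag.
        self.tag = {
            "case_number": case_number, "item_id": item_id,
            "seized_by": seized_by, "found_at": found_at,
            "seized_utc": datetime.now(timezone.utc).isoformat(),
        }
        self.seizure_hash = sha256_hex(contents)   # state at the scene
        self.entries = []
        self.record("seized and sealed", seized_by, witness, contents)

    def record(self, action, handler, witness, contents):
        """Every use, relocation or handover gets a dated, witnessed entry."""
        if not witness:
            raise ValueError("a witness is required for every custody entry")
        self.entries.append({
            "when_utc": datetime.now(timezone.utc).isoformat(),
            "action": action, "handler": handler, "witness": witness,
            "sha256": sha256_hex(contents),
        })

    def verify(self, contents) -> bool:
        """True only if the item still matches what was sealed at the scene
        and no intermediate entry ever saw a different fingerprint."""
        return sha256_hex(contents) == self.seizure_hash and all(
            e["sha256"] == self.seizure_hash for e in self.entries)

# Constructed sample: a tiny stand-in for a seized drive image.
IMAGE = b"constructed drive image bytes\x00\x01\x02"

def demo():
    log = CustodyLog("CASE-0001", "HDD-01", "A. Investigator",
                     "server room rack 3", IMAGE, witness="B. Witness")
    log.record("moved to evidence safe", "A. Investigator", "C. Custodian", IMAGE)
    log.record("imaged for analysis", "D. Analyst", "C. Custodian", IMAGE)
    intact = log.verify(IMAGE)                 # unchanged since seizure -> True
    tampered = log.verify(IMAGE + b"altered")  # modified copy -> False
    return intact, tampered, len(log.entries)
```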