CSC 106 INTRODUCTION TO COMPUTER FORENSICS-2.docx

**CSC 106 INTRODUCTION TO COMPUTER FORENSICS**

**Introduction**

Digital forensics, the art of recovering and analysing the contents found on digital devices such as desktops, notebooks/netbooks, tablets, smartphones, etc., was little-known a few years ago. However, with the growing incidence of cybercrime and the increased adoption of digital devices, this branch of forensics has gained significant importance in the recent past, augmenting what was conventionally limited to the recovery and analysis of biological and chemical evidence during criminal investigations.

**The Need for Forensics**

The world has become a global village since the advent of the computer, digital devices and the internet. Life seems impossible without these technologies, as they are necessary at the workplace, at home, on the street, and everywhere else. Information can be stored or transferred by desktop computers, laptops, routers, printers, CD/DVD, flash drives or thumb drives. The variety and development of data storage and transfer capabilities have encouraged the development of forensic tools, techniques, procedures and investigators. In the last few years, we have witnessed an increase in crimes that involve computers. As a result, computer forensics and digital investigation have emerged as the proper channel to identify, collect, examine, analyse and report on computer crimes.

**Cybercrime**

Computer crime, or cybercrime, is any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. It can also be defined as "Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)".
Digital forensics is traditionally associated with criminal investigations and, as you would expect, most types of investigation centre on some form of computer crime. This sort of crime can take two forms: computer-based crime and computer-facilitated crime.

- **Computer-based crime**: criminal activity that is conducted purely on computers, for example cyber-bullying or spam. As well as crimes newly defined by the computing age, it also includes traditional crime conducted purely on computers (for example, child pornography).
- **Computer-facilitated crime**: crime conducted in the "real world" but facilitated by the use of computers. A classic example of this sort of crime is fraud: computers are commonly used to communicate with other fraudsters, to record/plan activities or to create fraudulent documents.

Not all digital forensics investigations focus on criminal behaviour; sometimes the techniques are used in corporate (or private) settings to recover lost information or to rebuild the activities of employees.

**Evolution of Computer Forensics**

Most experts agree that the field of computer forensics began to develop more than 40 years ago. By the 1970s, electronic crimes were increasing, especially in the financial sector. Most computers in this era were mainframes, used by trained people with specialized skills who worked in finance, engineering, and academia. White-collar fraud began when people in these industries saw a way to make money by manipulating computer data. One of the most well-known crimes of the mainframe era is the one-half cent crime. Banks commonly tracked money in accounts to the third decimal place or more. They used, and still use, the "rounding up" accounting method when paying interest. If the interest applied to an account resulted in a fraction of a cent, that fraction was used in the calculation for the next account until the total resulted in a whole cent.
It was assumed that sooner or later every customer would benefit. Some computer programmers corrupted this method by opening an account for themselves and writing programs that diverted all the fractional monies into their accounts. In small banks, this practice amounted to only a few hundred dollars a month. In large banks with many branch offices, however, the amount reached hundreds of thousands of dollars.

The history of forensic science dates back thousands of years. Fingerprinting was one of its first applications. The ancient Chinese used fingerprints to identify business documents. In 1984, the FBI Magnetic Media program, which was later renamed the Computer Analysis and Response Team (CART), was created, and it is believed to be the beginning of computer forensics. With the rise in cybercrime, the G8 nations realized the importance of computer forensics, and in 1997 declared that law enforcement personnel must be trained and equipped to address high-tech crimes. In 1998, the G8 appointed the IICE to create international principles, guidelines and procedures relating to digital evidence. In the same year, the INTERPOL Forensic Science Symposium was held. The first FBI Regional Computer Forensic Laboratory was established in 2000 in San Diego.

As computer technology continued to evolve, more computer forensics software was developed. "ILook", a cyber forensic tool maintained by the IRS Criminal Investigation Division and limited to law enforcement, can analyze and read special files that are copies of a disk. AccessData Forensic Toolkit (FTK) has become a popular commercial product that performs similar tasks in the law enforcement and civilian markets. Computers are getting more powerful day by day, so the field of computer forensics must evolve rapidly. Previously, we had many computer forensic tools that were used to apply forensic techniques to the computer.
However, we have listed a few of the best forensic tools that are promising for today's computers:

- SANS SIFT
- ProDiscover Forensic
- Volatility Framework
- The Sleuth Kit (+Autopsy)
- CAINE (Computer Aided Investigative Environment)
- Xplico
- X-Ways Forensics

**Types of digital forensics**

Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of these sub-disciplines are:

1) **Computer Forensics**: the identification, preservation, collection, analysis and reporting of evidence found on computers, laptops and storage media in support of investigations and legal proceedings.
2) **Network Forensics**: the monitoring, capture, storing and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, i.e. worm, virus or malware attacks, abnormal network traffic and security breaches.
3) **Mobile device Forensics**: the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
4) **Digital Image Forensics**: the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history.
5) **Digital Video/Audio Forensics**: the collection, analysis and evaluation of sound and video recordings. The science is the establishment of authenticity as to whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6) **Memory forensics**: the recovery of evidence from the RAM of a running computer, also called live acquisition.
7) **Cloud Forensics**: an application within digital forensics that oversees crimes committed over the cloud and investigates them.
**Computer Forensics Process**

The computer forensics work process can be divided into 5 major parts:

- **Identification**: The first process of computer forensics is to identify the scenario, or to understand the case. At this stage, the investigator has to identify the purpose of the investigation, the type of incident, the parties involved in the incident, and the resources required to fulfil the needs of the case.
- **Collection**: The collection (chain of custody) is one of the most important steps, because your entire case is based on the evidence collected from the crime scene. Collection is the data acquisition process from the relevant data sources while maintaining the integrity of the data. Timely execution of the collection process is crucial in order to maintain the confidentiality and integrity of the data. Important evidence may be lost if you do not act as required.
- **Examination**: The aim of the third process is to examine the collected data by following standard procedures, techniques, tools and methodology to extract the meaningful information related to the case.
- **Analysis**: Since all five processes are linked together, analysis is the procedure for analyzing the data acquired after the examination process. At this stage, the investigator searches for possible evidence against the suspect, if any, using tools and techniques to analyze the data. The techniques and tools should be legally justifiable, because that helps you to create and present your report in front of the court.
- **Reporting**: This is the final, but the most important, step. At this step, an investigator needs to document the process used to collect, examine and analyze the data. The investigation report also contains documentation of how the tools and procedures were selected. The objective of this step is to report and present the findings, justified by the evidence.
Every step mentioned above can be further divided into many parts, and every part has its own standard operating procedures; we look into them in detail in the coming chapters.

**Computer Forensics Team**

Here are the key people that a computer investigation firm should have:

**Investigators:** This is a group of people (the number depends on the size of the firm) who handle and solve the case. It is their job to use the forensic tools and techniques in order to find the evidence against the suspect. They may call the law enforcement agencies, if required. Investigators are supposed to act immediately after the occurrence of an event that is suspected of being criminal activity.

**Photographer:** Recording the crime scene is as important as investigating it. The photographer's job is to take photographs of the crime scene (IT devices and other equipment).

**Incident Handlers (first responder):** Every organization, regardless of type, should have incident handlers in its IT department. The responsibility of these people is to monitor and act if any computer security incident happens, such as a breach of network policy, code injection, server hijacking, a RAT or any other malicious code installation. They generally use a variety of computer forensics tools to accomplish their job.

**IT Engineers & technicians (other support staff):** This is the group of people who run the daily operations of the firm. They are the IT engineers and technicians who maintain the forensics lab. This team should consist of a network administrator, IT support, IT security engineers and desktop support. The key role of this team is to ensure smooth organizational functioning, monitoring, troubleshooting, data recovery and maintenance of the required backups.

**Attorney:** Since computer forensics deals directly with investigation and with submitting the case to the court, an attorney should be a part of this team.
**Rules of Computer Forensics**

There are certain rules and boundaries that should be kept in mind while conducting an investigation.

1. **Minimize or eliminate the chances of examining the original evidence:** Make an accurate and exact copy of the collected information to minimize the need to examine the original. This is the first and most important rule to consider before doing any investigation: create duplicates and investigate the duplicates. You should make an exact copy in order to maintain the integrity of the data.
2. **Don't proceed if it is beyond your knowledge:** If you hit a roadblock while investigating, stop at that moment and do not proceed if it is beyond your knowledge and skills; consult or ask an experienced person to guide you in that particular matter. This is to secure the data, which might otherwise be damaged, and that is unbearable. Do not take this situation as a challenge; go and get additional training, because we are in the learning process and we love to learn.
3. **Follow the rules of evidence:** You might be worried because we have not discussed any rule of evidence yet, but the next topic will be about evidence. The rules of evidence must be followed during the investigation process to make sure that the evidence will be accepted in court.
4. **Create documentation:** Document the behaviour if any changes occur in the evidence. An investigator should document the reason, result and nature of any change that occurred to the evidence. For example, restarting a machine may change its temporary files; note it down.
5. **Get written permission and follow the local security policy:** Before starting an investigation process, you should make sure to have written permission with instructions on the scope of your investigation.
It is very important because during the investigation you need to get access to, or make copies of, sensitive data; if you do not have the written permission with you, then you may find yourself in trouble for breaching the IT security policy.

6. **Be ready to testify:** Since you are collecting the evidence, you should make yourself ready to testify about it in court; otherwise, the collected evidence may become inadmissible.
7. **Your actions should be repeatable:** Do not work by trial and error, else no one is going to believe you and your investigation. Make sure to document every step taken. You should be confident enough to perform the same action again to prove the authenticity of the evidence.
8. **Work fast to reduce data loss:** Work fast to eliminate the chances of data loss; volatile data may be lost if not collected in time. While automation can be introduced to speed up the process, do not create a rush situation. Increase the human workforce where needed. Always start collecting data from volatile evidence.
9. **Don't shut down before collecting evidence:** This is a rule of thumb, since the collection of data or evidence is itself important for an investigation. You should make sure not to shut down the system before you collect all the evidence. If the system is shut down, then you will lose the volatile data. Shutdown and rebooting should be avoided at all costs.
10. **Don't run any program on the affected system:** Collect all the evidence, copy it, create many duplicates and work on them. Do not run any program; otherwise you may trigger something that you don't want to trigger. Think of a Trojan horse.

**3 A's of Computer Forensics**

The 3 A's of computer forensics are applicable to Windows and other operating systems as well.

1. Acquire the evidence without altering or damaging the original.
2. Authenticate that the recovered evidence is the same as the original seized data.
3. Analyze the data without any alterations.

**Evidence**

Evidence is the key to proving the case in court. From a legal point of view, evidence can be divided into many types, and each type has its own characteristics. Keeping these characteristics in mind during evidence collection helps an investigator make the case stronger. Admissibility is the most important characteristic of any evidence; it is generally the first rule for all evidence.

**Types of Evidence**

1. Real / tangible evidence: As the name suggests, real evidence consists of tangible/physical material, e.g. a hard drive, flash drive, etc. Apart from material objects, a human can also be treated as real evidence, e.g. an eye witness.
2. Original evidence: Evidence of a statement made by a person other than the testifying witness, which is offered to prove that the statement was actually made rather than to prove its truth. This is generally an out-of-court statement.
3. Hearsay evidence: Also referred to as an "out of court statement"; a statement made outside court that is presented in court to prove the truth of the matter declared.
4. Testimony: When a witness takes an oath in court and gives his/her statement in front of the court.

Evidence should be admissible, accurate and authentic; otherwise, it can be challenged while presenting the case in court.

**Digital Evidence**

Digital devices are not limited to computers, mobile phones and the internet only; every electronic device with processing and storage capability can be used in crime. For example, an mp3 player can be used to transfer an encoded message, and electronic appliances might be used as storage for illegal documents. The duty of the investigator or first responder is to identify and seize the digital device for further investigation. Digital information is expressed or represented by binary units, 1's (ones) and 0's (zeros). Digital information is stored in electronic devices by sending instructions via software, a program or code.
In the same way, this information can be retrieved from the electronic device by using a program; this is where computer forensics software comes in.

**Characteristics of Digital Evidence:**

- Timing is one of the important characteristics of digital evidence; the first responder has to respond immediately, otherwise the data may be lost. For example, devices running on batteries may shut down, and the current network connection may be lost.
- Just like fingerprints or any other biometric evidence, digital evidence is also hidden or latent, which requires a process to unearth.
- Digital evidence might be destroyed or damaged. Quick response and chain of custody are the key in computer forensics; you need to act according to the situation, otherwise the important data might be damaged (intentionally or unintentionally).

**Rules of Evidence**

There are five rules of evidence:

1. **Admissible**: The first and most important rule is that your evidence should be usable in court as evidence.
2. **Authentic**: Evidence should be authentic, and it should be related and relevant to the case; you need to prove in front of the court that the collected evidence is authentic. Failure to do so means the failure of the investigation.
3. **Complete or Whole**: The court will not accept half the evidence; you should be unbiased during your investigation, and your evidence should not show only one perspective of the incident. As Matthew says, "it is vital to collect evidence that eliminates alternative suspects. For instance, if you can show the attacker was logged in at the time of the incident, you also need to show who else was logged in and demonstrate why you think they didn't do it. This is called Exculpatory Evidence and is an important part of proving a case."
4. **Reliable**: Reliability of the evidence is important, but the process is also important, and it should not create any doubt about the evidence.
5. **Believable or Acceptable**: The evidence presented in court should be in layman's language, clear and easy to understand. You should present a well-crafted version of the document with references to the technical document.

**Chain of Custody**

This particular term is not only related to computer forensics; any case, or indeed any investigation, has this important aspect. "**Chain of Custody**" is the process to acquire, secure, move and store the evidence until the time it is presented in court. While seizing the electronic device, you should tag it with the date/time of acquisition, the case number and the evidence numbers. This information is crucial while creating a case in court. The evidence custodian is responsible for collecting, transferring and storing the evidence in the forensics lab. Anyone doing this job should understand its importance and should not waste valuable time. The chain (a strong metal link used to connect things) of custody, as the name says, "shows how the evidence is acquired, managed, transferred or transported during the investigation process, who is involved in the process, what their responsibilities are, for how much time they store the evidence and how they transfer it to someone else." This important process tells the story of the evidence; if it is not carefully done, then the opposing attorney can challenge and even have the presented evidence dismissed. In order to justify the chain of custody, you need to provide evidence: you must show that you maintained and documented the chain of custody during the investigation process and that neither you nor anyone else has damaged or altered the evidence, whether intentionally or unintentionally.
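The "Authenticate" step of the 3 A's and the chain-of-custody record described above, as an added example that is not part of the course notes: a small Python chain-of-custody log that hashes the evidence at seizure, re-hashes every copy at each hand-over, and checks the chain for hash mismatches, custody gaps and out-of-order timestamps. The case number, names and evidence bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Transfer:
    """One row of the 'Item # / Date/Time / Released by / Received by' table."""
    item_no: str
    when: datetime
    released_by: str
    received_by: str
    sha256: str          # hash of the copy as it was handed over
    remarks: str = ""


@dataclass
class CustodyRecord:
    """Header of the chain-of-custody form plus the transfer rows for one item."""
    case_number: str
    case_officer: str
    officer_id: str
    seized_at: datetime
    seizure_location: str
    item_no: str
    description: str
    original_sha256: str
    transfers: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(case_number, case_officer, officer_id, seized_at, location,
            item_no, description, original: bytes) -> CustodyRecord:
    """Acquire: record the hash of the original at seizure time. Every later
    copy is authenticated against this value (the 'A' for Authenticate)."""
    return CustodyRecord(case_number, case_officer, officer_id, seized_at,
                         location, item_no, description, sha256_hex(original))


def hand_over(rec: CustodyRecord, copy: bytes, when: datetime,
              released_by: str, received_by: str, remarks: str = "") -> bool:
    """Log a transfer and re-hash the copy being handed over.
    Returns True when the copy still matches the original."""
    digest = sha256_hex(copy)
    rec.transfers.append(Transfer(rec.item_no, when, released_by,
                                  received_by, digest, remarks))
    return digest == rec.original_sha256


def verify_chain(rec: CustodyRecord) -> list:
    """Return the problems an opposing attorney could raise: a hash that no
    longer matches, a gap in custody (the receiver of one transfer is not the
    releaser of the next), or timestamps that run backwards."""
    problems = []
    holder = rec.case_officer        # custody starts with the seizing officer
    last_time = rec.seized_at
    for i, t in enumerate(rec.transfers, start=1):
        if t.released_by != holder:
            problems.append(f"transfer {i}: released by {t.released_by!r} "
                            f"but custody was held by {holder!r}")
        if t.when < last_time:
            problems.append(f"transfer {i}: timestamp earlier than previous entry")
        if t.sha256 != rec.original_sha256:
            problems.append(f"transfer {i}: hash mismatch, copy altered")
        holder, last_time = t.received_by, t.when
    return problems


def demo() -> tuple:
    """Constructed scenario: a clean chain, then a transfer of an altered copy."""
    original = b"constructed sample evidence image bytes"
    rec = acquire("CASE-0001", "Officer A", "ID-17",
                  datetime(2024, 3, 1, 9, 0), "Server room 2",
                  "ITEM-1", "Laptop HDD, 500 GB, vendor X, working", original)
    hand_over(rec, original, datetime(2024, 3, 1, 11, 0),
              "Officer A", "Custodian B", "sealed in evidence bag")
    clean = hand_over(rec, original, datetime(2024, 3, 2, 8, 30),
                      "Custodian B", "Examiner C")
    problems_before = verify_chain(rec)
    # a copy with one word changed fails authentication at the next hand-over
    altered = original.replace(b"sample", b"SAMPLE")
    tampered = hand_over(rec, altered, datetime(2024, 3, 3, 8, 0),
                         "Examiner C", "Custodian B")
    return clean, tampered, problems_before, verify_chain(rec)


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```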
"Chain of custody form" is the tool used to keep record of every important aspect, here is the sample chain-of-custody form: Chain of Custody Form Case number: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Case officer Name: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Officer ID \#: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Date/time of seized: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Location of seizure: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ ----------------- -------------- -------------------------------------------------------------- **Item number** **Quantity** **Description (model number,vendor name,current condition)** ----------------- -------------- -------------------------------------------------------------- ------------- --------------- ----------------- ----------------- ------------------------ **Item \#** **Date/Time** **Released by** **Received By** **Comments & remarks** ------------- --------------- ----------------- ----------------- ------------------------ As you can see the aforementioned chain-of-custody form, this is the evidence that says about the parties who involved in maintaining the evidence. Court may call anyone to testify the process of how he/she delivered the evidence to the other party and how he/she stored the evidence in the lab. As discussed in the previously that Authentication is the foremost rule of the evidence, you need to prove that the evidence is authentic and chain of custody plays a tremendous role along the way of authentication. It\'s not enough in order to just testify following the fact by what was compiled. Having a documented process in place that can track compiled information as well as ensure it is preserved but not manipulated with is also required. **Sources of Evidence** Since evidence could be anything and could be everywhere. 
In one case you need to get evidence from an mp3 player, and in another case evidence has to be retrieved from an iPhone. The sources are not limited, and they depend on the nature of the case you are working on. Highly technical skills and expertise are required to examine and acquire the evidence from these sources. This is why this mini course has been designed. We look into the structure of many hardware devices as well as the file formats of many operating systems. Apart from real (tangible) evidence, sometimes you need to investigate human testimony, so social engineering, or the human skill set, is also required to interview people and get valuable information. While investigating or acquiring evidence, you need to maintain the integrity and confidentiality of the data. This is very important, as you might otherwise damage or ruin the evidence, which you must not do. As a rule, an investigator looks for evidence in every electronic device directly or indirectly related to the crime scene. These are a few sources from which evidence might be collected:

1. Hard drive
2. Firewall logs
3. System logs
4. Social networking websites
5. Websites that were visited
6. Email
7. GPS devices
8. Security cameras
9. Networking equipment
10. PDA (personal digital assistant)
11. Chat room or chat server

**Gathering Digital Evidence -- The Procedure**

The process to gather digital evidence is simple, and it should be followed to avoid any damage. There are four steps in evidence gathering:

![](media/image2.png)

**Identification**

There is a difference between data, information and evidence; you should have a clear idea of this and be able to distinguish between data and evidence. You need to extract evidence from the data, so identify the possible sources from which you can extract the evidence.

**Collection & Preservation**

Once identified, collect it. Make sure to preserve the evidence as close to its original state as possible. Document any change, if made.
**Analysis**

Assign qualified people to analyze the collected evidence to find the cause-and-effect relationship.

**Verification & Presentation**

Verify the steps taken and the tools that were used. Presentation is vital: craft the document to be presented in front of non-technical personnel and link every step to the technical document for reference. The presentation is very important for sharing your work; otherwise it has no value.

**VOLATILE EVIDENCE**

There are generally two sets of data:

- Persistent
- Volatile

**Persistent data:** Persistent data is stored in non-volatile storage devices, for example a hard drive, USB, CD/DVD and other external storage devices. This type of data is usually not lost after rebooting or shutting down the machine. At the start of the investigation process, you need to differentiate between persistent and volatile data. You should make it a policy to get the volatile data first; otherwise, it may be lost. Persistent data is usually collected in the forensics lab.

**Volatile data:** Volatile data is stored in the system memory. This data will be lost if the system is rebooted or shut down. "Collecting Electronic Evidence after a System Compromise" has created a list of evidence sources ordered by relative volatility. An example order of volatility would be:

1. Registers and cache
2. Routing tables
3. ARP cache
4. Process table
5. Kernel statistics and modules
6. Main memory
7. Temporary file systems
8. Secondary memory
9. Router configuration
10. Network topology

**Computer Forensics - Systematic Approach**

An investigator should have a standard guideline and steps to use during the investigation, which we call a systematic approach. Every step is based on specific reasons, and they are linked together. Systematic approaches may differ, depending on local laws and your own organization's policy.

1. **Initial assessment of the case:** Before starting the actual investigation, you should look at the broader perspective of the case and the possible outcomes.
Keep in mind that you have to be suspicious of everyone and everything. Do not try to imagine the result at first, because if you do so then you unintentionally work in that particular direction. Communicate with the relevant people about the incident; try to gather as much information as you can.

2. **Create a design to approach the case:** You should have everything, every possible step, in your mind, and you should write it down. Create the process to handle this particular case. How are you going to approach the authorities, the victim and the suspect? How are you going to seize the machines? What legal documents might you need to do this, and how are you going to get them?
3. **Required resources:** What resources might this case require? Human resources, technical resources, and the software that is required. Do you have the necessary software, or do you need to get it? If you need assistance from any other company or team, this also comes under the required resources; create the list and get them in the first place.
4. **Identify the risks:** A risk assessment should be done to evaluate the possible risks that are involved in the particular case. Based on experience, your organization should have a list of possible problems that occur during an investigation; you can also judge the risk based on your own experience. After identification, take the necessary steps to minimize or mitigate the risks.
5. **Analyze the data:** This is the time to collect/gather evidence from the captured devices; use the software and processes that you defined earlier to extract the information.
6. **Investigation:** All right, you have collected the data. Now investigate the extracted evidence and point out the culprit.
7. **Complete report:** Creating a report is very important; write a complete report that mentions the steps taken, the tools/processes and the outcomes.
8. **Critique the case:** Self-evaluation is the key, since you need to forward your report to the court.
After completing the report, you should thoroughly review the entire case. Find your weaknesses and improve on them for future cases.

**DIGITAL ETHICS**

Digital ethics is the area of ethics that deals with the collection of laws and moral principles that regulate how people interact with one another inside businesses, as well as more widely in markets and society, when computer technology is used as a medium. The goal of this digital ethics code is to outline the standards of behaviour that charities should adhere to when engaging in digital activities, including expanding their reach through social media and using donor information to guide fundraising efforts.

**How does it work?**

Ethics plays a crucial role in digital forensics, as it involves the analysis of sensitive information. Failure to act ethically in digital forensics investigations can compromise the evidence extracted. It is your duty to carry out a thorough investigation, to tell the truth, and to maintain objectivity. Your baseline behaviour is determined by your personal and professional principles. Digital forensics professionals have to follow a particular set of codes of ethics to successfully execute investigations. This entails upholding discretion, preventing conflicts of interest, and making sure that their conduct adheres to moral and legal standards. Digital forensics analysts must remain neutral and objective throughout the course of the investigation. Any prejudice or bias affecting their examination and interpretation of the evidence must be avoided. In some circumstances, getting permission to gather and examine digital evidence may be necessary. This is especially true when it comes to communications or personal gadgets, where people have a reasonable expectation of privacy. Digital forensic investigators must abide by all applicable laws and rules, including those governing intellectual property, data privacy, and data protection.
Digital forensic investigators should continue their education and training to stay current with the newest methods and tools available.

**Legal Process:**

The legal process depends on your local laws and rules. Nonetheless, we can describe a standard process, because every case should have the following stages:

- Complaint
- Investigation
- Prosecution

The steps mentioned are actually the stages of a case. In the first stage a complaint is received; the investigator then investigates the complaint and, with the help of the prosecutor, collects, analyzes and reports in order to build a case. You can't start a criminal investigation by yourself. A criminal investigation requires evidence of an illegal act; if evidence is not found, then the criminal investigation cannot be started. Someone should inform the police about the crime that has been committed, and based on the received complaint the further investigation is started. At the very first step, the police investigate the crime. They report the type of case to top management, and then a specialist is assigned to look after the case. Not every police officer is a computer expert; sometimes they only know the basics about digital devices, and during the seizure process they might damage critical evidence. To avoid any mishaps, the team members involved have their various responsibilities:

1. The police officer is responsible for acquiring and seizing the digital evidence at the crime scene.
2. Managing high-tech investigations, teaching investigators what to ask for, and understanding computer terminology and what can and can't be retrieved from digital evidence: the assigned detectives usually handle this.
3. Specialist training in retrieving digital evidence is normally conducted by a data recovery or computer forensics expert, network forensics expert, or Internet fraud investigator. This person might also be qualified to manage a case, depending on his or her background.
You, as an investigator should have knowledge and expertise of computer forensics, and how to handle cyber-crime cases. You have to judge the level of expertise of the other team members and assign their roles, responsibilities and the expected performance. Follow the systematic approach, look for the evidence and then create a strong case supported by the evidences. Your job as a computer investigator is to investigate the digital devices, extract the evidence and create the report. From this point onward, the job of a prosecutor is started. As an investigator, you need to submit the final report with the evidences to the government attorney, the level of authority depends on the nature of the case, and your local laws. **Legal Issues in Digital Forensics Investigation** To ensure that the data gathered is acceptable in court and does not break any laws, the digital forensics process must follow legal requirements. Here are a few legal concerns for digital forensics. - Before executing a search or seizure, digital forensic investigators are required to follow legal procedures, get a warrant, or have other solid grounds. - The chain of custody records how the evidence was obtained and transported before being presented in court. To maintain the chain of custody and guarantee the integrity and admissibility of the evidence, digital forensic investigators must adhere to tight rules. - The legal requirements for admission of digital evidence must be met, including relevance, authenticity, and dependability. To make sure that the data gathered complies with legal standards, digital forensic investigators must adhere to established norms and processes. - Data privacy and protection laws that are applicable must be complied with by digital forensic investigators. 
Investigators are required to maintain the confidentiality of personal data and make sure they do not access or divulge any information that is not necessary Data privacy and protection laws that are applicable must be complied with by digital forensic investigators. Investigators are required to maintain the confidentiality of personal data and make sure they do not access or divulge any information that is not necessary - Data privacy and protection laws that are applicable must be complied with by digital forensic investigators. Investigators are required to maintain the confidentiality of personal data and make sure they do not access or divulge any information that is not necessary they collect. - Analyzing intellectual property such as trade secrets, copyrighted content, and other items may be part of digital forensic investigations. To avoid violating any copyright or other intellectual property rights, investigators must adhere to all applicable intellectual property laws. - Legal consideration must be followed throughout digital forensics investigations to guarantee that the evidence gathered is valid for use in court and does not break any rules. Legal problems such as search and seizure, a chain of custody, admissibility of evidence, data privacy and protection, jurisdiction, and intellectual property must be understood by digital forensic investigators. **Nigerian Laws related to Computer Forensics** Nigerian laws related to computer forensics are primarily covered under the Cybercrimes (Prohibition, Prevention, etc.) Act of 2015, along with amendments and related regulations. Here are the key aspects: 1\. Cybercrimes (Prohibition, Prevention, etc.) Act of 2015: - Section 84 of the Evidence Act: This section is crucial for computer forensics as it governs the admissibility of electronic evidence. For electronic evidence to be admissible in court, it must be relevant and its accuracy must be verifiable. 
The conditions include that the data was produced during a period when the computer was used regularly, and the computer was operating properly during that period. - Data Retention: The Act mandates that financial institutions and service providers retain traffic data and subscriber information, which is critical for forensic investigations. They are also required to authenticate customers' identities using the National Identification Number before issuing electronic devices like ATM cards. - Reporting Requirements: Incidents such as cyberattacks must be reported to the National Computer Emergency Response Team (CERT) within 72 hours, which is important for timely forensic analysis. 2\. Nigeria Data Protection Regulation (NDPR): - Enacted in 2019 and subsequently updated, the NDPR imposes obligations on data controllers to ensure the confidentiality, integrity, and availability of personal data. This regulation supports forensic activities by ensuring that data is properly managed and protected. 3\. Evidence Act of 2011: - Section 84: This section specifies the conditions under which electronic records are admissible as evidence. It is essential for computer forensics as it provides the legal framework for the use of digital evidence in court. 4\. Advance Fee Fraud and Other Related Offences Act of 2006: - While primarily aimed at curbing fraudulent activities, this Act also supports computer forensic investigations by providing legal grounds for tracking and prosecuting cyber fraud. 5\. Telecommunications Regulations: - The Nigerian Communications Act of 2003 and the Wireless Telegraphy Act provide the framework for telecommunications and ensure that data transmission and communication channels are monitored and regulated. These laws facilitate forensic investigations by regulating the communication infrastructure
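The chain-of-custody point in the legal issues list above, and the Section 84 requirement that the accuracy of electronic evidence be verifiable, are backed in practice by hashing the acquired evidence at seizure and keeping a tamper-evident custody record. The following Python is an added example written for these notes, not part of the course material or of any Nigerian statute: the case and evidence identifiers and the "evidence image" bytes are constructed, and the hash-linked log design is one common way to do this, not a form prescribed by law.

```python
"""Chain-of-custody log with evidence-hash verification (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "evidence image": stands in for the bytes of an acquired
# disk or phone image. Not a real acquisition.
SAMPLE_EVIDENCE = b"constructed sample evidence image bytes, not a real acquisition\n" * 64


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes as a hex string (the acquisition hash)."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so every machine computes
    # the same hash for the same record.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    """Append-only custody record in which each entry is linked to the previous one.

    Every entry records who handled the evidence, what they did, when, and the
    evidence hash at that moment. Each entry also carries the hash of the
    previous entry, so editing or removing an earlier record breaks the chain.
    """

    def __init__(self, case_id: str, evidence_id: str):
        self.case_id = case_id          # constructed identifier
        self.evidence_id = evidence_id  # constructed identifier
        self.entries = []

    def record(self, custodian: str, action: str, evidence: bytes, when=None) -> dict:
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "timestamp": when.isoformat(),
            "custodian": custodian,
            "action": action,
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> list:
        """Return the problems found; an empty list means log and evidence check out."""
        problems = []
        prev = "0" * 64
        baseline = self.entries[0]["evidence_sha256"] if self.entries else None
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            computed = sha256_hex(_canonical(body))
            if computed != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: record altered")
            # Compare against the recomputed hash, not the stored one, so an
            # edited earlier record is caught even if its stored hash was left alone.
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {e['seq']}: link to previous entry broken")
            if e["evidence_sha256"] != baseline:
                problems.append(f"entry {e['seq']}: evidence hash differs from acquisition hash")
            prev = computed
        if baseline is not None and sha256_hex(evidence) != baseline:
            problems.append("current evidence bytes do not match acquisition hash")
        return problems


def demo() -> tuple:
    """Build a two-step custody log, then show that evidence and log tampering are detected."""
    log = CustodyLog("CASE-0001", "HDD-01")  # constructed identifiers
    log.record("Officer A", "seized at scene", SAMPLE_EVIDENCE)
    log.record("Analyst B", "received in lab", SAMPLE_EVIDENCE)
    clean = log.verify(SAMPLE_EVIDENCE)                 # expected: []
    tampered = log.verify(SAMPLE_EVIDENCE + b"x")       # evidence bytes changed
    log.entries[0]["custodian"] = "Someone else"        # simulate editing the log
    altered = log.verify(SAMPLE_EVIDENCE)
    return clean, tampered, altered


if __name__ == "__main__":
    for label, result in zip(("clean", "evidence changed", "log edited"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The acquisition hash taken at seizure is what later custodians and the court compare against; the hash link between entries is what makes the record itself tamper-evident, which is the property the chain-of-custody requirement is really asking for.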