Naslov
Search and seizure data in cyber space : mechanism to preserve and reproduce data in non-volatile format

Autori
Škrtić, Dražen ; Kralj, Damir ; Švegar, Mirna

Vrsta, podvrsta i kategorija rada
Sažeci sa skupova, sažetak, stručni

Izvornik
Criminalistics/criminal investigation in Europe : State of the Art and Challenges for the Future : conference proceedings / Maver, Drako - Ljubljana : Faculty of criminal justice and security, 2011, 87-89

ISBN
978-961-6821-12-4

Skup
Criminalistics/criminal investigation in Europe : State of the Art and Challenges for the Future

Mjesto i datum
Ljubljana, Slovenija, 22.09.2011. - 23.09.2011

Vrsta sudjelovanja
Predavanje

Vrsta recenzije
Međunarodna recenzija

Ključne riječi
cyberspace; cloud; remote search; search and seizure data; criminal investigation; criminalistics; forensics; investigative

Sažetak
The purpose of the article is to present the origins, developments and trends in criminal investigation science /criminalistics in order to preserve digital evidence obtained by search and seizure data in cases of the remote computer, cyberspace and cloud search. The article is based on a review and analysis of professional literature on criminal investigation, published in books and periodicals. Electronic data held on computer hard disks and other rewritable physical digital media can be considered as very volatile form of evidence. This evidence can be easily altered or destroyed if left unprotected or without proper handling. As in the case of traditional evidence, the proponent of evidence normally carries the burden of offering sufficient support to authenticate electronic evidence. Therefore, a mechanism to preserve or reproduce the data in a non-volatile format is required. Physical acquisition (disk imaging) allows an entire hard disk drive to be reproduced or analyzed without the need to access the original hard disk. This process provides safe mechanism to analyze, test and interact with data, while still providing the most accurate reproduction of the original. In this case the data copied can be said to be an exact duplication of the original, a more exact duplication than, for example, a photocopy of a page, as disk image allows you to recover deleted and ambient data. In cases where data were obtained by searching in cyberspace, e.g. remote searching and browsing in the cloud, it is necessary to ensure the authenticity of the information searched and seized. Computer forensic examiners frequently use a number of methods to ensure the validity of the data copied including creating a digital signature (called a mathematical hash) of the data as it is read from the hard disk drive or similar physical media, so that the signature can be compared to the copied data. The mathematical hashing algorithm allows the examiner to detect if data have been altered or an error has occurred during the copy process. A number of commercial forensic acquisition products even embed the mathematical hash into the electronic container that holds the forensic image. The authors give an overview of standard procedures of ensuring the authenticity of digital evidence by using a specific write-protection devices, either hardware or software that will eliminate the inadvertent or deliberate alteration of data in the case where only file or files are copied (logical acquisition), and when there does not exist a copy of the entire hard disk or similar physical media (physical acquisition). This process is essential if the original evidence needs to be interacted in some way, such as producing a forensic copy or performing a preview of the data to determine reasonable grounds to believe a thing (computer) will afford evidence in investigation. The paper is the systematic overview of history and development of procedures ensuring the authenticity of digital evidence obtained by remote searching, searching in cyberspace and cloud.

Izvorni jezik
Engleski

Znanstvena područja
Elektrotehnika, Pravo

POVEZANOST RADA