Why is having the technical knowledge and the legal knowledge so important in the computer forensics field?
Forensics refers to the study of scientific tests and techniques, which are used in the investigation of crimes. It is the application of scientific knowledge to decipher legal problems. Computer forensics is therefore the application of analysis and investigation techniques to computer data in order to acquire evidence that is suitable for presentation in a court of law. It is often referred to as cyber forensics or electronic evidence retrieval (EEC), where investigations are done using various techniques and forensic applications to examine different components of a computer. Evidence, if any, found on the digital copy is documented and verified with the original, and thereafter prepared for legal proceedings, which involve depositions, discovery or actual litigation (Farmer et al., 2005).
Modern times have seen a tremendous rise in the use of computers, more so the internet. The internet has succeeded in making the world a global village where people from different countries share one platform for various purposes, whether social or official, as in the case of business transactions. However, the lack of proper systems to monitor the use of the internet has led to misappropriation of what was initially a good invention. Cyber or computer crime has been on the increase for several years, with a variety of crimes being witnessed across the internet. It is interesting to note that these crimes are not concentrated in specific areas but instead extend across regions because of the wide network made available through the internet. These crimes are very difficult to prosecute because of a lack of evidence that can prove the liability of a criminal. This is what computer forensics aspires to achieve, by treading a path less taken. Its inception has helped to bring to book numerous criminals who would otherwise be on the loose, still engaging in unlawful activities.
The above background information helps shed some light on the importance of computer forensics. With it comes the legal and technical expertise that makes it a necessary profession. Because of the importance of computer forensics in the legal arena, the subject has risen to become an area of scientific expertise and has been accorded coursework and certification in various educational institutions. This field of study is important for many reasons, including its application in solving crimes involving computer systems. Evidence from computers is used to solve cases such as fraud, homicides, harassment, and theft of trade secrets, among other complicated cases like child pornography. In these situations, data or evidence is retrieved from the suspect’s computer. A notable feature is that these crimes are not only prevalent in homes but also in the corporate world, where there can be theft of important data whose disappearance leads to heavy losses. The rising trend of computer forensics is attributed to the present age, where there is heavy dependence on the internet and other computer advancements. It has become increasingly easy to commit crimes using computers because they are used by many people and few expect to be caught. Therefore, computer forensics has become necessary in these modern times as a preventive or corrective measure against computer crime.
With the above in mind, it is obvious that a lot of technical and legal knowledge has to be input into the investigations to ensure satisfactory results are attained. Technical expertise is of particular importance as it forms the basis for the entire process of gathering evidence. This means that without such knowledge then evidence retrieval will not be possible. Specially trained persons are the ones that handle the computer during these exercises. Anyone can find a missing file in a computer but not everyone can trace a file that someone else does not want to be found. Such files are usually hidden from other users and only those who are specifically trained for the job can trace them. In this case, the work is left to computer forensics experts. Furthermore, there are various processes required to retrieve information from an identified computer. These procedures offer the basis for technical expertise.
Once a criminal case has been identified, forensics experts determine the potential evidence they are looking for before structuring their search. This implies that the type of evidence depends on the kind of crime committed, and only those with the technical knowledge can positively identify the components of the computer on which the search is based. Technical knowledge also involves use of the right tools, as files may have been deleted, damaged or encrypted, and the technician is required to be familiar with the methods and software needed to prevent further damage in the recovery process.
There are two types of data collected in computer forensics, volatile and persistent data. Volatile data is any data which is stored in the computer’s memory or exists in transit and that is lost when the computer is turned off or otherwise loses power (Nelson, 2004). Such data resides in random access memory, cache and in registries and due to its being ephemeral, it is essential that the forensics expert knows the best ways to capture it. Persistent data on the other hand is stored on a local hard drive or any other medium and is retained or preserved in case the computer is turned off. It is important to have the necessary knowledge and understanding of computer systems to determine the appropriate methods to apply when retrieving computer evidence. As mentioned earlier, technical knowledge is what carries the weight of the forensic process involving computers. It cannot be left to anyone other than those tasked with the expertise especially because of the legal relevance of the evidence gathered.
Some of the tools needed to extract volatile data require that a computer be taken to a forensic lab for two reasons. One is to maintain a legitimate chain of evidence, while the other is to facilitate extensive work on the machine. This means that it may not be practical to do this work while on a field trip or in the place where the computer was retrieved. Saving RAM data on a disk is one of the most efficient ways of capturing computer data. It is necessary to keep RAM under low temperatures to preserve residual data and increase the chances of successful recovery.
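The two checks described above, verifying the digital copy against the original and keeping a chain of evidence, can be sketched in code. This is an added example, not part of the original essay; the `CustodyLog` class, the handler names, the timestamps and the sample bytes are all constructed for illustration.

```python
import hashlib, io, json

def sha256_stream(stream, chunk=1 << 20):
    """Hash a stream in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def copy_matches_original(original, copy):
    """True only if the working copy is bit-for-bit identical to the original."""
    return sha256_stream(original) == sha256_stream(copy)

class CustodyLog:
    """Hypothetical append-only log; each entry commits to the previous one."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, when, handler, action, evidence_sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"when": when, "handler": handler, "action": action,
                "evidence_sha256": evidence_sha256, "prev": prev}
        self.entries.append({**body, "entry_hash": self._digest(body)})

    def first_broken_entry(self):
        """Index of the first altered or reordered entry, or None if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or self._digest(body) != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        return None

# Constructed sample bytes standing in for a seized disk and its forensic image.
ORIGINAL = b"MBR\x00" + b"constructed sample sector data " * 64
IMAGE = bytes(ORIGINAL)

def demo():
    digest = sha256_stream(io.BytesIO(ORIGINAL))
    log = CustodyLog()
    log.record("2024-01-01T09:00Z", "examiner A", "seized at scene", digest)
    log.record("2024-01-01T13:30Z", "examiner B", "imaged in lab", digest)
    return log, copy_matches_original(io.BytesIO(ORIGINAL), io.BytesIO(IMAGE))
```

A hash chain only exposes edits to earlier entries if the latest entry hash is also recorded somewhere the log's keeper cannot rewrite, such as a signed or witnessed evidence form.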
After evidence has been acquired through use of technical knowledge of computers, it is presented in court, which is another area where expertise is crucial. Due to its importance, more legal experts are being trained in computer forensics to increase efficiency in solving criminal cases. Everything from the collection of evidence to its organization and final presentation in court should be carried out in the line of the legal system which is applicable in case of a crime. The problem of network security principles that have been violated should also be taken into consideration. That notwithstanding, the legal implications that can possibly occur due to the errors and policies at the data organization level have a huge bearing on the final result. This means they should also be kept within the legal boundaries.
Technicians in this field are therefore trained on the legal aspect of their jobs which covers the larger scope of computer forensics. This being the case, it is important that legal knowledge be imparted on computer forensics experts to guide them in their work, without which the whole process could be rendered useless. Such professionals should keep their decisions and technical actions under wraps to ensure they do not cause any legal violations. This may lead to the case they are working on being thrown out of court despite the strong evidence at hand, a fact that ultimately results in lack of justice to crime victims.
Legal knowledge is not necessarily that of the lawyers arguing a particular case but instead refers to the laws governing collection of computer evidence through forensic examination. This means that forensic experts have to collect evidence in a manner that is legally admissible in any court case. This is because of the existence of laws that bar the use of digital evidence in court cases. Over the years, various courts have disregarded evidence acquired through computer forensics. As aforementioned, computer forensics is relatively new in courts and its use is yet to be fully confirmed (Casey, 2000). There are new rules formulated to point the way forward for this practice but until their full implementation, it remains a rarely used platform for convicting suspected criminals.
Forensic experts have to be aware of the jurisdiction under which they are operating and whether or not it is legally accepted. Furthermore, there are also laws that dictate respect of privacy for personal property and data and this includes computers. Organizations are increasingly adopting these laws as a measure to safeguard their data. Although it is a measure of computer security, it may also hinder the course of justice when it comes to retrieving data from their computers. Any organization that resorts to the use of computer forensics must be able to account for its action when legal action is taken (Kiely, 2001).
Additionally, those people undertaking computer forensics must be aware of the statutory laws present within their political jurisdiction and how they affect them. For instance, the United States has three statutory laws: the Wiretap Act, the Pen Registers and Trap and Trace Devices Statute, and the Stored Wired and Electronic Communication Act. Any violation of these laws while in the course of their work is tantamount to a federal felony punishable by law. This requires prior consultation before conducting any forensic exercise to acquaint oneself with the existent laws. Attention must also be paid to the reliability of evidence collected, as there are laws that govern the entire collection process. One must therefore have the authority to collect data and use admissible methods to do so.
Many countries have undergone transformation of their laws to support computer forensics. As mentioned earlier, it is a relatively new form of crime solving yet to be fully accepted into the legal systems. As a measure of accepting it, many improvements have been made in the computer forensics field to offer relief to forensics professionals. Existent laws are being tightened as a measure of dealing with cyber or computer criminals. Their increase has led to the necessity of computer forensics, and the fact that these acts are criminal means the law always takes precedence in such matters.
Conclusively, computer forensics is best practiced when there is proper technical knowledge and the experts are fully aware of the laws that govern the field of forensics. Technical knowledge coupled with sound legal knowledge is a guarantee of a conclusive forensics operation. Given the importance placed on computer forensics for its help in solving cyber-related crime, it is of equal essence to ensure that it is conducted in the best manner possible. This is to ensure that the evidence that reaches the court is credible and not derived from hearsay. In order for this to happen, technical and legal knowledge are essential on the part of the forensics expert. For instance, technical knowledge, as seen from the above report, ensures successful data retrieval. The capturing of data from the computer cannot take place without a certified technician with adequate computer knowledge. In a situation where a technician is not well equipped, the amount of evidence collected may not be sufficient for presentation in a court of law, especially because some components of the computer may have been overlooked. Legally, it is equally important to understand the aspects of law that relate to computer forensics, or else the job conducted will not be satisfactory.