This research essay will be discoursing cyber forensics, its cardinal rules, description of digital grounds, the procedure used to continue, turn up, choose, analyse, validate and eventually the presentation of these digital grounds as grounds in tribunal. Besides, there will be treatment and the importance of offense Reconstruction hypotheses and alternate hypotheses Cyber Forensics.

Key Principles of Cyber Forensics.

There are four cardinal rules when it comes to cyber forensics. Association of Chief Police Officers and 7safe came out with the undermentioned rules:

Principle 1: No activity taken by weaponries of the jurisprudence administration or their administration should change inside informations held on a notebook or any engineering ( including devices and stuffs ) used to put, maintain, and recover informations which may upcoming be depend upon in tribunal.

Principle 2: In status where an single finds it requisite to entry initial inside informations held on a notebook or any engineering ( including devices and stuffs ) used to put, maintain, and recover informations, that single must be adept to make so and in a place to give cogent evidence describe the related and the deductions of their activity.

Principle 3: An official review trail or other history of all stairss applied to computer-based electronic cogent evidence should be green goodss and preserve. An individualistic go-between should be able to inspect those procedures and accomplished the similar result.

Principle 4: An person with overall duty of the probe ( the instance officer ) has across-the-board control for assure that the statute law and these rules are upheld to.

( ACPO, 7safe, n.d. , page 7 )

Computerized cogent evidence is concern to the same regulations and ordinances that implement to documented cogent evidence. The theory of documented cogent evidence may be interpreted therefore: the duty is on the trail to expose to the court-room that the cogent evidence made is either no more or no less in the present than when it was initial taken into the clasp of the jurisprudence hatchet man. The low-level package supports a computing machine ‘s basic maps and other package frequently alteration and count to the inside informations of electronic capacity. This may happen non manually in the absence of the user no uncertainty being witting of that the inside informations has been alter. With the purpose to obey with the constructs of computerized cogent evidence, wherever operable, a image should be making of the whole mark appliance. Half or selective papers copying may be give idea to as another manner in certain state of affairss e.g. when the volume of inside informations to be picture makes this infeasible. However, tester should be cautiousness to do certain that all related cogent evidence is taken down if this attack is used. In a non bulk of event, it possibly will be impossible to get an image utilizing a known imagination appliance. In these state of affairss, it may go indispensable for the initial appliance to be accessed to recover the cogent evidence. With this in head, it is needed that a spectator, who is capable to manus up the cogent evidence to a tribunal of regulations and ordinance makes any such entree. It is mandatory to demo objectiveness in a tribunal, every bit good as the continuity and honestness of cogent evidence. It is besides of import to demo how cogent evidence has been retrieve, demoing each process through which the cogent evidence was gained. Proof should be kept to such an extent that a minor party is capable to travel through once more the same sequence and make the same result as that submitted to a tribunal.

( ACPO, 7safe, n.d. , page 7 )

Digital Evidence defines Digital grounds as “ Digital cogent evidence or electronic cogent evidence is any grounds informations maintain or reassign non alphabetical and a party to a legal dissension in tribunal can use the similar during the hearing. ” ( USLegal, n.d. parity. 1 )

Any come-at-able appliance otherwise construction that is for maintaining, send, obtain digital inside informations are those come-at-able beginning of digital cogent evidence. A notebook is a sample that could maintain many assorted sort of digital cogent evidence ; some of them are made by user whereas construction can do certain of them besides. ( USLegal, n.d. parity. 1 )


Phases of Evidence Processing

In the cogent evidence processing sequence, it makes up of different degree gimmick by research workers in cogent evidence saving, location, choice and proof that semen before the degree in the legal sphere that includes legitimate practicians building and so showing lawful wrangle. ( Boddington et al, 2008 )


Computer cogent evidence is really frail and can be likely to be effortless tear down, even by computing machine ‘s simple operation. ( SETEC, n.d. , page 2 ) Angstrom incorrect measure or a misreckoning here could render the grounds useless, particularly when it involves legal demands. Hence, it ‘s of extreme importance that computing machine grounds are preserved in its original and unchanged signifier. ( Albert, Doug, 2008, page 6 )

The Preservation phase of the electronic engineering that procedure informations lawbreaking site includes protects the entree and manner out to the digital location and continuing the digital cogent evidence that might change. In the existent planet, this includes minimize walkers walking and gather physical cogent evidence that could be gone because of the clime. In the digital term, this comprises segregate the construction from the web, assemble the volatile inside informations that would travel losing when the organisation is switch out, and nail any wary procedures that are fluxing In the system. Distrust users that entered into the system should be cognizant of and see a hunt on them. Log paperss can be besides treated as a spectator to the improper act and should be kept if there is a danger that they will be losing before the construction is duplicate. Make certain that other theoretical accounts apply “ saving ” to associate to continuing digital cogent evidence. In this theoretical account, the whole digital milieus will be safeguard. Actually, no digital cogent evidence has been recognized yet when this period go on. One of the advantages of the digital term comparison to physical term is that the surrounding can be easy duplicated. Hence, it is usual in this period to do a full forensic image modesty of the construction so that it can be examined in a trial Centre. This is tantamount to physical tester being holding the ability to take an accurate transcript of a edifice into the research topographic point for farther research. Duplicate of the full phonograph record safeguard the whole digital improper location while autotype that are merely system modesty protect merely the allocated inside informations in the digital improper topographic point. An of import system can usually be build once more after a forensic image has been made so that it can be back on the cyberspace every bit shortly as possible. Other illustration will necessitate the initial difficult phonograph record to remain as physical cogent evidence for the clip being of the instance. When neting proctors rescue web traffic, they are already protecting the province of the web. ( Carrier, Spafford, 2003, page 11 )


In the placement stage, research workers will make the analysis on the replica image of the seized computing machine to turn up any grounds that might perchance hold a nexus with the offense or act committed, whether the grounds support or belie the hypotheses of the incident. ( Boddington et al, 2008, page 4 )

In bulk state of affairss, this period frequently happens in the workshop supervised by a controlled supervise surrounding, where the tester can hold a entire oversee of what is traveling on and competent to double the decision on another construction. ( Carrier, Spafford, 2003, page 12 ) Despite this, there might be some case where this period is finish in the field itself before make up one’s minding whether if the organisation shall be conveying back for more review. ( Carrier, Spafford, 2003, page 12 ) When this is needed, the system will be turn on in a counted on sphere to protect that intervention of the digital cogent evidence. ( Carrier, Spafford, 2003, page 12 )

Besides, from the illegal act made text of the review, tester would establish out the noticeable cogent evidence beforehand. Cases of lewdness, the individual who inspect should get down initial glimpse at image papers to verify which of the material is to be treat as cogent evidence. ( Carrier, Spafford, 2003, page 12 ) Another scenario should peek at aggregation and past positions of Google chrome, cyberspace, and besides IP reference log which could make up one’s mind the clip slot of the work stoppage or improper act and take out IP reference and web information. ( Carrier, Spafford, 2003, page 12 ) From now on research worker might necessitate aid by specializer in peculiar field, e.g. encoding, feasible research worker, or inside informations retrieve professional. ( Carrier, Spafford, 2003, page 12 )


At this point, every statistic gather in the locating period will be inspected to make up one’s mind the importance of the inside informations ; to see if the inside informations gathered can help in going a cogent evidence to be useable in tribunal. ( Carrier, Spafford, 2003 ) For more information, farther rigorous hunt analysis should be executed here after seeking the cogent evidence found before manus, illustrations is ; happening value words with great significance or inside informations inside the cogent evidence. ( Carrier, Spafford, 2003 ) At times, it may be suited to inspect the of every group ( physical determination ) or every paperss ( legit determination ) . ( Carrier, Spafford, 2003 )


In the show to be true process, the full cogent evidence that was chosen in the choosing process will be show to be true to do certain that the inside informations in that cogent evidence is accurate and proven. To be specific, if the cogent evidence pulls a statement on some juncture, the research worker must be adept to turn out that. Those people examine this besides need to retrace their stairss and travel antecedently to the locating process to happen more inside informations to help on the cogent evidence found. ( Richard et al, 2008 page 4 )

For a cogent evidence to be valid in this process, it goes through a sequence of question. Each question either hold yes or no answer, yes will bespeak the cogent evidence is prove to be true and no agencies that the cogent evidence is opposite of yes and should be declined, a non clear response would necessitate the tester to return antecedently to garner more cogent evidence to turn out this statement. ( Richard et al, 2008 page 8 ) During the declaration procedure, if a declaration void the cogent evidence, the research worker might look into confirmation that statement before truly throwing the cogent evidence as it might be possible that the averment was non wholly right or sometimes may be ill-defined.

A record worksheets shall be apply in this topographic point in helping the research worker to give reminder to supply belongingss of the digital cogent evidence and advise the tester if a digital cogent evidence demands any longer verifying. With a record worksheet, the individual who investigates can bring forth more solid determination of the cogent evidence after dual cheque through all its averment and reminder written down. ( Richard et al, 2008 page 13 )


When all cogent evidence is combined and verified, tester will compose a investigator’s written description which consists the decision of looking for, inside informations and factors that help to help the looking for & A ; the result find besides. ( National Institute of Justice, 2004 )

The sequel motion here is to bring forth the confirmation so that it can be shown in tribunal. The justice will non grok the linguistic communications and methods implement by the research worker to retrieve the cogent evidence, what truly pull them is the cogent evidence and whether it is accurate or non. Thus it ‘s of import that digital cogent evidence should non be ill-defined, compendious and most critical, it can be understand without much account. ( Sherman, 2006 )

Crime Scene Reconstruction

Forensic offense scene Reconstruction is the processs which have an impact on the series of happening about what happened in between and behind an improper act.

Carrier and Spafford states that there are 5 chief events in the process of offense scene examine. They are as followed ;

1. Evidence Examination

2. Role Categorization

3. Event Construction and Testing

4. Event Sequencing

5. Hypothesis Testing

( Carrier, Spafford, 2004 )

Evidence Examination

The grounds scrutiny period inspect every portion of digital cogent evidence to recognize it & amp ; custom-make it.

In this process, the category and individual characteristic will hold made a steadfast determination. Sample of the category characteristic of digital inside informations involve any common inside informations format values, like those title signatures and paperss add-on. Single features are those might be particular to that booklet and involves the existent inside informations of the paperss non inside of the norm constellation inside informations. ( Carrier, Spafford, 2004 ) This measure will affect focal point at neting traffic and logs from neting appliance, non merely inside informations from difficult phonograph record. The contents related with inside informations features require extra probe to acknowledge which is really utile & A ; give the upper limit inside informations. The trusty & A ; can be believed of the digital cogent evidence is investigate in this period. ( Carrier, Spafford, 2004 )

Role Classification

The function categorization process inspects every point & A ; besides recognizes what assortment of inside informations the points have inside or might able to do. Using item’s inside informations, hypotheses were made about the sequence of happening that point might be a root or beginning. ( Carrier, Spafford, 2004 ) All points in the digital improper act site are the result of the happening. An illustration ; an action is the cause of the nucleus devising it and information on a phonograph record is a cause of it being put in composing at that place by the nucleus, which most likely a cause of a process doing a construction call juncture. ( Carrier, Spafford, 2004 )

Event Construction and Testing

The event building and proving process have the duty assignments and tally with the root and outcome point. This process needed excess effort as procedures & A ; nucleus inside informations frequently removed when the notebook is switch out. ( Carrier, Spafford, 2004 ) In many state of affairss, a hypothesis was made about the operation that acted a portion in happening. Transport out paperss on the construction can be investigated to turn out the portion of a sequence might play it, it were unfastened from the carry out paperss. ( Carrier, Spafford, 2004 )

Event Sequencing

This process demands the juncture be anchored in when the juncture happen, a few juncture have an car green goods timestamp on the paperss or in a log paperss on the system, however these inside informations will be adjust by one more happenings besides. If the tester is cognizant of how the feasible plants, the inside informations can be used to treat the juncture. ( Carrier, Spafford, 2004 )

Hypothesis Testing

So for this phase of examine, we had decided on a sequence of juncture and some hypotheses about lost happening. Examiner will look into each of these hypotheses and which decide which is more likely and which is easy disapprove by the cogent evidence gather. ( Carrier, Spafford, 2004 )

Alternate Hypothesis

Alternate Hypothesis is used to oppose the hypothesis that the individual which is guilty is the 1 answerable for the incident. ( Carrier, Spafford, 2004 )


Cyber Forensics is so a difficult occupation. The process taken from analyzing to trading cogent evidence into something which can be use as a cogent evidence in tribunal is truly non something that can larn and get the hang rapidly. Old ages of experience or more and working with cyber forensics is needed to cognize how to response consequently to assorted offense state of affairss and take the right actions.

I personally feel that working with cyber forensics will be in demand non merely in the present and besides the close hereafter. Most offenses are now utilizing engineering and the webbing to discourse. Nowadays all administrations communicate through webbing. However, it is besides of import for the tester to hold the cognition and experience in order to track down and catch the people who commit offense.


Association of Chief Police Officers ( ACPO ) , 7safe. ( n.d. ) . Good Practice Guide for Computer-Based Electronic Evidence: The rules of computer-based electronic grounds. Retrieved January 19, 2014, from hypertext transfer protocol: //

USLegal. ( n.d. ) . Digital Evidence Law & A ; Legal Definition. Retrieved January 19, 2014, from hypertext transfer protocol: //

SETEC Investigation. ( n.d. ) . The Proper Acquisition, Preservation, & A ; Analysis of Computer Evidence: Guidelines & A ; Best-Practices. Retrieved January 20, 2014 from hypertext transfer protocol: //

Richard, Boddington. , Valerie, Hobbs. , & A ; Graham, Mann. ( 2008 ) . Validating digital grounds for legal statement. Retrieved January 20, 2014 from hypertext transfer protocol: //

National Institute of Justice. ( 2004 ) . Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Retrieved 21 January, 2014 from hypertext transfer protocol: //

Brian, Carrier. & A ; Eugene H. Spafford. ( 2003 ) . GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Retrieved January 27, 2014 from hypertext transfer protocol: //

Shayne, Sherman. ( 2006 ) A digital forensic practician ‘s usher to giving grounds in a tribunal of jurisprudence. Retrieved 30 January, 2014 from hypertext transfer protocol: // article=1032 & A ; context=adf

Brian, Carrier. & A ; Eugene H. Spafford. ( 2004 ) . DEFINING EVENT RECONSTRUCTION OF DIGITAL CRIME SCENES. Retrieved January 30, 2014 from hypertext transfer protocol: //

USLegal. ( n.d. ) . Crime Scene Reconstruction Law & A ; Legal Definition. Retrieved January 31, 2014 from hypertext transfer protocol: //

Information Security and Forensics Society ( ISFS ) . ( 2004, April ) . Computer Forensics Part 1: An Introduction to Computer Forensics. Retrieved January 19, 2014, from hypertext transfer protocol: //