INFORMATION Technology (IT) is one of the fastest growing economic sectors in Zambia.
It is widely used to support almost all human and business activities.
Digital Computer Forensic is a new and young professional in Zambia which requires the development of laws and policies from regulatory, legal and professional agencies.
This column will discuss the need for computer forensics to be practised in an effective and legal way as well as outline basic technical issues.
Digital Computer Forensics promotes the idea that the competent practice of computer forensics and awareness of applicable laws is essential for today’s networked organizations.
This subject is important for managers who need to understand how computer forensics fits as a strategic element in overall organizational computer security.
Network administrators and other computer security staff need to understand issues associated with computer forensics.
Those who work in corporate governance, legal departments, or IT should find an overview of computer forensics in an organizational context useful.
Who gained entry?
What did they do?
When did this happen?
Where did they go?
Why the chosen network?
How did they do this?
Damage assessment of what was available for the intruder to see?
What did he take?
What did he leave behind?
Where did he go?
What is Computer Forensics?
If you manage or administer information systems and networks, you should understand computer forensics.
Forensics is the process of using scientific knowledge for collecting, analysing, and presenting evidence to courts of law (the word ‘forensics’ means ‘to bring to the court’). Forensics deals primarily with the recovery and analysis of latent evidence.
Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.
Because computer forensics is a new discipline, there is little standardization and consistency across the courts and industry.
As a result, it is not yet recognized as a formal “scientific” discipline.
We define computer forensics as the discipline that combines elements of law and computer science to collect and analyse data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law. (US-CERT, 2008)
Why is computer forensics important?
Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure.
You can help your organization if you consider computer forensics as a new basic element in what is known as a “defence-in-depth” approach to network and computer security.
For instance, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised and will help you prosecute the case if the intruder is caught.
What happens if you ignore computer forensics or practice it badly?
You risk destroying vital evidence or having forensic evidence ruled inadmissible in a court of law.
Also, you or your organization may run afoul of new laws that mandate regulatory compliance and assign liability if certain types of data are not adequately protected.
Recent legislation makes it possible to hold organizations liable in civil or criminal court if they fail to protect customer data.
Computer forensics is also important because it can save your organization money.
Many managers are allocating a greater portion of their information technology budgets for computer and network security.
From a technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and analyse data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case.
What are some typical aspects of a computer forensics investigation?
First, those who investigate computers have to understand the kind of potential evidence they are looking for in order to structure their search.
Crimes involving a computer can range across the spectrum of criminal activity, from child pornography to theft of personal data to destruction of intellectual property.
Second, the investigator must pick the appropriate tools to use.
Files may have been deleted, damaged, or encrypted, and the investigator must be familiar with an array of methods and software to prevent further damage in the recovery process.
Two basic types of data are collected in computer forensics.
Persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off.
Volatile data is any data that is stored in memory or exists in transit that will be lost when the computer loses power or is turned off.
Volatile data resides in registries, cache, and random access memory (RAM).
Since volatile data is ephemeral, it is essentially an investigator knows reliable ways to capture it.
System administrators and security personnel must also have a basic understanding of how routine computer and network administrative tasks can affect both the forensic process (the potential admissibility of evidence in court) and the subsequent ability to recover data that may be critical to the identification and analysis of a security incident.
Legal aspects of computer forensics
Anyone overseeing network security must be aware of the legal implications of forensic activity.
Security professionals need to consider their policy decisions and technical actions in the context of existing laws.
For instance, you must have authorization before you monitor and collect information related to a computer intrusion.
There are also legal ramifications to using security monitoring tools.
Computer forensics is a relatively new discipline to the courts and many of the existing laws used to prosecute computer-related crimes, legal precedents, and practices related to computer forensics are in a state of flux.
New court rulings are issued that affect how computer forensics is applied.
The important point for forensics investigators is that evidence must be collected in a way that is legally admissible in a court case.
Increasingly, laws are being passed that require organizations (especially banks and health institution) to safeguard the privacy of personal data.
It is becoming necessary to prove that your organization is complying with computer security best practices.
If there is an incident that affects critical data, for instance, the organization that has added a computer forensics capability to its arsenal will be able to show that it followed a sound security policy and potentially avoid lawsuits or regulatory audits.
The areas of law related to computer security are important to know about, though they are not yet fully defined in the laws of Zambia.
The first guide is the Telecommunication Act.
Violations of any laws during the practice of computer forensics could constitute a State felony punishable by a fine and/or imprisonment.
It is always advisable to consult your legal counsel if you are in doubt about the implications of any computer forensics action on behalf of your organization.
I believe the rules of evidence about hearsay, authentication, reliability, and best evidence must be understood.
In the situation, there are two primary areas of legal governance affecting cyber security actions related to the collection of network data: (1) authority to monitor and collect the data and (2) the admissibility of the collection methods.
If system administrators possess the technical skills and ability to preserve critical information related to a suspected security incident in a forensically sound manner and are aware of the legal issues related to forensics, they will be a great asset to their organization. Should an intrusion lead to a court case, the organization with computer forensics capability will be at a distinct advantage. (Source US-CERT, a government organization).
The author is an ICT consultant, forensic investigator, CFIP, PDES, BScIT, DIT, ADip.PM, ITIL. For comments, suggestion, questions email firstname.lastname@example.org, WhatsApp +260977689574, +260955689574, Like the Facebook page: www.facebook.com/tterswithkingstonalimwila.