With the increasing rate of high-tech crime, do you have the right sense of restoring the evidence data?
With sustainable development of the advanced technology, the rate of high-tech crime is also increasing, such as fishing website, fraud and Trojans etc. Under the investigation, the investigator needs to collect every computers or storage media, such as USB, hard drive etc and bring them back to backup these criminal records and analyze evidences.
The department of forensic science usually use these documents to collect and verified the evidence to rebuild the crime scene. Therefore, it's important to keep the evidence remains the same as original.
Otherwise, it would not be reliable enough to use as court evidence. To keep the original safe, forensic investigator usually create a copy, then, investigate and analyze the copy without any modification.
However, it faced some difficulties in copying and storing the evidence. 1. Hard to restore them, would get physical destruction easily.
Most of the time, the evidence usually store in storage such us hard drive, usb, and other hardware.And these kind of storage would be effected by the environment, such as humidity, magnetic force, even the physical destruction. So, it usually be stored in the box which is shockproof, shatterproof and water repellent when it brings back from the crime scene, and then store in the place with consistent humidity and temperature.
2. Be tampered and deleted easily
It's possible that the evidence would be changed while reading a document every time. For example, anyone can erase or copy the file easily if the device wasn't encrypted. Furthermore, sometimes even during copying the original as carbon copy, the system would add some strange file in the hard drive without notice. Even the tiny modification would lower the reliance and become invalid evidence.
To verify the integrity of the evidence, the usual way is recording hash code in the form. If there is confusion to the evidence, they only need to calculate the hash value to know whether it's been changed or not. Also, to prevent the original one from changing or damaging, it needs to make at least two copies and need to copy bit by bit to make sure the space which is omitted and the deleted files are copied as well.
Another way is restoring the encrypted data. To avoid the evidence from damaging, the usual way is to use digital signature, MD5 and other encryption techniques to archive the evidence. Then, choose the forensic tool which pass the certification. In America, as long as using the digital forensics passing the certification from the court, the evidence would usually valid to the court. However, there is no such certificate mechanism in Taiwan, and because of this, it seems that there are no identical standards for the device while making the carbon copy.