Andrew Frowen offers the following royalty-free article for you to publish online or in print. Feel free to use this article in your newsletter, website, ezine, blog, or forum. ----------- PUBLICATION GUIDELINES - You have permission to publish this article for free providing the "About the Author" box is included in its entirety. - Do not post/reprint this article in any site or publication that contains hate, violence, porn, warez, or supports illegal activity. - Do not use this article in violation of the US CAN-SPAM Act. If sent by email, this article must be delivered to opt-in subscribers only. - If you publish this article in a format that supports linking, please ensure that all URLs and email addresses are active links. - Please send a copy of the publication, or an email indicating the URL to [email protected] - Article Marketer (www.ArticleMarketer.com) has distributed this article on behalf of the author. Article Marketer does not own this article, please respect the author's copyright and publication guidelines. If you do not agree to these terms, please do not use this article. ----------- Article Title: Should Digital Evidence Be Stored In Perpetuity? Author: Andrew Frowen Category: Security, Information Technology Word Count: 546 Keywords: computer forensics, acpo, digital evidence, hard drive deterioration, computer crime Author's Email Address: [email protected] Article Source: http://www.articlemarketer.com ------------------ ARTICLE START ------------------
Where it is suspected that a computer has been used in the commission of a crime, the equipment is usually passed by law enforcement officials to computer forensic experts for analysis. In the event that any of the evidence extracted is successfully used to secure a conviction, the question then arises as to how long the evidence should be stored. Generally, there is a legal requirement to retain all forms of evidence unless the police seek permission to lawfully dispose of it, which is usually not granted until all avenues of appeal have been exhausted. In the case of digital evidence, the reasoning behind this is quite clear: as new information or scientific methodologies come to light, it is possible that an appeal could be lodged, and the computer forensic analysts could be asked to go back and analyse the drive again. For example, in recent years, the 'Trojan horse defence' has developed where an accused person claims that a Trojan - a form of malware which allows third party control of a computer by an unauthorised person - was responsible for the illegal activity that has been proven to have taken place on their computer. If a convicted criminal were to appeal on these grounds, analysts would need to revisit the evidence to attempt to prove or disprove the presence of malware. To ensure that evidence is not corrupted or contaminated during the analysis, the first stage of a forensic investigation is to create a 'forensic image', where an exact copy of the hard drive is created. It is this perfect copy of the drive that is analysed by computer forensic experts, while the original drive is moved to a secure storage area. How long, then, should the original media be preserved, given that the forensic image is an exact and verified copy? The original, in most cases, would only be required if the validity of the forensic image was called into question. As a rule, this should not be an issue, since imaging must be carried out in a fully auditable fashion in line with the best practice guidelines for computer based evidence set out by the Association of Chief Police Officers (ACPO). However, in cases where a conviction carries a sentence of 20-30 years, it is possible that the original media could naturally degrade over time, rendering it inaccessible should an appeal be lodged on these grounds. For police high tech crime units and computer forensic laboratories, the natural deterioration of the digital media used to store the copied image is also a problem. A hard drive in regular use could be expected to last two to five years, with the potential to fail at any time, sometimes causing the permanent loss of the data held within it. While media containing copied images can be kept in heat and moisture controlled environments to limit degradation, there is therefore some question as to whether the fidelity of all data could be guaranteed for the full duration of a conviction. It seems then that new technologies will become increasingly necessary to fulfil the need for a long term storage solution for digital evidence. Until that time, there is always the real danger that evidence could be lost at the expense of the thorough investigation of a crime. IntaForensics a BS EN ISO 9001:2000 registered firm providing Computer Forensics, Expert Witness, Mobile Phone Forensics, and Forensic Data Recovery to the Legal Sector, Police Forces, Local Authorities and Commercial organisations internationally. Visit http://www.intaforensics.com. ------------------ ARTICLE END ------------------ [Non-text portions of this message have been removed]
