Question
1. In a forensic investigation, it is not possible to over-document. It is likely that some cases will depend more on certain aspects of the documentation than others; however, you won't know what is really important until the case is done.
Starting at the crime scene, give five examples of what should be documented.
2. While speaking with the lead investigator on a case, you survey the room in which the computer equipment is located. On one side of the room there is a large bookshelf with up-to-date books on computer topics; a nearby table has current computer magazines; a new scanner is attached to the computer; and the computer is a new model with state-of-the-art equipment.
a. With this information, what can you deduce about the user?
b. How will this affect your investigation?
3. You have extracted a word processing document that was deleted hours before the computer was seized. The file is 80 KB in length and was created and modified within a week before it was deleted. After extracting this file, you proceed to open it and view the contents. The first thing you notice is a big blank screen. (Open the attachment in this assignment.) It appears as if nothing is typed in this document. You have learned a little about the user. She is an able secretary, with years of experience in word processing. Ask yourself, "How could I hide a document in plain view?" The forensic software you were using knew there was a deleted file, registered the date and time attribute, and even detected how big it was. What the software doesn't know is... how did the user hide the information? A document similar to the one in your case is attached.
Explanation / Answer
If you have any problems with the answer or want me to edit the answer, just let me know in the comments and I will try to get on to it as soon as possible. Do give a positive rating if you think this answer helped.
In a forensic investigation, no data is redundant; that means the possibility of over-documentation is minimal, as any information could be the key to the investigation, especially in the digital realm. Some cases do require different data and a different approach to be worked out than others, which could mean that having a huge amount of data and not categorizing it properly would later make it a challenge to investigate the crime. Yet, it is worse because the incriminating evidence may not be found properly and no case could be created in such a scene.
With that information, it can be deduced that the person in question is technically inclined, knows about the latest exploits, knows how to hide their tracks, and is aware of all the rights they have in case they made a mistake in handling the data. It is also possible that the evidence is fabricated and created to confuse the examiner.
If that is the case, the investigation needs to be conducted on a different level. It would mean more effort needs to be put into decrypting files, recovering deleted sectors and processing all the evidence.
The document being empty and still having a file size could mean that the color of the text is the same as the background; this will make the data essentially hidden to the eyes of the examiner.
Please do not repost the answer outside of your own personal use.
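The check below is an added example, not part of the original answer: it scans a recovered document for runs whose formatting conceals their text, covering the same-color-as-background case from the answer and, going beyond it, Word's hidden-text attribute and sub-1pt fonts. It assumes the recovered file is a .docx (Office Open XML) with a white page background; the function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
VAL = f"{{{W}}}val"
OFF = ("0", "false", "off")

def find_concealed_runs(docx_bytes, background="FFFFFF"):
    """Return (reason, text) for each run whose own formatting hides its text."""
    # Only direct run formatting is checked; styles and shading are not resolved.
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    hits = []
    for run in root.iter(f"{{{W}}}r"):
        text = "".join(t.text or "" for t in run.findall("w:t", NS))
        rpr = run.find("w:rPr", NS)
        if not text.strip() or rpr is None:
            continue
        color = rpr.find("w:color", NS)
        vanish = rpr.find("w:vanish", NS)
        size = rpr.find("w:sz", NS)  # w:sz is measured in half-points
        if color is not None and color.get(VAL, "").upper() == background:
            hits.append(("text color matches background", text))
        elif vanish is not None and vanish.get(VAL, "true").lower() not in OFF:
            hits.append(("hidden-text attribute (w:vanish)", text))
        elif size is not None and size.get(VAL, "").isdigit() and int(size.get(VAL)) <= 2:
            hits.append(("font size 1pt or smaller", text))
    return hits

def build_sample_docx():
    """Constructed sample: one visible run, one white-on-white run, one hidden run."""
    body = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:t>Quarterly notes</w:t></w:r>'
        '<w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
        '<w:t>constructed white text</w:t></w:r>'
        '<w:r><w:rPr><w:vanish/></w:rPr><w:t>constructed hidden text</w:t></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
    return buf.getvalue()

if __name__ == "__main__":
    for reason, text in find_concealed_runs(build_sample_docx()):
        print(f"{reason}: {text!r}")
```

Run it against a working copy of the recovered file, never the original evidence, and record the reason and text of each hit in the case notes.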