The electronic investigation of a crime differs significantly from a "traditional" investigation, which looks for tangible evidence. The electronic investigator does not search a drawer or a physical space but electronic folders, files, storage devices and computing systems.
The digital evidence collected is considered particularly sensitive. An important part of an electronic investigation is therefore to preserve it and ensure that it is not altered.
The electronic investigation of a crime must be conducted in accordance with existing law, because many doubts are raised about the adequacy of the investigator's knowledge and about whether the analysis and preservation of the data followed the procedures. As a result, it is common at trial for either the investigation or the seizure of the information to be disputed, because there is no specific legislative framework for investigations in cyberspace.
During an investigation, it is important not to violate the privacy of individuals. A warrant is therefore generally required, and it should specify precisely the objects that can be searched. Even if the investigator believes that data could be drawn from items other than these, such items have no probative value in the courtroom.
The investigator of a cybercrime uses specialized tools and follows specific steps during the investigation:
- Identification of the data recording media, and photographing, in order to be able to demonstrate the physical environment and condition of the items.
- Creation of secure areas for the data. Usually a secure cabinet is used.
- List of items, which may include: laptop computers, hard disks or external drives, backup recording media, DVDs, CDs, etc., USB keys, pocket PCs, smartphones, and analysis of network activity.
- Creation of a folder for forensic evidence which cannot be deleted or removed, to ensure data integrity.
- Recording and securing of the electronic image of the forensic data disk; the investigator works on a working image of the disk.
- Search for other sources of data extraction, as indicated by the progress of the case.
- Examination of the data with appropriate software to make the searched data readable, and use of keywords to identify data relevant to the case. Both incriminating and non-incriminating data are collected, files are decrypted and security codes are broken.
- Afterwards, a report recording the findings of each stage of the electronic forensic investigation is written and signed by the customer.
- If considered necessary, the investigator attends the courtroom as a witness.
The electronic forensic investigation should follow these principles:
- No action may alter data held on a computer or storage medium that may be presented in court.
- Use of the original data by a third person only upon authorization.
- The person designated as responsible for the investigation is charged with overall responsibility for ensuring compliance with forthcoming legislation and principles.
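
The disk-image step and the first principle above (work on a working image, and no action may alter the data) can be checked mechanically. The following Python code is an added example, not part of the original text; the use of SHA-256 digests, the custody-log format, the file and function names and the sample image content are assumptions made for illustration.

```python
import hashlib, os, shutil, stat, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record(log, event, path, digest, ok=True):  # custody-log entry (hypothetical format)
    log.append({"utc": datetime.now(timezone.utc).isoformat(), "event": event,
                "file": os.path.basename(path), "sha256": digest, "ok": ok})

def seal_master(master, log):
    """Record the master image's digest and make the file read-only."""
    digest = sha256_file(master)
    os.chmod(master, stat.S_IRUSR)
    record(log, "seal", master, digest)
    return digest

def verify(path, sealed_digest, log):
    """Re-hash a file and log whether it still matches the sealed digest."""
    digest = sha256_file(path)
    record(log, "verify", path, digest, digest == sealed_digest)
    return digest == sealed_digest

def make_working_copy(master, working, sealed_digest, log):
    """Copy the master and refuse to proceed unless the copy is bit-identical."""
    shutil.copyfile(master, working)
    if not verify(working, sealed_digest, log):
        raise ValueError("working copy does not match the sealed master image")
    return working

def demo():
    with tempfile.TemporaryDirectory() as d:
        master = os.path.join(d, "master.img")
        with open(master, "wb") as f:            # constructed sample "disk image"
            f.write(b"CONSTRUCTED SAMPLE IMAGE" * 1024)
        log = []
        sealed = seal_master(master, log)
        working = make_working_copy(master, os.path.join(d, "working.img"), sealed, log)
        with open(working, "r+b") as f:          # simulate an accidental one-byte write
            f.write(b"\x00")
        altered_detected = not verify(working, sealed, log)
        master_intact = verify(master, sealed, log)
        return altered_detected, master_intact, log
```

Calling `demo()` shows that a single changed byte in the working image is detected while the sealed master still verifies, and every check leaves a timestamped entry for the report.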