Cyber Forensics: Development of a Case Hypothesis Essay

Throughout time past, forensic science disciplines have helped solved numerous crime investigations and it has given impelling testimony in the area of court trials. In order to reduce the sagacity of siding or bias situation and avoidance in prosecuting innocent victims, it is important to analyse, validate and have proper presentation of digital evidence in the context of cyber forensics examinations. [1] (Noblett et al, 2000) in this essay we will discuss on various topics that describe, explain or illustrate on issues such as the processes that assist in the development of a case hypothesis and as well as alternative hypothesis. It will also cover the processes in which how validation check and test are conducted to determine the accuracy of the digital evidence. Furthermore, we will look into the deductive, inductive and abductive reasoning in the field of cyber forensics. Lastly, the essay will also cover on the processes that would improve the communication and presentation of case analysis to the solicitors and courts. INTRODUCTION Before the term cyber forensics was introduced in the late 1960s, most crimes are formally solved using traditional forensic science disciplines. Before the first PC computer was invented, crimes in those days were not as complicated as compared to today. In this introduction section, we will distinguish between what is forensic science and how it is different from cyber forensics. Forensic science depends on the capability of the research scientists to develop a case report based on the outcome of a scientific review. For instance , a DNA report analysis of a murder case can be undertaken without the prior knowledge of the victim’s name or exact situation of the crime.[2] (Chakraborty, R.1990) On the contrary, cyber forensics science’s main focus is driven on information discovered during the investigation. However the challenge lies in the search hunt of valid and admissible evidence in the media storage of a computer. The average storage capacity of a PC is approxima tely 300-500 Gigabytes; therefore it is tough to totally scan through every single file stored on a suspect’s computer system, let alone those computer networks. [3] [Casey, E. (2004] PROCESSES THAT ASSIST TO DEVELOP CASE HYPOTHESIS /ALTERNATE HYPOTHESIS Before  we develop a case hypothesis or alternate hypothesis, there are several procedures and guidelines that a forensic investigator must follow and do. Firstly, the investigators must construct a hypothesis of the occurrence which is based on the study of the evidence. On the other hand, the degree of rigidity of this hypothesis also relies upon the type of investigation. For instance, an Interpol police investigation would require the preparation of a detailed hypothesis with discreet and meticulous proper documentation to support specimens identified during the examination.[4] [Ó Ciardhuà ¡in, 2004]In the case of a police investigation , the hypothesis will be presented before a jury however the hypothesis drawn in a company will be handled by the management. Technically the hypothesis will be verified and an alternate hypothesis as well as supporting evidence will be presented before a jury. The investigators will need to affirm the legitimacy of their hypothesis and protect it against any critics or provocation. In the event if the challenge is successful, there will be a need to backtrack to the earlier stages to collect and search for more evidences so as to construct a better hypothesis. Talking to the experts AKA† Hot tubbing† is widely used for coexisting evidence. This process involves the court to put several expert witnesses on the stand together which will in turn saves much time and resources. Moreover, there are two main types of witnesses’ testimony at a trial, deposition or hearing. They are technical or scientific witness testimony and expert witness testimony. [5][Enfinger, 2006] As for technical or scientific witness, the investigator would need to present details of evidence that were discovered during the investigation. They would be asked to describe what was discovered and how it was acquired. During the compilation of the evidence , the investigator must ensure that the evidence collected must be legal and done appropriately with the permission of the owner and the suspect as well as a search warrant or hot pursuit. Also, it is essential that exculpatory and inculpatory evidence is presented. [6] [Cohen, 2006] On the other hand , the investigator would draft out the chains of events that have certain connections and linkage to form the chain of custody which is basically a documentation or paper trail displaying the seizure, control, transfer, analysis, custody and deposition of physical or digital. Apart from the chain of custody, there is another process known as the chain of Inference which is also referred as concatenate inferences.  These inferences between the weak and the strong ones build upon one another until they reduce the gap between the defendant and the conclusion to a manageable distance. The concatenate inferences process may be interpreted by fabricating a hypothetical scenario. The purpose of constructing a chain of inferences is to convince a fact finder that the desired conclusion is the most plausible sequence of events. On top of this, it is also vital to internalise the difference between evidence and inference before the development of a hypothesis or the reconstruction of the crime scene. With that comes the formation of crime scene timelines which is an efficient method to derive a conclusion. It is a graphical chart that illustrates the activity time line of crime scene sorted based on the sequence of events. These log entries displayed a unique chain of events that culminate in the incident which is a closer step towards proving a case. [8] [Stephenson, 2000] Another important process is testing, analysing and reporting. Testing is to ensure that all evidence both physical and electronic gathered must be verified and gone through quality check by scientific personnel to affirm the originality [without contamination] as well as how this proof of evidence would be of any aid to solve the crime. Analysis deals with what are the issues identify and intention of the crime act and for each issue how it can be addressed, documented, tested and verified. Lastly this analysis will be written down and documented as a report. [9] [Robert F. Winch and Donald T. Campbell, 1969]