Question 1
Computer forensics experts have had their roles in crime evolve over time to become critical players in law enforcement. Particularly, law enforcers incorporate computer forensics experts in obtaining a variety of evidentiary information for their investigations. In the courtrooms, the experts are usually subpoenaed by the courts to help the jury or judge in a case, assist an indigent defendant, or even proffer the much needed expert standpoint on the evidence. It is noteworthy that it is not always a guarantee that computer forensics experts will be called to testify in a courtroom. Even so, they have to prepare. In investigations, my understanding is that computer forensic experts help investigators, for instance, in hacking into the computer systems of the suspected criminals to obtain evidence. While that is completely necessary, it is unlawful and unethical. Intruding the privacy of the criminals without their consent is a crime in itself; therefore, a computer forensics expert, in this case, would be committing a crime to solve a criminal case. To this end, since they have limited choices, I find the role of computer forensics experts in investigations somewhat challenging and risky. Essentially, they are of great help, but use means that can have them indicted if the suspect complains of privacy intrusion and unlawful obtaining of evidence on the grounds of inadmissibility. Unlike in investigations, the role of computer forensics experts as witnesses in courtrooms is entirely useful for the cases and the course of justice. Crimes like espionage and bank fraud often require IT expertise besides legal expertise; thus, a judge will need reinforcement to make an informed ruling. It then follows that in such cases, failure to include a computer forensics expert may lead to erroneous and imprecise decisions. I find computer forensics experts an inalienable part of law enforcement.
Question 2
MAC Times refer to a kind of metadata that functions to record the time files were accessed, created or modified (Olivier, 2009). It is among the critical time zone artifacts that an investigator has to consider. Correspondingly, the responsible party has to authenticate the time zone settings with a view to improving the accuracy of dates on MAC Times. On the same note, it is important to examine the system clock readings and retain the records for reference. MAC Times are different in terms of operating system or file system, therefore, can provide false forensic information for investigation suppose UNIX and Windows machines are used; for instance, in the creation of time analysis. In that respect, the times are caused by creation, modification or access to system files. File creation, modification, and access times are recorded as ‘ctime,' ‘mtime’ and ‘atime’ respectively (Sammons, 2012). Windows system records the creation time and date of the file as ‘ctime’ whereas UNIX systems record neither of the times. However, they assign ‘ctime’ to the last modification time of the file. The times are recorded in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\; but this varies with an operating system as well. During recovery, the clock of the system has to be accessed through a Mac live using tools such as MacQuisition or Single User Mode, whichever is appropriate (Ahmed, 2008; Marshell, 2008; Olivier, 2009; Punja, 2008). MAC Times is important in the articulation of the relationship between the user and the evidence. Essentially, it comprises embedded and system date stamps in the files or data, which would be meaningful for an investigator during analysis. More precisely, the law enforcer can compare the time stamps on the MAC Times and map them to the various activities of the user or suspect with a view to finding a concurrence or some sort of coherence that would implicate or absolve the suspect from the criminal charges.
Question 3
EXIF connotes Exchangeable Image File Format (Wilding, 2012). It is a standard that serves to specify the image formats, data, and sounds that digital cameras, even in smartphones, scanners and related systems use (Ahmed, Natarajan & Rao, 1974). The EXIF tag format is a derivation of the TIFF files and represents descriptive metadata usually attached to a variety of media types like TIFF or JPG files (Huggel, 2012). Exchangeable Image File Format data is found using EXIFReader and EXIFTool. The former is a Windows operating system image file analysis application. It assists in the display and analysis of shutter speed, focal length, flash condition, and other critical EXIF data information, including the format of the image. All digital cameras since 2014 support EXIF image formats. On the other hand, EXIFTool helps in reading, editing, and writing EXIF data in various files. It is available for both Mac OS and Windows operating systems. EXIF data mostly tells us about geolocational data on the photos seized from a suspect (Labarge, n.d). Geolocation data offers law enforcers with a wide variety of information. Among the information includes the date and time, physical location, dimensions, variable camera settings, fixed camera information, and thumbnails. Dimensions include image compressions, height, resolution, and width in pixels, while the variable settings comprise of the metering mode, camera orientation, shutter speed, ISO speed, and aperture size (Harvey, 2011). Other information contained in EXIF data may include description; for instance, an expatiation of photo details, keywords that can help in future searches, image copyright information, and image manipulation data. On that note, forensic investigators can use the Geodata in pinpointing the actual location where the suspect took the photo. EXIF data is particularly useful in investigating kidnapping and child pornography cases, given that they are highly likely to involve taking pictures.