Computer forensics is the practice of collecting, analyzing, and reporting digital information in a legally admissible way. It can be used to detect and prevent crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.
About this guide
This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not biased toward either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term “computer,” but the concepts apply to any device that stores digital information. Where methodologies have been mentioned, they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license.
Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a ‘scene of a crime’, for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents, and other files that may interest investigators but also the ‘meta-data’ [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed, and which user carried out these actions.
More recently, commercial organizations have used computer forensics to their benefit in a variety of cases such as:
Intellectual Property theft
Industrial espionage
Employment disputes
Fraud investigations
Forgeries
Matrimonial issues
Bankruptcy investigations
Inappropriate email and internet use in the workplace
Regulatory compliance
Guidelines
For evidence to be admissible, it must be reliable and not prejudicial, meaning that at all stages of this process, admissibility should be at the forefront of a computer forensic examiner’s mind. One set of guidelines that has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer-Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles apply to all computer forensics in whatever jurisdiction. The four main principles from this guide have been reproduced below (with references to law enforcement removed):
1. No action should change data held on a computer or storage media which may be subsequently relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
In summary, no changes should be made to the original. However, if access/changes are necessary, the examiner must know what they are doing and record their actions.
Live acquisition
Principle 2 above may raise the question: in what situation would changes to a suspect’s computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would copy (or acquire) information from a device that is turned off. A write-blocker [4] would be used to make an exact bit-for-bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.
However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence may be lost. In both these circumstances, the computer forensic examiner would need to carry out a ‘live acquisition’ involving running a small program on the suspect computer to copy (or acquire) the data to the examiner’s hard drive.
By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact, and was able to explain their actions.
Stages of an examination
For this article, the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage, the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.
Readiness
Forensic readiness is an important and occasionally overlooked stage in the examination process. Commercial computer forensics can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer’s built-in auditing and logging systems are all switched on. For examiners, there are many areas where advance preparation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job), and ensuring that your on-site acquisition kit is complete and in working order.
Evaluation
The evaluation stage includes receiving clear instructions, risk analysis, and allocation of roles and resources. Risk analysis for law enforcement may include assessing the likelihood of a physical threat entering a suspect’s property and how best to deal with it. Commercial organizations also need to be aware of health and safety issues, while their evaluation would also cover reputational and financial risks on accepting a particular project.
Collection
The main part of the collection stage, acquisition, has been introduced above. If the acquisition is to be carried out on-site rather than in a computer forensic laboratory, this stage would include identifying, securing, and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end-users of the computer and the manager and person responsible for providing computer services) would usually be carried out at this stage. The ‘bagging and tagging’ audit trail would start by sealing any materials in unique tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner’s laboratory.
Analysis
The analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue, the analysis may take a different path or be narrowed to specific areas. The analysis must be accurate, thorough, impartial, recorded, repeatable, and completed within the time-scales available and resources allocated. There are myriad tools available for computer forensics analysis. Our opinion is that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis: if with tool ‘A’ the examiner finds artifact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results.
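The following script is an added illustration, not part of the original guide, of two ideas above: the bit-for-bit acquisition and audit trail from the “Live acquisition” and “Guidelines” sections (principles 1 and 3), and the dual-tool check from the “Analysis” section, here applied to the copy itself (SHA-256 comparison as tool A, cmp as tool B). It assumes a hardware write-blocker between the examiner’s machine and the source, standard POSIX tools plus sha256sum, and uses a small constructed file as a stand-in for a device.

```shell
#!/bin/sh
# Added example, not part of the original guide: image a source bit-for-bit,
# confirm the copy with two independent tools, and record an audit-trail entry.
# Assumes a hardware write-blocker sits between the examiner's machine and the
# source; this script only ever reads from SOURCE, so it never changes it.
set -eu

# verify_image SOURCE IMAGE
# Tool A: SHA-256 of SOURCE and IMAGE must match.
# Tool B: cmp must find them byte-for-byte identical.
# Returns 0 only when both tools agree; leaves the hashes in SRC_HASH/IMG_HASH.
verify_image() {
    SRC_HASH=$(sha256sum "$1" | cut -d' ' -f1)
    IMG_HASH=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$SRC_HASH" = "$IMG_HASH" ] && cmp -s "$1" "$2"
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE with dd, verifies the copy, and appends one
# tab-separated line (UTC time, operation, paths, hashes, outcome) to LOG so
# an independent examiner can repeat the process and compare results.
acquire_image() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
    if verify_image "$1" "$2"; then outcome=VERIFIED; else outcome=MISMATCH; fi
    printf '%s\tacquire\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" \
        "$SRC_HASH" "$IMG_HASH" "$outcome" >> "$3"
    [ "$outcome" = VERIFIED ]
}

# Demonstration on a constructed stand-in for a device: a small file with
# known content (a real job would pass the write-blocked device node instead).
demo_dir=$(mktemp -d)
printf 'constructed sample volume: not a real disk\n' > "$demo_dir/source"
acquire_image "$demo_dir/source" "$demo_dir/source.img" "$demo_dir/audit.log"
cat "$demo_dir/audit.log"
```

If either tool disagrees, the log line records MISMATCH and the function returns non-zero, so the discrepancy is preserved in the audit trail rather than silently discarded.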