Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It is used in the prevention and detection of crime and in any dispute where evidence is stored digitally. Computer forensics follows examination procedures comparable to those of other forensic disciplines and faces similar challenges.
This guide explains computer forensics from a neutral standpoint. It is not tied to particular legislation and is not intended to promote any company or product. It is not written with a bias towards either law enforcement or the commercial computer forensics sector. It is aimed at a non-technical audience and provides only a high-level understanding of computer forensics. The text uses the term “computer”, but the concepts apply to any device capable of storing digital data. Where methodologies are mentioned, they are given as illustrations only and do not constitute advice or recommendations. Copying and publishing the whole or part of this article is permitted only under the terms of the Creative Commons – Attribution Non-Commercial 3.0 licence.
Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a ‘scene of a crime’, for example with hacking or denial of service attacks, or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as kidnap, murder and the drug trade. It is not just the content of emails, documents and other files that may be of interest to investigators, but also the meta-data associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed, and which user carried out these actions.
More recently, commercial organisations have used computer forensics to their benefit in a variety of cases, such as:
- Intellectual Property theft
- Industrial espionage
- Employment disputes
- Fraud investigation
- Family issues
- Investigations into bankruptcy
- Inappropriate email and internet use in the workplace
- Regulatory compliance
For evidence to be admissible it must be reliable and not prejudicial, meaning that at every stage of the process admissibility should be at the forefront of a computer forensic examiner’s mind. One set of guidelines that is widely accepted as an aid in this regard is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever legislature. The four main principles from the guide are reproduced below (with references to law enforcement removed):
- No action should change data held on a computer or other storage media which may subsequently be relied upon in court.
- Where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
In summary, no changes should be made to the original; however, if access or changes are necessary, the examiner must know what they are doing and must record their actions.
Principle 2 above may raise the question: in what situation would changes to a suspect’s computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device that is switched off. A write-blocker would be used to make an exact bit-for-bit copy of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.
However, sometimes it is not possible or desirable to switch a computer off. It may not be possible if doing so would result in considerable financial or other loss for the owner. It may not be desirable if switching off would mean that potentially valuable evidence could be lost. In both of these circumstances the computer forensic examiner would need to carry out a ‘live acquisition’, which involves running a small program on the suspect computer in order to copy (or acquire) the evidence to the examiner’s hard drive.
By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer that were not present before their actions. Such actions remain admissible as long as the examiner recorded what they did, was aware of the impact and is able to explain their actions.
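As an added illustration (not code from the original article), the following Python sketch shows the acquisition-and-verification idea behind principles 1 and 3: the source is hashed, copied bit for bit, and the image hashed again so that an independent party can repeat the check and obtain the same value. The file names, the examiner placeholder and the sample medium are assumptions made for the example.

```python
# Added example, not code from the article: the "medium" is a plain file,
# whereas a real acquisition reads from a write-blocked device. Names are assumed.
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash and copy in 1 MiB blocks so large media fit in memory
SAMPLE_MEDIUM = b"constructed sample contents of a small storage medium\n" * 200


def sha256_of(path):
    """Chunked SHA-256 of a file, used for the source and the image alike."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image, examiner):
    """Bit-for-bit copy of `source` into `image`; returns an audit record with the
    source hash taken before copying and the image hash after (principle 3)."""
    record = {"examiner": examiner, "source": source, "image": image,
              "started": datetime.now(timezone.utc).isoformat(),
              "source_sha256": sha256_of(source)}
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)  # the source is only ever opened read-only
    record["image_sha256"] = sha256_of(image)
    record["finished"] = datetime.now(timezone.utc).isoformat()
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify_image(record):
    """Re-hash the image named in an audit record; False once it has changed."""
    return sha256_of(record["image"]) == record["image_sha256"]


def run_demo():
    """Acquire the constructed medium, then alter one byte of the image to show
    that re-verification against the recorded hash detects the change."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "medium.bin"), os.path.join(work, "medium.dd")
    with open(source, "wb") as f:
        f.write(SAMPLE_MEDIUM)
    record = acquire_image(source, image, examiner="EXAMINER-PLACEHOLDER")
    intact = verify_image(record)
    with open(image, "r+b") as f:  # simulate corruption of the image after acquisition
        f.write(b"X")
    return record, intact, verify_image(record)
```

In a real examination the record would be written to the case audit trail alongside the write-blocker details and the time of each step.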
The stages of an examination
For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead that warrants further examination of the computer and means returning to the evaluation stage.
Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a computer’s built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g. what to do if child pornography is present during a commercial job) and ensuring that the on-site acquisition kit is complete and in working order.
The evaluation stage includes the receipt of clear instructions, risk analysis and the allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect’s property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover the reputational and financial risks of accepting a particular project.
The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory, this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. The ‘bagging and tagging’ audit trail starts here by sealing any materials in unique tamper-proof bags. Consideration also needs to be given to securely and safely transporting the material to the examiner’s laboratory.