A simple definition of computer forensics, as given by Chris L.T. Brown in the book Computer Evidence Collection and Preservation, published in 2006:
Computer forensics is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and a skill for solving puzzles, which is where the art comes in.
A more detailed definition of computer forensics comes from dns (www.dns.com):
Computer forensics is the generic name that we use for the analysis and reporting of our findings from the forensic analysis of all computer or digital-related media. This not only includes PC/Laptop or server hard drives but also other storage devices such as USB drives, MP3 players, memory cards, SIMS and data gathered via network analysis.
Computers and other electronic devices are being used more and more to commit, support or even just enable unwanted activity perpetrated against individuals, organisations or even assets.
Since “cyber crime”, as the media so blatantly name it, has been rising steadily in recent years, computer forensics was born and has developed just as steadily, if not faster, than cyber crime itself. It has thus become a vital tool for providing evidence in cases of computer misuse and in the numerous attacks against computer systems, but, surprisingly enough, computer forensics has also played a vital role in gaining evidence for more traditional crimes like murder, money laundering, drugs, etc.
Justice systems all over the world are constantly inundated by the sheer volume of cases that involve electronic evidence, which means that demand for the services of computer forensic experts is just as great. In many cases this means that less experienced personnel end up being drafted in, and the main problem with this is that these less-experienced members of staff are more likely to end up corrupting the vital data than their more experienced counterparts, due to a lack of knowledge and understanding of the basic principles.
A key rule and main principle within computer forensics is “understand the suspect”. Basically, collect as much information on the suspect as possible, from qualifications and jobs to little details like their hobbies. If you build up a profile of the suspect you will be able to identify what level of counter-measures you are likely to come across, given their computing knowledge. If you do not have sufficient information to build a solid profile of the suspect, then you should always assume that the suspect is an expert and will have installed medium to advanced counter-measures against computer forensics. Because of this you must let the computer believe that it is being used by a normal user for as long as possible, until you are able to identify the counter-measures and safely disable them; otherwise you may find that the evidence you did have has been corrupted beyond recovery.
Rule two is really two rules in one. First, make sure that you have all the appropriate warrants to perform the computer forensics tasks, like seizing the equipment and scanning and recording the data.
You also need to make sure that you only use tools and methods that have been tested and evaluated to validate their accuracy and reliability. There are two ways to make sure that the tools are forensically sound: one, you can set up a mock forensic environment and test the tool yourself; or two, you can contact one of the international government agencies, like the Defense Cyber Crime Institute (www.dc3.mil/dcci/form10.htm), that accept requests to test specific digital forensic tools and methods at no cost to the person requesting.
Rule three: make sure that you and your team handle the original evidence as little as possible, so there is little chance of any data being modified.
Rule four: make sure you document every little thing that you do, so that if anything goes missing or goes wrong you have your own record, which will be your lifeline if anyone tries to sue you for incompetence or something similar.
And finally, rule number five: never exceed your personal knowledge. Every person knows what their limits are, and by trying to go beyond them you are endangering the evidence; for example, a computer forensic examiner whose expertise is in Windows systems should not attempt the same level of detail on a *nix system.
As soon as you are able to secure the machine and the data on it, there are six simple steps you need to follow to make sure that you obtain as much information as possible.
First of all you need to examine the surroundings of the secured machine: are there any other electronic devices lying around, or any notes, either in plain sight or concealed, that may contain passwords, passphrases or even security instructions, like how to disable that pesky worm that will eat the data? Whenever you spot anything that may be useful you must document what you found and where you found it, photograph it and, where possible, bag it and ship it back to the lab.
Next you need to examine the system if it is still live, because if you shut it down any volatile information, like open windows and any data stored in RAM, will more than likely be destroyed when you reboot the system back in the lab. It is important to note that when performing a live analysis the order of volatility must be followed: the data that is most likely to be modified or lost first should be captured first. The order of volatility is:
1. Network Connections
Network connections can close quickly and often leave no evidence of where they were connected to or the data being transferred.
2. Running Processes
It is important to note which programs are running on a computer before further analysis is conducted.
3. RAM
The system's Random Access Memory contains information on all running programs as well as recently run programs. The information that can be gained from the system RAM includes passwords, encryption keys, personal information, and system and program settings.
4. System Settings
The operating system settings can now be extracted. These include user lists, currently logged-in users, the system date and time, currently accessed files and current security policies.
5. Hard Disk
The hard disk can then be imaged. It is important to note that it is not forensically sound to image a hard drive while it is running live unless there are extenuating circumstances.
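The order of volatility above, together with rule four (document everything) and rule three (touch the original as little as possible), can be enforced by a small collection harness. The example below is added here and is not from the article or any tool it names: it runs one collector per stage in the order listed, stores each capture, and keeps a hash-chained custody log so that a later reordering or alteration of any capture is detected. The collectors are constructed stand-ins; on a live host each would wrap the real capture command for that stage.

```python
import hashlib, json, tempfile, time
from pathlib import Path
# The page's order of volatility: capture what can vanish first, first.
VOLATILITY_ORDER = ["network_connections", "running_processes", "ram",
                    "system_settings", "hard_disk"]

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()
def collect_in_order(collectors, evidence_dir):
    """Run collectors most-volatile-first; store each output and a hash-chained custody log."""
    out = Path(evidence_dir)
    out.mkdir(parents=True, exist_ok=True)
    log, prev = [], "0" * 64
    for stage in [s for s in VOLATILITY_ORDER if s in collectors]:  # skip stages not applicable
        data = collectors[stage]()
        path = out / (stage + ".bin")
        path.write_bytes(data)
        entry = {"stage": stage, "path": str(path), "sha256": sha256_bytes(data), "prev": prev,
                 "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
        entry["entry_hash"] = sha256_bytes(json.dumps(entry, sort_keys=True).encode())
        prev = entry["entry_hash"]  # each entry commits to the one before it
        log.append(entry)
    (out / "custody_log.json").write_text(json.dumps(log, indent=2))
    return log
def verify_log(log):
    """Recheck stage order, chain links and stored-file hashes; False on any change."""
    prev, last_idx = "0" * 64, -1
    for entry in log:
        idx = VOLATILITY_ORDER.index(entry["stage"])
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if idx <= last_idx or entry["prev"] != prev:
            return False
        if sha256_bytes(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        if sha256_bytes(Path(entry["path"]).read_bytes()) != entry["sha256"]:
            return False
        prev, last_idx = entry["entry_hash"], idx
    return True
def sample_collectors():
    # Constructed stand-ins; on a live host each would run the real capture command.
    return {s: (lambda s=s: ("constructed %s capture\n" % s).encode()) for s in VOLATILITY_ORDER}
def run_demo():
    """Collect into a temp dir, verify, then show that reordering and file alteration are detected."""
    with tempfile.TemporaryDirectory() as d:
        log = collect_in_order(sample_collectors(), d)
        intact, reordered = verify_log(log), verify_log(list(reversed(log)))
        Path(log[2]["path"]).write_bytes(b"altered")  # simulate post-capture modification
        return {"stages": [e["stage"] for e in log], "intact": intact,
                "reorder_detected": not reordered, "tamper_detected": not verify_log(log)}
```

Calling run_demo() collects the five constructed stages in order, confirms the log verifies, and then shows that both a reversed log and an altered RAM capture fail verification.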
Next, if the seized machine is still running, once you have finished your live analysis you must carefully and cautiously power down the machine in the way that poses the least threat to the data currently in memory as well as on the hard disk. The one problem with powering down a machine is that you could unintentionally trigger malicious scripts that destroy the data on the hard drive.
The last thing you need to do before taking the seized machine to the lab is to duplicate the electronic media, a process known as imaging. To create a hard drive image you use either a hard-drive duplicator or software imaging tools like Norton Ghost (www.symantec.org), which duplicate every last byte stored on that hard drive onto a new hard drive.
Once all of that is done you can then take the seized machine back to the lab and you can start the main forensic tests.
Within computer systems there are three types of files: user-created files, user-protected files and system-created files, all of which need to be thoroughly inspected for evidence.
With user-created files, the main places to look for clues or evidence are any address books stored on the computer, for contacts that are oddly named or that appear on a list of suspect names. You can also check any emails stored on the computer for anything important. Especially in paedophilia cases, searching through audio/video files as well as any graphics is always an obvious place to look. You also need to check any spreadsheets, databases, internet bookmarks, etc.
Users now have the opportunity to hide evidence in a variety of forms. For example, they will more than likely password-protect or encrypt important files, but more importantly they may also conceal files on a hard disk or within other files, as well as deliberately hiding incriminating files under inconspicuous filenames. Other ways they may try to conceal files are within compressed files, misnamed/renamed files and hidden files, and through the art of steganography.
Computer forensic experts, as well as coders, have developed tools to help them crack passwords and encryption without a passkey and to search images for modification and steganography, while Windows itself is especially helpful by showing when a file was created, renamed and modified.
Then there are the computer-created files that log everything you do. These can be especially useful to a computer forensic examiner, because if any logs are deleted it will show up in the timeline, which indicates something suspect that needs to be investigated further.
So to conclude, computer forensics is a highly profitable trade, but it is also a very complex trade to go into: not only do you need detailed knowledge of the operating systems that you could come across, but you also need to be highly methodical and able to delve into great detail.
I realize that I have barely covered much in this article, but computer forensics is so vast that I could have written a one hundred page article and still only have scratched the surface. Below are a few links to help you with a few basic computer forensic tools like hex editors, undelete programs etc., as well as a few links for you to be able to make your own way in researching computer forensics.
References
1 www.porcupine.org/forensics/forensic-discovery/appendixB.html - order of volatility
Programs
Undelete programs
• Active@DELETE http://www.active-undelete.com
• Norton Utilities http://www.symantec.com
• Restorer 2000 http://www.bitmart.net
• Undelete http://www.execsoft.com
Executive Software, the makers of Undelete, also has a free Deleted File Analysis Utility, which basically examines your hard disk and shows you which deleted files may still be recoverable.
• X-Ways have a variety of computer forensic tools, both freeware and shareware at http://www.x-ways.net
Useful Links
Computer Forensics World Forum – http://www.computerforensicsworld.com
Forensics: Electronic Trail of Evidence – http://www.nhscpa.org/May2002News/fornsics.htm
The Original Computer Forensics Wiki – http://www.computer-forensics.safemode.org
Electronic Evidence Information Center – http://www.e-evidence.info
Forensic Focus – http://www.forensicfocus.com
Digital Forensic Research Workshop (DFRWS) – http://drfws.org
Computer forensics toolkit – http://computer-forensics.privacyresources.org