A Beginner's Guide to Computer Forensics

With the prevalent use of technology in today's society, a significant amount of data resides on people's computers. This information can be relevant to civil and criminal investigations. Computer forensics involves the collection, analysis, and reporting of digital data so that it can be used in an investigation. Computer forensics experts must understand how to extract this information in a way that makes it admissible as evidence in court.

Uses of Computer Forensics

Computer forensics has a variety of applications. Law enforcement uses computer forensics to examine computers when investigating crimes such as murder, kidnapping, and fraud. Investigators might examine emails, Internet browsing history, and files located on a computer to gather evidence. Companies also use computer forensics to investigate cases involving inappropriate use of company computers, system and network security, and internal issues such as intellectual property theft.

Computer Forensics Guidelines

For evidence to be admissible, investigators must follow guidelines carefully. No actions performed by investigators can change the data in any way. The investigator extracting data must have training to ensure competence. This professional must also be able to explain the process and the reasons for it in court, if applicable. Investigators must be able to document the processes performed. A third party must be able to examine this documentation and follow along to arrive at the same end result. One person on the forensics team must have the ultimate responsibility for the process, ensuring that the actions of all team members were in compliance with the law.

Stages of an Examination

A computer forensics examination includes six separate stages. The readiness stage involves training, testing, and verification of any applicable computer software or equipment; reviewing laws and potential issues, communicating with clients, and preparing a computer system for examination are also part of readiness. The evaluation stage involves receiving and clarifying instructions to ensure understanding, and assessing the potential risks involved with the examination. During the collection stage, experts extract and examine information from computers, either on site or in a forensic laboratory. Team members may also collect physical evidence if any is found, placing items into labeled plastic bags. The next stage is analysis of the evidence: team members must analyze, record, and repeat their analysis to ensure accuracy. During presentation, team members share their findings and address specifics connected to the purpose of the examination. The report must be written so that its readers, who often have limited technical knowledge, can understand the information; elaboration and explanation by team members may be necessary to help them understand the findings. The final review stage involves applying the information gathered. For example, a company engaging in computer forensics might use the information collected to make policy changes or to institute stronger network security.

Issues Facing Computer Forensics

Computer forensics teams might encounter a number of issues. Encrypted data on a computer might be impossible to access without a password; in this situation, a team may need to use special acquisition techniques. Examining large storage devices requires adequate processing power. With new developments in computer software and hardware, computer forensics must continually evolve to match new technology, and testing and experimentation may be necessary. Some people may use anti-forensics tactics to keep investigators from accessing data; encryption, overwriting data, modifying metadata, and disguising files are examples. Legal issues may also arise: a computer owner may devise a legal defense designed to distract from the findings. Various administrative issues could also affect how groups accept findings from a computer forensic investigation.

Computer Forensics Glossary

  • Hacking: Hacking involves a modification of a computer or a mobile device to change it from its original intent or purpose. A hacker might hack a system maliciously, or people might hack their own devices to change how they operate.
  • Metadata: Metadata is simply data about other data. Files may contain metadata, or this data could be located in a separate file elsewhere. Metadata usually includes the creation date of the data, its format, and its author.
  • Write Blocker: A write blocker can be either a software application or a special hardware device. The purpose of a write blocker is to protect data and prevent modifications or theft.
  • Bit Copy: Bit copy is the sequential copy of each binary digit located in a storage medium. Bit copy may even be invisible to the standard user.
  • RAM: RAM stands for random access memory. This type of memory is the temporary working memory of a computer or device. When a user turns off a device, anything left in RAM disappears.
  • Key-Logging: Key-logging involves the capture of a user’s information typed into a computer or device. Key-logging enables a remote user to capture passwords and other sensitive information.
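As an added example (not from the original guide), the verification step that makes a bit copy defensible under the guidelines above: the script images a constructed sample "device" byte for byte, hashes the source stream and the resulting image, and writes a custody record that a third party can re-run; any later change to the image is detected when the stored hash no longer matches. The sample device contents, the examiner name, and the record field names are assumptions.

```python
import hashlib
import io
import json
import time
# Constructed sample "device" contents (an assumption, not a real disk image);
# a real acquisition would read a write-blocked block device instead.
SAMPLE_DEVICE = b"BOOTSECTOR" + bytes(range(256)) * 4 + b"end-of-disk"
BLOCK_SIZE = 512  # read in fixed-size blocks, as an imaging tool would

def bit_copy(source, dest, block_size=BLOCK_SIZE):
    """Copy every byte of source to dest in order, hashing the stream as read.
    Returns (bytes_copied, sha256_hex) for the data read from the source."""
    digest = hashlib.sha256()
    copied = 0
    while True:
        block = source.read(block_size)
        if not block:
            break
        dest.write(block)
        digest.update(block)
        copied += len(block)
    return copied, digest.hexdigest()

def sha256_of(data):
    return hashlib.sha256(data).hexdigest()

def acquire(device_bytes, examiner):
    """Image the device and produce a custody record documenting the process."""
    source = io.BytesIO(device_bytes)
    image = io.BytesIO()
    size, source_hash = bit_copy(source, image)
    image_hash = sha256_of(image.getvalue())  # hash the copy independently
    record = {
        "examiner": examiner,  # assumed field names for the custody record
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "bytes": size,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,  # copy matches what was read
    }
    return image.getvalue(), record

def verify_image(image_bytes, record):
    """Re-hash an image against its custody record; False means it changed."""
    return sha256_of(image_bytes) == record["image_sha256"]

if __name__ == "__main__":
    image, record = acquire(SAMPLE_DEVICE, "examiner-1")
    print(json.dumps(record, indent=2))
```

Analysis is then performed on the verified image, never on the original medium, and the record's hashes are re-checked before and after each examination step.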

Miscellaneous Computer Forensics Resources

The Computer Forensics Challenge and Anti-Forensics Techniques (PDF): Explore some of the processes performed by computer forensics experts as they extract and collect data from a computer.