Introduction
Computer forensics refers to the process of collecting, analyzing and reporting on digital information in a way that is legally admissible. It is used to detect and prevent crime, and can also be used in disputes involving digital evidence. Computer forensics has examination stages comparable to those of other forensic disciplines and faces the same issues.
This guide
This guide is neutral in its approach to computer forensics. It is not intended to promote any company or product, and it is not linked to specific legislation. It is also not biased towards either law enforcement or commercial computer forensics. This guide is intended for non-technical audiences and gives a high-level overview of computer forensics. Although the term “computer” is used in this guide, the concepts can be applied to any device that can store digital information. The methods mentioned are not intended to be used as a guideline or a recommendation. Copying and publishing of this article is permitted only under the Creative Commons Attribution Non-Commercial 3.0 license.
Computer forensics
Computer forensics can be used in a variety of areas, including disputes and crime. Law enforcement agencies have used computer forensics extensively and have been its most prolific users. Computers can be considered a “scene of crime”, for example in hacking [1] or denial-of-service attacks [2], or they may contain evidence in the form of emails, internet history or documents that are relevant to crimes like murder, kidnapping, fraud, and drug trafficking. Investigators may be interested not only in the contents of emails, documents, and other files but also in the metadata [3] associated with these files. Computer forensic examinations can reveal the date and time a document first appeared on a computer. They may also reveal when it was last edited or saved.
Computer forensics has been used by commercial organizations in a number of cases, including:
Intellectual property theft
Industrial espionage
Employment disputes
Fraud investigations
Forgeries
Matrimonial problems
Bankruptcy investigations
Inappropriate email and internet use in the workplace
Compliance with regulations
Guidelines
Evidence must be reliable and not prejudicial in order to be admissible. This means that computer forensic examiners should keep the admissibility of evidence at the forefront of their minds at all times. The Association of Chief Police Officers Good Practice Guide to Computer Based Electronic Evidence, or the ACPO Guide, has been widely accepted as a guideline. The ACPO Guide is intended for United Kingdom law enforcement, but its core principles can be applied to any computer forensics under any legislature. Below are the four principles of this guide (with no reference to law enforcement):
1. Data stored on computers or storage media that could be relied upon in court should not be altered.
2. If a person finds it necessary to access original data stored on a computer or other storage media, they must be competent to do so and able to give evidence explaining the significance and implications of their actions.
3. An audit trail or other record of the processes applied should be kept. A third party should be able to examine those processes and produce the same result.
4. The person in charge of the investigation is responsible for ensuring that the law and these principles are followed.
Summary: No changes should be made to the original. However, if changes are necessary, the examiner must understand what they are doing and record their actions.
Live acquisition
Principle 2 may raise a question: in what circumstances would a computer forensic examiner make changes to the computer of a suspect? The examiner would normally make a copy of (or acquire) information from a device that is switched off. A write-blocker [4] is used to make an exact copy of the original storage media [5]. The examiner would then work from this copy, not from the original storage medium.
Sometimes, however, it may not be possible or desirable to turn a computer off. It may not be possible if switching the computer off would cause the owner significant financial or other losses. It may not be desirable if switching it off would cause valuable evidence to be lost. In these cases, the computer forensic examiner will need to perform a “live acquisition”, which involves running a small program on the suspect’s computer to copy (or acquire) the data to the examiner’s hard disk.
By running such a program and attaching a destination drive to the suspect’s computer, the examiner makes changes or additions to the computer’s state that were not there before. These actions remain admissible so long as the examiner records them, is aware of their effects and can explain them.
Stages for an Examination
The computer forensic examination process is divided into six stages for the purposes of this article. They are listed in chronological order, but it is important to be flexible during an examination. For example, during the analysis stage the examiner might find a new lead that warrants further computer examination, which would mean a return to the evaluation stage.
Readiness
Readiness is often overlooked, but it is an essential stage of the examination process. It can also include teaching clients about system readiness. For example, forensic examinations are more effective if the server’s built-in auditing or logging systems have been turned on. Examiners can benefit from prior organisation in many areas. These include training, regular testing and verification, dealing with unexpected issues (e.g. what to do if child pornography appears during a commercial job), and making sure that the on-site acquisition kit works properly.
Evaluation
The evaluation stage involves clear instructions, risk analysis, and the allocation of resources and roles. Law enforcement may use a risk analysis to determine the likelihood that a suspect will become a physical threat and how best to deal with it. Businesses must also be aware of health and safety issues, and their evaluation should consider reputational and financial risk when accepting a project.
Collection
The main part of the collection stage, acquisition, is described above. If acquisition is to take place on-site, this stage includes identifying, documenting and securing the scene. It usually also includes interviews or meetings with people who might have information that could be useful in the examination. These could include end users, managers and those responsible for providing computer services. This is where the ‘bagging’ and ‘tagging’ audit trail begins. Materials should be sealed in unique, tamper-evident bags. It is also important to transport the material safely and securely to the examiner’s laboratory.
Analysis
Each job is unique and the details of each case will affect how analysis is done. During analysis, the examiner will usually give feedback to the client. This dialogue can lead to a new path or to narrowing down to particular areas. Analysis must be thorough, objective, impartial, recorded, repeatable, and completed within the allocated time and resources. Computer forensic analysis can be done with many tools. We believe that an examiner should choose any tool they are comfortable with, as long as the choice can be justified. Computer forensic tools must perform their intended function, so examiners should regularly calibrate and test their tools before any analysis takes place. Double-tool verification is a way to confirm the integrity of results during analysis: if tool A finds artifact X at location Y, then tool B should reproduce these results.
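Double-tool verification as described above, sketched in Python as an added example (not part of the original guide, and not any real tool's export format): two constructed exports report artifact locations in different units, so the script normalises both to byte offsets before comparing. The CSV layouts, file names and 512-byte sector size are assumptions.

```python
import csv
import io

SECTOR_SIZE = 512  # assumed sector size for this example

# Constructed sample exports (not real tool output).
# Hypothetical tool A reports byte offsets in hex.
TOOL_A_CSV = """artifact,offset_hex
invoice.docx,0x1F400
chat.db,0x2A000
thumb.jpg,0x3C200
"""
# Hypothetical tool B reports sector numbers.
TOOL_B_CSV = """name,sector
invoice.docx,250
chat.db,336
notes.txt,900
thumb.jpg,482
"""

def load_tool_a(text):
    """Map artifact name -> byte offset from tool A's hex offsets."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["artifact"]: int(r["offset_hex"], 16) for r in rows}

def load_tool_b(text):
    """Map artifact name -> byte offset from tool B's sector numbers."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["name"]: int(r["sector"]) * SECTOR_SIZE for r in rows}

def cross_verify(a, b):
    """Classify every artifact seen by either tool."""
    report = {"confirmed": [], "conflict": [], "only_a": [], "only_b": []}
    for name in sorted(a.keys() | b.keys()):
        if name not in b:
            report["only_a"].append(name)      # tool B did not reproduce it
        elif name not in a:
            report["only_b"].append(name)      # tool A did not reproduce it
        elif a[name] == b[name]:
            report["confirmed"].append(name)   # same artifact, same location
        else:
            report["conflict"].append((name, a[name], b[name]))
    return report

if __name__ == "__main__":
    result = cross_verify(load_tool_a(TOOL_A_CSV), load_tool_b(TOOL_B_CSV))
    for status, items in result.items():
        print(f"{status}: {items}")
```

Anything outside the confirmed list is a finding the examiner needs to explain and record before relying on it in a report.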
Presentation
The examiner will usually produce a structured report of their findings. The report addresses all points raised in the instructions and any additional instructions, and includes any other information that the examiner considers necessary to the investigation. It must be written with the end user in mind. In many cases the reader will not be technical, so the terminology should reflect this. It is important that the examiner is available to attend meetings or phone conferences in order to discuss and expand on the report.
Review
Like the readiness stage, the review stage is often ignored or neglected. This is usually due to perceived costs, such as the cost of doing work that is not billable, or the desire to ‘get on with the next task’. A review stage incorporated into every examination can save money and improve quality, and it will make future examinations faster and more efficient. Reviewing an examination is easy and fast, and can be done during any one of the stages. The review may consist of a brief summary of the examination, including a description of what went wrong and how it can be fixed, and an evaluation of the results to see if they can be used in future examinations. It is also important to seek feedback from the instructing party. The lessons learned from this stage should then be applied to the next examination.