Computer forensics

Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media.

Computer forensics adheres to standards of evidence admissible in a court of law. Computer forensics experts investigate data storage devices (such as hard drives, USB drives, CD-ROMs, floppy disks, tape drives, etc.), identifying, preserving, and then analyzing sources of documentary or other digital evidence.

Electronic evidence considerations
Electronic evidence can be collected from a variety of sources. Within a company’s network, evidence will be found in any form of technology that can be used to transmit or store data. Evidence should be collected through three parts of an offender’s network: at the workstation of the offender, on the server accessed by the offender, and on the network that connects the two. Investigators can therefore use three different sources to confirm the data’s origin.

Like any other piece of evidence used in a case, the information generated as the result of a computer forensics investigation must follow the standards of admissible evidence. Special care must be taken when handling a suspect's files; dangers to the evidence include viruses, electromagnetic or mechanical damage, and even booby traps. There are a handful of cardinal rules that are used to ensure that the evidence is not destroyed or compromised:
 * 1) Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
 * 2) Handle the original evidence as little as possible to avoid changing the data.
 * 3) Establish and maintain the chain of custody.
 * 4) Document everything done.
 * 5) Never exceed personal knowledge.

In order to verify that a tool is forensically sound, the tool should be tested in a mock forensic examination to verify its performance. Government agencies such as the Defense Cyber Crime Institute accept requests to test specific digital forensic tools and methods for governmental agencies, law enforcement organizations, or vendors of digital forensic products at no cost to the requestor. If such steps are not followed, the original data may be changed, ruined or tainted, and any results generated will be challenged and may not hold up in a court of law. Other things to take into consideration are:
 * 1) The time that business operations are inconvenienced.
 * 2) How sensitive information which is unintentionally discovered will be handled.

In any investigation in which the owner of the digital evidence has not given consent to have his or her media examined, as in most criminal cases, special care must be taken to ensure that the forensic specialist has legal authority to seize, image, and examine each device. Besides having the case thrown out of court, the examiner may find him or herself on the wrong end of a hefty civil lawsuit. As a general rule, if you are not sure about a specific piece of media, do not examine it. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, and encryption keys and methodology. Forensic analysis is much easier when analysts have the user's passphrases to access encrypted files, containers, and network servers.

Incident Response
The suspect computer and related devices are first identified and prepared for forensic analysis. In a corporate environment, this usually means locating the perpetrator's computer workstation and collecting forensic images of the hard drive and any related media. If it is preferable that an employee not be conspicuously singled out as a suspect, the computer itself might be left in place after imaging. A police investigation requires serving a search warrant and seizing any suspicious hardware and media.

Media Collection

The computer forensic team takes digital photographs of the area, and they search for removable storage devices (such as USB key drives, MP3 players or security tokens) and notes (concealed or in plain view) that may contain passwords or security instructions. Any recordable media, including music mixes, is secured. All printouts, disks, notes, and other physical evidence are collected for eventual laboratory analysis. The evidence is locked away securely, with limited access granted to authorized team members only.

Collecting Volatile Data
If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.

Several open source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and open or mounted encrypted files (containers) on the live computer system. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. Open source tools for PCs include the Knoppix and Helix live CDs. Commercial imaging tools include AccessData's Forensic Toolkit (FTK) and Guidance Software's EnCase.

The aforementioned open source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally, these tools can yield the login/password for recently accessed local email applications, including MS Outlook.
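The paragraphs above describe what to capture from a live machine but not how an examiner records it so that the capture itself is defensible. The script below is an added example, not code from the article or from any of the tools it names: it walks a fixed list of read-only commands in order of volatility (process table and sockets first, kernel identity last), saves each output, and logs the exact command, the SHA-256 of its output, the host, the examiner and timestamps. It assumes a Linux host with GNU coreutils (sha256sum, date, id); ss, netstat, ip and ps are optional and are logged as skipped when absent. The output directory is a placeholder chosen by the caller.

```shell
#!/bin/sh
# Added example (not from the article): collect volatile state from a live
# Linux host in order of volatility, recording every command run and the
# SHA-256 of its output so the collection can be documented and re-verified.
# Assumes GNU coreutils; network and process tools are skipped when absent.

# collect_volatile OUTDIR
collect_volatile() {
    out=$1
    mkdir -p "$out" || return 1
    log=$out/collection.log
    echo "started $(date -u +%Y-%m-%dT%H:%M:%SZ) host=$(uname -n) examiner=$(id -un)" >> "$log"
    # Most volatile first: processes and sockets change by the second, routes,
    # mounts and logged-in users more slowly, kernel identity not at all.
    for spec in \
        "processes:ps -ef" \
        "sockets_ss:ss -tulpan" \
        "sockets_netstat:netstat -tulpan" \
        "arp_cache:ip neigh" \
        "routes:ip route" \
        "mounts:cat /proc/mounts" \
        "logged_in:who" \
        "uptime:uptime" \
        "kernel:uname -a"
    do
        name=${spec%%:*}
        cmd=${spec#*:}
        tool=${cmd%% *}
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "skip $name: $tool not found" >> "$log"
            continue
        fi
        # Word splitting of $cmd is intended: it is the argv of the tool.
        $cmd > "$out/$name.txt" 2>> "$log" || echo "warn $name: exit $?" >> "$log"
        echo "$name sha256=$(sha256sum "$out/$name.txt" | cut -d' ' -f1) cmd=\"$cmd\"" >> "$log"
    done
    echo "finished $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
}

# count_collected OUTDIR -- number of artefacts that were captured and hashed
count_collected() {
    grep -c ' sha256=' "$1/collection.log"
}

# Usage: run as root from removable media before powering the host down;
# the target directory is a placeholder.
# collect_volatile /mnt/evidence/volatile-$(uname -n)
```

Every command is read-only and its output is hashed at capture time, so a later reviewer can confirm that none of the saved files changed after collection; the skip and warn lines go in the same log, because documenting what could not be collected is part of "document everything done".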

In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Windows Vista's BitLocker volume encryption and its use of the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes while the computer is still running, before it is shut down.

RAM can sometimes be analyzed for prior content after power loss, although as production methods become cleaner, the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. Data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases with the originally applied voltage, the operating temperature and the duration for which the data was stored. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

Imaging electronic media (evidence)
The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as dcfldd or IXimager, the entire hard drive is duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. The original drive is then moved to secure storage to prevent tampering. During imaging, a write-protection device (write blocker) or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.

The imaging process is verified by hashing: a message digest of the original media and of the image is computed with an algorithm such as SHA-1 (using a program such as sha1sum) or MD5, and the two are compared. MD5 and SHA-1 are no longer collision resistant, so examiners now record SHA-256 alongside or instead of them. At critical points throughout the analysis, the media is hashed again to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are often skipped because of the time required to perform them. They are essential for evidence that is to be presented in a court room, however.
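The imaging and hashing procedure described above, as an added example that is not the article's or any vendor's code. It assumes GNU coreutils (dd, sha256sum, cmp) and uses SHA-256 rather than the SHA-1/MD5 the article mentions. SRC would normally be a block device behind a hardware write blocker, such as /dev/sdb; here a constructed file stands in for it, and the image and log paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): sector-level imaging with hash
# verification before, during and after, and re-verification at checkpoints.
# Assumes GNU coreutils. The "device" below is a constructed file.

# image_and_verify SRC IMAGE LOG
#   1. hash the source before anything else touches it
#   2. bit-stream copy with dd: 512-byte sectors; noerror keeps reading past
#      unreadable sectors and sync zero-pads them so later offsets stay aligned
#   3. hash the image, re-hash the source, log all three, compare
image_and_verify() {
    src=$1 img=$2 log=$3
    pre=$(sha256sum "$src" | cut -d' ' -f1) || return 1
    # dd's "records in/out" summary goes to the log as part of the record
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>> "$log" || return 1
    imghash=$(sha256sum "$img" | cut -d' ' -f1)
    post=$(sha256sum "$src" | cut -d' ' -f1)
    {
        echo "imaged $(date -u +%Y-%m-%dT%H:%M:%SZ) examiner=$(id -un)"
        echo "source=$src image=$img"
        echo "sha256 source-before=$pre"
        echo "sha256 image=$imghash"
        echo "sha256 source-after=$post"
    } >> "$log"
    if [ "$pre" = "$imghash" ] && [ "$pre" = "$post" ]; then
        echo "VERIFIED $img" >> "$log"
        return 0
    fi
    # A zero-padded bad sector, or a write to the source during imaging,
    # shows up here rather than under cross-examination.
    echo "MISMATCH $img" >> "$log"
    return 1
}

# reverify IMAGE EXPECTED_SHA256 -- run at checkpoints during analysis
reverify() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Constructed demo evidence: four zeroed sectors with a little text at offset 0.
WORK=$(mktemp -d)
dd if=/dev/zero of="$WORK/evidence.raw" bs=512 count=4 2>/dev/null
printf 'suspect notes' | dd of="$WORK/evidence.raw" conv=notrunc 2>/dev/null
image_and_verify "$WORK/evidence.raw" "$WORK/evidence.dd" "$WORK/imaging.log"
cat "$WORK/imaging.log"
```

Hashing the source both before and after the copy is what shows the write blocker did its job; if the source changes between the two reads, the image cannot be presented as a copy of the original, whatever the image hash says.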

Forensic Analysis
All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include AccessData's FTK, Guidance Software's EnCase, and Brian Carrier's The Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information.

Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.
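One of the analysis steps listed above, keyword searching, can be run directly against the raw image without mounting it, which also finds hits in unallocated space and slack that a filesystem view would hide. The script below is an added example, not code from the article or from any of the tools it names: it reports the byte offset and sector of each literal match and a printable view of the surrounding bytes. It assumes GNU grep (the -b and -o combination prints the offset of each match) and GNU coreutils; the image is a constructed file with a keyword planted at a known sector.

```shell
#!/bin/sh
# Added example (not from the article): keyword search over a raw disk image,
# reporting byte offset, 512-byte sector and a printable context window.
# Assumes GNU grep and coreutils. The image below is constructed.

# keyword_offsets IMAGE KEYWORD -- one byte offset per literal match
#   -a treat the binary image as text, -F literal match, -o one match per
#   line, -b prefix each match with its byte offset; LC_ALL=C keeps byte
#   semantics so offsets are not skewed by multibyte decoding.
keyword_offsets() {
    LC_ALL=C grep -obaF -- "$2" "$1" | cut -d: -f1
}

# offset_to_sector OFFSET [SECTOR_SIZE] -- sector that holds the hit (default 512)
offset_to_sector() {
    echo $(( $1 / ${2:-512} ))
}

# report_hits IMAGE KEYWORD -- one report line per hit with 48 bytes of context
report_hits() {
    img=$1 kw=$2
    keyword_offsets "$img" "$kw" | while read -r off; do
        sec=$(offset_to_sector "$off")
        # read the context window straight from the image; non-printable
        # bytes (including the zero fill) are shown as dots
        ctx=$(dd if="$img" bs=1 skip="$off" count=48 2>/dev/null | tr -c '[:print:]' '.')
        echo "offset=$off sector=$sec context=$ctx"
    done
}

# Constructed demo image: 8 zeroed sectors with text planted at offset 1546
# (sector 3, byte 10 within it), well away from any filesystem structure.
WORK=$(mktemp -d)
IMG=$WORK/demo.dd
dd if=/dev/zero of="$IMG" bs=512 count=8 2>/dev/null
printf 'Dock 9, 0300, bring the key' | dd of="$IMG" bs=1 seek=1546 conv=notrunc 2>/dev/null
report_hits "$IMG" "Dock"
```

The sector number is what lets the examiner go back to the image with a hex viewer or a filesystem tool and determine whether the hit lies in an allocated file, in slack or in unallocated space; a keyword in a deleted file is still evidence, but its provenance is argued differently.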

Examples of computer forensics
Computer forensics has supplied important evidence that helped indict a murderer and narrowed the search for a missing person.

Chandra Levy
Chandra Levy was a Washington, D.C. intern who disappeared on April 30, 2001. She had used the web and e-mail to make travel arrangements and communicate with her parents. Information found on her computer led police to search most of Rock Creek Park, where her body was eventually found one year later by a man walking his dog.

BTK Killer
Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest.

Comparison to Physical Forensics
There are many core differences between computer forensics and "physical forensics." At the highest level, the physical forensic sciences focus on identification and individualization. Both of these processes compare an item from a crime scene with other substances to identify the class of the item (e.g. is the red liquid fruit juice or blood?) or the source of the item (e.g. did this blood come from person X?). Computer forensics, on the other hand, focuses on finding the evidence and analyzing it. It is therefore more analogous to a physical crime scene investigation than to the physical forensic processes.

Related Journals

 * Journal of Digital Investigation
 * International Journal of Digital Evidence
 * International Journal of Forensic Computer Science
 * Journal of Digital Forensic Practice
 * Cryptologia
 * Small Scale Digital Device Forensic Journal
