Computer forensics is a branch of forensic science concerned with discovering legal evidence in computers and digital storage media. Its purpose is to identify, recover, preserve, analyze and present the facts gathered by examining digital media. It uses techniques similar to data recovery, but with additional practices and guidelines.
Computer forensics is often associated with computer crime investigation, but it is also used in investigating crimes such as fraud, child pornography, rape, murder and cyber-stalking, and it can be used in civil proceedings as well. The discipline has been used since the 1980s to find evidence in criminal cases. It is considered reliable, and many European and US courts accept evidence gathered using computer forensics.
Investigations that involve computer forensics follow a standard process of acquisition, analysis and reporting.
Computer Forensics Techniques
Forensic techniques are used to determine the state of a computer system, electronic documents (JPEG images or email messages), and storage media (CDs or hard disks). The analysis may only cover information retrieval, but it can also go deeper and help reconstruct a series of events.
Computer forensics investigations involve several techniques:
- Live analysis examines a computer from within its running operating system, using existing sysadmin tools or custom forensic tools, in order to find evidence.
- Cross-drive analysis correlates data found on several hard drives. The technique is still being studied, but it is considered quite reliable for detecting anomalies and identifying social networks.
- The “deleted files” technique is commonly used in data recovery: most file systems and operating systems do not erase the physical file data when a file is deleted, which allows the data to be reconstructed.
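The deleted-files point above, shown as an added example that is not code from the original page: a constructed toy disk image in which deleting a file only removes its directory entry, after which the JPEG payload is still recoverable by signature carving and can be hashed so its integrity can be verified later. The block layout and sample bytes are invented for this demonstration.

```python
import hashlib

# Constructed toy disk image: a directory table plus a data area of
# fixed-size blocks. Layout and sample bytes are invented for this demo.
BLOCK = 16
DATA_BLOCKS = 8

# Minimal JPEG-like payload: SOI marker ... EOI marker (constructed).
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"

def make_image():
    """Directory entries are (name, start_block, length); data is raw bytes."""
    data = bytearray(BLOCK * DATA_BLOCKS)
    data[BLOCK * 2:BLOCK * 2 + len(JPEG_BYTES)] = JPEG_BYTES
    directory = [("photo.jpg", 2, len(JPEG_BYTES))]
    return directory, data

def read_file(directory, data, name):
    """Normal read: only works while the directory entry exists."""
    for entry_name, start, length in directory:
        if entry_name == name:
            return bytes(data[BLOCK * start:BLOCK * start + length])
    return None

def delete_file(directory, name):
    """Typical deletion: drop the directory entry, leave data blocks untouched."""
    directory[:] = [e for e in directory if e[0] != name]

def carve_jpegs(data):
    """Signature carving: find SOI..EOI spans regardless of directory state."""
    found, pos = [], 0
    while True:
        start = data.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = data.find(b"\xff\xd9", start)
        if end < 0:
            break
        found.append(bytes(data[start:end + 2]))
        pos = end + 2
    return found

def evidence_hash(blob):
    """SHA-256 of a recovered artifact, recorded so later copies can be verified."""
    return hashlib.sha256(blob).hexdigest()

def demo():
    """Delete the file, show the normal read fails, then carve it back."""
    directory, data = make_image()
    delete_file(directory, "photo.jpg")
    return read_file(directory, data, "photo.jpg"), carve_jpegs(data)
```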
Computer Forensics Tools
Various tools are used in forensic investigations. The analysis usually involves reviewing the registry for suspect data, cracking passwords, extracting pictures and e-mails, and sometimes running keyword searches for anything related to the crime. Some of the tools used in computer forensics are: Digital Forensics Framework, EnCase, SIFT (SANS Investigative Forensics Toolkit), The Sleuth Kit, Open Computer Forensics Architecture, The Coroner’s Toolkit, Forensic Assistant, PTK Forensics, X-Ways Forensics and OSForensics.
To be acceptable in court, information gathered using computer forensics must be authentic, admissible and reliably obtained. Specific guidelines vary depending on the country and its evidence recovery practices.
Computer forensics has been used in numerous high profile cases. Notable cases include:
- Dennis Rader (the “BTK Killer”) used floppy disks to send letters to the police. Metadata showed that the author was “Dennis” at Christ Lutheran Church, which helped the police identify and find Rader.
- Robert F. Glass, who killed Sharon Lopatka in North Carolina in 1996, was traced through e-mail messages found on her computer.
- In the case of Joseph E. Duncan, a serial killer, computer forensics was used to recover a spreadsheet containing evidence of his plans to commit crimes.
Comparative review of:
- Computer Forensics: Incident Response Essentials
- Computer Forensics and Privacy
- Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
- Handbook of Computer Crime Investigation: Forensics Tools and Technology
Presentation on using computer forensics techniques on web-based e-mail.
Personal Digital Assistants (PDAs) are a relatively recent phenomenon, not usually covered in classical computer forensics. This guide attempts to bridge that gap by providing an in-depth look into PDAs and explaining the technologies involved and their relationship to forensic procedures. It covers three families of devices – Pocket PC, Palm OS, and Linux-based PDAs – and the characteristics of their associated operating system. This guide also discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital information present on PDAs, as well as available forensic software tools that support those activities.
This handbook targets a critical training gap in the fields of information security, computer forensics, and incident response. In today’s networked world, it is essential for system and network administrators to understand the fundamental areas and the major issues in computer forensics. Knowledgeable first responders apply good forensic practices to routine administrative procedures and alert verification, and know how routine actions can adversely affect the forensic value of data. This awareness will greatly enhance system and network administrators’ effectiveness when responding to security alerts and other routine matters. This capability is a crucial and an often overlooked element of defense-in-depth strategies for protecting the availability, integrity, and survivability of IT and network infrastructures. For instance, the step of collecting data from a live system is often skipped because of time constraints, lack of preparation, and the common practice of returning the corrupted live system to its original state by either a fresh software installation or a system reboot.
This article explains how to conduct a computer forensic investigation of a system in response to the suspicion, or actual occurrence, of an attack on that system. It discusses computer forensic analysis at different levels and provides information that is useful to a wide audience, including CIOs, DSOs, auditors, and system administrators.
This article helps organizations prepare systems for faster recovery and recommends ways of preserving evidence so that it can possibly be used in a prosecution. It describes a range of options for responding to a computer attack, including the ramifications of each option, and provides recommendations for determining the best course of action given the specific circumstances of the attack. It provides a list of tools that are useful for investigating attacks on Sun Solaris systems. Finally, the article walks readers through a step-by-step example of a computer forensic investigation.
The roots of computer forensics start with the first time a system administrator had to figure out how and what a hacker had done to gain unauthorized access to explore the system. This was mainly a matter of discovering the incursion, stopping the incursion if it was still in progress, hunting down the hacker to chastise him or her, and fixing the problem allowing the unauthorized access to begin with. In the beginning, the classic hackers breaking into computer systems were more interested in how things work than actually being malicious. So, collecting evidence for a hearing was not a process a system administrator needed to worry about. Just plug the hole, and often get back to personal hacking projects.
Overview of computer forensics techniques from Purdue University.
The concept of storing and processing information at incredible speeds and across vast distances has generated an environment where the mysteries of technology can propagate a clouded perception that leads to a lack of trust and market confidence. Data theft, industrial espionage, employee misconduct and intellectual property theft are among other computer security incidents that increasingly plague corporate organizations. Additionally, the vast majority of information in the workplace is now stored on PCs and servers, meaning that no internal investigation of any form should ignore computer evidence.
Law mandates the proper capture and analysis of computer evidence in any investigation where a computer is the means of a crime or may contain evidence relevant to a criminal or civil litigation matter. Computer forensics is commonly defined as the collection, preservation, analysis and presentation of computer-related evidence in a court of law.
Conducting web application forensics rests heavily on the assumption that all HTTP data is kept in log files and is easily accessible when needed. Sadly, many contemporary web and application servers do not handle HTTP communications logging properly, and those that do make it difficult to extract the data in a form that supports a proper investigation of a hacking attempt (or, even worse, a hacking attempt that succeeded).
Presentation on forensic evaluation of Cisco routers in response to DDoS and worm attacks.
The purpose of this document is to provide an introduction to the GNU/Linux (Linux) operating system as a forensic tool for computer crime investigators. There are better books written on the subject of Linux (by better qualified professionals), but my hope here is to provide a single document that allows a user to sit at the shell prompt (command prompt) for the first time and not be overwhelmed by a 700-page book.