Beginner's Guide to Computer Forensics



Introduction
Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.

About this guide
This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not written in favour of either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term "computer", but the concepts apply to any device capable of storing digital information. Where methodologies are mentioned they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons - Attribution Non-Commercial 3.0 license.

Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a 'scene of a crime', for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the 'meta-data' [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.

More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:

Intellectual Property theft
Industrial espionage
Employment disputes
Fraud investigations
Forgeries
Matrimonial issues
Bankruptcy investigations
Inappropriate email and internet use within the work place
Regulatory compliance

Guidelines
For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner's mind. One set of guidelines which has been widely accepted to help with this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever legislature. The four main principles from this guide are reproduced below (with references to law enforcement removed):

1. No action should change data held on a computer or storage media which may subsequently be relied upon in court.

2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary, no changes should be made to the original; however, if access or changes are necessary, the examiner must know what they are doing and must record their actions.

Live acquisition
Principle 2 above may raise the question: in what situation would changes to a suspect's computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device which is turned off. A write-blocker [4] would be used to make an exact bit-for-bit copy [5] of the original data-storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.
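The following Python example is added to this guide and is not part of the original text; it shows, in miniature, what the write-blocked bit-for-bit acquisition just described and principles 1 and 3 above amount to in practice. The "medium" is a constructed byte string standing in for a disk, the ReadOnlyMedium class simulates a write-blocker by refusing writes, every block is copied in sequence (including a region the user would not normally see), and the audit trail records a SHA-256 hash of the source before and after acquisition and of the resulting image, so that an independent third party can re-run the hashing and obtain the same values. All names and sample data are assumptions for illustration.

```python
"""Bit-for-bit acquisition of a constructed storage medium, with hash
verification and an audit trail. Added example; not from the guide."""
import hashlib
from datetime import datetime, timezone

# Constructed sample medium (not a real disk): a visible file, a run of unused
# space, and a fragment of deleted content that a normal file listing hides.
SAMPLE_MEDIUM = (b"VISIBLE.TXT: meeting notes 2023\n" + b"\x00" * 1000
                 + b"deleted draft: transfer approved\n" + b"\x00" * 3000)


class ReadOnlyMedium:
    """Stands in for a device behind a write-blocker: reads succeed, writes fail."""

    def __init__(self, data):
        self._data = bytes(data)

    def read(self, offset=0, length=None):
        end = len(self._data) if length is None else offset + length
        return self._data[offset:end]

    def write(self, offset, data):
        raise PermissionError("write blocked: medium is read-only")

    def __len__(self):
        return len(self._data)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def log_entry(action, value):
    """One audit-trail record: when, what was done, and the resulting value."""
    return {"time": datetime.now(timezone.utc).isoformat(),
            "action": action, "value": value}


def acquire(medium, audit, block_size=512):
    """Copy every block of the medium in order, logging hashes before and after."""
    audit.append(log_entry("hash source before acquisition",
                           sha256_hex(medium.read())))
    image = bytearray()
    for offset in range(0, len(medium), block_size):
        image += medium.read(offset, block_size)
    image = bytes(image)
    audit.append(log_entry("hash image", sha256_hex(image)))
    audit.append(log_entry("hash source after acquisition",
                           sha256_hex(medium.read())))
    return image


def verify(medium, image, audit):
    """Principles 1 and 3: the source is unchanged and the image matches it.
    Anyone holding the medium, the image and the audit trail can repeat this."""
    before = next(e["value"] for e in audit
                  if e["action"] == "hash source before acquisition")
    after = sha256_hex(medium.read())
    return before == after == sha256_hex(image)


if __name__ == "__main__":
    trail = []
    device = ReadOnlyMedium(SAMPLE_MEDIUM)
    disk_image = acquire(device, trail)
    print("image verified:", verify(device, disk_image, trail))
    for entry in trail:
        print(entry["time"], entry["action"], entry["value"][:16] + "...")
```

Note that the deleted fragment is present in the image even though no file listing would show it, which is what the glossary means by a bit copy including areas 'invisible' to the user; and that verify() fails for any image that differs from the source by even one byte.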

However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence may be lost. In both these circumstances the computer forensic examiner would need to carry out a 'live acquisition', which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner's hard drive.

By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain their actions.

Stages of an examination
For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.

Readiness
Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer's built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if indecent images of children are found during a commercial job) and ensuring that your on-site acquisition kit is complete and in working order.

Evaluation
The evaluation stage includes the receiving of clear instructions, risk analysis and allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect's property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover reputational and financial risks on accepting a particular project.

Collection
The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. The 'bagging and tagging' audit trail would start here by sealing any materials in unique tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner's laboratory.

Analysis
Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. There are myriad tools available for computer forensics analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is for them to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis (if with tool 'A' the examiner finds artefact 'X' at location 'Y', then tool 'B' should replicate these results).
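As an added illustration of dual-tool verification (this code is not from the guide), here are two independently written keyword searches run over a constructed image and cross-checked against each other. The two "tools", the image contents and the keywords are assumptions for the example. The point it makes is the one in the paragraph above: tool 'A' and tool 'B' must report the same artefact at the same location, and when they disagree the examiner has to find out why before relying on either. Here the disagreement is a real and common one, since regular-expression search engines report non-overlapping matches by default while a byte-by-byte scan reports every offset.

```python
"""Dual-tool verification: two independent keyword searches over the same
constructed image, with results cross-checked. Added example; not from the guide."""
import re

# Constructed image (not real evidence): filler bytes around two text fragments.
# "ABABA" contains the keyword "ABA" twice, at overlapping offsets.
IMAGE = (b"\x00" * 64 + b"transfer approved by ABABA\n" + b"\x00" * 32
         + b"ABABA end\n" + b"\xff" * 16)


def tool_a(image, keyword):
    """Tool A: sliding-window byte comparison; reports every offset, overlaps included."""
    n = len(keyword)
    return [i for i in range(len(image) - n + 1) if image[i:i + n] == keyword]


def tool_b(image, keyword):
    """Tool B: regular-expression search; re.finditer returns non-overlapping matches."""
    return [m.start() for m in re.finditer(re.escape(keyword), image)]


def tool_b_overlapping(image, keyword):
    """Tool B re-run with a zero-width lookahead so overlapping hits are also reported."""
    return [m.start() for m in re.finditer(b"(?=" + re.escape(keyword) + b")", image)]


def cross_check(image, keyword, first, second):
    """Compare two tools' findings; anything only one tool reports needs explaining."""
    a, b = set(first(image, keyword)), set(second(image, keyword))
    return {"agree": a == b,
            "only_first": sorted(a - b),
            "only_second": sorted(b - a)}


if __name__ == "__main__":
    for kw in (b"transfer", b"ABA"):
        print(kw, cross_check(IMAGE, kw, tool_a, tool_b))
    # After the discrepancy is understood, tool B is re-run with matching semantics.
    print(b"ABA", cross_check(IMAGE, b"ABA", tool_a, tool_b_overlapping))
```

For the keyword "transfer" both tools agree on a single hit at offset 64. For "ABA", tool A reports offsets 85, 87, 123 and 125 while tool B reports only 85 and 123; once the cause is identified (non-overlapping matching), tool B is re-run with a lookahead and the two agree. Recording that investigation in the audit trail is what makes the result defensible.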

Presentation
This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.

Review
Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need 'to get on with the next job'. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time effective. A review of an examination can be simple and quick, and can begin during any of the above stages. It may include a basic 'what went wrong and how can this be improved' and a 'what went well and how can it be incorporated into future examinations'. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.

Issues facing computer forensics
The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.

Technical issues

Encryption
Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer which the suspect has had access to. It could also reside in the volatile memory of a computer (known as RAM [6]), which is usually lost on computer shut-down; another reason to consider using live acquisition techniques as outlined above.

Increasing storage space
Storage media holds ever greater amounts of data, which for the examiner means that their analysis computers need to have sufficient processing power and available storage to efficiently deal with searching and analysing enormous amounts of data.

New technologies
Computing is an ever-changing area, with new hardware, software and operating systems being constantly produced. No single computer forensic examiner can be an expert on all areas, though they may frequently be expected to analyse something which they have not dealt with before. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect, as it is likely that someone else has already encountered the same issue.

Anti-forensics
Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files' meta-data and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience, it is very rare to see anti-forensics tools used correctly and consistently enough to totally obscure either their presence or the presence of the evidence they were used to hide.
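The guide notes that modified meta-data usually leaves its own traces. The Python below is an added example, not part of the guide, showing the kind of consistency check an examiner can run over file timestamps during analysis. The records are constructed (they come from no real filesystem image), the field names are assumptions, and the acquisition time is likewise invented. Each check is a lead rather than proof: a file copied from another disk legitimately has a modified time earlier than its created time, for instance, so every flag is something to explain, not a conclusion.

```python
"""Timestamp consistency heuristics over constructed file-metadata records.
Added example; not from the guide. Records, field names and the acquisition
time are all constructed for illustration."""
from datetime import datetime

# Assumed time at which the image was acquired (constructed value).
ACQUISITION_TIME = datetime.fromisoformat("2023-03-10T09:00:00")

# Constructed records: timestamps as a filesystem with sub-second precision
# would report them. None of these describe a real file.
RECORDS = [
    {"name": "report.docx", "created": "2023-03-01T09:00:00.123456",
     "modified": "2023-03-02T10:30:00.654321", "accessed": "2023-03-05T08:00:00.000111"},
    {"name": "invoice.pdf", "created": "2023-03-04T12:00:00.500000",
     "modified": "2023-02-20T12:00:00.250000", "accessed": "2023-03-04T12:01:00.300000"},
    {"name": "plan.xlsx", "created": "2021-01-01T00:00:00.000000",
     "modified": "2021-01-01T00:00:00.000000", "accessed": "2023-03-09T17:45:12.888888"},
    {"name": "future.txt", "created": "2023-03-11T09:00:00.100000",
     "modified": "2023-03-11T09:00:00.100000", "accessed": "2023-03-11T09:00:00.100000"},
]


def parse(record):
    """Convert the three ISO-8601 timestamp strings of a record to datetimes."""
    return {k: datetime.fromisoformat(record[k]) for k in ("created", "modified", "accessed")}


def check_record(record, acquisition_time=ACQUISITION_TIME):
    """Return the list of flags raised for one record; an empty list means nothing unusual."""
    t = parse(record)
    flags = []
    # Legitimate for copied files (creation = copy time, modification preserved),
    # so this is a lead to explain, not evidence of tampering on its own.
    if t["modified"] < t["created"]:
        flags.append("modified before created")
    if t["accessed"] < t["created"]:
        flags.append("accessed before created")
    # Nothing on a medium should post-date the moment it was imaged.
    if any(v > acquisition_time for v in t.values()):
        flags.append("timestamp after acquisition")
    # On a filesystem that records sub-second precision, created and modified
    # both landing on an exact second is unusual for ordinary file activity and
    # worth a second look; it remains a heuristic.
    if t["created"].microsecond == 0 and t["modified"].microsecond == 0:
        flags.append("whole-second created/modified")
    return flags


def triage(records, acquisition_time=ACQUISITION_TIME):
    """Map each flagged file name to its flags, skipping files with none."""
    result = {}
    for r in records:
        flags = check_record(r, acquisition_time)
        if flags:
            result[r["name"]] = flags
    return result


if __name__ == "__main__":
    for name, flags in triage(RECORDS).items():
        print(name, "->", ", ".join(flags))
```

Run as written, report.docx raises nothing, invoice.pdf is flagged for a modified time before its created time, plan.xlsx for whole-second timestamps, and future.txt for timestamps after the acquisition time; each would then be followed up against other sources such as application logs or the records of the other computers mentioned above.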

Legal issues
Legal arguments may confuse or distract from a computer examiner's findings. An example here would be the 'Trojan Defence'. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, which include key-logging [7], uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user's knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect's computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.

Administrative issues

Accepted standards
There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to a number of reasons, including standard-setting bodies being tied to particular legislation, standards being aimed either at law enforcement or at commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating.

Fitness to practise
In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.

Resources and further reading
There does not appear to be a great amount of material covering computer forensics which is aimed at a non-technical readership. However, the links at the bottom of this page may prove to be of interest:



Glossary
1. Hacking: modifying a computer in a way which was not originally intended in order to benefit the hacker's goals.
2. Denial of Service attack: an attempt to prevent legitimate users of a computer system from having access to that system's information or services.
3. Meta-data: at a basic level, meta-data is data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file's author, format, creation date and so on.
4. Write blocker: a hardware device or software application which prevents any data from being modified or added to the data-storage medium being examined.
5. Bit copy: 'bit' is a contraction of the term 'binary digit' and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a data-storage medium, which includes areas of the medium 'invisible' to the user.
6. RAM: Random Access Memory. RAM is a computer's temporary workspace and is volatile, which means its contents are lost when the computer is powered off.
7. Key-logging: the recording of keyboard input, giving the ability to read a user's typed passwords, emails and other confidential information.
