The Computer Forensics Process
What is computer forensics?
Computer forensics involves the preservation, identification, extraction, interpretation, and documentation of computer evidence. The field of computer forensics has different facets, and is not defined by one particular procedure. At a very basic level, computer forensics is the analysis of information contained within and created with computer systems, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved.
In many cases, the information gathered during a computer forensics examination is not readily available or viewable by the average computer user. This might include deleted files and fragments of data left in the unused portion of the space allocated to existing files, which computer forensics practitioners call “slack space”. Special skills and tools are necessary to obtain this type of information or evidence.
Typically, confirming or preventing a crime or violation through a computer forensics examination is a reactive measure to a circumstance. However, today, computer forensics examinations are often used pro-actively for the continuous monitoring of electronic media. In some cases, computer forensics is even used in a debriefing process for employees exiting a company.
Active, Archival, and Latent Data
In computer forensics, there are three types of data that we are concerned with – active, archival, and latent.
- Active Data is the information that we can actually see. This includes data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
- Archival Data is data that has been backed up and stored. This could mean backup tapes, CDs, floppies, or entire hard drives.
- Latent Data is the information that one typically needs specialized tools to access. An example of latent data would be information that has been deleted or partially overwritten.
A computer forensics examination could involve looking at all of these data types, depending on the circumstances. Obtaining latent data is by far the most time consuming and costly.
Computer forensics is all about obtaining the proof of a crime or breach of policy. It focuses on obtaining proof of illegal misuse of computers in a way that could lead to the prosecution of the culprit.
The primary phases in a computer forensics examination are:
- Initial discussion, by telephone, of suspicions and concerns about potential abuse
- Harvesting of all electronic data
- Identification of violations or areas of concern
- Protection of the proof
- Confirming qualified, verifiable evidence
- Delivery of a written report and comments of the examiner
If you think you may have a problem, it is best to act quickly, since computer evidence is volatile and can be readily destroyed. It is also better to know for certain than to risk possible consequences. If you are unfortunate enough to uncover a potential problem, it may be prudent to seek confidential advice from a Certified Computer Forensic Examiner before determining a solution. Handling this situation on your own is a risky strategy which may have far-reaching effects. If you are committed to using in-house staff, remember the basics of evidential integrity – and don’t be tempted to use shortcuts.
When carried out correctly, the forensic analysis of computer systems involved in abuse can provide valuable evidence which might otherwise have been lost or overlooked. Performed incorrectly, your evidence could give guilty parties the opportunity they need to get a case dismissed.
Steps in the Forensic Examination Process
Computer forensic examinations should always be conducted by a Certified Computer Forensic Examiner. They will use licensed equipment which prevents tainting of the evidence and ensures its validity in court. The steps involved in a computer forensics examination are briefly summarized below:
A chain of custody is established. The examiner knows at all times where every item related to the examination is located; a safe or locked cabinet is often used to secure items.
All relevant information is cataloged. This includes active, archival, and latent data. Information that has been deleted is recovered to whatever extent possible. Encrypted information and password-protected information is identified, as is anything that indicates attempts to hide or obfuscate data. The integrity of the original media is maintained to the highest extent possible, which means that the original source of information must not be altered. An exact copy of the hard drive is made as an image, and that image is authenticated against the original to confirm that it is indeed exact.
Additional sources of information are obtained as the circumstances dictate. This includes firewall logs, proxy server logs, Kerberos server logs, sign-in sheets, etc.
The information is analyzed and interpreted to determine possible evidence. Both exculpatory (they didn’t do it) and inculpatory (they did it) evidence is sought out. If appropriate, encrypted files and password protected files are cracked.
A written report will be submitted to the client with the examiner’s findings and comments.
If necessary, the examiner will provide expert witness testimony at a deposition, trial, or other legal proceeding.
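The chain-of-custody and image-authentication steps above, shown as an added example (not the page's own tooling): it hashes a source and its image in one pass, accepts the image only when size and both digests agree, and writes a custody record in a hypothetical JSON schema. The "drive" and images are constructed in a temporary directory; a real acquisition would read a write-blocked device.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep multi-GB images out of memory


def hash_file(path):
    """MD5 and SHA-256 of a file in one pass (two algorithms, as many labs record)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(original, image):
    """Authenticate an image against its source: sizes and both digests must agree."""
    src, img = hash_file(original), hash_file(image)
    same_size = os.path.getsize(original) == os.path.getsize(image)
    return {"authentic": same_size and src == img, "source": src, "image": img}


def custody_entry(item_id, action, custodian, location, hashes):
    """One chain-of-custody log record (hypothetical schema, serialized as JSON)."""
    return json.dumps({
        "item_id": item_id, "action": action, "custodian": custodian,
        "location": location, "sha256": hashes["sha256"],
        "timestamp": datetime.now(timezone.utc).isoformat(),
    })


def demo():
    """Constructed 1 MiB 'drive', one exact image and one image off by a single byte."""
    with tempfile.TemporaryDirectory() as d:
        src, good, bad = (os.path.join(d, n) for n in ("src.dd", "good.dd", "bad.dd"))
        data = bytes(range(256)) * 4096  # constructed sample data, not real evidence
        for path, payload in ((src, data), (good, data), (bad, data[:-1] + b"\x00")):
            with open(path, "wb") as f:
                f.write(payload)
        ok, tampered = verify_image(src, good), verify_image(src, bad)
        entry = custody_entry("EXHIBIT-01", "imaged", "examiner-A", "safe 2", ok["source"])
        return ok["authentic"], tampered["authentic"], json.loads(entry)


if __name__ == "__main__":
    print(demo())
```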
The information contained in this document covers the basics, and really doesn’t do full justice to all facets of computer forensics. However, you should now have a better understanding of what steps are involved in the process.
If you’re a professional with a computer forensics need, why not get answers and information from a live person? Please call us at (202) 360-4356 to schedule a free consultation. There’s no charge and no commitment.