What is Computer Forensics?
Technology is a daily part of our lives, making it more convenient. For the investigator, technology presents challenges as well as opportunities. Not only does a good computer forensics investigator need a pedigree of technical savvy in terms of certifications, background, skills, professional network and a substantial investment in hardware and software; he or she also needs to be well versed in identity theft and privacy laws. That said, the smoking gun and its evidence can usually be found in the suspect's emails, internet history, documents or other files relevant to the crime.
Brief Overview of Data Gathering and Commercial Use
Computer Forensics Investigators gather and preserve evidence from a computer device, using investigative and analytical techniques, for presentation in a court of law. They follow the chain of evidence, just as in a murder mystery, to find who was responsible. This set of procedures also isolates the devices in question, to make sure the storage media is not contaminated, whether intentionally or accidentally.
The original media is copied bit by bit, creating an identical digital "image" of the data while the original is kept in its unaltered condition; the investigation is then carried out on the digital copy. The investigators use a wide array of techniques and software to examine the copy, searching hidden folders and deleted, encrypted or damaged files. Evidence found is documented in an Investigative Report, and the findings are then verified against the original device.
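The imaging and verification step described above, as an added example that is not code from the original article: the source is read in fixed-size chunks and copied bit for bit, the stream is hashed with SHA-256 as it is read, and the finished image is independently re-hashed and compared against that acquisition hash. The "suspect drive" here is a constructed temporary file, and the byte-flip at the end shows how any later change to the image is detected.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so media larger than RAM can be imaged

def acquire_image(source_path, image_path):
    """Copy source to image bit for bit, hashing the stream as it is read.
    Returns the SHA-256 hex digest of everything read from the source."""
    source_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            source_hash.update(block)
            dst.write(block)
    return source_hash.hexdigest()

def hash_file(path):
    """Independent SHA-256 of a file on disk, used to verify the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_and_verify(source_path, image_path):
    """Image the source, then re-hash the finished image and compare.
    Returns (acquisition_hash, image_hash, verified)."""
    acquisition_hash = acquire_image(source_path, image_path)
    image_hash = hash_file(image_path)
    verified = (acquisition_hash == image_hash and
                os.path.getsize(source_path) == os.path.getsize(image_path))
    return acquisition_hash, image_hash, verified

def demo():
    """Constructed sample: a temporary file stands in for the suspect drive."""
    with tempfile.TemporaryDirectory() as workdir:
        drive = os.path.join(workdir, "suspect_drive.bin")
        image = os.path.join(workdir, "suspect_drive.dd")
        with open(drive, "wb") as f:
            f.write(os.urandom(2 * CHUNK + 4321))  # not a multiple of CHUNK
        acq, _image_hash, verified = acquire_and_verify(drive, image)
        # Flip one byte of the image after acquisition: the recorded hash no
        # longer matches, which is how later tampering or corruption is caught.
        with open(image, "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        still_matches = hash_file(image) == acq
        return verified, still_matches  # (True, False)
```

In practice the source is read through a hardware write blocker and both hashes are recorded in the acquisition log so the copy can be re-verified at any later stage of the case.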
Outside of law enforcement, Computer Forensics is used commercially to assist in a variety of circumstances such as:
- Intellectual Property theft
- Employment disputes
- Invoice fraud, often enabled by phishing emails
- Inappropriate email and internet use in the workplace
- Regulatory compliance
Issues Involved in Computer Forensics
- Encryption--encrypted data is impossible to view without the correct key or password. When encryption is present, the examiner may need to perform a 'live acquisition'. A live acquisition runs an application on the suspect computer to copy data to the examiner's repository, such as a USB drive, which makes changes to the original. Normally making any changes to the original is not forensic best practice, but it is often necessary in order to collect protected data. As long as the examiner can show that these actions were necessary and discloses their consequences for the evidence, it will still be admissible in a court of law.
- Increasing storage space--as the capacity of suspect media grows, analysis systems require sufficient processing power and available storage capacity to search the data efficiently.
- New technologies--with evolving technology in hardware, software and operating systems, no single examiner can be an expert in all of them. Therefore, it is crucial for computer forensic examiners to network and share knowledge with others in the field.
- Anti-forensics--the practice of attempting to thwart computer forensic analysis through encryption, over-writing data to make it unrecoverable, modifying files' metadata and file obfuscation (disguising files).
- Legislative domains--since data is often stored remotely in the 'cloud,' it may be in a different country and subject to conflicting laws and regulations, complicating legal acquisition and making it more expensive to collect.
- Legal arguments--legal issues can confuse or distract from a computer examiner's findings. One example of this is the 'Trojan Defense'. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, including key-logging, uploading and downloading files, and installing viruses.
A lawyer may be able to argue that actions on a computer were not carried out by a user, but instead automated by a Trojan without the user's knowledge. In such cases, a competent opposing lawyer supplied with evidence from a competent computer forensic analyst should be able to dismiss the argument. A good examiner will have identified and addressed possible arguments from the opposing counsel during the analysis and writing stages of their report.
This article has tried to give you a brief perspective of what computer forensics examiners do, how they gather and use the data, and some of the issues involved. For more information and definitions, please see Forensic Control. Computer Forensics examiners can be part of an attorney's arsenal in gathering evidence to present in court. Do you have your go-to investigator, and is his or her expertise court worthy?