In this paper, I am going to show the steps for obtaining information from a computer and also discuss the chain of custody when transporting a computer as forensic evidence.
Computer forensics involves preservation, identification, extraction and interpretation of the documentation of any and all computer evidence. There are many different levels to the field of computer science.
At a very basic level, computer forensics is the analysis of information contained within and created with computer systems, typically figuring out what happened, when it happened, how it happened and who was involved.
In many cases, the information gathered during a computer forensics investigation is not readily available or viewable by the average user. This might include items like deleted files and fragments of data that can be found in the space allocated for existing files, which is known by computer forensic practitioners as “slack space”. Special skills and tools are necessary to be able to obtain this type of information or evidence.
Typically, confirming or preventing a crime or violation through computer forensics examination is a reactive measure to a circumstance. However, today, computer forensic examinations are often used proactively for the continuous monitoring of electronic media. In some cases, computer forensics is even used in a debriefing process for employees exiting a company.
There are three types of data that a computer forensic examiner is interested in.
- Active Data is the information that we can actually see. This includes data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
- Archival Data is data that has been backed up and stored. This could mean backup tapes, CDs, floppies, or entire hard drives.
- Latent Data is the information that one typically needs specialized tools to access. An example of latent data would be information that has been deleted or partially overwritten.
Computer forensics is all about obtaining proof of a crime or breach of policy. It focuses on obtaining proof of illegal misuse of computers in a way that could lead to the prosecution of the misuser.
The primary phases of a computer forensics examination are:
- Discussion of suspicion and concerns of potential abuse
- Harvesting of all electronic data
- Identification of violations or concern
- Protection of the proof
- Confirming qualified, verifiable evidence
- Delivery of a written report and comments of the examiner
Computer forensic investigations should always be conducted by a Certified Computer Forensic Examiner. They will use licensed equipment which prevents tainting of the evidence and ensures its validity in court. The steps involved for a computing investigation are summarized below:
I) A chain of custody is to be established. The examiner makes sure they are aware at all times where any items related to the investigation are located. A safe or cabinet is often used to secure items.
II) All relevant information is cataloged. This includes active, archival, and latent data. Information that has been deleted will be recovered to whatever extent possible. Encrypted information and information that is password-protected is identified, as well as anything that indicates attempts to hide or obfuscate data. The integrity of the original media is maintained to the highest extent possible, which means that the original source of information should not be altered. An exact copy of a hard drive image is made and that image is authenticated against the original to make sure that it is indeed exact.
III) Additional sources of information are obtained as the circumstances dictate. This includes firewall logs, proxy server logs, Kerberos server logs, sign-in sheets, etc.
IV) The information is analyzed and interpreted to determine possible evidence. Both exculpatory (they didn’t do it) and inculpatory (they did do it) evidence is sought out. If appropriate, encrypted files and password protected files are cracked.
V) A written report will be submitted to the client with the investigator’s findings and comments.
VI) If necessary, the investigator will provide expert witness testimony at a deposition, trial, or other legal proceeding. (Casey, 2004).
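Steps I and II above (keeping a chain of custody and authenticating the image against the original) can be illustrated with the following added example, which is not part of the original paper. It assumes SHA-256 as the digest, and the file names, handler, item label and timestamps are constructed for illustration.

```python
import hashlib, json, tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream a file or raw device through SHA-256 in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(original, image):
    """Authenticate the copy: the image is exact only if both digests match."""
    a, b = sha256_file(original), sha256_file(image)
    return a == b, a, b

def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, when, handler, action, item, digest):
    """Append a custody record chained to the previous one by its hash."""
    entry = {"when": when, "handler": handler, "action": action,
             "item": item, "sha256": digest,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)

def custody_log_intact(log):
    """Recompute every link; an edited or removed record breaks the chain."""
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or _entry_hash(e) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def demo():
    """Constructed sample: a 16 KiB stand-in for the original media and its image."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        orig, img = Path(d, "original.bin"), Path(d, "image.dd")
        for p in (orig, img):
            p.write_bytes(bytes(range(256)) * 64)
        ok, digest, _ = verify_image(orig, img)
        add_custody_entry(log, "2024-01-01T10:00Z", "Examiner A", "imaged", "HDD-01", digest)
        add_custody_entry(log, "2024-01-01T11:30Z", "Examiner A", "stored in safe", "HDD-01", digest)
        img.write_bytes(b"\xff" + img.read_bytes()[1:])  # one altered byte in the copy
        changed_ok = verify_image(orig, img)[0]
    return ok, changed_ok, log
```

In practice the original media would be read through a write blocker so that hashing it cannot alter it.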
The information contained in this document covers the basics, and really doesn’t do full justice to all facets of computer forensics. However, you should now have a better understanding of what steps are involved in the process.
Time is of the essence when it comes to retrieving critical electronic data.
If the computer in question happens to be a personal model or laptop computer, it is imperative that the machine be cordoned off from the potential perpetrator. While it is preferable to keep the machine powered on, it is just as important to keep the accused from deleting or erasing any material from his or her hard drive. Computer forensic science investigators should recover as much material as possible before removing the computer from the scene.
If the computer happens to be networked with other computers across a network, even if they are in the same building, the same measures described above should be applied. The computer should be disconnected from the network as soon as possible to dissuade anyone from altering material on the computer that may be used for evidence at a later date. As mentioned earlier, modern computer software may help with recovering vital information from the implicated person and machine. (Kruse, 2002).
Once the machine in question has been located and secured, the first step should be a thorough photographic survey of the computer as it was found. At the same time, the computer system should be secured to ensure that the equipment and data are safe. This means the detectives must make sure that no unauthorized individual can access the computers or storage devices involved in the search. If the computer system connects to the Internet, detectives must sever the connection. (Noblett, 2000).
The computer forensic science experts should be extra careful to document every step of their investigation, along with whatever was discovered. It’s important for detectives to provide proof that their investigations preserved all the information on the computer system without changing or damaging it. Years can pass between an investigation and a trial, and without proper documentation, evidence may not be admissible. Officials report that the collected documentation should include not only all the files and data recovered from the system, but also a report on the system’s physical layout and whether any files had encryption or were otherwise hidden. (Noblett, 2000).
Obviously, performing a thorough investigation is futile if the appropriate documentation is not secured. All of the obtained data should be accurate and protected in its own right to keep the criminals from avoiding prosecution and returning any valuable information from any victims. A group of investigators surely does not want to let a deviant go free just because they were sloppy with their investigation! It is therefore critical that the examiners be properly trained to avoid any missteps along the way to finding out the truth and bringing the perpetrators to justice.
Casey, E. (2004) Digital Evidence and Computer Crime, Second Edition. Elsevier.
Kruse, W. (2002) Computer forensics: incident response essentials. Addison-Wesley. pp. 392.
Noblett, M. (2000) “Recovering and examining computer forensic evidence”. http://bartholomewmorgan.com/resources/RecoveringComputerEvidence.doc. Last accessed August 5, 2011.
Phillip, A. (2009) Hacking Exposed: Computer Forensics. McGraw Hill.