Computer Forensics Fundamentals

WHAT IS COMPUTER FORENSICS?

Computer forensics is the process of methodically examining computer media (hard disks, diskettes,
tapes, etc.) for evidence. In other words, computer forensics is the collection, preservation, analysis,
and presentation of computer-related evidence.
Computer forensics also referred to as computer forensic analysis, electronic discovery, electronic
evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and
computer examination.
Computer evidence can be useful in criminal cases, civil disputes, and human resources/
employment proceedings.

USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT

Computer forensics assists in Law Enforcement. This can include:

Recovering deleted files such as documents, graphics, and photos.

Searching unallocated space on the hard drive, places where an abundance of data often resides.
Tracing artifacts, those tidbits of data left behind by the operating system. Our experts know how to
find these artifacts and, more importantly, they know how to evaluate the value of the information
they find.
Processing hidden files files that are not visible or accessible to the user that contain past
usage information. Often, this process requires reconstructing and analyzing the date codes for each
file and determining when each file was created, last modified, last accessed and when deleted.
Running a string-search for e-mail, when no e-mail client is obvious.

COMPUTER FORENSICS ASSISTANCE TO HUMAN RESOURCES/EMPLOYMENT PROCEEDINGS ***

Computers can contain evidence in many types of human resources proceedings, including sexual
harassment suits, allegations of discrimination, and wrongful termination claims.

Evidence can be found in electronic mail systems, on network servers, and on individual employees
computers.

COMPUTER FORENSICS UNIT I PART I 1

EMPLOYER SAFEGUARD PROGRAM

Employers must safeguard critical business information. An unfortunate concern today is the possibility
that data could be damaged, destroyed, or misappropriated by a discontented individual.

Before an individual is informed of their termination, a computer forensic specialist should come on-site
and create an exact duplicate of the data on the individuals computer. In this way, should the employee
choose to do anything to that data before leaving, the employer is protected.

Damaged or deleted data can be re-placed, and evidence can be recovered to show what occurred. This
method can also be used to bolster an employers case by showing the removal of proprietary
information or to protect the employer from false charges made by the employee.

You should be equipped to find and interpret the clues that have been left behind. This includes
situations where files have been deleted, disks have been reformatted, or other steps have been taken
to conceal or destroy the evidence. For example, did you know?

What Web sites have been visited?

What files have been downloaded?
When files were last accessed?
Of attempts to conceal or destroy evidence?
Of attempts to fabricate evidence?
That the electronic copy of a document can contain text that was removed from the final printed
version?
That some fax machines can contain exact duplicates of the last several hundred pages received?
That faxes sent or received via computer may remain on the computer indefinitely?
That email is rapidly becoming the communications medium of choice for businesses?
That people tend to write things in email that they would never consider writing in a memorandum
or letter?
That email has been used successfully in criminal cases as well as in civil litigation?
That email is often backed up on tapes that are generally kept for months or years?
That many people keep their financial records, including investments, on computers?

COMPUTER FORENSICS UNIT I PART I 2

COMPUTER FORENSICS SERVICES *****
Computer forensics professionals should be able to successfully perform complex evidence recovery
procedures with the skill and expertise that lends credibility to your case.

For example, they should be able to perform the following services:

1. DATA SEIZURE

Following federal guidelines, computer forensics experts should act as the representative, using
their knowledge of data storage technologies to track down evidence.
The experts should also be able to assist officials during the equipment seizure process.

2. DATA DUPLICATION/PRESERVATION

When one party must seize data from another, two concerns must be addressed:
o the data must not be altered in any way
o the seizure must not put an undue burden on the responding party
The computer forensics experts should acknowledge both of these concerns by making an exact
duplicate of the needed data.
When experts works on the duplicate data, the integrity of the original is maintained.

3. DATA RECOVERY

Using proprietary tools, your computer forensics experts should be able to safely recover and
analyze otherwise inaccessible evidence.
The ability to recover lost evidence is made possible by the experts advanced understanding of
storage technologies.

4. DOCUMENT SEARCHES

Computer forensics experts should also be able to search over 200,000 electronic documents in
seconds rather than hours.
The speed and efficiency of these searches make the discovery process less complicated and less
intrusive to all parties involved.

COMPUTER FORENSICS UNIT I PART I 3

5. MEDIA CONVERSION

Computer forensics experts should extract the relevant data from old and un-readable devices,
convert it into readable formats, and place it onto new storage media for analysis.

6. EXPERT WITNESS SERVICES

Computer forensics experts should be able to explain complex technical processes in an easy-to-
understand fashion.
This should help judges and juries comprehend how computer evidence is found, what it consists of,
and how it is relevant to a specific situation.

7. COMPUTER EVIDENCE SERVICE OPTIONS

Computer forensics experts should offer various levels of service, each designed to suit your individual
investigative needs. For example, they should be able to offer the following services:

Standard service: Computer forensics experts should be able to work on your case during nor-mal
business hours until your critical electronic evidence is found.
On-site service: Computer forensics experts should be able to travel to your location to per-form
complete computer evidence services. While on-site, the experts should quickly be able to produce
exact duplicates of the data storage media in question.
Emergency service: Your computer forensics experts should be able to give your case the highest
priority in their laboratories. They should be able to work on it without interruption until your
evidence objectives are met.
Priority service: Dedicated computer forensics experts should be able to work on your case during
normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday) until the evidence is found.
Priority service typically cuts your turnaround time in half.
Weekend service: Computer forensics experts should be able to work from 8:00 A.M. to 5:00 P.M.,
Saturday and Sunday, to locate the needed electronic evidence and will continue 14 Computer
Forensics, Second Edition working on your case until your evidence objectives are met.

COMPUTER FORENSICS UNIT I PART I 4

8. OTHER MISCELLANEOUS SERVICES

Computer forensics experts should also be able to provide extended services. These services include:

Analysis of computers and data in criminal investigations

On-site seizure of computer data in criminal investigations
Analysis of computers and data in civil litigation.
On-site seizure of computer data in civil litigation
Analysis of company computers to determine employee activity
Assistance in preparing electronic discovery requests
Reporting in a comprehensive and readily understandable manner
Court-recognized computer expert witness testimony
Computer forensics on both PC and Mac platforms
Fast turnaround time

BENEFITS OF PROFESSIONAL FORENSIC METHODOLOGY ****

A knowledgeable computer forensics professional should ensure that a subject computer system is
carefully handled to ensure that:

1. No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to

investigate the computer.
2. No possible computer virus is introduced to a subject computer during the analysis process.
3. Extracted and possibly relevant evidence is properly handled and protected from later mechanical or
electromagnetic damage.
4. A continuing chain of custody is established and maintained.
5. Business operations are affected for a limited amount of time, if at all.
6. Any client-attorney information that is inadvertently acquired during a forensic exploration is
ethically and legally respected and not divulged.

COMPUTER FORENSICS UNIT I PART I 5

STEPS TAKEN BY COMPUTER FORENSICS SPECIALISTS *****

The computer forensics specialist should take several careful steps to identify and attempt to retrieve
possible evidence that may exist on a subjects computer system. For example, the following steps
should be taken:

1. Protect the subject computer system during the forensic examination from any possible alteration,
damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal files, deleted yet remaining
files, hidden files, password-protected files, and encrypted files.
3. Recover all of discovered deleted files.
4. Reveal the contents of hidden files as well as temporary or swap files used by both the application
programs and the operating system.
5. Access the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special areas of a disk. This includes but is not limited to
what is called unallocated space on a disk, as well as slack space in a file (the remnant area at the
end of a file in the last assigned disk cluster, that is unused by current file data, but once again, may
be a possible site for previously created and relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly
relevant files and discovered file data.
8. Provide an opinion of the system layout; the file structures discovered; any discovered data and
authorship information; any attempts to hide, delete, protect, and encrypt information; and
anything else that has been discovered and appears to be relevant to the overall computer system
examination.
9. Provide expert consultation and/or testimony, as required.

Source:

COMPUTER FORENSICS: COMPUTER CRIME SCENE INVESTIGATION, JOHN VACCA

COMPUTER FORENSICS UNIT I PART I 6

Send your feedback to [email protected]