What term is used to describe the discovery collection and analysis of evidence found on computers and networks?

My name is Blaine Price – I’m a Senior Lecturer in Computing at the Open University. In the last video you saw me gather evidence against one of our Course Managers who was suspected of selling exam solutions on eBay. There were a number of problems with the way I conducted the investigation. Hopefully you spotted some of these while you were watching the video. But let’s go through now and see what could have been done better.

The investigation starts OK with the initial indication that something illegal might be happening, but I quickly got carried away and started getting people to order things for me on eBay. Stumbling across some evidence is one thing, but carrying out an entire investigation on my own is another. Once I had the initial evidence, I should have reported it to senior management. After considering all the relevant laws, regulations and any other obligations the University may have, management may then choose to commission me, or someone else, to carry out an investigation. But any investigation must have a clear purpose and scope defined in advance. For example, am I to try to find all instances of exam selling in the University? Or just track down the one culprit behind this ad? Am I to search one individual’s computer or try to look at central emails servers or ask eBay for access to their data? Are my findings to be kept confidential? It’s very easy for an investigation to have ‘scope creep’, so answering these questions up front is crucial. I also need to make sure that management is advised of any relevant legal issues. For example, if I have an indication that a criminal law has been violated, then management should contact the Police. But even if it is a strictly internal, confidential matter, we still have to comply with the law in terms of privacy and permitted surveillance. We also need to make sure that the person being investigated has signed the Computing Code of Conduct or Acceptable Use Policy and is aware of the rules regarding exam security and confidentiality. So let’s assume that I am now conducting a properly commissioned and scoped investigation. Let’s see what happens next.

Setting aside the fact that I had an unknown person purchase this, the first big issue is the continuity of evidence. I took the USB drive out of a previously opened envelope. We don’t know who might have touched the drive from the point the postman delivered it until I showed it to you. It should have been placed unopened, in an evidence bag, by the person who took custody of it and he or she should have signed and dated it and kept it strictly secure until the bag was personally handed to me, by which point I should have signed and dated it to show I now had custody. Now, ignoring the fact that I didn’t handle the drive using gloves, so any fingerprint or DNA evidence is now tainted, the second issue is just as crucial. I insert it into my Windows laptop which will certainly be writing information to the drive, contaminating the original evidence. Instead, I should have used a ‘write blocker’ with a forensically sound copy of the original so I could show I haven’t altered the original data. I could also use an approved forensic program like Helix, which will mount the copy ‘read-only’.

Next, I lied to Crispin to get him away from his computer and I lied to Rehana about having his permission to use the computer. As you will learn in the legal section of M889, Article 8 of the European Convention on Human Rights guarantees an individual’s right to privacy with only a few exceptions. In the UK, this is enacted in the Human Rights Act of 1998 and most other jurisdictions also have similar privacy laws. The Open University’s Computing Code of Conduct prohibits me from accessing computers without authorisation. In order to violate Crispin’s right to privacy I would need specific authorisation from senior management who should have noted why it was necessary. Further, the level of my violation of Crispin’s privacy must be proportionate to the alleged offence. For example, asking Security to strip search him would certainly be disproportionate. Most jurisdictions also have laws prohibiting unauthorised access, such as the UK’s Computer Misuse Act of 1990. So by now I’ve probably committed at least one criminal offence.

Now the remainder of my investigation reveals a number of smoking guns on Crispin’s machine. The evidence of the USB drive being plugged in, the remnants of the eBay ad in the internet cache and the exam files in the ‘recently used files’ list. I also jumped to the conclusion that he placed the ad just because I can see it in his cache. He could claim that he also discovered the ad and was about to report it. We would need to find cached pages showing the ad uploading to eBay to have a real smoking gun. The main problem with this evidence is that I found it while working directly on Crispin’s machine. This means that I was actually causing modifications to Crispin’s machine as I was examining it. Crispin could now claim that any of the things on his disk were due to my actions since it is no longer possible to separate the consequences of my actions from his and it will be impossible for someone else to reproduce the evidence because my actions have irreparably changed the contents of the disk.

Except in specialised circumstances, such as if hard disk encryption is suspected, I should work on a forensic copy of Crispin’s machine so anything I do is repeatable by another expert. Finally, I should have kept contemporaneous notes either in a notebook or on another computer in a tamper-evident format like CaseNotes. Although having a full video record is probably just as good, you probably won’t be able to afford an independent video crew in all your investigations.

These three issues are embodied in the principles for handling digital evidence produced by the UK Association of Chief Police Officers, or ACPO.

One, no action should be taken which changes data held on a computer or storage device if the evidence is to be relied on in court.

Two, if it is necessary to access live data then the person doing so must be competent and give evidence as to the relevance and implications of his actions.

And three, an audit trail must be created so a third party could examine the process and evidence and produce the same result if necessary.

So, the lessons learned from this investigation are:

Always make sure your investigation is properly commissioned and scoped by management.

If you’re going to violate someone’s privacy, make sure that you have signed authorisation from senior management and that they determined that it is both necessary and proportionate.

Make sure any evidence you gather is collected in a forensically sound manner so that others can reproduce your actions.

Take care not to contaminate the evidence unnecessarily by your actions.

Make sure evidence is stored and handled securely, preferably in tamper-proof evidence bags which are signed and dated as they’re passed from person to person.

Finally, if you can’t afford a video crew to follow you around, make sure you make contemporaneous notes, either in a bound notebook or in specialised note-taking software like CaseNotes that prevents editing after an entry has been made.

So if you do find yourself being called to perform an investigation or secure evidence, follow the Boy Scout motto and be prepared! Make sure you have the necessary tools to hand before you begin.

Branch of digital forensic science

Part of a series on
Forensic science
Physiological Anthropology Biology Bloodstain pattern analysis Dentistry DNA phenotyping DNA profiling Entomology Epidemiology Limnology Medicine Palynology Pathology Podiatry Toxicology
Social Psychiatry Psychology Psychotherapy Social work
Criminalistics Accounting Body identification Chemistry Colorimetry Election forensics Facial reconstruction Fingerprint analysis Firearm examination Footwear evidence Forensic arts Profiling Gloveprint analysis Palmprint analysis Questioned document examination Vein matching Forensic geophysics Forensic geology
Digital forensics Computer exams Data analysis Database study Malware analysis Mobile devices Network analysis Photography Video analysis Audio analysis
Related disciplines Electrical engineering Engineering Fire investigation Fire accelerant detection Fractography Linguistics Materials engineering Polymer engineering Statistics Traffic collision reconstruction
Related articles Crime scene CSI effect Perry Mason syndrome Pollen calendar Skid mark Trace evidence Use of DNA in forensic entomology
Outline Category
v t e

Computer forensics (also known as computer forensic science[1]) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high-profile cases and is accepted as reliable within U.S. and European court systems.

Overview

In the early 1980s personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit fraud). At the same time, several new "computer crimes" were recognized (such as cracking). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Since then computer crime and computer related crime has grown, and has jumped 67% between 2002 and 2003.[2] Today it is used to investigate a wide variety of crime, including child pornography, fraud, espionage, cyberstalking, murder and rape. The discipline also features in civil proceedings as a form of information gathering (for example, Electronic discovery)

Forensic techniques and expert knowledge are used to explain the current state of a digital artifact, such as a computer system, storage medium (e.g. hard disk or CD-ROM), or an electronic document (e.g. an email message or JPEG image).[3] The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. In a 2002 book, Computer Forensics, authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data".[4] They go on to describe the discipline as "more of an art than a science", indicating that forensic methodology is backed by flexibility and extensive domain knowledge. However, while several methods can be used to extract evidence from a given computer the strategies used by law enforcement are fairly rigid and lack the flexibility found in the civilian world.[5]

Cybersecurity

Computer Forensics is often confused with Cybersecurity but they both are quite different. Cybersecurity is about prevention and protection whilst Computer Forensics is more reactionary and active such as tracking and exposing. There are usually two teams, Cybersecurity and Computer Forensics that work co in hand. They complement each other as Cybersecurity team would create systems and programs to protect data and if they fail then the Computer Forensics team recovers and finds out how it happened and tracks etc. There are many similarities however which is why these two fields help each other. They both require knowledge of computer science and both fields are apart of IT/STEM.[6]

Computer Related Crimes

Computer Forensics are used to convict people who have performed physical and digital crimes. Some of these computer related crimes include Interruption, Interception, Copyright Infringement, and Fabrication. Interruption relates to the destruction and stealing of computer parts and digital files. Interception is the unauthorized access of files and information stored on technological devices. Copyright Infringement is using, reproducing, and distributing copyrighted information, including software piracy. Fabrication is accusing someone of using false data and information put in the system through an unauthorized source. Examples of Interceptions are The Bank NSP Case, Sony.Sambandh.com Case, and Business Emails Compromise Scams. The Bank NSP Case was a situation where a bank's management employee's ex-girlfriend created fraudulent emails, which were sent to the bank client to gain money. The Sony.Sambandh.com Case was a call center worker using a foreigner's credit card information to buy a TV and headphones. The Business Emails Compromise Scams refer to hackers gaining access to the CEO/CFO email and using it to gain money from their employees.[7]

Use as evidence

In court, computer forensic evidence is subject to the usual requirements for digital evidence. This requires that information be authentic, reliably obtained, and admissible.[8] Different countries have specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often follow Association of Chief Police Officers guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts.

Computer forensics has been used as evidence in criminal law since the mid-1980s, some notable examples include:[9]

• BTK Killer: Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest.
• Joseph Edward Duncan: A spreadsheet recovered from Duncan's computer contained evidence that showed him planning his crimes. Prosecutors used this to show premeditation and secure the death penalty.[10]
• Sharon Lopatka: Hundreds of emails on Lopatka's computer lead investigators to her killer, Robert Glass.[9]
• Corcoran Group: This case confirmed parties' duties to preserve digital evidence when litigation has commenced or is reasonably anticipated. Hard drives were analyzed by a computer forensics expert who could not find relevant emails the Defendants should have had. Though the expert found no evidence of deletion on the hard drives, evidence came out that the defendants were found to have intentionally destroyed emails, and misled and failed to disclose material facts to the plaintiffs and the court.
• Dr. Conrad Murray: Dr. Conrad Murray, the doctor of the deceased Michael Jackson, was convicted partially by digital evidence on his computer. This evidence included medical documentation showing lethal amounts of propofol.

Forensic process

Main article: Digital forensic process

Computer forensic investigations usually follow the standard digital forensic process or phases which are acquisition, examination, analysis and reporting. Investigations are performed on static data (i.e. acquired images) rather than "live" systems. This is a change from early forensic practices where a lack of specialist tools led to investigators commonly working on live data.

Computer Forensics Lab

The computer forensic lab is a safe and protected zone where electronic data can be managed, preserved, and accessed in a controlled environment. There, there is a very much reduced risk of damage or modification to the evidence. Computer forensic examiners have the resources needed to elicit meaningful data from the devices that they are examining.[11]

Techniques

A number of techniques are used during computer forensics investigations and much has been written on the many techniques used by law enforcement in particular.

Mobile Devices Forensics

Phone Logs: Phone companies usually keep logs of calls received, which can be helpful when creating timelines and gathering the locations of persons when the crime occurred.[16]

Contacts: Contact lists help narrow down the suspect pool due to their connections with the victim or suspect.[16]

Text messages: Messages contain timestamps and remain in company servers indefinitely, even if deleted on the original device. Because of this, messages act as crucial records of communication that can be used to convict suspects.[16]

Photos: Photos can be critical in either supporting or disproving alibis by displaying a location or scene along with a timestamp of when the photo was taken.[16]

Audio Recordings: Some victims might have been able to record pivotal moments of the struggle, like the voice of their attacker or extensive context of the situation.[16]

Volatile data

Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registries, cache, and random access memory (RAM). The investigation of this volatile data is called “live forensics”.

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost.[10] One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool, WinDD, WindowsSCOPE) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.[citation needed]

RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect exploited by the cold boot attack. The length of time that data is recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination.[17]

Some of the tools needed to extract volatile data, however, require that a computer be in a forensic lab, both to maintain a legitimate chain of evidence, and to facilitate work on the machine. If necessary, law enforcement applies techniques to move a live, running desktop computer. These include a mouse jiggler, which moves the mouse rapidly in small movements and prevents the computer from going to sleep accidentally. Usually, an uninterruptible power supply (UPS) provides power during transit.

However, one of the easiest ways to capture data is by actually saving the RAM data to disk. Various file systems that have journaling features such as NTFS and ReiserFS keep a large portion of the RAM data on the main storage media during operation, and these page files can be reassembled to reconstruct what was in RAM at that time.[18]

Analysis tools

See also: List of digital forensics tools

A number of open source and commercial tools exist for computer forensics investigation. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.[9] Autopsy (software), Belkasoft Evidence Center, COFEE, EnCase are the some of tools used in Digital forensics.

Jobs in Computer Forensics

Computer Digital Forensic Investigator

Computer digital forensic investigators look through suspects devices and data in order to get incriminatory evidence that could be used in the case.[19]

Computer Programmer

Computer programmers program systems and programs for computers to run. Computer Forensics work with programming and are eligible to work in this career.[19]

Cyber Forensics Analyst

Cyber forensics analysts support the detectives and investigators on the crime by analyzing data and evidence and using processes that make it eligible in court.[19]

Computer Forensics Technician

A computer forensics technician searches for information that may be relevant to an ongoing case. They search through personal devices and storage devices to uncover and submit evidence.[19]

Certifications

There are several computer forensics certifications available, such as the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional (DFIP) and IACRB Certified Computer Forensics Examiner.

The top vendor independent certification (especially within EU) is considered the [CCFP - Certified Cyber Forensics Professional [1]].[20]

Others, worth to mention for USA or APAC are: The International Association of Computer Investigative Specialists offers the Certified Computer Examiner program.

The International Society of Forensic Computer Examiners offers the Certified Computer Examiner program.

Many commercial based forensic software companies are now also offering proprietary certifications on their products. For example, Guidance Software offering the (EnCE) certification on their tool EnCase, AccessData offering (ACE) certification on their tool FTK, PassMark Software offering certification on their tool OSForensics, and X-Ways Software Technology offering (X-PERT) certification for their software, X-Ways Forensics.[21]

Laws

Laws Related to Computer Forensics (India)

Indian Laws Sections 65-77 relate to computer crimes. All the laws are enforced by evidence left digitally and remotely on the computer due to the permanent tracking of our actions on databases.[7]

Section 66: Law preventing the hacking of computers. The crime is punishable by three years in prison or a five lakhs rupee fine.[7]

Section 66F: Law focused on cyber-terrorism such as malware, phishing, unauthorized access, identity theft, etc. If caught, it usually leads to a life sentence.[7]

Section 67B: Law to prevent the spread and publishing of child porn. It could lead to up to 7 years in prison and a ten lakhs rupee fine.[7]

See also

• Certified Computer Examiner
• Certified Forensic Computer Examiner
• Counter forensics
• Cryptanalysis
• Data remanence
• Disk encryption
• Encryption
• Hidden file and hidden directory
• Information technology audit
• MAC times
• Steganalysis
• United States v. Arnold

References

1. ^ Michael G. Noblett; Mark M. Pollitt; Lawrence A. Presley (October 2000). "Recovering and examining computer forensic evidence". Retrieved 26 July 2010.
2. ^ Leigland, R (September 2004). "A Formalization of Digital Forensics" (PDF).
3. ^ Yasinsac, A.; Erbacher, R.F.; Marks, D.G.; Pollitt, M.M.; Sommer, P.M. (July 2003). "Computer forensics education". IEEE Security & Privacy. 1 (4): 15–23. doi:10.1109/MSECP.2003.1219052.
4. ^ Warren G. Kruse; Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. p. 392. ISBN 978-0-201-70719-9. Retrieved 6 December 2010.
5. ^ Gunsch, G (August 2002). "An Examination of Digital Forensic Models" (PDF).
6. ^ "What Is Computer Forensics?". Western Governors University. Retrieved 2022-03-04.
7. ^ a b c d e Rajesh, K.V.N; Ramesh, K.V.N. (2016). "Computer Forensics: An Overview". I-manager's Journal on Software Engineering. 10 (4): 1–5. doi:10.26634/jse.10.4.6056. ProQuest 1816335831.
8. ^ Adams, R. (2012). "'The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice".
9. ^ a b c Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 978-0-12-163104-8.
10. ^ a b Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 978-0-12-374267-4. Retrieved 27 August 2010.
11. ^ "Chapter 3: Computer Forensic Fundamentals - Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business Executives [Book]". www.oreilly.com. Retrieved 2022-03-04.
12. ^ Garfinkel, S. (August 2006). "Forensic Feature Extraction and Cross-Drive Analysis".
13. ^ "EXP-SA: Prediction and Detection of Network Membership through Automated Hard Drive Analysis".
14. ^ Aaron Phillip; David Cowen; Chris Davis (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 978-0-07-162677-4. Retrieved 27 August 2010.
15. ^ Dunbar, B (January 2001). "A detailed look at Steganographic Techniques and their use in an Open-Systems Environment".
16. ^ a b c d e Pollard, Carol (2008). Computer Forensics for Dummies. John Wiley & Sons, Incorporated. pp. 219–230. ISBN 9780470434956.
17. ^ J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten (2008-02-21). "Lest We Remember: Cold Boot Attacks on Encryption Keys". Princeton University. Retrieved 2009-11-20. {{cite journal}}: Cite journal requires |journal= (help)CS1 maint: multiple names: authors list (link)
18. ^ Geiger, M (March 2005). "Evaluating Commercial Counter-Forensic Tools" (PDF). Archived from the original (PDF) on 2014-12-30. Retrieved 2012-04-02.
19. ^ a b c d "What is Computer Forensics?". devry.edu. Retrieved 2022-03-04.
20. ^ "CCFP Salaries surveys". ITJobsWatch. Archived from the original on 2017-01-19. Retrieved 2017-06-15.
21. ^ "X-PERT Certification Program". X-pert.eu. Retrieved 2015-11-26.

Further reading

• A Practice Guide to Computer Forensics, First Edition (Paperback) by David Benton (Author), Frank Grindstaff (Author)
• Casey, Eoghan; Stellatos, Gerasimos J. (2008). "The impact of full disk encryption on digital forensics". Operating Systems Review. 42 (3): 93–98. CiteSeerX 10.1.1.178.3917. doi:10.1145/1368506.1368519. S2CID 5793873.
• YiZhen Huang; YangJing Long (2008). "Demosaicking recognition with applications in digital photo authentication based on a quadratic pixel correlation model" (PDF). Proc. IEEE Conference on Computer Vision and Pattern Recognition: 1–8. Archived from the original (PDF) on 2010-06-17. Retrieved 2009-12-18.
• Incident Response and Computer Forensics, Second Edition (Paperback) by Chris Prosise (Author), Kevin Mandia (Author), Matt Pepe (Author) "Truth is stranger than fiction..." (more)
• Ross, S.; Gow, A. (1999). Digital archaeology? Rescuing Neglected or Damaged Data Resources (PDF). Bristol & London: British Library and Joint Information Systems Committee. ISBN 978-1-900508-51-3.
• George M. Mohay (2003). Computer and intrusion forensics. Artech House. p. 395. ISBN 978-1-58053-369-0.
• Chuck Easttom (2013). System Forensics, Investigation, and Response. Jones & Bartlett. p. 318. ISBN 978-1284031058. Archived from the original on 2013-06-14. Retrieved 2013-09-23.

Related journals

• IEEE Transactions on Information Forensics and Security
• Journal of Digital Forensics, Security and Law
• International Journal of Digital Crime and Forensics
• Journal of Digital Investigation
• International Journal of Digital Evidence
• International Journal of Forensic Computer Science
• Journal of Digital Forensic Practice
• Cryptologia
• Small Scale Digital Device Forensic Journal

Retrieved from "https://en.wikipedia.org/w/index.php?title=Computer_forensics&oldid=1112437621"