Computer Forensics

What is computer forensics?

Computer forensics is a science that deals with computer crimes. These may involve illegal computer hacking, creating computer viruses, forging software, theft, fraud and child pornography. It is also often used to attempt to retrieve data that has supposedly been wiped. Computer crime does not just involve the use of PCs and laptops, but basically anything that contains chips that store and process data. This may include cameras, mobile phones, video recorders and fax machines. However, most computer crimes involve home personal computers.

Computer forensics does not just involve computer and 'cyber' crimes. Examining the computers of victims and suspects in thefts or homicides, for example, may yield clues to cases not really related to computer forensics.

Computer forensics can be split into three main specialities: obtaining and documenting digital information, expert testimony concerning computers, and basic investigation.

The computer forensics expert must also take precautions when dealing with possible evidence in order to protect it. When searching for evidence, it is important to check all places where evidence could be located. These locations include home systems, phone systems, modem pools, the victim's computer, deleted files, undeleted files, components, peripherals, network and external sources, print spool files, cookies, temp files, swap files, slack space, caches, log files and other media. Possible evidence must never be damaged, destroyed or in any way compromised. No computer viruses may be introduced to a computer being investigated. Extracted evidence is to be handled properly and kept away from mechanical or electromagnetic devices. A continuing chain of custody is to be established and always maintained. Business operations should not be affected, or if that is necessary, only for a short time. Any non-related information is to be respected and treated discreetly.

The computer forensics expert also takes several steps in order to retrieve possible evidence from a system. The overall computer forensics process is often viewed as four stages: Acquire, Analyse, Evaluate, Present. The subject computer must first be protected from any possible damage or alteration. The files must be discovered, including any hidden or encrypted files, and then as much as possible is extracted. All hidden files are then revealed, and password-protected or encrypted files are made accessible if possible. All files are analysed, then the relevant data is printed off, along with an analysis.

What Do Computer Forensic Experts Look For?

When examining a subject computer, there are certain files and pieces of data that the computer forensic investigator will look for:

Saved Files – Any basic files that have been saved on the computer. Some may be marked as hidden.
Deleted Files – Files that an individual has attempted to delete. Sometimes they will still exist on the system.
Temporary Files – Files temporarily stored by the computer.
Metadata – The information that is stored with the data. This can tell us the dates a file was created, modified and last accessed.
Disk Slack – Data that is accidentally captured and stored along with other data.

When dealing with a computer, the forensic expert must also look at tape back-ups, external hard drives, thumb drives, zip disks, zip drives, DVDs, CDs and floppy diskettes.

Investigating Personal Computers
When dealing with PCs, there are several important steps an investigator takes.

1. When collecting the PC, it is important to document all connections and cables attached to it. This could be important in court, and could also help identify other devices attached to the computer.
2. If the computer is running when collected, photographs of the open screens should always be taken.
3. The PC should never be turned on without proper write-blocking devices or software set up, as turning on a PC could alter data on the system.
4. Never work from the original data on the subject computer; always work from a copy.

Uses Of Computer Forensics

File Deletion

It is believed by many that deleting a file means it is gone permanently and cannot be retrieved. However, this is incorrect. When a file is deleted it is hidden from the user but actually still remains, until of course it is overwritten by other data. If the files have been deleted but not overwritten by anything else, the data can be retrieved. Even if the file has been completely deleted, it may still be possible to retrieve the data. Computers are constantly swapping data from RAM to the hard disk, and this process creates a file called a "swap file". If the deleted data was previously 'swapped', it may still exist in the swap file. However, these swap files change every time the computer is switched on, which of course presents problems for investigators. Forensic scientists have therefore created a solution that copies the computer's contents without the computer being switched on. It can take from six to eight hours to copy everything off the computer, but the data can then be analysed without the risk of losing it.

Encryption

Criminals who are slightly more advanced often use techniques, such as encryption, to make sure their incriminating files remain hidden. Fortunately there may be ways to get around this. Once data has been sent over the internet, almost anybody could access it. Therefore computers often encrypt the data using a code. This encryption can be solved using cryptography. Symmetric encryption is one form of deciphering a code. This uses one particular 'key' to encode a message, and the same 'key' to decode it. Asymmetric encryption works the same way, but uses a different key to encode and decode a message.

Email Crime
Email is used by millions of people worldwide, proving to be a very useful communication tool. Unfortunately, email has also opened up a world of spam and virus emails, which can cause problems. Fortunately there are ways to track down email criminals. IP addresses are an effective way to track down computers. Each computer has a unique IP address, and this IP address is recorded every time a computer makes contact with a server. IP addresses can be used to track down a computer's location. Each time an email is sent, email logs are kept on all servers, storing information on the sender, the receiver, and the time and date the email was sent. However, some servers use circular logging, which stores a certain amount of data before overwriting it, wiping out possibly vital information.

Digital Forensics

Digital forensics is the process of identifying, preserving, analysing and presenting digital evidence. However, as digital evidence can be altered or damaged quite easily, the evidence must be dealt with in a way that is legally accepted, or else vital evidence could be disallowed in court.

What May Be Discovered?

Through this work there are several different types of evidence or information that may be discovered. Some examples are stolen or copied data, dates and times of key events, duplicate accounts indicating fraud, contact details, important calendar entries, deleted pornographic images, cookies, files indicating illegal possession of confidential information, and conspiratorial email correspondence.
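The points made under Investigating Personal Computers (always work from a hashed copy) and File Deletion (a deleted file stays on disk until overwritten, and slack space keeps what was there before) can be shown with a small added Python example. It is not from this site: the disk image is constructed in the code from 64-byte sectors, the deleted file is a stand-in carrying real JPEG start and end markers around filler bytes, and the "directory" layout is invented for illustration.

```python
import hashlib

SECTOR = 64                      # constructed toy geometry: 64-byte sectors
JPEG_SOI = b"\xff\xd8\xff"       # JPEG start-of-image marker (real signature)
JPEG_EOI = b"\xff\xd9"           # JPEG end-of-image marker (real signature)

# Constructed sample file: real JPEG markers around filler, not a viewable picture.
FILE_BODY = JPEG_SOI + b"\xe0" + b"CONSTRUCTED PIXEL DATA " * 3 + JPEG_EOI


def build_constructed_image():
    """Eight 64-byte sectors. The directory in sector 0 lost its only entry when
    the file was 'deleted', but the file bytes in sectors 2-3 were never touched.
    The tail of sector 3 is slack: leftovers of an older note the file overwrote."""
    directory = b"DIR: (no live entries)".ljust(SECTOR, b"\x00")
    unused = b"\x00" * SECTOR
    older_note = (b"old note: meet at 9 " * 7)[: 2 * SECTOR]     # 128 bytes
    file_region = FILE_BODY + older_note[len(FILE_BODY):]
    return directory + unused + file_region + b"\x00" * (4 * SECTOR)


def acquire(original):
    """Acquire step: take a bit-for-bit copy and record its hash; all analysis
    is done on the copy, and the hash shows it still matches what was seized."""
    copy = bytes(original)
    return copy, hashlib.sha256(copy).hexdigest()


def verify_copy(copy, recorded_digest):
    """Re-hash before (and after) analysis to prove the copy was not altered."""
    return hashlib.sha256(copy).hexdigest() == recorded_digest


def carve_jpegs(image):
    """Analyse step: signature carving ignores the (now empty) directory and
    recovers the file from wherever its start and end markers sit on disk."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break                              # truncated file: nothing to carve
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def slack_after(image, end_offset):
    """Bytes between the end of a file and the end of its last sector: disk
    slack that the filesystem never cleared."""
    sector_end = -(-end_offset // SECTOR) * SECTOR   # round up to a boundary
    return image[end_offset:sector_end]
```

Running the carver over the copy finds the file at sector 2 even though no directory entry points to it, and the slack after it still reads as the older note.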
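For the Email Crime section, an added Python example (not from this site) reads the Received headers of a constructed message and walks the hops back toward the sender, which is how the server logs described above are normally read off the message itself. All host names and ids in the sample are made up and the addresses are RFC 5737 documentation ranges; the trusted-server set stands for the servers whose own logs the investigator actually holds.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message with two hops: the sender's machine (198.51.100.7) handed
# the mail to its provider's relay, which passed it to the recipient's server.
# Every host name and id below is invented; the addresses are documentation ranges.
SAMPLE = """\
Received: from relay.provider.example (relay.provider.example [203.0.113.45])
\tby mx.recipient.example (Postfix) with ESMTP id 4F2A1C0
\tfor <someone@recipient.example>; Mon, 03 Mar 2008 10:15:22 +0000
Received: from [198.51.100.7] (helo=home-pc)
\tby relay.provider.example with esmtpa (Exim 4.69)
\tid 1JWxyz-0003Qk-7L; Mon, 03 Mar 2008 10:15:20 +0000
From: someone@provider.example
To: someone@recipient.example
Subject: constructed sample message

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IPv4 in square brackets
BY_RE = re.compile(r"\bby\s+(\S+)")                     # server that logged the hop


def received_hops(raw_message):
    """Return the hops oldest-first. Each server prepends its own Received line,
    so the top line is the final hop and the bottom line is the first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())                  # unfold continuation lines
        ip, by = IP_RE.search(flat), BY_RE.search(flat)
        when = flat.rpartition(";")[2].strip() if ";" in flat else ""
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "time": parsedate_to_datetime(when) if when else None,
        })
    return hops


def trace_origin(hops, trusted_servers):
    """Walk back from our own server. A 'from' address is only reliable if the
    server that recorded it is one whose logs we hold; anything further back
    could have been written by the sender and must be checked against logs."""
    verified = None
    for hop in reversed(hops):                          # newest hop first
        if hop["by"] not in trusted_servers:
            break
        verified = hop["from_ip"]
    claimed = hops[0]["from_ip"] if hops else None
    return {"verified_ip": verified, "claimed_origin": claimed}
```

With only the recipient's server trusted, the verified address is the relay that connected to it; the sender's address becomes verified only once the relay's logs are obtained and added to the trusted set.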