Judd Robbins, in An Explanation of Computer Forensics, states: "Computer forensics is simply the application of computer investigation and analysis techniques in the
interests of determining potential legal evidence." In simpler terms, computer forensics is the analysis of information contained within or created by computing
devices to determine who did what, and when.
This can be for the purpose of performing a root cause analysis of a computer system that is not operating properly, finding out who is responsible for misuse of computer
systems, or establishing who committed a crime using a computer system or against a computer system. Computer forensic techniques and methodologies are commonly used in
computing investigations to figure out what happened, when it happened, how it happened, and who was involved.
In many cases, information is gathered during a computer forensics investigation that is not normally available or viewable by the average computer user, such as deleted
files and fragments of older data that survive in the unused tail of the disk space allocated to an existing file, an area computer forensic practitioners call slack space.
Special skills and tools are needed to obtain this type of information or evidence. Think of a case where the specific firearm that fired a bullet needs to be identified. That
information cannot be readily ascertained by just any member of law enforcement, so ballistics professionals with special skills and tools are needed.
ClearData Forensics LLC expands this definition to include the preservation, identification, extraction, interpretation, and documentation of computer evidence, carried out in
conformance with the rules of evidence and legal process, together with factual reporting of what was found and expert opinion, in a court of law or other legal or administrative
proceeding, as to what was found.
Let's break this definition down.
Preservation
When performing a computer forensics analysis, we must do everything possible to preserve the original media and data. Typically this involves making a forensic image or
forensic copy of the original media, verifying with a cryptographic hash that the copy matches the original, and conducting our analysis on the copy rather than the original.
Identification
In the initial phase, this has to do with identifying the possible containers of computer
related evidence, such as hard drives, external devices, floppy disks, and log files to name
a few. A computer or hard drive itself is not evidence; it is a container of potential evidence.
Extraction
The analysis phase has to do with identifying the information and data that is pertinent
to the situation at hand: sifting through gigabytes of information, conducting keyword searches,
looking through log files, and so on.
Any relevant evidence then needs to be extracted from the working copy of the media and is
typically saved to another form of media as well as printed out.
Interpretation
This is important. Just about anyone can perform a computer forensics "analysis." Some of
the tools available make it extremely easy. Being able to find evidence is one thing; the
ability to properly interpret it is another story. Entire books could be written citing examples of computer forensics "experts" who misinterpreted the results of a
forensic analysis.
For example, the experts for the prosecution in a case using a popular tool identified a
list of pornographic websites visited by the defendant.
When the experts for the defense examined the same evidence, they determined that the list
was actually websites that the security software was blocking because they were known to
propagate viruses and other malware and the defendant had not visited them.
The experts for the prosecution took for granted that their automated tool accounted for
every way such a list could come to exist, a big mistake. These experts lacked the technical skills to
authenticate their results, so they depended entirely on a single automated tool.
This leads to a very important lesson. Results from any tool should always be thoroughly
checked by someone versed in the underlying technology to be certain that what they see is
what is really there.
In another case, the experts for the defense recovered reams of email that the prosecution
experts did not find. This was due to the fact that the prosecution experts simply did not know
how to find it.
It is interesting to note that both the experts for the defense and the prosecution used the
same primary tool in their analysis. The differences in what was found by one side versus the other, as well as the differences in interpretation, were due to the experience and
education levels of the experts; they had nothing to do with the tool being used.
Documentation
Documentation needs to be kept from beginning to end. This includes what is commonly referred
to as a chain of custody form, as well as documentation pertinent to what is done during analysis.
Integrity of Evidence
This has to do with keeping control over everything related to the situation, including
establishing and keeping a chain of custody and making sure that nothing is altered in any way. Hashing the original and the working copy, and re-checking the hash before each
session of analysis, is how an examiner shows that nothing was altered.
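The following is an added example, not ClearData's own procedure or tooling, that ties together the Preservation, Documentation, and Integrity of Evidence points above: the original is hashed, a bit-for-bit copy is made and hashed, both hashes go into a chain-of-custody log, the copy is made read-only, and a re-hash catches any later change. The "media" is a constructed file standing in for a drive (a real acquisition reads the block device through a write blocker), and the examiner name and file names are assumptions for illustration.

```python
"""Preserve original media, work on a verified copy, keep a custody log (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for seized media. In practice the source is the block
# device behind a hardware write blocker, not an ordinary file.
SAMPLE_MEDIA = bytes(range(256)) * 64  # 16 KiB of deterministic content


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def custody_entry(examiner, action, item, digest):
    """One line of the chain-of-custody record: who did what to which item, and its hash."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "item": os.path.basename(item),
        "sha256": digest,
    }


def acquire(original, workdir, examiner):
    """Hash the original, make a bit-for-bit copy, hash the copy, log both.

    Returns the two hashes, whether they matched, and the paths written.
    """
    image = os.path.join(workdir, "evidence.dd")
    log = os.path.join(workdir, "custody.jsonl")
    before = sha256_of(original)
    shutil.copyfile(original, image)  # stands in for dd / dc3dd / ewfacquire
    after = sha256_of(image)
    os.chmod(image, 0o444)            # the analysis copy is read-only from here on
    entries = [
        custody_entry(examiner, "hash original", original, before),
        custody_entry(examiner, "acquire image", image, after),
    ]
    with open(log, "a", encoding="utf-8") as f:
        for e in entries:
            f.write(json.dumps(e) + "\n")
    return {"original_sha256": before, "image_sha256": after,
            "verified": before == after, "image": image, "log": log}


def still_intact(path, expected_sha256):
    """Re-hash before each session; any change means the copy no longer matches the evidence."""
    return sha256_of(path) == expected_sha256


def demo(examiner="examiner-1"):
    """Run the workflow on the constructed sample and show that a changed byte is caught."""
    workdir = tempfile.mkdtemp(prefix="forensics-")
    original = os.path.join(workdir, "original.bin")
    with open(original, "wb") as f:
        f.write(SAMPLE_MEDIA)
    result = acquire(original, workdir, examiner)

    # A second copy that someone "helpfully" edited: one flipped byte is enough.
    tampered = os.path.join(workdir, "tampered.dd")
    shutil.copyfile(result["image"], tampered)
    with open(tampered, "r+b") as f:
        f.seek(100)
        f.write(b"\x00")
    result["tamper_detected"] = not still_intact(tampered, result["image_sha256"])
    with open(result["log"], encoding="utf-8") as f:
        result["log_lines"] = sum(1 for _ in f)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log is append-only JSON lines so every later action (mounting the image read-only, exporting a file, handing the drive to another examiner) is recorded in the same form with the hash current at that moment.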
Active, Archival, and Latent Data
In computer forensics, there are three types of data that we are concerned with - active,
archival, and latent.
Active data is the information that you and I can see: data files, programs, and files used
by the operating system. This is the easiest type of data to obtain.
Archival data is data that has been backed up and stored. This could consist of backup tapes,
CDs, floppies, or entire hard drives, to cite a few examples.
Latent (also called ambient) data is the information that one typically needs specialized
tools to get at. An example would be information that has been deleted or partially overwritten.
A computer investigation could entail looking at one or more of these data types depending
on the circumstances. Obtaining latent data is by far the most time consuming and costly.
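To make the difference between active and latent data concrete, here is an added example (not the page's or ClearData's code) that builds a constructed disk image with a deliberately simplified layout: fixed-size clusters, a directory table of name, first cluster and logical size, and contiguous files. It is not a real file system; a real tool walks FAT or NTFS structures to get the same map. The deleted email text, the file names and the cluster size are all constructed. The same keyword search is then run over active data, the slack space described earlier in this page, and unallocated clusters, and every hit is tagged with the region it came from, because a hit in the slack of notes.txt was not written by notes.txt and must not be reported as if it were.

```python
"""Where latent data hides: keyword search across active, slack and unallocated space."""
import re

CLUSTER = 512  # constructed: a tiny cluster size keeps the image small

# Constructed remnant of a message that was deleted before the image was taken.
DELETED_EMAIL = (
    b"From: agent@example-insurer.test\r\n"
    b"Subject: Binder for barn policy\r\n"
    b"Coverage bound effective 03/01, policy to follow by mail.\r\n"
)
NOTES = b"To do: buy feed, mend fence, repaint the loft door."
REPORT = (b"Quarterly report: revenue up 4 percent.\n" * 40)[: 2 * CLUSTER]


def build_sample_image():
    """Return (image, directory). Layout by cluster: [notes+slack][unallocated][report][report].

    The deleted email originally filled clusters 0-1. notes.txt was then written over
    the start of cluster 0, leaving the rest of the email in that cluster's slack and
    in cluster 1, which the directory no longer references at all.
    """
    image = bytearray(4 * CLUSTER)
    image[0:2 * CLUSTER] = (DELETED_EMAIL * 10)[: 2 * CLUSTER]
    image[0:len(NOTES)] = NOTES
    image[2 * CLUSTER:4 * CLUSTER] = REPORT
    directory = {"notes.txt": (0, len(NOTES)), "report.txt": (2, len(REPORT))}
    return bytes(image), directory


def map_regions(directory, n_clusters):
    """Classify every byte: active (inside a file's logical size), slack (allocated to a
    file but past its end), or unallocated (no file references the cluster)."""
    regions, allocated = [], set()
    for name, (first, size) in directory.items():
        n = -(-size // CLUSTER)  # clusters the file occupies (ceiling division)
        start = first * CLUSTER
        regions.append((start, start + size, "active", name))
        if size % CLUSTER:
            regions.append((start + size, start + n * CLUSTER, "slack", name))
        allocated.update(range(first, first + n))
    for c in range(n_clusters):
        if c not in allocated:
            regions.append((c * CLUSTER, (c + 1) * CLUSTER, "unallocated", None))
    return sorted(regions)


def active_files(image, directory):
    """What the operating system shows an ordinary user: logical file contents only."""
    return {name: image[f * CLUSTER:f * CLUSTER + size]
            for name, (f, size) in directory.items()}


def keyword_hits(image, regions, keyword):
    """Every occurrence of keyword in the raw image, tagged with the region it sits in."""
    hits = []
    for m in re.finditer(re.escape(keyword), image):
        for start, end, kind, owner in regions:
            if start <= m.start() < end:
                hits.append({"offset": m.start(), "region": kind, "file": owner})
                break
    return hits


def carve_text(image, regions, min_len=16):
    """Pull readable ASCII runs out of slack and unallocated space only."""
    found = []
    pattern = rb"[\x20-\x7e\r\n]{%d,}" % min_len
    for start, end, kind, owner in regions:
        if kind == "active":
            continue
        for m in re.finditer(pattern, image[start:end]):
            found.append({"offset": start + m.start(), "region": kind,
                          "text": m.group().decode("ascii")})
    return found


def demo(keyword="barn"):
    """Search the constructed image the way a user would and the way an examiner would."""
    image, directory = build_sample_image()
    regions = map_regions(directory, len(image) // CLUSTER)
    visible = active_files(image, directory)
    return {
        "visible_to_user": any(keyword.encode() in data for data in visible.values()),
        "hits": keyword_hits(image, regions, keyword.encode()),
        "carved": carve_text(image, regions),
    }


if __name__ == "__main__":
    out = demo()
    print("in active files:", out["visible_to_user"])
    for h in out["hits"]:
        print(h)
```

Run as written, the word "barn" appears in no active file, yet the raw image holds it eight times: four in the slack of notes.txt and four in the unallocated cluster next to it. The region tag is the interpretation step from the previous section: reporting those hits as content of notes.txt, or as something the user "had", would be the same kind of mistake as reading a blocked-site list as a browsing history.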
Here are some examples of cases where forensics techniques and methodologies have been applied.
Medical Malpractice
In a medical malpractice/wrongful death suit, a computer was examined to extract evidence
relevant to the decedent's part-time business. The information recovered was used to determine
how much the decedent would have made had they lived another thirty or so years, and helped to
determine the settlement amount for the surviving spouse.
Lost Email
A man had arranged for insurance on his new barn. Unfortunately, during the period
between inadvertently deleting the email binding the insurance and receiving the paper policy, the
barn was destroyed, and the insurance company denied coverage. An in-depth examination of the
hard drive was able to recover enough of the deleted email to establish coverage.
Finding a Will
In this case, a decedent's computer was examined to determine if there was any information
relevant to a will. The decedent was a cryptologist, and many files had to be "cracked" as they
were encrypted. Information was recovered that helped settle the decedent's estate.
Computer forensics is essentially the science of gathering and
analyzing evidence to establish facts that can be presented in a legal
proceeding. Its application requires an intimate understanding of
the computer hardware, operating system, and software while observing
the rules of evidence to collect, analyze, and report on the evidence
found. ClearData Forensics LLC has these skills.