ClearData Forensics LLC

 
What is Computer Forensics

Judd Robbins, in An Explanation of Computer Forensics, states: “Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.”

In simpler terms, computer forensics is the analysis of computer data to determine who did what, and when.

This can be for the purpose of performing a root cause analysis of a computer system that is not operating properly, finding out who is responsible for misuse of computer systems, or determining who committed a crime using a computer system or against a computer system. Computer forensic techniques and methodologies are commonly used for conducting computing investigations in the interest of figuring out what happened, when it happened, how it happened, and who was involved.

In many cases, information is gathered during a computer forensics investigation that is not normally available to or viewable by the average computer user, such as deleted files, and fragments of data left in the unused portion of the last cluster allocated to an existing file, known by computer forensic practitioners as slack space. Special skills and tools are needed to obtain this type of information or evidence. Think of a case where the specific firearm that fired a bullet needs to be identified: this could not be readily ascertained by just any member of law enforcement, so ballistics professionals with special skills and tools are needed.

ClearData Forensics LLC expands this to include the preservation, identification, extraction, interpretation, and documentation of computer evidence, in conformance with the rules of evidence, legal processes, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.

Let's break this definition down.

Preservation

When performing a computer forensics analysis, we must do everything possible to preserve the original media and data. Typically this involves making a forensic image (a forensic copy) of the original media and conducting our analysis on the copy rather than on the original.
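The copy-and-verify step described above, as an added example that is not ClearData's own code or tooling: the image is written block by block, a hash is computed over exactly the bytes written (the acquisition hash), and the stored image is later re-hashed to prove it has not changed. Unreadable sectors are zero-filled and recorded so the image keeps the original layout, which is how imaging tools generally handle them. The BadSectorSource class, the 512-byte block size and the sample "drive" contents are constructed for this example; a real acquisition reads the device through a write blocker.

```python
import hashlib
import io
from typing import BinaryIO, List, Tuple

BLOCK_SIZE = 512  # one sector; real imagers read larger chunks, but the logic is the same


class BadSectorSource:
    """Constructed stand-in for a drive with unreadable sectors (example only).

    It exists so the example can exercise the unreadable-sector path without
    real hardware; a real acquisition reads the device through a write blocker.
    """

    def __init__(self, data: bytes, bad_blocks=()):
        self._data = data
        self._bad = set(bad_blocks)
        self._pos = 0

    def read(self, size: int) -> bytes:
        block_index = self._pos // BLOCK_SIZE
        if block_index in self._bad:
            self._pos += size  # move past the bad sector so the imager can continue
            raise IOError(f"unreadable sector at block {block_index}")
        chunk = self._data[self._pos:self._pos + size]
        self._pos += len(chunk)
        return chunk


def acquire_image(source, dest: BinaryIO) -> Tuple[str, List[int]]:
    """Copy `source` to `dest` block by block.

    Unreadable blocks are zero-filled and their indices recorded. The SHA-256
    returned is the acquisition hash: it covers exactly the bytes written.
    """
    digest = hashlib.sha256()
    bad_blocks: List[int] = []
    block_index = 0
    while True:
        try:
            chunk = source.read(BLOCK_SIZE)
        except IOError:
            bad_blocks.append(block_index)
            chunk = b"\x00" * BLOCK_SIZE
        if not chunk:
            break
        dest.write(chunk)
        digest.update(chunk)
        block_index += 1
    return digest.hexdigest(), bad_blocks


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the stored image and compare with the hash recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def demo() -> dict:
    # Constructed 4 KiB "drive": eight sectors, sector i filled with the byte value i.
    media = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))

    # 1. Clean acquisition: the image is byte-for-byte the original.
    img = io.BytesIO()
    clean_hash, clean_bad = acquire_image(BadSectorSource(media), img)
    clean_image = img.getvalue()

    # 2. Drive with unreadable sector 3: the image is zero-filled there and the
    #    bad block list goes into the acquisition notes.
    img = io.BytesIO()
    damaged_hash, damaged_bad = acquire_image(BadSectorSource(media, bad_blocks={3}), img)
    damaged_image = img.getvalue()

    # 3. One byte of the working copy is altered: verification must fail.
    tampered = bytearray(clean_image)
    tampered[1000] ^= 0x01

    return {
        "clean_matches_original": clean_image == media,
        "clean_hash_matches_media": clean_hash == hashlib.sha256(media).hexdigest(),
        "clean_bad_blocks": clean_bad,
        "clean_verified": verify_image(clean_image, clean_hash),
        "damaged_bad_blocks": damaged_bad,
        "damaged_sector_zeroed": damaged_image[3 * BLOCK_SIZE:4 * BLOCK_SIZE] == b"\x00" * BLOCK_SIZE,
        "damaged_verified": verify_image(damaged_image, damaged_hash),
        "tampered_verified": verify_image(bytes(tampered), clean_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The acquisition hash and the list of unreadable sectors belong in the examination notes: the hash is what lets anyone later re-verify the image, and the bad-sector list explains why a damaged drive's image legitimately differs from the original media.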

Identification

In the initial phase, this has to do with identifying the possible containers of computer related evidence, such as hard drives, external devices, floppy disks, and log files to name a few.  A computer or hard drive itself is not evidence; it is a container of potential evidence.

Extraction

The analysis phase has to do with identifying the information and data that is pertinent to the situation at hand: sifting through gigabytes of information, conducting keyword searches, looking through log files, and so on.

Then any relevant evidence will need to be extracted from the working copy media and typically saved to another form of media as well as printed out.

Interpretation

This is important. Just about anyone can perform a computer forensics "analysis"; some of the tools available make it extremely easy. Being able to find evidence is one thing; the ability to properly interpret it is another story. Entire books could be written citing examples of computer forensics “experts” misinterpreting the results of a forensic analysis.

For example, the experts for the prosecution in a case using a popular tool identified a list of pornographic websites visited by the defendant.

When the experts for the defense examined the same evidence, they determined that the list was actually websites that the security software was blocking because they were known to propagate viruses and other malware and the defendant had not visited them.

The experts for the prosecution took for granted that their automated tool was accounting for every variable, a big mistake. These experts lacked the technical skills to authenticate their results, so they depended entirely on a single automated tool.

This leads to a very important lesson.  Results from any tool should always be thoroughly checked by someone versed in the underlying technology to be certain that what they see is what is really there.

In another case, the experts for the defense recovered reams of email that the prosecution experts did not find, simply because the prosecution experts did not know how to find it.

It is interesting to note that both the experts for the defense and the prosecution used the same primary tool in their analysis. The differences in what was found by one side versus the other, as well as the differences in interpretation, were due to the experience and education levels of the experts; they had nothing to do with the tool being used.

Documentation

Documentation needs to be kept from beginning to end.  This includes what is commonly referred to as a chain of custody form, as well as documentation pertinent to what is done during analysis.

Integrity of Evidence

This has to do with keeping control over everything related to the situation, including establishing and maintaining a chain of custody and making sure that nothing is altered in any way.
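A chain of custody is normally kept on a form, and this added example (not ClearData's own code or procedure) shows the same record kept as a tamper-evident log: each hand-off entry carries the evidence image's hash and the hash of the previous entry, so an edited, inserted or removed entry, or an image that no longer matches its acquisition hash, is detectable. The CustodyEntry fields, the hand-off names and timestamps, and the placeholder image hash are all constructed for this example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List

GENESIS = "0" * 64  # link value used by the first entry


@dataclass(frozen=True)
class CustodyEntry:
    """One hand-off of an evidence item. The field names are this example's own."""
    item_id: str
    evidence_sha256: str  # hash of the forensic image as verified at this hand-off
    released_by: str
    received_by: str
    timestamp: str        # ISO-8601, written by the handler
    purpose: str
    prev_entry_hash: str  # hash of the previous entry; links the record into a chain


def entry_hash(entry: CustodyEntry) -> str:
    """Canonical JSON of the entry, then SHA-256, so any edit changes the value."""
    canonical = json.dumps(asdict(entry), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(log: List[CustodyEntry], **fields) -> List[CustodyEntry]:
    """Add a hand-off, linking it to the current last entry."""
    prev = entry_hash(log[-1]) if log else GENESIS
    log.append(CustodyEntry(prev_entry_hash=prev, **fields))
    return log


def verify_log(log: List[CustodyEntry], image_sha256: str) -> List[str]:
    """Return a list of problems; an empty list means the record is consistent.

    Two checks: each entry must link to the hash of the one before it, and the
    evidence hash recorded at every hand-off must equal the acquisition hash.
    """
    problems = []
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry.prev_entry_hash != expected_prev:
            problems.append(f"entry {i}: link to previous entry does not match")
        if entry.evidence_sha256 != image_sha256:
            problems.append(f"entry {i}: evidence hash differs from acquisition hash")
        expected_prev = entry_hash(entry)
    return problems


def demo() -> dict:
    # Constructed values: a placeholder image hash and three hypothetical hand-offs.
    image_hash = hashlib.sha256(b"constructed forensic image").hexdigest()
    common = {"item_id": "ITEM-001", "evidence_sha256": image_hash}
    log: List[CustodyEntry] = []
    append_entry(log, **common, released_by="site contact", received_by="examiner A",
                 timestamp="2017-01-09T10:15:00", purpose="collection")
    append_entry(log, **common, released_by="examiner A", received_by="evidence locker",
                 timestamp="2017-01-09T16:40:00", purpose="secure storage")
    append_entry(log, **common, released_by="evidence locker", received_by="examiner B",
                 timestamp="2017-01-11T09:05:00", purpose="analysis")

    # Tampering after the fact: the second entry's recipient is changed in place,
    # which breaks the link stored in the third entry.
    edited = list(log)
    edited[1] = replace(edited[1], received_by="someone else")

    # A hand-off where the image no longer hashes to the acquisition value.
    altered_evidence = list(log)
    altered_evidence[2] = replace(altered_evidence[2], evidence_sha256="f" * 64)

    return {
        "intact": verify_log(log, image_hash),
        "edited_entry": verify_log(edited, image_hash),
        "altered_evidence": verify_log(altered_evidence, image_hash),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "consistent")
```

The chain only detects changes to entries that have a successor; the hash of the most recent entry should therefore be recorded somewhere the log itself cannot alter, such as on the signed paper form, so that the last entry is protected as well.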

Active, Archival, and Latent Data

In computer forensics, there are three types of data that we are concerned with - active, archival, and latent.

Active data is the information that you and I can see: data files, programs, and files used by the operating system. This is the easiest type of data to obtain.

Archival data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, or entire hard drives, to cite a few examples.

Latent (also called ambient) data is the information that one typically needs specialized tools to get at.  An example would be information that has been deleted or partially overwritten.

A computer investigation could entail looking at one or more of these data types, depending on the circumstances. Obtaining latent data is by far the most time-consuming and costly.
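The slack space mentioned under the opening discussion and the latent data described here, as an added example that is not ClearData's own code: a constructed toy volume reproduces the two file-system behaviours that leave latent data behind (a write only touches the bytes the file actually uses, and deletion removes the directory entry without touching the data), then shows what a normal user sees versus what a string search over file slack and unallocated clusters recovers. The ToyVolume class, the 4 KiB cluster size and the sample files (a deleted e-mail modelled on the "Lost Email" case below) are all constructed for this example.

```python
import re
from typing import Dict, List, Set

CLUSTER = 4096  # allocation unit size; 4 KiB is a common default


class ToyVolume:
    """Constructed model of a file system: a byte array of clusters plus a directory.

    Example only; it has no real on-disk format. It reproduces the two behaviours
    that create latent data: writes only touch the bytes a file actually uses, and
    deletion drops the directory entry without touching the data.
    """

    def __init__(self, clusters: int):
        self.disk = bytearray(CLUSTER * clusters)
        self.directory: Dict[str, tuple] = {}  # name -> (first_cluster, size)

    @staticmethod
    def clusters_for(size: int) -> int:
        return max(1, -(-size // CLUSTER))  # ceiling division, at least one cluster

    def write_file(self, name: str, first_cluster: int, data: bytes) -> None:
        start = first_cluster * CLUSTER
        self.disk[start:start + len(data)] = data  # the rest of the cluster is left as-is
        self.directory[name] = (first_cluster, len(data))

    def delete_file(self, name: str) -> None:
        del self.directory[name]  # data stays on disk until something reuses the clusters

    def read_file(self, name: str) -> bytes:
        """What the operating system shows a normal user (active data)."""
        first, size = self.directory[name]
        return bytes(self.disk[first * CLUSTER:first * CLUSTER + size])

    def allocated_clusters(self) -> Set[int]:
        used = set()
        for first, size in self.directory.values():
            used.update(range(first, first + self.clusters_for(size)))
        return used

    def file_slack(self) -> Dict[str, bytes]:
        """Bytes between each live file's last byte and the end of its last cluster."""
        out = {}
        for name, (first, size) in self.directory.items():
            end = first * CLUSTER + size
            cluster_end = (first + self.clusters_for(size)) * CLUSTER
            out[name] = bytes(self.disk[end:cluster_end])
        return out

    def unallocated(self) -> bytes:
        """Contents of every cluster that no live file owns."""
        total = len(self.disk) // CLUSTER
        used = self.allocated_clusters()
        free = [i for i in range(total) if i not in used]
        return b"".join(bytes(self.disk[i * CLUSTER:(i + 1) * CLUSTER]) for i in free)


def find_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Runs of printable ASCII, the usual first pass over slack and unallocated space."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def demo() -> dict:
    vol = ToyVolume(clusters=8)

    # Constructed deleted e-mail, modelled on the "Lost Email" case.
    email = (b"From: agent@example.com\n"
             b"Subject: Binder for barn policy\n"
             b"Coverage is bound effective today under policy BP-EXAMPLE-001.\n")
    vol.write_file("binder.eml", 1, email)
    vol.write_file("scratch.txt", 2, b"Reminder: call the agent about the barn.\n")

    # Both files are deleted; cluster 1 is then reused by a much smaller file, so the
    # e-mail is partially overwritten (its tail survives in the new file's slack) while
    # the note in cluster 2 survives whole in unallocated space.
    vol.delete_file("binder.eml")
    vol.delete_file("scratch.txt")
    vol.write_file("list.txt", 1, b"eggs, milk, flour")

    return {
        "active_view": vol.read_file("list.txt"),
        "slack_strings": find_strings(vol.file_slack()["list.txt"]),
        "unallocated_strings": find_strings(vol.unallocated()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The active view shows only the grocery list; the slack behind it still holds the subject line and the binding sentence of the deleted e-mail, and the unallocated cluster holds the whole deleted note. Real file systems add their own complications (compression, journaling, wear levelling on flash media), which is part of why recovering latent data is the costly step the text describes.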

Here are some examples of cases where forensics techniques and methodologies have been applied.

Medical Malpractice

In a medical malpractice/wrongful death suit, a computer was examined to extract evidence relevant to the decedent's part-time business. The information recovered was used to determine how much the decedent would have made had they lived another thirty or so years, and helped to determine the settlement amount for the surviving spouse.

Lost Email

A man had arranged for insurance on his new barn. Unfortunately, during the time between inadvertently deleting the email binding the insurance and receiving the paper policy, the barn came down and the insurance company denied coverage. An in-depth examination of the hard drive revealed enough of the deleted email to establish coverage.

Finding a Will

In this case, a decedent's computer was examined to determine whether it held any information relevant to a will. The decedent was a cryptologist, and many files had to be "cracked" because they were encrypted. Information was recovered that helped settle the decedent's estate.

Computer forensics is essentially the science of gathering and analyzing evidence to establish facts that can be presented in a legal proceeding. Its application requires an intimate understanding of the computer hardware, operating system, and software, while observing the rules of evidence to collect, analyze, and report on the evidence found. ClearData Forensics LLC has these skills.


Copyright © 2011-2017 ClearData Forensics LLC all rights reserved.  Reproduction in whole or in part in any form or medium without the expressed written permission of ClearData Forensics LLC is prohibited.  CyberSecurity Institute, CyberSecurity Forensic Analyst (CSFA) and CSFA logo are trademarks of CyberSecurity Institute, used by permission.