Computer Forensics Process
Computer forensics involves the meticulous preservation, identification, extraction, interpretation, and documentation of digital evidence. This field encompasses various procedures and methodologies, aiming to analyze data within and generated by computer systems to determine what occurred, when it happened, how it transpired, and who was involved.
Often, the data uncovered during a computer forensics investigation is not readily accessible or visible to the average user. This includes deleted files and fragments of data left in "slack space," the unused portion of the storage allocated to existing files, where remnants of earlier content can remain. Specialized skills and tools are essential to retrieve this type of information.
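The following is an added example, not code from the original article, illustrating what "slack space" means in practice. It constructs an in-memory stand-in for a 4096-byte allocation unit (cluster) holding a 1500-byte file, with remnants of a previously deleted document still sitting after the file's logical end; the helper names `slack_bytes` and `printable_strings`, the cluster size and the sample contents are all assumptions made for this illustration.

```python
# Constructed sample: one 4096-byte cluster (the filesystem allocation unit)
# holds a file whose logical size is 1500 bytes. Everything from byte 1500 to
# the end of the cluster is "slack" and still contains bytes from a deleted file.
CLUSTER_SIZE = 4096
FILE_SIZE = 1500


def build_sample_cluster() -> bytes:
    """Build the constructed cluster: new file data followed by old remnants."""
    old_content = (b"CONFIDENTIAL: previous document text that was deleted " * 80)[:CLUSTER_SIZE]
    new_content = (b"new file contents " * 100)[:FILE_SIZE]
    # The new file overwrote only its own 1500 bytes; the rest of the cluster
    # keeps whatever the previous occupant left behind.
    return new_content + old_content[FILE_SIZE:]


def slack_bytes(allocated: bytes, logical_size: int, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the bytes between the file's logical end and the end of its last cluster.

    `allocated` is the raw content of every cluster assigned to the file; this
    works for files spanning several clusters, not just the one-cluster sample.
    """
    if logical_size > len(allocated):
        raise ValueError("logical size exceeds the allocated data supplied")
    clusters = (logical_size + cluster_size - 1) // cluster_size
    allocated_end = clusters * cluster_size
    return allocated[logical_size:allocated_end]


def printable_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Extract runs of printable ASCII, in the spirit of the `strings` utility."""
    found, run = [], bytearray()
    for byte in data:
        if 32 <= byte < 127:
            run.append(byte)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    cluster = build_sample_cluster()
    active_view = cluster[:FILE_SIZE]          # what a normal file read returns
    slack = slack_bytes(cluster, FILE_SIZE)    # what only a forensic tool sees
    print(f"active data: {len(active_view)} bytes, slack: {len(slack)} bytes")
    for s in printable_strings(slack):
        print("recovered from slack:", s[:60])
```

Reading the file through the operating system returns only the first 1500 bytes; the remaining 2596 bytes of the cluster are invisible to ordinary tools but are exactly where latent data is recovered from.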
Typically, computer forensics is employed reactively to investigate potential crimes or violations. However, it is increasingly being used proactively for continuous monitoring of electronic media and as part of the debriefing process when employees leave a company.
Types of Data in Computer Forensics
In computer forensics, we deal with three primary types of data: active, archival, and latent.
- Active Data: This is visible information, including data files, programs, and operating system files. It is the easiest type of data to access.
- Archival Data: This refers to backed-up and stored data, such as backup tapes, CDs, floppies, or entire hard drives.
- Latent Data: This is data that typically requires specialized tools to access, such as deleted or partially overwritten information. Recovering latent data is the most time-consuming and expensive part of a forensic examination.
Goals and Phases of Computer Forensics
The primary objective of computer forensics is to gather proof of illegal activities or policy breaches that can lead to prosecution. The process involves several critical phases:
- Initial Consultation: Discussing suspicions and concerns regarding potential abuse.
- Data Harvesting: Collecting all relevant electronic data.
- Violation Identification: Identifying any violations or areas of concern.
- Evidence Protection: Ensuring the integrity of the evidence.
- Evidence Verification: Confirming that the evidence is qualified and verifiable.
- Reporting: Delivering a detailed report with the examiner's findings and comments.
If you suspect an issue, it's crucial to act swiftly, as digital evidence can be easily destroyed. Seeking confidential advice from a Certified Computer Forensic Examiner is recommended, as handling the situation independently can be risky and may have significant consequences. Ensuring evidential integrity is paramount, and shortcuts should be avoided.
Forensic Examination Process
A proper forensic analysis of computer systems can yield valuable evidence that might otherwise be lost. However, incorrect handling of this process can lead to the dismissal of cases against guilty parties. The steps in a forensic examination are as follows:
- Establish Chain of Custody: Ensuring the examiner knows the location of all items related to the investigation at all times. Secure storage, such as a safe or cabinet, is often used.
- Catalog Information: Documenting active, archival, and latent data. Deleted information is recovered as much as possible, encrypted and password-protected data is identified, and any attempts to hide or obfuscate data are noted. The original media's integrity is maintained by creating an exact copy of the hard drive image and authenticating it against the original.
- Gather Additional Sources: Collecting additional information as needed, including logs from firewalls, proxy servers, Kerberos servers, and sign-in sheets.
- Analyze and Interpret Data: Determining possible evidence, including both exculpatory (evidence indicating innocence) and inculpatory (evidence indicating guilt) elements. Encrypted files and password-protected files are cracked if necessary.
- Report Findings: Submitting a written report to the client detailing the examiner's findings and comments.
- Expert Testimony: Providing expert witness testimony at depositions, trials, or other legal proceedings if required.
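The chain-of-custody and cataloging steps above both rest on one technical control: the working copy of the media must be authenticated against the original, and every handling event recorded. The example below is added here and is not the article's own material; it hashes an image in fixed-size chunks (so it works for images larger than memory), compares a copy against the original, and appends a custody log entry. The function names, the JSON log format and the in-memory sample images are assumptions for the illustration; real images would be read from the acquired image files with `hash_file`.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Iterable

CHUNK = 1 << 20  # 1 MiB read size; keeps memory flat for multi-GB images


def hash_stream(chunks: Iterable[bytes]) -> str:
    """SHA-256 over an iterable of byte chunks, returned as lowercase hex."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data: bytes) -> str:
    """Hash an in-memory image, feeding it to hash_stream in CHUNK-sized pieces."""
    return hash_stream(data[i:i + CHUNK] for i in range(0, len(data), CHUNK))


def hash_file(path: str) -> str:
    """Hash an on-disk image file without loading it whole."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(CHUNK), b""))


def verify_copy(original_digest: str, copy_digest: str) -> bool:
    """A copy is authenticated only if its digest matches the original's exactly."""
    return original_digest.lower() == copy_digest.lower()


def custody_entry(item_id: str, action: str, handler: str, location: str, digest: str) -> dict:
    """One chain-of-custody record: who did what to which item, where, when, and its hash."""
    return {
        "item": item_id,
        "action": action,
        "handler": handler,
        "location": location,
        "sha256": digest,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def append_custody_log(log: list, entry: dict) -> list:
    """Append-only: a new list is returned so earlier records are never rewritten."""
    return log + [entry]


if __name__ == "__main__":
    # Constructed stand-ins for an original drive and its forensic copy.
    original = b"\x00" * 3000 + b"evidence sector contents" + b"\xff" * 2000
    good_copy = bytes(original)
    bad_copy = original[:3010] + b"X" + original[3011:]  # one byte altered

    ref = hash_bytes(original)
    log = append_custody_log([], custody_entry("HD-001", "acquired", "examiner", "evidence safe 2", ref))
    for name, copy in (("good", good_copy), ("bad", bad_copy)):
        digest = hash_bytes(copy)
        ok = verify_copy(ref, digest)
        log = append_custody_log(log, custody_entry(f"HD-001-{name}", "verified" if ok else "REJECTED",
                                                    "examiner", "lab bench", digest))
        print(f"{name} copy: {'authenticated' if ok else 'mismatch, do not analyze'}")
    print(json.dumps(log, indent=2))
```

Analysis always proceeds on a copy whose digest matches the original's; a mismatch, even by one byte, means the copy is rejected and re-acquired, and the rejection itself is logged so the record of custody stays complete.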