(forensic science) The study of evidence from attacks on computer systems in order to learn what has occurred, how to prevent it from recurring, and the extent of the damage.
Computer forensics
| Sci-Tech Dictionary: computer forensics |
(kəm¦pyüd·ər fə′ren·ziks)
| 5min Related Video: Computer forensics |
| Computer Desktop Encyclopedia: computer forensics |
The investigation of a computer system believed to be involved in cybercrime. Forensic software provides a variety of tools for investigating a suspect PC. Such programs may include a function that copies the entire hard drive to another system for inspection, allowing the original to remain unaltered.
Another utility compares file extensions to the data content in order to determine if files have been camouflaged with phony file extensions. For example, an image file might be renamed as a text document and vice versa.
Network Forensics
In order to identify attacks, "network forensics" deals with the capture and inspection of packets passing through a selected node in the network. Packets can be inspected on the fly or stored on disk for later analysis. See forensically clean, slack space, write blocker, file wipe, IDS, Internet forensics and security event management software.
NIST Phases
The National Institute of Standards and Technology "Guide to Integrating Forensic Techniques into Incident Responses" covers four phases, which are briefly summarized below. For the complete 121-page NIST publication, download draft SP 800-86 at http://csrc.nist.gov/publications/nistpubs. 1 - Collection: Identify, label, record and acquire data from possible sources, while preserving the integrity of the data. 2 - Examination: Use manual and automated methods to assess and extract data of particular interest, while preserving the integrity of the data. 3 - Analysis: Use legally justifiable methods and techniques to derive useful information. 4 - Reporting: Describe actions used, explain how tools and procedures were selected, determine what other actions need to be performed, including forensic examination of additional data sources, securing identified vulnerabilities and improving existing security controls. Recom
Download Computer Desktop Encyclopedia to your iPhone/iTouch
| Wikipedia: Computer forensics |
| Forensic science |
 |
| Physiological sciences |
| Forensic pathology Forensic dentistry Forensic anthropology Forensic entomology Forensic archaeology |
| Social sciences |
| Forensic psychology Forensic psychiatry |
| Other specializations |
| Fingerprint analysis Forensic accounting Ballistics Body identification DNA profiling Forensic arts Forensic toxicology Forensic footwear evidence Questioned document examination |
| Cybertechnology |
| Information forensics Computer forensics |
| Related disciplines |
| Forensic engineering Forensic linguistics Forensic materials engineering Forensic polymer engineering Fire investigation Vehicular accident reconstruction |
| People |
| Auguste Ambroise Tardieu Edmond Locard Bill Bass |
| Related articles |
| Crime scene CSI effect Trace evidence Skid mark Use of DNA in forensic entomology |
Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. Computer forensics is also known as digital forensics.
The goal of computer forensics is to explain the current state of a digital artifact. The term digital artifact can include a computer system, a storage medium (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network. The explanation can be as straightforward as "what information is here?" and as detailed as "what is the sequence of events responsible for the present situation?"[1]
The field of computer forensics also has sub branches within it such as firewall forensics, network forensics, database forensics and mobile device forensics.
There are many reasons to employ the techniques of computer forensics:
- In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
- To recover data in the event of a hardware or software failure.
- To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
- To gather evidence against an employee that an organization wishes to terminate.
- To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.
Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator---and ultimately to the court. In order to comply with the need to maintain the integrity of digital evidence, British examiners comply with the Association of Chief Police Officers (A.C.P.O.) guidelines[2]. These are made up of four principles as follows:-
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Contents |
The Forensic Process
There are five basic steps to the computer forensics:[3]
- Preparation (of the investigator, not the data)
- Collection (the data)
- Examination
- Analysis
- Reporting
The investigator must be properly trained to perform the specific kind of investigation that is at hand.
Tools that are used to generate reports for court should be validated. There are many tools to be used in the process. One should determine the proper tool to be used based on the case.
Collecting Digital Evidence
Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROM, USB memory devices, and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved as they are subject to change).
Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken. For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.
Other specific practices that have been adopted in the handling of digital evidence include:
- Imaging computer media using a writeblocking tool to ensure that no data is added to the suspect device.
- Establish and maintain the chain of custody.
- Documenting everything that has been done.
- Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys and methodology. Forensic analysis is much easier when analysts have the user's passphrases to access encrypted files, containers, and network servers.
In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases) special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data. Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.
Live vs. Static analysis
Traditionally computer forensic investigations were performed on data at rest, for example, the content of hard drives. This can be thought of as a static analysis. Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.
In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive; the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys to decrypt the storage are in the computer's memory, turning off the computer will cause that information to be lost.
Imaging electronic media (evidence)
The process of creating an exact duplicate of the original evidentiary media is often called Imaging. Using a standalone hard-drive duplicator or software imaging tools such as DCFLdd, IXimager or Guymager, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. The original drive is then moved to secure storage to prevent tampering. During imaging of static data, a write protection device or application is normally used to prevent changes from being introduced to the evidentiary media during image acquisition.
The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still viable algorithms such as MD5. At critical points throughout the analysis, the media is verified again, known as "hashing", to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them. Instead, the defensibility of the evidence often relies on a consistent and appropriate process. However, hash verification is essential for evidence that will be presented in a court room.
Collecting Volatile Data
If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.
Several Open Source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and open or mounted encrypted files (containers) on the live computer system. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. Open Source tools for PCs include Knoppix, Helix and DEFT Linux. Commercial imaging tools include Access Data's Forensic Toolkit and Guidance Software's EnCase application.
The aforementioned Open Source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally these tools can also yield login/password for recently accessed local email applications including MS Outlook.
In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down.
RAM can be analyzed for prior content after power loss. Although as production methods become cleaner the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time are more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increases. Holding unpowered RAM below − 60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.
Analysis
All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic collection and analysis tools include: AccessData's FTK, Guidance Software's EnCase, Technology Pathways' ProDiscover, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information.
Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.
Reporting
Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.
Comparison to Physical Forensics
There are many core differences between computer forensics and "physical forensics." [1] At the highest level, the physical forensic sciences focus on identification and individualization. Both of these processes compare an item from a crime scene with other substances to identify the class of the item (i.e. is the red liquid fruit juice or blood?) or the source of the item (i.e. did this blood come from person X?). Computer forensics on the other hand focuses on finding the evidence and analyzing it. Therefore, it is more analogous to a physical crime scene investigation[4] than the physical forensic processes.
Computer Forensics Certifications
There are several computer forensics certifications available. Many state laws in the United States require computer forensic expert witnesses to have a professional certification or a private investigator's license.
The IACRB sponsors the Certified Computer Forensics Examiner (CCFE) certification. The test candidate must pass a multiple choice exam with a score of 70% or higher. Candidates that pass the multiple choice exam are then given mock evidence files in the form of a computer image. These files must be analyzed and then a report must be submitted for grading. There are over 1000 CCFEs certified as of July, 2009.
Other computer forensic software companies offer product specific certifications, such as the Encase Certified Examiner (EnCE) certification and the AccessData ACE certification.
Examples of Computer forensics
Computer forensics has played a pivotal role in many cases.
BTK Killer
Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest.
Aside from uncovering evidence to assist the prosecution in high-profile murder cases, an in-depth knowledge of computer forensics is integral when presenting digital evidence for legal proceedings.
See also
- Counter forensics
- Cross-drive analysis
- Cryptanalysis
- Data recovery
- Data remanence
- Disk encryption
- Electronic discovery
- Encryption
- Hidden file and hidden directory
- Information forensics
- Information technology audit
- MAC times
- Steganalysis
- United States v. Arnold
References
- ^ http://cqresearcherblog.blogspot.com/2009/07/examining-forensics.html Examining Forensics. CQ Researcher Blog
- ^ ACPO guidelines - http://www.acpo.police.uk/asp/policies/Data/ACPO%20Guidelines%20v18.pdf
- ^ Electronic Crime Scene Investigation Guide: A Guide for First Responders, National Institute of Justice, 2001. http://www.ncjrs.gov/pdffiles1/nij/187736.pdf
- ^ Brian Carrier, Eugene H. Spafford Getting Physical with the Digital Investigation Process International Journal of Digital Evidence Fall 2003, Volume 2, Issue 2
Related Journals
- Journal of Digital Forensics, Security and Law
- International Journal of Digital Crime and Forensics
- Journal of Digital Investigation
- International Journal of Digital Evidence
- International Journal of Forensic Computer Science
- Journal of Digital Forensic Practice
- Cryptologia
- Small Scale Digital Device Forensic Journal
- The Journal of Applied Digital Forensics and eDiscovery
Further reading
- Casey, Eoghan; Stellatos, Gerasimos J. (2008). "The impact of full disk encryption on digital forensics". Operating Systems Review 42 (3): 93–98. doi:.
Incident Response and Computer Forensics, Second Edition (Paperback) by Chris Prosise (Author), Kevin Mandia (Author), Matt Pepe (Author) "Truth is stranger than fiction..." (more)
A Practice Guide to Computer Forensics, First Edition (Paperback) by David Benton (Author), Frank Grindstaff (Author)
External links
- US NIST Digital Data Acquisition Tool Specification (PDF)
- Forensics Wiki, a Creative Commons wiki of computer forensics information.
- Computer Forensics World Forum
- IT Crime Investigation: An overview of techniques
- Original Computer Forensics Wiki
- Electronic Evidence Information Center
- Forensic Focus
- Digital Forensic Research Workshop (DFRWS)
This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)
Learn More
 | write blocker (technology) |
| forensically clean (technology) |
| Internet forensics (technology) |
 | Computer forensic salaries? Read answer... |
| How much money does a computer forensic specialist make? Read answer... |
| Can computer forensics be used when no crime is committed? Read answer... |
Help us answer these
 | What is forensic computer and digital analysis? |
| What is csi computer forensic? |
| What is a computer forensics in french? |
Post a question - any question - to the WikiAnswers community:
Copyrights:
 |
 | Sci-Tech Dictionary. McGraw-Hill Dictionary of Scientific and Technical Terms. Copyright © 2003, 1994, 1989, 1984, 1978, 1976, 1974 by McGraw-Hill Companies, Inc. All rights reserved. Read more |
 |
| Computer Desktop Encyclopedia. THIS COPYRIGHTED DEFINITION IS FOR PERSONAL USE ONLY. All other reproduction is strictly prohibited without permission from the publisher. © 1981-2009 Computer Language Company Inc. All rights reserved. Read more |
 |
| Wikipedia. This article is licensed under the Creative Commons Attribution/Share-Alike License. It uses material from the Wikipedia article "Computer forensics". Read more |
Related answers
- What is the Salary for a computer forensic investigator?
- Conclusion for computer forensics?
- How much can you earn in computer forensics?
ADVERTISEMENT
Answer these
- What is forensic computing?
- What is computer forensic?
- History of computer forensics?
- The challenges of computer forensic in the judiciary?
Mentioned in
- write blocker (technology)
- forensically clean (technology)
- Internet forensics (technology)
- slack space (technology)
- Kroll Inc. (Subsidiary Company)
- Kroll Ontrack Inc. (Subsidiary Company)
- Guidance Software Inc
- EC-Council certification (technology)
- Computer and Electronic Data Destruction (intelligence)
- First Advantage Corp
- NIST Computer Security Division, United States (intelligence)
- First American Corp
- Mantech International Corp
- Reynaldo Anzaldua Jr.
