
Computer forensics

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Vmanoussos (talk | contribs) at 18:06, 29 October 2010. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Computer forensics analysis is not limited only to computer media

Computer forensics (sometimes computer forensic science[1]) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.

The goal of computer forensics is to explain the current state of a digital artifact, such as a computer system, a storage medium (e.g. hard disk or CD-ROM), or an electronic document (e.g. an email message or JPEG image).[2] The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events.

Use as evidence

As well as the normal requirements for digital evidence, a number of guidelines and practices exist specifically for computer forensics.

In order to maintain the integrity of digital evidence, British examiners follow guidelines issued by the Association of Chief Police Officers (ACPO).[3][4] The guidelines consist of four principles:

  1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
  2. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
  3. An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
  4. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

However the use of these "guidelines" is a voluntary action. They are widely accepted in courts of England and Scotland, but they do not constitute a legal requirement.
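Principles 1 and 3 above come down to two habits: never write to the original, and record every step in a form a third party can repeat. The following is an added example, not code from the article or from ACPO; it stands in for a device with an ordinary file, and all paths and data are constructed.

```python
# Added example (not from the article): a minimal acquisition log that supports
# ACPO principles 1 and 3. The source is opened read-only and only copied; every
# step is recorded with a SHA-256 digest so an independent examiner can rerun
# the check and get the same result. All paths and data are constructed.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def log_entry(action, target, result):
    """One audit-trail record: what was done, to what, with what outcome."""
    return {"time": datetime.now(timezone.utc).isoformat(), "action": action,
            "target": os.path.basename(target), "result": result}


def acquire(source, image, log):
    """Copy `source` byte for byte into `image`. The source is only ever opened
    for reading (principle 1); the hashes of both sides are logged (principle 3).
    Returns True when the image hash matches the source hash."""
    src_hash = sha256_file(source)
    log.append(log_entry("hash_source", source, src_hash))
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    img_hash = sha256_file(image)
    log.append(log_entry("hash_image", image, img_hash))
    log.append(log_entry("compare", image,
                         "match" if src_hash == img_hash else "MISMATCH"))
    return src_hash == img_hash


def verify(image, log):
    """Independent re-check: recompute the image digest and compare it with the
    value recorded at acquisition. Anyone holding the log can repeat this."""
    recorded = next(e["result"] for e in log if e["action"] == "hash_image")
    return sha256_file(image) == recorded


def demo():
    """Acquire a constructed 'device', verify the image, then show that a
    one-byte change to the image is caught by the recorded hash."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect_device.bin")  # stands in for a block device
    image = os.path.join(work, "suspect_device.dd")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 16)  # 4 KiB of deterministic sample data
    log = []
    acquired_ok = acquire(source, image, log)
    intact = verify(image, log)
    with open(image, "r+b") as f:  # simulate post-acquisition alteration
        f.seek(100)
        f.write(b"X")              # offset 100 holds 0x64, so this changes it
    still_intact = verify(image, log)
    return acquired_ok, intact, still_intact, log


if __name__ == "__main__":
    ok, intact, after_change, log = demo()
    print(f"acquired={ok} verified={intact} verified_after_change={after_change}")
    for e in log:
        print(e["time"], e["action"], e["target"], e["result"][:16])
```

In real work the "source" would be a device opened through a write-blocker (see the photo in the Forensic process section) and the log would also carry who did it, which tool and version, and the device serial; the mechanism is the same: the recorded digest lets anyone else reproduce the check.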

Examples

Computer forensics has played a pivotal role in many cases.

BTK Killer
Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest.
Joseph E. Duncan III
A spreadsheet recovered from Duncan's computer contained evidence which showed him planning his crimes. Prosecutors used this to show premeditation and secure the death penalty.[5]
Sharon Lopatka
Hundreds of emails on Lopatka's computer led investigators to her killer, Robert Glass.[6]

Forensic process

A portable Tableau write-blocker attached to a Hard Drive

Computer forensic investigations usually follow the standard digital forensic process.[6] Traditionally, investigations are performed on static data (i.e. acquired images) rather than "live" systems. Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.[citation needed]

Volatile data

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost.[5]

RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate. The length of time for which data recovery is possible is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.[7]

Techniques

Cross-drive analysis
A forensic technique that correlates information found on multiple hard drives. The technique, which is still being researched, can be used for identifying social networks and for performing anomaly detection.[8][9]
Live analysis
The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.[10]
Deleted files
A common technique used in computer forensics is the recovery of deleted files. Most modern forensic software has its own tools for recovering or carving out deleted data.[11]
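The cross-drive analysis entry above describes correlating information across several drives, as in Garfinkel's feature-extraction work [8]. The following is an added example, not code from the article or from Garfinkel's tools: it pulls one kind of pseudo-unique feature (e-mail addresses) from raw images, links drives that share features, and discounts features that appear almost everywhere (vendor or system addresses) since those say nothing about who knew whom. The drive contents are constructed.

```python
# Added example (not from the article): the core of cross-drive analysis.
# Features are extracted from raw bytes, so text in unallocated or slack
# space is found too; drives sharing a feature are then scored as linked.
import re
from collections import defaultdict
from itertools import combinations

# Deliberately simple address pattern; bytes-level so it runs over raw images.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Constructed drive images: fragments of mail and contact data with filler bytes.
SAMPLE_DRIVES = {
    "drive_A": b"\x00\x00From: alice@example.net\r\nTo: Bob <bob@example.org>\r\n\xff\xfe"
               b"newsletter noreply@vendor.example\x00",
    "drive_B": b"\x10contacts: ALICE@example.net; bob@example.org; carol@example.com\x00"
               b"noreply@vendor.example",
    "drive_C": b"\x00\x00Carol <carol@example.com>\x00 support noreply@vendor.example \xff",
}


def extract_features(raw):
    """Return the set of e-mail addresses (lower-cased) found anywhere in `raw`."""
    return {m.group(0).lower().decode("ascii") for m in EMAIL_RE.finditer(raw)}


def cross_drive_analysis(drives, max_share=0.75):
    """Index features by the drives they occur on and score drive pairs by the
    number of features they share. A feature present on more than `max_share`
    of all drives is treated as ubiquitous and excluded from scoring."""
    index = defaultdict(set)
    for name, raw in drives.items():
        for feat in extract_features(raw):
            index[feat].add(name)
    limit = max_share * len(drives)
    shared = {f: sorted(d) for f, d in index.items() if 1 < len(d) <= limit}
    ubiquitous = sorted(f for f, d in index.items() if len(d) > limit)
    scores = defaultdict(int)
    for drive_names in shared.values():
        for a, b in combinations(sorted(drive_names), 2):
            scores[(a, b)] += 1
    return shared, dict(scores), ubiquitous


if __name__ == "__main__":
    shared, scores, ubiquitous = cross_drive_analysis(SAMPLE_DRIVES)
    for feat, drives in shared.items():
        print(f"{feat:28} on {', '.join(drives)}")
    for pair, n in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]} <-> {pair[1]}: {n} shared feature(s)")
    print("ignored as ubiquitous:", ubiquitous)
```

The pair score is a crude stand-in for the rarity-weighted correlation used in the research; the point it shows is that the useful signal comes from features that are rare across the corpus, not from the ones every drive carries.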
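"Carving out" deleted data, as mentioned under Deleted files, usually means scanning a raw image for file signatures without consulting the filesystem at all, since a deleted file's directory entry is gone but its blocks often are not. The following is an added example, not code from the article or from any forensic product: a header/footer carver for JPEG images run over a constructed disk image that includes one header whose body was overwritten.

```python
# Added example (not from the article): header/footer carving of JPEG images
# from a raw image. The disk contents are constructed; the filler bytes contain
# no 0xFF so they cannot produce false markers.
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker followed by the first segment marker
JPEG_EOI = b"\xff\xd9"      # end-of-image marker

FILLER = bytes(i % 251 for i in range(512))  # values 0x00..0xFA only: never 0xFF
FAKE_JPEG_1 = JPEG_SOI + b"\xe0" + b"JFIF sample one " * 8 + JPEG_EOI
FAKE_JPEG_2 = JPEG_SOI + b"\xe0" + b"JFIF sample two " * 12 + JPEG_EOI
ORPHAN_HEADER = JPEG_SOI + b"\xe1" + b"Exif body overwritten"  # no footer follows


def build_sample_image():
    """Constructed raw 'disk': two intact images (think of the second one as
    having lost its directory entry) and a header whose remainder is gone."""
    return (FILLER + FAKE_JPEG_1 + FILLER + FAKE_JPEG_2 + FILLER
            + ORPHAN_HEADER + FILLER[:64])


def carve_jpegs(raw, max_size=10 * 1024 * 1024):
    """Return [(offset, data)] for every SOI..EOI run in `raw`.

    No filesystem metadata is used, which is why this recovers deleted files.
    A header with no footer within `max_size` bytes is skipped rather than
    carved, so a truncated or overwritten file does not swallow the next one."""
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:
            pos = start + 1  # orphaned header: move on
            continue
        end += len(JPEG_EOI)
        found.append((start, raw[start:end]))
        pos = end
    return found


if __name__ == "__main__":
    for offset, data in carve_jpegs(build_sample_image()):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
```

Real carvers (Scalpel, foremost, PhotoRec) add sanity checks on the carved bytes, handle fragmented files, and know many more signatures; this block shows only the header/footer principle they share.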

Analysis tools

A number of open source and commercial tools exist for computer forensics investigation.

Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.[citation needed]

Certifications

There are several computer forensics certifications available. Many state laws in the United States require computer forensic expert witnesses to have a professional certification or a private investigator's license.[citation needed]

Common certifications

  • Certified Ethical Hacker - offered by EC-Council.[18]

Other computer forensic software companies offer product specific certifications, such as the EnCase Certified Examiner (EnCE) certification and the AccessData ACE certification.

References

  1. ^ Michael G. Noblett (2000). "Recovering and examining computer forensic evidence". Retrieved 26 July 2010.
  2. ^ A. Yasinsac (2003). "Computer forensics education". IEEE Security & Privacy. Retrieved 26 July 2010.
  3. ^ Pollitt, M. M. "Report on digital evidence". Retrieved 24 July 2010.
  4. ^ "ACPO Good Practice Guide for Computer-Based Evidence" (PDF). ACPO. Retrieved 24 July 2010.
  5. ^ a b Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 0123742676. Retrieved 27 August 2010.
  6. ^ a b Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
  7. ^ J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten (2008-02-21). "Lest We Remember: Cold Boot Attacks on Encryption Keys". Princeton University. Retrieved 2009-11-20.
  8. ^ Garfinkel, S. (2006). "Forensic Feature Extraction and Cross-Drive Analysis" (PDF).
  9. ^ "EXP-SA: Prediction and Detection of Network Membership through Automated Hard Drive Analysis".
  10. ^ Maarten Van Horenbeeck. "Technology Crime Investigation". Retrieved 18 August 2010.
  11. ^ Aaron Phillip (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 0071626778. Retrieved 27 August 2010.
  12. ^ "GIAC Certified Forensic Analyst (GCFA)". Retrieved 31 July 2010.
  13. ^ "2,146 GCFA Credentials Granted - 199 GCFA Gold". Retrieved 31 July 2010.
  14. ^ "International Society of Forensic Computer Examiners". Retrieved 23 August 2010.
  15. ^ Information Assurance Certification Review Board.
  16. ^ International Association of Computer Investigative Specialists, official website.
  17. ^ IFS Education Department, official website.
  18. ^ EC-Council, official website.

Further reading

  • Benton, David; Grindstaff, Frank. A Practice Guide to Computer Forensics, First Edition (Paperback).
  • Casey, Eoghan (2008). "The impact of full disk encryption on digital forensics". Operating Systems Review. 42 (3): 93–98. doi:10.1145/1368506.1368519.
  • Prosise, Chris; Mandia, Kevin; Pepe, Matt. Incident Response and Computer Forensics, Second Edition (Paperback).