Computer forensics

Computer forensics (sometimes known as computer forensic science^[1]) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high profile cases and is becoming widely accepted as reliable within US and European court systems.

Overview

In the early 1980s personal computers became more accessible to consumers leading to their increased use in criminal activity (for example, to help commit fraud). At the same time, several new "computer crimes" were recognized (such as hacking). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Today it is used to investigate a wide variety of crime, including child pornography, fraud, cyberstalking, murder and rape. The discipline also features in civil proceedings as a form of information gathering (for example, Electronic discovery)

Forensic techniques and expert knowledge are used to explain the current state of a digital artifact; such as a computer system, storage medium (e.g. hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image).^[2] The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. In a 2002 book Computer Forensics authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data".^[3] They go on to describe the discipline as "more of an art than a science", indicating that forensic methodology is backed by flexibility and extensive domain knowledge.

Use as evidence

In court computer forensic evidence is subject to the usual requirements for digital evidence; requiring information to be authentic, reliably obtained and admissible. Different countries have specific guidelines and practices for the recovery of evidence. In the United Kingdom examiners often follow guidelines from the Association of Chief Police Officers which help ensure the authenticity and integrity of evidence. While the guidelines are voluntary they are widely accepted in courts of Wales, England and Scotland.

Computer forensics has been used as evidence in criminal law since the mid 1980s, some notable examples include:^[4]

BTK Killer: Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest.

Joseph E. Duncan III: A spreadsheet recovered from Duncan's computer contained evidence which showed him planning his crimes. Prosecutors used this to show premeditation and secure the death penalty.^[5]

Sharon Lopatka: Hundreds of emails on Lopatka's computer lead investigators to her killer, Robert Glass.^[4]

Corcoran Group: This case confirmed parties' duties to preserve digital evidence when litigation has commenced or is reasonably anticipated. Hard drives were analyzed by a Computer Forensics expert and could not find relevant emails which the Defendants should have. Although no evidence of deletion on the hard drives were found, evidence came out before the Court that the Defendants were found to have intentionally destroyed emails, misled and failed to disclose material facts to the Plaintiffs and the Court.

UK Employment Tribunals.

The last decade we have seen an increase of digital evidence being used in Employment Tribunals in the UK. In a recent case, in Tracy Kennedy v Greater Glasgow NHS Trust, digital evidence was used to dismiss Ms Kennedy, but the same evidence was used to prove her innocence. Not only that, but the same evidence interpreted correctly proved beyond any reasonable doubt that the dismissal was wrongful and unfair. It was used by HR people who did not understand it. Several white papers exist with regards to Employment Tribunals and Computer Forensics.^[6]

Forensic process

Computer forensic investigations usually follow the standard digital forensic process (acquisition, analysis and reporting).^[4] Investigations are performed on static data (i.e. acquired images) rather than "live" systems. This is a change from early forensic practices which, due to a lack of specialist tools, saw investigations commonly carried out on live data.

Techniques

A number of techniques are used during computer forensics investigations.

Cross-drive analysis: A forensic technique that correlates information found on multiple hard drives. The process, which is still being researched, can be used for identifying social networks and for performing anomaly detection.^[7]^[8]

Live analysis: The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.^[9]

Deleted files: A common technique used in computer forensics is the recovery of deleted files. Modern forensic software have their own tools for recovering or carving out deleted data.^[10] Most operating systems and file systems do not always erase physical file data, allowing it to be reconstructed from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.

Volatile data

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost.^[5] One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool, windd, WindowsSCOPE) prior to removing an exhibit.

RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate. The length of time for which data recovery is possible is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.^[11]

Analysis tools

A number of open source and commercial tools exist for computer forensics investigation. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.^[4]

Certifications

There are several computer forensics certifications available. Many state laws in the United States require computer forensic expert witnesses to have a professional certification or a private investigator's license.

In the UK there are no direct legal requirements for a computer forensics expert. However the ACPO (ACPO Guideline Compliance in the UK)Guidelines and its four (4) principles are widely accepted as the best practice. ^{[citation needed]}

References

^ Michael G. Noblett (2000). "Recovering and examining computer forensic evidence". Retrieved 26 July 2010. {{cite web}}: Unknown parameter |coauthors= ignored (|author= suggested) (help); Unknown parameter |month= ignored (help)
^ A Yasinsac (2003). "Computer forensics education". IEEE Security & Privacy. Retrieved 26 July 2010. {{cite web}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
^ Warren G. Kruse (2002). Computer forensics: incident response essentials. Addison-Wesley. p. 392. ISBN 0201707195. Retrieved 6 December 2010. {{cite book}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
^ ^a ^b ^c ^d Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
^ ^a ^b Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 0123742676. Retrieved 27 August 2010.
^ Cite error: The named reference Tribunals was invoked but never defined (see the help page).
^ Garfinkel, S. (2006). "Forensic Feature Extraction and Cross-Drive Analysis" (PDF). {{cite web}}: Unknown parameter |month= ignored (help)
^ "EXP-SA: Prediction and Detection of Network Membership through Automated Hard Drive Analysis".
^ Maarten Van Horenbeeck (24). "Technology Crime Investigation". Retrieved 18 August 2010. {{cite web}}: Check date values in: |date= and |year= / |date= mismatch (help); Unknown parameter |month= ignored (help)
^ Aaron Phillip (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 0071626778. Retrieved 27 August 2010. {{cite book}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
^ J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten (2008-02-21). "Lest We Remember: Cold Boot Attacks on Encryption Keys". Princeton University. Retrieved 2009-11-20. {{cite journal}}: Cite journal requires |journal= (help)CS1 maint: multiple names: authors list (link)

^[1]

External links

US NIST Digital Data Acquisition Tool Specification (PDF)
Forensics Wiki, a Creative Commons wiki of computer forensics information.
Computer Forensics World Forum
Original Computer Forensics Wiki
Electronic Evidence Information Center
Forensic Focus
Digital Forensic Research Workshop (DFRWS)
Computer Forensic Whitepapers (SANS)
Forensic Science Information and Resources

gr:Εγκληματολογική Ανάλυση Υπολογιστων

^ "White Paper: Employment Tribunals and the use of Digital Evidence" (PDF).

[noblett-1] Michael G. Noblett (2000). "Recovering and examining computer forensic evidence". Retrieved 26 July 2010. {{cite web}}: Unknown parameter |coauthors= ignored (|author= suggested) (help); Unknown parameter |month= ignored (help)

[cf-education-2] A Yasinsac (2003). "Computer forensics education". IEEE Security & Privacy. Retrieved 26 July 2010. {{cite web}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)

[kruse-3] Warren G. Kruse (2002). Computer forensics: incident response essentials. Addison-Wesley. p. 392. ISBN 0201707195. Retrieved 6 December 2010. {{cite book}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)

[casey-4] Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.

[handbook-5] Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 0123742676. Retrieved 27 August 2010.

[Tribunals-6] Cite error: The named reference Tribunals was invoked but never defined (see the help page).

[garfinkel-7] Garfinkel, S. (2006). "Forensic Feature Extraction and Cross-Drive Analysis" (PDF). {{cite web}}: Unknown parameter |month= ignored (help)

[nsf-8] "EXP-SA: Prediction and Detection of Network Membership through Automated Hard Drive Analysis".

[horenbeeck-9] Maarten Van Horenbeeck (24). "Technology Crime Investigation". Retrieved 18 August 2010. {{cite web}}: Check date values in: |date= and |year= / |date= mismatch (help); Unknown parameter |month= ignored (help)

[exposed-10] Aaron Phillip (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 0071626778. Retrieved 27 August 2010. {{cite book}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)

[ColdBoot-11] J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten (2008-02-21). "Lest We Remember: Cold Boot Attacks on Encryption Keys". Princeton University. Retrieved 2009-11-20. {{cite journal}}: Cite journal requires |journal= (help)CS1 maint: multiple names: authors list (link)

[tribunal-12] "White Paper: Employment Tribunals and the use of Digital Evidence" (PDF).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[1]

v t e Digital forensics
Branches	Computer forensics Mobile device forensics Network forensics Database forensics Software forensics
Hardware	Forensic disk controller
Software	ADF Solutions Digital Evidence Investigator EnCase Foremost FTK PTK Forensics The Sleuth Kit The Coroner's Toolkit COFEE HashKeeper Xplico
Certification	Certified Forensic Computer Examiner (CFCE) Global Information Assurance Certification
Processes	Digital forensic process Data acquisition Digital evidence eDiscovery Anti–computer forensics
Organisations	National Software Reference Library Department of Defense Cyber Crime Center National Hi-Tech Crime Unit (NHTCU) Australian High Tech Crime Centre (AHTCC)
People	Mary Aiken Annie Antón Rebecca Bace Josh Brunty Eoghan Casey Hany Farid Simson Garfinkel Clifford Stoll Robert Zeidman
Glossary of digital forensics terms