
Computer forensics is the practice of collecting, analyzing and reporting on digital data in a way that is
legally admissible. It can be used in the detection and prevention of crime and in any dispute where
evidence is stored digitally.

Stages of an examination

We’ve divided the computer forensic examination process into six stages, presented in their usual
chronological order.

Readiness

Forensic readiness is an important and occasionally overlooked stage in the examination process. In
commercial computer forensics it can include educating clients about system preparedness; for
example, forensic examinations will provide stronger evidence if a device’s auditing features have been
activated prior to any incident occurring.

For the forensic examiners themselves, readiness includes appropriate training, regular testing and
verification of their software and equipment, familiarity with legislation, preparedness for unexpected
issues (e.g., what to do if indecent images of children are found during a commercial job) and ensuring
that the on-site acquisition (data extraction) kit is complete and in working order.

Evaluation

The evaluation stage includes the receiving of instructions, the clarification of those instructions if
unclear or ambiguous, risk analysis and the allocation of roles and resources. Risk analysis for law
enforcement may include an assessment on the likelihood of physical threat on entering a suspect’s
property and how best to counter it.

Commercial organisations also need to be aware of health and safety issues, conflict of interest issues
and of possible risks – financial and to their reputation – on accepting a particular project.

Collection

The main part of the collection stage, acquisition, has been introduced above.

If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this stage
would include identifying and securing devices which may store evidence and documenting the scene.
Interviews or meetings with personnel who may hold information relevant to the examination (which
could include the end users of the computer, and the manager and person responsible for providing
computer services, such as an IT administrator) would usually be carried out at this stage.

The collection stage also involves the labelling and bagging of evidential items from the site, to be sealed
in numbered tamper-evident bags. Consideration should be given to securely and safely transporting the
material to the examiner’s laboratory.

Analysis

Analysis depends on the specifics of each job. The examiner usually provides feedback to the client
during analysis and from this dialogue the analysis may take a different path or be narrowed to specific
areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the
time-scales available and resources allocated.

There are myriad tools available for computer forensics analysis. It is our opinion that the examiner
should use any tool they feel comfortable with as long as they can justify their choice. The main
requirement of a computer forensic tool is that it does what it is meant to do, and the only way for
examiners to be sure of this is to regularly test and calibrate the tools they rely on, against known
sample data, before analysis takes place.

Dual-tool verification can confirm result integrity during analysis (if with tool ‘A’ the examiner finds
artefact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results).

Presentation

This stage usually involves the examiner producing a structured report on their findings, addressing the
points in the initial instructions along with any subsequent instructions. It would also cover any other
information which the examiner deems relevant to the investigation.

The report must be written with the end reader in mind; in many cases the reader will be non-technical,
and so reader-appropriate terminology should be used. The examiner should also be prepared to
participate in meetings or telephone conferences to discuss and elaborate on the report.

Review

As with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the
perceived costs of doing work that is not billable, or the need ‘to get on with the next job’.

However, a review stage incorporated into each examination can help save money and raise the level of
quality by making future examinations more efficient and time effective.

A review of an examination can be simple and quick, and can begin during any of the above stages. It may
include a basic analysis of what went wrong, what went well, and how the learning from this can be
incorporated into future examinations. Feedback from the instructing party should also be sought.

Any lessons learnt from this stage should be applied to the next examination and fed into the readiness
stage.

6. Issues facing computer forensics

The issues facing computer forensics examiners can be broken down into three broad categories:
technical, legal and administrative.

Technical issues
Encryption – Encrypted data can be impossible to view without the correct key or password. Examiners
should consider that the key or password may be stored elsewhere on the computer or on another
computer which the suspect has had access to. It could also reside in the volatile memory of a computer
(known as RAM [6]) which is usually lost on computer shut-down; another reason to consider using live
acquisition techniques, as outlined above.

Increasing storage space – Storage media hold ever greater amounts of data, which for the examiner
means that their analysis computers need to have sufficient processing power and available storage
capacity to efficiently deal with searching and analysing large amounts of data.

New technologies – Computing is a continually evolving field, with new hardware, software and
operating systems emerging constantly. No single computer forensic examiner can be an expert on all
areas, though they may frequently be expected to analyse something which they haven’t previously
encountered. In order to deal with this situation, the examiner should be prepared and able to test and
experiment with the behaviour of new technologies. Networking and sharing knowledge with other
computer forensic examiners is very useful in this respect as it’s likely someone else has already come
across the same issue.

Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This
may include encryption, the over-writing of data to make it unrecoverable, the modification of files’
metadata and file obfuscation (disguising files). As with encryption, the evidence that such methods
have been used may be stored elsewhere on the computer or on another computer which the suspect
has had access to. In our experience, it is very rare to see anti-forensics tools used correctly and
frequently enough to totally obscure either their presence or the presence of the evidence that they
were used to hide.

Legal issues

Legal issues may confuse or distract from a computer examiner’s findings. An example here would be
the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something benign but which
carries a hidden and malicious purpose. Trojans have many uses, including key-logging [7], uploading
and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a
computer were not carried out by a user but were automated by a Trojan without the user’s knowledge;
such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious
code was found on the suspect’s computer. In such cases, a competent opposing lawyer, supplied with
evidence from a competent computer forensic analyst, should be able to dismiss such an argument. A
good examiner will have identified and addressed possible arguments from the “opposition” while
carrying out the analysis and in writing their report.

Administrative issues

Accepted standards – There are a plethora of standards and guidelines in computer forensics, few of
which appear to be universally accepted. The reasons for this include: standard-setting bodies being tied
to particular legislations; standards being aimed either at law enforcement or commercial forensics but
not at both; the authors of such standards not being accepted by their peers; or high joining fees for
professional bodies dissuading practitioners from participating.

Fit to practice – In many jurisdictions there is no qualifying body to check the competence and integrity
of computer forensics professionals. In such cases anyone may present themselves as a computer
forensic expert, which may result in computer forensic examinations of questionable quality and a
negative view of the profession as a whole.

7. Resources and further reading

There does not appear to be very much material covering computer forensics which is aimed at a non-
technical readership. However the following links may prove useful:

Forensic Focus An excellent resource with a popular message board. Includes a list of training courses in
various locations.
NIST Computer Forensic Tool Testing Program The National Institute of Standards and Technology
(America) provides an industry respected testing of tools, checking that they consistently produce
accurate and objective test results.
Computer Forensics World A computer forensic community web site with message boards.
Free computer forensic tools A list of free tools useful to computer forensic analysts, selected by
Forensic Control.
The First Forensic Forum (F3) A UK based non-profit organisation for forensic computing practitioners.
Organises workshops and training.

8. Glossary

1. Hacking: modifying a computer in a way which was not originally intended in order to benefit
the hacker’s goals.

2. Denial of Service attack: an attempt to prevent legitimate users of a computer system from
having access to that system’s information or services.

3. Metadata: data about data. It can be embedded within files or stored externally in a separate
file and may contain information about the file’s author, format, creation date and so on.

4. Write blocker: a hardware device or software application which prevents any data from being
modified or added to the storage medium being examined.

5. Bit copy: ‘bit’ is a contraction of the term ‘binary digit’ and is the fundamental unit of
computing. A bit copy refers to a sequential copy of every bit on a storage medium, which
includes areas of the medium ‘invisible’ to the user.

6. RAM: Random Access Memory. RAM is a computer’s temporary workspace and is volatile, which
means its contents are lost when the computer is powered off.

7. Key-logging: the recording of keyboard input giving the ability to read a user’s typed passwords,
emails and other confidential information.

Computer forensics is the application of investigation and analysis techniques to gather and preserve
evidence from a particular computing device in a way that is suitable for presentation in a court of
law. The goal of computer forensics is to perform a structured investigation while maintaining a
documented chain of evidence to find out exactly what happened on a computing device and who
was responsible for it.

Forensic investigators typically follow a standard set of procedures: After physically isolating the device
in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the
device's storage media. Once the original media has been copied, it is locked in a safe or other secure
facility to maintain its pristine condition. All investigation is done on the digital copy.

Investigators use a variety of techniques and proprietary forensic software applications to examine the
copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged
files. Any evidence found on the digital copy is carefully documented in a "finding report" and verified
against the original in preparation for legal proceedings that involve discovery, depositions, or actual
litigation. Computer forensics has become its own area of scientific expertise, with accompanying
coursework and certification.

The goal of computer forensics is to examine digital media in a forensically sound manner with the aim
of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital
information.

Although it is most often associated with the investigation of a wide variety of computer crime,
computer forensics may also be used in civil proceedings. The discipline involves similar techniques and
principles to data recovery, but with additional guidelines and practices designed to create a legal audit
trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and
practices of other digital evidence. It has been used in a number of high-profile cases and is becoming
widely accepted as reliable within U.S. and European court systems.

Use as evidence

In court, computer forensic evidence is subject to the usual requirements for digital evidence. This
requires that information be authentic, reliably obtained, and admissible.[6] Different countries have
specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often
follow Association of Chief Police Officers guidelines that help ensure the authenticity and integrity of
evidence. While voluntary, the guidelines are widely accepted in British courts.

Computer forensics has been used as evidence in criminal law since the mid-1980s; some notable
examples include:[7]
 BTK Killer: Dennis Rader was convicted of a string of serial killings that occurred over a period of
sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy
disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran
Church"; this evidence helped lead to Rader's arrest.

 Joseph E. Duncan III: A spreadsheet recovered from Duncan's computer contained evidence that
showed him planning his crimes. Prosecutors used this to show premeditation and secure
the death penalty.[8]

 Sharon Lopatka: Hundreds of emails on Lopatka's computer led investigators to her killer,
Robert Glass.[7]

 Corcoran Group: This case confirmed parties' duties to preserve digital evidence when litigation has
commenced or is reasonably anticipated. Hard drives were analyzed by a computer forensics expert who
could not find relevant emails the Defendants should have had. Though the expert found no evidence of
deletion on the hard drives, evidence came out that the defendants had intentionally destroyed emails,
and misled and failed to disclose material facts to the plaintiffs and the court.

 Dr. Conrad Murray: Dr. Conrad Murray, the doctor of the deceased Michael Jackson, was
convicted partially by digital evidence on his computer. This evidence included medical
documentation showing lethal amounts of propofol.

Forensic process

A portable Tableau write blocker attached to a Hard Drive

Computer forensic investigations usually follow the standard digital forensic process or phases:
acquisition, examination, analysis and reporting. Investigations are performed on static data
(i.e. acquired images) rather than "live" systems. This is a change from early forensic practices where a
lack of specialist tools led to investigators commonly working on live data.
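The copy, verify and lock-away procedure described in the two passages above (the "standard set of procedures" and this process summary), as an added example that is not from this page or from any named tool. It images a source into a file while hashing it, independently re-hashes the finished image, and records both hashes with the exhibit details so that a later session can prove the working copy is still what was acquired. The exhibit ID, examiner name and sample data are constructed placeholders, and an ordinary file stands in for the evidence device; a real acquisition reads the device through a hardware write blocker (glossary item 4), which this code does not replace.

```python
"""Bit-for-bit acquisition with hash verification and an acquisition record.

Added example. The source here is a plain file used as a hypothetical
evidence device; in practice it would be a block device behind a write
blocker. Nothing is ever written to the source.
"""
import hashlib
import os
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read size: 1 MiB


def _sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str, examiner: str, exhibit_id: str) -> dict:
    """Copy every byte of `source` into `image`, hashing the stream as it is read.

    After the copy, the image file is re-read from disk and hashed on its
    own, so the record holds a source hash and an image hash that must
    match before any analysis starts.
    """
    started = datetime.now(timezone.utc).isoformat()
    src_hash = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())          # make sure the image really hit disk
    record = {
        "exhibit_id": exhibit_id,
        "examiner": examiner,
        "source": source,
        "image": image,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": _sha256_of_file(image),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify_image(image: str, record: dict) -> bool:
    """Re-hash the working copy (e.g. at the start of each analysis session)
    against the hash recorded at acquisition. Any mismatch means the copy is
    no longer the acquired evidence and must not be analysed further."""
    return _sha256_of_file(image) == record["image_sha256"]


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for a device: a few MiB of repeating bytes.
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "exhibit01.bin")
        with open(dev, "wb") as f:
            f.write(b"evidence" * 300000)
        rec = acquire(dev, os.path.join(d, "exhibit01.dd"), "A. Examiner", "EX-01")
        print(rec["verified"], rec["bytes_copied"], rec["image_sha256"])
```

The record is what goes into the case file alongside the tamper-evident bag number; the hash, not the file size or the copy tool's exit code, is the evidence that the working copy equals the original.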

Techniques
A number of techniques are used during computer forensics investigations, and much has been written
on the many techniques used by law enforcement in particular (see, e.g., "Defending Child Pornography
Cases").

Cross-drive analysis

A forensic technique that correlates information found on multiple hard drives. The process, still being
researched, can be used to identify social networks and to perform anomaly detection.[9][10]

Live analysis

The examination of computers from within the operating system using custom forensics or
existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File
Systems, for example, where the encryption keys may be collected and, in some instances, the logical
hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Deleted files

A common technique used in computer forensics is the recovery of deleted files. Modern forensic
software has its own tools for recovering or carving out deleted data.[11] Most operating systems and
file systems do not erase the physical file data when a file is deleted; they remove the directory entry
and mark the space as unallocated, which allows investigators to reconstruct the file from the physical
disk sectors until they are overwritten. File carving involves searching for known file headers within the
disk image and reconstructing deleted material from the bytes that follow, independently of the file
system.
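A header/footer carver of the kind just described, added here as an example (not the page's code and not a named product). It scans a raw image for the JPEG and PNG signatures, which are the real markers, and cuts each candidate out up to its footer. The disk image it runs over is constructed: a genuinely valid PNG and a JPEG-shaped blob (correct markers, not a decodable picture) are planted in zero fill standing in for unallocated space. The chunk-walking validator at the end is the check a practitioner applies before trusting a carved file.

```python
"""Header/footer file carving over a raw disk image.

Added example. A carver ignores the file system: it looks for known
signatures in the raw bytes and cuts out everything up to the matching
footer, which is how deleted files are pulled from unallocated space.
"""
import re
import struct
import zlib
from typing import List, Tuple

JPEG_SOI = b"\xff\xd8\xff"                      # start of image
JPEG_EOI = b"\xff\xd9"                          # end of image
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"   # empty IEND chunk + its CRC
SIGNATURES = [("jpeg", JPEG_SOI, JPEG_EOI), ("png", PNG_SIG, PNG_IEND)]
MAX_FILE = 50 * 1024 * 1024   # stop looking for a footer beyond this distance


def carve(image: bytes, max_file: int = MAX_FILE) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, data) for every header with a footer after it.

    Known limitations: a fragmented file carves as garbage or truncated; a
    JPEG with an embedded EXIF thumbnail stops at the thumbnail's EOI; and if
    the real footer is gone, the footer of a *later* file is taken instead.
    Carved output therefore needs validation before it counts as recovered.
    """
    found = []
    for ftype, header, footer in SIGNATURES:
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            end = image.find(footer, start + len(header), start + max_file)
            if end == -1:
                continue
            found.append((ftype, start, image[start:end + len(footer)]))
    return sorted(found, key=lambda t: t[1])


def png_chunks_ok(data: bytes) -> bool:
    """Validate a carved PNG by walking its chunks and checking every CRC."""
    if not data.startswith(PNG_SIG):
        return False
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)   # nothing may follow IEND
    return False


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(width: int, height: int, shade: int) -> bytes:
    """A small but valid 8-bit greyscale PNG (constructed sample evidence)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes([shade]) * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def constructed_disk_image() -> bytes:
    """Constructed raw image, not a real capture: zero fill, one valid PNG,
    more fill, one JPEG-shaped blob (real markers, not a decodable picture)."""
    jpeg_like = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 300 + JPEG_EOI
    return b"\x00" * 4096 + minimal_png(4, 4, 0x80) + b"\x00" * 512 + jpeg_like + b"\x00" * 1024


if __name__ == "__main__":
    for ftype, offset, data in carve(constructed_disk_image()):
        valid = png_chunks_ok(data) if ftype == "png" else "n/a"
        print(f"{ftype} at offset {offset}, {len(data)} bytes, valid={valid}")
```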

Stochastic forensics

A method which uses stochastic properties of the computer system to investigate activities lacking
digital artifacts. Its chief use is to investigate data theft.

Steganography

One of the techniques used to hide data is steganography, the process of hiding data inside a picture or
other digital image. An example would be hiding indecent images of children or other information that a
criminal does not want discovered. Computer forensics professionals can counter this by computing the
hash of the file and comparing it to the hash of the original image (if available). While the image
appears exactly the same, the hash changes as soon as any of the underlying bytes change.[12]
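An added example, not from the page, of the hash check described above applied to least-significant-bit steganography: a message is written into the lowest bit of each pixel of a constructed greyscale image, no pixel moves by more than one step (which is why the picture looks unchanged), and the SHA-256 of the pixel data nonetheless differs from the original. The pixel buffer stands in for an image file; the cover and message are constructed.

```python
"""LSB steganography, and why a hash comparison catches it.

Added example. The "image" is a bytearray of 8-bit greyscale pixels rather
than an encoded file, so the effect on the raw data is visible directly.
"""
import hashlib


def embed_lsb(pixels: bytes, message: bytes) -> bytes:
    """Hide a 2-byte length prefix plus `message` in the LSB of each pixel."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for message")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit      # pixel changes by 0 or 1
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Read the length prefix, then the message, back out of the LSBs."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        vals = []
        for b in range(count):
            v = 0
            for i in range(8):
                v = (v << 1) | (pixels[start_bit + b * 8 + i] & 1)
            vals.append(v)
        return bytes(vals)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def constructed_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed greyscale gradient standing in for the original picture."""
    return bytes(((x * 4) + (y * 2)) & 0xFF for y in range(height) for x in range(width))


if __name__ == "__main__":
    cover = constructed_cover()
    stego = embed_lsb(cover, b"meet at 0300")
    print("max pixel delta:", max_pixel_delta(cover, stego))
    print("original sha256:", sha256_hex(cover))
    print("stego    sha256:", sha256_hex(stego))
    print("recovered:", extract_lsb(stego))
```

Without the original to hash against, an examiner falls back on statistical tests of the LSB plane or on recognising the embedding tool's signature, which is why keeping known-good copies (or hash sets) of reference images matters.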

Volatile data

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not
recovered before powering down may be lost.[8] One application of "live analysis" is to recover RAM
data (for example, using Microsoft's COFEE tool, windd, WindowsSCOPE) prior to removing an exhibit.
CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and
acquisition of physical memory on a locked computer.
RAM can be analyzed for prior content after power loss, because the electrical charge stored in the
memory cells takes time to dissipate, an effect exploited by the cold boot attack. The length of time that
data is recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM
below −60 °C helps preserve residual data by an order of magnitude, improving the chances of
successful recovery. However, it can be impractical to do this during a field examination.[13]

Some of the tools needed to extract volatile data, however, require that a computer be in a forensic lab,
both to maintain a legitimate chain of evidence, and to facilitate work on the machine. If necessary, law
enforcement applies techniques to move a live, running desktop computer. These include a mouse
jiggler, which moves the mouse rapidly in small movements and prevents the computer from going to
sleep accidentally. Usually, an uninterruptible power supply (UPS) provides power during transit.

Some RAM content also reaches disk in the normal course of operation, so part of it can be recovered from
the disk image without any live acquisition: the operating system's page (swap) file holds memory pages
that were swapped out, and a hibernation file (hiberfil.sys on Windows) holds a snapshot of memory at the
time of hibernation. Parsing these files can reconstruct portions of what was in RAM at the time.[14]
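A worked example of why keys left in RAM matter, added here and not a tool from the page; it serves both the Encryption paragraph under Technical issues, which notes that a key may reside in volatile memory, and this Volatile data section. Encryption software keeps its expanded AES round keys in memory, and a FIPS-197 key schedule is fully determined by the 16 key bytes that begin it, so a memory image can be scanned for any 16 bytes whose expansion immediately follows them; this is the approach that cold-boot key-recovery tools take. Assumptions: AES-128 only, and a schedule stored contiguously in FIPS-197 byte order (real implementations may keep words in host byte order or hold a decryption schedule, which a production scanner also checks for). The memory dump is constructed with one planted key; the key is the FIPS-197 Appendix A test key, so the expansion can be checked against the standard.

```python
"""Locate AES-128 keys in a memory image by their expanded key schedule.

Added example. The S-box is computed from its definition rather than typed
in, to avoid transcription errors; the constructed dump is pseudo-random
filler with one FIPS-197 key schedule planted in it.
"""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> list:
    """S[x] = affine(inverse(x)), with inverse(0) defined as 0."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        b = inv[x]
        s = b
        for shift in (1, 2, 3, 4):                    # affine transform
            s ^= ((b << shift) | (b >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36)


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16 key bytes -> 176 bytes (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= RCON[i // 4 - 1]          # Rcon
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(sum(w, []))


def find_aes128_keys(mem: bytes) -> list:
    """Return (offset, key) for each 16-byte window whose FIPS-197 schedule
    follows it in `mem`. Only w[4] is recomputed for the pre-check, so the
    full expansion runs for almost no offsets."""
    hits = []
    for off in range(0, len(mem) - 176 + 1):
        key = mem[off:off + 16]
        t = [SBOX[b] for b in (key[13], key[14], key[15], key[12])]
        t[0] ^= RCON[0]
        w4 = bytes(key[j] ^ t[j] for j in range(4))
        if mem[off + 16:off + 20] != w4:
            continue
        if mem[off:off + 176] == expand_key_128(key):
            hits.append((off, key))
    return hits


def constructed_memory_image(key: bytes, at: int, size: int = 8192, seed: int = 7) -> bytes:
    """Constructed sample dump (not a real capture): pseudo-random filler with
    the expanded schedule of `key` planted at offset `at`."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = expand_key_128(key)
    buf[at:at + len(sched)] = sched
    return bytes(buf)


if __name__ == "__main__":
    k = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A key
    for off, key in find_aes128_keys(constructed_memory_image(k, at=3000)):
        print(f"AES-128 key schedule at offset {off:#x}: key {key.hex()}")
```

The scan needs no knowledge of which program owned the memory or how its structures are laid out, which is what makes a RAM capture taken before shutdown so valuable against encrypted volumes: the key material is redundant and therefore recognisable.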

Analysis tools

A number of open source and commercial tools exist for computer forensics investigation. Typical
forensic analysis includes a manual review of material on the media, reviewing the Windows registry for
suspect information, discovering and cracking passwords, keyword searches for topics related to the
crime, and extracting e-mail and pictures for review.[7]

Certifications

There are several computer forensics certifications available, such as the ISFCE Certified Computer
Examiner, Digital Forensics Investigation Professional (DFIP) and IACRB Certified Computer Forensics
Examiner.

The top vendor-independent certification (especially within the EU) is considered to be the CCFP
(Certified Cyber Forensics Professional).[15]

Others worth mentioning for the USA or APAC: IACIS (the International Association of Computer
Investigative Specialists) offers the Certified Forensic Computer Examiner (CFCE) program.

Computer Forensics Investigator

A Computer Forensics Investigator or Forensic Analyst is a specially trained professional who works
with law enforcement agencies, as well as private firms, to retrieve information from computers. The
equipment may have been damaged externally or corrupted internally by hacking or viruses.

The Forensic Analyst is most well known for working within the law enforcement industry; however,
he or she can also be tasked to test the security of a private company's information systems. The
Analyst should have an excellent working knowledge of all aspects of the computer including but not
limited to hard drives, networking, and encryption. Patience and the willingness to work long hours
are qualities that are well-suited for this position.

Computer Forensics Training

Computer Forensics is one of the fastest growing areas of the tech industry and InfoSec Institute
is proud to offer a Combined Computer and Mobile Forensics Boot Camp. This course prepares
students for the three industry recognized computer forensic certifications, the IACRB Certified
Computer Forensics Examiner (CCFE), IACRB Certified Mobile Forensics Examiner (CMFE), and (ISC)2
Certified Cyber Forensics Professional (CCFP).

The purpose of computer forensics techniques is to search, preserve and analyze information on
computer systems to find potential evidence for a trial. Many of the techniques detectives use
in crime scene investigations have digital counterparts, but there are also some unique aspects to
computer investigations.

For example, just opening a computer file changes it: the file system records the time and date of the
access in the file's metadata. If detectives seize a computer and then start opening files, there's no
way to tell for sure that they didn't change anything, and lawyers can contest the validity of the
evidence when the case goes to court. This is why examiners work on a verified bit copy and keep the
original behind a write blocker.

Some people say that using digital information as evidence is a bad idea. If it's easy to change
computer data, how can it be used as reliable evidence? Many countries allow computer evidence in
trials, but that could change if digital evidence proves untrustworthy in future cases.

Computers are getting more powerful, so the field of computer forensics must constantly evolve. In
the early days of computers, it was possible for a single detective to sort through files because storage
capacity was so low. Today, with hard drives capable of holding gigabytes and even terabytes of data,
that's a daunting task. Detectives must discover new ways to search for evidence without dedicating
too many resources to the process.
https://forensiccontrol.com/resources/beginners-guide-computer-forensics/

https://www.infosecinstitute.com/careers/computer-forensics-investigator
