Introduction
Computer forensics is the practice of collecting, analysing and reporting on digital information in a way which is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is believed to be stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and similarly faces a number of issues.
About this knol
This knol discusses computer forensics from a neutral perspective; that is, it is not linked to a particular legislation or intended to promote a particular company or product, and is not biased towards either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This knol uses the term "computer", but the concepts apply to any device which is capable of storing digital information. Where methodologies have been mentioned they are provided as examples only and do not constitute recommendations or advice.
Uses of computer forensics
Almost all information about individuals and organisations is, or can be, stored electronically, so there are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and the heaviest users of computer forensics and consequently have often been at the forefront of development and advances in the field. Computers may constitute a 'scene of a crime', for example with hacking[1] or denial of service attacks[2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to other crimes such as murder, kidnap, fraud or drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the 'meta-data'[3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.
More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:
- Intellectual Property theft
- Industrial espionage
- Employment disputes
- Fraud investigations
- Forgeries
- Matrimonial issues
- Bankruptcy investigations
- Inappropriate email and internet use in the work place
- Regulatory compliance
Guidelines
For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner's mind. One set of guidelines which has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever jurisdiction. The four main principles from this guide have been reproduced below (with references to law enforcement removed):
- No action should change data held on a computer or storage media which may be subsequently relied upon in court.
- In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
In summary, no changes are made to the original; however, if access or changes are necessary, the examiner must know what they are doing and must record their actions.
Live acquisition
Principle 2 above may raise the question: in what situation would changes to a suspect's computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device which is turned off. A write-blocker[4] would be used to make an exact bit-for-bit copy[5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.
However, sometimes it is not possible or desirable to switch a computer off. It may not be possible if doing so would result in considerable financial or other loss for the organisation which owns it. It may not be desirable if doing so would mean that potentially valuable evidence is lost: the contents of RAM[6], the list of running processes and any open network connections all disappear at power-off. In both these circumstances the computer forensic examiner would need to carry out what is known as a 'live acquisition', which involves running a small program on the suspect computer in order to copy (or acquire) the data it holds to the examiner's destination drive.
By running such a program and attaching a destination drive to the suspect computer, the examiner makes changes and/or additions to the state of that computer which were not present before their actions. Such actions remain admissible as long as the examiner records what was done, is aware of its impact and is able to explain it.
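The following Python script is an added example (not from the knol) of what principles 1 and 3 and the acquisition described above look like in practice: every byte of the source is copied to an image file, the stream is hashed as it is read, the source is then re-read and hashed to show it is unchanged, the image is hashed to show it matches, and one audit record is appended that an independent third party can use to repeat the check. The "device" is a constructed file of random bytes standing in for a write-blocked drive; the exhibit and examiner labels are hypothetical.

```python
"""Verified bit-for-bit acquisition with an audit trail (added example, not from the knol)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # read size in bytes; keeps memory flat however large the image is

def sha256_of(path):
    """Hash a whole file in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, log_path, examiner="examiner-1", exhibit="EXH-001"):
    """Copy every byte of `source` to `image`, hashing the stream as it is
    read, then hash both files again independently and append one JSON
    audit record to `log_path`. Returns that record.

    The source is opened read-only; on a real job a hardware write-blocker
    would additionally sit between the examiner's machine and the medium.
    `examiner` and `exhibit` are hypothetical labels for the record.
    """
    started = datetime.now(timezone.utc).isoformat()
    stream = hashlib.sha256()
    copied = 0
    # "xb": fail rather than overwrite if an image of that name already exists.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            stream.update(block)
            dst.write(block)
            copied += len(block)
    source_after = sha256_of(source)  # re-read after imaging: the original is unchanged
    image_hash = sha256_of(image)     # the copy is byte-identical to what was read
    record = {
        "exhibit": exhibit,
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "tool": "acquire() example script",
        "source": source,
        "image": image,
        "bytes": copied,
        "sha256_stream": stream.hexdigest(),
        "sha256_source_after": source_after,
        "sha256_image": image_hash,
        "verified": stream.hexdigest() == source_after == image_hash,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record

def verify_image(image, expected_sha256):
    """The check an independent third party repeats later from the audit log."""
    return sha256_of(image) == expected_sha256

def demo():
    """Constructed stand-in for a storage medium: a file of random bytes whose
    size is not a multiple of CHUNK, so the final partial block is exercised."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    device = os.path.join(workdir, "sdb.raw")
    image = os.path.join(workdir, "EXH-001.dd")
    log_path = os.path.join(workdir, "audit.jsonl")
    with open(device, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))
    record = acquire(device, image, log_path)
    return record, device, image, log_path

if __name__ == "__main__":
    record, _, image, log_path = demo()
    print(json.dumps(record, indent=2))
    print("independent re-check:", verify_image(image, record["sha256_image"]))
```

Three hashes are recorded on purpose: the stream hash is what was read, the post-imaging source hash shows principle 1 was honoured, and the image hash is what every later examiner verifies before analysis. A live acquisition would differ only in that the source hash cannot be expected to stay stable, which is exactly why the record of what was run, and when, matters more there.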
Stages in an examination
For the purposes of this article the computer forensic examination process has been divided into six separate stages. Although they are presented in their usual chronological order, it will probably be necessary during an examination to be flexible; for example, during the analysis stage the examiner may find a new lead which warrants further computers being examined, and this would mean a return to the evaluation stage.
Readiness
Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations always benefit from sufficient logging and auditing of system events being in place before any incident occurs. For examiners there are many areas where prior organisation can help, ranging from training, regular testing and verification of software and equipment, and familiarity with legislation, to knowing how to deal with unexpected issues (e.g., what to do if child pornography material is found during a commercial job) and ensuring that the on-site acquisition kit is complete and in working order.
Evaluation
The evaluation stage includes the receiving of clear instructions, risk analysis and the allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect's property and how this would best be dealt with. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover the reputational and financial risks of accepting a particular project.
Collection
The main part of the collection stage, acquisition, has already been touched on above. If acquisition is to be carried out on-site as opposed to in a computer forensic laboratory, then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, their manager and the person responsible for providing computer services) would usually be carried out at this stage. The 'bagging and tagging' audit trail starts here, whereby any material taken is sealed and uniquely identified in tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material back to the examiner's laboratory.
Analysis
Analysis is dependent on the specifics of each job and is based upon the instructions and requirements the examiner has received. It would be usual for the examiner to provide feedback during analysis to the instructing party, and from this dialogue analysis may take a different path or be narrowed to concentrate on specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. A wide range of tools is available for computer forensic analysis; it is the writer's opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice as appropriate for the task in hand. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is to regularly test and calibrate the tools they use before analysis takes place. A check on result integrity during analysis can be done using dual-tool verification: if with tool 'A' the examiner finds artefact 'X' at location 'Y', then tool 'B' should identically replicate these results.
Presentation
This stage usually involves the examiner producing a structured report on their findings which addresses the points received in the initial instructions along with any subsequent instructions, and which also covers any other information the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader will be non-technical and the terminology of the report should acknowledge this. The examiner may also be asked to participate in meetings or telephone conferences to discuss and elaborate on the report, and should be prepared for this.
Review
Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived cost of doing work which is not billable, or to the need 'to get on with the next job'. Contrary to these views, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient. A review of an examination can be simple and quick to carry out, and can begin during any of the above stages. It may include a basic 'what went wrong and how can this be improved' and a 'what went well and how can we incorporate it in future examinations'. Feedback from the instructing party should also be sought, as it can prove very instructive. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.
Issues facing computer forensics
The issues which computer forensic examiners face have been broken down into three broad sets: technical, legal and administrative.
Technical issues
Encryption - Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer, or on another computer to which the suspect has had access. It could also reside in the volatile memory of a computer (known as RAM[6]), which is usually lost on computer shut-down; this is another reason to consider using the live acquisition techniques outlined above.
Increasing storage space - Storage media hold ever greater amounts of data, which for the examiner means that their analysis computers need sufficient processing power and available storage to efficiently search and analyse enormous amounts of data.
New technologies - Computing is an ever-changing area, with new hardware, software and operating systems constantly being produced. No one computer forensic examiner can be an expert in all areas, though they may frequently be expected to analyse something they have not dealt with before. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect, as it is likely someone has already come across the same problem.
Anti-forensics - Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files' meta-data and file obfuscation (disguising files, for example by giving a file an extension that does not match its real format). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer to which the suspect has had access. In the writer's experience, it is very rare to see anti-forensics tools used correctly and consistently enough to totally obscure either their presence or the presence of the evidence they were used to hide.
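As an added example (not from the knol) of triage against two of the anti-forensic techniques just described, the Python script below compares what a file's extension claims against its leading bytes (the 'magic number' that identifies most formats) to catch disguised files, and measures the entropy of the content to single out files that look encrypted or otherwise opaque. The three sample files are constructed inline; the magic-byte values are the real ones for those formats, while the 7.5 bits-per-byte entropy threshold is an assumed triage cut-off, not a standard.

```python
"""Triage for disguised and possibly encrypted files (added example, not from the knol)."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes that identify a handful of common formats (real signatures).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also the container for .docx/.xlsx/.pptx
    b"\x7fELF": "elf",
}
# What each extension claims to be; Office documents are zip containers.
EXTENSION_CLAIMS = {
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
    ".pptx": "zip", ".txt": "text", ".log": "text", ".csv": "text",
}
HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold for "looks encrypted or compressed"

def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_type(head):
    """Identify content from its first bytes; 'text' if every byte is printable ASCII."""
    for magic, name in SIGNATURES.items():
        if head.startswith(magic):
            return name
    if head and all(b in b"\t\n\r" or 32 <= b < 127 for b in head):
        return "text"
    return None

def triage_file(path, sample_size=65536):
    """Compare the claimed type (extension) with the detected type and flag
    high-entropy content. Only the first `sample_size` bytes are examined."""
    p = Path(path)
    with p.open("rb") as fh:
        head = fh.read(sample_size)
    detected = detect_type(head)
    claimed = EXTENSION_CLAIMS.get(p.suffix.lower())
    entropy = shannon_entropy(head)
    return {
        "name": p.name,
        "claimed": claimed,
        "detected": detected,
        "mismatch": claimed is not None and claimed != detected,
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= HIGH_ENTROPY,
    }

def build_samples(directory=None):
    """Constructed samples: a genuine text file, a PNG renamed to .txt, and a
    '.docx' that is really 4 KiB of pseudo-random bytes (no zip header, high entropy)."""
    d = Path(directory or tempfile.mkdtemp(prefix="triage-"))
    (d / "notes.txt").write_bytes(b"meeting notes: nothing to see here\n")
    (d / "report.txt").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 200)
    rng = random.Random(7)
    (d / "budget.docx").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    return sorted(str(x) for x in d.iterdir())

if __name__ == "__main__":
    for f in build_samples():
        r = triage_file(f)
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']:12} claimed={r['claimed']!s:5} detected={r['detected']!s:5} "
              f"entropy={r['entropy']:.2f} {flag}{' HIGH-ENTROPY' if r['high_entropy'] else ''}")
```

A mismatch or a high entropy score is a lead, not a conclusion: legitimately compressed media and archives also score near 8 bits per byte, so flagged files go onto the examiner's list for a closer look rather than into the report as findings.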
Legal issues
Legal argument may confuse or distract from a computer examiner's findings. An example here would be the 'Trojan Defence'. In computer terms a Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans are put to many uses, including key-logging[7], uploading and downloading of files and the installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by the user but were automated by a Trojan unbeknown to the user; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect's computer. In such cases, a competent opposing lawyer supplied with evidence from a competent computer forensic analyst should be able to rebut such an argument.
Administrative issues
Accepted standards - There is a plethora of standards and guidelines in computer forensics, few of which, either in part or in whole, appear to be universally accepted. This is due to a number of reasons, including standards-setting bodies being tied to particular legislations, standards being aimed at either law enforcement or commercial forensics but not at both, the authors of such standards not being accepted by their peers, and high joining fees which can dissuade practitioners from joining.
Fit to practice - In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone without training or experience may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.
Resources and further reading
There does not appear to be a great amount of material covering computer forensics which is aimed at a non-technical readership. However, the following links may prove to be of interest:
Forensic Focus This web site is an excellent resource with a popular message board. Includes a list of training courses in various locations.
NIST Computer Forensic Tool Testing Program The National Institute of Standards and Technology (United States) provides industry-respected testing of forensic tools, checking that they consistently produce accurate and objective results.
Computer Forensics World Another computer forensic community web site with message boards.
References
- Hacking; modifying a computer in a way which was not originally intended in order to further the hacker's goals.
- Denial of Service attack; an attempt to prevent legitimate users of a computer system from having access to that system's information or services.
- Meta-data; at a basic level meta-data is data about data. It can be embedded within files or stored externally to a file and may contain information about the file's author, the file's format, when it was created and so on.
- Write Blocker; a hardware device or software application which prevents any data from being modified or added to the storage medium being examined.
- Bit Copy; bit is a contraction of the term 'binary digit' and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium which are 'invisible' to the user.
- RAM; Random Access Memory. RAM is a computer's temporary workspace and is volatile, which means its contents are lost when the computer is powered off.
- Key-logging; the recording of keyboard input giving the person who places the key-logger on a computer the ability to read a user's typed passwords, emails and other confidential information.