Computer forensics, also commonly referred to as digital forensics, is the branch of forensic science concerned with information held on computers and digital storage media that is to be used as legal evidence. It is called upon when hardware or software fails and data must be recovered, during legal proceedings, and when an employee is terminated. By collecting, analyzing, and reporting on digital data, digital crime can be prevented and detected, and the data can be used in any dispute where the evidence is stored digitally.
Digital forensics can be applied in various areas of crime and dispute, including industrial espionage, employment disputes, fraud investigations, forgeries, bankruptcy investigations, regulatory compliance, and inappropriate internet/email use in the workplace.
The digital forensics process has multiple stages; to clarify them, I have separated them into six modules.
In this stage, the proper training, testing, and verification of those involved in the forensic process must be gained and continuously maintained. Ensuring the readiness of the forensic examiner means they have the current software and equipment necessary for the procedure, are familiar with the relevant legislation, and have a complete data extraction (on-site acquisition) kit ready to go.
During the evaluation stage, instructions for the task at hand are received and clarified. A risk assessment is carried out by the forensic examiner or law enforcement to assess the possible risks, safety issues, and when and where the examination will take place. For example, if the digital property is stored off-site at the suspect's house, there will need to be proper planning for the resistance the examiner may encounter. Furthermore, if the material or situation is sensitive, there may be an increased risk to the accuser's or suspect's financial status or reputation. I find that a carefully written report outlining all of the possible outcomes and potential issues that may occur is ideal in most situations. Expect the best, but prepare for the worst.
In this stage, the materials, data, and evidence needed are acquired. Evidence can be acquired by making a copy of the data in question through a write blocker (software or hardware that allows the data on a drive to be acquired without any possibility of altering or damaging the drive's contents). Additionally, a bit-by-bit (mirror) image can be taken, which backs up every area of the drive or storage device onto a separate device. Of the many methods for collecting the information a case or investigation needs, the environment and security of the location where the collection takes place are vital to the entire collection phase. If possible, all procedures should be completed in a computer forensics laboratory, with strict control over who does what and who enters the room, and with each separate item in the investigation clearly marked and bagged. As with the traditional crime scene detectives you see on TV, a single error during the investigation, such as an improperly marked piece of evidence, can be used to dismantle the credibility of the entire operation's results.
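The two controls just described, a bit-by-bit image and a record of who acquired what and when, are routinely tied together with hashes: the examiner hashes the source while imaging it, re-reads the finished image to confirm the hashes match, and logs both in the acquisition record, so that any later copy can be checked against it. The following Python example is added here to illustrate that workflow; it is not code from the original article or from any forensic product. The "device" is a constructed in-memory byte string standing in for a real read-only block device, and the exhibit id and examiner name are placeholders.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read the source in 1 MiB blocks so a large device never has to fit in memory


def image_stream(source, destination, chunk_size=CHUNK_SIZE):
    """Copy every byte from source into destination (a bit-by-bit image) and
    hash the stream with MD5 and SHA-256 as it passes through.
    Returns (bytes_copied, md5_hex, sha256_hex)."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    for block in iter(lambda: source.read(chunk_size), b""):
        destination.write(block)
        md5.update(block)
        sha256.update(block)
        total += len(block)
    return total, md5.hexdigest(), sha256.hexdigest()


def hash_stream(stream, chunk_size=CHUNK_SIZE):
    """Hash a stream from its current position; used to re-read the finished
    image independently of the copy pass. Returns (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        md5.update(block)
        sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """Convenience wrapper: hash an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def acquire(source, destination, exhibit_id, examiner, chunk_size=CHUNK_SIZE):
    """Image `source` into `destination`, re-read the image to verify it, and
    return a chain-of-custody record for the acquisition log."""
    started = datetime.now(timezone.utc)
    size, md5_acq, sha_acq = image_stream(source, destination, chunk_size)
    destination.flush()
    destination.seek(0)
    md5_ver, sha_ver = hash_stream(destination, chunk_size)
    return {
        "exhibit_id": exhibit_id,          # placeholder values in this example
        "examiner": examiner,
        "started_utc": started.isoformat(),
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes_imaged": size,
        "acquisition_md5": md5_acq,
        "acquisition_sha256": sha_acq,
        "verification_md5": md5_ver,
        "verification_sha256": sha_ver,
        "verified": (md5_acq, sha_acq) == (md5_ver, sha_ver),
    }


def matches_record(stream, record, chunk_size=CHUNK_SIZE):
    """Later check: does a copy of the image still carry the hashes logged at acquisition?"""
    stream.seek(0)
    md5_now, sha_now = hash_stream(stream, chunk_size)
    return (md5_now, sha_now) == (record["acquisition_md5"], record["acquisition_sha256"])


# Constructed sample "device": 3 MiB of deterministic bytes standing in for a real
# block device (in practice `source` would be the device opened read-only behind a write blocker).
SAMPLE_DEVICE_BYTES = bytes(range(256)) * (3 * 4096)


def demo():
    """Image the sample device, then show that a single altered byte in a copy is detected."""
    source = io.BytesIO(SAMPLE_DEVICE_BYTES)
    image = io.BytesIO()
    record = acquire(source, image, exhibit_id="EX-001", examiner="J. Doe", chunk_size=64 * 1024)

    tampered = io.BytesIO(bytearray(image.getvalue()))
    tampered.seek(1000)
    tampered.write(b"\x00")  # alter one byte of the copy
    return record, matches_record(image, record), matches_record(tampered, record)


if __name__ == "__main__":
    rec, intact_ok, tampered_ok = demo()
    print(json.dumps(rec, indent=2))
    print("intact copy matches:", intact_ok, "| tampered copy matches:", tampered_ok)
```

Two digests are computed because many court-facing reports still quote MD5 alongside SHA-256; the verification pass deliberately re-reads the destination rather than reusing the hashes from the copy loop, since the point is to prove what landed on the evidence drive, not what passed through memory.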
Potential Technical Issues
The amount of data that storage devices can hold is always increasing, which in turn makes the digital forensics process more difficult. For example, if the storage device you are collecting data from has a massive capacity and a massive amount of data on it, you will need an equally large duplicate storage device, as well as enough processing power to copy or process it efficiently.
Encrypted data, or data that is rendered unviewable or inaccessible without the correct key or password, can certainly put a stop to many investigations. However, there are methods to bypass encryption, including simply finding the key or code (they tend to be saved on the device in question, on a separate digital device, or even written down on a piece of paper). You can also attempt to guess the encryption key with an educated guess (their birthdate or their passcodes to other devices and accounts), or use a brute-force style of attack, in which software automatically tries millions of passwords per second. Keep in mind that with many encryption schemes, you will be permanently locked out or the data will be erased if too many incorrect login attempts are made. Finally, there are numerous flaws to be found in encryption schemes, and you can sometimes access the plaintext version if the device is still in use by its owner.
Just like in comic books, the hero of the story tends to have an exact opposite in the form of a villain. In digital forensics, there is just as much (if not more) technology and advancement behind anti-forensics as there is behind digital forensics. Encryption, modifying file metadata, and file obfuscation (disguising files) are all methods that make our job more difficult.
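Two of the anti-forensic methods named above, altered file metadata and disguised files, leave traces that an examiner can screen for mechanically: a file whose content signature does not match its extension, a modification time earlier than its creation time, a modification time later than the file system's own metadata change time (which ordinary file operations move forward whenever the modification time is set), and timestamps truncated to whole seconds. The following Python example is added here to show such a screening pass; it is not code from the original article or from any forensic tool. The file records are constructed for the example and stand in for metadata that would normally be pulled from a parsed file system.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FileRecord:
    path: str
    head: bytes         # first bytes of the file content (where the signature lives)
    created: datetime   # creation (birth) time
    modified: datetime  # last content modification time
    changed: datetime   # last metadata change time, maintained by the file system itself


# Content signatures and the extensions that legitimately carry them.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", {"exe", "dll", "sys"}),
]


def detect_type(head):
    """Return the set of extensions matching the content signature, or None if unknown."""
    for magic, extensions in SIGNATURES:
        if head.startswith(magic):
            return extensions
    return None


def extension(path):
    """Lower-case extension of the final path component ('' if it has none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_record(rec):
    """Return a list of human-readable indicators for one file (empty list = nothing odd)."""
    findings = []
    expected = detect_type(rec.head)
    ext = extension(rec.path)
    if expected is not None and ext not in expected:
        findings.append(f"content signature ({'/'.join(sorted(expected))}) does not match extension '.{ext}'")
    if rec.modified < rec.created:
        findings.append("modified before created")
    # Setting the modified time through normal APIs also moves the metadata change
    # time forward, so a modified time ahead of the change time was set artificially.
    if rec.modified > rec.changed:
        findings.append("modified time later than metadata change time")
    # Whole-second timestamps are typical of timestamp-editing tools, but also of
    # archive extraction and some copy operations: a weak indicator on its own.
    if rec.modified.microsecond == 0 and rec.created.microsecond == 0:
        findings.append("timestamps truncated to whole seconds (weak indicator)")
    return findings


def triage(records):
    """Run the checks over a collection of records: {path: [findings]}."""
    return {rec.path: check_record(rec) for rec in records}


def _ts(text, micro=0):
    """Build a UTC timestamp from 'YYYY-MM-DDTHH:MM:SS' plus microseconds."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc, microsecond=micro)


# Constructed sample records (not from any real case).
SAMPLE_FILES = [
    # Ordinary document: consistent signature and timestamps.
    FileRecord("Documents/report.pdf", b"%PDF-1.7\n",
               _ts("2023-03-01T10:00:00", 412337), _ts("2023-03-04T16:20:11", 903120), _ts("2023-03-04T16:20:11", 903120)),
    # Executable renamed to look like a photo.
    FileRecord("Pictures/vacation.jpg", b"MZ\x90\x00\x03\x00",
               _ts("2023-05-02T09:00:00", 123456), _ts("2023-05-02T09:00:00", 123456), _ts("2023-05-02T09:00:00", 123456)),
    # Modification time pushed back to 2019, truncated to whole seconds.
    FileRecord("Temp/notes.txt", b"Meeting notes\n",
               _ts("2023-06-10T12:00:00"), _ts("2019-01-01T00:00:00"), _ts("2023-06-10T12:00:30")),
    # Modification time pushed into the future, past the metadata change time.
    FileRecord("Temp/tool.exe", b"MZ\x90\x00",
               _ts("2023-06-10T12:00:05", 556000), _ts("2025-01-01T00:00:00"), _ts("2023-06-10T12:01:00", 778000)),
]


def demo():
    return triage(SAMPLE_FILES)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", findings or "no indicators")
```

None of these checks proves tampering on its own; they rank files for a closer look, and a finding should be corroborated against other sources (file system journals, backups, application logs) before it reaches the report.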
After all of the data and evidence has been collected, the next stage is analyzing everything, ensuring that the procedure is thorough, recorded, accurate, repeatable, and completed on time and within budget. There are several tools one can use to analyze the collected data. The SANS SIFT (SANS Investigative Forensic Toolkit) is an excellent free option, as it has all the tools one could require for an in-depth forensic investigation. SIFT supports analysis of Expert Witness Format, raw, and AFF evidence, and its user interface is simple to view and use. SIFT is cross-compatible between Linux and Windows and is filled with the latest forensic techniques and accountability methods. Whichever method you choose to analyze the data, it is always recommended to duplicate the results with a separate tool, which strengthens your case immensely.
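Duplicating results with a second tool only strengthens the case if the two outputs are actually reconciled, file by file, rather than eyeballed. The following Python example is added here to show that reconciliation for the most common artifact, a per-file hash manifest; it is not code from the original article or from SIFT. The first manifest uses the `<digest>  <path>` line format written by `sha256sum`-style tools; the second is a CSV export whose column names (`path`, `sha256`) are assumed for this example. Both manifests and their digests are constructed, and the digests are shortened placeholders rather than real SHA-256 values.

```python
import csv
import io


def normalise_path(path):
    """Make paths comparable across tools: forward slashes, no leading './'."""
    path = path.strip().replace("\\", "/")
    while path.startswith("./"):
        path = path[2:]
    return path


def parse_sum_output(text):
    """Parse `<hex digest>  <path>` lines as written by sha256sum and similar tools.
    A leading '*' on the path (binary mode marker) is dropped. Returns {path: digest}."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, sep, path = line.partition("  ")
        if not sep:
            raise ValueError(f"unrecognised manifest line: {line!r}")
        digests[normalise_path(path.lstrip("*"))] = digest.lower()
    return digests


def parse_csv_report(text, path_col="path", digest_col="sha256"):
    """Parse a CSV report with one row per file (column names assumed for this example)."""
    reader = csv.DictReader(io.StringIO(text))
    return {normalise_path(row[path_col]): row[digest_col].strip().lower() for row in reader}


def compare_manifests(a, b):
    """Cross-check two {path: digest} manifests. Agreement is only claimed where
    both tools saw the file and computed the same digest."""
    paths_a, paths_b = set(a), set(b)
    shared = paths_a & paths_b
    return {
        "agree": sorted(p for p in shared if a[p] == b[p]),
        "mismatch": sorted((p, a[p], b[p]) for p in shared if a[p] != b[p]),
        "only_in_a": sorted(paths_a - paths_b),
        "only_in_b": sorted(paths_b - paths_a),
    }


def consistent(result):
    """True only when every file was seen by both tools with identical digests."""
    return not (result["mismatch"] or result["only_in_a"] or result["only_in_b"])


# Constructed sample outputs; digests are shortened placeholders, not real SHA-256 values.
TOOL_A_OUTPUT = """\
deadbeef01  ./evidence/Documents/report.pdf
cafef00d02  *./evidence/Pictures/vacation.jpg
0badc0de03  ./evidence/Temp/notes.txt
feedface04  ./evidence/Temp/tool.exe
"""

TOOL_B_OUTPUT = """\
path,sha256
evidence/Documents/report.pdf,DEADBEEF01
evidence\\Pictures\\vacation.jpg,cafef00d02
evidence/Temp/notes.txt,1234567805
evidence/Temp/hidden.dat,aaaabbbb06
"""


def demo():
    return compare_manifests(parse_sum_output(TOOL_A_OUTPUT), parse_csv_report(TOOL_B_OUTPUT))


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(f"{key}: {value}")
    print("manifests consistent:", consistent(result))
```

Every disagreement needs an explanation in the report: a mismatching digest means one tool read different bytes (carving boundaries, an alternate data stream, a read error), and a file present in only one manifest means the tools disagree about what is on the image at all. Recording those explanations is what makes the duplicated run evidence rather than decoration.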
Next, compile all of your findings on the case and create a structured report to be delivered. By using information from each of the previous stages, such as your initial instructions, what the risks were, how you collected the digital evidence, and how you processed and analyzed it, you can develop a clear and precise report. Keep your reader's technical skill level in mind. As with any form of paper, you do not want to use unnecessarily complicated terms. Along with this report, be prepared to discuss and defend your findings in person and over the phone, as there will undoubtedly be material and events that need further clarification.
For our last step, the review stage is vital to strengthening the digital forensic process for your next case: learning from your mistakes, evolving your methods, and taking meticulous notes. A simple overview of how your analysis went, what problems came up, what the total cost was, and what the results of your task were will allow you to fine-tune your procedures for the next time your services are needed.