Computer forensics refers to the process of analyzing, collecting and reporting digital information in a legal way. It is used to detect and prevent crime, and can also be used in disputes involving digital evidence. Computer forensics is comparable to other forensic disciplines in terms of examination stages and faces the same issues.
This guide is neutral in its approach to computer forensics. It is not intended to promote any company or product, nor is it linked to specific legislation. It is also not biased towards either law enforcement or commercial computer forensics. This guide is intended for non-technical audiences and gives a high-level overview of computer forensics. Although the term “computer” is used in this guide, the concepts can be applied to any device that can store digital information. These methods are not intended to be used as a guideline or a recommendation. The Creative Commons – Attribution Non-Commercial 3.0 license only permits copying and publishing of this article.
Computer forensics can be used in a variety of areas, including disputes and crime. Computer forensics has been used extensively by law enforcement agencies, who have been the most prolific users. Computers can be considered a “scene of crime”, for example in hacking or denial-of-service attacks, or they could contain evidence in the form of emails, internet history or documents that are relevant to crimes like murder, kidnapping, fraud, and drug trafficking. Investigators may be interested not only in the contents of emails, documents, and other files but also in the metadata associated with these files. Computer forensic examinations can reveal the date and time a document appeared on a computer. They may also reveal when it was last edited or saved.
Computer forensics has been used by commercial organizations in a number of cases, including:
Intellectual Property Theft
Investigations into Bankruptcy
Inappropriate email and internet use in the workplace
Compliance with regulations
Evidence must be reliable and not prejudicial in order to be admissible. This means that computer forensic examiners should keep the admissibility of evidence at the forefront of their minds at all times. The Association of Chief Police Officers Good Practice Guide to Computer Based Electronic Evidence, or the ACPO Guide, has been widely accepted as a guideline. The ACPO Guide is intended for United Kingdom law enforcement, but its core principles can be applied to any computer forensics under any legislature. Below are the four principles of this guide (with no reference to law enforcement):
1. It is not appropriate to alter data stored on computers or storage media that could be used in court.
2. If a person feels the need to access original data stored on a computer or other storage media, they must be competent to do so and able to give evidence explaining the significance and implications of their actions.
3. An audit trail or other record of all processes should be kept. A third party should be able to examine those processes and produce the same result.
4. The person in charge of the investigation is responsible for ensuring that the law and these principles are followed.
In summary: no changes should be made to the original. If access to the original is necessary, however, the examiner must be competent to carry it out and must record the actions taken.
Principle 2 may raise a question: in what circumstances would a computer forensic investigator make changes to the computer of a suspect? The computer forensic examiner would normally make a copy of (or acquire) information from a device that is switched off. A write-blocker is used to make an exact copy of the original storage media. The examiner would then work from this copy rather than from the original storage medium.
Sometimes, however, it may not be possible or desirable to turn a computer off. It may not be possible if switching it off would cause the owner significant financial or other losses. It may not be desirable if switching it off would cause valuable evidence to be lost. In these cases, the computer forensic examiner will need to perform a “live acquisition”, which involves running a small program on the suspect’s computer to copy (or acquire) the data to the examiner’s hard disk.
By running such a program and attaching a destination drive to the suspect’s computer, the examiner makes changes or additions to the computer’s state that were not there before. These actions remain admissible so long as the examiner records them, is aware of their effects and can explain them.
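An added example, not part of the original guide: one way to record an acquisition so that a third party can repeat the check and reach the same result, as principle 3 asks. It assumes SHA-256 as the integrity check and a hash-chained log; the function names are hypothetical, and a temporary file stands in for the storage media.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, action, detail):
    """Add an audit record that commits to the record before it."""
    body = {"seq": len(log), "utc": datetime.now(timezone.utc).isoformat(),
            "action": action, "detail": detail,
            "prev": log[-1]["entry_hash"] if log else "0" * 64}
    log.append({**body, "entry_hash": _digest(body)})

def verify_log(log):
    """Recompute the chain; an edited or reordered record makes it fail."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev"] != prev or entry["entry_hash"] != _digest(body):
            return False
        prev = entry["entry_hash"]
    return True

def acquire_and_verify(source, image, log):
    """Copy source to image, then log both hashes and whether they match."""
    append_entry(log, "acquire_start", {"source": source, "image": image})
    shutil.copyfile(source, image)  # stand-in for the imaging tool
    src_hash, img_hash = sha256_file(source), sha256_file(image)
    append_entry(log, "acquire_verify", {"source_sha256": src_hash,
                 "image_sha256": img_hash, "match": src_hash == img_hash})
    return src_hash == img_hash

def demo():
    """Constructed sample: a temporary file stands in for the storage media."""
    with tempfile.TemporaryDirectory() as d:
        source, image = os.path.join(d, "media.bin"), os.path.join(d, "image.bin")
        with open(source, "wb") as f:
            f.write(os.urandom(4096) * 300)
        log = []
        result = (acquire_and_verify(source, image, log), verify_log(log))
        log[0]["detail"]["image"] = "edited.bin"  # simulate a later edit to the record
        return result + (verify_log(log),)
```

`demo()` returns whether the copy matched, whether the untouched log verifies, and whether it still verifies after one record is edited. The chain does not detect records dropped from the end of the log, so the final entry hash should also be noted somewhere outside the log.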
Stages of an Examination
The computer forensic examination process is divided into six stages for the purposes of this article. They are listed in chronological order, but it is important to be flexible during an examination. For example, during the analysis stage the examiner might find a new lead that warrants further computer examinations. This would result in a return to the evaluation stage.
Readiness is an important, but often overlooked, stage of the examination process. It can also include teaching clients about system readiness. For example, forensic examinations are more effective if the server’s built-in auditing or logging systems have been turned on. Examiners can benefit from prior organisation in many areas. This includes training, regular testing and verification, dealing with unexpected issues (e.g. what to do if child pornography appears during a commercial job), and making sure that the on-site acquisition kit works properly.
The evaluation stage involves receiving clear instructions, risk analysis, and the allocation of resources and roles. A risk analysis may be used by law enforcement to determine the likelihood that a suspect will become a physical threat and how best to deal with it. Businesses must also be aware of safety and health issues. Their evaluation should also consider reputational and financial risk when accepting a project.
Acquisition, the main part of the collection stage, was introduced above. If acquisition is to take place on-site, this stage includes identifying, documenting and securing the scene. It usually includes interviews or meetings with people who might have information that could be useful in the examination. These could include end users, managers and those responsible for providing computer services. This is where the ‘bagging and tagging’ audit trail begins. All materials should be sealed in unique, tamper-evident bags. It is also important to transport the material safely and securely to the examiner’s laboratory.
Each job is unique and the details of each case will affect how analysis is done. During analysis, the examiner will usually give feedback to the client. This dialogue can lead to a new path or to narrowing down to particular areas. Analyses must be thorough, objective, impartial, recorded, repeatable and completed within the allocated time and resources. Computer forensics analysis can be done with many tools. We believe that an examiner should choose any tool that they are comfortable with, as long as it can be justified. Computer forensic tools must perform their intended function. Examiners should regularly test and calibrate their tools before any analysis takes place. Double-tool verification is a way to confirm the integrity of results during analysis. If tool A finds artefacts X and Y, then tool B should reproduce these results.
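An added example, not part of the original guide: double-tool verification applied to the artefact listings of two tools. The tools, the record layout (path, SHA-256, last-modified time) and every sample value are constructed for illustration.

```python
# Constructed sample output from two hypothetical tools:
# (path, sha256, last modified UTC). Hash values are made up.
TOOL_A = [
    ("\\Users\\alice\\Documents\\plan.docx", "A3F1" * 16, "2024-03-01T09:15:00Z"),
    ("\\Users\\alice\\Downloads\\notes.txt", "0B7C" * 16, "2024-03-02T18:40:12Z"),
    ("\\Users\\alice\\Pictures\\scan.jpg", "5D2E" * 16, "2024-03-03T11:02:45Z"),
]
TOOL_B = [
    ("/users/alice/documents/plan.docx", "a3f1" * 16, "2024-03-01T09:15:00Z"),
    ("/users/alice/downloads/notes.txt", "0b7c" * 16, "2024-03-02T19:40:12Z"),
    ("/users/alice/appdata/cache.db", "9e44" * 16, "2024-03-04T07:30:00Z"),
]

def normalise(records):
    """Key artefacts by a normalised path so formatting differences between
    tools (slashes, letter case) are not reported as disagreements.
    Lower-casing assumes a case-insensitive file system."""
    out = {}
    for path, digest, modified in records:
        key = path.replace("\\", "/").strip("/").lower()
        out[key] = {"sha256": digest.lower(), "modified_utc": modified}
    return out

def cross_verify(tool_a, tool_b):
    """Classify each artefact as confirmed, seen by one tool only, or conflicting."""
    a, b = normalise(tool_a), normalise(tool_b)
    report = {"confirmed": [], "only_a": [], "only_b": [], "conflict": {}}
    for key in sorted(a.keys() | b.keys()):
        if key not in b:
            report["only_a"].append(key)
        elif key not in a:
            report["only_b"].append(key)
        else:
            differing = [f for f in a[key] if a[key][f] != b[key][f]]
            if differing:
                report["conflict"][key] = differing  # fields the tools disagree on
            else:
                report["confirmed"].append(key)
    return report
```

Only the entries under `confirmed` have been reproduced by both tools; everything else is a lead for the examiner to explain and record, such as the one-hour timestamp difference in the sample, which is the kind of gap a time-zone setting can produce.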
The examiner will usually produce a structured report of their findings. This includes addressing all points raised in the instructions and any additional instructions. The report would include any additional information that the examiner considers necessary to the investigation. It must be written with the end user in mind. In many cases, the reader will not be technical so terminology should reflect this. It is important that the examiner is available to attend meetings or phone conferences in order to discuss and expand on the report.
Like the readiness stage, the review stage is often overlooked or neglected. This is usually due to perceived costs, such as the cost of doing work that is not billable, or the desire to ‘get on with the next task’. A review stage can be incorporated into every examination to save money and improve quality. It will also make future examinations faster and more efficient. Reviewing an examination is easy and fast, and can be done during any one of the stages. This review may consist of a brief summary of the examination, including a description of what went wrong and how it can be fixed, and an evaluation of the results to see if they can be used in future examinations. It is also important to seek feedback from the instructing party. The lessons learned from this stage should then be applied to the next examination.
Issues facing computer forensics
Computer forensics examiners face three main issues: technical, legal, and administrative.
Encryption: Investigators may not be able to access encrypted files or hard drives without the right key or password. Examiners should consider that the key or password could be stored elsewhere on the computer, or on another computer that the suspect may have had access to. It may also be stored in volatile memory (RAM), which is often lost when a computer is shut down. This is another reason to use live acquisition techniques, as described above.
More storage: Storage media hold ever more data. This means that the examiner must have enough processing power and storage available to effectively deal with analysing and searching through huge amounts of data.
Latest technologies: Computing is a constantly evolving field, with new software, hardware and operating systems being continually produced. Although examiners are not experts in all areas of computer forensics, they might be asked to analyze something they haven’t seen before. To deal with this situation, the examiner must be able to experiment with and test new technologies. It’s also a good idea to network with other computer forensic examiners and share your knowledge, as you never know who might have encountered the same problem.
Anti-forensics: The practice of trying to stop computer forensic analysis is called anti-forensics. This could include encryption, overwriting data to make it impossible to recover, modification of files’ metadata and file obfuscation (disguising of files). As with encryption, the evidence that such methods were used may also be stored elsewhere on the computer or on another computer that the suspect has access to. Our experience shows that it is rare for anti-forensics tools to be used correctly or frequently enough to completely obscure their existence.