Computer forensics

A forensic expert examining a mobile device that was seized during an investigation
Media types used for computer forensic analysis: a Fujifilm FinePix digital camera, two flash memory cards, a USB flash drive, a 5GB iPod, a CD-R or DVD recordable, and a Mini CD.

Computer forensics (also known as computer forensic science [1] ) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high-profile cases and is accepted as reliable within U.S. and European court systems.

Overview

In the early 1980s, personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit fraud). At the same time, several new "computer crimes" were recognized (such as cracking). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Since then, computer crime and computer-related crime have grown, with the FBI reporting a suspected 791,790 internet crimes alone in 2020, a 69% increase over the amount reported in 2019. [2] [3] Today, computer forensics is used to investigate a wide variety of crime, including child pornography, fraud, espionage, cyberstalking, murder, and rape. The discipline also features in civil proceedings as a form of information gathering (for example, electronic discovery).

Forensic techniques and expert knowledge are used to explain the current state of a digital artifact, such as a computer system, storage medium (e.g., hard disk or CD-ROM), or an electronic document (e.g., an email message or JPEG image). [4] The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. In a 2002 book, Computer Forensics, authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data". [5] They go on to describe the discipline as "more of an art than a science", indicating that forensic methodology is backed by flexibility and extensive domain knowledge. However, while several methods can be used to extract evidence from a given computer, the strategies used by law enforcement are fairly rigid and lack the flexibility found in the civilian world. [6]

Cybersecurity

Computer forensics is often confused with cybersecurity. Cybersecurity is about prevention and protection, while computer forensics is reactive and investigative, involving activities such as tracking and exposing. System security usually encompasses two teams, cybersecurity and computer forensics, which work together. A cybersecurity team creates systems and programs to protect data; if these fail, the computer forensics team recovers the data and performs the investigation into the intrusion and theft. Both areas require knowledge of computer science. [7]

Computer forensics is used to convict those involved in physical and digital crimes. Some of these computer-related crimes include interruption, interception, copyright infringement, and fabrication. Interruption relates to the destruction and stealing of computer parts and digital files. Interception is the unauthorized access of files and information stored on technological devices. [8] Copyright infringement is using, reproducing, and distributing copyrighted information, including software piracy. Fabrication is the introduction of false data and information into the system through an unauthorized source. Examples of interceptions are the Bank NSP case, the Sony.Sambandh.com case, and business email compromise scams. [9]

Use as evidence

In court, computer forensic evidence is subject to the usual requirements for digital evidence. This requires that information be authentic, reliably obtained, and admissible. [10] Different countries have specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often follow Association of Chief Police Officers guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts.

Computer forensics has been used as evidence in criminal law since the mid-1980s; some notable examples include: [11]

Forensic process

A portable Tableau write blocker attached to a Hard Drive

Computer forensic investigations usually follow the standard digital forensic process or phases: acquisition, examination, analysis, and reporting. Investigations are performed on static data (i.e. acquired images) rather than "live" systems. This is a change from early forensic practices where a lack of specialist tools led to investigators commonly working on live data.
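The acquisition phase described above produces the static image that every later phase works from, so its integrity has to be demonstrable: the examiner hashes the source as it is read, hashes the written image, records both, and can re-verify the image at any later point. The following is an added example of that workflow, not code from the article or from any forensic tool it names. The function names (acquire_image, verify_image, demo), the block size and the 300 KiB "device" content are assumptions constructed for the example; on a real exhibit the source would be a block device opened behind a hardware write blocker such as the Tableau unit pictured above.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 64 * 1024  # imaging tools copy in fixed-size blocks (assumed size)


def _blocks(path):
    """Yield a file's contents block by block, opened read-only."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            yield chunk


def _digests(chunks):
    """MD5 and SHA-256 over an iterable of byte blocks (both are still
    commonly recorded on acquisition forms, hence the pair)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def acquire_image(source_path, image_path):
    """Bit-for-bit copy of source -> image. The source is hashed as it is read
    (so the hash covers exactly the bytes that were copied) and the written
    image is hashed again afterwards; 'verified' is True only if both agree."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
    source_hashes = (md5.hexdigest(), sha.hexdigest())
    image_hashes = _digests(_blocks(image_path))
    return {
        "source_md5": source_hashes[0],
        "source_sha256": source_hashes[1],
        "image_md5": image_hashes[0],
        "image_sha256": image_hashes[1],
        "verified": source_hashes == image_hashes,
    }


def verify_image(image_path, record):
    """Re-verification before examination: the image must still match the
    hashes recorded at acquisition time."""
    md5, sha = _digests(_blocks(image_path))
    return md5 == record["image_md5"] and sha == record["image_sha256"]


def demo():
    """Constructed 'device': a deterministic 300 KiB byte pattern (not real
    exhibit data). Returns (verified at acquisition, verified later intact,
    verified after a one-byte change to the image)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "device.bin")
    img = os.path.join(tmp, "device.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 1200)  # constructed source content
    rec = acquire_image(src, img)
    ok_intact = verify_image(img, rec)
    # Simulate an unintended modification of the image after acquisition:
    # the recorded hashes no longer match, so the image fails verification.
    with open(img, "r+b") as f:
        f.seek(1000)
        f.write(b"X")
    ok_modified = verify_image(img, rec)
    return rec["verified"], ok_intact, ok_modified


if __name__ == "__main__":
    print(demo())
```

The hash recorded in the acquisition record is the reference for the rest of the case: if a later verify_image call fails, the examiner knows the working copy can no longer be relied on and must return to the original exhibit or a verified backup image.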

Computer forensics lab

The computer forensic lab is a safe and protected zone where electronic data can be managed, preserved, and accessed in a controlled environment, with a greatly reduced risk of damage or modification to the evidence. Computer forensic examiners have the resources needed to elicit meaningful data from the devices that they are examining. [15]

Techniques

A number of techniques are used during computer forensics investigations, and these include the following:

Cross-drive analysis
This is a forensic technique that correlates information found on multiple hard drives, and has been used to identify social networks and perform anomaly detection. [16] [17] [18]
Live analysis
The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
Deleted files
A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. [19] Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
Stochastic forensics
A method which uses stochastic properties of the computer system to investigate activities lacking digital artifacts. Its chief use is to investigate data theft.
Steganography
One of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. An example would be to hide pornographic images of children or other information that a given criminal does not want to have discovered. Computer forensics professionals can fight this by looking at the hash of the file and comparing it to the original image (if available). While the images appear identical upon visual inspection, the hash changes as the data changes. [20]
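Cross-drive analysis, as introduced above, works by extracting pseudo-unique features (e-mail addresses, credit card numbers, message IDs) from every drive and then looking for features that occur on more than one drive; drives that share many features are linked, which is how the technique recovers social networks and flags outliers. The following is an added example of that correlation step, not code from the article or from the cited papers. The e-mail-address feature extractor, the function names and the three "drive images" are constructed assumptions; a real implementation would run the extractor over the raw bytes of each acquired image, not over short strings.

```python
import re
from collections import defaultdict

# Feature extractor: e-mail addresses found anywhere in the raw bytes,
# including unallocated space (no file system parsing needed).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_features(raw):
    """Set of normalised (lower-cased) e-mail addresses found in raw drive bytes."""
    return {m.group(0).lower().decode("ascii") for m in EMAIL_RE.finditer(raw)}


def cross_drive_correlate(drives):
    """drives: mapping drive_id -> raw bytes.
    Returns feature -> sorted list of drive ids, keeping only features that
    appear on at least two drives (single-drive features carry no link)."""
    index = defaultdict(set)
    for drive_id, raw in drives.items():
        for feature in extract_features(raw):
            index[feature].add(drive_id)
    return {f: sorted(ids) for f, ids in index.items() if len(ids) >= 2}


def drive_affinity(drives):
    """Number of shared features per drive pair: the edge weights of the
    social network implied by the drives. Pairs sharing nothing are omitted."""
    features = {d: extract_features(raw) for d, raw in drives.items()}
    ids = sorted(features)
    pairs = {}
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            shared = features[a] & features[b]
            if shared:
                pairs[(a, b)] = len(shared)
    return pairs


# Constructed sample "drive images": fragments of mail, a document and slack
# space with binary noise. These are made up for the example.
SAMPLE_DRIVES = {
    "drive01": b"From: alice@example.org\nTo: bob@example.org\nSubject: invoice\n\x00\x00",
    "drive02": b"\xff\xd8junk Bob@Example.org wrote: see carol@example.net\n",
    "drive03": b"contacts.csv: carol@example.net,dave@example.com\n",
}

if __name__ == "__main__":
    for feature, where in sorted(cross_drive_correlate(SAMPLE_DRIVES).items()):
        print(f"{feature} appears on {', '.join(where)}")
    print(drive_affinity(SAMPLE_DRIVES))
```

Note that the extractor lower-cases addresses before indexing, so "Bob@Example.org" on drive02 correlates with "bob@example.org" on drive01; without normalisation the link between the two drives would be missed.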
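Two of the techniques listed above, header/footer file carving and hash comparison against a known original, fit together naturally: files are carved out of a raw image by signature, then each carved file is hashed and checked against the hashes of known originals, so a copy that "looks identical" but has been altered (as in the steganography case) stands out as an unknown hash. The following is an added example combining both, not code from the article or from any forensic product it names. The JPEG signatures are the real ones; the carver, the function names, the "disk image" and the two fake JPEG bodies are constructed for the example and are not decodable pictures.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker plus first marker byte
JPEG_EOI = b"\xff\xd9"      # end-of-image marker


def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Header/footer carving over a raw image: for each SOI, take everything up
    to the next EOI. Returns a list of (offset, bytes). A header with no
    footer within max_size is skipped rather than swallowing the rest of the
    image (a truncated or overwritten file)."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            pos = start + 1
            continue
        found.append((start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def classify(carved, known_hashes):
    """Compare each carved file's hash with a table of known originals
    (sha256 -> label); anything not in the table is reported as 'unknown'."""
    return [(offset, known_hashes.get(sha256_hex(data), "unknown"))
            for offset, data in carved]


def fake_jpeg(payload):
    """Constructed JPEG-like blob: SOI, a JFIF-style APP0 stub, payload, EOI.
    Enough structure for a carver; not a real picture."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + payload + JPEG_EOI


# Constructed sample data: an "original" file and a copy of the same length
# with a single byte changed, separated by filler bytes as on a real disk.
ORIGINAL = fake_jpeg(b"pixels" * 50)
MODIFIED = fake_jpeg(b"pixels" * 49 + b"pixelz")
DISK_IMAGE = b"\x00" * 512 + ORIGINAL + b"\xaa" * 300 + MODIFIED + b"\x00" * 100

KNOWN = {sha256_hex(ORIGINAL): "original.jpg"}


def analyze(image=DISK_IMAGE, known=KNOWN):
    """Carve, then classify: returns [(offset, label), ...]."""
    return classify(carve_jpegs(image), known)


if __name__ == "__main__":
    for offset, label in analyze():
        print(f"offset {offset}: {label}")
```

The second carved file differs from the original by one byte in the payload, so the carver recovers two files of identical size whose hashes differ; only the first matches the known-original table. Real carvers add validation of the recovered structure (here one could parse the JPEG markers) because a signature match alone also picks up fragments and false positives.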

Mobile device forensics

Phone Logs: Phone companies usually keep logs of calls received, which can be helpful when creating timelines and gathering the locations of persons when the crime occurred. [21]

Contacts: Contact lists help narrow down the suspect pool due to their connections with the victim or suspect. [21]

Text messages: Messages contain timestamps and remain in company servers indefinitely, even if deleted on the original device. Because of this, messages act as crucial records of communication that can be used to convict suspects. [21]

Photos: Photos can be critical in either supporting or disproving alibis by displaying a location or scene along with a timestamp of when the photo was taken. [21]

Audio Recordings: Some victims might have been able to record pivotal moments of the struggle, like the voice of their attacker or extensive context of the situation. [21]

Volatile data

Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registers, caches, and random access memory (RAM). The investigation of this volatile data is called "live forensics".

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. [14] One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool, WinDD, or WindowsSCOPE) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.

RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect exploited by the cold boot attack. The length of time that data is recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination. [22]

Some of the tools needed to extract volatile data, however, require that a computer be in a forensic lab, both to maintain a legitimate chain of evidence, and to facilitate work on the machine. If necessary, law enforcement applies techniques to move a live, running desktop computer. These include a mouse jiggler, which moves the mouse rapidly in small movements and prevents the computer from going to sleep accidentally. Usually, an uninterruptible power supply (UPS) provides power during transit.

However, one of the easiest ways to capture data is by actually saving the RAM data to disk. Various file systems that have journaling features such as NTFS and ReiserFS keep a large portion of the RAM data on the main storage media during operation, and these page files can be reassembled to reconstruct what was in RAM at that time. [23]

Analysis tools

A number of open source and commercial tools exist for computer forensics investigation. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review. [11] Autopsy, Belkasoft Evidence Center, Forensic Toolkit (FTK) and EnCase are some of the tools used in digital forensics.

Jobs in computer forensics

Digital forensics analyst

A digital forensics analyst is responsible for preserving digital evidence, cataloging collected evidence, analyzing evidence in a manner relevant to the ongoing case, responding to cyber breaches (usually in a corporate context), writing reports containing findings, and testifying in court. [24] A digital forensic analyst may alternatively be referred to as a computer forensic analyst, digital forensic examiner, cyber forensic analyst, forensic technician, or other similarly named titles, although these roles perform the same duties. [25]

Certifications

There are several computer forensics certifications available, such as the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional (DFIP) and IACRB Certified Computer Forensics Examiner.

The top vendor-independent certification (especially within the EU) is considered to be the CCFP (Certified Cyber Forensics Professional). [26] [27]

Others worth mentioning for the USA or APAC are: the International Association of Computer Investigative Specialists offers the Certified Computer Examiner program.

The International Society of Forensic Computer Examiners offers the Certified Computer Examiner program.

Many commercial forensic software companies are now also offering proprietary certifications on their products. For example, Guidance Software offers the EnCE certification on its tool EnCase, AccessData offers the ACE certification on its tool FTK, PassMark Software offers certification on its tool OSForensics, and X-Ways Software Technology offers the X-PERT certification for its software, X-Ways Forensics. [28]

See also

Related Research Articles

Forensic accounting (branch of accounting which investigates financial misconduct and fraud)

Forensic accounting, forensic accountancy or financial forensics is the specialty practice area of accounting that investigates whether firms engage in financial reporting misconduct, or financial misconduct within the workplace by employees, officers or directors of the organization. Forensic accountants apply a range of skills and methods to determine whether there has been financial misconduct by the firm or its employees.

Data remanence is the residual representation of digital data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that does not remove data previously written to the media, or through physical properties of the storage media that allow previously written data to be recovered. Data remanence may make inadvertent disclosure of sensitive information possible should the storage media be released into an uncontrolled environment.

Digital forensics (branch of forensic science)

Digital forensics is a branch of forensic science encompassing the recovery, investigation, examination, and analysis of material found in digital devices, often in relation to mobile devices and computer crime. The term "digital forensics" was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Database forensics

Database forensics is a branch of digital forensic science relating to the forensic study of databases and their related metadata.

The Sleuth Kit

The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems. It forms the foundation for Autopsy, a better known tool that is essentially a graphical user interface to the command line utilities bundled with The Sleuth Kit.

Anti–computer forensics or counter-forensics are techniques used to obstruct forensic analysis.

EnCase

EnCase is the shared technology within a suite of digital investigations products by Guidance Software. The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. EnCase is traditionally used in forensics to recover evidence from seized hard drives. It allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information.

In computer security, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer's random-access memory (RAM) by performing a hard reset of the target machine. Typically, cold boot attacks are used for retrieving encryption keys from a running operating system for malicious or criminal investigative reasons. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes following a power switch-off.

Data erasure is a software-based method of data sanitization that aims to completely destroy all electronic data residing on a hard disk drive or other digital media by overwriting data onto all sectors of the device in an irreversible process. By overwriting the data on the storage device, the data is rendered irrecoverable.

Forensic Toolkit, or FTK, is a computer forensics software originally developed by AccessData, an Exterro company. It scans a hard drive looking for various information. It can, for example, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.

Network forensics

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.

File carving is the process of reassembling computer files from fragments in the absence of filesystem metadata.

Mobile device forensics (recovery of evidence from mobile devices)

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.

Digital forensic process

The digital forensic process is a recognized scientific and forensic process used in digital forensics investigations. Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings. The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.

Guidance Software, Inc. was a public company founded in 1997. Headquartered in Pasadena, California, the company developed and provided software solutions for digital investigations primarily in the United States, Europe, the Middle East, Africa, and the Asia/Pacific Rim. Guidance Software had offices in Brazil, Chicago, Houston, New York City, San Francisco, Singapore, United Kingdom and Washington, D.C., and employed approximately 371 employees. On September 14, 2017, the company was acquired by OpenText.

Advanced Digital Forensic Solutions, Inc. is a company based in Reston, Virginia, that develops tools for scanning suspect computers and digital devices to locate and extract data, a process known as digital forensics. Digital forensic tools scan mobile phones, computers and digital devices to collect intelligence or evidence of a crime to identify computers that contain content relevant to an investigation.

Fileless malware is a variant of computer-related malicious software that exists exclusively as a computer memory-based artifact, i.e. in RAM. It does not write any part of its activity to the computer's hard drive, thus increasing its ability to evade antivirus software that incorporates file-based whitelisting, signature detection, hardware verification, pattern analysis, time-stamping, etc., and leaving very little evidence that could be used by digital forensic investigators to identify illegitimate activity. Malware of this type is designed to work in memory, so its existence on the system lasts only until the system is rebooted.

William "Chuck" Easttom II is an American computer scientist specializing in cyber security, cryptography, quantum computing, and systems engineering.

This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.

References

  1. Michael G. Noblett; Mark M. Pollitt; Lawrence A. Presley (October 2000). "Recovering and examining computer forensic evidence" . Retrieved 26 July 2010.
  2. "2020 Internet Crime Report" (PDF).
  3. "IC3 Releases 2020 Internet Crime Report". Federal Bureau of Investigation. Retrieved 2023-03-17.
  4. Yasinsac, A.; Erbacher, R.F.; Marks, D.G.; Pollitt, M.M.; Sommer, P.M. (July 2003). "Computer forensics education". IEEE Security & Privacy. 1 (4): 15–23. doi:10.1109/MSECP.2003.1219052.
  5. Warren G. Kruse; Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. p. 392. ISBN 978-0-201-70719-9. Retrieved 6 December 2010.
  6. Gunsch, G (August 2002). "An Examination of Digital Forensic Models" (PDF).
  7. "What Is Computer Forensics?". Western Governors University. Retrieved 2022-03-04.
  8. Kruse II, Warren G.; Heiser, Jay G. (2001-09-26). Computer Forensics: Incident Response Essentials. Pearson Education. ISBN 978-0-672-33408-5.
  9. Sabry, Fouad (2022-07-10). Digital Forensics: How digital forensics is helping to bring the work of crime scene investigating into the real world. One Billion Knowledgeable.
  10. Adams, R. (2012). "'The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice".
  11. Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 978-0-12-163104-8.
  12. "The Capture of Serial Killer Dennis Rader, BTK | Psychology Today South Africa". www.psychologytoday.com. Retrieved 2023-03-17.
  13. Dooley, Sean (January 22, 2019). "BTK serial killer's daughter: 'We were living our normal life. ... Then everything upended on us'". ABC News. Retrieved 2023-03-17.
  14. Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 978-0-12-374267-4. Retrieved 27 August 2010.
  15. "Chapter 3: Computer Forensic Fundamentals - Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business Executives [Book]". www.oreilly.com. Retrieved 2022-03-04.
  16. Garfinkel, Simson L. (2006-09-01). "Forensic feature extraction and cross-drive analysis". Digital Investigation. The Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS '06). 3: 71–81. doi:10.1016/j.diin.2006.06.007. ISSN 1742-2876.
  17. "EXP-SA: Prediction and Detection of Network Membership through Automated Hard Drive Analysis".
  18. David, Anne; Morris, Sarah; Appleby-Thomas, Gareth (2020-08-20). "A Two-Stage Model for Social Network Investigations in Digital Forensics" (PDF). Journal of Digital Forensics, Security and Law. 15 (2). doi:10.15394/jdfsl.2020.1667. ISSN 1558-7223. S2CID 221692362.
  19. Aaron Phillip; David Cowen; Chris Davis (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 978-0-07-162677-4. Retrieved 27 August 2010.
  20. Dunbar, B (January 2001). "A detailed look at Steganographic Techniques and their use in an Open-Systems Environment".
  21. Pollard, Carol (2008). Computer Forensics for Dummies. John Wiley & Sons, Incorporated. pp. 219–230. ISBN 9780470434956.
  22. J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten (2008-02-21). "Lest We Remember: Cold Boot Attacks on Encryption Keys". Princeton University. Retrieved 2009-11-20.
  23. Geiger, M (March 2005). "Evaluating Commercial Counter-Forensic Tools" (PDF). Archived from the original (PDF) on 2014-12-30. Retrieved 2012-04-02.
  24. "What Is a Digital Forensic Analyst?". EC Council. 2022-12-28. Archived from the original on 2022-11-28. Retrieved 2022-12-28.
  25. "CISA Cyber Defense Forensics Analyst". Cybersecurity & Infrastructure Security Agency (CISA). 2022-12-28. Archived from the original on 2022-11-05. Retrieved 2022-12-28.
  26. "Cybersecurity Certification". isc2.org. Retrieved 2022-11-18.
  27. "CCFP Salaries surveys". ITJobsWatch. Archived from the original on 2017-01-19. Retrieved 2017-06-15.
  28. "X-PERT Certification Program". X-pert.eu. Retrieved 2015-11-26.

Further reading