Computer forensics

Last updated
A forensic expert examining a mobile device that was seized during an investigation Computer Investigations and Analysis Division (39033998171).jpg
A forensic expert examining a mobile device that was seized during an investigation
Media types used for computer forensic analysis: a Fujifilm FinePix digital camera, two flash memory cards, a USB flash drive, a 5GB iPod, a CD-R or DVD recordable, and a Mini CD. PersonalStorageDevices.agr.jpg
Media types used for computer forensic analysis: a Fujifilm FinePix digital camera, two flash memory cards, a USB flash drive, a 5GB iPod, a CD-R or DVD recordable, and a Mini CD.

Computer forensics (also known as computer forensic science) [1] is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing, and presenting facts and opinions about the digital information.

Contents

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices as other digital evidence. It has been used in a number of high-profile cases and is accepted as reliable within U.S. and European court systems.

Overview

In the early 1980s, personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit fraud). At the same time, several new "computer crimes" were recognized (such as cracking). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Since then, computer crime and computer-related crime has grown, with the FBI reporting a suspected 791,790 internet crimes in 2020, a 69% increase over the amount reported in 2019. [2] [3] Today, computer forensics is used to investigate a wide variety of crimes, including child pornography, fraud, espionage, cyberstalking, murder, and rape. The discipline also features in civil proceedings as a form of information gathering (e.g., Electronic discovery).

Forensic techniques and expert knowledge are used to explain the current state of a digital artifact, such as a computer system, storage medium (e.g., hard disk or CD-ROM), or an electronic document (e.g., an email message or JPEG image). [4] The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. In a 2002 book, Computer Forensics, authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data". [5] They describe the discipline as "more of an art than a science," indicating that forensic methodology is backed by flexibility and extensive domain knowledge. However, while several methods can be used to extract evidence from a given computer, the strategies used by law enforcement are fairly rigid and lack the flexibility found in the civilian world. [6]

Cybersecurity

Computer forensics is often confused with cybersecurity. Cybersecurity focuses on prevention and protection, while computer forensics is more reactionary and active, involving activities such as tracking and exposing. System security usually encompasses two teams: cybersecurity and computer forensics, which work together. A cybersecurity team creates systems and programs to protect data; if these fail, the computer forensics team recovers the data and investigates the intrusion and theft. Both areas require knowledge of computer science. [7]

Computer forensics are used to convict those involved in physical and digital crimes. Some of these computer-related crimes include interruption, interception, copyright infringement, and fabrication. Interruption relates to the destruction and stealing of computer parts and digital files. Interception is the unauthorized access of files and information stored on technological devices. [8] Copyright infringement refers to using, reproducing, and distributing copyrighted information, including software piracy. Fabrication involves accusing someone of using false data and information inserted into the system through an unauthorized source. Examples of interceptions include the Bank NSP case, Sony.Sambandh.com case, and business email compromise scams. [9]

Use as evidence

In court, computer forensic evidence is subject to the usual requirements for digital evidence. This requires that information be authentic, reliably obtained, and admissible. [10] Different countries have specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often follow Association of Chief Police Officers guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts.

Computer forensics has been used as evidence in criminal law since the mid-1980s. Some notable examples include: [11]

Forensic process

A portable Tableau write blocker attached to a hard drive Portable forensic tableau.JPG
A portable Tableau write blocker attached to a hard drive

Computer forensic investigations typically follow the standard digital forensic process, consisting of four phases: acquisition, examination, analysis, and reporting. Investigations are usually performed on static data (i.e., acquired images) rather than "live" systems. This differs from early forensic practices, when a lack of specialized tools often required investigators to work on live data.

Computer forensics lab

The computer forensics lab is a secure environment where electronic data can be preserved, managed, and accessed under controlled conditions, minimizing the risk of damage or alteration to the evidence. Forensic examiners are provided with the resources necessary to extract meaningful data from the devices they examine. [15]

Techniques

Various techniques are used in computer forensic investigations, including:

Cross-drive analysis
This technique correlates information found on multiple hard drives and can be used to identify social networks or detect anomalies. [16] [17]
Live analysis
The examination of computers from within the operating system using forensic or existing sysadmin tools to extract evidence. This technique is particularly useful for dealing with encrypting file systems where encryption keys can be retrieved, or for imaging the logical hard drive volume (a live acquisition) before shutting down the computer. Live analysis is also beneficial when examining networked systems or cloud-based devices that cannot be accessed physically. [18]
Deleted files
A common forensic technique involves recovering deleted files. Most operating systems and file systems do not erase the physical file data, allowing investigators to reconstruct it from the physical disk sectors. Forensic software can "carve" files by searching for known file headers and reconstructing deleted data.
Stochastic forensics
This method leverages the stochastic properties of a system to investigate activities without traditional digital artifacts, often useful in cases of data theft.
Steganography
Steganography involves concealing data within another file, such as hiding illegal content within an image. Forensic investigators detect steganography by comparing file hashes, as any hidden data will alter the hash value of the file.

Mobile device forensics

Phone logs
Phone companies typically retain logs of received calls, which can help create timelines and establish suspects' locations at the time of a crime. [19]
Contacts
Contact lists are useful in narrowing down suspects based on their connections to the victim. [19]
Text messages
Text messages contain timestamps and remain in company servers, often indefinitely, even if deleted from the device. These records are valuable evidence for reconstructing communication between individuals. [19]
Photos
Photos can provide critical evidence, supporting or disproving alibis by showing the location and time they were taken. [19]
Audio recordings
Some victims may have recorded pivotal moments, capturing details like the attacker's voice, which could provide crucial evidence. [19]

Volatile data

Volatile data is stored in memory or in transit and is lost when the computer is powered down. It resides in locations such as registries, cache, and RAM. The investigation of volatile data is referred to as "live forensics."

When seizing evidence, if a machine is still active, volatile data stored solely in RAM may be lost if not recovered before shutting down the system. "Live analysis" can be used to recover RAM data (e.g., using Microsoft's COFEE tool, WinDD, WindowsSCOPE) before removing the machine. Tools like CaptureGUARD Gateway allow for the acquisition of physical memory from a locked computer.[ citation needed ]

RAM data can sometimes be recovered after power loss, as the electrical charge in memory cells dissipates slowly. Techniques like the cold boot attack exploit this property. Lower temperatures and higher voltages increase the chance of recovery, but it is often impractical to implement these techniques in field investigations.

Tools that extract volatile data often require the computer to be in a forensic lab to maintain the chain of evidence. In some cases, a live desktop can be transported using tools like a mouse jiggler to prevent sleep mode and an uninterruptible power supply (UPS) to maintain power.

Page files from file systems with journaling features, such as NTFS and ReiserFS, can also be reassembled to recover RAM data stored during system operation.

Analysis tools

Numerous open-source and commercial tools exist for computer forensics. Common forensic analysis includes manual reviews of media, Windows registry analysis, password cracking, keyword searches, and the extraction of emails and images. Tools such as Autopsy (software), Belkasoft Evidence Center, Forensic Toolkit (FTK), and EnCase are widely used in digital forensics.

Professional education and careers

Digital forensics analyst

A digital forensics analyst is responsible for preserving digital evidence, cataloging collected evidence, analyzing evidence relevant to the ongoing case, responding to cyber breaches (often in a corporate context), writing reports containing findings, and testifying in court. [20] A digital forensic analyst may also be referred to as a computer forensic analyst, digital forensic examiner, cyber forensic analyst, forensic technician, or other similarly named titles, though these roles perform similar duties. [21]

Certifications

Several computer forensics certifications are available, such as the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional (DFIP), and IACRB Certified Computer Forensics Examiner. The top vendor-independent certification, particularly within the EU, is the Certified Cyber Forensics Professional (CCFP). [22] [23]

Many commercial forensic software companies also offer proprietary certifications. [24]

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that may result in unauthorized information disclosure, theft of hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

Steganography is the practice of representing information within another message or physical object, in such a manner that the presence of the concealed information would not be evident to an unsuspecting person's examination. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video. The word steganography comes from Greek steganographia, which combines the words steganós, meaning "covered or concealed", and -graphia meaning "writing".

Steganalysis is the study of detecting messages hidden using steganography; this is analogous to cryptanalysis applied to cryptography.

<span class="mw-page-title-main">Digital forensics</span> Branch of forensic science

Digital forensics is a branch of forensic science encompassing the recovery, investigation, examination, and analysis of material found in digital devices, often in relation to mobile devices and computer crime. The term "digital forensics" was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Acronis True Image is a proprietary backup, imaging, cloning and cybersecurity suite developed by Acronis International GmbH. It can back up files, data, clone storage media and protects the system from ransomware. In 2021, the product was renamed to Acronis Cyber Protect Home Office before being renamed back to True Image in 2024.

<span class="mw-page-title-main">The Sleuth Kit</span>

The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems. It forms the foundation for Autopsy, a better known tool that is essentially a graphical user interface to the command line utilities bundled with The Sleuth Kit.

Anti–computer forensics or counter-forensics are techniques used to obstruct forensic analysis.

<span class="mw-page-title-main">EnCase</span>

EnCase is the shared technology within a suite of digital investigations products by Guidance Software. The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. EnCase is traditionally used in forensics to recover evidence from seized hard drives. It allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information.

Forensic Toolkit, or FTK, is computer forensics software originally developed by AccessData, and now owned and actively developed by Exterro. It scans a hard drive looking for various information. It can, for example, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.

<span class="mw-page-title-main">Network forensics</span>

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.

<span class="mw-page-title-main">Department of Defense Cyber Crime Center</span> United States defense organization

The Department of Defense Cyber Crime Center (DC3) is designated as a Federal Cyber Center by National Security Presidential Directive 54/Homeland Security Presidential Directive 23, as a Department of Defense (DoD) Center Of Excellence for Digital and Multimedia (D/MM) forensics by DoD Directive 5505.13E, and serves as the operational focal point for the Defense Industrial Base (DIB) Cybersecurity program. DC3 operates as a Field Operating Agency (FOA) under the Inspector General of the Department of the Air Force.

File carving is the process of reassembling computer files from fragments in the absence of filesystem metadata.

<span class="mw-page-title-main">Mobile device forensics</span> Recovery of evidence from mobile devices

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.

<span class="mw-page-title-main">Digital forensic process</span>

The digital forensic process is a recognized scientific and forensic process used in digital forensics investigations. Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings. The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.

Guidance Software, Inc. was a public company founded in 1997. Headquartered in Pasadena, California, the company developed and provided software solutions for digital investigations primarily in the United States, Europe, the Middle East, Africa, and the Asia/Pacific Rim. Guidance Software had offices in Brazil, Chicago, Houston, New York City, San Francisco, Singapore, United Kingdom and Washington, D.C., and employed approximately 371 employees. On September 14, 2017, the company was acquired by OpenText.

Forensic search is an emerging field of computer forensics. Forensic search focuses on user created data such as email files, cell phone records, office documents, PDFs and other files that are easily interpreted by a person.

Stochastic forensics is a method to forensically reconstruct digital activity lacking artifacts, by analyzing emergent properties resulting from the stochastic nature of modern computers. Unlike traditional computer forensics, which relies on digital artifacts, stochastic forensics does not require artifacts and can therefore recreate activity which would otherwise be invisible. Its chief application is the investigation of insider data theft.

<span class="mw-page-title-main">CAINE Linux</span> Linux distribution

CAINE Linux is an Italian Linux live distribution managed by Giovanni "Nanni" Bassetti. The project began in 2008 as an environment to foster digital forensics and incidence response (DFIR), with several related tools pre-installed.

This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.

References

  1. Michael G. Noblett; Mark M. Pollitt; Lawrence A. Presley (October 2000). "Recovering and examining computer forensic evidence" . Retrieved 26 July 2010.
  2. "2020 Internet Crime Report" (PDF). IC3.gov.
  3. "IC3 Releases 2020 Internet Crime Report". Federal Bureau of Investigation.
  4. Yasinsac, A.; Erbacher, R.F.; Marks, D.G.; Pollitt, M.M.; Sommer, P.M. (July 2003). "Computer forensics education". IEEE Security & Privacy. 1 (4): 15–23. doi:10.1109/MSECP.2003.1219052.
  5. Warren G. Kruse; Jay G. Heiser (2002). Computer forensics: incident response essentials . Addison-Wesley. p.  392. ISBN   978-0-201-70719-9 . Retrieved 6 December 2010.
  6. Gunsch, G (August 2002). "An Examination of Digital Forensic Models" (PDF).
  7. "What Is Computer Forensics?". Western Governors University.
  8. Kruse II, Warren G.; Heiser, Jay G. (2001). Computer Forensics: Incident Response Essentials. Pearson Education. ISBN   978-0-672-33408-5.
  9. Sabry, Fouad (2022). Digital Forensics: How digital forensics is helping to bring the work of crime scene investigating into the real world. One Billion Knowledgeable. ISBN   978-1-792-30942-6.{{cite book}}: Check |isbn= value: checksum (help)
  10. Adams, R. (2012). "'The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice".
  11. 1 2 3 Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN   978-0-12-163104-8.
  12. "The Capture of Serial Killer Dennis Rader, BTK". Psychology Today.
  13. Dooley, Sean. "BTK serial killer's daughter: 'We were living our normal life... Then everything upended on us'". ABC News.
  14. Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN   978-0-12-374267-4 . Retrieved 27 August 2010.
  15. "Chapter 3: Computer Forensic Fundamentals - Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business Executives [Book]". www.oreilly.com. Retrieved 2022-03-04.
  16. Garfinkel, Simson L. (2006-09-01). "Forensic feature extraction and cross-drive analysis". Digital Investigation. The Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS '06). 3: 71–81. doi: 10.1016/j.diin.2006.06.007 . ISSN   1742-2876.
  17. David, Anne; Morris, Sarah; Appleby-Thomas, Gareth (2020-08-20). "A Two-Stage Model for Social Network Investigations in Digital Forensics" (PDF). Journal of Digital Forensics, Security and Law. 15 (2). doi: 10.15394/jdfsl.2020.1667 . ISSN   1558-7223. S2CID   221692362.
  18. https://espace.curtin.edu.au/bitstream/handle/20.500.11937/93974/Adams%20RB%202023%20Public.pdf?sequence=1&isAllowed=y
  19. 1 2 3 4 5 Pollard, Carol (2008). Computer Forensics for Dummies. John Wiley & Sons, Incorporated. pp. 219–230. ISBN   9780470434956.
  20. "What Is a Digital Forensic Analyst?". EC Council. 2022-12-28. Archived from the original on 2022-11-28. Retrieved 2022-12-28.
  21. "CISA Cyber Defense Forensics Analyst". Cybersecurity & Infrastructure Security Agency (CISA). 2022-12-28. Archived from the original on 2022-11-05. Retrieved 2022-12-28.
  22. "Cybersecurity Certification". isc2.org. Retrieved 2022-11-18.
  23. "CCFP Salaries surveys". ITJobsWatch. Archived from the original on 2017-01-19. Retrieved 2017-06-15.
  24. "X-PERT Certification Program". X-pert.eu. Retrieved 2015-11-26.
  25. J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten (2008-02-21). "Lest We Remember: Cold Boot Attacks on Encryption Keys". Princeton University . Retrieved 2009-11-20.{{cite journal}}: Cite journal requires |journal= (help)CS1 maint: multiple names: authors list (link)
  26. "EXP-SA: Prediction and Detection of Network Membership through Automated Hard Drive Analysis".
  27. Aaron Phillip; David Cowen; Chris Davis (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN   978-0-07-162677-4 . Retrieved 27 August 2010.
  28. Geiger, M (March 2005). "Evaluating Commercial Counter-Forensic Tools" (PDF). Archived from the original (PDF) on 2014-12-30. Retrieved 2012-04-02.
  29. Dunbar, B (January 2001). "A detailed look at Steganographic Techniques and their use in an Open-Systems Environment".

Further reading