Computer Forensics In Everyday Practice

Computer forensics is a branch of the forensic sciences and is becoming increasingly important in court cases as cybercrime increases. As a result of the work of these computer experts, evidence can now be brought to court cases to help solve some of the worst internet- and technology-based crimes. This is one of the most exciting and cutting-edge careers in the computer field today.

Computer forensics experts work a little differently from other forensics experts, however. Forensic science itself is quite an old field of study, although many fields of forensics rely on cutting edge technology to help solve their crimes. What is different with computer forensics is often the nature of the data being studied. Instead of simply taking regular fingerprints, “digital fingerprints” are also examined, meaning the traces left by a criminal in the data files of a computer. Instead of taking blood or DNA samples, the history of computer access will also be examined. Computer forensics experts also tend to deal with murder crime scenes less and financial and business espionage crime scenes much more often.

However, there are important similarities between forensics work done on computers and other branches of the forensic sciences, in that treating the collected data carefully is of the utmost importance. During your training to become a computer forensics specialist, you will learn not only how to analyze and collect data, but also how to prepare the documentation that the courts will need in order to accept this data during a case. You will also learn how to use sophisticated software to help analyze and retrieve data in crime scenes.

If you decide to pursue training to become a forensics specialist, you will have numerous employment options both in the private and the public sector once you have completed your training and received certification. For public sector jobs, you may be working with the police, military or similar institutions. Private sector work may be either for a company or a contract firm.

If you do work for the police or a similar agency, much of your time may be spent analyzing computers seized from crime scenes. Many criminals are unaware that simply emptying a computer’s trash bin does not permanently erase data from the computer, and computer forensics specialists are often able to retrieve this data and use it to help convict criminals.

If you go to work for a private company, you may be in charge of such tasks as preventing the theft of sensitive data or doing forensics work after a breach has been discovered.

Both private and public sector jobs tend to pay well, and this is definitely a field of employment that expects significant growth in the future. If you are a person who loves working with computers, becoming a computer forensics specialist may be a great career choice for you.

Computer Forensic Examiner Uncovers Digital Evidence Of Criminal Activity

Computer Forensics now aids in solving crimes

We now live in a digital age where the computer permeates almost every aspect of our lives. Almost all transactions and records of our activities are now recorded electronically. Unfortunately, the digital era has also ushered in an age of digital crime.

Computer forensics involves searching computers for evidence of crime and also for evidence in traditional crimes. Some examples of cybercrime include hacking, releasing viruses and various internet scams such as phishing or spoofing of real web sites.

The specialists who uncover digital evidence of criminal activity and assist in presenting evidence are called Computer Forensics specialists or Computer Forensic examiners. The Forensic Specialist is an expert on retrieving lost, hidden or deleted information on any electronic device. These specialists may be employed by the government, in law enforcement or in private practice.

This type of forensics is basically a multiform process that includes many complex steps. The first part in the process includes investigation of computer data to uncover evidence of criminal activities. The second part involves analyzing and using the evidence found in the computer, either in or out of court.

Computer Forensics examiners are usually well qualified.

Both civil and criminal proceedings often make use of evidence provided by computer forensic examiners, who may be hired in diverse areas.

Law enforcement: Assistance is usually provided in the handling of seized computer equipment.

Criminal Prosecution: Computer evidence is used in a variety of cases where incriminating documents can be found, such as child pornography, homicides, financial fraud and embezzlement.

Insurance companies: Forensic Specialists may be used to uncover evidence of false accident, workman's compensation claims and arson.

Corporations: Forensics specialists are hired to search employee computers for records of sexual harassment, embezzlement or theft of trade secrets.

Employees may also hire forensic examiners to support claims of wrongful dismissal or age discrimination.

Computer Forensics is quite different from other forensics disciplines, and knowledge of other fields is often required. In addition to being impartial, a computer forensic examiner will typically have a wide range of experience with various types of hardware and software. The specialist should also have the required skill to search a computer thoroughly enough to access deleted, encrypted and password-protected files and other forms of hidden evidence. Additionally, the forensic examiner should be familiar with hardware architecture to know where on the computer to look for the most relevant data. In addition, since most computers are networked in industrial environments, the specialist should also have knowledge of network architecture.

Forensic examiners can perform either on-site inspections of the computer or laboratory inspections of seized equipment. The most crucial step is making sure that all files are copied. Searching computer files may sometimes alter or even destroy data, and the integrity of all data should be preserved to allow for admissibility in court.

Special training for computer forensics is available

It is essential for forensic technicians to have extensive knowledge of computer operating systems, including models and systems no longer in use. Whether your interest lies in capturing criminals or in the technical challenges of computer searches, a career in computer forensics can be very fulfilling and very rewarding.

What Is the Current Demand for Computer Forensics Certification?

In recent years, there have been more computer security related crimes than ever before. The more that digital technology advances, the more chances computer criminals will have to take advantage and find new ways of stealing and destroying data. That is why interest in computer forensics training is growing, and why computer forensics is becoming a sought-after field for those wanting a high-paid and stable forensics career.

If you want to pursue a computer forensics education, there are many forensics classes you will need to complete to get your forensics degree. The basis of your forensics classes will be to become a forensics specialist who can solve computer crimes successfully.

Another aspect of your forensics training will be to find and recover lost or stolen computer systems information, as well as making it safe against future computer criminals. Going to forensics school will also entail becoming trained to analyze other electronic devices besides computers, such as cell phones, iPads, iPhones and other new technological devices that connect to the internet. As a result, you can imagine that there are many in-demand forensics colleges and forensics classes that will help you to get your forensics degree. Believe it or not, you can receive a forensics degree as soon as two years from now.

However, keep in mind that the highest salaried forensics jobs will go to graduates of those forensics colleges that offer a four-year degree in the specialized area. The training you receive when attending a forensics school will include the basics of computer forensics, as well as much more focused education on computer file recovery, how criminals hide data, and administrative procedures when dealing with related court cases.

You will also become an expert in computer forensics software programs used in the profession. If you are someone who enjoys computer work on a full time basis and you also find working with the law interesting, the field of computer forensics will be very rewarding for you. If you also have a degree of skill working with computer software and programs, you will very likely enjoy the computer forensics training you receive.

This is a field that will never be short of jobs because of the continued advancements in computers and digital technology. This, like the healthcare field, is a career you can feel secure about pursuing as it will always be in demand as long as there are computers and people who use them!

Beginner’s Guide to Computer Forensics

Introduction
Computer forensics is the practice of collecting, analysing and reporting on digital information in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.

About this guide
This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not biased towards either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term “computer”, but the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license.

Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a ‘scene of a crime’, for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the ‘meta-data’ [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.

More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:

Intellectual Property theft
Industrial espionage
Employment disputes
Fraud investigations
Forgeries
Matrimonial issues
Bankruptcy investigations
Inappropriate email and internet use in the work place
Regulatory compliance

Guidelines
For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner’s mind. One set of guidelines which has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement its main principles are applicable to all computer forensics in whatever legislature. The four main principles from this guide have been reproduced below (with references to law enforcement removed):

1. No action should change data held on a computer or storage media which may be subsequently relied upon in court.

2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third-party should be able to examine those processes and achieve the same result.

4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary, no changes should be made to the original; however, if access or changes are necessary, the examiner must know what they are doing and record their actions.

Live acquisition
Principle 2 above may raise the question: In what situation would changes to a suspect’s computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device which is turned off. A write-blocker [4] would be used to make an exact bit for bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.

However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence may be lost. In both these circumstances the computer forensic examiner would need to carry out a ‘live acquisition’ which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner’s hard drive.

By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain their actions.
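The following Python example is an addition to this guide, not part of the original article. It illustrates the copy-then-verify workflow described above together with the audit trail of principle 3: the source is copied, both sides are hashed, and the result is written to a log whose entries are chained so that later edits are detectable. An ordinary file stands in for the write-blocked device, and the function names, the choice of SHA-256 and the JSON log format are all assumptions made for the illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so large media never has to fit in memory
ZERO = "0" * 64  # 'prev' value carried by the first log entry (assumed format)

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def append_log(log_path, entry):
    """Append one JSON line that carries the hash of the line before it."""
    with open(log_path, "a+b") as fh:
        fh.seek(0)
        lines = fh.read().splitlines()
        prev = hashlib.sha256(lines[-1]).hexdigest() if lines else ZERO
        entry = dict(entry, utc=datetime.now(timezone.utc).isoformat(), prev=prev)
        fh.write(json.dumps(entry, sort_keys=True).encode() + b"\n")  # appends
    return entry

def acquire(source, image, log_path, examiner):
    """Copy source to image byte for byte, hash both, and log the result."""
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        shutil.copyfileobj(src, dst, CHUNK)
    src_hex, img_hex = sha256_file(source), sha256_file(image)
    return append_log(log_path, {
        "action": "acquire", "examiner": examiner, "source": source,
        "image": image, "source_sha256": src_hex, "image_sha256": img_hex,
        "verified": src_hex == img_hex})

def log_is_intact(log_path):
    """An edited or removed line no longer matches the 'prev' of the next one."""
    prev = ZERO
    with open(log_path, "rb") as fh:
        for line in fh.read().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True

def demo():
    """Constructed run: a temp file stands in for the write-blocked source."""
    with tempfile.TemporaryDirectory() as work:
        source, image, log = (os.path.join(work, n)
                              for n in ("source.bin", "image.dd", "audit.jsonl"))
        with open(source, "wb") as fh:
            fh.write(b"constructed sample sector data" * 4096)
        entry = acquire(source, image, log, "examiner-placeholder")
        recheck = sha256_file(image) == entry["image_sha256"]  # third-party rerun
        with open(image, "r+b") as fh:  # simulate one altered byte in the copy
            fh.write(b"X")
        changed = sha256_file(image) != entry["image_sha256"]
        return entry["verified"], recheck, log_is_intact(log), changed
```

Calling demo() returns four booleans: the copy verified against the source, an independent re-hash reproduced the logged value, the log chain is intact, and a one-byte change to the image is detected.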

Stages of an examination
For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.

Readiness
Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer’s built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job) and ensuring that your on-site acquisition kit is complete and in working order.

Evaluation
The evaluation stage includes the receiving of clear instructions, risk analysis and allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect’s property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover reputational and financial risks on accepting a particular project.

Collection
The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information which could be relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. The ‘bagging and tagging’ audit trail would start here by sealing any materials in unique tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner’s laboratory.

Analysis
Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. There are myriad tools available for computer forensics analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is for them to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis (if with tool ‘A’ the examiner finds artefact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results).

Presentation
This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.

Review
Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need ‘to get on with the next job’. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time effective. A review of an examination can be simple, quick and can begin during any of the above stages. It may include a basic ‘what went wrong and how can this be improved’ and a ‘what went well and how can it be incorporated into future examinations’. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.