Computer Forensic

This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and is not written in bias of either law enforcement or commercial computer forensics.The guide is aimed at a non-technical audience and provides a high-level view of computer forensics. Although the term “computer” is used, the concepts apply to any device capable of storing digital information.Where methodologies have been mentioned they are provided as examples only, and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 4.0 license.

There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field.Computers may constitute a ‘scene of a crime’, for example with hacking [1] or denial of service attacks [2] or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking.It is not just the content of emails, documents and other files which may be of interest to investigators but also the ‘metadata’ [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.

More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as;

* Intellectual Property theft
* Industrial espionage
* Employment disputes
* Fraud investigations
* Forgeries
* Bankruptcy investigations
* Inappropriate email and internet use in the work place
* Regulatory compliance

For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of a computer forensic investigation admissibility should be at the forefront of the examiner’s mind.A widely used and respected set of guidelines which can guide the investigator in this area is the Association of Chief Police Officers Good Practice Guide for Digital Evidence [PDF], or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics.

The four main principles from this guide (with references to law enforcement removed) are as follows:

1. No action should change data held on a computer or storage media which may be subsequently relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third-party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In what situations would changes to a suspect’s computer by a computer forensic examiner be necessary?

Traditionally, the computer forensic examiner would make a copy (or acquire) information from a device which is turned off. A write-blocker [4]would be used to make an exact bit for bit copy [5] of the original storage medium. The examiner would work from this copy, leaving the original demonstrably unchanged.However, sometimes it is not possible or desirable to switch a computer off. It may not be possible if doing so would, for example, result in considerable financial or other loss for the owner. The examiner may also wish to avoid a situation whereby turning a device off may render valuable evidence to be permanently lost. In both these circumstances the computer forensic examiner would need to carry out a ‘live acquisition’ which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner’s hard drive.By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before his actions. However, the evidence produced would still usually be considered admissible if the examiner was able to show why such actions were considered necessary, that they recorded those actions and that they are to explain to a court the consequences of those actions.

The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.

Technical issues

Encryption – Encrypted data can be impossible to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer which the suspect has had access to. It could also reside in the volatile memory of a computer (known as RAM [6]) which is usually lost on computer shut-down; another reason to consider using live acquisition techniques, as outlined above.

Increasing storage space – Storage media hold ever greater amounts of data, which for the examiner means that their analysis computers need to have sufficient processing power and available storage capacity to efficiently deal with searching and analysing large amounts of data.

New technologies – Computing is a continually evolving field, with new hardware, software and operating systems emerging constantly. No single computer forensic examiner can be an expert on all areas, though they may frequently be expected to analyse something which they haven’t previously encountered. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is very useful in this respect as it’s likely someone else has already come across the same issue.

Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files’ metadata and file obfuscation (disguising files). As with encryption, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience, it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence that they were used to hide.

Legal issues

Legal issues may confuse or distract from a computer examiner’s findings. An example here would be the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something benign but which carries a hidden and malicious purpose. Trojans have many uses, and include key-logging [7]), uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user’s knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument. A good examiner will have identified and addressed possible arguments from the “opposition” while carrying out the analysis and in writing their report.

Administrative issues

Accepted standards – There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. The reasons for this include: standard-setting bodies being tied to particular legislations; standards being aimed either at law enforcement or commercial forensics but not at both; the authors of such standards not being accepted by their peers; or high joining fees for professional bodies dissuading practitioners from participating.

Fit to practice – In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.