THE COMPUTER FORENSIC PROCESS
Computer forensics is the preservation, identification, extraction, interpretation, and documentation of computer evidence. It includes adherence to the applicable rules of evidence (in the United States, the USDOJ rules of evidence) and legal processes, maintaining the integrity of evidence, factual reporting of what was found, and the ability to provide expert opinion in a court of law or other legal proceeding as to what was found.
Computer forensic investigations are used to confirm and prevent theft of information and intellectual property through internal examination and monitoring of usage. In most cases they are conducted reactively, after an incident is suspected; today, however, more proactive computer forensic examinations are used for monitoring and, in some cases, as part of a debriefing process for all investigated employees.
Computer forensics has different facets and is not just one simple procedure. At a basic level, it is the analysis of information contained within and created with computer systems, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved. Computer forensic techniques and methodologies are the means by which such computing investigations are conducted.
In many cases, information is gathered during a computer forensic investigation that is not normally available or visible to the average computer user, such as deleted files and fragments of data left in unallocated space or in the slack space at the end of existing files. Special skills and tools are needed to obtain this type of information or evidence.
Active, Archival, and Latent Data
In computer forensics, there are three types of data that we are concerned with: active, archival, and latent.
- Active Data is the information that you and I can see: data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
- Archival Data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppy disks, or entire hard drives, to cite a few examples.
- Latent Data is the information that one typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten; the filesystem no longer points to it, but the bytes often remain on the media until something else overwrites them.
A computer investigation could entail looking at all of these data types depending on the circumstances. Obtaining latent data is by far the most time consuming and costly.
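To make the difference between active and latent data concrete, the following added example (written for this page, not code from the original author) carves the remnants of deleted files out of a raw image by scanning for known file headers and footers instead of consulting the filesystem, which is how latent data is recovered once the directory entries are gone. The image layout, the "deleted" file contents and the sector size are constructed for the example; the signature table uses the real JPEG, PNG and PDF magic bytes.

```python
# Added example: signature carving of latent (deleted) data from a raw image.
# The sample image below is constructed; it is not a real filesystem.
import hashlib

# Header / footer pairs. Real carvers carry hundreds of these; three suffice here.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 1 << 20  # upper bound on one carved object, so a missing footer cannot swallow the image


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Scan a raw image for every header in `signatures`, ignoring the filesystem.

    Each hit records the type, byte offset, carved length, the carved bytes,
    a status ("complete" when the footer was found within max_size bytes,
    "truncated" when it was not, i.e. the tail was overwritten or is missing)
    and the SHA-256 of the carved bytes so the recovery can be documented.
    """
    hits = []
    for ftype, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + max_size]
            end = window.find(footer, len(header))
            if end == -1:
                data, status = window, "truncated"
            else:
                data, status = window[:end + len(footer)], "complete"
            hits.append({
                "type": ftype,
                "offset": pos,
                "length": len(data),
                "status": status,
                "data": data,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            pos = image.find(header, pos + len(header))
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image() -> bytes:
    """Constructed raw image, 512-byte sectors:
      sectors 0-1: an active text file the filesystem still references
      sectors 2-3: unallocated; a complete JPEG that was deleted
      sectors 4-5: unallocated; a deleted JPEG whose last sector was reused
                   by a later write, so its footer no longer exists (partially
                   overwritten latent data)
    """
    sector = 512
    active = b"quarterly_report.txt: nothing unusual here\n".ljust(2 * sector, b"\x00")
    jpeg_ok = b"\xff\xd8\xff\xe0" + b"JFIF-deleted-photo".ljust(200, b"A") + b"\xff\xd9"
    jpeg_partial = b"\xff\xd8\xff\xe1" + b"Exif-second-photo".ljust(200, b"B")
    unalloc1 = jpeg_ok.ljust(2 * sector, b"\x00")
    overwrite = b"NEW-FILE-CONTENT".ljust(sector, b"C")  # sector reused after the delete
    unalloc2 = jpeg_partial.ljust(sector, b"\x00") + overwrite
    return active + unalloc1 + unalloc2


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(f"{hit['type']:5} @ {hit['offset']:6} len={hit['length']:6} "
              f"{hit['status']:9} sha256={hit['sha256'][:16]}...")
```

On the sample image the carver returns two JPEG hits: a complete one at offset 1024 and a truncated one at offset 2048, which is exactly the "deleted or partially overwritten" distinction made above. Two caveats a practitioner would add: a carver also finds headers embedded inside live files (a JPEG thumbnail inside another JPEG, for instance), so hits must be cross-checked against the filesystem's allocation map before being called "deleted", and files stored non-contiguously will not carve cleanly by this header-to-footer method.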
Computer forensics is all about obtaining proof of a crime or breach of policy: evidence of illegal misuse of computers, gathered and handled in a way that could lead to the prosecution of the culprit.
The primary phases in a computer forensic examination are:
- Initial discussion of the suspicion or concern of potential abuse (typically by telephone)
- Harvesting (acquisition) of all relevant electronic data
- Identification of violations or areas of concern
- Preservation of the evidence
- Production of qualified, verifiable evidence
- Written report with the examiner's comments
If you think you may have a problem, it is best to act quickly: computer evidence is volatile and can be destroyed with ease. It is also better to know for sure than to ignore the possible consequences. If you are unfortunate enough to uncover a potential problem, it is prudent to seek confidential advice from a certified forensic examiner before rushing in.
When carried out correctly, forensic analysis of computer systems involved in abuse can provide valuable evidence that might otherwise have been lost or overlooked. Performed wrongly, even with good intent, it can give the guilty party the opening they need to have a case dismissed, which is why it is imperative to bring in professionals.
The steps involved for a computing investigation are summarized in the following paragraphs. While this really doesn’t do the process justice, it does serve as a quick overview.
- Computer forensic investigations should always be conducted by a certified computer forensic examiner, using licensed tools and equipment, to ensure validity in court and to prevent tainting of the evidence.
- Establish a chain of custody. Be aware at all times where every item related to the investigation is located, and document each transfer of an item between custodians (who, when, and why). Use a safe or locked cabinet to secure items.
- Maintain the integrity of the original media. The original source of information must not be altered. A bit-for-bit image of the drive is made (through a write blocker, so the original is never written to), and the image is authenticated against the original by computing a cryptographic hash of both and confirming they match; all analysis is then done on the verified copy.
- Catalog all information. This includes active, archival, and latent data. Information that has been deleted is recovered to whatever extent possible. Encrypted and password-protected information is identified, as is anything that indicates attempts to hide or obfuscate data.
- Additional sources of information are obtained as the circumstances dictate: firewall logs, proxy server logs, Kerberos server logs, sign-in sheets, and so on.
- The information is analyzed and interpreted to determine possible evidence. Both exculpatory (they didn't do it) and inculpatory (they did it) evidence is sought out. If appropriate, encrypted files and password-protected files are "cracked."
- Submit a written report to the client with your findings and comments.
- If needed, provide testimony at a deposition, trial, or other legal proceeding.
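The imaging, authentication and chain-of-custody steps above, as one added example that is not part of the original page: it acquires a bit-for-bit copy of a constructed "source drive" into an image file while hashing both sides, re-verifies the image by hash (and shows that a single flipped byte in the working copy is caught), and keeps an append-only custody log in which every entry commits to the hash of the previous one, so a retroactive edit to any entry is detectable. The drive contents, file names, custodian names and case identifier are all constructed for the example. On real media the read-only guarantee comes from a hardware write blocker, not from opening the device read-only in software.

```python
# Added example: acquisition with hash authentication plus a tamper-evident
# chain-of-custody log. All data, paths, names and the case ID are constructed.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # hash in 64 KiB blocks so a large image never has to fit in memory


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 in fixed-size blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> tuple:
    """Copy `source` bit-for-bit to `image`, hashing the source as it is read.
    Returns (source_hash, image_hash); they must match before the image is used.
    The source is only opened read-only here; on physical media a hardware
    write blocker is what actually guarantees the original is not altered."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
    return h_src.hexdigest(), sha256_of_file(image)


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return sha256_of_file(image) == expected_sha256


class CustodyLog:
    """Append-only custody record. Each entry's hash covers the previous entry's
    hash, so editing or removing an earlier entry breaks every later link."""
    GENESIS = "0" * 64

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, custodian: str, item: str, item_sha256: str) -> dict:
        entry = {"case": self.case_id, "seq": len(self.entries) + 1,
                 "time": datetime.now(timezone.utc).isoformat(),
                 "action": action,  # seized / imaged / transferred / returned ...
                 "custodian": custodian, "item": item, "item_sha256": item_sha256,
                 "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def run_demo() -> dict:
    """Acquire, verify, log custody, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_drive.bin")  # stand-in for a raw device
        image = os.path.join(work, "CASE-0001-sdb.dd")
        with open(source, "wb") as f:  # constructed 'drive' contents
            f.write(b"MBR" + bytes(range(256)) * 800 + b"deleted memo fragment")

        log = CustodyLog("CASE-0001")
        log.record("seized", "J. Examiner", "suspect_drive", sha256_of_file(source))
        src_hash, img_hash = acquire_image(source, image)
        log.record("imaged", "J. Examiner", "CASE-0001-sdb.dd", img_hash)
        verified_before = src_hash == img_hash and verify_image(image, img_hash)
        log.record("transferred", "A. Analyst", "CASE-0001-sdb.dd", img_hash)

        with open(image, "r+b") as f:  # flip one bit in the working copy
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0x01]))
        verified_after_tamper = verify_image(image, img_hash)

        log_intact = log.verify()
        log.entries[1]["custodian"] = "someone else"  # retroactive edit of the record
        log_after_edit = log.verify()
    return {"source_hash": src_hash, "image_hash": img_hash,
            "verified_before": verified_before, "verified_after_tamper": verified_after_tamper,
            "log_intact": log_intact, "log_after_edit": log_after_edit}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the acquisition hash is written into the examiner's notes and the custody log at the time of imaging, and the image is re-hashed whenever it changes hands or before it is presented; the hash-linked log here is an illustration of how a custody record can be made tamper-evident, not a substitute for the signed paper or case-management records a court expects.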