At a basic level, computer forensics is the analysis of information contained within and created with computer systems and computing devices, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved.

This can be for the purpose of performing a root cause analysis of a computer system that had failed or is not operating properly, or to find out who is responsible for misuse of computer systems, or perhaps who committed a crime using a computer system or against a computer system. This being said, computer forensic techniques and methodologies are commonly used for conducting computing investigations - again, in the interest of figuring out what happened, when it happened, how it happened, and who was involved.

Think about a murder case or a case of financial fraud. What do the investigators involved in these cases need to ascertain? What happened, when did it happen, how did it happen, and who was involved.

In many cases, information is gathered during a computer forensics investigation that is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the space allocated for existing files - known by computer forensic practitioners as slack space. Special skills and tools are needed to obtain this type of information or evidence. Think of a case where the specific firearm that fired a bullet needs to be identified. This information could not be readily ascertained by just any member of law enforcement, so ballistics professional with special skills and tools is needed.

The more technical definition we use at CyberSecurity Institute to describe computer forensics or forensic computing in the vein of computer crime or computer misuse is as follows:

The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.

Let's break this definition down.

Preservation
When performing a computer forensics analysis, we must do everything possible to preserve the original media and data. Typically this involves making a forensic image or forensic copy of the original media, and conducting our analysis on the copy versus the original.

Identification
In the initial phase, this has to do with identifying the possible containers of computer related evidence, such as hard drives, floppy disks, and log files to name a few. Understand that a computer or hard drive itself is not evidence - it is a possible container of evidence.

In the analysis phase, this has to do with identifying the information and data that is actually pertinent to the situation at hand. Sifting through Gigabytes of information, conducting keyword searches, looking through log files, etc.

Extraction
Any evidence found relevant to the situation at hand will need to be extracted from the working copy media and then typically saved to another form of media as well as printed out.

Interpretation
This is a biggie. Understand that just about anyone can perform a computer forensics "analysis." Some of the GUI tools available make it extremely easy. Being able to find evidence is one thing, the ability to properly interpret it is another story. Entire books could be written citing examples of when computer forensics experts misinterpreted their results of a forensic analysis . We'll cite one example.

The experts for the prosecution in a case used a popular GUI tool that came with a script for finding Internet search engine activity. When they ran the script, they found literally hundreds and hundreds of "searches" that supposedly had been conducted by the defendant. Therefore, the defendant had intentionally accessed certain types of information related to these searches - the searches showed intent.

When the experts for the defense examined the same evidence, they realized that each and every one of these "searches" was actually a hyperlink and not a search at all. The hyperlinks were formed in such a way that when a link was clicked, a database was searched to pull up the most current information related to the link. The way that the links within the page were formed was what the GUI tool honed in on, as they were formed similarly to fragments and Web pages that could be found to indicate search engine activity.

The experts for the prosecution took for granted that their automated tool was accounting for any variables, and would only show them searches that had actually been conducted. A big mistake. Theses experts lacked the technical skills to authenticate their results, so they depended entirely on a single automated tool.

This leads to a very important lesson. Results from any tool should always be thoroughly checked by someone versed in the underlying technology to see if what appears to be a duck is actually a duck.

In the very same case, the experts for the defense recovered reams of email that the prosecution experts did not find. This was due to the fact that the prosecution experts simply did not know how to find it.

It is interesting to note that both the experts for the defense and the prosecution used the same primary tool in their analysis. The differences in what was found by one side versus the other, as well as the differences in interpretation was due to the experience and education levels of the experts - it had nothing to do with the tool being used.

Documentation
Documentation needs to be kept from beginning to end, as soon as you become involved in a case. This includes what is commonly referred to as a chain of custody form, as well as documentation pertinent to what you do during your analysis. We cannot overemphasize the importance of documentation. When involved in a situation where you are conducting a computer forensics analysis, we recommend that you establish and keep the mindset that the case or situation is going to end up in court. This will go a long way in helping you to make sure that you are keeping the appropriate documentation. Take for granted that you will be questioned on every aspect of the case, and everything that you do.

Rules of Evidence
There are various tests that courts can apply to the methodology and testimony of an expert in order to determine admissibility, reliability, and relevancy. The particular test(s) used will vary from state to state and even from court to court within the same state. Commonly, you will hear about the Frye test and the Daubert test. You need to be aware of the Rules of Evidence for your locale and situation. Your best bet is to ask legal counsel about any Rules of Evidence that you need to be aware of pertinent to the situation, and familiarize yourself with this information early on.

We recommend that you find and read the Federal Rules of Evidence on the Internet, and conduct searches using the terms "daubert test" and "frye test" as keywords.

Legal Processes
This has to do with the processes and procedures for search warrants, depositions, hearings, trials, and discovery just to name a few.

This can also be related to processes relevant to your employer, as well as conducting computing investigations internally for your employer.

If you are conducting computing investigations for your employer, the best advice we can offer is to work as closely as possible with legal counsel and those in your Human Resources department before and during a computing investigation. You'll not know everything you need to know when you start working in this field - it is a learning process.

Integrity of Evidence
This has to do with keeping control over everything related to the case or situation. We are talking about establishing and keeping a chain of custody, as well as making sure that you do not alter or change the original media. As well, you cannot talk to other people about the case or situation specifics that are not involved.

Factual Reporting of the Information Found
Your findings and reports need to be based on proven techniques and methodology, and you as well as any other competent forensic examiner should be able to duplicate and reproduce the results.

Providing Expert Opinion
You may have to testify or relate your findings and opinions about your findings in a court of law or other type of legal or administrative proceeding.

Two Primary Types of Computer Forensics Investigations

Computer forensics techniques and methodology is used in two primary types of investigations. The first is when the computer(s) was/were used as an instrument to commit a crime or involved in some other type of misuse.

The second is when the computer is used as the target of a crime - hacked into and information stolen for example. When computer forensics techniques and methodology are used in this situation to figure out what happened, we typically call this incident response.

In the first type of investigation, you may or may not be present when the computing device is shut down to begin an investigation. You may have hard drives and other media delivered to you to analyze.

In the second type of investigation, you will typically always want to capture information that is extremely volatile, such as information contained in RAM concerning network connections and running processes.

Regardless of the situation, and whether the evidence will be used in a court of law or as the grounds for a letter of reprimand, the techniques, procedures, and methodologies used should be largely the same.

What starts out as a letter of reprimand given to an employee for misusing company computing resources, may end up as a lawsuit against the employer.

What starts out as an investigation concerning Internet access at odd times may reveal that child pornography was accessed.

It is for the above reasons that we must use sound and proven techniques for any work performed related to computer forensics, and always approach a situation as if we will end up in a court of law or possibly be handing the case over to law enforcement.

Active, Archival, and Latent Data

In computer forensics, there are three types of data that we are concerned with - active, archival, and latent.

Active data is the information that you and I can see. Data files, programs, and files used by the operating system. This is the easiest type of data to obtain.

Archival data is data that has been backed up and stored. This could consist of backup tapes, CD's, floppies, or entire hard drives to cite a few examples.

Latent (also called ambient) data is the information that one typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten.

A computer investigation could entail looking at one or more of these data types depending on the circumstances. Obtaining latent data is by far the most time consuming and costly.

Public Sector, Private Sector, and Consulting

There are three primary areas that you will find computer forensics used. Public sector, private sector, and consulting.

Public Sector

Computer forensics is used in the public sector by government and law enforcement personnel to investigate and prosecute crimes. Criminals are using computer technology when committing "traditional" crimes such as homicide, rape, fraud, and auto theft to name a few. They are also using computer technology to commit crimes that would not be possible without computing devices, such as breaking into a networked system and stealing or altering data, posting child pornography to a newsgroup, or harassing someone via email.

Computers can be the target of a crime (your computer system is attacked over the Internet), the tool in the commission of a crime, (sending and receiving child pornography), or as incidental to a crime (keeping records concerning the houses you've burgled). When computing devices are used in committing crimes, you'll often hear the term "Cybercrime" used. Although the word "Cyber" does get peoples attention, it is often misused - Cyber typically denotes being online. You are not in "CyberSpace" just by turning your computer on.

At any rate, government and law enforcement use of computer forensics is increasing, as more and more criminals are using computing technology. Computer evidence is used by Prosecutors everyday to aid in convicting criminals involved in fraud, murder, drug trafficking, child pornography, embezzlement, and terrorism.

Private Sector

In the private sector, computer forensic techniques and methodologies are used to investigate electronic break-ins, embezzlement, improper use of computing resources by employees, and theft of trade secrets among other things.

Those in the insurance business may use information retrieved from computer systems to identify fraud in workman's compensation, automobile or personal accident cases, or arson. I'm aware of a few cases were emails were sent outlining plans to fake back injuries and other ailments in order to receive money from insurance. These emails were used to convict those making the false claims.

Consulting

The majority of work that I perform in regards to computer forensics is not as an employee of a law enforcement agency or company; it is for individuals or law firms as a consultant. Some may argue that working for a law firm should be in the private sector category, as law firms are companies and corporations, and I do agree to a certain extent. I believe however that the type of work that I (and countless others like me) perform in the area of computer forensics needs it's own category due to the uniqueness of the work performed.

Four Possibilities

As an educator, I come into contact with countless students who want to get into computer forensics.

As I tell my students, there are basically four possibilities.

1. Get into law enforcement, the FBI, CIA, or other investigative agency. The reality is, members of law enforcement and government investigative agencies typically do their own computer forensics work.

2. Get into the information security or computing investigations department of a private company.

3. Work for a company that specializes in computer forensics and/or electronic discovery.

4. Start your own business providing computer forensic services and consulting. It is in this area that I believe most of the opportunity exists. Attorneys regularly need the services of computing professionals with computer forensic skills to aid in litigation, and there are also individuals that need the services of someone skilled in computer forensics for personal and civil matters. There is now, and will continue to be, an infinite demand for computer forensics experts.

To better explain what I'm saying here, I'll cite some examples of cases where some of my colleagues and I have used computer forensics techniques and methodologies, in the capacity of a consultant.

Medical Malpractice
In a medical malpractice/wrongful death suit, a computer was examined to extract evidence relevant to the decedents part time business. The information recovered was used to determine how much the decedent would have made had they lived another thirty or so years, and helped to determine the settlement amount for the surviving spouse.

Spying Spouse
A recently divorced woman was being harassed by her former spouse. She was being told that he could see everything that she was doing while her computer was turned on. An investigation was conducted of her hard drive contents, and her computer was monitored for several weeks. The findings were that nothing out of the ordinary was happening, or had taken place in the past with the computer.

Finding a Will
In this case, a decedents computer was examined to determine if there was any information relevant to a will. The decedent was a cryptologist, and many files had to "cracked" as they were encrypted. Information was recovered that helped settle the decedents estate.

Troubled Teen
A parent wanted to know what their son was doing online. The investigation showed that their son was frequenting sites on making bombs, and was also planning to make one. The son confessed to this and was given help to deal with a situation at school that was causing pent up anger that he could not deal with on his own.

Is it Just About What's On The Computer?

Evidence gleaned from a forensic investigation and examination is not limited to what is found or extracted from magnetic media such as hard drives, floppy drives, and tapes.

Evidence can be in the form of visual output on a computer monitor, printouts, passwords written down, notes made in computer or software manuals, or logs from systems external to the subject computer itself, such as proxy servers of firewalls. The computer forensics practitioner that limits themselves to looking at only the magnetic media on the subject computer will be missing important clues.

A computer forensics practitioner must always remember that there might be, and probably is, evidence related to the situation that is external to the computer itself. In some situations this external evidence could not only make or break the case, it might even be the best evidence that you can obtain.

In a case I was involved in regarding alleged access to pornographic Websites, my retaining attorney was questioning the expert for the opposition concerning the proxy and firewall logs that were pertinent to the case.

The expert was unable to answer the questions, and admitted not much experience in this area. I remember asking myself what is he doing representing them? The expert for the opposition had years of experience working with evidence from personal computers.

The problem here was that he had focused his investigation solely on what was found on the subject computer itself, and had totally ignored other sources of information that could have helped his client to prove their case. In short, he had done a poor job of preparing himself and his retaining counsel concerning the aspects of the case, and the types of questions that might be asked. A computer forensic practitioner needs to always look at the big picture, and obtain and examine all evidence that may be relevant. If they find an aspect of their case that they are unfamiliar with, they need to seek assistance.

In Closing

The information contained in this document covers the basics, and really doesn't do full justice to all facets of computer forensics. I hope however that you have a better understanding of what computer forensics entails. Feel free to contact me If I can be of assistance, or if you have specific questions.

Steve Hailey