What is computer forensics?
Computer forensics is the process of preserving, collecting, confirming, identifying, analyzing, recording, and presenting evidence data stored or encoded in a computer. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened in a computer security incident and who was responsible.
Computer forensics investigators follow a defined process when examining digital evidence. This process ensures the evidence integrity is preserved so it can be presented in a court or other legal proceedings. The basic steps in a computer forensic examination include:
- Identify potential sources of digital evidence
- Preserve the state of the digital evidence
- Collect the evidence while maintaining integrity
- Examine the data without modifying the evidence
- Analyze the results
- Report the findings
- Present the digital evidence in court if required
Examinations are performed on data at rest on devices such as hard drives, flash drives, CDs/DVDs and mobile devices, or on data in live memory. Investigators can also analyze data in transit over a network.
Why is a forensic computer examination performed?
There are several reasons an organization or individual may require a forensic examination of computers or digital media:
- Investigate security policy breaches within an organization
- Gather evidence in criminal investigations
- Determine the root cause of malware infections
- Discover the source of data breaches
- Track access to confidential corporate data
- Recover lost or deleted data
- Support insurance claims
- Settle intellectual property theft claims
Who performs computer forensics?
Computer forensics is performed by trained forensics specialists. They typically have backgrounds in IT, criminal justice or law enforcement. Forensics specialists require extensive training to acquire the specialized skills needed for evidence recovery and analysis. Certifications like the Computer Hacking Forensic Investigator (CHFI) from EC-Council validate a forensics specialist’s skills.
What are the steps in a computer forensic examination?
There are several phases in a structured computer forensic examination:
Planning
The forensic specialist meets with legal counsel or leadership to define the objective and scope of the examination based on the specifics of the case.
Evidence collection
The investigator identifies sources of potential evidence like computers, drives, mobile devices, network logs or archives. They isolate and document the systems to ensure the data is preserved in its original state.
Evidence acquisition
The specialist makes a forensic copy or image of the data storage media to preserve the evidence. The copy is a bit-stream image that is identical to the original data.
Evidence examination
The investigator thoroughly examines the forensic image of the data storage media without modifying the evidence. They recover files including deleted content and extract metadata embedded in documents.
Data analysis
Recovered data is carefully analyzed using timeline analysis, data visualization, and other techniques to determine how events occurred.
Reporting
Detailed reports document the procedures used during the investigation, list findings, and draw conclusions based on the evidence.
Evidence presentation
The forensic specialist presents the evidence and findings in court or legal proceedings if required. They explain how they recovered and examined the data.
What are the steps for collecting digital evidence?
Proper evidence collection and preservation is crucial to ensure evidence integrity. The general process includes:
- Document the devices and media to be acquired. Include make, model and serial numbers.
- Photograph or video record the scene and equipment.
- Isolate systems to avoid contamination or damage to evidence.
- Use write protection like hardware switches or cables.
- Collect evidence like hard drives, SSDs, CD-Rs, flash drives or printouts.
- Label evidence appropriately indicating case identifiers.
- Document each step taken during the evidence acquisition process.
- Store evidence securely to avoid tampering or damage.
- Maintain a chain of custody record listing who handled evidence.
- Calculate and record hashes like MD5 or SHA-1 of the source media before acquiring data.
- Acquire data using an accepted imaging process.
- Calculate the hashes again after imaging and compare them to confirm the image matches the source.
Proper procedures demonstrate the evidence was not altered during collection and examination.
How is a forensic image or copy of data created?
Forensics specialists use imaging tools to make an exact, bit-for-bit copy of a drive or device. This imaging process captures all data on the device including:
- Files
- Folders
- Deleted content
- Unallocated space
- Slack space
- Hibernation files
- File metadata
Software tools use mathematical algorithms to calculate hash values on the original evidence. Hashes like MD5, SHA-1 or SHA-256 generate a fingerprint for the data. After imaging, hashes are calculated again to demonstrate the copy is identical to the original.
Hardware imagers can also create forensic copies by duplicating drives bit-for-bit at the physical layer. Common forensic imaging tools include:
- FTK Imager
- X-Ways Forensics
- EnCase
- Oxygen Forensic Detective
The forensic image is processed, analyzed and stored to preserve the integrity of the evidence data.
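The hash-before, copy, hash-after sequence from the collection checklist and the imaging description above, as an added example (not code from the original page or from any of the tools it lists). It stands in for an imaging tool with a plain byte-for-byte copy, records both fingerprints in an acquisition record, and then corrupts one byte of the image to show how the recorded hash exposes the change; the examiner name and case id are placeholders and the source media is constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so media larger than RAM is handled

def stream_hashes(path):
    """Return MD5 and SHA-256 fingerprints of a file, computed in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def acquire(source, image, examiner, case_id):
    """Hash the source, copy it byte for byte, hash the copy, and return an
    acquisition record whose 'verified' flag is True only if both hashes agree."""
    before = stream_hashes(source)                      # fingerprint the original first
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)                            # raw byte copy, no interpretation
    after = stream_hashes(image)                        # fingerprint the image
    return {
        "case_id": case_id, "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source, "image": image,
        "source_hashes": before, "image_hashes": after,
        "verified": before == after,
    }

def run_demo():
    """Acquire a constructed 3 MiB 'drive', then flip one byte of the image and
    rehash it to show that the recorded fingerprint exposes the alteration."""
    workdir = tempfile.mkdtemp()
    src, img = os.path.join(workdir, "evidence.bin"), os.path.join(workdir, "evidence.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))             # constructed sample media
    record = acquire(src, img, "J. Doe", "CASE-0001")   # placeholder examiner / case id
    with open(img, "r+b") as f:                         # simulate tampering with the image
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0xFF]))
    still_matches = stream_hashes(img) == record["source_hashes"]
    return record, still_matches

if __name__ == "__main__":
    print(run_demo())
```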
What types of data can be recovered in a forensic examination?
Many types of files and content can be recovered during an examination including:
- Documents
- Photos
- Video and audio files
- Email messages
- Internet history
- Operating system artifacts
- Application data
- Hidden and deleted files
- Encrypted or compressed data
- Databases
- Network traffic and logs
- Mobile app data
- Memory snapshots
With the right tools and techniques, forensics specialists can recover extensive information during examinations.
What types of deleted data can be recovered?
Extensive deleted data can often be recovered from a drive unless it has been completely overwritten. Common recoverable data includes:
- Individual files deleted from file systems
- Data from formatted partitions or wiped drives
- Information within slack space
- Data from operating system swap files or caches
- Information within file system metadata
- Data from file fragments and directories
- Remnants of temporary or working files
- Content deleted from mobile apps
- Web browser cache or history
- Email messages or attachments
- Database entries and records
Specialized forensic tools allow retrieval of data unless completely overwritten by new content multiple times.
What types of metadata are collected in a forensic examination?
Metadata provides extensive information that can be crucial for investigations. Common metadata recovered includes:
- File system timestamps like modification, access, creation times
- Ownership, permissions, and access control lists
- File hashes used to identify content
- Digital camera metadata like GPS coordinates or time
- Document metadata like title, author, or revisions
- Media metadata like codec, length, or compression
- Operating system and application metadata
- Network device metadata like IP addresses or MAC addresses
- Database schemas, relationships and transactions
Timeline analysis using metadata can recreate the sequence of events during an incident.
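Timeline analysis from file system timestamps, as an added example (not from the original page or any named tool): it walks an evidence tree, emits one M/A/C event per timestamp in the style of a mactime body file, and narrows the result to an incident window. The directory tree, file names and timestamps are constructed so the ordering is deterministic.

```python
import os
import tempfile
from datetime import datetime, timezone

def build_timeline(root):
    """Walk root and return [(utc_time, flag, relative_path)] sorted by time.
    Flags: M = content modified, A = last accessed, C = metadata (inode) change
    on POSIX or creation time on Windows. Each file yields up to three events,
    which is the same idea as a mactime-style body file."""
    events = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                  # lstat: never follow symlinks on evidence
            for flag, ts in (("M", st.st_mtime), ("A", st.st_atime), ("C", st.st_ctime)):
                events.append((datetime.fromtimestamp(ts, timezone.utc), flag,
                               os.path.relpath(path, root)))
    return sorted(events)

def events_between(timeline, start_iso, end_iso):
    """Narrow a timeline to the incident window given as ISO 8601 strings."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [e for e in timeline if start <= e[0] <= end]

def build_sample_tree():
    """Constructed evidence tree: three files whose A and M times are set
    explicitly so the ordering is deterministic (C time is set by the OS now)."""
    root = tempfile.mkdtemp()
    base = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc).timestamp()
    for name, offset in (("notes.txt", 0), ("payroll.xlsx", 600), ("report.pdf", 1200)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write(f"constructed content of {name}\n")
        os.utime(path, (base + offset, base + offset))  # (atime, mtime) in seconds
    return root

if __name__ == "__main__":
    for when, flag, path in build_timeline(build_sample_tree()):
        print(when.isoformat(), flag, path)
```

Because the C timestamp cannot be set from user space, it reflects when the sample tree was created, which is exactly why examiners treat it as a stronger indicator of tampering than M or A.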
What tools are used in a computer forensic examination?
Forensic specialists use extensive toolsets during examinations including:
- Forensic collection tools like FTK Imager, EnCase or dd
- Forensic analysis tools like EnCase, X-Ways Forensics or Autopsy
- File viewers for documents, media, databases
- Password crackers for encrypted or locked data
- Network sniffers and protocol analyzers
- Steganography detection tools
- Malware detection and extraction tools
- File carving tools for recovering deleted data
- Mobile forensic tools for smartphones and tablets
- Decryption tools for encrypted drives or containers
- Data visualization tools for timelines and relationships
Specialized tools automate many processing and analysis tasks during complex examinations.
What types of data analysis are performed?
Forensic specialists use a variety of analysis techniques to uncover clues including:
- Timeline analysis – Uses file metadata like modified times to recreate sequences.
- Data carving – Searches raw data for patterns indicating files.
- String searching – Looks for text strings relating to crimes.
- Metadata analysis – Extracts metadata for files, logs and devices.
- Data mining – Identifies connections using statistics and algorithms.
- File decoding – Decodes unknown file formats into human readable data.
- Malware analysis – Studies malware code, extracts artifacts, or reverses functionality.
- Network analysis – Reviews intrusion detection logs for anomalies or exploits.
- Pattern matching – Identifies common patterns that may indicate intrusion tools.
Using multiple analysis techniques builds a more complete picture of user and application activities.
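The data carving technique listed above, as an added example (not code from the original page or from any carving tool it names): a signature-based carver that scans raw bytes for header/footer pairs, ignoring the file system entirely, which is what lets it recover files whose directory entries have been deleted. The signature table covers JPEG and PNG, and the raw data blob is constructed with the two images at known offsets plus a truncated fragment that must be skipped.

```python
# Header/footer magic for two common image formats (constructed demo table).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 16 * 1024 * 1024  # stop looking for a footer after 16 MiB

def carve(blob, signatures=SIGNATURES):
    """Return [(kind, offset, data)] for every header/footer pair found in blob,
    ordered by offset. Carving reads raw bytes and ignores the file system, which
    is what lets it recover files whose directory entries are gone. A real
    carver also validates structure (e.g. JPEG segment lengths) because a
    footer pattern can occur inside embedded thumbnails or random data."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = blob.find(header)
        while pos != -1:
            end = blob.find(footer, pos + len(header), pos + MAX_CARVE)
            if end == -1:
                break                                   # truncated: footer never seen
            end += len(footer)
            found.append((kind, pos, blob[pos:end]))
            pos = blob.find(header, end)                # resume after this object
    return sorted(found, key=lambda hit: hit[1])

def build_sample_blob():
    """Constructed raw data: printable filler with a JPEG and a PNG embedded at
    known offsets, plus a truncated JPEG (header but no footer) at the end that
    must be skipped. The filler deliberately contains none of the magic bytes."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 300 + b"\xff\xd9"           # 306 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 200 + b"IEND\xaeB`\x82"      # 216 bytes
    filler = bytes(range(32, 127)) * 8                              # 760 bytes
    return filler + jpeg + filler[:100] + png + filler + b"\xff\xd8\xff" + b"x" * 50

if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_blob()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```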
How can encrypted data be examined?
Encrypted data poses challenges for investigators and multiple options exist for examination:
- Obtain encryption keys or passwords to decrypt the data.
- Use brute force tools to attempt to crack weak passwords.
- Exploit software vulnerabilities to extract encryption keys.
- Recover decrypted versions of content in memory snapshots.
- Identify artifacts like encryption metadata or key files.
Where the data owner cooperates, obtaining the encryption passphrase from them is often the simplest approach.
How are results documented in a forensic report?
The forensic examiner documents findings in a formal report containing:
- An executive summary of high-level conclusions.
- Description of the evidence examined and tools used.
- Explanation of analysis performed on the data.
- Details on files, data and artifacts recovered.
- A timeline of user or application activity.
- Supporting imagery including screen captures, network diagrams or visualizations.
- Case numbers, evidence tags or descriptions, and chain of custody.
Reports require extensive details so other examiners can understand processes and validate results.
How is evidence presented in legal proceedings?
If a case proceeds to trial, the forensics specialist serves as an expert witness presenting and explaining results including:
- Qualifications establishing investigator expertise and credibility.
- Processes followed to acquire, preserve and examine evidence.
- Tools and techniques used during the examination and analysis.
- Terminology describing technical concepts simply.
- Findings extracted from the compromised systems.
- Supporting reports, visualizations and log files.
- Opinions on how conclusions were reached.
Lawyers or judges may question methods and interpretations and ask for additional details.
Conclusion
Performing a forensic computer examination involves specialized procedures and tools to acquire, preserve, extract and interpret digital evidence. Trained forensics specialists carefully recover artifacts, metadata, deleted files and hidden information tracing user or application actions. Findings allow reconstructing incidents like data breaches or insider threats. When conveyed through reports and testimony, forensic results provide compelling evidence for legal proceedings or HR investigations.