Elements of Computer Forensics
In comparison to other forensic sciences, the field of computer forensics is relatively new. Unfortunately, many people do not understand what the term computer forensics means and what techniques are involved. In particular, there is a lack of clarity regarding the difference between data extraction and data analysis. There is also confusion about how these two operations fit into the forensic process.
Computer forensics means the use of scientifically derived and proven methods for the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources to facilitate or further the reconstruction of events found to be criminal.
The three steps of computer forensics are identification, preservation, and analysis.
Identification
Examiners repeat the identification process for each item on the extracted data list. They begin by determining the type of item. If it is unrelated to the forensic request, they simply mark it as processed and proceed. If an examiner discovers an item that is incriminating but outside the scope of the original search warrant, it is recommended that the examiner immediately stop all activity, notify the appropriate individuals, including the requester, and wait for further instructions, just as in a physical search.
For example, law enforcement may seize a computer in search of evidence of tax fraud, but the examiner may discover child pornography. After discovering evidence outside the scope of a warrant, the most prudent course of action is to halt the search and seek to expand the warrant’s authority or obtain a second warrant.
Preservation
Examiners begin by determining whether there is sufficient information to proceed. They ensure that a clear request is in hand and that there is enough data to attempt to respond to it. If something is missing, they work with the requester to find it. Otherwise, they will proceed with the process setup.
The first step in any forensic process is to validate all hardware and software to ensure proper operation. The forensics community is still divided on how frequently software and equipment should be tested. Most people agree that organizations should validate every piece of software and hardware after purchasing it and before using it. They should also retest following any updates, patches, or reconfiguration.
Analysis
Examiners connect the dots and paint a complete picture for the requester during the analysis phase. Examiners respond to questions such as who, what, when, where, and how for each item on the relevant data list. They attempt to explain which user or application created, edited, received, or sent each item, as well as how it came to be. Examiners also describe where they discovered it. Most importantly, they explain why all of this information is important and what it means in the context of the case.
Examiners can frequently produce the most valuable analysis by looking at when events occurred and creating a timeline that tells a coherent story. Examiners attempt to explain when each relevant item was created, accessed, modified, received, sent, viewed, deleted, and launched. They observe and explain a series of events, noting which events occurred concurrently.
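The timeline step described above, as an added example that is not part of the original article: it flattens per-item timestamps into one chronological event list and clusters events that occurred close together. The item names and timestamps are constructed, the timestamps are assumed to be already normalized to UTC, and the 60-second window used for "concurrent" is an assumption an examiner would tune per case.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real case): one entry per item on
# the relevant data list, with the timestamps recovered for it (assumed UTC).
ITEMS = [
    {"item": "invoice_2019.xlsx", "created": "2019-03-01T09:14:05",
     "modified": "2019-03-04T17:42:10", "accessed": "2019-03-04T17:42:10"},
    {"item": "ledger_backup.zip", "created": "2019-03-04T17:42:40",
     "modified": "2019-03-04T17:42:40"},
    {"item": "cleaner.exe", "created": "2019-03-04T17:43:02",
     "launched": "2019-03-04T17:50:30"},
    {"item": "invoice_2019.xlsx.bak", "deleted": "2019-03-04T17:50:45"},
]

# The event types the analysis phase tries to date for each item.
ACTIONS = ("created", "accessed", "modified", "received",
           "sent", "viewed", "deleted", "launched")

def build_timeline(items):
    """Flatten per-item timestamps into one chronologically sorted event list."""
    events = []
    for rec in items:
        for action in ACTIONS:
            if action in rec:
                when = datetime.fromisoformat(rec[action])
                events.append((when, action, rec["item"]))
    return sorted(events)

def group_concurrent(events, window=timedelta(seconds=60)):
    """Cluster events whose gap to the previous event is within `window`."""
    groups = []
    for ev in events:
        if groups and ev[0] - groups[-1][-1][0] <= window:
            groups[-1].append(ev)   # close enough to the previous event
        else:
            groups.append([ev])     # gap too large: start a new cluster
    return groups

if __name__ == "__main__":
    for n, group in enumerate(group_concurrent(build_timeline(ITEMS)), 1):
        print(f"--- cluster {n} ---")
        for ts, action, item in group:
            print(f"{ts.isoformat()}  {action:<9} {item}")
```

Each cluster is a candidate "series of events" for the examiner to explain; the clustering only orders and groups the evidence, it does not interpret it.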
Final Thoughts
Examiners and requesters must consider the return on investment as they go through this process. The steps of the process may be repeated several times during an examination. Everyone involved in the case must decide when to call it a day. The value of additional identification and analysis diminishes once the evidence obtained is sufficient for prosecution.