Identification in computer forensics. The first step is to conduct a physical inventory of the items that need to be subjected to computer forensic analysis. After identifying individuals who may be involved in a fraud, a visual inspection around their desk or office for evidence of items holding digital clues is conducted.
Sync cables for cell phones or PDAs, USB drives, CD-ROMs, external hard drives, extra power cords without a device attached and Digital music players (these can hold large amounts of data), Infrared devices, or adapters, Wireless Internet access cards are all type of devices that can be identified.
Identification In Computer Forensics
Examiners repeat the identification process for each item on the extracted data list. They begin by determining the type of item. If it is unrelated to the forensic request, they simply mark it as processed and proceed. If an examiner discovers an item that is incriminating but outside the scope of the original search warrant, it is recommended that the examiner immediately stop all activity, notify the appropriate individuals, including the requester, and wait for further instructions, just as in a physical search.
For example, law enforcement may seize a computer in search of evidence of tax fraud, but the examiner may discover child pornography. After discovering evidence outside the scope of a warrant, the most prudent course of action is to halt the search and seek to expand the warrant’s authority or obtain a second warrant.
Examiners document items that are relevant to the forensic request on a third list, the relevant data list. This list contains information pertinent to answering the original forensic request. In an identity theft case, for example, relevant data could include, among other things, social security numbers, images of false identification, or e-mails discussing identity theft. It’s also possible that an item will generate another search lead. An email could reveal that a target was using a different alias. This results in a new keyword search for the new nickname. The examiners would go back and add that lead to the search lead list so they would remember to thoroughly investigate it.
An item can also point to an entirely new potential data source. Examiners, for example, may discover a new e-mail account that the target was using. Following this discovery, law enforcement may wish to obtain a subpoena for the contents of the new e-mail account. Examiners may also discover evidence indicating that the target stored files on a removable universal serial bus (USB) drive, which law enforcement did not discover during the initial search. In these circumstances, law enforcement may consider obtaining a new search warrant in order to locate the USB drive. A forensic examination can reveal a wide range of new evidence.
Examiners return to any new leads developed after processing the extracted data list. Examiners should consider returning to the extraction step to process any new data search leads. Similarly, when confronted with a new source of data that could lead to new evidence, examiners consider going all the way back to the process of acquiring and imaging that new forensic data.
Final Thoughts
Examiners should inform the requester of their preliminary findings at this point in the process. It’s also a good time for examiners and the requester to talk about what they think the return on investment will be for following up on new leads.
Depending on the stage of a case, extracted and identified relevant data may provide the requester with sufficient information to move the case forward, and examiners may not need to do any additional work. In a child pornography case, for example, if an examiner recovers a large number of child pornography images organized in user-created directories, a prosecutor may be able to secure a guilty plea without any further forensic analysis.