
Uses of Computer Forensics

Updated on February 19, 2014

Kristi graduated from the University of Kansas with a degree in Human Development and Developmental Psychopathology of Children.


© copyright ALL RIGHTS RESERVED 2012

Personal Storage Devices

Catching A Cyber Criminal

The vocation of cyber forensics encompasses many different duties. Defined in the most basic manner, computer forensics is the analysis of information that has been created and stored within a computer system, in the interest of solving any alleged criminal activity that may have occurred through the use of the specific apparatus being analyzed. Probable cause allows the apparatus to be taken into custody if an officer or trained person of reasonable caution believes that a crime has been, is being, or is about to be committed.

Forensic data is not the type of information that is readily available, contrary to what you see on LA LAW and CSI. Hollywood makes criminal forensics seem very futuristic and glamorous with lasers and innovative machinery. In Hollywood they perform the most amazing tests and within seconds - voila! Crime solved! Unfortunately, it often takes hours of tedious research to find the real answers.

Digital Forensics: Portable Tableau

Cyber Growth

Forensics investigations are most often used to refute or support a supposition during civil, criminal and corporate litigation. Digital forensics may also be used in the private sector by companies who are undergoing internal investigations into unauthorized technical and network transgressions.

The specialized aspect of an investigation is sub-categorized into four main areas: computer forensics, network forensics, database forensics and mobile device forensics. The actual physical process includes obtaining evidence, forensic imaging, analysis and reporting of evidence.

Ram Memory Drive

DIGITAL FORENSIC TOOLS

  • IMDUMP
  • SafeBack
  • DIBS
  • EnCase
  • FTK
  • WindowsSCOPE
  • XRY
  • Radio Tactics Aceso

History

The earliest known uses of computer forensics go back to as early as 1970. US military and intelligence agencies employed computer forensic techniques in counterintelligence measures; however, the specific details are classified.

Before 1980, crimes that involved digital evidence were handled under existing laws. The next ten years saw an eruption of crimes being committed using digital technology. Legislation was passed to deal with the issues of copyright, privacy, harassment, cyber bullying, cyberstalking, online predators and child pornography. The US Federal Computer Fraud and Abuse Act was passed in 1986.

It wasn't until 1992 that the United States recognized computer forensics as a necessary and legitimate discipline in criminal investigation, though it had been used informally before then and not for criminal or civil litigation purposes. The new challenge became developing standards for the seizure, preservation and analysis of evidence by trained experts, to ensure that all evidence is factually based on the expert's own knowledge, that all testimony given is the product of reliable methods and processes, and that the witness applies those methods and processes reliably to the facts of the case.

The Patriot Act signed by President Bush in 2001 (2.5.3.1) included efforts to eradicate terrorism through the use of cyber forensics. Section 814 specifically addresses cyber terrorism.

Cryptographic Hash Functions

SHA-1 is a secure hash algorithm designed by the NSA (National Security Agency).

MD5 is a secure hash algorithm that is also used. Its more conservative design came from MIT (Massachusetts Institute of Technology).

Forensic Process

  • The first stage of the forensic process is to acquire a forensic duplicate of the media or intelligence, often using a device which prevents any alteration of the original (a write blocker). Both the original and the duplicate are "hashed" and the values are then compared to ensure the replica is accurate and exact.
  • Once the investigator has acquired evidentiary material they will need to begin analysis using many techniques and devices. Evidence may be apparent but may have gaps which the forensic detectives must fill using their forensic processes. The procedure may involve conducting keyword searches within files or slack space (the unused space in a disk cluster), recovering deleted files and extracting registry information such as user accounts or attached USB devices. The evidence is then used for reconstruction purposes and finally put into a written report.
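The hash check in the first stage, as an added example that is not code from the original article: both streams are digested in a single chunked pass with MD5 and SHA-1, and the duplicate is accepted only if every digest matches. The media bytes are constructed here to stand in for the write-blocked source device and the image file.

```python
"""Verify a forensic duplicate against its original by comparing hash values."""
import hashlib
import io
from typing import BinaryIO, Dict, Tuple

CHUNK_SIZE = 64 * 1024  # stream in chunks so multi-gigabyte images never sit in memory


def hash_stream(stream: BinaryIO, algorithms=("md5", "sha1")) -> Dict[str, str]:
    """Compute every requested digest in one pass over the stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_duplicate(original: bytes, duplicate: bytes) -> Tuple[bool, Dict[str, str], Dict[str, str]]:
    """Hash original and duplicate; the copy passes only if all digests agree.

    Returns (match, original_hashes, duplicate_hashes) so both sets of values
    can be written into the acquisition report.
    """
    orig = hash_stream(io.BytesIO(original))
    dup = hash_stream(io.BytesIO(duplicate))
    return orig == dup, orig, dup


# Constructed sample "media": a fake partition header followed by filler bytes.
ORIGINAL_MEDIA = b"FAKEFS\x00\x01" + bytes(range(256)) * 8
EXACT_DUPLICATE = bytes(ORIGINAL_MEDIA)
# A copy with a single byte altered deep inside, as a faulty imager or an
# accidental write to the evidence might leave it.
TAMPERED_DUPLICATE = ORIGINAL_MEDIA[:300] + b"\xff" + ORIGINAL_MEDIA[301:]

if __name__ == "__main__":
    for label, copy in (("exact", EXACT_DUPLICATE), ("tampered", TAMPERED_DUPLICATE)):
        ok, orig, dup = verify_duplicate(ORIGINAL_MEDIA, copy)
        print(f"{label}: {'MATCH' if ok else 'MISMATCH'}")
        for name in orig:
            print(f"  {name}: original {orig[name]}  duplicate {dup[name]}")
```

A mismatch on either digest means the duplicate cannot be relied on and the acquisition must be repeated before any analysis starts.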

LIMITATIONS

One considerable limitation is encryption, which disrupts examination: evidence may be stored but is inaccessible without the key. Laws compelling the disclosure of encryption keys are in their earliest phases and are still controversial.

Application

Computer forensics is most commonly known in criminal law but also has applications in private investigation and corporate investigation. Outside of the criminal realm, computer forensics is commonly used to investigate unauthorized network intrusions or to identify a network attack or hacker.

The primary focus of computer forensics is to recover evidence of criminal activity, the actus reus in legal parlance. There is also an assortment of data within digital devices that is beneficial to other areas of inquiry.

  1. Attribution: Metadata can be used to attribute specific actions to an individual.
  2. Alibis and Statements: Information provided may be checked against digital evidence such as mobile phone statements for date and time stamp proofing.
  3. Intent: Objective evidence is data that can be used to prove mens rea (intent), for example if the internet history shows incriminating search terms such as "How to poison with arsenic" or "How to kill people".
  4. Evaluation of Source: File artifacts and metadata can be used to determine where the data was generated. They identify whether the file was created on the computer being evaluated or came from another source. The problem with source evaluation is that file dates can be affected by simply changing the computer's clock. This has been highly debated at trial. Fortunately, in nearly all cases it is not a strong enough argument to have the evidence excluded.

Result of Failed Data Recovery

Types of Forensic Data

  • Active Data is the information that we can see such as files, programs and anything that would be used by the operating system. It is the easiest type of information to obtain.
  • Archival Data is data that has been backed up and stored on CDs, disks, back-up tapes or entire hard drives. This information requires a bit more work and know-how to retrieve.
  • Latent Data is the material that requires specialized equipment to access such as information that has been deleted or partially overwritten. Latent data is the most difficult and time consuming type of information to collect.
  • When collecting data for forensic purposes it is important that devices are collected and information is harvested as early as possible, in order to prevent information from being degraded or destroyed.

Common Mistakes

  • Using your own internal IT Staff to conduct a computer forensic investigation.

If your staff is not trained on evidentiary procedures and if they do not follow the chain of custody and all accepted evidence techniques, any information collected may not be recognized in a court of law.

  • Waiting until the last minute to perform a computer forensics exam.

Computer forensics depends largely on the ability to authenticate information. The data is considered extremely delicate and degrades very easily. The longer this type of evidence is allowed to corrupt, the more difficult and costly it will be to recover. In computer forensic analysis the rule of thumb is that if there is even a negligible chance that forensic evidence will be necessary, analysis and imaging should be done immediately.

  • Limiting the scope of analysis.

You may want to limit the cost of your analysis; however, it's impossible to know in advance which system or systems have been attacked or which contain evidence. Additionally, the examiners will not know where to look for evidence and will need to do a complete scan of all data and systems.

  • You're not prepared to safeguard digital evidence.

Regardless of the size of your company, you should, at all times, be prepared to secure electronic and digital evidence. Your employees should know and properly follow the correct file deletion laws. Additionally, many corporations overwrite their own backup tapes. Recently a company was fined 1,000,000 for that very practice. Ooops! They quickly hired an IT team that worked with their new legal team, and together they were able to put a new preservation order in place.

  • Selecting a sub-standard forensic organization

Do your homework and make sure that your forensic analysis provider is capable and qualified. They must be certified computer forensic investigators and must use tools that are acceptable for the environment and which collect data that is recognized as evidence. They must have the ability to serve as an expert witness and be a trusted advisor. They must follow accepted protocols and be able to handle different systems and hardware. They must be able to handle a variety of forensic collection and analysis situations. They must provide references and comply with Department of Justice practices in their lab.

Comments


    • CJ Baker (spartucusjones), 4 years ago from Parts Unknown

      Very comprehensive and well explained hub! Definitely a more accurate portrayal of computer forensics than what we get through Hollywood.

    • krsharp05 (Author), 4 years ago from 18th and Vine

      lol, so true Spartucus. Thank you for reading. It's a fascinating field but not as flashy as they make it look on the homicide shows. -K

    • Martin Kloess (Mhatter99), 4 years ago from San Francisco

      Thank you for this fascinating information

    • Thomas Silvia (kashmir56), 4 years ago from Massachusetts

      Hi krsharp05, WOW this is so very interesting and fascinating information. Thanks for helping me learn more about computer forensics, well done!

      Vote up and more !!! SHARING !

    • Om Paramapoonya, 4 years ago

      I have to agree with spartucusjones' comments. I've learned a lot more accurate information about computer forensics from this hub than from the CSI shows! Maybe they should hire you to be their new scriptwriter LOL

    • leahlefler, 4 years ago from Western New York

      Wow - I had never heard of cyber forensics, but this is a really fantastic hub! I love your explanation of limitations and common mistakes - such as using your own IT team to perform an investigation. I love this one, krsharp05!

    • krsharp05 (Author), 4 years ago from 18th and Vine

      Mhatter, thank you for stopping by. As always, it's a pleasure to see you!

    • krsharp05 (Author), 4 years ago from 18th and Vine

      kashmir, thank you for your comments. It's a fascinating field. I appreciate your vote and thank you for sharing.

    • krsharp05 (Author), 4 years ago from 18th and Vine

      ha ha ha, I will put in my application! thank you for reading and commenting. good to hear from you -K

    • krsharp05 (Author), 4 years ago from 18th and Vine

      leah, after doing the research, I learned so much more about something I already love. This is such a great experience. Thank you for reading and commenting. I appreciate your words of wisdom. -K

    • Simone Haruko Smith, 4 years ago from San Francisco

      It seems like computer forensics is becoming more important (and contested, not to mention controversial) every day! It's great to have learned a bit more background about the field. This will help me better understand current debates on the issue.

    • krsharp05 (Author), 4 years ago from 18th and Vine

      Simone, computer forensics is becoming a lot more controversial. The legal community is at constant odds about time stamping issues. You're right, it is very controversial. Thank you for reading and commenting -K

    • lindacee, 4 years ago from Southern Arizona

      I just learned something about a subject of which I knew very little. With technology and the criminals who use it advancing at such a rapid rate, cyber forensics techniques must quickly evolve to stay one step ahead of the bad guys. Voted up and interesting!

    • krsharp05 (Author), 4 years ago from 18th and Vine

      Lindacee, it's like a race between brilliant minds! Nice to hear from you, thank you for reading. Keep your cyber security system turned on - you never know who is sneaking in.. lol! -K

    • dmop, 4 years ago from Cambridge City, IN

      I found this article very interesting. I know that there is lots of software out there that helps eliminate traces of what a computer has been used for, though I'm sure none of it is 100% effective. I do know that retrieval even after meager attempts at removal or deliberate corruption is very expensive. Great Hub, voted up and useful.

    • krsharp05 (Author), 4 years ago from 18th and Vine

      dmop, thank you for reading and for your input. You're exactly right. The technology is there and it can be pricey. It's all about timing. Great to hear from you. -K

    • Sid Kemp (SidKemp), 4 years ago from Boca Raton, Florida (near Miami and Palm Beach)

      Fun article. I'm an ex-computer techie and a CSI junkie, so this was a fun read. I could enjoy this work, if I wanted to launch a new career. One thing I'm curious about: What exactly is meant by the idea that "the data is very delicate and degrades very easily." Clearly, that is not true of the bits on a hard drive. So, in what way does computer forensic data degrade? (Maybe a topic for another hub?)

    • krsharp05 (Author), 4 years ago from 18th and Vine

      Sid, I'm glad you asked! Just turning on your computer changes caches and temporary files and slack space files, which can all be veritable treasures for forensic techs. It's also impossible to know if meta-data has been altered, damaged or destroyed by opening, printing or saving files. Everything I read about computer forensics said that electronic evidence naturally degrades over time regardless of its housing, and more so when used on a regular basis. If you have more information that I can add, I would love to have your input! Thank you for reading and commenting. It's always nice to hear from you. -K

    • Sid Kemp (SidKemp), 4 years ago from Boca Raton, Florida (near Miami and Palm Beach)

      Hi KR: I see what you are saying - I was picturing the data after it had been seized. A properly stored hard drive in a secure lockup is pretty stable.

      But, even there, the opportunity to investigate the *meaning* of the stored data might degrade. Say we seize the computer early, but there is a delay before investigation. Then the investigation points to an avatar on the Internet. But that avatar was abandoned 3 months ago. It will be very hard to trace the person behind it. 3 months earlier, the forensic data investigation might lead to catching a criminal still using an avatar.

      Some case studies - real ones, not CSI - would be interesting, wouldn't they?

    • krsharp05 (Author), 4 years ago from 18th and Vine

      I'm fascinated with all aspects of criminal forensics and this particular avenue is macabre at times. One of the most famous cases where computer forensics was used is the BTK killer. Thanks for the great discussion Sid!

    • Tamara Wilhite (tamarawilhite), 4 years ago from Fort Worth, Texas

      Computer forensics are also used in the workplace. Did someone email proprietary files, whether on purpose to sell the information or accidentally? Has someone broken IT policy by installing freeware software or put company licensed software on a personal device? Computer forensics are often used in the business world.

    • krsharp05 (Author), 4 years ago from 18th and Vine

      Tamara, thank you for reading and commenting. You are definitely the IT woman. I know by reading your hubs that ANY and ALL IT questions should be passed by you. You're exactly right, CF companies are often hired by businesses to maintain systems at all times. I appreciate your input. Glad to have you here. -K

    • Shyron E Shenko, 3 years ago from Texas

      Hi krsharp05, this is an interesting hub, but there is a lot going on that is not written about here, i.e. some search engines are putting out info that they have no right to. Long ago people had to pay to get their telephone listed in the white pages; now you have to pay to keep it out.

      One search engine said "You can Opt Out of having them show personal info", so I called because they put out a lot of false information on me and I don't want any. They said I would have to send a copy of my driver's license and pay them to unpublish the wrong information, but if I wanted to correct the information I could do that for free.

      Voted up, interesting.

    • krsharp05 (Author), 3 years ago from 18th and Vine

      Shyron, Thank you for taking the time to read and respond. I'm sorry to hear that you've had such a hard time with your identity and the white pages. It sounds like you have been through an odyssey! I appreciate your input. Thanks! -K
