Uses of Computer Forensics
©copyright ALL RIGHTS RESERVED 2012
Catching A Cyber Criminal
The vocation of cyber forensics encompasses many different duties. Defined in the most basic manner, computer forensics is the analysis of information that has been created and stored within a computer system, in the interest of solving any alleged criminal activity that may have been committed with the use of the specific apparatus being analyzed. Probable cause allows the apparatus to be taken into custody if an officer or trained person of reasonable caution believes that a crime has been, is being or is about to be committed.
Forensic data is not the type of information that is readily available, contrary to what you see on LA LAW and CSI. Hollywood makes criminal forensics seem very futuristic and glamorous with lasers and innovative machinery. In Hollywood they perform the most amazing tests and within seconds - voila! Crime solved! Unfortunately, it often takes hours of tedious research to find the real answers.
Forensics investigations are most often used to refute or support a supposition during civil, criminal and corporate litigation. Digital forensics may also be used in the private sector by companies who are undergoing internal investigations into unauthorized technical and network transgressions.
The specialized aspect of an investigation is sub-categorized into four main areas: computer forensics, network forensics, database forensics and mobile device forensics. The physical process itself consists of obtaining evidence, forensic imaging, analysis and reporting of evidence.
DIGITAL FORENSIC TOOLS
Radio Tactics Aceso
The earliest known uses of computer forensics go back to as early as 1970. US military and intelligence agencies employed computer forensic techniques in counterintelligence measures; however, specific details are classified.
Before 1980, crimes that involved digital evidence were handled under existing laws. The next ten years saw an eruption of crimes being committed using digital technology. Legislation was passed to deal with the issues of copyright, privacy, harassment, cyber bullying, cyberstalking, online predators and child pornography. The US Federal Computer Fraud and Abuse Act was passed in 1986.
It wasn't until 1992 that the United States recognized computer forensics as a necessary and legitimate discipline in criminal investigation, though it had previously been used informally and not for criminal or civil litigation. The new challenge became developing standards for the seizure, preservation and analysis of evidence by trained experts, to ensure that all evidence is based on the expert's own knowledge, that all testimony given is the product of reliable methods and processes, and that the witness has applied those methods and processes reliably to the facts of the case.
The Patriot Act, signed by President Bush in 2001, included efforts to eradicate terrorism through the use of cyber forensics. Section 814 specifically addresses cyber terrorism.
Cryptographic Hash Functions
SHA-1 is a secure hash algorithm designed by the NSA (National Security Agency).
MD5 is a secure hash algorithm that is also used. Its more conservative design came from MIT (Massachusetts Institute of Technology).
- The first stage of the forensic process is to acquire a forensic duplicate of the media or intelligence often using a device which will prevent any alteration of the original. Both the original and the duplicate are "hashed" and the values are then analyzed to ensure the replicas are accurate and exact.
- Once the investigator has acquired evidentiary material, they will need to begin analysis using many techniques and devices. Evidence may be apparent but may have gaps which the forensic examiners must fill using their forensic processes. The procedure may involve conducting keyword searches within files or slack space (the unused space in a disk cluster), recovering deleted files and extracting registry information such as user accounts or attached USB devices. The evidence is then used for reconstruction purposes and finally put into a written report.
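As an added illustration of the two steps above (not code from the original article), the following Python sketch hashes an original and its duplicate in chunks with the algorithms the article names, then searches the raw image, including unallocated and slack clusters, for a keyword. The image bytes, cluster size and keyword are constructed for illustration only.

```python
import hashlib
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # hash 1 MiB at a time so large images need little memory


def hash_media(data: bytes, algorithms=("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Hash a byte stream the way an imager hashes the original media and the
    duplicate. MD5 and SHA-1 are the digests the article names; SHA-256 is
    included because current practice pairs the older digests with it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), CHUNK):
        block = data[offset:offset + CHUNK]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_duplicate(original: bytes, duplicate: bytes) -> bool:
    """True only if every digest matches; a single altered byte fails the check."""
    return hash_media(original) == hash_media(duplicate)


def keyword_search(image: bytes, keyword: bytes, cluster_size: int) -> List[Tuple[int, int]]:
    """Return (byte offset, cluster number) for every hit in the raw image.
    Searching raw bytes rather than the file listing also reaches deleted
    files and slack space, which the filesystem no longer reports."""
    hits = []
    start = image.find(keyword)
    while start != -1:
        hits.append((start, start // cluster_size))
        start = image.find(keyword, start + 1)
    return hits


# Constructed sample image (not a real disk): cluster 0 is a live file, cluster 1
# the remnant of a deleted file, cluster 2 a short live file whose slack space
# still holds bytes from an earlier, larger file that occupied the cluster.
CLUSTER = 32
IMAGE = (
    b"live: budget.xlsx".ljust(CLUSTER, b"\x00")
    + b"deleted: invoice #4471 draft".ljust(CLUSTER, b"\x00")
    + b"live: notes.txt\x00" + b"invoice #4471".ljust(CLUSTER - 16, b"\x00")
)

if __name__ == "__main__":
    duplicate = bytes(IMAGE)                 # a faithful acquisition
    tampered = IMAGE[:-1] + b"\x01"          # one byte changed after imaging
    print("duplicate verified:", verify_duplicate(IMAGE, duplicate))  # True
    print("tampered verified: ", verify_duplicate(IMAGE, tampered))   # False
    for offset, cluster in keyword_search(IMAGE, b"invoice #4471", CLUSTER):
        print(f"keyword at offset {offset} (cluster {cluster})")       # 41/1, 80/2
```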
One considerable limitation is the use of encryption, which disrupts examination: evidence may be stored on the device but remain inaccessible. Laws compelling the disclosure of encryption keys are in their earliest phases and are still controversial.
Computer forensics is most commonly known in criminal law but also has applications in private and corporate investigation. Outside of the criminal realm, computer forensics is commonly used to investigate unauthorized network intrusions or to identify a network attack or attacker.
The primary focus of computer forensics is to recover evidence of criminal activity; the legal term for this is actus reus. There is also an assortment of data within digital devices that is beneficial to other areas of inquiry.
- Attribution: Metadata can be used to attribute specific actions to an individual.
- Alibis and Statements: Statements given may be checked against digital evidence, such as mobile phone records, to verify dates and timestamps.
- Intent: Internet history can be used to prove mens rea (intent) if it contains incriminating evidence such as the search terms "How to poison with arsenic" or "How to kill people".
- Evaluation of Source: File artifacts and metadata can be used to determine where the data was generated. They identify whether the file was created on the computer being evaluated or came from another source. The problem with source evaluation is that file dates can be affected simply by changing the computer's clock. This has been highly debated at trial. Fortunately, in nearly all cases it is not a strong enough argument to exclude the evidence.
Types of Forensic Data
- Active Data is the information that we can see such as files, programs and anything that would be used by the operating system. It is the easiest type of information to obtain.
- Archival Data is data that has been backed up and stored on CDs, disks, back-up tapes or entire hard drives. This information requires a bit more work and know-how to retrieve.
- Latent Data is the material that requires specialized equipment to access, such as information that has been deleted or partially overwritten. Latent data is the most difficult and time-consuming type of information to collect.
- When collecting data for forensic purposes, it is important that devices are collected and information is harvested as early as possible in order to prevent information from degrading or being destroyed.
- Using your own internal IT staff to conduct a computer forensic investigation.
If your staff is not trained in evidentiary procedures and does not follow the chain of custody and all accepted evidence-handling techniques, any information collected may not be admissible in a court of law.
- Waiting until the last minute to perform a computer forensics exam.
Computer forensics depends largely on the ability to authenticate information. The data is considered extremely delicate and degrades very easily. The longer this type of evidence is allowed to degrade, the more difficult and costly it will be to recover. In computer forensic analysis the rule of thumb is that if there is even a negligible chance that forensic evidence will be necessary, imaging and analysis should be done immediately.
- Limiting the scope of analysis.
You may want to limit the cost of your analysis; however, it is impossible to know in advance which system or systems have been attacked or which contain evidence. Additionally, examiners will not know where to look for evidence and will need to do a complete scan of all data and systems.
- Not being prepared to safeguard digital evidence.
Regardless of the size of your company, you should at all times be prepared to secure electronic and digital evidence. Your employees should know and properly follow the laws governing file deletion. Additionally, many corporations overwrite their own backup tapes. Recently a company was fined 1,000,000 for that very practice. Oops! They quickly hired an IT team that worked with their new legal team and put a new preservation order in place.
- Selecting a sub-standard forensic organization
Do your homework and make sure that your forensic analysis provider is capable and qualified. They must be certified computer forensic investigators using tools that are acceptable for the environment and that collect data which is recognized as evidence. They must have the ability to serve as an expert witness and be a trusted advisor. They must follow accepted protocols and be able to handle different systems and hardware. They must be able to handle a variety of forensic collection and analysis situations. They must provide references and comply with Department of Justice practices in their lab.
Reputable Forensic Labs
- Computer Forensics Services, e-Discovery, Data Recovery: computer forensics, mobile device forensics and e-discovery investigations.
- DisputeSoft LLC: litigation consulting and expert testimony services related to software project failures, intellectual property disputes, electronic discovery issues, and computer forensics.
- Semke Forensic