Computer forensics is the sub-specialty of forensic science that deals with computer and other digital evidence relevant to legal investigations. In recent years computers have been increasingly used in criminal activity, including theft, fraud, computer hacking, software forgery, the creation of computer viruses, and child pornography. Computer forensic specialists are often called upon when a suspect's computers are seized, particularly to retrieve data files. The field can be split into three main specialties: obtaining and documenting digital information, computer-related expert testimony, and basic investigation.
The search for digital evidence in computer forensics is extensive: home and work systems, modem pools, networks, deleted and existing files, cookies, print spool files, temporary files, swap files, slack space, caches, log files, and any other related media may all be examined. The data the investigator searches for comes in several forms. Active data is information that is clearly visible, including data files, programs, and the files used by the operating system; it is obvious and easy to access. Archival data has been backed up and stored, whether on tape, CD or another hard drive; once the storage medium has been located, access does not usually pose a problem. Latent or ambient data, by contrast, is not readily visible: it has been deleted, partially overwritten, left behind in slack or unallocated space, or encrypted, and specialised tools are usually needed to recover it.
Before the search begins, the computer must be protected from any damage or alteration, and its contents copied before they are examined. The state in which the computer was found should also be documented, including every cable and connection attached to it and any files or programs open on screen. Dead analysis examines a computer's storage without booting the machine. Using hard-drive duplicating (imaging) tools such as dcfldd and IXimager, normally with a hardware write blocker between the evidence drive and the examination workstation, the original disk is duplicated sector by sector without being altered. The copies must then be checked to ensure they are true and accurate: a cryptographic hash (for example MD5 or SHA-256) of the original disk is compared with a hash of the image, and a match shows that every byte was copied correctly. The hash is recorded with the case notes so that the image can be re-verified at any later stage.
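The acquire-and-verify procedure above, as an added example that is not code from the page, from dcfldd or from IXimager: it reproduces what those tools do internally. The evidence is read block by block and hashed as it is read, an unreadable block is replaced by zeroes (the behaviour of dd's conv=noerror,sync) so that every later block keeps its original offset, and the finished image is hashed again and compared with the acquisition hash. The 4 KiB block size, the SHA-256 choice, the file names and the drive contents are all assumptions; the "drive" is an ordinary file, and the unreadable sector is simulated by a small wrapper class.

```python
# Added example: block-level imaging with hash verification (not the page's
# or any tool's own code). Block size, hash and sample data are assumptions.
import hashlib
import io
import os
import tempfile

BLOCK_SIZE = 4096


def image_device(src, dst, block_size=BLOCK_SIZE):
    """Copy the seekable binary stream `src` into `dst` block by block.

    Returns (sha256 of the data as read, offsets of unreadable blocks).
    """
    size = src.seek(0, os.SEEK_END)
    src.seek(0)
    digest = hashlib.sha256()
    bad_blocks = []
    offset = 0
    while offset < size:
        want = min(block_size, size - offset)
        try:
            src.seek(offset)
            chunk = src.read(want)
        except OSError:
            # Unreadable sector: keep the layout by writing zeroes, and log it.
            chunk = b"\x00" * want
            bad_blocks.append(offset)
        digest.update(chunk)
        dst.write(chunk)
        offset += want
    dst.flush()
    return digest.hexdigest(), bad_blocks


def sha256_of_file(path, block_size=BLOCK_SIZE):
    """Hash a file on disk; used to verify the image after acquisition."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(src_path, image_path):
    """Image src_path into image_path, verify the copy, and return a report."""
    with open(src_path, "rb") as src, open(image_path, "wb") as dst:
        acquisition_hash, bad_blocks = image_device(src, dst)
    verification_hash = sha256_of_file(image_path)
    return {
        "acquisition_sha256": acquisition_hash,
        "verification_sha256": verification_hash,
        "verified": acquisition_hash == verification_hash,
        "bad_blocks": bad_blocks,
    }


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a drive with an unreadable range of bytes."""

    def __init__(self, data, bad_range):
        super().__init__(data)
        self.bad_range = bad_range

    def read(self, n=-1):
        start = self.tell()
        lo, hi = self.bad_range
        if n > 0 and start < hi and lo < start + n:
            raise OSError(5, "Input/output error")
        return super().read(n)


def demo():
    """Clean acquisition, a tampered image, and a drive with a bad block."""
    # Constructed 'drive' contents: five full blocks plus a 100-byte tail.
    data = bytes((i * 31) % 256 for i in range(5 * BLOCK_SIZE + 100))
    with tempfile.TemporaryDirectory() as tmp:
        src_path = os.path.join(tmp, "evidence.bin")
        img_path = os.path.join(tmp, "evidence.dd")
        with open(src_path, "wb") as fh:
            fh.write(data)
        report = acquire(src_path, img_path)
        clean_verified = report["verified"] and report["bad_blocks"] == []
        # Flip one byte of the image: re-hashing must now disagree with the
        # hash recorded at acquisition time.
        with open(img_path, "r+b") as fh:
            fh.seek(BLOCK_SIZE)
            original = fh.read(1)
            fh.seek(BLOCK_SIZE)
            fh.write(bytes([original[0] ^ 0xFF]))
        tampered_matches = sha256_of_file(img_path) == report["acquisition_sha256"]
    # A drive whose third block cannot be read: imaging still completes and
    # the report says exactly which part of the evidence is missing.
    flaky = FlakyDisk(data, (2 * BLOCK_SIZE, 3 * BLOCK_SIZE))
    out = io.BytesIO()
    _, bad = image_device(flaky, out)
    image = out.getvalue()
    return {
        "clean_verified": clean_verified,
        "tampered_matches": tampered_matches,
        "bad_blocks": bad,
        "bad_block_zeroed": image[2 * BLOCK_SIZE:3 * BLOCK_SIZE] == b"\x00" * BLOCK_SIZE,
        "rest_intact": image[3 * BLOCK_SIZE:] == data[3 * BLOCK_SIZE:],
        "image_length": len(image),
    }


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is the value to write in the evidence log: any later re-hash of the image that disagrees with it means the copy has changed, and the list of zero-filled offsets documents which parts of the original could not be read.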
Many people mistakenly believe that a deleted file cannot be recovered. In fact, when a user deletes a file the file system merely marks its directory entry and the space it occupied as free; the contents remain on disk, in what is now unallocated space, until that space is reused by new data. Slack space, the unused tail of the last cluster allocated to a file, likewise keeps whatever was written there before. Even when a file has been overwritten, fragments of it may survive. The operating system is constantly moving pages of memory between RAM and the hard disk, creating swap files (or a page file) in the process; although their contents change every time the computer is used, they may hold the information sought, including data the user never saved to a file. The contents of a computer's drive can be copied without booting it, by imaging the drive as described above, though the process can take hours.
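The recovery of deleted files from unallocated space, as an added example that is not code from the page or from any recovery tool: it carves files by signature, which is how tools such as foremost and scalpel recover data once the directory entry is gone, without consulting file-system metadata at all. The PNG and JPEG header and footer bytes are the real markers; the "unallocated space" it scans, the 1 MiB carve limit and the two deleted pictures are constructed, and the second picture's tail has been overwritten so that only a fragment comes back, as the paragraph describes.

```python
# Added example: header/footer carving of a raw image (not the page's or any
# tool's own code). The scanned image and the carve limit are assumptions.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 1 << 20  # stop looking for a footer 1 MiB after the header


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return every file-shaped run found in `image`, sorted by offset.

    Each hit is a dict with type, offset, size, complete and data. A header
    whose footer is not found within max_size (the tail was overwritten) is
    still returned as a fragment, flagged complete=False.
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        start = 0
        while True:
            off = image.find(header, start)
            if off < 0:
                break
            end = image.find(footer, off + len(header), off + max_size)
            if end < 0:
                data = image[off:off + max_size]
                complete = False
                start = off + len(header)
            else:
                data = image[off:end + len(footer)]
                complete = True
                start = off + len(data)
            hits.append({"type": kind, "offset": off, "size": len(data),
                         "complete": complete, "data": data})
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_image():
    """Constructed 'unallocated space': no directory entries, just leftovers."""
    png_header, png_footer = SIGNATURES["png"]
    jpeg_header = SIGNATURES["jpeg"][0]
    # A deleted picture whose bytes are untouched.
    intact = png_header + b"<IHDR and IDAT chunks of a deleted picture>" + png_footer
    # A second deleted picture whose tail, footer included, was overwritten
    # when a newer file reused that part of the disk.
    fragment = jpeg_header + b"\xe0\x00\x10JFIF data that survived"
    overwrite = b"NEW FILE CONTENTS WRITTEN OVER THE OLD TAIL"
    image = b"\x00" * 512 + intact + b"\x00" * 300 + fragment + overwrite + b"\x00" * 100
    return image, intact, fragment


def demo():
    """Carve the constructed image and summarise what came back."""
    image, intact, fragment = build_sample_image()
    hits = carve(image)
    return {
        "count": len(hits),
        "types": [h["type"] for h in hits],
        "offsets": [h["offset"] for h in hits],
        "complete": [h["complete"] for h in hits],
        "intact_recovered": hits[0]["data"] == intact,
        "fragment_starts_correctly": hits[1]["data"].startswith(fragment),
        "fragment_runs_to_end": hits[1]["offset"] + hits[1]["size"] == len(image),
    }


if __name__ == "__main__":
    for hit in carve(build_sample_image()[0]):
        print(hit["type"], hit["offset"], hit["size"], "complete" if hit["complete"] else "fragment")
```

Carving recovers the intact picture byte for byte but only the surviving head of the overwritten one; the offset and fragment flag are what an examiner records, since a partial file still shows that the picture once existed on the disk.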
Incriminating files may have been encrypted, by the user or automatically by the computer, to prevent others from viewing their contents. Decryption may still be possible, but in practice it usually depends on recovering the key rather than on breaking the cipher. Symmetric encryption uses a single key both to encrypt and to decrypt, so the data can be read by anyone who obtains that key, for example from a passphrase the suspect reveals or that can be guessed, or from a copy of the key left in memory or on disk. Asymmetric encryption uses one key to encrypt and a different, private key to decrypt; without the private key, decryption is far more difficult.
Used by millions of people every day, email systems are ripe for criminal activity, particularly spam and email-borne viruses. Fortunately there are ways of tracing the source of such messages. Every host on the internet is reached through an IP (Internet Protocol) address, and a server records the address of each computer that connects to it. That address, together with the provider's records of who was using it at the time, may be used to track down the computer responsible, although proxies, address translation and shared or dynamically assigned addresses mean an IP address alone does not identify a machine. Each mail server that handles a message also adds a Received header to it and writes a log entry, recording the sending and receiving hosts with dates and times. Only the headers added by servers the investigator trusts can be relied upon, since a sender can forge the earlier ones, but such data is often valuable in a forensic investigation.
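The header trace described above, as an added example that is not code from the page: it walks the Received headers of a message from the top (the line written by the receiving server) downwards, stops at the first hop not written by a server on the investigator's trusted list, and reports the connecting IP address of the last trusted hop as the furthest origin that can be relied upon. The message, the host names, the addresses and the trusted list are all constructed; the bottom Received line is a forged one planted by the sender, which the walk correctly refuses to believe.

```python
# Added example: tracing a message's origin through Received headers (not the
# page's own code). The message, hosts and trusted list are constructed.
import email
import ipaddress
import re

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")
# RFC 1918 ranges: such an address identifies a host only inside its own LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed message. Relays prepend their line, so the first Received header
# is the newest; the last one was planted by the sender and is a lie.
RAW_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [198.51.100.7])
    by mail.victim.example (Postfix) with ESMTPS id 4Xk9z2
    for <analyst@victim.example>; Tue, 12 Mar 2024 09:14:02 +0000
Received: from [192.168.1.20] (unknown [203.0.113.45])
    by mx.example.net (Postfix) with ESMTPA id 7Qp1
    ; Tue, 12 Mar 2024 09:13:55 +0000
Received: from totally-legit.example (10.0.0.5)
    by fake-relay.example; Tue, 12 Mar 2024 01:00:00 +0000
From: "Support" <support@bank.example>
To: analyst@victim.example
Subject: Urgent account notice
Date: Tue, 12 Mar 2024 09:13:50 +0000
Message-ID: <abc123@bank.example>

Please open the attachment.
"""


def valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hop(value):
    """Split one Received header into the claimed sender and the server that wrote it."""
    text = " ".join(value.split())  # unfold continuation lines
    match = BY_RE.search(text)
    by_host = match.group(1) if match else None
    from_part = text[:match.start()] if match else text
    ips = [ip for ip in IP_RE.findall(from_part) if valid_ip(ip)]
    return {
        "by": by_host,
        "from_ips": ips,
        # The bracketed address after the reverse lookup is the socket's
        # address as the server saw it: the last IP before "by".
        "connecting_ip": ips[-1] if ips else None,
        "lan_ips": [ip for ip in ips if any(ipaddress.ip_address(ip) in n for n in LAN_NETS)],
        "raw": text,
    }


def trace_origin(raw, trusted_hosts):
    """Return the hops (newest first) and the furthest origin that can be trusted."""
    msg = email.message_from_bytes(raw)
    hops = [parse_hop(str(v)) for v in msg.get_all("Received", [])]
    origin = None
    trusted = 0
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            break  # everything from here down is the sender's word
        trusted += 1
        if hop["connecting_ip"]:
            origin = hop["connecting_ip"]
    return {"hops": hops, "origin_ip": origin,
            "trusted_hops": trusted, "untrusted_hops": len(hops) - trusted}


if __name__ == "__main__":
    result = trace_origin(RAW_MESSAGE, {"mail.victim.example", "mx.example.net"})
    for hop in result["hops"]:
        print(hop["by"], "<-", hop["connecting_ip"], "LAN:", hop["lan_ips"])
    print("origin:", result["origin_ip"], "forged hops:", result["untrusted_hops"])
```

Trusting only the investigator's own server gives 198.51.100.7, the relay; adding the relay to the trusted list pushes the origin back to 203.0.113.45, the address the relay saw the client connect from. The 192.168.1.20 and 10.0.0.5 values are LAN addresses, useful for matching a machine once the suspect's network is known but meaningless on their own.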
Metadata is essentially data about other data. When a file is created with certain programs, information about the file's history is recorded. This may include the date and time of its creation, when it was last accessed, and when it was last modified, as well as details the application itself embeds, such as an author name. Because digital evidence is so fragile, extracted evidence must be kept away from magnets, static and other mechanical or electromagnetic hazards. Computer forensics is not limited to PCs and laptops; it may also be applied to cameras, video recorders, mobile phones, and fax machines. Security systems are often tampered with during break-ins and computer intrusions, and study of those systems can determine how the attacker gained access and what they did.
Forensic and Anti-Forensics Software
Some computer-savvy criminals employ more advanced methods of concealing incriminating evidence, and anti-forensics tools can further hinder an investigation. Some of these alter the metadata attached to a file, for instance by rewriting its timestamps so that a recent change looks old, or encrypt data thoroughly. Others can be set up to wipe data if an unauthorised user attempts to access the system. Fortunately numerous tools are available for the forensic analysis of computer systems, common ones being AccessData's FTK, Guidance Software's EnCase, and Brian Carrier's open-source Sleuth Kit.
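The file timestamps described in the metadata paragraph above, and the timestamp manipulation described in this section, as one added example that is not code from the page or from FTK, EnCase or The Sleuth Kit: it builds a modification/access/change (MAC) time timeline of a directory tree, in the spirit of Sleuth Kit's mactime output, and applies two heuristics for timestamps that an anti-forensics tool has rewritten. Both heuristics are assumptions that hold on POSIX file systems, where ctime is the inode change time set by the kernel itself and not by the application: a modification time later than the change time cannot come from a normal write, which sets both at once, and a modification time with exactly zero nanoseconds while the change time has a fractional part suggests a whole-second value supplied by a tool. The directory, the file names and the "stomped" timestamp are constructed; on Windows, where st_ctime is the creation time, the first heuristic does not apply.

```python
# Added example: MAC-time timeline and timestomp heuristics (not the page's
# or any tool's own code). Files, names and the forged time are constructed.
import os
import tempfile
import time


def mac_times(path):
    st = os.stat(path)
    return {"m": st.st_mtime_ns, "a": st.st_atime_ns, "c": st.st_ctime_ns, "size": st.st_size}


def timeline(root):
    """Sorted (timestamp_ns, kind, relative path) events for every file under root."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            times = mac_times(path)
            rel = os.path.relpath(path, root)
            events.extend((times[k], k, rel) for k in ("m", "a", "c"))
    events.sort()
    return events


def timestomp_flags(path):
    """Heuristic flags (assumptions, see lead-in); an empty list means nothing odd."""
    t = mac_times(path)
    flags = []
    if t["m"] > t["c"]:
        flags.append("mtime_after_ctime")  # POSIX: a write sets both together
    if t["m"] % 1_000_000_000 == 0 and t["c"] % 1_000_000_000 != 0:
        flags.append("whole_second_mtime")  # tools often supply whole seconds
    return flags


def demo():
    """One honest file and one whose times were rewritten; return what stands out."""
    with tempfile.TemporaryDirectory() as root:
        honest = os.path.join(root, "notes.txt")
        stomped = os.path.join(root, "report.doc")
        for path in (honest, stomped):
            with open(path, "wb") as fh:
                fh.write(b"constructed sample content\n")
        # Anti-forensics step: push the file's mtime and atime a day into the
        # future with a whole-second value, as a timestomping tool might.
        forged = (int(time.time()) + 86400) * 1_000_000_000
        os.utime(stomped, ns=(forged, forged))
        events = timeline(root)
        return {
            "honest_flags": timestomp_flags(honest),
            "stomped_flags": timestomp_flags(stomped),
            "last_event": events[-1][1:],
            "event_count": len(events),
        }


if __name__ == "__main__":
    print(demo())
```

On a real image the timeline is built from the file system's own records rather than from os.stat, and a future-dated or whole-second modification time is a lead, not proof: clock skew, restores from backup and archive extraction produce similar patterns, so a flagged file is compared against other sources (logs, application metadata, the change time the tool could not touch) before anything is concluded.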