Computer forensics, sometimes known as digital forensics, is undertaken by trained examiners who pull data (search histories, purchase records, time logs and more) from devices including, but not limited to, computers, tablets and smartphones. They then investigate and analyse the data, before presenting it in a way that can be easily understood by people who may not be familiar with forensic or computer science.
If you would like to learn more about computer forensics, we have compiled this comprehensive guide, encompassing all you need to know with no technical knowledge required. Our aim is to give every reader a high-level view of computer forensics to help them understand more about the different processes and when they should be used.
DISCLAIMER: We use the term ‘computer’ throughout this article, but the concepts we discuss can apply to any device capable of storing digital information.
When and how is computer forensics used?
There aren’t many areas of crime or civil dispute where computer forensics cannot be applied. Law enforcement agencies were among the earliest and most prominent users of computer forensics, and as a result, they’ve often been at the forefront of developments in the field.
Computers can be considered a ‘crime scene’ – for example, with hacking or denial of service attacks. They may hold evidence of crimes that happened elsewhere, in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud or drug trafficking.
A forensic computer exam can reveal much more than expected.
Computer forensic investigators are not only interested in the content of emails, documents and other files, but also in the metadata associated with those files. Metadata provides more information about a certain dataset, which can be revealing in its own right. For instance, records of a user’s actions may also be stored in log files and other applications on a computer, such as internet browsers.
So a computer forensic examination might reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.
Commercial organisations have used computer forensics to help with all kinds of cases, including:
- Intellectual property theft
- Employment disputes
- Invoice fraud, often enabled by phishing emails
- Inappropriate email and internet use in the workplace
- Regulatory compliance
Guidelines for successful computer forensics
If evidence found during a computer forensic investigation is to be admissible, it must be reliable and ‘not prejudicial’. This means the examiner needs to keep admissibility at the front of their mind at every stage of an investigation.
The UK Association of Chief Police Officers’ Good Practice Guide for Digital Evidence – or ACPO Guide – is a widely used and respected set of guidelines for investigators. ACPO has now become the National Police Chiefs’ Council. The guide has not been updated for several years, but its content remains relevant. The technologies change, but the principles remain consistent.
The four main principles from the ACPO Guide
Please note: references to law enforcement have been removed.
- No action should change data held on a computer or storage media which may be subsequently relied upon in court.
- In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third-party should be able to examine those processes and achieve the same result.
- The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
For a more in-depth look at the ACPO Guidelines, you may like to read our article: ACPO Guidelines and Principles Explained.
Live acquisition: Getting data from a powered computer
Are there instances when a computer forensic examiner might need to make changes to a suspect’s computer and – in doing so – go against the first principle above? Yes.
Traditionally, examiners copy data from a device which is turned off. They use a write-blocker to make an exact bit-for-bit copy of the original storage medium, and create an acquisition hash of the original medium. They then work from this copy, leaving the original unchanged.
However, sometimes it’s not possible (or desirable) to switch off a computer. Perhaps doing so would result in considerable financial or other loss for the owner, or cause valuable evidence to be permanently lost. In these cases, the computer forensic examiner may need to carry out a ‘live acquisition’. This involves running a simple application on the suspect computer to copy (acquire) the data to the examiner’s data repository.
By running such an application (and attaching a device such as a USB drive to the suspect computer), the examiner makes changes and/or additions to the computer which were not present before. But if the examiner records these actions, can show why they were necessary, and explain the consequences of them to a court, the evidence produced is usually still admissible.
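The acquisition hash and working copy described above for a powered-off device can be sketched as follows. This is an added example, not code from the original article or from any particular forensic tool: the file names, the `examiner` field and the record layout are assumptions, and an ordinary file stands in for media that would in practice be read through a write-blocker.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never sit in RAM


def hash_file(path, algorithm="sha256"):
    """Hash a file or image from start to end, opened read-only."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image, examiner):
    """Copy source to image bit for bit, hashing the source as it is read."""
    digest = hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc).isoformat()
    # "xb" refuses to overwrite an existing image file
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
            size += len(block)
    acquisition_hash = digest.hexdigest()
    return {  # audit-trail entry a third party can use to repeat the check
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes": size,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "acquisition_sha256": acquisition_hash,
        "image_verified": hash_file(image) == acquisition_hash,
    }


def still_matches(record):
    """Re-verify the working copy against the recorded acquisition hash."""
    return hash_file(record["image"]) == record["acquisition_sha256"]


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_media.bin")  # constructed stand-in
    with open(source, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 517))
    record = acquire(source, os.path.join(workdir, "evidence_001.dd"), "A. Examiner")
    print(json.dumps(record, indent=2))
    print("working copy intact:", still_matches(record))
```

Re-running `still_matches` before and after analysis shows that the working copy has not changed since acquisition; any single altered byte makes the check fail.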
The stages of a computer forensics examination
The overall process of a computer forensics examination is divided into six stages.
Forensic readiness is an important and occasionally overlooked stage in the process. In commercial computer forensics, it might include educating clients about system preparedness. For example, forensic examinations provide stronger evidence if a device’s auditing features are activated before an incident takes place.
For the forensic examiner, readiness includes appropriate training, testing and verification of their own software and equipment. They need to be familiar with legislation, know how to deal with unexpected issues (such as what to do if child abuse images are found during a fraud engagement) and ensure their data acquisition computer and associated items are suitable for the task.
During the evaluation stage, the examiner receives instructions and should seek clarification if any of these are unclear or ambiguous. They will then carry out the risk analysis and allocate roles and resources. For law enforcement, risk analysis may include assessing the likelihood of physical threat on entering a suspect’s property and how best to deal with it.
Commercial organisations also need to consider health and safety issues, conflict of interest issues, and other possible risks (such as to their finances or their reputation) when they accept a particular project.
If data acquisition (often called ‘imaging’) is carried out on-site rather than at the computer forensic examiner’s office, this stage includes identifying and securing devices which may store evidence, and documenting the scene.
The examiner would also hold interviews or meetings with personnel who might have information relevant to the examination – such as the computer’s end-users, the manager and the person responsible for computer services (e.g. an IT administrator).
The collection stage can also involve the labelling and bagging of items from the site which may be used in the investigation. These are sealed in numbered tamper-evident bags. The material must then be securely and safely transported to the examiner’s office or laboratory.
Analysis includes the discovery and extraction of information gathered in the collection stage. The type of analysis depends on the needs of each case. It can range from extracting a single email to piecing together the complexities of a fraud or terrorism case.
During an analysis, the examiner usually delivers their findings to their line manager or client. These exchanges may result in the analysis taking a different path or narrowing to specific areas. Forensic analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the available timescales and allocated resources.
There are multiple tools available for computer forensics analysis. The examiner should use any tool they feel comfortable with, as long as they can justify their choice. A computer forensic tool must do what it’s meant to do, so examiners should regularly test and calibrate their tools before carrying out any analysis.
Examiners can also use ‘dual-tool verification’ to confirm the integrity of their results during analysis. For example, if the examiner finds artefact X at location Y using tool A, they should be able to replicate these results with tool B.
In this stage the examiner produces a structured report on their findings, addressing the points in the initial instructions, along with any further instructions they have received. The report should also cover any other information the examiner deems relevant to the investigation.
The report must be written with the end reader in mind. Often the reader may not have a high level of technical knowledge, so appropriate terminology should be used. The examiner may need to participate in meetings or conference calls to discuss and elaborate on their report.
Like the Readiness stage, the Review is often overlooked or disregarded, as it’s not billable work or because the examiner needs to proceed with the next investigation. But carrying out a review of each examination can make future projects more efficient and time-effective, which saves money and improves the quality of investigations in the longer term.
The review of an examination can be simple, quick, and begin during any of the above stages. It could include a basic analysis of what went wrong and what went well, along with feedback from the person or company who requested the investigation. Any lessons learnt from this stage should be applied to future examinations and feed into the Readiness stage.
What issues do computer forensics examiners face?
Computer forensics examiners come up against three main categories of problem: technical, legal and administrative.
Encrypted data can be impossible to view without the correct key or password. If the key isn’t available or the owner won’t reveal it, it may be stored:
- elsewhere on the computer
- on another computer which the suspect can access
- in the computer’s volatile memory (RAM). This is usually lost when a computer is shut down
When encryption may be present, the examiner may need to consider using the ‘live acquisition’ techniques outlined above.
Increasing storage space
Storage media hold ever-greater amounts of data, so the examiner’s analysis computers need sufficient processing power and available storage capacity to search and analyse large amounts of data efficiently.
Computing is a continually evolving field, with new hardware, software and operating systems emerging constantly. No single computer forensic examiner can be an expert on all areas, though they are often expected to analyse things that they haven’t encountered before.
This means computer forensics examiners must be prepared and able to experiment with new technologies. At this point, networking and sharing knowledge with other computer forensic examiners comes in useful, because someone else may already have come across the same issue.
Anti-forensics is the practice of attempting to thwart computer forensic analysis through encryption, over-writing data to make it unrecoverable, modifying files’ metadata and file obfuscation (disguising files). As with encryption, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect can access.
In our experience, it’s very rare to see anti-forensics tools used correctly and frequently enough to totally obscure their presence or the presence of the evidence they were used to hide.
Data often isn’t stored on a person’s computer but on remote computers which they are renting storage space on, otherwise known as the ‘cloud’. This data may be in a different country, meaning access to it could involve different legislation. And if access is possible, it may be complicated and expensive.
Legal issues can confuse or distract from a computer examiner’s findings. One example of this is the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something benign, but which has a hidden and malicious purpose. Trojans have many uses, including key-logging, uploading or downloading files, and installing viruses.
A lawyer may be able to argue that actions on a computer were not carried out by a user, but instead automated by a Trojan without the user’s knowledge. This kind of Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect’s computer.
In such cases, a competent opposing lawyer supplied with evidence from a competent computer forensic analyst should be able to dismiss the argument. A good examiner will have identified and addressed possible arguments from the ‘opposition’ during the analysis and writing stages of their report.
There are all kinds of standards and guidelines in computer forensics, few of which are universally accepted. The reasons for this include:
- Standard-setting bodies can be tied to particular legislation
- Standards are aimed either at law enforcement or commercial forensics, but not both
- The authors of such standards are not accepted by their peers
- High joining fees for professional bodies can discourage practitioners
Fit to practise
Many jurisdictions have no qualifying body to check the competence and integrity of computer forensics professionals. This means anyone can present themselves as a computer forensics expert, which in turn can lead to poor quality examinations and a negative view of the profession as a whole.
At Forensic Control we are experts in computer forensics, so if you need any assistance please just drop us a message, and we’ll be happy to advise. Alternatively, you can book a computer investigation with one of our experienced computer forensics investigators.