June 27, 2022

A Beginner’s Guide To Computer Forensics

Introduction
Computer forensics is the process of collecting, analysing and reporting on digital information in a way that is legally admissible. It is used in the detection and prevention of crime, and in any dispute where evidence is stored digitally. Computer forensics has examination stages comparable to those of other forensic disciplines and faces similar issues.

This guide
This guide takes a neutral approach to computer forensics. It is not intended to promote any company or product, nor is it tied to any specific legislation, and it is not biased towards either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. Although the term “computer” is used throughout, the concepts apply to any device capable of storing digital information. Where methods are mentioned they are given as examples only and do not constitute recommendations or advice. This article may be copied and published under the Creative Commons Attribution Non-Commercial 3.0 licence.

Computer forensics
Computer forensics can be used in a variety of areas, including crime and civil disputes. Law enforcement agencies have been among the earliest and most prolific users. A computer may itself constitute the “scene of a crime”, as in hacking [1] or denial-of-service attacks [2], or it may hold evidence in the form of emails, internet history or documents relevant to crimes such as murder, kidnapping, fraud and drug trafficking. Investigators are interested not only in the contents of emails, documents and other files but also in the metadata [3] associated with them. A computer forensic examination may reveal the date and time a document first appeared on a computer, and when it was last edited or saved.

Commercial organisations have used computer forensics in a range of cases, including:

Intellectual property theft
Industrial espionage
Employment disputes
Fraud investigations
Forgeries
Matrimonial issues
Bankruptcy investigations
Inappropriate email and internet use in the workplace
Regulatory compliance

Guidelines
For evidence to be admissible it must be reliable and not prejudicial, so the computer forensic examiner must keep admissibility at the forefront of their mind at every stage. One set of guidelines that has been widely accepted is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or the ACPO Guide. Although written for United Kingdom law enforcement, its four main principles apply to computer forensics under any legislature. They are reproduced below, with references to law enforcement removed:

1. No action should be taken that changes data held on a computer or storage media which may subsequently be relied upon in court.
2. Where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and able to give evidence explaining the relevance and implications of their actions.
3. An audit trail or other record of all processes applied should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary: no changes should be made to the original; where changes are unavoidable, the examiner must know exactly what they are doing and must record it.

Live acquisition
Principle 2 may raise the question: in what circumstances would a computer forensic examiner make changes to a suspect’s computer? Normally the examiner would make a copy of (or acquire) information from a device that is switched off. A write-blocker [4] is used to make an exact bit copy [5] of the original storage medium, and the examiner then works from this copy, leaving the original unchanged.

Sometimes, however, it is not possible or desirable to switch a computer off. It may not be possible if doing so would cause significant financial or other loss to the owner, and it may not be desirable if valuable evidence held only in memory would be lost. In these circumstances the examiner needs to carry out a “live acquisition”, which involves running a small program on the suspect’s computer to copy (or acquire) the data to the examiner’s hard disk.

By running such a program and attaching a destination drive to the suspect’s computer, the examiner makes changes and additions to the state of the computer that were not present before. Such actions remain admissible as long as the examiner records them, is aware of their effects and can explain their consequences.
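To make the acquisition and audit-trail ideas concrete, here is an added Python illustration that is not part of the original guide or of any forensic product. It copies every byte of a source to an image file, hashes both, checks that the hashes match, and appends each step to a JSON-lines audit record that a third party could re-run (principle 3). The source and image paths and the constructed sample “disk” are assumptions; opening the source read-only only stops this program from writing and is not a substitute for a write-blocker [4].

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size; any size gives the same bit-for-bit copy


def sha256_file(path):
    """Hash a file in chunks so images larger than memory can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _log(audit, action, **fields):
    """Append one timestamped JSON record to the audit trail."""
    record = {"time_utc": datetime.now(timezone.utc).isoformat(), "action": action}
    record.update(fields)
    audit.write(json.dumps(record) + "\n")


def image_device(source_path, image_path, audit_path):
    """Copy every byte of source_path to image_path, hashing the source as it is read.

    Returns (source_sha256, image_sha256, verified). The image hash is computed by
    re-reading the written file rather than trusting the bytes we wrote."""
    h_source = hashlib.sha256()
    with open(audit_path, "a") as audit:
        _log(audit, "acquisition_start", source=source_path, image=image_path)
        # Read-only open is not a write-blocker: it only restrains this program.
        with open(source_path, "rb") as src, open(image_path, "wb") as dst:
            for block in iter(lambda: src.read(CHUNK), b""):
                h_source.update(block)
                dst.write(block)
        source_hash = h_source.hexdigest()
        _log(audit, "source_hashed", sha256=source_hash)

        image_hash = sha256_file(image_path)
        verified = image_hash == source_hash
        _log(audit, "image_verified", sha256=image_hash, match=verified)
    return source_hash, image_hash, verified


def demo():
    """Build a constructed 'device' file in a temp dir, image it, return check results."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_disk.bin")  # constructed sample, not a real device
    image = os.path.join(workdir, "suspect_disk.dd")
    audit = os.path.join(workdir, "audit.jsonl")
    # Constructed content larger than one chunk, with a run of zeros mimicking the
    # unallocated space a file-level copy would skip but a bit copy [5] includes.
    with open(source, "wb") as f:
        f.write(b"BOOT" + os.urandom(CHUNK) + b"\x00" * 4096 + b"deleted-note.txt")
    src_hash, img_hash, ok = image_device(source, image, audit)
    with open(audit) as f:
        entries = [json.loads(line) for line in f]
    return (
        ok,                                           # image hash matches source hash
        src_hash == sha256_file(source),              # source unchanged by the process
        len(entries),                                 # three audit records written
        os.path.getsize(source) == os.path.getsize(image),
    )


if __name__ == "__main__":
    print(demo())
```

Re-hashing the original after imaging, as demo() does, is what lets the examiner state that the source was left unchanged; the audit file records the hashes and timings needed for a third party to repeat the check.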

Stages of an Examination
For the purposes of this article the computer forensic examination process is divided into six stages. They are presented in their usual chronological order, but it is important to remain flexible during an examination. For example, during the analysis stage the examiner may find a new lead that warrants examining further computers and means a return to the evaluation stage.

Readiness
Forensic readiness is an important and occasionally overlooked stage of the examination process. In commercial computer forensics it can include educating clients about system readiness; for example, forensic examinations provide stronger evidence if a server’s built-in auditing and logging systems are switched on. For examiners there are many areas where prior organisation helps, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g. what to do if child pornography is found during a commercial job) and making sure the on-site acquisition kit is complete and working.

Evaluation
The evaluation stage includes receiving clear instructions, risk analysis and the allocation of roles and resources. For law enforcement, risk analysis may include assessing the likelihood of a physical threat from a suspect and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, and their evaluation should cover the reputational and financial risks of accepting a particular project.

Collection
The main part of the collection stage, acquisition, was introduced above. Where acquisition takes place on-site rather than in a laboratory, this stage also includes identifying, securing and documenting the scene. It usually involves interviews or meetings with personnel who may hold information relevant to the examination, such as end users, managers and those responsible for providing computer services. The “bagging and tagging” audit trail starts here: materials are sealed in unique, tamper-evident bags, and consideration is given to transporting them safely and securely to the examiner’s laboratory.

Analysis
Analysis depends on the specifics of each job, and the examiner usually provides feedback to the client during this stage. The resulting dialogue may take the analysis down a different path or narrow it to particular areas. Analysis must be accurate, thorough, impartial, recorded and repeatable, and it must be completed within the time and resources allocated. Many tools are available for computer forensic analysis; in our view the examiner should use whichever tool they are comfortable with, as long as that choice can be justified. The main requirement of a forensic tool is that it does what it is meant to do, so examiners should regularly test and calibrate their tools before analysis begins. Double-tool verification is one way to confirm the integrity of results: if tool A finds artefact X at location Y, tool B should reproduce that result.
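The double-tool check described above, as an added Python example (not from the original guide or any named tool): “tool A” loads a whole image and searches it in one pass, “tool B” scans it as a stream of fixed-size chunks, and cross_verify reports any offsets that only one of them found. The constructed sample image and the byte string EVIDENCE standing in for an artefact are assumptions. The example also shows the classic way such a discrepancy arises: a streaming scanner that does not carry an overlap between chunks silently misses an artefact that straddles a chunk boundary.

```python
import re

# Constructed sample 'image': two copies of a marker string standing in for an
# artefact of interest, the first of which straddles a 16-byte chunk boundary.
SAMPLE_IMAGE = b"\x00" * 10 + b"EVIDENCE" + b"\xff" * 10 + b"EVIDENCE" + b"\x00" * 4
ARTIFACT = b"EVIDENCE"


def find_offsets_whole(data: bytes, needle: bytes) -> list:
    """'Tool A': search the whole image held in memory in one pass."""
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def find_offsets_chunked(data: bytes, needle: bytes, chunk_size: int, overlap: int) -> list:
    """'Tool B': stream the image in fixed-size chunks, carrying `overlap` bytes of
    the previous chunk forward so a pattern split across a boundary is still seen.
    With overlap=0 such a pattern is missed, which is the bug this check would catch."""
    offsets = []
    carry = b""
    carry_offset = 0  # image offset of carry[0]
    for start in range(0, len(data), chunk_size):
        buf = carry + data[start:start + chunk_size]
        idx = buf.find(needle)
        while idx != -1:
            offsets.append(carry_offset + idx)
            idx = buf.find(needle, idx + 1)
        carry = buf[-overlap:] if overlap else b""
        carry_offset += len(buf) - len(carry)
    return sorted(set(offsets))  # the overlap can surface the same hit twice


def cross_verify(data: bytes, needle: bytes, chunk_size: int = 16, overlap: int = 7) -> dict:
    """Run both tools and report where they disagree. For a needle of length n the
    streaming tool needs an overlap of at least n-1 bytes to be complete."""
    a = find_offsets_whole(data, needle)
    b = find_offsets_chunked(data, needle, chunk_size, overlap)
    return {
        "tool_a": a,
        "tool_b": b,
        "agree": a == b,
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
    }


if __name__ == "__main__":
    print(cross_verify(SAMPLE_IMAGE, ARTIFACT))             # both tools report [10, 28]
    print(cross_verify(SAMPLE_IMAGE, ARTIFACT, overlap=0))  # tool B reports nothing
```

The point of the exercise is the only_a and only_b lists: an empty pair is the evidence that the two independent methods agree, and a non-empty one tells the examiner exactly which finding needs a third look before it goes into a report.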

Presentation
This stage usually involves the examiner producing a structured report of their findings, addressing the points in the initial instructions along with any further instructions received. It also covers any other information the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader will be non-technical, and the terminology should reflect this. The examiner should also be prepared to attend meetings or telephone conferences to discuss and expand on the report.

Review
Along with the readiness stage, the review stage is often overlooked or disregarded, usually because of the perceived cost of doing work that is not billable or the desire to “get on with the next job”. Yet a review stage incorporated into every examination can save money and raise quality by making future examinations more efficient and time-effective. A review can be simple, quick and done during or after any of the stages. It may include a basic analysis of what went wrong, what went well and how the lessons learned can be fed back into future examinations. Feedback from the instructing party should also be sought, and any lessons learned applied to the next examination.

Issues facing computer forensics
Computer forensics examiners face three main kinds of issue: technical, legal and administrative.

Technical issues

Encryption – Encrypted files or hard drives can be impossible for investigators to read without the correct key or password. Examiners should bear in mind that the key or password may be stored elsewhere on the computer or on another computer the suspect has had access to. It may also reside in the volatile memory of a computer (RAM [6]), which is usually lost when the computer is shut down; this is another reason to consider live acquisition techniques, as described above.

Increasing storage space – Storage media hold ever greater amounts of data, so the examiner must have sufficient processing power and storage to search and analyse huge quantities of data efficiently.

New technologies – Computing is a constantly evolving field, with new hardware, software and operating systems emerging all the time. No single examiner can be an expert in every area, and they may be asked to analyse something they have not encountered before. To deal with this the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also useful, as someone else may already have met the same problem.

Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. It may include encryption, over-writing data to make it unrecoverable, modifying file metadata and file obfuscation (disguising files). As with encryption, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer the suspect has had access to. In our experience it is rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their own presence or the presence of the evidence they were used to hide.
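As an added example (not part of the original guide) tying the metadata point [3] to the anti-forensics issue just described, the following Python check compares the newest timestamp embedded inside a ZIP-based document (the container format of docx, xlsx and odt files) with the file system’s last-modified time. A document cannot legitimately carry an internal modification time later than the moment it was last written to disk, so such a mismatch marks the file for closer review. The sample documents are constructed in a temporary directory, and the check uses ZIP entry timestamps as a simple stand-in for the richer document properties real files carry; both are assumptions of this example.

```python
import os
import tempfile
import zipfile
from datetime import datetime, timedelta

ZIP_RESOLUTION = timedelta(seconds=2)  # ZIP stores entry times at two-second granularity


def embedded_newest_time(path):
    """Newest modification time recorded inside a ZIP container (local, naive)."""
    with zipfile.ZipFile(path) as zf:
        return max(datetime(*info.date_time) for info in zf.infolist())


def filesystem_mtime(path):
    """File system last-modified time, also local and naive so the two compare."""
    return datetime.fromtimestamp(os.stat(path).st_mtime)


def check_timestamp_consistency(path):
    """Flag a document whose embedded timestamps post-date its on-disk mtime.
    Either the file system time was set back or the internal one was edited;
    the check does not say which, it only marks the file for manual review."""
    embedded = embedded_newest_time(path)
    on_disk = filesystem_mtime(path)
    return {
        "embedded_newest": embedded,
        "filesystem_mtime": on_disk,
        "consistent": embedded <= on_disk + ZIP_RESOLUTION,
    }


def build_sample(path, embedded_time, backdate_to=None):
    """Constructed sample document (not a real case file) with a chosen internal
    timestamp; optionally its on-disk mtime is moved to an earlier moment so the
    fixture shows what a backdated file looks like to the check."""
    info = zipfile.ZipInfo("word/document.xml", date_time=embedded_time)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(info, "<w:document/>")
    if backdate_to is not None:
        stamp = backdate_to.timestamp()
        os.utime(path, (stamp, stamp))


def demo():
    """Return (consistent?, consistent?) for a plausible and a backdated sample."""
    workdir = tempfile.mkdtemp()
    plausible = os.path.join(workdir, "plausible.docx")
    build_sample(plausible, (2020, 3, 14, 9, 26, 52))
    suspicious = os.path.join(workdir, "suspicious.docx")
    build_sample(suspicious, (2020, 3, 14, 9, 26, 52), backdate_to=datetime(2019, 1, 1))
    return (
        check_timestamp_consistency(plausible)["consistent"],
        check_timestamp_consistency(suspicious)["consistent"],
    )


if __name__ == "__main__":
    print(demo())
```

Checks of this kind are cheap to run across a whole acquisition and give the examiner a shortlist rather than a verdict; the inconsistency still has to be explained, for example by clock changes or a restore from backup, before it is reported.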

Legal issues
Legal arguments may confuse or distract from a computer examiner’s findings. One example is the “Trojan Defence”. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose; Trojans have many uses, including key-logging [7], uploading and downloading files and installing viruses. A lawyer may argue that actions on a computer were not carried out by the user but were automated by a Trojan without the user’s knowledge, and such a defence has been used successfully even when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss the argument.

Administrative issues

Accepted standards – There are many standards and guidelines in computer forensics, few of which appear to be universally accepted. The reasons include standards being tied to specific legislation, standards aimed at either law enforcement or commercial forensics but not at both, the authors of the standards not being accepted by their peers, and high joining fees that discourage practitioners from participating.

Fitness to practise – In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in examinations of questionable quality and a negative view of the profession as a whole.

Resources and additional reading
There does not appear to be a great deal of material covering computer forensics that is aimed at a non-technical readership. The following links, listed at the bottom of the page, may be of interest:

Glossary
1. Hacking: modifying a computer in a way it was not originally intended, in order to benefit the hacker’s goals.
2. Denial-of-service attack: an attempt to prevent legitimate users of a computer system from accessing that system’s information or services.
3. Metadata: at its most basic, data about data. It can be embedded within files or stored externally in a separate file, and may contain information about the file’s author, format, creation date and so on.
4. Write blocker: a hardware device or software application that prevents any data from being modified or added to the storage medium being examined.
5. Bit copy: “bit” is a contraction of “binary digit”, the fundamental unit of computing. A bit copy is a sequential copy of every bit on a storage medium, including areas of the medium that are “invisible” to the user.
6. RAM: Random Access Memory, a computer’s temporary workspace. It is volatile, meaning its contents are lost when the computer is powered off.
7. Key-logging: the recording of keyboard input, which allows confidential information such as passwords and emails to be captured and analysed.