Computer Forensics Definition
Techopedia defines computer forensics as “the process of uncovering and interpreting electronic data”. The main goal of this process is to “preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events”.
In other words, digital forensics is a branch of the same old forensic science that you know from old crime TV shows. You know how they usually go: a horrendous murder is committed. Police officers arrive at the scene with the chief investigator leading the pack in his Ford Galaxie 500. As soon as they step out their vehicles, somebody yells “Don’t touch anything! We need every piece of evidence we can find”.
Back in the day, such evidence would often be someone’s diary or a fingerprint on a glass of water. These days, it’s digital metadata, log files, IP addresses, and leftover chunks of ones and zeros. Some of the very first digital crimes can be traced back to the late 1970s and early 1980s. In those days, computer security and privacy were the subjects of interest to only a very small group of geeks and innovators.
A major turning point occurred in 1978, with the 1978 Florida Computer Crimes Act, which recognized the first computer crimes in the United States and included legislation against unauthorized deletion or modification of computer data. Other acts, such as the US Federal Computer Fraud and Abuse Act of 1986 and the British Computer Misuse Act of 1990, followed soon after that.
Before the arrival of the new millennium, the discussion still revolved mostly around recognizing computer crimes as serious threats to personal, organizational, and national security. Since 2000, a new need for standardization arose, leading to the production of “Best practices for Computer Forensics” and the publication of ISO 17025 by the Scientific Working Group on Digital Evidence (SWGDE).
These standards and guides helped established a set of best practices for computer forensic specialists to follow and ignited computer forensics companies to produce capable forensic data recovery software solutions that would be able to meet the complex demands of the modern age.
The typical forensic process has several distinct stages: the seizure, forensic acquisition, analysis, and the production of a report based on the collected data. There are special free forensic software tools as well as paid forensic tools for each stage. A list of digital forensics tools can be found later in this article.
Sub-Branches of Computer Forensics
Computer forensic specialists either deal with the private or the public sector. With the public sector, their work is usually to support or refute a hypothesis before criminal or civil courts. The bread and butter of private sector forensic investigators are corporate investigations and intrusion investigations.
As the complexity of modern technology increases, computer forensic specialists often focus on one or a number of sub-branches of digital forensics, to gain expert-level knowledge. Digital forensics is typically divided according to the type of devices involved. The major branches are computer forensics, mobile device forensics, network forensics, forensic data analysis, and database forensics.
The one branch that has seen the most growth over the past few years is mobile device forensics. As people replace laptops and desktop computers with smartphones and tablets, the need for cell phone forensic software capable of forensic cell phone data recovery rises dramatically.
Computer Forensic Tools and Equipment
To describe some of many computer forensic tools used by computer forensic investigators and specialists, let’s imagine a crime scene involving child pornography stored on a personal computer. In most cases, investigators would first remove the PC’s HDD and attach with a hardware write blocking device. Such device makes this completely impossible to alter the content of the HDD in any way while allowing investigators to capture and preview the content of the disk.
A bit-accurate copy of the disk can be made with a variety of specialized tools. There are large digital forensics frameworks and software solutions, alongside countless smaller utilities. The former group includes Digital Forensics Framework, Open Computer Forensics Architecture, CAINE (Computer Aided Investigative Environment), X-Ways Forensics, SANS Investigative Forensics Toolkit (SIFT), EnCase, The Sleuth Kit, Llibforensics, Volatility, The Coroner’s Toolkit, Oxygen Forensic Suite, Computer Online Forensic Evidence Extractor (COFEE), HELIX3, or Cellebrite UFED.
These large software solutions and forensic suites include a wide range of forensic data services in a single package. However, many professional forensic specialists prefer to build their own customized toolboxes from individual tools and utilities that exactly fit their needs and preferences. The options are plentiful for every stage of the forensic data recovery process, including hard drive forensics and file system forensic analysis.
Data capture can be done with the help of EnCase Forensic Imager, FTK Imager, Live RAM Capturer, or Disk2vhd from Microsoft. Emails are analyzed with tools such as EDB Viewer, Mail Viewer, or MBOX Viewer. Some tools are made specifically to target certain operating systems, while others support multiple platforms. Popular tools for Mac OS X include Disk Arbitrator, Volafox, and ChainBreaker, which parses keychain structure and extracts user’s information. Needless to say that no forensic analyst can be without a sizable assortment of internet analysis tools, including Dumpzilla from Busindre, Chrome Session Parser, IEPassView, OperaPassView, and Web Page Saver from Magnet Forensics.
Features of Professional Forensic Tools
Features of professional forensic tools vary greatly depending on what aspect of forensic analysis they target and what market they are aimed at. Generally, large forensic software suites have to be able to do the following:
- Support hashing of all files, which allows comparative filtering
- Full disk hashing to be able to confirm that the data has not changed (typically one tool is used to acquire and another is used to confirm the disk hash)
- Exact pathway locators
- Clear time and date stamps
- Have to include an acquisition feature
- Search and filtering of items
- The ability to load iOS backups and parse their data
Compared to law enforcement agencies, corporations are usually not concerned with volatile RAM captures. They want to acquire the evidence for private investigation and/or turn over to Law Enforcement. They are also usually not interested in previewing ability.
Major Forensic Software Providers
The field of forensic software analysis is filled with forward-thinking innovators and prolific, existing software companies that are ready to expand their operation. Large forensic software providers tend to appear at large industry gatherings, such as the High Tech Crime Investigation Association Conference, but there are many of these conferences across North America.
No comments:
Post a Comment