Introduction
Computer forensics is the practice of collecting, analysing and reporting on digital information in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.
About this guide
This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not written with a bias towards either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term "computer", but the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons Attribution Non-Commercial 3.0 license.
Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a 'scene of a crime', for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the 'meta-data' [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.
More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:
- Intellectual Property theft
- Industrial espionage
- Employment disputes
- Fraud investigations
- Forgeries
- Matrimonial issues
- Bankruptcy investigations
- Inappropriate email and internet use in the work place
- Regulatory compliance
Guidelines
For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner's mind. One set of guidelines which has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever legislature. The four main principles from this guide have been reproduced below (with references to law enforcement removed):
1. No action should change data held on a computer or storage media which may be subsequently relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
In summary, no changes should be made to the original; however, if access or changes are necessary, the examiner must know what they are doing and record their actions.
Live acquisition
Principle 2 above may raise the question: in what situation would changes to a suspect's computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device which is turned off. A write-blocker [4] would be used to make an exact bit-for-bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.
However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence may be lost. In both these circumstances the computer forensic examiner would need to carry out a 'live acquisition', which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner's hard drive.
By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain them.
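The two ideas the Guidelines and this section rest on, a copy that can be shown to match the original bit for bit (principle 1) and a record of every process applied that a third party can re-run to the same result (principle 3), are easy to see in a small program. The following is an added illustration written for this page, not code from the ACPO Guide or from any forensic tool; the "storage medium" is a constructed byte string standing in for a disk, the examiner name is a placeholder, and the read-only block copy stands in for imaging through a write-blocker.

```python
"""Illustration of ACPO principles 1 and 3 applied to a forensic image:
verify that the acquired copy hashes identically to the original, and keep an
audit trail that an independent party can re-check. Added example, not part of
the original guide."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample "storage medium": 1 KiB of bytes standing in for a disk.
ORIGINAL_MEDIUM = bytes(range(256)) * 4


def acquire(medium: bytes, block_size: int = 64) -> bytes:
    """Copy the medium block by block, reading only and never writing back,
    the software analogue of imaging through a write-blocker."""
    out = bytearray()
    for offset in range(0, len(medium), block_size):
        out += medium[offset:offset + block_size]
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash used as the fingerprint of original and image."""
    return hashlib.sha256(data).hexdigest()


def verify_image(original: bytes, image: bytes) -> bool:
    """Principle 1: the image is only acceptable if its size and hash match
    the original exactly."""
    return len(original) == len(image) and sha256_hex(original) == sha256_hex(image)


def audit_entry(action: str, examiner: str, **details) -> Dict:
    """Principle 3: every process applied to the evidence gets a timestamped,
    attributable record."""
    return {"time": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner, "action": action, **details}


def acquire_with_audit(medium: bytes, examiner: str) -> Tuple[bytes, List[Dict]]:
    """Hash the original, image it, hash the image, and verify, logging each step."""
    log: List[Dict] = []
    log.append(audit_entry("hash original", examiner,
                           sha256=sha256_hex(medium), size=len(medium)))
    image = acquire(medium)
    log.append(audit_entry("acquire image", examiner,
                           sha256=sha256_hex(image), size=len(image)))
    log.append(audit_entry("verify image", examiner,
                           matches_original=verify_image(medium, image)))
    return image, log


def reverify(image: bytes, log: List[Dict]) -> bool:
    """What an independent third party does later: recompute the image hash
    and compare it with the value recorded in the audit trail at acquisition."""
    recorded = next(e["sha256"] for e in log if e["action"] == "acquire image")
    return sha256_hex(image) == recorded


if __name__ == "__main__":
    image, log = acquire_with_audit(ORIGINAL_MEDIUM, examiner="examiner-A (placeholder)")
    print(json.dumps(log, indent=2))
    print("third-party re-verification:", reverify(image, log))
    # Flip a single bit in the image: the recorded hash no longer matches.
    tampered = bytearray(image)
    tampered[10] ^= 0x01
    print("tampered image re-verification:", reverify(bytes(tampered), log))
```

The point of the tampered case is that a one-bit change anywhere in the image is caught by comparing against the hash recorded at acquisition, which is why the hash values belong in the audit trail and not only in the examiner's notes. A live acquisition changes the running system, so the same record would also have to name the program run and the destination drive attached, which is what makes those changes explainable in court.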
Stages of an examination
For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.