Computer forensics differs from data recovery, which is the recovery of electronic data after an event affecting the physical data, such as a hard drive crash. Computer forensics goes much further and can be used as a tool to
- determine the facts from your employee/client,
- discharge your duty to avoid destruction,
- obtain all relevant evidence from the opposing party like using a Request for Production of Documents, and
- determine whether computers were used as the instrumentality of a tort, crime, or violation of policy.
In response to pending litigation, analyzing your connected computers is an excellent way to discharge your duties to preserve evidence and avoid destruction. It also allows you to acquire all relevant information essential to your legal theories and strategies.
In litigation, an attorney must determine whether a Request for Production of Documents will obtain all relevant evidence. You might simply ask yourself whether you want to discover a part of the relevant information (i.e. that seen by your opponent’s operating system) or all of it (i.e. deleted, hidden, orphaned data, etc.). It is not unrealistic to believe that information that is helpful to a matter would be saved on a computer. At the same time, that which is harmful would be deleted, hidden, or rendered invisible. For example, in sexual harassment cases, it is not unusual to discover deleted emails and other data invisible to the operating system that significantly affects the case. Computer forensic analysis extracts all the emails, memos, and data that can be viewed with the operating system, as well as all invisible data. In many cases, the hidden data completely changes the nature of a claim or defence and ultimately effects settlement strategy.
In any situation in which one or more computers may have been misused, it is essential to call a forensic expert. Only a computer forensic investigator will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate use.
Computer forensics is a complex and often misunderstood practice. The examiner is presented with massive volumes of data, and forced to work within the constraints of computer processing capabilities. Contrary to prime time television shows, there is no “Magic” button, and there is no instant feedback. Proper computer investigation is a multi-step, time and labour-intensive process.
This article is designed as a primer on the computer forensics process and on what examiners generally go through to conduct an investigation. It is meant to provide a basic understanding of how a computer stores, accesses and processes data so that you, the client, have a more definite sense of the work and time necessary for a full and thorough forensics investigation. It is by no means complete, as every examination is different, and this is not designed to delve into every eventuality. For example, a malware or network compromise examination may be far more surgical in its approach, meaning that many time-intensive functions are not necessary. It is to be viewed and used as a guideline only. It is written starting from the point at which an examiner comes to be in receipt of the computer/hard drive/media in question, whether that be in the examiner’s lab or on-site, and consists basically of three phases: the Acquisition Phase, the Analysis Phase, and the Reporting Phase.
How long acquisition will take is an often asked question, because in some cases the window for acquisition is minimal, as in a situation where an employee will only be gone for a few hours, or the activity will disrupt some other work product. In all cases, this is an “it depends” answer. It depends on several factors that the examiner cannot control. It is dictated by things like the type of formatting on the subject drive, the rotational speed of the drive, data density and volume, drive interface and construction, and the tools used. In the case of using a hardware imaging device, a general rule of thumb would be 4-5 GB of data per minute to create the forensic image.
In practice, this means that a 320 GB hard drive will take roughly 70-80 minutes to image. A 1 terabyte hard drive will take approximately 3.5 to 4.5 hours to image. These are just imaging times. Immediately following the imaging process, a verification process has to be performed to ensure the integrity of the evidence collected. This takes roughly as long as the initial imaging phase and needs to be performed during the acquisition process.
In the case of an older hard drive or a problematic hard drive with structural problems, the imaging process may only happen at a rate of 1 GB per minute. During a live acquisition of a machine that cannot be turned off, the same rate (1 GB/min) can be expected. Hard drives in external enclosures that connect via USB must be dismantled (which can be destructive in some cases), or else their acquisition timeline will be increased.
Many times an examiner has shown up at a location only to find that the computer has more than one hard drive in it, or is a server with multiple drives in it. Obviously, this severely impacts the acquisition timeline, not to mention the cost.
Finally, during the acquisition phase, if it is a live acquisition, or the computer is found to be on when the examiner arrives, it is highly recommended that the computer’s RAM (Random Access Memory) be acquired. This again is dependent on the amount of RAM in the machine, but can take anywhere from a few minutes to more than an hour, and cannot be done concurrently with the hard drive acquisition process.
As you can see, from start to finish, the acquisition phase can take the better part of an entire day just by itself before any analysis is started!
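The imaging and verification steps described above, as an added example that is not part of the original article: a constructed “device” file is copied sector by sector to a raw image while a SHA-256 acquisition hash is computed, the image is then re-read and hashed to verify it, and a single corrupted byte is shown to fail that verification. The `estimate_minutes` helper applies the article’s own rule of thumb (imaging rate plus an equally long verification pass); the file names and sector sizes are assumptions.

```python
import hashlib
import os
import tempfile

SECTOR = 512                # read/write granularity, like a disk sector
CHUNK = SECTOR * 8          # bytes read per I/O call


def acquire_image(source_path, image_path):
    """Copy the source device to an image file while computing the
    acquisition hash; returns (bytes_copied, sha256_hex)."""
    h = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return copied, h.hexdigest()


def hash_file(path):
    """Second full pass over the image: this is the verification step."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, acquisition_hash):
    """True only if the image still hashes to the value recorded at acquisition."""
    return hash_file(image_path) == acquisition_hash


def estimate_minutes(size_gb, rate_gb_per_min=4.5, include_verify=True):
    """Timeline from the article's rule of thumb: imaging at the given rate,
    with verification taking roughly as long again."""
    imaging = size_gb / rate_gb_per_min
    return imaging * 2 if include_verify else imaging


def demo():
    """Image a constructed 'device', verify, corrupt one byte, verify again.
    Returns (bytes_imaged, verified_before_corruption, verified_after)."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "device.bin")   # assumed name
        image = os.path.join(workdir, "device.dd")     # raw dd-style image
        # Constructed device contents: 100 sectors of a repeating byte pattern
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 200)
        size, acq_hash = acquire_image(source, image)
        ok_before = verify_image(image, acq_hash)
        # Simulate a single flipped byte in the image (e.g. a faulty copy)
        with open(image, "r+b") as f:
            f.seek(SECTOR * 37)
            original = f.read(1)
            f.seek(SECTOR * 37)
            f.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify_image(image, acq_hash)
    return size, ok_before, ok_after


if __name__ == "__main__":
    print(demo())                        # (51200, True, False)
    print(round(estimate_minutes(320)))  # 320 GB: imaging plus verification
```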
Materials are seized as soon as illegal content is identified to prevent the destruction of evidence. If there is sufficient evidence of receipt or distribution of confirmation, a search warrant can be obtained. I was a Child Exploitation Investigation Coordinator, and I can say that in my experience, there have been numerous contacts with child pornography suspects during what has been referred to as a “knock and talk,” wherein people allowed a search that provided evidence of a felony violation. Once child porn is viewed, the computer is generally seized in place, and a warrant obtained if necessary. A forensic computer specialist then processes it, and all suspected material is reviewed and identified to the extent possible.
There is commonly a delay between the seizure of materials, generally computer data, and indictment. Forensic recovery of data takes time, since there are usually a limited number of technically trained investigators, and there can be numerous cases. Once recovered, materials have to be reviewed to identify suspected illegal images. There must be a determination as to the illegality of each image (i.e., the image of a minor posed as to appeal to prurient interests or engaged in a sexual act), which can involve identification of the individual depicted as a minor as the result of a previous investigation, or individually articulating and documenting the reason that the person depicted is a minor (possibly using the Tanner Scale for approximating the person’s age, based on the physical appearance of the genitalia, breasts, etc.). Just reviewing the thousands of images in a standard collection is time-consuming.
When an investigator finishes documentation of illegality, it is presented to a prosecutor, who may take the evidence to a grand jury. Then an indictment is issued for arrest.
These contacts were based on the fact that there was evidence that a particular IP address had received or sent child porn. The person apparently associated with a suspect IP address was under no obligation to allow a search, but they did in many cases.
One such report of suspicion of receipt or distribution of child porn by a Deputy Sheriff was referred to the Sheriff’s Office for investigation. They reported that interviews of two step-daughters of the Deputy indicated that the Deputy had molested them. Another suspect allowed such a search and was later found to have molested his grandchildren. He apparently killed himself prior to sentencing by kicking a jack from beneath his car and crushing himself.
Another case involved a plainclothes investigator Deputy Constable (Texas peace officer), whom I confronted in the office of his supervisor regarding the evidence. He requested to speak to me alone, so we chatted in the parking lot adjacent to the Constable’s office (for some reason, without me relieving him of his weapon). Since he was not in custody, I allowed him to talk while he paced back and forth and confessed to his having progressed from legal teen porn to child porn, and how he was engaged to be married to a woman with two daughters. Then he allowed me to accompany him to his home to search for his computer. Once I sat down at the computer, he decided to withdraw consent; however, I consulted with an Assistant US Attorney, and he confirmed that sufficient probable cause had been identified to obtain a search warrant. When the Deputy Constable was advised of this, while in the company of his mother, he voluntarily surrendered his computer for forensic analysis, leading to the recovery of child porn.
When the company Enron declared bankruptcy in December 2001, hundreds of employees were left jobless while some executives seemed to benefit from the company’s collapse. The United States Congress decided to investigate after hearing allegations of corporate misconduct. Much of Congress’ investigation relied on computer files as evidence. A specialized detective force began to search through hundreds of Enron employee computers using computer forensics.
The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence for a trial. Many of the techniques detectives use in crime scene investigations have digital counterparts, but there are also some unique aspects to computer investigations.
For example, just opening a computer file changes the file — the computer records the time and date it was accessed on the data itself. If detectives seize a computer and then start opening files, there’s no way to tell for sure that they didn’t change anything. Lawyers can contest the validity of the evidence when the case goes to court.
Some people say that using digital information as evidence is a bad idea. If it’s easy to change computer data, how can it be used as reliable evidence? Many countries allow computer evidence in trials, but that could change if digital evidence proves untrustworthy in future cases.
Computers are getting more powerful, so the field of computer forensics must continuously evolve. In the early days of computers, a single detective could sort through files because storage capacity was so low. Today, with hard drives capable of holding gigabytes and even terabytes of data, that’s a daunting task. Detectives must discover new ways to search for evidence without dedicating too many resources to the process.
What are the basics of computer forensics? What can investigators look for, and where do they look? Find out in the next section.
Computer Forensics is the analysis of information contained within and created with computer systems, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved. This being said, computer forensic techniques and methodologies are used for conducting investigations – again, in the interest of figuring out what happened, when it happened, how it happened, and who was involved.
During a typical digital investigation, a certified forensics investigator will:
- First, clearly determine the purpose and objective of the examination. Then they will take several careful steps to identify and extract all relevant data on a subject’s computer system. Forensic analysis will obtain the information that can be viewed by the operating system, as well as data invisible to the operating system.
- Image, protect and preserve the evidence during the forensic examination from any possible alteration, damage, data corruption, or virus introduction, ensuring the evidence is not damaged, tainted or in any other way rendered inadmissible in court.
- Use forensically sound protocols at all times during the investigation to ensure the information obtained is admissible in court. It must be assumed that every case/situation could end up in the legal system. If your computer forensics examiner doesn’t make that assumption, find someone else.
- Address the legal issues at hand in dealing with electronic evidence, such as relevant case law, how to navigate the discovery process, protection of privilege, and in general, working and communicating with attorneys and other professionals involved in the case.
- Discover all files on the subject’s system. This includes existing active files and invisible files: deleted yet remaining files, hidden files, password-protected files, and encrypted files. In many cases, information is gathered during a computer forensics investigation that is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the space allocated for existing files – known by computer forensic practitioners as slack space. Special skills and tools are needed to obtain this type of information or evidence, but it is often a treasure trove of relevant information.
In computer forensics, there are three types of data that we are concerned with – active, archival, and latent.
Active data is the information that can be readily seen, like data files, programs, and files used by the operating system. This is the most accessible type of data to obtain.
Archival data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, digital storage devices, or entire hard drives, to cite a few examples.
Latent (also called ambient) data is the information one typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten.
When it comes to digital evidence, getting a certified computer forensic examiner involved early will increase the chances of recovering all deleted files and other data which has not yet been overwritten. As a computer is used, the operating system is regularly writing data to the hard drive. From time to time, the operating system will save new data on a hard drive by overwriting data resident on the drive but no longer needed by the operating system. A deleted file, for example, will remain resident on a hard drive until the operating system overwrites all or some of the data. Thus, in order to preserve as much relevant data as possible on a computer system, you must acquire the relevant computers as soon as possible. The on-going use of a computer system may destroy data that could have been extracted before being overwritten. Fortunately, the costs of acquisition are very reasonable, and the process is not disruptive.
A skilled forensic examiner will analyze all possibly relevant data found, including in special (and typically inaccessible) areas of a disk. This includes unallocated space on a drive (currently unused, but possibly still a repository of previous data that may potentially be relevant), as well as “slack” space in a file (the remaining space at the end of a file) which is another possible site for previously created and relevant evidence.
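The mechanism behind deleted-but-recoverable data, unallocated space and file slack, as an added example that is not part of the original article: a toy cluster-based volume (an assumption, simplified from any real file system) where deleting a file only releases its clusters, a later smaller file reuses the first cluster without clearing its tail, and a keyword carve over the new file’s slack and the unallocated clusters still turns up the deleted memo that the “operating system view” no longer shows.

```python
CLUSTER = 512   # assumed allocation unit for the toy volume


class ToyVolume:
    """Minimal volume: a byte array of clusters, a free map and a directory."""

    def __init__(self, clusters):
        self.disk = bytearray(CLUSTER * clusters)
        self.free = [True] * clusters
        self.directory = {}   # name -> (first_cluster, size) for active files

    def write_file(self, name, data):
        n = -(-len(data) // CLUSTER)      # clusters needed (ceiling division)
        for start in range(len(self.free) - n + 1):
            if all(self.free[start:start + n]):
                break
        else:
            raise OSError("volume full")
        # Copy the data in. The tail of the last cluster is NOT cleared, so
        # whatever was there before remains as this file's slack space.
        off = start * CLUSTER
        self.disk[off:off + len(data)] = data
        for c in range(start, start + n):
            self.free[c] = False
        self.directory[name] = (start, len(data))

    def delete_file(self, name):
        # Deletion only releases the clusters; their contents stay until reused.
        start, size = self.directory.pop(name)
        for c in range(start, start - (-size // CLUSTER)):
            self.free[c] = True

    def read_file(self, name):
        """What the operating system shows: exactly the file's own bytes."""
        start, size = self.directory[name]
        return bytes(self.disk[start * CLUSTER:start * CLUSTER + size])

    def file_slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        start, size = self.directory[name]
        end = (start - (-size // CLUSTER)) * CLUSTER
        return bytes(self.disk[start * CLUSTER + size:end])

    def unallocated(self):
        """Every cluster the free map says is unused, concatenated."""
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, is_free in enumerate(self.free) if is_free)


def carve(blob, keyword):
    """Simplest possible carving: offsets of every keyword hit in raw bytes."""
    hits, i = [], blob.find(keyword)
    while i != -1:
        hits.append(i)
        i = blob.find(keyword, i + 1)
    return hits


def demo():
    """Returns (hits in active file, hits in its slack, hits in unallocated)."""
    vol = ToyVolume(8)
    memo = b"MEMO: shred the Q3 numbers before audit. " * 30   # constructed, 1230 B
    vol.write_file("memo.txt", memo)
    vol.delete_file("memo.txt")                        # OS view: file is gone
    vol.write_file("notes.txt", b"harmless notes")     # reuses part of cluster 0
    return (len(carve(vol.read_file("notes.txt"), b"MEMO")),
            len(carve(vol.file_slack("notes.txt"), b"MEMO")),
            len(carve(vol.unallocated(), b"MEMO")))
```

Continued use of the volume (more writes) would overwrite those clusters, which is why the text urges acquiring the machine as early as possible.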
When the analysis is completed, the forensic examiner will provide a report analysis of the computer system, as well as provide you with a copy of all relevant data, parsed, formatted and arranged to be integrated into your legal theories and strategies.
GDF’s analysis and investigation work are performed using the highest levels of forensic scrutiny, always following proven judicial procedures and using only open and verifiable programming techniques. Our methodologies are transparent – we encourage the court and opposing sides to dissect our work because we stand behind its admissibility 100%. We use NO PROPRIETARY or secret methods or programs when doing our analysis. Instead, we use our programming skills to build tools and software specifically for the task at hand. And of course, we always fully document everything and open our work to scrutiny by all parties involved.
How Digital Devices are Collected
On the scene: As anyone who has dropped a cell phone in a lake or had their computer damaged in a move or a thunderstorm knows, digitally stored information is fragile and easily lost. There are general best practices, developed by organizations like SWGDE and NIJ, to properly seize devices and computers. Once the scene has been secured, and legal authority to take the evidence has been confirmed, devices can be collected. Any passwords, codes or PINs should be gathered from the individuals involved, if possible, and associated chargers, cables, peripherals, and manuals should be collected. Thumb drives, cell phones, hard drives and the like are examined using different tools and techniques, and this is most often done in a specialized laboratory.
First responders need to take special care with digital devices in addition to standard evidence collection procedures to prevent exposure to things like extreme temperatures, static electricity and moisture.
Seizing Mobile Devices
- Devices should be turned off immediately and batteries removed, if possible. Turning off the phone preserves cell tower location information and call logs, and prevents the phone from being used, which could change the data on the phone. Besides, if the device remains on, remote destruction commands could be used without the investigator’s knowledge. Some phones have an automatic timer to turn on the phone for updates, which could compromise data, so battery removal is optimal.
- If the device cannot be turned off, then it must be isolated from its cell tower by placing it in a Faraday bag or other blocking material, set to aeroplane mode, or the Wi-Fi, Bluetooth or other communications system must be disabled. Digital devices should be placed in antistatic packaging such as paper bags or envelopes and cardboard boxes. Plastic should be avoided as it can convey static electricity or allow a buildup of condensation or humidity.
This is usually the longest phase in the process, although depending on findings, the Reporting Phase can actually take longer.
Much of the activity performed in this phase is predicated on what the case parameters are. Understand that there are also a great many tools at a skilled examiner’s disposal with which to perform tasks. This paper attempts to be tool-agnostic and speak merely to the process, and not the specific techniques or tools.
To better understand what the examiner faces, it behoves a potential client to have a basic understanding of how an operating system works. This paper is focused on the Windows operating system, but generally speaking, the process applies to any operating system. The purpose of this paper is not to adequately train the reader in the technical functionality of Windows, but rather to understand some of its complexities. For that reason, it is not necessarily essential to understand the terminologies or data repositories, but rather be aware of the volumes of information that get parsed that the average client may not be aware of.
Windows by itself is a complicated and highly technical living beast. Add to this the fact that there are basically two types of Windows (32 bit and 64 bit; functioning in vastly different ways), and multiple versions of each type (Windows 7 Home, Windows 7 Professional, Windows 7 Ultimate, etc.), not to mention different packages of Windows (Windows 95, 98, XP, 2000, Vista, 7, 8, etc.). As if that weren’t enough, consider the vagaries of all the different programs (and their types and versions) that a user may install, and it becomes easy to see why a computer forensic examination is a highly complex undertaking. And these are only the parts that an average user sees and knows about.
Generally speaking, Windows contents (system only, not considering user data) can be classified as Visible and Hidden. Although these two areas don’t specifically contain user-created data, they DO contain a vast amount of data ABOUT a user, their activities, preferences, and habits. These areas provide as much or more data relevant to an investigation than the user files themselves. For example, the fact that a user-created Word Document exists is not always that important, because the client usually already knows about it. It is the “under the hood” workings that tell the examiner about the file, such as the “who”, “what”, “when”, “where”, “how”, and sometimes even “why”. For the most part, this data is not visible (or even known about) by the average user.
Exploiting data in the laboratory: Once the digital evidence has been sent to the laboratory, a qualified analyst will take the following steps to retrieve and analyze data:
- Prevent contamination: It is easy to understand cross-contamination in a DNA laboratory or at the crime scene, but digital evidence has similar issues which must be prevented by the collection officer. Prior to analyzing digital evidence, an image or working copy of the original storage device is created. When collecting data from a suspect device, the data must be stored on another form of media to keep the original pristine. Analysts must use “clean” storage media to prevent contamination or the introduction of data from another source. For example, if the analyst were to put a copy of the suspect device on a CD that already contained information, that information might be analyzed as though it had been on the suspect device. Although digital storage media such as thumb drives and data cards are reusable, simply erasing the data and replacing it with new evidence is not sufficient. The destination storage unit must be new or, if reused, it must be forensically “wiped” before use. This removes all content, known and unknown, from the media.
- Isolate Wireless Devices: Cell phones and other wireless devices should be initially examined in an isolation chamber, if available. This prevents connection to any networks and keeps evidence as pristine as possible. The Faraday bag can be opened inside the chamber, and the device can be exploited, including phone information, Federal Communications Commission (FCC) information, SIM cards, etc. The device can be connected to analysis software from within the chamber. If an agency does not have an isolation chamber, investigators will typically place the device in a Faraday bag and switch the phone to aeroplane mode to prevent reception.
- Install write-blocking software: To prevent any change to the data on the device or media, the analyst will install a block on the working copy so that data may be viewed, but nothing can be changed or added.
- Select extraction methods: Once the working copy is created, the analyst will determine the make and model of the device and select extraction software designed to most completely “parse the data,” or view its contents.
- Submit a device or original media for traditional evidence examination: When the data has been removed, the device is sent back into evidence. There may be DNA, trace, fingerprint, or other evidence that may be obtained from it and the digital analyst can now work without it. Learn more about DNA, trace evidence, or fingerprints.
- Proceed with the investigation: At this point, the analyst will use the selected software to view data. The analyst will be able to see all the files on the drive, can see if areas are hidden and may even be able to restore the organization of files, allowing hidden areas to be viewed. Deleted files are also visible, as long as new data hasn’t overwritten them. Partially deleted files can be of value as well.
Files on a computer or other device are not the only evidence that can be gathered. The analyst may have to work beyond the hardware to find evidence that resides on the Internet, including chat rooms, instant messaging, websites and other networks of participants or information. By using the system of Internet addresses, email header information, timestamps on messaging and other encrypted data, the analyst can piece together strings of interactions that provide a picture of activity.