Created: April
Updated: Sept 19, 2003
Author: Steve Hailey
At a basic level, computer forensics is the analysis
of information contained within and created with computer
systems and computing devices, typically in the interest
of figuring out what happened, when it happened, how
it happened, and who was involved.
This can be for the purpose of performing a root
cause analysis of a computer system that had failed
or is not operating properly, or to find out who is
responsible for misuse of computer systems, or perhaps
who committed a crime using a computer system or against
a computer system. This being said, computer forensic
techniques and methodologies are commonly used for
conducting computing investigations - again, in the
interest of figuring out what happened, when it happened,
how it happened, and who was involved.
Think about a murder case or a case of financial
fraud. What do the investigators involved in these
cases need to ascertain? What happened, when did it
happen, how did it happen, and who was involved.
In many cases, information is gathered during a computer
forensics investigation that is not typically available
or viewable by the average computer user, such as
deleted files and fragments of data that can be found
in the space allocated for existing files - known
by computer forensic practitioners as slack space.
Special skills and tools are needed to obtain this
type of information or evidence. Think of a case where
the specific firearm that fired a bullet needs to
be identified. This information could not be readily
ascertained by just any member of law enforcement,
so a ballistics professional with special skills and
tools is needed.
The more technical definition we use at CyberSecurity
Institute to describe computer forensics or forensic
computing in the vein of computer crime or computer
misuse is as follows:
The preservation, identification,
extraction, interpretation, and documentation of computer
evidence, to include the rules of evidence, legal
processes, integrity of evidence, factual reporting
of the information found, and providing expert opinion
in a court of law or other legal and/or administrative
proceeding as to what was found.
Let's break this definition down.
Preservation
When performing a computer forensics analysis, we
must do everything possible to preserve the original
media and data. Typically this involves making a forensic
image or forensic copy of the original media, and
conducting our analysis on the copy versus the original.
Identification
In the initial phase, this has to do with identifying
the possible containers of computer-related evidence,
such as hard drives, floppy disks, and log files to
name a few. Understand that a computer or hard drive
itself is not evidence - it is a possible container
In the analysis phase, this has to do with identifying
the information and data that is actually pertinent
to the situation at hand. This means sifting through gigabytes
of information, conducting keyword searches, looking
through log files, and so on.
Extraction
Any evidence found relevant to the situation at hand
will need to be extracted from the working copy media
and then typically saved to another form of media
as well as printed out.
Interpretation
This is a biggie. Understand that just about anyone
can perform a computer forensics "analysis."
Some of the GUI tools available make it extremely
easy. Being able to find evidence is one thing, the
ability to properly interpret it is another story.
Entire books could be written citing examples of when
computer forensics experts misinterpreted the results
of a forensic analysis. We'll cite one example.
The experts for the prosecution in a case used a
popular GUI tool that came with a script for finding
Internet search engine activity. When they ran the
script, they found literally hundreds and hundreds
of "searches" that supposedly had been conducted
by the defendant. Therefore, the defendant had intentionally
accessed certain types of information related to these
searches - the searches showed intent.
When the experts for the defense examined the same
evidence, they realized that each and every one of
these "searches" was actually a hyperlink
and not a search at all. The hyperlinks were formed
in such a way that when a link was clicked, a database
was searched to pull up the most current information
related to the link. The way that the links within
the page were formed was what the GUI tool homed in
on, as they were formed similarly to fragments and
Web pages that could be found to indicate search engine
The experts for the prosecution took for granted
that their automated tool was accounting for any variables,
and would only show them searches that had actually
been conducted. A big mistake. These experts lacked
the technical skills to authenticate their results,
so they depended entirely on a single automated tool.
This leads to a very important lesson. Results from
any tool should always be thoroughly checked by someone
versed in the underlying technology to see if what
appears to be a duck is actually a duck.
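The kind of re-check described above, as an added example that is not code from the original article: a constructed browser-history sample is run through a signature of the sort a generic "search engine activity" script might use, and then through an examiner's check that asks whether each hit is really a submitted search or a hyperlink that merely carries a query string. The hosts, URLs, referrers and the signature itself are all assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption: hosts the examiner has independently confirmed to be search engines.
KNOWN_SEARCH_ENGINES = {"search.example.test"}
# The kind of signature a generic script might use: any q=/query=/search= parameter.
TOOL_SIGNATURE = re.compile(r"[?&](q|query|search)=", re.IGNORECASE)
# Constructed history records (visited URL, referring page); not real data.
HISTORY = [
    ("http://search.example.test/search?q=hiking+boots", ""),
    ("http://catalog.example.test/item?q=BOOT-778", "http://catalog.example.test/list"),
    ("http://catalog.example.test/item?q=BOOT-779", "http://catalog.example.test/list"),
    ("http://news.example.test/lookup?search=42", "http://news.example.test/"),
    ("http://blog.example.test/post/12", ""),
]

def tool_hits(history):
    """What the automated script reports: every URL matching its signature."""
    return [url for url, _ in history if TOOL_SIGNATURE.search(url)]

def classify(url, referrer):
    """Examiner's check: a user-submitted search, or a hyperlink that merely
    carries a query string? Returns (verdict, reason) so the reason can be documented."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    term = next((v[0] for k, v in params.items()
                 if k.lower() in ("q", "query", "search")), None)
    if term is None:
        return "not a search", "no search parameter in the URL"
    if parsed.hostname not in KNOWN_SEARCH_ENGINES:
        origin = f" reached from {referrer}" if referrer else ""
        return "not a search", (f"{parsed.hostname} is not a search engine; "
                                f"a link carrying '{term}' in its query string{origin}")
    return "search", f"query '{term}' submitted to {parsed.hostname}"

def verified_hits(history):
    """Only the tool's hits that survive the examiner's check, with the reason kept."""
    verified = []
    for url, referrer in history:
        verdict, reason = classify(url, referrer)
        if verdict == "search":
            verified.append((url, reason))
    return verified

if __name__ == "__main__":
    print(len(tool_hits(HISTORY)), "hits reported by the tool")
    for url, reason in verified_hits(HISTORY):
        print("confirmed:", url, "->", reason)
```

On this sample the signature reports four "searches" while only one survives the check; the rejected three are catalogue and database lookups reached by clicking links, which is exactly the misreading the case above describes.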
In the very same case, the experts for the defense
recovered reams of email that the prosecution experts
did not find. This was due to the fact that the prosecution
experts simply did not know how to find it.
It is interesting to note that both the experts for
the defense and the prosecution used the same primary
tool in their analysis. The differences in what was
found by one side versus the other, as well as the
differences in interpretation, were due to the experience
and education levels of the experts - it had nothing
to do with the tool being used.
Documentation
Documentation needs to be kept from beginning to end,
as soon as you become involved in a case. This includes
what is commonly referred to as a chain of custody
form, as well as documentation pertinent to what you
do during your analysis. We cannot overemphasize the
importance of documentation. When involved in a situation
where you are conducting a computer forensics analysis,
we recommend that you establish and keep the mindset
that the case or situation is going to end up in court.
This will go a long way in helping you to make sure
that you are keeping the appropriate documentation.
Take for granted that you will be questioned on every
aspect of the case, and everything that you do.
Rules of Evidence
There are various tests that courts can apply to the
methodology and testimony of an expert in order to
determine admissibility, reliability, and relevancy.
The particular test(s) used will vary from state to
state and even from court to court within the same
state. Commonly, you will hear about the Frye test
and the Daubert test. You need to be aware of the
Rules of Evidence for your locale and situation. Your
best bet is to ask legal counsel about any Rules of
Evidence that you need to be aware of pertinent to
the situation, and familiarize yourself with this
information early on.
We recommend that you find and read the Federal
Rules of Evidence on the Internet, and conduct searches
using the terms "daubert test" and "frye
test" as keywords.
Legal Processes
This has to do with the processes and procedures for
search warrants, depositions, hearings, trials, and
discovery just to name a few.
This can also be related to processes relevant to
your employer, as well as conducting computing investigations
internally for your employer.
If you are conducting computing investigations for
your employer, the best advice we can offer is to
work as closely as possible with legal counsel and
those in your Human Resources department before and
during a computing investigation. You'll not know
everything you need to know when you start working
in this field - it is a learning process.
Integrity of Evidence
This has to do with keeping control over everything
related to the case or situation. We are talking about
establishing and keeping a chain of custody, as well
as making sure that you do not alter or change the
original media. Nor may you discuss the specifics of
the case or situation with people who are not
involved.
Factual Reporting of the Information
Your findings and reports need to be based on proven
techniques and methodology, and you as well as any
other competent forensic examiner should be able to
duplicate and reproduce the results.
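Preservation, integrity of evidence and reproducible results all rest on being able to show that the working copy is identical to the original media and that every handling step was recorded. The following is an added example, not code from the article or from the CyberSecurity Institute: the original media is simulated as a byte string, SHA-256 is the assumed fingerprint (the article names no particular hash), and the chain-of-custody form is modelled as a list of log entries.

```python
import hashlib
from datetime import datetime, timezone

def sha256(data):
    """Hex digest used as the evidence fingerprint (assumption: SHA-256)."""
    return hashlib.sha256(data).hexdigest()

def custody_entry(log, examiner, action, **details):
    """Append one chain-of-custody record: who did what, when, and the hashes involved."""
    entry = {"seq": len(log) + 1,
             "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "examiner": examiner, "action": action, **details}
    log.append(entry)
    return entry

def acquire(source, examiner, log):
    """Make the working copy, hash original and copy, and refuse to proceed
    unless they match. `source` stands in for the original media (constructed)."""
    original_hash = sha256(source)
    copy = bytes(source)  # simulated imaging; a real acquisition reads through a write blocker
    copy_hash = sha256(copy)
    custody_entry(log, examiner, "acquire", original_sha256=original_hash,
                  copy_sha256=copy_hash, verified=original_hash == copy_hash)
    if original_hash != copy_hash:
        raise RuntimeError("working copy does not match original media")
    return copy

def verify(copy, examiner, log):
    """Re-hash the working copy against the value recorded at acquisition. Run it
    before and after analysis so any alteration of the copy is caught and logged."""
    recorded = next(e["copy_sha256"] for e in log if e["action"] == "acquire")
    current = sha256(copy)
    ok = current == recorded
    custody_entry(log, examiner, "verify", expected_sha256=recorded,
                  observed_sha256=current, result="match" if ok else "MISMATCH")
    return ok

def custody_report(log):
    """Plain-text rendering of the log for the case file."""
    lines = []
    for e in log:
        extra = ", ".join(f"{k}={v}" for k, v in e.items()
                          if k not in ("seq", "time", "examiner", "action"))
        lines.append(f"{e['seq']:>3} {e['time']} {e['examiner']}: {e['action']} ({extra})")
    return "\n".join(lines)

if __name__ == "__main__":
    log = []
    media = b"constructed sample of original media contents"
    working = acquire(media, "S. Examiner", log)
    verify(working, "S. Examiner", log)
    verify(working + b"\x00", "S. Examiner", log)  # an altered copy is detected and logged
    print(custody_report(log))
```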
Providing Expert Opinion
You may have to testify or relate your findings and
opinions about your findings in a court of law or
other type of legal or administrative proceeding.
Two Primary Types of Computer Forensics
Computer forensics techniques and methodology are
used in two primary types of investigations. The first
is when the computer(s) was/were used as an instrument
to commit a crime or involved in some other type of
The second is when the computer is used as the target
of a crime - hacked into and information stolen for
example. When computer forensics techniques and methodology
are used in this situation to figure out what happened,
we typically call this incident response.
In the first type of investigation, you may or may
not be present when the computing device is shut down
to begin an investigation. You may have hard drives
and other media delivered to you to analyze.
In the second type of investigation, you will typically
want to capture information that is extremely
volatile, such as information contained in RAM concerning
network connections and running processes.
Regardless of the situation, and whether the evidence
will be used in a court of law or as the grounds for
a letter of reprimand, the techniques, procedures,
and methodologies used should be largely the same.
What starts out as a letter of reprimand given to
an employee for misusing company computing resources,
may end up as a lawsuit against the employer.
What starts out as an investigation concerning Internet
access at odd times may reveal that child pornography
It is for the above reasons that we must use sound
and proven techniques for any work performed related
to computer forensics, and always approach a situation
as if we will end up in a court of law or possibly
be handing the case over to law enforcement.
Active, Archival, and Latent Data
In computer forensics, there are three types of data
that we are concerned with - active, archival, and
Active data is the information that you and I can
see: data files, programs, and files used by the operating
system. This is the easiest type of data to obtain.
Archival data is data that has been backed up and
stored. This could consist of backup tapes, CDs,
floppies, or entire hard drives to cite a few examples.
Latent (also called ambient) data is the information
that one typically needs specialized tools to get
at. An example would be information that has been
deleted or partially overwritten.
A computer investigation could entail looking at
one or more of these data types depending on the circumstances.
Obtaining latent data is by far the most time consuming
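Slack space and deleted data, the two kinds of latent data the article mentions, as an added example that is not from the article: a constructed four-cluster disk image with a simplified contiguous-allocation filesystem, where an older memo was deleted and a shorter report written over part of it. The cluster size, directory layout and file contents are all assumptions.

```python
CLUSTER_SIZE = 512  # assumption: 512-byte clusters, as on a small FAT volume

def build_image():
    """Constructed 4-cluster image. An old memo once filled clusters 0-2; it was
    deleted and a 700-byte report written over clusters 0-1. Cluster 2 is now
    unallocated, and bytes 700-1023 are the report's file slack."""
    image = bytearray(4 * CLUSTER_SIZE)
    memo = b"old memo: move the backup tapes offsite before the audit. " * 30
    image[0:3 * CLUSTER_SIZE] = memo[:3 * CLUSTER_SIZE]
    report = b"Q3 REPORT " + b"x" * 690          # 700 bytes, the only active file
    image[0:len(report)] = report
    directory = {"report.txt": (0, len(report))}  # name -> (start cluster, size)
    return bytes(image), directory

def clusters_used(size):
    """Whole clusters a file of `size` bytes occupies (ceiling division)."""
    return -(-size // CLUSTER_SIZE)

def file_slack(image, directory, name):
    """Bytes between a file's logical end and the end of its last cluster:
    invisible to the user, but still holding whatever was written there before."""
    start_cluster, size = directory[name]
    start = start_cluster * CLUSTER_SIZE
    return image[start + size : start + clusters_used(size) * CLUSTER_SIZE]

def unallocated_space(image, directory):
    """Every cluster no active file references, concatenated (deleted-file territory)."""
    used = set()
    for start_cluster, size in directory.values():
        used.update(range(start_cluster, start_cluster + clusters_used(size)))
    return b"".join(image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
                    for c in range(len(image) // CLUSTER_SIZE) if c not in used)

def printable_strings(data, min_len=8):
    """Runs of printable ASCII of at least min_len bytes (what `strings` reports)."""
    found, run = [], bytearray()
    for b in data + b"\0":                      # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

if __name__ == "__main__":
    image, directory = build_image()
    print("file slack :", printable_strings(file_slack(image, directory, "report.txt")))
    print("unallocated:", printable_strings(unallocated_space(image, directory)))
```

A directory listing of this image shows only report.txt, yet the memo text is still recoverable from the report's slack and from the unallocated cluster, which is why the article counts this as data that needs specialized tools.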
Public Sector, Private Sector, and
There are three primary areas that you will find
computer forensics used. Public sector, private sector,
Computer forensics is used in the public sector by
government and law enforcement personnel to investigate
and prosecute crimes. Criminals are using computer
technology when committing "traditional"
crimes such as homicide, rape, fraud, and auto theft
to name a few. They are also using computer technology
to commit crimes that would not be possible without
computing devices, such as breaking into a networked
system and stealing or altering data, posting child
pornography to a newsgroup, or harassing someone via
Computers can be the target of a crime (your computer
system is attacked over the Internet), the tool in
the commission of a crime, (sending and receiving
child pornography), or as incidental to a crime (keeping
records concerning the houses you've burgled). When
computing devices are used in committing crimes, you'll
often hear the term "Cybercrime" used. Although
the word "Cyber" does get people's attention,
it is often misused - Cyber typically denotes being
online. You are not in "CyberSpace" just
by turning your computer on.
At any rate, government and law enforcement use of
computer forensics is increasing, as more and more
criminals are using computing technology. Computer
evidence is used by Prosecutors everyday to aid in
convicting criminals involved in fraud, murder, drug
trafficking, child pornography, embezzlement, and
In the private sector, computer forensic techniques
and methodologies are used to investigate electronic
break-ins, embezzlement, improper use of computing
resources by employees, and theft of trade secrets
among other things.
Those in the insurance business may use information
retrieved from computer systems to identify fraud
in workman's compensation, automobile or personal
accident cases, or arson. I'm aware of a few cases
where emails were sent outlining plans to fake back
injuries and other ailments in order to receive money
from insurance. These emails were used to convict
those making the false claims.
The majority of work that I perform in regards to
computer forensics is not as an employee of a law
enforcement agency or company; it is for individuals
or law firms as a consultant. Some may argue that
working for a law firm should be in the private sector
category, as law firms are companies and corporations,
and I do agree to a certain extent. I believe however
that the type of work that I (and countless others
like me) perform in the area of computer forensics
needs its own category due to the uniqueness of the
As an educator, I come into contact with countless
students who want to get into computer forensics.
As I tell my students, there are basically four possibilities.
1. Get into law enforcement, the FBI, CIA, or other
investigative agency. The reality is, members of law
enforcement and government investigative agencies
typically do their own computer forensics work.
2. Get into the information security or computing
investigations department of a private company.
3. Work for a company that specializes in computer
forensics and/or electronic discovery.
4. Start your own business providing computer forensic
services and consulting. It is in this area that I
believe most of the opportunity exists. Attorneys
regularly need the services of computing professionals
with computer forensic skills to aid in litigation,
and there are also individuals that need the services
of someone skilled in computer forensics for personal
and civil matters. There is now, and will continue
to be, an infinite demand for computer forensics experts.
To better explain what I'm saying here, I'll cite
some examples of cases where some of my colleagues
and I have used computer forensics techniques and
methodologies, in the capacity of a consultant.
In a medical malpractice/wrongful death suit, a computer
was examined to extract evidence relevant to the decedent's
part-time business. The information recovered was
used to determine how much the decedent would have
made had they lived another thirty or so years, and
helped to determine the settlement amount for the
A recently divorced woman was being harassed by her
former spouse. She was being told that he could see
everything that she was doing while her computer was
turned on. An investigation was conducted of her hard
drive contents, and her computer was monitored for
several weeks. The findings were that nothing out
of the ordinary was happening, or had taken place
in the past with the computer.
Finding a Will
In this case, a decedent's computer was examined to
determine if there was any information relevant to
a will. The decedent was a cryptologist, and many
files had to be "cracked" as they were encrypted.
Information was recovered that helped settle the decedent's
A parent wanted to know what their son was doing online.
The investigation showed that their son was frequenting
sites on making bombs, and was also planning to make
one. The son confessed to this and was given help
to deal with a situation at school that was causing
pent up anger that he could not deal with on his own.
Is it Just About What's On The Computer?
Evidence gleaned from a forensic investigation and
examination is not limited to what is found or extracted
from magnetic media such as hard drives, floppy drives,
Evidence can be in the form of visual output on a
computer monitor, printouts, passwords written down,
notes made in computer or software manuals, or logs
from systems external to the subject computer itself,
such as proxy servers or firewalls. The computer forensics
practitioner who limits themselves to looking at
only the magnetic media on the subject computer will
be missing important clues.
A computer forensics practitioner must always remember
that there might be, and probably is, evidence related
to the situation that is external to the computer
itself. In some situations this external evidence
could not only make or break the case, it might even
be the best evidence that you can obtain.
In a case I was involved in regarding alleged access
to pornographic Websites, my retaining attorney was
questioning the expert for the opposition concerning
the proxy and firewall logs that were pertinent to
The expert was unable to answer the questions, and
admitted to not having much experience in this area. I remember
asking myself, what is he doing representing them?
The expert for the opposition had years of experience
working with evidence from personal computers.
The problem here was that he had focused his investigation
solely on what was found on the subject computer itself,
and had totally ignored other sources of information
that could have helped his client to prove their case.
In short, he had done a poor job of preparing himself
and his retaining counsel concerning the aspects of
the case, and the types of questions that might be
asked. A computer forensic practitioner needs to always
look at the big picture, and obtain and examine all
evidence that may be relevant. If they find an aspect
of their case that they are unfamiliar with, they
need to seek assistance.
The information contained in this document covers
the basics, and really doesn't do full justice to
all facets of computer forensics. I hope however that
you have a better understanding of what computer forensics
entails. Feel free to contact me if I can be of assistance,
or if you have specific questions.