Computer forensics is the sub-division of forensic science that deals with computer and digital evidence relevant to legal investigations. In recent years computers have been used increasingly in criminal activity, including theft, fraud, computer hacking, software forgery, computer virus creation and child pornography. Computer forensic specialists are often called upon when the computers of suspects are seized, particularly to retrieve data files and to do so in a way that will stand up in court.
The search for digital evidence is extensive. Possible sources include home and work computer systems, external hard drives and memory sticks, modem pools, existing and deleted files, networks, browser cookies and caches, print spool files, temporary files, swap files, slack space, login records and system logs, and any other related media. The data the investigator looks for comes in several forms. Active data is what is plainly visible: data files, programs and the files used by the operating system. It is obvious and in principle easy to access. Archival data is data that has been backed up and stored, whether on tape, CD or other hard drives; once the storage medium has been located, access does not usually pose a problem. Latent or residual data, however, has been deleted, partially overwritten or encrypted, and usually requires specialised tools to recover.
Before the search begins, the computer must be protected from damage or alteration and its contents copied before anything is examined. The state in which the computer was found should also be documented, including every cable and connection attached to it and any files or programs that were open. Dead analysis is the examination of a computer's storage without booting the machine's own operating system: the drive is removed or attached through a write blocker and duplicated bit for bit with imaging tools such as dcfldd or IXimager, so the original is never written to. The copy must then be shown to be a true and accurate duplicate. A cryptographic hash (MD5 and SHA-256 are the usual choices) of the original disk is compared with the hash of the image, and the values are recorded so that any later change to the image can also be detected.
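The imaging and verification step above, as an added example that is not part of the original article: a dd-style block copy followed by hashing of both source and image, with a deliberately corrupted copy to show that verification fails. The "device" is a constructed 4 KiB file of random bytes; the file names are hypothetical.

```python
"""Image a 'device' block by block and verify the copy by hash (added example)."""
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Stream a file through a hash so images larger than RAM can be verified."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, dest, block_size=512):
    """Block-for-block copy, as dd/dcfldd do; returns the hash of the bytes read,
    computed on the fly so the source is read only once."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify_image(source, image):
    """True only if a fresh hash of the source equals a fresh hash of the image."""
    return hash_file(source) == hash_file(image)


def demo():
    """Constructed scenario: image a fake device, verify, then corrupt one byte."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.raw")  # hypothetical seized drive
    image = os.path.join(workdir, "evidence.dd")    # hypothetical image file
    with open(source, "wb") as f:
        f.write(os.urandom(4096))

    before = hash_file(source)             # acquisition hash of the original
    copied = image_device(source, image)   # hash of what was actually read
    after = hash_file(source)              # the original must be unchanged
    results = {
        "source_unchanged": before == after,
        "image_matches": copied == hash_file(image),
        "verified": verify_image(source, image),
    }
    # Flip a single byte in the image: the hash no longer matches the source.
    with open(image, "r+b") as f:
        f.seek(100)
        byte = f.read(1)
        f.seek(100)
        f.write(bytes([byte[0] ^ 0xFF]))
    results["tampered_detected"] = not verify_image(source, image)
    return results


if __name__ == "__main__":
    print(demo())
```

In practice the source is opened through a hardware write blocker, and the acquisition hash is written into the case notes at the time of imaging; hashing the image again before each examination then shows whether it has been altered since.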
Many people mistakenly believe that a deleted file cannot be recovered. In fact deleting a file normally removes only its directory entry and marks the clusters it occupied as free; the content remains on the disk, in what is called unallocated space, until that space is reused, and can be retrieved until then. Slack space is a related source: the unused tail of the last cluster allocated to a file can still hold fragments of whatever file previously occupied that cluster. So even a file that has been partially overwritten may leave recoverable fragments. Operating systems also page memory out to a swap file or swap partition, so the desired information may be found there; swap contents change every time the computer is used, so they are a snapshot rather than a permanent record. A drive can be imaged without booting the seized computer, by attaching it to the examiner's workstation, though imaging a large drive can take hours.
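Recovery from unallocated space is usually done by file carving: scanning the raw bytes for the header and footer signatures of known file types, since no directory entry points at the data any more. The following is an added example, not code from the original article; the "disk image" is a constructed byte buffer containing a minimal PNG and a minimal JPEG between runs of zeroes, and the signature table covers only those two types.

```python
"""Carve files out of raw bytes by header/footer signature (added example)."""

# (type, header, footer). PNG ends with the IEND chunk and its fixed CRC;
# JPEG ends with the EOI marker FF D9. Constructed, minimal table.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
]


def carve(data):
    """Return a list of (type, offset, bytes) for every complete file found.
    A header without a matching footer is reported nowhere: that is what a
    partially overwritten file looks like from the carver's point of view."""
    found = []
    for name, header, footer in SIGNATURES:
        start = 0
        while True:
            begin = data.find(header, start)
            if begin == -1:
                break
            end = data.find(footer, begin + len(header))
            if end == -1:
                break  # truncated or overwritten: nothing complete to carve
            end += len(footer)
            found.append((name, begin, data[begin:end]))
            start = end
    found.sort(key=lambda item: item[1])
    return found


def build_fake_image():
    """Constructed 'unallocated space': zero filler, a tiny PNG, filler, a tiny JPEG.
    Returns the buffer plus the two embedded files so results can be checked."""
    png = (b"\x89PNG\r\n\x1a\n"
           + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4  # IHDR, zeroed CRC
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + b"\xff\xd9"
    filler = b"\x00" * 512
    return filler + png + filler + jpeg + filler, png, jpeg


def overwrite(data, offset, length):
    """Simulate the filesystem reusing a region: zero `length` bytes at `offset`."""
    return data[:offset] + b"\x00" * length + data[offset + length:]


if __name__ == "__main__":
    image, _, _ = build_fake_image()
    for kind, offset, blob in carve(image):
        print(f"{kind} at offset {offset}, {len(blob)} bytes")
    # Overwriting the PNG header leaves its body on disk but unrecoverable by
    # signature; the JPEG further along is untouched and is still carved.
    damaged = overwrite(image, 512, 8)
    print([kind for kind, _, _ in carve(damaged)])
```

Real carvers such as the ones bundled with Sleuth Kit or FTK parse the file structure rather than stopping at the first footer, because a JPEG with an embedded thumbnail contains more than one FF D9 marker; the naive footer search here is enough to show the principle.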
Incriminating files may have been encrypted, either deliberately by the user or automatically by the computer, to stop unauthorised individuals from viewing their contents. Decrypting them is rarely a matter of breaking the cipher; it depends on obtaining the key. Symmetric encryption uses a single key for both encryption and decryption, so the data can be read by anyone who recovers that key, for instance by guessing a weak passphrase or by extracting it from a memory image of the machine while it was running. Asymmetric encryption uses one key to encrypt and a different, private key to decrypt, so even possession of the encryption key does not help the investigator; the private key must be found.
Email systems, used by millions of people every day, are well suited to criminal activity, particularly malicious spam and email-borne viruses. There are, however, ways of tracing the source. Every connection to a server is made from an IP (Internet Protocol) address, which the server records. An address is not permanently tied to one machine (addresses are reassigned, and many computers can share one address behind a NAT gateway), but an address together with the time of the connection can often be traced through the Internet service provider to a subscriber. Each mail server that handles a message adds a Received: header recording where the message came from and when, and keeps logs of sender, recipient, dates and times, all of which can be useful in an investigation. Senders can, however, use VPNs or proxies to mask their real address and location, and the earliest Received: lines in a message can be forged by the sender.
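Walking the Received: chain, as an added example that is not part of the original article. The message below is constructed (the hosts and addresses are documentation ranges, not a real capture); each relay prepends its own header, so the chain is read from the bottom of the message upwards to reach the originating connection.

```python
"""Trace an email back through its Received: headers (added example)."""
import re
from email import message_from_string

# Constructed sample message: three hops, newest header first.
RAW_EMAIL = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.org with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx2.example.net with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from user-pc (unknown [203.0.113.45])
\tby relay.example.com with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: someone@example.com
To: victim@example.org
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from (\S+).*?by (\S+)")


def trace_received(raw):
    """Return hops oldest first as (from_host, ip, by_host, timestamp).
    Relays prepend their header, so the first header in the message is the
    last hop; reversing the list puts the originating connection first."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())          # unfold continuation lines
        hop = HOP_RE.match(text)
        ip = IP_RE.search(text)
        when = text.split(";")[-1].strip() if ";" in text else None
        hops.append((
            hop.group(1) if hop else None,
            ip.group(1) if ip else None,
            hop.group(2) if hop else None,
            when,
        ))
    return hops


def origin_ip(raw):
    """Best candidate for the sending machine: the IP seen by the first relay."""
    hops = trace_received(raw)
    return hops[0][1] if hops else None


if __name__ == "__main__":
    for from_host, ip, by_host, when in trace_received(RAW_EMAIL):
        print(f"{from_host} [{ip}] -> {by_host} at {when}")
    print("origin:", origin_ip(RAW_EMAIL))
```

Only the headers added by servers the investigator controls or can obtain logs from are trustworthy; anything below them may have been written by the sender. The address the first trusted relay recorded is therefore the starting point for a request to the service provider, cross-checked against that relay's own logs.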
Metadata is data about other data. When a file is created by certain programs, information about the file's history is recorded alongside it: the date and time it was created, when it was last accessed and when it was last modified. Such data is not limited to computers. Devices such as cameras attach metadata to photographs and videos (the EXIF data in a photograph, for example), which can include the camera model and the time the picture was taken.
Forensic and Anti-Forensics Software
Some tech-savvy criminals employ more advanced methods of concealing incriminating evidence. Anti-forensics tools hinder an investigation further: some alter the metadata attached to a file, such as its timestamps, and others encrypt data so that it cannot be read without a key. Programs can even be installed that erase data if an unauthorised user attempts to access the system, which makes it imperative that only trained experts handle digital evidence. Fortunately numerous tools are available for the forensic analysis of computer systems, among the most common being AccessData's FTK, Guidance Software's EnCase and Brian Carrier's Sleuth Kit.
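The file timestamps described in the metadata paragraph above are exactly what anti-forensic "timestomping" tools rewrite, so one example serves both passages. This is an added example, not code from the original article or from any of the tools it names: it reads a file's access, modification and inode-change times, backdates the first two the way such a tool would, and shows the trace this leaves. The file name is hypothetical and its content constructed.

```python
"""File timestamps, timestomping, and the trace it leaves (added example)."""
import os
import tempfile
import time


def file_times(path):
    """Return (atime, mtime, ctime) in POSIX seconds from the file's inode."""
    st = os.stat(path)
    return st.st_atime, st.st_mtime, st.st_ctime


def timestomp(path, when):
    """Set access and modification times to `when`, as anti-forensic tools do.
    On Linux and macOS the inode change time (ctime) cannot be set this way:
    the kernel bumps it to 'now' because the inode itself was just changed."""
    os.utime(path, (when, when))


def looks_stomped(path, slack=1.0):
    """Heuristic: ctime well after mtime means the metadata was changed after
    the last content write, which is the mark backdating leaves behind."""
    _, mtime, ctime = file_times(path)
    return ctime - mtime > slack


def demo():
    """Constructed scenario: create a file, backdate it to 2001, re-examine."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "notes.txt")  # hypothetical evidence file
    with open(path, "w") as f:
        f.write("constructed content\n")
    fresh = looks_stomped(path)  # just written: ctime and mtime agree
    old = time.mktime((2001, 1, 1, 0, 0, 0, 0, 0, -1))
    timestomp(path, old)
    _, mtime, ctime = file_times(path)
    return {
        "fresh_flagged": fresh,
        "mtime_backdated": abs(mtime - old) < 1.0,
        "ctime_not_backdated": ctime > old + 1.0,
        "stomped_flagged": looks_stomped(path),
    }


if __name__ == "__main__":
    print(demo())
```

A ctime later than the mtime is a lead, not proof: copying a file with its timestamps preserved or changing its permissions produces the same pattern. Camera metadata such as EXIF lives inside the file's content rather than in the filesystem, so it survives copying but is just as easy for an anti-forensics tool to edit; both kinds of timestamp should be compared against independent records such as logs before any weight is put on them.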