Computer Forensics ABC
Posted: April 4, 2013 at 8:50 pm
In modern crime scene investigation, most things pass through a computer. There is, and won’t be in the foreseeable future, a replacement for quality human work, but the developments of computers have provided incredibly much help to CSIs.
Defining computer forensics
Nowadays, everybody uses computers; they’ve become such an essential part of our lives that it’s hard to imagine how society would look without them. Considering how forensics deals with all aspects of crime, computer forensics was necessary and bount to appear, sooner or later. So, if we were to define it, we’d be saying that computer forensics is the investigation of a computer system (or parts) involved in crime, or which can hold information about a crime. But now, it’s not only about computers – tablets, smartphones, even ebook readers – all of them can be subjected to computer forensics.
It’s interesting to note that many detective techniques have their counterpart in computer forensics. For example, just like with a crime scene, just opening a file changes the file. If you just start a computer and open files left and right, there’s no way to know if you changed them. Any decent lawyer will contest the evidence taken this way, and you can kiss your cyber evidence good bye; but fear not – that’s why we need our computer guys.
Computer forensics job description
So evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence, meaning you have to be really careful when doing… anything. A digital forensics investigation consists of 3 stages, and you’ll be doing this every single time: acquiring and imaging, analysis, and reporting; yep, that’s right, be prepared for a whole lot of reports, because not that many people are savvy in this field, and you have to explain (sometimes the same things) everything step by step.
Most computer forensic jobs are found in the law enforcement sector. There are 4 main specialties; other, more niched options are available, but these are the main areas:
Computer Forensics Analyst – basic stuff. Takes out over half of all jobs in the field. You typically check e-mails and other cyber correspondance, hard disks, analyze pictures, analyzing everything in light of the crime in question. You may also check to see who accessed certain files or computers, where is someone located, check IPs, etc.
Special Agent – most of the time, you do the same things, but you’ll probably be dealing with counterintelligence or counterterrorism, so the requirements are much, much higher. Special agents work for agencies (duh), such as FBI, CIA, NSA, etc. You’ll also be required, in most cases, to be physically fit and be able to pass strict physical tests.
Ethical Hacker – the name pretty much says it all. This is where the going really gets tough – you’ve got to know how to hack and slash your way into other computers, but mostly, you’ve got to know how to protect against such attacks.
Information Security Manager – as in every field, when you get to a certain point, you get moved from “field work” to manager work. This is not really a job you get, but rather a job you get promoted into.
You’re probably going to be surprised by this, but within the financial services sector, there are an increased number of computer forensic jobs available. Their role is to prevent bad things from happening, and gather evidence when they do happen.
In the past 10-20 years, cyber crime has increased exponentially, and the odds are it will continue at a similar rate, so there’s plenty of work available.
Applications of computer forensics
Digital forensics is now commonly used in both criminal law and private investigation. But how is it done, really?
Of course, the first thing that comes to mind as an application is cyber crime. If someone stole something via the internet, or did some phishing, or has pornographic material with minors, or anything else.
Meta data and other logs can be used to attribute actions to an individual. If you find a computer, tablet or smartphone, you can often track its owner by the documents on the hard drive.
Alibi and action check
Information provided by suspects/witnesses can often be verified digitally.
It’s often circumstantial, but when you have a rapist suspect, and on his computer you find google searches for ‘how to rape and not get caught’, that’s a pretty good indication (and something in these lines, but less obvious often happens).
Pretty much what the name says – verify if a document originated on a certain computer, when and now it was modified, etc.
Computer forensics cases
The admissibility of digital evidence relies on the tools used to extract it, which vary from country to country. Laws dealing with digital evidence are concerned with two issues: integrity and authenticity. Usually, they fall into the same strict legal guidelines as other forms of evidence. Computer forensics has been very successful in several high-profile cases, of which we’ll name just a few:
The alibi of the killer was disproved when mobile phone records of the person he claimed to be with showed she was out of town at the time.
Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, he started sending letters to the police in the form of floppy disks. The evidence helped catch and convict him.
Joseph E. Duncan III
Forensic investigators found a spreadsheet in which Duncan was planning his murders; this helped prove he was planning the crimes.
After going through hundreds of emails, investigators were able to find her killer, Robert Glass. In this very disturbing, the victim wanted to be tortured and strangled, which was also proven this way.
According to Wikipedia: This case confirmed parties’ duties to preserve digital evidence when litigation has commenced or is reasonably anticipated. Hard drives were analyzed by a computer forensics expert, who could not find relevant e-mails the Defendants should have had. Though the expert found no evidence of deletion on the hard drives, evidence came out that the defendants were found to have intentionally destroyed emails, and misled and failed to disclose material facts to the plaintiffs and the court.
Dr. Conrad Murray
Dr. Conrad Murray – the doctor of Michael Jackson was convicted partially by digital evidence on his computer. This evidence included medical documentation showing lethal amounts of propofol.
You’re going to find lots of deceiving information on some websites – pay extra attention when dealing with such info. IACIS (the International Association of Computer Investigative Specialists) offers the Certified Computer Forensic Examiner (CFCE) program. There’s also the ISFCE Certified Computer Examiner and IACRB Certified Computer Forensics Examiner – and there are a few others.
Also, most commercial based forensic software companies are now also offering proprietary certifications on their products.
So that’s pretty much the ABCs in terms of cyberforensics; of course, there would be much, much more to say, but this is just introductory information – we have more posts covering different aspects of the business which I invite you to check out.