Computer forensics is the practice of collecting, analysing and reporting on digital information in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.
About this guide
This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not written in favour of either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term "computer", but the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license.
Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a 'scene of a crime', for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the 'meta-data' [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.
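As an added example (not code from the original guide) of the kind of metadata this paragraph describes, the script below reads the core properties that Office documents carry inside the package (creator, last modified by, revision count, created, modified and last-printed times), puts them next to the file-system modification time, and applies a simple consistency check. The .docx package, its timestamps and the user names "alice" and "bob" are constructed here for illustration.

```python
"""Reading the embedded metadata of an Office document and comparing it with
the file-system timestamps.  Added example, not code from the original guide;
the sample .docx is constructed in memory for illustration."""
import datetime
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile

# OPC core-properties namespaces used in docProps/core.xml of a .docx/.xlsx/.pptx.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample core.xml: created by "alice", last saved by "bob", printed once.
SAMPLE_CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>alice</dc:creator>
  <cp:lastModifiedBy>bob</cp:lastModifiedBy>
  <cp:revision>3</cp:revision>
  <cp:lastPrinted>2023-01-10T09:00:00Z</cp:lastPrinted>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-01-05T08:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2023-01-12T10:30:00Z</dcterms:modified>
</cp:coreProperties>
"""


def build_sample_docx(core_xml=SAMPLE_CORE_XML):
    """Minimal OOXML package (a zip) carrying only the parts this example reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def core_properties(docx):
    """docx: path or file-like object.  Returns who created / last saved the file,
    the revision count, and when it was created, last modified and last printed."""
    with zipfile.ZipFile(docx) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": text("cp:revision"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
        "last_printed": text("cp:lastPrinted"),
    }


def core_properties_of_bytes(data):
    return core_properties(io.BytesIO(data))


def parse_w3cdtf(value):
    """W3CDTF timestamps as written by Office ('...Z' for UTC) to aware datetimes."""
    return datetime.datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def consistency_flags(props, fs_mtime_utc=None):
    """Heuristic indicators only: an embedded 'modified' earlier than 'created', or a
    file-system mtime earlier than the embedded 'modified', does not arise from normal
    editing and points at clock problems or deliberate edits to the metadata."""
    flags = []
    created, modified = parse_w3cdtf(props["created"]), parse_w3cdtf(props["modified"])
    if created and modified and modified < created:
        flags.append("embedded modified time precedes created time")
    if fs_mtime_utc is not None and modified and fs_mtime_utc < modified:
        flags.append("file-system mtime precedes embedded modified time")
    return flags


def examine_on_disk(docx_bytes):
    """Write the package to disk as a real file and combine both metadata sources."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.docx")
        with open(path, "wb") as f:
            f.write(docx_bytes)
        fs_mtime = datetime.datetime.fromtimestamp(os.stat(path).st_mtime, datetime.timezone.utc)
        props = core_properties(path)
        return props, fs_mtime, consistency_flags(props, fs_mtime)


if __name__ == "__main__":
    props, fs_mtime, flags = examine_on_disk(build_sample_docx())
    print(props, fs_mtime.isoformat(), flags or "no inconsistencies")
```

The embedded properties answer the questions in the paragraph (created by alice, last saved by bob on the third revision, printed on 10 January) while the file-system timestamp answers when this copy of the file last changed on this disk; the two sources are independent, which is why comparing them is useful and why the flags are treated as indicators rather than conclusions.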
More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:
- Intellectual property theft
- Industrial espionage
- Employment disputes
- Fraud investigations
- Matrimonial issues
- Bankruptcy investigations
- Inappropriate email and internet use in the work place
- Regulatory compliance
For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner's mind. One set of guidelines which has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever jurisdiction. The four main principles from this guide have been reproduced below (with references to law enforcement removed):
- No action should change data held on a computer or storage media which may be subsequently relied upon in court.
- In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
In summary, no changes should be made to the original; however, if access or changes are necessary the examiner must know what they are doing and must record their actions.
Principle 2 above may raise the question: in what situation would changes to a suspect's computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device which is turned off. A write-blocker [4] would be used to make an exact bit-for-bit copy [5] of the original storage medium, and cryptographic hashes of the original and the copy are recorded so that the copy can be shown to be identical. The examiner would then work from this copy, leaving the original demonstrably unchanged.
However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence (such as the contents of memory, running processes or open network connections) may be lost. In both these circumstances the computer forensic examiner would need to carry out a 'live acquisition', which involves running a small program on the suspect computer in order to copy (or acquire) the data to the examiner's hard drive.
By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain their actions.
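As an added example (not code from the original guide) of the acquisition and audit-trail principles above, the following Python script makes a bit-for-bit copy of a storage medium, hashes the source before and after the copy and the image afterwards, and writes an audit log that an independent third party can replay; it then shows that a single altered byte in the image fails re-verification. The 'device' is a constructed sample file and the tool name is a hypothetical label; a real acquisition would read a block device through a hardware write-blocker.

```python
"""Bit-for-bit acquisition of a storage medium with hash verification and an
audit trail, the checks behind ACPO principles 1 and 3.  Added example, not code
from the original guide.  The 'device' is a constructed sample file; on a real
job the source would be a block device behind a hardware write-blocker."""
import datetime
import hashlib
import json
import os
import tempfile

BLOCK_SIZE = 4096
TOOL_NAME = "acquire-example"  # hypothetical tool identifier recorded in the log

# Constructed sample medium: a header, a byte pattern, a string sitting in
# 'unallocated' space and a run of zeros.  Not real disk data.
SAMPLE_DEVICE = (
    b"MBR-ish header\x00" * 100
    + bytes(range(256)) * 64
    + b"deleted but still present"
    + b"\x00" * 7000
)


def sha256_of(path):
    """Stream the file so that images larger than memory can be hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, log_path, examiner="examiner"):
    """Copy every block of `source` to `image`, hash the source before and after,
    hash the image, and write a JSON-lines audit trail a third party can re-run."""
    entries = []

    def record(event, **fields):
        entries.append({"time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                        "event": event, **fields})

    record("start", tool=TOOL_NAME, examiner=examiner, source=source, image=image)
    source_before = sha256_of(source)
    record("hash_source_before", sha256=source_before)

    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
            copied += len(chunk)
    record("copied", bytes=copied, block_size=BLOCK_SIZE)

    image_hash = sha256_of(image)
    source_after = sha256_of(source)
    record("hash_image", sha256=image_hash)
    record("hash_source_after", sha256=source_after)

    # The image is a verified copy only if all three digests agree: the source was
    # not altered by the acquisition and the image matches it byte for byte.
    verified = (image_hash == source_before == source_after
                and copied == os.path.getsize(source))
    record("result", verified=verified)

    with open(log_path, "w") as f:
        for e in entries:
            f.write(json.dumps(e) + "\n")
    return {"verified": verified, "bytes": copied, "sha256": image_hash}


def verify_image(image, expected_sha256):
    """What an independent examiner does later: recompute the digest and compare."""
    return sha256_of(image) == expected_sha256


def demo(tamper=False):
    """Acquire the sample medium; optionally flip one byte of the image afterwards
    to show that re-verification against the recorded hash catches it."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "device.bin")
        image = os.path.join(d, "device.dd")
        log_path = os.path.join(d, "acquisition.jsonl")
        with open(source, "wb") as f:
            f.write(SAMPLE_DEVICE)
        result = acquire(source, image, log_path)
        if tamper:
            with open(image, "r+b") as f:
                f.seek(1500)
                original = f.read(1)
                f.seek(1500)
                f.write(bytes([original[0] ^ 0xFF]))
        with open(log_path) as f:
            result["log_lines"] = sum(1 for _ in f)
        result["reverified"] = verify_image(image, result["sha256"])
        return result


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

Hashing the source both before and after the copy is what lets the examiner state that the acquisition did not alter the original (principle 1); the log with tool, examiner, sizes and digests is the record that lets someone else repeat the process and reach the same result (principle 3). The same digest is what a live acquisition should record for whatever it captures, since there the source state cannot be re-hashed later.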
Stages of an examination
For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.
Readiness – Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer's built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is found during a commercial job) and ensuring that the on-site acquisition kit is complete and in working order.
Evaluation – The evaluation stage includes the receiving of clear instructions, risk analysis and allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect's property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover reputational and financial risks on accepting a particular project.
Collection – The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, and the manager and the person responsible for providing computer services) would usually be carried out at this stage. The 'bagging and tagging' audit trail would start here by sealing any materials in uniquely numbered tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner's laboratory.
Analysis – Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. There are myriad tools available for computer forensics analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is for them to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis (if with tool 'A' the examiner finds artefact 'X' at location 'Y', then tool 'B' should replicate these results).
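As an added example (not code from the original guide) of two points in the analysis stage above, testing a tool against a reference image with known contents before it is used on evidence, and dual-tool verification of a finding, the script below runs two independently written JPEG signature searches over a raw image and reports only what both agree on. The raw image is constructed here with known offsets, so it doubles as the calibration reference; the two 'tools' are deliberately different implementations of the same search.

```python
"""Tool calibration against a reference image and dual-tool verification of a
carving result.  Added example, not code from the original guide; the raw image
is constructed here and the two 'tools' are deliberately independent
implementations of the same JPEG signature search."""
import re

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker that opens every JPEG file
JPEG_EOI = b"\xff\xd9"       # end-of-image marker that closes it

# Constructed raw image: an allocated JPEG, a second JPEG left in unallocated
# space, and a truncated header with no end marker.  Offsets are known, so the
# image doubles as a calibration reference.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"\xff\xd8\xff\xe0" + b"JFIF-one" + b"\xff\xd9"
    + b"\x00" * 100
    + b"\xff\xd8\xff\xe1" + b"second image in unallocated space" + b"\xff\xd9"
    + b"\x00" * 50
    + b"\xff\xd8\xff"
)
REFERENCE_RESULT = [(512, 14), (626, 39)]   # (offset, length) a correct tool must report


def carve_a(image):
    """Tool A: linear scan with bytes.find, one marker pair at a time."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break                      # header with no trailer: not a complete file
        found.append((start, end + len(JPEG_EOI) - start))
        pos = end + len(JPEG_EOI)
    return found


def carve_b(image):
    """Tool B: one non-greedy regular expression over the whole image."""
    pattern = re.compile(rb"\xff\xd8\xff.*?\xff\xd9", re.DOTALL)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(image)]


def calibrate(tool, reference_image=SAMPLE_IMAGE, expected=REFERENCE_RESULT):
    """Before an examination: does the tool report the known contents of a
    reference image?  A tool that fails this is not used on evidence."""
    return tool(reference_image) == expected


def dual_tool_check(image, tool_a=carve_a, tool_b=carve_b):
    """Findings are reported only where both tools agree; disagreements are
    listed so the examiner investigates the tools as well as the evidence."""
    a, b = set(tool_a(image)), set(tool_b(image))
    return {"agreed": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a)}


def extract(image, findings):
    """Pull the agreed byte ranges out of the image as candidate files."""
    return [image[off:off + length] for off, length in findings]


if __name__ == "__main__":
    for tool in (carve_a, carve_b):
        print(tool.__name__, "calibrated:", calibrate(tool))
    report = dual_tool_check(SAMPLE_IMAGE)
    print(report)
    for blob in extract(SAMPLE_IMAGE, report["agreed"]):
        print(len(blob), "bytes starting", blob[:4].hex())
```

The second JPEG sits in what the constructed image treats as unallocated space, which is the sort of artefact a file-system listing would not show but a signature search does; the truncated header at the end is reported by neither tool, and that agreement is as much a part of the verification as the two positive findings.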
Presentation – This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.
Review – Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived cost of doing work that is not billable, or the need 'to get on with the next job'. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time-effective. A review of an examination can be simple and quick, and can begin during any of the above stages. It may include a basic 'what went wrong and how can this be improved' and a 'what went well and how can it be incorporated into future examinations'. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.
Issues facing computer forensics
The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.
Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer which the suspect has had access to. It could also reside in the volatile memory of a computer (known as RAM [6]), which is usually lost on computer shut-down; another reason to consider using the live acquisition techniques outlined above.
Increasing storage space – Storage media hold ever greater amounts of data, which for the examiner means that their analysis computers need to have sufficient processing power and available storage to deal efficiently with searching and analysing enormous amounts of data.
New technologies – Computing is an ever-changing area, with new hardware, software and operating systems being constantly produced. No single computer forensic examiner can be an expert on all areas, though they may frequently be expected to analyse something which they haven't dealt with before. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect, as it is likely that someone else has already encountered the same issue.
Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files' meta-data and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience, it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence they were used to hide.
Legal issues – Legal arguments may confuse or distract from a computer examiner's findings. An example here would be the 'Trojan Defence'. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, including key-logging [7], uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user's knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect's computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.
Accepted standards – There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to a number of reasons, including standard-setting bodies being tied to particular legislations, standards being aimed either at law enforcement or at commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating.
Fitness to practise – In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.
Resources and further reading
There does not appear to be a great amount of material covering computer forensics which is aimed at a non-technical readership. However, the links at the bottom of this page may prove to be of interest.
1. Hacking: modifying a computer in a way which was not originally intended in order to serve the hacker's goals.
2. Denial of Service attack: an attempt to prevent legitimate users of a computer system from having access to that system's information or services.
3. Meta-data: at a basic level, meta-data is data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file's author, format, creation date and so on.
4. Write blocker: a hardware device or software application which prevents any data from being modified or added to the storage medium being examined.
5. Bit copy: 'bit' is a contraction of the term 'binary digit' and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium 'invisible' to the user.
6. RAM: Random Access Memory. RAM is a computer's temporary workspace and is volatile, which means its contents are lost when the computer is powered off.
7. Key-logging: the recording of keyboard input, giving the ability to read a user's typed passwords, emails and other confidential information.