Tuesday, December 30, 2008

COMPUTER FORENSICS


The History of Computer Forensics
Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer data. In the mid-1980s these technology-related investigations were used exclusively by law enforcement and military agencies. The widespread use of computers in every home, business, and government facility has since revolutionized the storage of information. In our homes we use the computer to send email, access our banking information, do our taxes, purchase products, and surf the internet. Businesses use computers to manage customer information, perform accounting tasks, store trade secrets, and develop new products and services. Local, state and Federal governments use computers to record everything from criminal record databases to property taxes. At every level of society paper documentation has been replaced with digital documentation. This digital transformation created a need for computer forensic methods and procedures, new laws, forensic systems and equipment, and qualified computer forensic investigators.

By the late 1990s the need for computer forensics had grown to such levels that private industry began developing advanced tools for computer forensic evidence collection and analysis. Today, computer forensic investigators have become a powerful resource for attorneys and prosecutors in both civil and criminal proceedings. Computer forensic investigators lead the effort in cases involving online predators, child pornographers, hackers, fraudulent bank schemes, and even the domestic cheating spouse.

The Source of Evidence

Electronic evidence can be recovered from any device that stores information: a cell phone, a laptop computer, a USB memory stick, a digital voice recorder, and even a stick of computer RAM (whose contents are volatile and must be captured while the system is still running, since they are lost shortly after power is removed). The most common source of evidence is the computer hard drive, and in most forensic cases it is the primary source of the investigation. A hard drive is a device which stores digitally encoded data on rapidly rotating platters with magnetic surfaces. Older hard drives had removable media; today's drives are typically sealed units with fixed media.


Acquiring the Evidence
Following the usual documentation and custody procedures the computer forensic investigator assumes physical custody of the hard drive for examination and analysis. The hard drive is traditionally removed from the computer and connected to a "write blocker" device. The "write blocker" protects the integrity of the source hard drive by allowing data to flow only from the drive: read commands pass through, write commands never reach the media, so the evidence cannot be altered even by the operating system's own housekeeping (mounting, timestamp updates, indexing). The "write blocker" is then connected to the forensic computer running acquisition software, such as EnCase. The investigator starts an acquisition sequence that produces a complete bit-for-bit image of the source hard drive, including unallocated space and slack, for storage on the forensic file server. Once the acquisition is complete a verification step confirms that every sector of the source hard drive was copied faithfully: a cryptographic hash (MD5 and/or SHA-1 in the tools of the day) is computed over the data as it is read from the source, the finished image is re-read and hashed independently, and the two values must match. A mismatch means the image cannot be relied on and the drive must be re-acquired; unreadable sectors are recorded in the acquisition log. All subsequent analysis is performed on the verified image (or a copy of it), never on the original drive.
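The acquisition and verification steps above, as an added example that is not part of the original post and is not EnCase's own code. The drive is a constructed in-memory stand-in (FlakyDisk, with one sector that refuses to read) rather than a real device; the imaging loop zero-fills unreadable sectors the way dd's conv=noerror,sync does, records the acquisition hashes, and the verification pass re-reads the stored image and compares. Sector size, hash choices and file names are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

SECTOR = 512

# Constructed sample drive contents: 2048 bytes, i.e. exactly four sectors.
SAMPLE_DATA = bytes(range(256)) * 8


class FlakyDisk:
    """Stand-in for a physical source drive (constructed for this example).
    Reads return raw sector bytes; sectors listed in bad_sectors raise
    OSError, as a failing drive does when a sector will not read."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)
        self.sectors = (len(data) + SECTOR - 1) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(disk, image_path):
    """Copy every sector of `disk` into the file `image_path`.

    An unreadable sector is zero-filled and its number logged (the same
    behaviour as dd's conv=noerror,sync) so that every later sector keeps
    its original offset in the image. MD5 and SHA-1 are computed over
    exactly the bytes written; these are the acquisition hashes that the
    verification step is checked against."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    bad = []
    with open(image_path, "wb") as out:
        for n in range(disk.sectors):
            try:
                block = disk.read_sector(n)
            except OSError:
                bad.append(n)
                block = b"\x00" * SECTOR
            block = block.ljust(SECTOR, b"\x00")  # pad a short final sector
            out.write(block)
            md5.update(block)
            sha1.update(block)
    return {"sectors": disk.sectors, "bad_sectors": bad,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(image_path, record):
    """Independently re-read the finished image and hash it. Only a match
    with the acquisition hashes shows the stored image is byte-for-byte
    what was read from the source."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return (md5.hexdigest() == record["md5"]
            and sha1.hexdigest() == record["sha1"])


def demo():
    """Image a four-sector sample drive whose third sector is unreadable,
    then verify the image. Returns (acquisition record, verified?, path)."""
    image = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    record = acquire(FlakyDisk(SAMPLE_DATA, bad_sectors=[2]), image)
    return record, verify(image, record), image


if __name__ == "__main__":
    rec, ok, path = demo()
    print(f"{path}: {rec['sectors']} sectors, bad={rec['bad_sectors']}, "
          f"md5={rec['md5']}, verified={ok}")
```

The point of hashing the stream as it is read, rather than hashing the source drive a second time afterwards, is that a drive with failing sectors may not return the same bytes twice; the acquisition hash documents what was captured, and verification proves the stored image still matches it. Any later change to the image file, even a single appended byte, makes `verify` return False.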

Performing Analysis
Computer forensic analysis is the process by which an investigator deploys special tools, programs, and scripts to search through billions of bytes of information. These tools make what looks like an impossible task a routine procedure for the experienced forensic investigator. A basic search can locate and recover deleted or fragmented files, emails, web pages, chat conversations, credit card transactions, spreadsheets, documents, images, movie files, and system history files.

The investigator uses specific criteria during the initial search. Based on those findings the search criteria are modified to support a "target analysis". Suppose the investigator is working on a child pornography case and was directed to locate all movie files. A special script would be used to collect and deposit every fragment associated with a movie file type. Because a deleted file's name and extension may no longer exist in the file system, such scripts typically identify fragments by the file's header signature (the fixed bytes that begin each format) rather than by extension alone. If the investigator was seeking to locate fraudulent credit card transactions, a script would be run to collect every instance, across the entire history of the hard drive including unallocated space, where a credit card number appears.
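The two target analyses described above, as an added example that is not part of the original post and not EnCase's own script language: a signature-based carver that recovers files from a raw image without relying on the file system (JPEG cut between its header and footer markers, AVI cut at the length its RIFF header declares), and a credit card search that keeps only Luhn-valid 16-digit candidates so that random digit runs are not reported. The image is constructed inline for the demonstration; the signature table, the 16-digit assumption and the sample records are assumptions, not data from any case.

```python
import re
import struct


def riff_length(image, offset):
    """RIFF containers (AVI, WAV) carry their own size: a little-endian
    uint32 at offset 4 counting the bytes after the 8-byte RIFF header.
    Returns None unless the form type at offset 8 is 'AVI ', so WAV and
    other RIFF files are not carved as movies."""
    if image[offset + 8:offset + 12] != b"AVI ":
        return None
    return struct.unpack_from("<I", image, offset + 4)[0] + 8


# ext -> (header signature, footer signature or None, length function or None)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", None),
    "avi": (b"RIFF", None, riff_length),
}


def carve(image, signatures=SIGNATURES):
    """Scan a raw image for file signatures and return each recoverable
    file as {ext, offset, length, data}. Footer-delimited formats (JPEG)
    are cut at the next footer; self-describing containers (AVI) are cut
    at the length their header declares."""
    found = []
    for ext, (header, footer, length_fn) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            if footer is not None:
                end = image.find(footer, pos + len(header))
                end = None if end == -1 else end + len(footer)
            else:
                n = length_fn(image, pos)
                end = None if n is None or pos + n > len(image) else pos + n
            if end is None:  # header with no usable end: skip this hit
                pos = image.find(header, pos + 1)
                continue
            found.append({"ext": ext, "offset": pos, "length": end - pos,
                          "data": image[pos:end]})
            pos = image.find(header, end)
    return found


def luhn_ok(digits):
    """Luhn check-digit test; rejects most random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 16 digits, optionally separated by spaces or hyphens, not inside a longer run
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def find_card_numbers(image):
    """Every Luhn-valid 16-digit card-style number in the image, with its
    byte offset so the surrounding record can be examined."""
    hits = []
    for m in CARD_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            hits.append({"offset": m.start(), "number": digits})
    return hits


# Constructed raw image: zero filler, a JPEG whose directory entry is gone,
# a small AVI, and two order records of which only the first has a valid
# card number (4111 1111 1111 1111 is the standard Visa test number).
AVI_PAYLOAD = b"AVI LIST" + b"frame" * 10
SAMPLE_IMAGE = (
    b"\x00" * 600
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"IMAGEDATA" * 20 + b"\xff\xd9"
    + b"\x00" * 300
    + b"RIFF" + struct.pack("<I", len(AVI_PAYLOAD)) + AVI_PAYLOAD
    + b"\x00" * 50
    + b"ORDER#4471 CARD=4111 1111 1111 1111 EXP=09/10\n"
    + b"ORDER#4472 CARD=4111-1111-1111-1112 EXP=09/10\n"
    + b"\x00" * 100
)

if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        print(f"{f['ext']} at offset {f['offset']}, {f['length']} bytes")
    for hit in find_card_numbers(SAMPLE_IMAGE):
        print(f"card {hit['number']} at offset {hit['offset']}")
```

Running it against a real image means passing the bytes of the verified acquisition rather than `SAMPLE_IMAGE`; the offsets returned are what goes in the report, since they let anyone with the same image reproduce the finding. Header/footer carving will mis-cut a JPEG whose footer is missing or whose fragments are not contiguous, which is why the analyst reviews carved files rather than trusting the count.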


(Screenshot, not reproduced here: EnCase viewing the contents of a hard drive under analysis.) EnCase contains an extensive array of search and analysis tools to assist the investigator, and allows the investigator to search through billions of bytes of information quickly and efficiently.

Computer Forensics in Civil Law
Computer forensic investigators can be assigned to any case where the acquisition and analysis of electronic evidence is necessary to support it. In the private sector the most common type of investigation involves civil litigation. An infidelity investigation can reveal intimate details about the relationship and become instrumental in a divorce proceeding.
Integrity Security & Investigation Services, Inc. has performed thousands of computer forensic services since the fall of 2000. The company's Computer Forensic Investigator, Mr. Edmister, stated that there has been great demand for computer forensic services in divorce proceedings. Mr. Edmister stated that, "people forget about what they did 2 or 3 years ago. They think that because they have deleted the file from their computer it's gone forever. Of course, this is not the case." [permission granted to quote Mr. Edmister]

Computer Forensics in Criminal Law
Computer forensics in criminal litigation requires a great deal of preparation and procedural prowess to ensure that all the rules of evidence are closely followed. A single procedural violation, such as an undocumented gap in custody or an acquisition performed without write protection, could taint the evidence and result in the failed prosecution of a child pornographer. Every forensic investigator should be well versed in the procedures regarding chain of custody and handling of evidence.

Computer Forensics Protocol
Computer forensic investigators should adhere to a standard protocol made up of five phases: Consultation, Data Collection, Forensic Recovery & Analysis, Results & Reporting, and Affidavits & Testimony.

Phase 1 - Computer Forensics Consultation
Preparing for litigation involving Electronic Discovery is commonly viewed as a chess match between opposing attorneys. It is during this critical planning phase that the groundwork must be laid for Discovery Motions & Orders. Forensic Investigators work closely with attorneys throughout this phase.

Phase 2 – Computer Forensics Data Collection
The all-important task of assuming custody of electronic evidence must be performed in a manner that maintains strict adherence to "chain-of-custody procedures": who handled each item, when, and for what purpose is documented from the moment of seizure onward. It is equally important to ensure the proper resources are in place to secure all discoverable media as quickly as possible, before it can be altered or destroyed.

Phase 3 – Computer Forensics Recovery & Analysis
The process of recovering the electronic data from the "source hard drive(s)" must be accomplished by an approved method. The use of equipment and software that has not been validated and recognized by the courts poses many risks to the integrity of the forensic process, chiefly that the resulting evidence is challenged or excluded. Forensic Investigators use EnCase, a forensic acquisition and analysis system whose results have been accepted as evidence in United States courts.

One of the most significant aspects of the computer forensic process is the analysis phase. It is during this phase that the expertise of Forensic Investigators makes all the difference in the world. This phase relies on technical knowledge, investigative skills, reporting procedures, and overall knowledge of the advanced features of computer forensic systems.

Phase 4 – Computer Forensics Results & Reporting
After the analysis is completed it is crucial to provide seamless communication with attorneys and clients. Experience has taught us that this must be done in terms that all parties can understand and act on. Equally important is the reporting process, which must always produce a courtroom-worthy document: findings tied to the verified image by offset and hash, and reproducible by another examiner. From cases with one hard drive to complex litigation involving multiple sites and expanded networks, our Forensic Engineers are prepared to apply over a quarter century of experience.

Phase 5 – Computer Forensics Affidavits & Testimony
Experienced Computer Forensic Engineers can provide affidavits and expert testimony. It is imperative that an expert witness possesses the communication skills necessary to deliver presentations and explain technical findings to jurors in understandable terms.
