In this chapter, you’ll learn more about:
· Defining computer forensics
· Understanding corporate forensic needs
· Understanding law enforcement forensic needs
· Training forensic practitioners
· Training end users
· Assessing your organization’s needs
Computer forensics is a fascinating field. As enterprises become more complex and exchange more information online, high-tech crimes are increasing at a rapid rate. The computer forensic industry has taken off in recent years, and it’s no surprise that a profession once regarded as a vague counterpart of network security has grown into a science all its own. In addition, numerous companies and professionals now offer computer forensic services as a main line of business.
A computer forensic technician is a combination of a private eye and a computer scientist. Although the ideal background for this field includes legal, technical, and law enforcement experience, many industries as well as government and military organizations use professionals with investigative intelligence and technology proficiency. A computer forensic professional can fill a variety of roles such as private investigator, corporate compliance professional, or law enforcement official.
This chapter introduces you to the concept of computer forensics, while addressing computer forensic needs from two views—corporate policy and law enforcement. It will present some real-life examples of computer crime. It will help you assess your organization’s needs and discuss various training methods used for practitioners and end users.
Defining Computer Forensics
The digital age has produced many new professions, but one of the most unusual is computer forensics. Computer forensics deals with the application of law to a science. The New Shorter Oxford English Dictionary defines computer forensics as “the application of forensic science techniques to computer-based material.” In other words, forensic computing is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is acceptable in a legal proceeding. At times, it is more science than art; other times, it is more art than science.
Computer investigation and analysis techniques that involve the identification, preservation, extraction, documentation, and interpretation of computer data to determine potential legal evidence.
Although it is similar to other forms of legal forensics, the computer forensics process requires a vast knowledge of computer hardware, software, and proper techniques to avoid compromising or destroying evidence. Computer forensic review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence; therefore, a professional within this field needs to have a detailed understanding of the local, regional, national, and sometimes even international laws affecting the process of evidence collection and retention. This is especially true in cases involving attacks that may be waged from widely distributed systems located in many separate regions.
Computer forensics can also be described as the critical analysis of a computer hard disk drive after an intrusion or crime. This is mainly because specialized software tools and procedures are required to analyze, after the fact, the various areas where computer data is stored. Often this involves retrieving deleted data from hard drives and servers that have been subpoenaed to appear in court or seized by law enforcement.
Any unauthorized access to a computer, including the use, alteration, or disclosure of programs or data residing on the computer.
During the course of forensic work, you will run into a practice that is called electronic discovery, or e-discovery. Electronic discovery produces electronic documents for litigation. Data that is created or stored on a computer, computer network, or other storage media is included in e-discovery. Examples include e-mail, word-processing documents, plaintext files, database files, spreadsheets, digital art, photos, and presentations. Electronic discovery using computer forensic techniques requires in-depth computer knowledge and the ability to logically dissect a computer system or network to locate the desired evidence. It may also require expert witness testimony to explain to the court the exact method or methods by which the evidence was obtained.
electronic discovery or e-discovery
The process whereby electronic documents are collected, prepared, reviewed, and distributed in association with legal and government proceedings.
Computer forensics has become a hot topic in computer security circles and in the legal community. It’s a fascinating field with far more information available than can be analyzed in a single book, although this book will provide you with an understanding of the basic skills you’ll need as a forensic investigator. Key skills in computer forensics are knowing the best places to look for evidence, and knowing when to stop looking. These skills come with time and experience.
In looking at the major concepts behind computer forensics, the main emphasis is on data recovery. To do that you must:
· Identify meaningful evidence
· Determine how to preserve the evidence
· Extract, process, and interpret the evidence
· Ensure that the evidence is acceptable in a court of law
All of these concepts are discussed in great detail throughout this book. Because computer-based information is fragile and can be easily fabricated, the simple presence of incriminating material is not always evidence of guilt. Electronic information is easy to create and store, yet computer forensics is a science that requires specialized training, experience, and equipment.
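The four steps above (identify, preserve, extract and interpret, keep the evidence admissible) can be illustrated with a small Python example. This code is added here and is not from the book; the evidence bytes, source label and examiner name are constructed, and the hash-plus-custody record stands in for whatever acquisition tool and case-management system an examiner actually uses.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: the bytes of a small acquired file (not real evidence).
SAMPLE_EVIDENCE = (
    b"From: user@example.test\nSubject: quarterly transfer\n\n"
    b"Move the reserve funds before the audit on Friday.\n"
)


def acquire(data: bytes, source: str, examiner: str) -> dict:
    """Preserve: hash the acquisition and open the chain-of-custody record."""
    return {
        "source": source,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "custody": [{"who": examiner, "action": "acquired",
                     "when": datetime.now(timezone.utc).isoformat()}],
    }


def log_custody(record: dict, who: str, action: str) -> dict:
    """Append one custody event; every hand-off or examination is recorded."""
    record["custody"].append({"who": who, "action": action,
                              "when": datetime.now(timezone.utc).isoformat()})
    return record


def verify(record: dict, data: bytes) -> bool:
    """Admissibility check: the copy examined must hash to the acquisition value."""
    return (len(data) == record["size"]
            and hashlib.sha256(data).hexdigest() == record["sha256"])


def extract_hits(record: dict, data: bytes, keywords: list) -> list:
    """Identify/extract: search only a working copy that has been verified."""
    if not verify(record, data):
        raise ValueError("working copy does not match acquisition hash; re-acquire")
    text = data.decode("utf-8", errors="replace").lower()
    return [kw for kw in keywords if kw.lower() in text]


if __name__ == "__main__":
    rec = acquire(SAMPLE_EVIDENCE, "constructed: workstation-01 mail export", "Examiner A")
    log_custody(rec, "Examiner A", "hashed and sealed")
    print(extract_hits(rec, SAMPLE_EVIDENCE, ["audit", "reserve funds", "bonus"]))
    print(json.dumps(rec, indent=2))
```

A single changed byte in the working copy fails `verify`, and `extract_hits` refuses to search it, which is the practical meaning of "preserve before you extract".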
Real World Scenario
Tales from the Trenches: Why Computer Forensics Matters
A computer forensic examiner might be called upon to perform any of a number of different types of computer forensic investigations.
We have all heard of or read about the use of computer forensics by law enforcement agencies to help catch criminals. The criminal might be a thief who was found with evidence of his crime when his home or office computer was searched, or a state employee who was found to have stolen funds from public accounts by manipulating accounting software to hide funds transfers.
Most of us know that computer forensics is used every day in the corporate business world to help protect the assets and reputation of large companies. Forensic examiners are called upon to monitor the activities of employees, assist in locating evidence of industrial espionage, and provide support in defending allegations of misconduct by senior management.
Government agencies hire computer forensic specialists to help protect the data the agencies maintain. Sometimes, it’s as simple as making sure IRS employees don’t misuse the access they have been granted to view your tax information by periodically reviewing their activities. Many times, it’s as serious as helping to defend the United States to protect the most vital top secret information by working within a counterintelligence group.
Every day, divorce attorneys ask examiners to assist in the review of personal computers belonging to spouses involved in divorce proceedings. The focus of such investigations usually is to find information about assets that the spouse may be hiding and to which the other spouse is entitled.
More recently, defense attorneys have asked forensic examiners to reexamine computers belonging to criminal defendants. Computer forensic experts have even been asked to reexamine evidence used in a capital murder case that resulted in the defendant’s receiving a death sentence. Such reexaminations are conducted to refute the findings of the law enforcement investigations.
Although each of these areas seems entirely unique, the computer forensic examiner who learns the basics, obtains appropriate equipment, follows proper procedures, and continues to educate himself or herself will be able to handle each of these investigations and many other types not yet discussed. The need for proper computer forensic investigations is growing every day as new methods, technologies, and reasons for investigations are discovered.