Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.
Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within U.S. and European court systems.
When and how is computer forensics used?
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies were among the earliest and heaviest users of computer forensics – as a result they’ve often been at the forefront of developments in the field.
Computers can be considered a ‘scene of a crime’ – for example with hacking or denial of service attacks. They may hold evidence of crimes that happened elsewhere, in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud or drug trafficking.
A forensic computer exam can reveal more than expected
Investigators are not only interested in the content of emails, documents and other files, but also in the metadata associated with those files. Records of a user’s actions may also be stored in log files and other applications on a computer, such as internet browsers.
So a computer forensic examination might reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.
Commercial organisations have used computer forensics to help with all kinds of cases, including:
- Intellectual Property theft
- Employment disputes
- Invoice fraud, often enabled by phishing emails
- Inappropriate email and internet use in the workplace
- Regulatory compliance
Guidelines for successful computer forensics
If evidence found during a computer forensic investigation is to be admissible, it must be reliable and ‘not prejudicial’, which means the examiner needs to keep admissibility in mind at every stage of an investigation.
The U.K.’s Association of Chief Police Officers’ Good Practice Guide for Digital Evidence – or ACPO Guide – is a widely used and respected set of guidelines for investigators. ACPO has now become the National Police Chiefs’ Council. The guide has not been updated for several years but its content remains relevant; the technologies change but the principles remain constant.
The four main principles from the ACPO Guide
Please note references to law enforcement have been removed.
- No action should change data held on a computer or storage media which may be subsequently relied upon in court.
- In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third-party should be able to examine those processes and achieve the same result.
- The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Use as evidence
In court, computer forensic evidence is subject to the usual requirements for digital evidence. This requires that information be authentic, reliably obtained, and admissible. Different countries have specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often follow Association of Chief Police Officers guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts.
Computer forensics has been used as evidence in criminal law since the mid-1980s; some notable examples include:
- BTK Killer: Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named “Dennis” at “Christ Lutheran Church”; this evidence helped lead to Rader’s arrest.
- Joseph E. Duncan III: A spreadsheet recovered from Duncan’s computer contained evidence that showed him planning his crimes. Prosecutors used this to show premeditation and secure the death penalty.
- Sharon Lopatka: Hundreds of emails on Lopatka’s computer led investigators to her killer, Robert Glass.
- Corcoran Group: This case confirmed parties’ duties to preserve digital evidence when litigation has commenced or is reasonably anticipated. Hard drives were analyzed by a computer forensics expert who could not find relevant emails the defendants should have had. Though the expert found no evidence of deletion on the hard drives, other evidence established that the defendants had intentionally destroyed emails, and had misled and failed to disclose material facts to the plaintiffs and the court.
- Dr. Conrad Murray: Dr. Conrad Murray, the doctor of the deceased Michael Jackson, was convicted partially by digital evidence on his computer. This evidence included medical documentation showing lethal amounts of propofol.
The stages of a computer forensics examination
The process is divided into six stages.
Forensic readiness is an important and occasionally overlooked stage in the process. In commercial computer forensics, it might include educating clients about system preparedness. For example, forensic examinations provide stronger evidence if a device’s auditing features are activated before an incident takes place.
For the forensic examiner, readiness includes appropriate training, testing and verification of their own software and equipment. They need to be familiar with legislation, know how to deal with unexpected issues (such as what to do if child abuse images are found during a fraud engagement) and ensure their data acquisition computer and associated items are suitable for the task.
During the evaluation stage, the examiner receives instructions and seeks clarification if any of these are unclear or ambiguous, carries out risk analysis and allocates roles and resources. For law enforcement, risk analysis might include assessing the likelihood of physical threat on entering a suspect’s property and how best to deal with it.
Commercial organisations also need to consider health and safety issues, conflict of interest issues and possible risks – financial and to their reputation – when they accept a particular project.
If data acquisition (often called ‘imaging’) is carried out on-site rather than at the computer forensic examiner’s office, this stage includes identifying and securing devices which may store evidence, and documenting the scene.
The examiner would also hold interviews or meetings with personnel who might have information relevant to the examination – such as the computer’s end-users, the manager and the person responsible for computer services, i.e. an IT administrator.
The collection stage can also involve the labelling and bagging of items from the site which may be used in the investigation – these are sealed in numbered tamper-evident bags. The material then needs to be securely and safely transported to the examiner’s office or laboratory.
Analysis includes the discovery and extraction of information gathered in the collection stage. The type of analysis depends on the needs of each case. It can range from extracting a single email to piecing together the complexities of a fraud or terrorism case.
During analysis the examiner usually feeds back to their line manager or client. These exchanges may result in the analysis taking a different path or narrowing to specific areas. Forensic analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the available timescales and allocated resources.
There are multiple tools available for computer forensics analysis. The examiner should use any tool they feel comfortable with, as long as they can justify their choice. A computer forensic tool must do what it’s meant to do, so examiners need to regularly test and calibrate their tools before carrying out any analysis.
Examiners can also use ‘dual-tool verification’ to confirm the integrity of their results during analysis. For example, if the examiner finds artefact X at location Y using tool A, they should be able to replicate these results with tool B.
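As an added example (not code from the original article), the following Python sketch makes ACPO principles 1 and 3 and the dual-tool verification just described concrete: the image is digested through a read-only handle, every action is appended to a JSON-lines audit trail recording examiner, tool and digests, and an independent re-run recomputes the digests and compares them with the trail. The file names, examiner and tool names are placeholders I chose, and the 3-byte ‘image’ is constructed sample data.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Digest the file in chunks. Opening it O_RDONLY is a software stand-in for a
    write-blocker: nothing here can alter the source (ACPO principle 1)."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with os.fdopen(os.open(path, os.O_RDONLY), "rb") as f:
        while chunk := f.read(chunk_size):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def record_action(trail_path, examiner, tool, action, evidence_path):
    """Append one audit-trail entry (ACPO principle 3) as a JSON line: who did
    what, with which tool, when, and the evidence digests at that moment."""
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "tool": tool, "action": action,
             "evidence": os.path.basename(evidence_path),
             "digests": hash_file(evidence_path)}
    with open(trail_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def reproduce(trail_path, evidence_path):
    """Independent re-run: recompute the digests now and compare them with every
    trail entry for this item. Returns (all_match, mismatched_entries)."""
    current, name = hash_file(evidence_path), os.path.basename(evidence_path)
    with open(trail_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    bad = [e for e in entries if e["evidence"] == name and e["digests"] != current]
    return not bad, bad

def demo():
    """Walk-through on a constructed 3-byte 'image' (sample data, not real evidence)."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "disk01.dd")  # placeholder name
    trail = os.path.join(workdir, "audit_trail.jsonl")
    with open(evidence, "wb") as f:
        f.write(b"abc")
    first = record_action(trail, "examiner-1", "tool-A", "acquire", evidence)
    record_action(trail, "examiner-2", "tool-B", "dual-tool verification", evidence)
    ok_before, _ = reproduce(trail, evidence)
    with open(evidence, "ab") as f:  # simulate an unintended change to the image
        f.write(b"!")
    ok_after, bad = reproduce(trail, evidence)
    return first["digests"], ok_before, ok_after, len(bad)
```

In a real examination the digests of the original device and of its image are recorded separately, and the second run in dual-tool verification comes from a genuinely different tool rather than a second call to the same function.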
In the reporting stage, the examiner produces a structured report on their findings, addressing the points in the initial instructions, along with any further instructions they have received. The report should also cover any other information the examiner deems relevant to the investigation.
The report must be written with the end reader in mind. Often the reader will be non-technical, so appropriate terminology should be used. The examiner may need to participate in meetings or conference calls to discuss and elaborate on their report.
Like the Readiness stage, the Review is often overlooked or disregarded, because it’s not billable work or because the examiner needs to get on with the next job. But carrying out a review of each examination can make future projects more efficient and time-effective, which saves money and improves quality in the longer term.
The review of an examination can be simple, quick and begin during any of the above stages. It could include a basic analysis of what went wrong and what went well, along with feedback from the person/company who requested the investigation. Any lessons learnt from this stage should be applied to future examinations and feed into the Readiness stage.