

Fresh Advice:

The most important part of your PC is your data. In the event of a serious system crash, you can usually restore the operating system and programs that you use, but your personal data may be lost. Although emergency data recovery options are available, these will tend to be costly and there is no guarantee that everything you want can be recovered. A better approach is to start a regular routine of backing up your important data.


Your data should be backed up as often as possible. It isn't necessary to back up your whole hard drive: identify the folders that hold your important files and back up only those folders to save on storage space. To find out where your files are being stored, use "Save As" instead of just hitting "Save" when you create or update your files, and note the location the program is using to write your data.



"Computer Forensics involves the preservation, identification, extraction, documentation and interpretation of computer data. The basic methodology consists of what you can think of as the three A's:


Acquire the evidence without altering or damaging the original
Authenticate that your recovered evidence is the same as the original data
Analyze the data without modifying it." [1].


These three steps are the framework of every forensic investigation. The details of a specific investigation will depend upon its circumstances and objectives, but the assessment will always follow these same three steps.
There are many possible goals other than successful criminal prosecution. Sometimes forensics is conducted to determine the root cause of an event so that it will not happen again. This goal is important: "You have to fully understand the extent of your problem before you can be reasonably sure that it will not be exploited again" [1]. The problem also has to be fully understood before it can be responded to correctly. In addition to determining what happened, forensics can also address the question of who was responsible.


Acquire the Evidence


Deciding whether to let a machine continue to run, to pull the power plug from the back of the computer, or to perform the normal shutdown process is one of the longest-running arguments in the computer forensics field. Many investigators claim that they always pull the plug, as it is the only way to freeze the system in its current state. However, this results in the loss of data associated with the attacking process, and it may corrupt data on the hard drive. "The ideal way to examine a system and maintain the most defensible evidence is to freeze it and examine a copy of the original data" [1]. However, management often refuses to allow the shutdown of a system, especially if the system will be down for an indeterminate length of time.
Handling of evidence is a very precise process in which certain rules must be followed. If the evidence is not taken care of, the entire investigation will be compromised. The courts may choose to reject evidence if there are any inadequacies in the process.
"You must accurately count and identify the evidence. You can use a label maker for identification, or you can use stickers or tags, as long as they will not easily come off and they are large enough to include:

The case number
A brief description
Your signature
The date and time evidence was collected" [1]

Documenting the investigation can prove difficult for computer professionals. "If you aren't careful, you can become so engrossed in your analysis that you can totally forget to take notes" [1].


Authenticate the Evidence


"Computer drives slowly deteriorate, but neither readable text nor illegal pictures appear at random through the action of digital wear and tear." [1]. It therefore follows that any text or picture found as part of digital evidence has a deliberate human source. In the digital world it can be proven that evidence did not change after it was collected. Simple techniques allow the evidence to be timestamped, so it can be shown "that it was in existence at a specific point in time" [1].


Analyze the Evidence

The main rule of analysis is that the investigation should never be carried out on the original evidence. The image acquisition must also always be performed in an environment that does not alter the original evidence, which can mean that there are limitations concerning which operating system can be booted from a floppy disk. A forensic backup is important because it produces a bit-for-bit clone of the hard drive. A "normal" backup does not copy deleted files and other parts of the hard drive, which may prove critical to the investigation.
Before undertaking the analysis of the disk, the forensic investigator will develop a sense of the suspect's technical abilities. If the suspect uses standard software, it is unlikely that the user will have encrypted files to conceal evidence. However, if the suspect has more specialised software (e.g. password-cracking tools), the forensic investigator will need to be more alert to sophisticated attempts to hide data.
First, the investigator will use a hex editor or a forensic program (EnCase [7]) to search for terms related to the case. Once the keyword search is complete, the next task is to retrieve deleted files. These deleted files can be recovered manually using a hex editor or with file-retrieval software such as Norton Unerase. "As you locate evidence, save copies of it on the hard drive of your analysis workstation. You may also want to clean up the formatting to make the file more legible and for inclusion in your reports" [1].
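The acquisition and authentication steps above fit together in a single routine: read the source bit for bit, write the image, hash both, and record the hash with a timestamp so that any later change to the image can be detected. The following Python is an added illustration written for this page, not code from [1] or from any forensic product; it works on a constructed sample "device" file (a real acquisition reads a block device behind a write blocker, which is assumed here rather than shown).

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB pieces so a large device never has to fit in memory


def sha256_of(path):
    """Hash a file (or block device) in streaming fashion."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of `source` into `image_path`, hashing the source as it is read.

    The source is opened read-only and never written to. Returns the hash computed
    from the source stream, the hash of the finished image, and an acquisition record
    (hash plus UTC timestamp) that is kept with the case notes.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    source_hash = h.hexdigest()
    image_hash = sha256_of(image_path)  # independent re-read of what was written
    record = {
        "source": source,
        "image": image_path,
        "sha256": source_hash,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(image_path),
    }
    return source_hash, image_hash, record


def verify_image(record):
    """Re-hash the image and compare with the hash recorded at acquisition time."""
    return sha256_of(record["image"]) == record["sha256"]


def demo():
    """Constructed scenario: acquire a tiny fake device, then detect a later change."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "device.bin")
        img = os.path.join(d, "device.dd")
        with open(dev, "wb") as f:
            # Two 512-byte "sectors": one live file, one region a normal backup would skip.
            f.write(b"LIVE FILE CONTENT".ljust(512, b"\x00"))
            f.write(b"deleted but still on disk".ljust(512, b"\x00"))
        src_hash, img_hash, record = acquire_image(dev, img)
        intact_before = verify_image(record)
        # Simulate an accidental write to the image; verification must now fail.
        with open(img, "r+b") as f:
            f.seek(600)
            f.write(b"X")
        intact_after = verify_image(record)
        return src_hash == img_hash, intact_before, intact_after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The two hashes (stream hash of the source, file hash of the image) agreeing is what makes the image defensible as a clone; the recorded hash and timestamp are what let an examiner later show the copy is unchanged since collection. Analysis work is then done on a further copy of the image, never on the original medium.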
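What a hex editor or forensic tool does in the keyword-search and deleted-file steps can be shown on a raw image in a few lines. The Python below is an added example for this page and is not code from [1], EnCase or Norton Unerase. It searches the whole image, including space outside any live file, for a keyword in both ASCII and UTF-16LE form (Windows stores many strings in the latter), and it carves deleted files by file signature; the image and the two signatures are constructed assumptions for the demonstration.

```python
import re

# File signatures used for carving: (header bytes, trailer bytes). Assumed set for the demo.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def keyword_hits(image, keywords, context=16):
    """Case-insensitive search of the raw image for each ASCII keyword.

    Each keyword is searched as plain ASCII and as UTF-16LE, since the latter is how
    many Windows artefacts store text. Returns one dict per hit with the byte offset and
    a little surrounding context, so the examiner can note where the evidence sits.
    """
    hits = []
    for kw in keywords:
        variants = [("ascii", kw), ("utf-16le", kw.decode("ascii").encode("utf-16-le"))]
        for encoding, pattern in variants:
            for m in re.finditer(re.escape(pattern), image, re.IGNORECASE):
                start = max(0, m.start() - context)
                hits.append({
                    "keyword": kw,
                    "encoding": encoding,
                    "offset": m.start(),
                    "context": image[start:m.end() + context],
                })
    return hits


def carve(image, kinds=SIGNATURES):
    """Signature-based recovery: from each header, take bytes up to the next trailer.

    This ignores the file system entirely, which is why it recovers deleted files that a
    normal backup would never copy. Returns (kind, offset, data) for each carved object.
    """
    found = []
    for kind, (header, trailer) in kinds.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(trailer, start + len(header))
            if end < 0:
                break
            end += len(trailer)
            found.append((kind, start, image[start:end]))
            pos = end
    return found


def build_sample_image():
    """Constructed 2 KiB image: four 512-byte sectors, two of them 'deleted' content."""
    sector = lambda b: b.ljust(512, b"\x00")
    return b"".join([
        sector(b"live: invoice for ACME Ltd"),                       # live file text
        sector(b"\xff\xd8\xff\xe0JFIF fake picture data\xff\xd9"),   # deleted JPEG
        sector("Acme".encode("utf-16-le")),                          # UTF-16LE string
        sector(b"%PDF-1.4 fake pdf %%EOF"),                          # deleted PDF
    ])


if __name__ == "__main__":
    img = build_sample_image()
    for h in keyword_hits(img, [b"acme"]):
        print(h["encoding"], h["offset"], h["context"])
    for kind, off, data in carve(img):
        print(kind, off, len(data), "bytes")
```

Both functions operate on a copy of the image loaded into memory; nothing writes back to it, in keeping with the rule that analysis never modifies the evidence. Carved objects and hit offsets are what get saved to the analysis workstation and referenced in the report.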

