

Fresh Advice:

The most important part of your PC is your data. In the event of a serious system crash, you can usually restore the operating system and programs that you use, but your personal data may be lost. Although emergency data recovery options are available, these will tend to be costly and there is no guarantee that everything you want can be recovered. A better approach is to start a regular routine of backing up your important data.


Your data should be backed up as often as possible. It isn't necessary to back up your whole hard drive. Identify the folders that hold your important files and back up only those folders to save on storage space. To find out where your files are being stored, use "Save As" instead of just hitting "Save" when you create or update your files, and note the location the program is using to write your data.
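The routine above (pick the folders that matter, archive only those, and keep a way to check that the copy is good) as a small script. This is an added example, not part of the original article; the folder names, file contents and the zip-plus-manifest layout are constructed for the demonstration, and a real run would pass your own folder paths to backup_folders.

```python
"""Selective folder backup with a SHA-256 manifest (added example)."""
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def backup_folders(folders, dest_dir):
    """Archive only the listed folders into a timestamped zip.

    Returns (archive_path, manifest) where manifest maps each archived
    file's path inside the zip to its SHA-256 so a restore can be verified.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(dest_dir, f"backup-{stamp}.zip")
    manifest = {}
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for folder in folders:
            base = os.path.basename(os.path.normpath(folder))
            for root, _, files in os.walk(folder):
                for name in files:
                    full = os.path.join(root, name)
                    # Zip members always use forward slashes, whatever the OS.
                    rel = base + "/" + os.path.relpath(full, folder).replace(os.sep, "/")
                    zf.write(full, rel)
                    manifest[rel] = sha256_file(full)
        zf.writestr("MANIFEST.json", json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest


def verify_backup(archive):
    """Re-hash every member of the archive against its manifest entry.

    Returns the list of member paths whose content does not match (empty = good).
    """
    mismatched = []
    with zipfile.ZipFile(archive) as zf:
        manifest = json.loads(zf.read("MANIFEST.json"))
        for rel, expected in manifest.items():
            if hashlib.sha256(zf.read(rel)).hexdigest() != expected:
                mismatched.append(rel)
    return mismatched


def demo():
    """Build two constructed folders, back them up and verify the archive."""
    work = tempfile.mkdtemp()
    docs = os.path.join(work, "Documents")
    photos = os.path.join(work, "Pictures")
    os.makedirs(os.path.join(docs, "tax"))
    os.makedirs(photos)
    with open(os.path.join(docs, "tax", "2007.txt"), "w") as f:
        f.write("constructed sample document\n")
    with open(os.path.join(photos, "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff constructed sample image bytes")
    archive, manifest = backup_folders([docs, photos], work)
    return len(manifest), verify_backup(archive)


if __name__ == "__main__":
    print(demo())
```

Run verify_backup against an archive before you rely on it: a backup that was never read back is not known to be restorable, and the manifest is what lets you tell a silently corrupted copy from a good one.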

Computer Forensics Explained


At a basic level, computer forensics is the analysis of information contained within and created with computer systems and computing devices, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved.


This can be for the purpose of performing a root cause analysis of a computer system that had failed or is not operating properly, or to find out who is responsible for misuse of computer systems, or perhaps who committed a crime using a computer system or against a computer system. This being said, computer forensic techniques and methodologies are commonly used for conducting computing investigations - again, in the interest of figuring out what happened, when it happened, how it happened, and who was involved.


Think about a murder case or a case of financial fraud. What do the investigators involved in these cases need to ascertain? What happened, when did it happen, how did it happen, and who was involved.


In many cases, information is gathered during a computer forensics investigation that is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the space allocated for existing files - known by computer forensic practitioners as slack space. Special skills and tools are needed to obtain this type of information or evidence. Think of a case where the specific firearm that fired a bullet needs to be identified. This information could not be readily ascertained by just any member of law enforcement, so a ballistics professional with special skills and tools is needed.


The more technical definition we use at CyberSecurity Institute to describe computer forensics or forensic computing in the vein of computer crime or computer misuse is as follows:


The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.


Let's break this definition down.


Preservation
When performing a computer forensics analysis, we must do everything possible to preserve the original media and data. Typically this involves making a forensic image or forensic copy of the original media, and conducting our analysis on the copy versus the original.


Identification
In the initial phase, this has to do with identifying the possible containers of computer related evidence, such as hard drives, floppy disks, and log files to name a few. Understand that a computer or hard drive itself is not evidence - it is a possible container of evidence.


In the analysis phase, this has to do with identifying the information and data that is actually pertinent to the situation at hand: sifting through gigabytes of information, conducting keyword searches, looking through log files, and so on.
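A worked illustration of the two ideas above, slack space (from the earlier paragraph) and keyword searching over the raw data of a working copy: an added example, not code from the article or from CyberSecurity Institute. It uses a toy cluster layout (512-byte clusters, a hand-written directory table) rather than any real filesystem, and the "disk image" with its deleted-document remnants is constructed inline so the script runs offline. The point it shows is that a hit's location matters: the same keyword can sit in a live file, in the slack behind a live file, or in an unallocated cluster, and a report has to say which.

```python
"""Keyword search over a raw image, classifying hits as allocated, slack or unallocated.

Added example: a toy cluster-based layout, not any real filesystem.
"""
CLUSTER = 512  # bytes per cluster in the constructed layout

# Directory table: name -> (logical file size, ordered list of cluster numbers).
DIRECTORY = {"notes.txt": (600, [0, 1])}


def build_image():
    """Construct a 4-cluster image with remnants of a deleted file still on disk."""
    image = bytearray(b"." * (4 * CLUSTER))
    # Remnants of an earlier, now deleted, document (constructed sample data).
    image[700:707] = b"PAYMENT"      # will end up in the slack of notes.txt
    image[1500:1507] = b"PAYMENT"    # will end up in an unallocated cluster
    # notes.txt is then written over clusters 0-1, using only 600 of 1024 bytes,
    # so the tail of cluster 1 keeps whatever was there before.
    content = bytearray(b"x" * 600)
    content[100:107] = b"PAYMENT"
    image[0:600] = content
    return bytes(image)


def classify(offset, directory=DIRECTORY):
    """Return 'allocated', 'slack' or 'unallocated' for a byte offset in the image.

    A hit that straddles the end of a file is classified by its starting byte.
    """
    cluster = offset // CLUSTER
    for _name, (size, chain) in directory.items():
        if cluster in chain:
            logical = chain.index(cluster) * CLUSTER + offset % CLUSTER
            return "allocated" if logical < size else "slack"
    return "unallocated"


def keyword_search(image, keyword, directory=DIRECTORY):
    """Find every occurrence of keyword in the image and label where each one lives."""
    hits = []
    start = image.find(keyword)
    while start != -1:
        hits.append((start, classify(start, directory)))
        start = image.find(keyword, start + 1)
    return hits


def extract_slack(image, name, directory=DIRECTORY):
    """Bytes between a file's logical end and the end of its last cluster."""
    size, chain = directory[name]
    last = chain[-1]
    used_in_last = size - (len(chain) - 1) * CLUSTER
    return image[last * CLUSTER + used_in_last:(last + 1) * CLUSTER]


if __name__ == "__main__":
    img = build_image()
    for off, where in keyword_search(img, b"PAYMENT"):
        print(f"offset {off:5d}: {where}")
    print(len(extract_slack(img, "notes.txt")), "bytes of slack behind notes.txt")
```

On a real image the directory table comes from parsing the filesystem metadata, and the cluster size from the boot sector, but the classification logic is the same: map the physical offset back to a logical file offset and compare it with the file's recorded size.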


Extraction
Any evidence found relevant to the situation at hand will need to be extracted from the working copy media and then typically saved to another form of media as well as printed out.


Interpretation
This is a biggie. Understand that just about anyone can perform a computer forensics "analysis." Some of the GUI tools available make it extremely easy. Being able to find evidence is one thing; the ability to properly interpret it is another story. Entire books could be written citing examples of when computer forensics experts misinterpreted the results of a forensic analysis. We'll cite one example.


The experts for the prosecution in a case used a popular GUI tool that came with a script for finding Internet search engine activity. When they ran the script, they found literally hundreds and hundreds of "searches" that supposedly had been conducted by the defendant. Therefore, the defendant had intentionally accessed certain types of information related to these searches - the searches showed intent.


When the experts for the defense examined the same evidence, they realized that each and every one of these "searches" was actually a hyperlink and not a search at all. The hyperlinks were formed in such a way that when a link was clicked, a database was searched to pull up the most current information related to the link. The way that the links within the page were formed was what the GUI tool homed in on, as they were formed similarly to fragments and Web pages that could be found to indicate search engine activity.


The experts for the prosecution took for granted that their automated tool was accounting for any variables, and would only show them searches that had actually been conducted. A big mistake. These experts lacked the technical skills to authenticate their results, so they depended entirely on a single automated tool.

This leads to a very important lesson. Results from any tool should always be thoroughly checked by someone versed in the underlying technology to see if what appears to be a duck is actually a duck.
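The duck test from the story, reduced to code. This is an added example and not the tool or script from the case: the history entries and hostnames are constructed placeholders (the .example names stand in for whatever the real sites were), and the list of verified search hosts is an assumption an examiner would have to establish for the case. The naive detector flags anything with a q= parameter, which is roughly the shape the script in the story keyed on; the validated version only counts a hit when the host is a known search engine and sends everything else to a review list instead of silently counting it.

```python
"""Naive vs. validated 'search activity' detection over browser history entries.

Added example with constructed history lines; hostnames are placeholders.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what a history export might contain: (URL, page title).
HISTORY = [
    ("http://search.example/search?q=tax+software", "tax software - Search"),
    ("http://news.example/stocks?q=ACME&view=latest", "ACME latest quote"),
    ("http://news.example/stocks?q=GLOBEX&view=latest", "GLOBEX latest quote"),
    ("http://shop.example/cart?id=42", "Your cart"),
]

# Hosts the examiner has independently verified are search engines (assumed list).
KNOWN_SEARCH_HOSTS = {"search.example"}


def naive_search_hits(history):
    """What the script in the story effectively did: any URL with q= is a 'search'."""
    return [url for url, _title in history if "q" in parse_qs(urlsplit(url).query)]


def validated_search_hits(history, known_hosts=KNOWN_SEARCH_HOSTS):
    """Count a hit only when the host is a verified search engine.

    Returns (confirmed, needs_review): confirmed entries carry the search term,
    review entries carry the title and the reason they were not counted.
    """
    confirmed, needs_review = [], []
    for url, title in history:
        parts = urlsplit(url)
        q = parse_qs(parts.query).get("q")
        if not q:
            continue
        if parts.hostname in known_hosts:
            confirmed.append((url, q[0]))
        else:
            # Same URL shape, but the host is not a search engine: most likely a
            # site-internal lookup link, which is exactly the false positive in the text.
            needs_review.append((url, title, f"q= on non-search host {parts.hostname}"))
    return confirmed, needs_review


if __name__ == "__main__":
    print("naive count:", len(naive_search_hits(HISTORY)))
    confirmed, review = validated_search_hits(HISTORY)
    print("confirmed searches:", confirmed)
    for url, title, reason in review:
        print("REVIEW:", url, "|", title, "|", reason)
```

The design choice worth copying is the second return value: a tool that cannot decide should hand the item to a person with a stated reason, not drop it and not count it. Three naive hits become one confirmed search and two items for an examiner to look at.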


In the very same case, the experts for the defense recovered reams of email that the prosecution experts did not find. This was due to the fact that the prosecution experts simply did not know how to find it.


It is interesting to note that both the experts for the defense and the prosecution used the same primary tool in their analysis. The differences in what was found by one side versus the other, as well as the differences in interpretation, were due to the experience and education levels of the experts - it had nothing to do with the tool being used.


Documentation
Documentation needs to be kept from beginning to end, as soon as you become involved in a case. This includes what is commonly referred to as a chain of custody form, as well as documentation pertinent to what you do during your analysis. We cannot overemphasize the importance of documentation. When involved in a situation where you are conducting a computer forensics analysis, we recommend that you establish and keep the mindset that the case or situation is going to end up in court. This will go a long way in helping you to make sure that you are keeping the appropriate documentation. Take for granted that you will be questioned on every aspect of the case, and everything that you do.
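Two of the steps above in code: preservation (hash the original, work on a copy that is proven bit-for-bit identical) and documentation (a chain of custody record you can later show has not been altered). This is an added example, not CyberSecurity Institute's own procedure or form; the evidence file names and contents are constructed, and the hash-chained log format is one reasonable design, not a standard anyone requires.

```python
"""Forensic copy verification plus a tamper-evident chain-of-custody log.

Added example; file names and contents are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_working_copy(original, copy_path):
    """Copy the acquired image and prove the copy is identical to it.

    Analysis is done on the copy; the original is hashed once and set aside.
    Returns the hash so it can go into the custody record.
    """
    original_hash = sha256_file(original)
    shutil.copyfile(original, copy_path)
    if sha256_file(copy_path) != original_hash:
        raise RuntimeError("working copy does not match original image")
    return original_hash


class CustodyLog:
    """Append-only custody record where each entry commits to the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, action, item, item_hash, handler):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "item": item,
            "item_hash": item_hash,
            "handler": handler,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Recompute every link; return the index of the first bad entry, or -1 if intact."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_entry_hash"] != prev or recomputed != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return -1


def demo():
    """Acquire a constructed image, make a verified copy, then show the log catching an edit."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "evidence-001.dd")
    with open(original, "wb") as f:
        f.write(b"constructed image contents " * 1024)
    copy = os.path.join(work, "evidence-001-working.dd")
    log = CustodyLog()
    h = make_working_copy(original, copy)
    log.record("acquired", "evidence-001.dd", h, "examiner A")
    log.record("working copy created", "evidence-001-working.dd", h, "examiner A")
    intact = log.verify()
    # Simulate an earlier entry being edited after the fact.
    log.entries[0]["handler"] = "someone else"
    return intact, log.verify()


if __name__ == "__main__":
    print(demo())
```

The log is only tamper-evident, not tamper-proof: anyone who can rewrite the whole file can re-chain it. Its value comes from copies held elsewhere (a printed form, a hash recorded in your notes) that the chain can be checked against, which is the same reason the article says to keep documentation as if it will end up in court.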


Rules of Evidence
There are various tests that courts can apply to the methodology and testimony of an expert in order to determine admissibility, reliability, and relevancy. The particular test(s) used will vary from state to state and even from court to court within the same state. Commonly, you will hear about the Frye test and the Daubert test. You need to be aware of the Rules of Evidence for your locale and situation. Your best bet is to ask legal counsel about any Rules of Evidence that you need to be aware of pertinent to the situation, and familiarize yourself with this information early on.


We recommend that you find and read the Federal Rules of Evidence on the Internet, and conduct searches using the terms "daubert test" and "frye test" as keywords.


Legal Processes
This has to do with the processes and procedures for search warrants, depositions, hearings, trials, and discovery just to name a few.


This can also be related to processes relevant to your employer, as well as conducting computing investigations internally for your employer.


If you are conducting computing investigations for your employer, the best advice we can offer is to work as closely as possible with legal counsel and those in your Human Resources department before and during a computing investigation. You'll not know everything you need to know when you start working in this field - it is a learning process.


Integrity of Evidence
This has to do with keeping control over everything related to the case or situation. We are talking about establishing and keeping a chain of custody, as well as making sure that you do not alter or change the original media. As well, you cannot discuss the specifics of the case or situation with people who are not involved.

Factual Reporting of the Information Found

Your findings and reports need to be based on proven techniques and methodology, and you as well as any other competent forensic examiner should be able to duplicate and reproduce the results.


Providing Expert Opinion
You may have to testify or relate your findings and opinions about your findings in a court of law or other type of legal or administrative proceeding.

