
Thursday, October 30, 2008

Computer Forensics

The world is becoming a smaller place to live and work. We bank electronically, and are more likely to receive an email than a letter. Criminal activity has, to a large extent, also moved from a physical dimension to a cyber dimension. As early as 1984, the FBI Laboratory and other law enforcement agencies began developing programs to examine computer evidence. For the most part these examinations were scattered throughout the agency, but the trend now appears to be toward moving them into a laboratory environment. Computer Forensics is defined as “the science of identifying, recovering, extracting, preserving, and documenting ESI (Electronically Stored Information) so that it can be presented as evidence in a court of law.” This science was created to address the specific needs of law enforcement and to make the most of electronic evidence. Computer forensics has been an evidence gathering tool for technology-related investigations and intelligence gathering in law enforcement and military agencies since the mid-1980s. However, only since 1999 have tools been developed that make the examination process comprehensive, expedient, and financially feasible.
There are five basic steps to the computer forensic process: Preparation of the investigator, Collection of the data, Examination of the data, Analysis of the data, and Reporting of the findings.

The investigators must first acquire the equipment that is needed for each investigation. This can include the normal equipment used in a traditional forensic investigation, such as cameras, notepads, crime scene tape, cable tags, and stick-on labels. It can also include tools for the operating systems involved, data recovery software, disk imaging software, decryption software, and file viewers. Investigators should never work directly from the original media collected as evidence, because that evidence must be preserved. They should also be aware of the court rules that govern evidence and be sure to follow those rules closely.

According to a veteran law enforcement officer and trainer, the most important aspect of a computer forensic investigation is gathering the evidence. He said that all the computer technology in the world for forensics is only as good as the evidence (input) that is fed into it. So when the officers or detectives arrive on the scene, it is imperative that the scene remain sterile. It is also imperative that evidence is gathered using proper procedures so as not to contaminate it. Once all the evidence has been gathered, the data can be processed by the computers, other machines, labs, etc. It really is amazing how much information investigators can glean from the technology. However, he again stressed that the computers are only as good as their human counterparts. If the data has been contaminated or gathered in a manner inconsistent with proper protocol, then the output of the forensic process will not be good either.

Computer forensic examinations are conducted in forensic laboratories, data processing departments, and in some cases, the detective’s squad room. Computer evidence represented by physical items such as chips, boards, central processing units, storage media, monitors, and printers can be described easily and correctly as a unique form of physical evidence. Although forensic laboratories are very good at ensuring the integrity of the physical items in their control, computer forensics also requires methods to ensure the integrity of the information contained within those physical items. The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence from harm. Evidence can be found in many different forms: financial records, word processing documents, diaries, spreadsheets, databases, e-mail, pictures, movies, sound files, etc. There is a lot of information that is stored in a computer of which most users are unaware. A forensic examiner can usually tell what a computer was used for, when it was used, what the user has done on the Internet (and when), and recover much of what the user wrote, read or viewed on the computer. Examiners can find deleted files. They may not get the entire file, but they can get some of it.
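The "they may not get the entire file, but they can get some of it" case can be illustrated with signature carving: scanning unallocated space for a file type's header and footer markers and recovering whatever lies between them. The following is an added example, not part of the original post; the JPEG markers are real, but the disk contents are constructed inline.

```python
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker prefix every JPEG begins with
JPEG_EOI = b"\xff\xd9"       # end-of-image marker that closes a complete JPEG


def carve_jpegs(unallocated: bytes, max_len: int = 1 << 20):
    """Return (offset, data, complete) for every JPEG header found.

    complete=False means the footer was missing before the next header or
    the end of the buffer: the file was partly overwritten, so only the
    surviving leading bytes are recovered.
    """
    hits = []
    pos = 0
    while True:
        start = unallocated.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = unallocated.find(JPEG_EOI, start + len(JPEG_SOI))
        nxt = unallocated.find(JPEG_SOI, start + len(JPEG_SOI))
        if end != -1 and (nxt == -1 or end < nxt) and end - start < max_len:
            hits.append((start, unallocated[start:end + 2], True))
            pos = end + 2
        else:
            stop = nxt if nxt != -1 else len(unallocated)
            hits.append((start, unallocated[start:stop], False))
            pos = stop
    return hits


def carve_summary(unallocated: bytes) -> dict:
    """Counts an examiner would put in the report: intact vs. partial recoveries."""
    hits = carve_jpegs(unallocated)
    return {
        "found": len(hits),
        "intact": sum(1 for _, _, ok in hits if ok),
        "partial": sum(1 for _, _, ok in hits if not ok),
        "bytes_recovered": sum(len(d) for _, d, _ in hits),
    }


# Constructed 'unallocated space': slack bytes, one intact JPEG, a text
# fragment, then a JPEG whose tail (and EOI marker) was overwritten.
INTACT = b"\xff\xd8\xff\xe0" + b"\x00JFIF\x00" + bytes(range(32)) + b"\xff\xd9"
TRUNCATED = b"\xff\xd8\xff\xe1" + b"\x00Exif\x00" + bytes(range(16))
UNALLOCATED = (b"\x00" * 12 + INTACT + b"\x00" * 7
               + b"meeting notes" + b"\x00" * 5 + TRUNCATED + b"\x00" * 9)
```

Running `carve_jpegs(UNALLOCATED)` yields one intact image and one partial one whose header and first bytes survive; real carvers add per-format length fields and entropy checks, but the recovery logic is the same.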

Evidence to be analyzed must be information uncovered during an investigation. With average storage capacities approaching 30 gigabytes and systems with 60 GB available, it is likely to be impossible to completely and exhaustively examine every file stored on a seized system. There may also be legal prohibitions against searching every file (for example, a doctor's files and patient privacy). To keep the seized evidence intact and unaltered, examiners make a copy of the files, conduct the investigation from that copy, and leave the original untouched. Unlike fingerprints or DNA in most investigations, the evidence from computers is not always of the same kind; each case will have different information to be analyzed. This leads to different policies for collection, examination and analysis. Computer forensic science is also almost entirely technology and market driven, generally outside the laboratory setting, and the examinations present unique variations in almost every situation.
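Working from a copy only protects the evidence if the copy can be shown to match the original, and the original can be shown to be unchanged after the examination. As an added example (not from the original post), the class below records a cryptographic hash at acquisition and appends a custody-log line for every later verification of the copy or the original; the label `HDD-01` and the media contents are constructed.

```python
import hashlib
from datetime import datetime, timezone


def evidence_hash(data: bytes) -> str:
    """SHA-256 of the acquired bit stream, recorded once at intake."""
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """Holds an original medium and the working copy examiners actually touch.

    Every verify() recomputes the hash and logs the result, so a changed
    working copy (examiner error) or a changed original (broken chain of
    custody) is visible in the report rather than silently accepted.
    """

    def __init__(self, label: str, original: bytes):
        self.label = label
        self._original = bytes(original)          # immutable, never handed out
        self.acquisition_hash = evidence_hash(original)
        self.working_copy = bytearray(original)   # examiners work on this
        self.custody_log = [self._entry("acquired", self.acquisition_hash)]

    def _entry(self, event: str, digest: str) -> str:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        return f"{stamp} {self.label} {event} sha256={digest}"

    def verify(self, which: str) -> bool:
        """Compare 'original' or 'copy' against the acquisition hash and log it."""
        data = self._original if which == "original" else bytes(self.working_copy)
        digest = evidence_hash(data)
        ok = digest == self.acquisition_hash
        status = "ok" if ok else "MISMATCH"
        self.custody_log.append(self._entry(f"verify-{which} {status}", digest))
        return ok


# Constructed sample: a tiny seized 'disk' holding one text file and slack space.
SEIZED_MEDIA = b"notes.txt: meeting 2008-10-29 14:00 re: budget\n" + b"\x00" * 64


def demo() -> dict:
    item = EvidenceItem("HDD-01", SEIZED_MEDIA)
    copy_ok = item.verify("copy")            # fresh copy matches acquisition hash
    item.working_copy[0:5] = b"NOTES"        # an examiner's tool altered the copy
    copy_after = item.verify("copy")         # now fails: discard, re-copy from original
    original_ok = item.verify("original")    # original still matches: evidence intact
    return {"copy_ok": copy_ok, "copy_after_edit": copy_after,
            "original_ok": original_ok, "log": item.custody_log}
```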

The final step in a computer forensic investigation is the report writing. This is actually one of the greatest tasks of the forensic analyst, because they must put the data together in such a way as to be readable for the intended audience. If the judge and jury in a court case cannot understand the evidence being submitted, it is unlikely that they will be swayed by the evidence in their decision making process. Disorganized and poorly written reports can jeopardize a case. There are websites that are aimed at helping these professionals to write good, detailed reports. There is even a website with a template to ensure that the report writer has all the necessary information in the report. That template is located at http://computer-forensics.privacyresources.org/forensic-template.htm. Computer forensics is one of the many career opportunities for the skilled IT professional that would prove to be very interesting and challenging.

7 comments:

Frances Rowe said...

I think this would be a neat job to have. Computer Forensics helps the police catch people. Some people may delete their computers but the police can find ideas on the hard drive. The way computer forensics has advanced over the years is great and I believe it will continue to advance.
Frances Rowe

Jason Beyerlein said...

I guess you must really pay attention to what goes on your computer. If you let someone use your computer they could leave files behind that would or could implicate you. Something to think about.

tbowen said...

I get freaked out sometimes when I think about how advanced technology can be. Some people just don't realize just what can happen on a computer and what people can do on them.

Angela Murphy said...

It amazes me to read about identity theft on the internet and how easily it is done. Another thing that comes to mind that would involve computer forensics is sexual predators on juveniles. My personal opinion on computer use is that if you don't want someone to know what you are looking at online, you shouldn't do it. Nothing is ever completely deleted from a computer. This was a very informative post. I enjoyed reading it.

Debbie P said...

Just today, one of my friends received an email from Chase that indicated his account may have been exposed to a security threat and that he had one un-read message on his account. The email asked him to log into his account using his normal username and password, and read the message. After entering his username/password in the space provided, he was then prompted to enter his account number. Of course, he was familiar enough with the most common means of fraud these days and did not enter his account number. He instead called Chase immediately. Chase verified the email was fraudulent and informed him that a $6,000 Ebay transaction had just posted to his account. Even though my friend did not reveal his account number, the thief was able to gain access to his account through his username/password, and in less than 5 minutes. Usernames are usually visible but passwords are not. Therefore, the thief who sent the email must have the ability and technology to record key strokes and/or somehow transcribe secret passwords.

Anonymous said...

This is so true! Since technology has run rampant in our world, of course the trouble-makers of the world have to follow suit.

I personally work for a bank, and all of the technological crimes amaze me every day. It's such a shame that people put their amazing minds to use for the wrong purpose.

This should also be a great warning for everyone that it's so important to protect yourself and your information from these potential disasters.

Snoodle Family said...

What an interesting article! I never thought about someone going into computer forensics. Actually I didn't think that jobs like that existed! It makes sense, though. We need jobs like that with the way things are nowadays! I love CSI, so reading about this article was interesting! When CSI goes in and takes a computer from a crime scene and does research, it does make me think that...duh! Someone has to specialize in stuff like that! Of course it is all Hollywood, but I still believe that in "real life" computers are taken to retrieve necessary information.