The purpose of Digital / Computer Forensics is to:
- Preserve; and
- Analyse information on a computer, device and or central processing unit to find evidence in support of an investigation.
When dealing with data, it is important to ensure that files are not contaminated and or corrupted, for example:
- When opening the file ensure that the data is not changed in any way i.e. the file date etc;
- Extraction methods are reliable and not destructive; and
- The methodology followed in securing must be admissible in a court of law.
Computer devices and or central processing units constitute a ‘crime scene’, for example:
- Denial of service attacks;
- Hacking evidence; and
- Holding evidence in the form of emails, internet history or other documents relevant to an investigation.
The metadata on a document is also important to the forensic examiner as it reveals the following information:
- When a document first appeared on the computer device and or central processing unit;
- When a document was last edited;
- When a document was last saved or printed; and
- Which user carried out these actions?
There are four main principles used by forensic examiners of the Association of Chief Police Officers Good Practise Guide for Digital Evidence (ACPO).
- No action should change data on the medium which may be subsequently relied upon in court;
- In circumstances where it is necessary to do so, the forensic examiner must be competent and be able to give evidence explaining the relevance and implications of the action;
- An audit trail or other record of all processes applied to computer based electronic devices should be created and preserved. An independent third party should be able to examine those processes and achieve the same result; and
- The person in charge of the investigation has overall responsibility for ensuring that the law and principles are adhered to.
The examination process can be divided into the following chronological stages:
Ensure that the client is educated and ready for the process.
Ensure that the forensic examiner uses equipment that is regularly tested and up to date with latest techniques to ensure that the on-site acquisition kit is in order etc.
Ensure that a clear brief and or instruction is obtained. Pay attention to risk analysis and allocation of resources.
Commercial organisations need to be aware of health and safety issues and possible conflicts of interest.
Identify and secure all devices as well as document the scene and or environment.
Conduct interviews with employees who may have relevant information pertaining to the investigation and or use of the devices.
Analyse the data received and inform the client of the finding.
The finding may cause the investigation to change direction or be narrowed down, depending on the specifics of the project.
The analysis must be thorough, accurate, impartial, recorded, repeatable and completed within the time restrictions and resources allocated.
- Presentation of a Report:
Presenting of a report on the findings of the digital analysis must ensure that all areas of concern are addressed, both the initial instructions as well as any subsequent instructions received.
The report must be written with the end reader in mind who might not understand all the technical terminology.
The forensic examiner must be available to elaborate and or testify to the findings of the report.
The following technical issues can complicate a Digital Forensics investigation:
Data cannot be viewed without the correct key or password. (This may be hidden on the same or a different computer device).
- Increasing storage space:
The computer being analysed needs to have sufficient processing power and storage capacity to efficiently search large amounts of data.
- New technologies:
As technology advances, the forensic examiner must stay up to date.
- Anti forensics:
This is the practise of attempting to prevent computer forensics analysis by methods such as encryption, overwriting of data etc.
These tools are rarely used correctly to prevent the digital forensic process.
- Accepted standards:
Certain processes are tied to particular legislation, which are either aimed at law enforcement or commercial forensics.
- Fit to practise:
There is no qualifying body to check the competence or integrity of computer forensics professionals. Forensic examiners are encouraged to stay up to date with all methods and technology regarding computer forensics.