Computer forensics is the application of scientific methods to digital media in order to establish factual information for judicial review. The process often involves investigating computer systems to determine whether they are, or have been, used for illegal or unauthorized activities. Mostly, computer forensic experts investigate data storage devices, either fixed like hard discs or removable like compact disks and solid state devices. Computer forensics experts identify sources of documentary or other digital evidence, preserve the evidence, analyze it and present the findings.
Computer forensics is done in a fashion which adheres to the standards of evidence that are admissible in any court of law. It is absolutely vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If insufficient information is available to form this opinion, the suspects should be considered experts, and presumed to have installed countermeasures against forensic techniques. Because of this, it is critical that the equipment is as indistinguishable as possible from its normal users until you have shut it down completely, either in a manner which prohibits the machine modifying the drives, or in exactly the same way they would.
If the equipment contains only a small amount of critical data on the hard drive, software may be installed in order to wipe out the data permanently and quickly if a given action happens; from there, the machine is set to shut down after the file deletion has finished. However, simply “pulling the plug” isn’t always a great idea, as either information stored solely in RAM, or on special peripherals, may be permanently lost. Losing an encryption key stored solely in the RAM, and possibly unknown even to the suspects themselves by virtue of having been automatically generated, may render a great deal of data on the hard drive/drives unusable, or at least may lead to an extremely expensive and time-consuming affair to recover.
Like any other piece of evidence used in any case, the information generated as a result of computer forensics investigation must follow the standards of admissible evidence. Special care must be taken when handling a suspect’s files; dangers to the evidence include viruses, electromagnetic or mechanical damage, and even booby traps. There are a handful of cardinal rules that should be adhered to, in order to ensure that the evidence is not destroyed or compromised, such as handling the original evidence as little as possible to avoid changing the data, establish and maintaining the chain of custody, documenting everything done and never exceeding personal knowledge.
If such steps are not followed, the original data may get changed, ruined or become tainted, and so any results generated will be challenged and may not hold up in a court of law. Other things to take into consideration are the time that business operations are inconvenienced and how sensitively the information which is unintentionally discovered will be handled. In any investigation in which the owner of the digital evidence has not given consent to have his or her media examined – as in most criminal cases – special care must be taken to ensure that you as a forensic specialist have legal authority to seize, image, and examine each device. Besides, after having the case thrown out of court, the examiner may find himself or herself in the wrong end of a hefty civil lawsuit. As a general rule, if one isn’t sure of a specific piece of media, one should not examine it. Amateur forensic examiners should keep it in mind before beginning with any unauthorized investigation.
