How Computer Forensics Works

When the company Enron declared bankruptcy in December 2001, hundreds of employees were left jobless while some executives seemed to benefit from the company's collapse. The United States Congress decided to investigate after hearing allegations of corporate misconduct. Much of Congress' investigation relied on computer files as evidence. A specialized detective force began to search through hundreds of Enron employee computers using computer forensics.

The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence for a trial. Many of the techniques detectives use in crime scene investigations have digital counterparts, but there are also some unique aspects to computer investigations.

For example, just opening a computer file changes the file -- the computer records the time and date it was accessed on the file itself. If detectives seize a computer and then start opening files, there's no way to tell for sure that they didn't change anything. Lawyers can contest the validity of the evidence when the case goes to court.

Some people say that using digital information as evidence is a bad idea. If it's easy to change computer data, how can it be used as reliable evidence? Many countries allow computer evidence in trials, but that could change if digital evidence proves untrustworthy in future cases.

Computers are getting more powerful, so the field of computer forensics must constantly evolve. In the early days of computers, it was possible for a single detective to sort through files because storage capacity was so low. Today, with hard drives capable of holding gigabytes and even terabytes of data, that's a daunting task. Detectives must discover new ways to search for evidence without dedicating too many resources to the process.

What are the basics of computer forensics? What can investigators look for, and where do they look? Find out in the next section.

Contents

Computer Forensics Basics
Phases of a Computer Forensics Investigation
Anti-Forensics
Standards of Computer Evidence
Computer Forensics Tools

Computer Forensics Basics

The field of computer forensics is relatively young. In the early days of computing, courts considered evidence from computers to be no different from any other kind of evidence. As computers became more advanced and sophisticated, opinion shifted -- the courts learned that computer evidence was easy to corrupt, destroy or change.

Investigators realized that there was a need to develop specific tools and processes to search computers for evidence without affecting the information itself. Detectives partnered with computer scientists to discuss the appropriate procedures and tools they'd need to use to retrieve evidence from a computer. Gradually, they developed the procedures that now make up the field of computer forensics.

Usually, detectives have to secure a warrant to search a suspect's computer for evidence. The warrant must include where detectives can search and what sort of evidence they can look for. In other words, a detective can't just serve a warrant and look wherever he or she likes for anything suspicious. In addition, the warrant's terms can't be too general. Most judges require detectives to be as specific as possible when requesting a warrant.

For this reason, it's important for detectives to research the suspect as much as possible before requesting a warrant. Consider this example: A detective secures a warrant to search a suspect's laptop computer. The detective arrives at the suspect's home and serves the warrant. While at the suspect's home, the detective sees a desktop PC. The detective can't legally search the PC because it wasn't included in the original warrant.

Every computer investigation is somewhat unique. Some investigations might only require a week to complete, but others could take months. Here are some factors that can impact the length of an investigation:

The expertise of the detectives
The number of computers being searched
The amount of storage detectives must sort through (hard drives, CDs, DVDs and thumb drives)
Whether the suspect attempted to hide or delete information
The presence of encrypted files or files that are protected by passwords

What are the steps in collecting evidence from a computer? Keep reading to find out.

In Plain View

The plain view doctrine gives detectives the authority to gather any evidence that is in the open while conducting a search. If the detective in our example saw evidence of a crime on the screen of the suspect's desktop PC, then the detective could use that as evidence against the suspect and search the PC even though it wasn't covered in the original warrant. If the PC wasn't turned on, then the detective would have no authority to search it and would have to leave it alone.

Phases of a Computer Forensics Investigation

Judd Robbins, a computer scientist and leading expert in computer forensics, lists the following steps investigators should follow to retrieve computer evidence:

Secure the computer system to ensure that the equipment and data are safe. This means the detectives must make sure that no unauthorized individual can access the computers or storage devices involved in the search. If the computer system connects to the Internet, detectives must sever the connection.
Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten. Investigators should make a copy of all the files on the system. This includes files on the computer's hard drive or in other storage devices. Since accessing a file can alter it, it's important that investigators only work from copies of files while searching for evidence. The original system should remain preserved and intact.
Recover as much deleted information as possible using applications that can detect and retrieve deleted data.
Reveal the contents of all hidden files with programs designed to detect the presence of hidden data.
Decrypt and access protected files.
Analyze special areas of the computer's disks, including parts that are normally inaccessible. (In computer terms, unused space on a computer's drive is called unallocated space. That space could contain files or parts of files that are relevant to the case.)
Document every step of the procedure. It's important for detectives to provide proof that their investigations preserved all the information on the computer system without changing or damaging it. Years can pass between an investigation and a trial, and without proper documentation, evidence may not be admissible. Robbins says that the documentation should include not only all the files and data recovered from the system, but also a report on the system's physical layout and whether any files had encryption or were otherwise hidden.
Be prepared to testify in court as an expert witness in computer forensics. Even when an investigation is complete, the detectives' job may not be done. They may still need to provide testimony in court [source: Robbins].

All of these steps are important, but the first step is critical. If investigators can't prove that they secured the computer system, the evidence they find may not be admissible. It's also a big job. In the early days of computing, the system might have included a PC and a few floppy disks. Today, it could include multiple computers, disks, thumb drives, external drives, peripherals and Web servers.

Some criminals have found ways to make it even more difficult for investigators to find information on their systems. They use programs and applications known as anti-forensics. Detectives have to be aware of these programs and how to disable them if they want to access the information in computer systems.

What exactly are anti-forensics, and what's their purpose? Find out in the next section.

Anti-Forensics

Anti-forensics can be a computer investigator's worst nightmare. Programmers design anti-forensic tools to make it hard or impossible to retrieve information during an investigation. Essentially, anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation.

There are dozens of ways people can hide information. Some programs can fool computers by changing the information in files' headers. A file header is normally invisible to humans, but it's extremely important -- it tells the computer what kind of file the header is attached to. If you were to rename an mp3 file so that it had a .gif extension, the computer would still know the file was really an mp3 because of the information in the header. Some programs let you change the information in the header so that the computer thinks it's a different kind of file. Detectives looking for a specific file format could skip over important evidence because it looked like it wasn't relevant.

Other programs can divide files up into small sections and hide each section at the end of other files. Files often have unused space called slack space. With the right program, you can hide files by taking advantage of this slack space. It's very challenging to retrieve and reassemble the hidden information.

It's also possible to hide one file inside another. Executable files -- files that computers recognize as programs -- are particularly problematic. Programs called packers can insert executable files into other kinds of files, while tools called binders can bind multiple executable files together.

Encryption is another way to hide data. When you encrypt data, you use a complex set of rules called an algorithm to make the data unreadable. For example, the algorithm might change a text file into a seemingly meaningless collection of numbers and symbols. A person wanting to read the data would need the encryption's key, which reverses the encryption process so that the numbers and symbols would become text. Without the key, detectives have to use computer programs designed to crack the encryption algorithm. The more sophisticated the algorithm, the longer it will take to decrypt it without a key.

Other anti-forensic tools can change the metadata attached to files. Metadata includes information like when a file was created or last altered. Normally you can't change this information, but there are programs that can let a person alter the metadata attached to files. Imagine examining a file's metadata and discovering that it says the file won't exist for another three years and was last accessed a century ago. If the metadata is compromised, it makes it more difficult to present the evidence as reliable.

Some computer applications will erase data if an unauthorized user tries to access the system. Some programmers have examined how computer forensics programs work and have tried to create applications that either block or attack the programs themselves. If computer forensics specialists come up against such a criminal, they have to use caution and ingenuity to retrieve data.

A few people use anti-forensics to demonstrate how vulnerable and unreliable computer data can be. If you can't be sure when a file was created, when it was last accessed or even if it ever existed, how can you justify using computer evidence in a court of law? While that may be a valid question, many countries do accept computer evidence in court, though the standards of evidence vary from one country to another.

What exactly are the standards of evidence? We'll find out in the next section.

Standards of Computer Evidence

In the United States, the rules are extensive for seizing and using computer evidence. The U.S. Department of Justice has a manual titled "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations." The document explains when investigators are allowed to include computers in a search, what kind of information is admissible, how the rules of hearsay apply to computer information and guidelines for conducting a search.

If the investigators believe the computer system is only acting as a storage device, they usually aren't allowed to seize the hardware itself. This limits any evidence investigation to the field. On the other hand, if the investigators believe the hardware itself is evidence, they can seize the hardware and bring it to another location. For example, if the computer is stolen property, then the investigators could seize the hardware.

In order to use evidence from a computer system in court, the prosecution must authenticate the evidence. That is, the prosecution must be able to prove that the information presented as evidence came from the suspect's computer and that it remains unaltered.

Although it's generally acknowledged that tampering with computer data is both possible and relatively simple to do, the courts of the United States so far haven't discounted computer evidence completely. Rather, the courts require proof or evidence of tampering before dismissing computer evidence.

Another consideration the courts take into account with computer evidence is hearsay. Hearsay is a term referring to statements made outside of a court of law. In most cases, courts can't allow hearsay as evidence. The courts have determined that information on a computer does not constitute hearsay in most cases, and is therefore admissible. If the computer records include human-generated statements like e-mail messages, the court must determine if the statements can be considered trustworthy before allowing them as evidence. Courts determine this on a case-by-case basis.

Computer forensics experts use some interesting tools and applications in their investigations. Learn more about them in the next section.

Think Globally, Prosecute Locally

One challenge computer investigators face is that while computer crimes know no borders, laws do. What's illegal in one country may not be in another. Moreover, there are no standardized international rules regarding the collection of computer evidence. Some countries are trying to change that. The G8 group, which includes the United States, Canada, France, Germany, Great Britain, Japan, Italy and Russia, has identified six general guidelines regarding computer forensics. These guidelines concentrate on preserving evidence integrity.

Computer Forensics Tools

Programmers have created many computer forensics applications. For many police departments, the choice of tools depends on department budgets and available expertise.

Here are a few computer forensics programs and devices that make computer investigations possible:

Disk imaging software records the structure and contents of a hard drive. With such software, it's possible to not only copy the information in a drive, but also preserve the way files are organized and their relationship to one another.
Software or hardware write tools copy and reconstruct hard drives bit by bit. Both the software and hardware tools avoid changing any information. Some tools require investigators to remove hard drives from the suspect's computer first before making a copy.
Hashing tools compare original hard disks to copies. The tools analyze data and assign it a unique number. If the hash numbers on an original and a copy match, the copy is a perfect replica of the original.
Investigators use file recovery programs to search for and restore deleted data. These programs locate data that the computer has marked for deletion but has not yet overwritten. Sometimes this results in an incomplete file, which can be more difficult to analyze.
There are several programs designed to preserve the information in a computer's random access memory (RAM). Unlike information on a hard drive, the data in RAM ceases to exist once someone shuts off the computer. Without the right software, this information could be lost easily.
Analysis software sifts through all the information on a hard drive, looking for specific content. Because modern computers can hold gigabytes of information, it's very difficult and time consuming to search computer files manually. For example, some analysis programs search and evaluate Internet cookies, which can help tell investigators about the suspect's Internet activities. Other programs let investigators search for specific content that may be on the suspect's computer system.
Encryption decoding software and password cracking software are useful for accessing protected data.

These tools are only useful as long as investigators follow the right procedures. Otherwise, a good defense lawyer could suggest that any evidence gathered in the computer investigation isn't reliable. Of course, a few anti-forensics experts argue that no computer evidence is completely reliable.

Whether courts continue to accept computer evidence as reliable remains to be seen. Anti-forensics experts argue that it's only a matter of time before someone proves in a court of law that manipulating computer data without being detected is both possible and plausible. If that's the case, courts may have a hard time justifying the inclusion of computer evidence in a trial or investigation.

To learn more about computer forensics and related topics, follow the links on the next page.

Frequently Answered Questions

Is computer forensics a good career?

Computer forensics is a good career for people who are interested in computers and have a desire to help solve crimes. This field can be very challenging and exciting, and there is a great demand for qualified computer forensics professionals.

What does computer forensic do?

Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation to find all the evidence that may be relevant to a case and then to interpret that evidence in a way that is legally admissible.

What degree do you need to be a computer forensic?

The specific educational requirements for becoming a computer forensics specialist will vary depending on the specific field or industry in which you wish to work. However, most computer forensics specialists need at least a bachelor's degree in computer forensics, computer science, or a related field.

Lots More Information

Sources

Berinato, Scott. "The Rise of Antiforensics." CSO Online. June, 2007. http://www.csoonline.com/read/060107/fea_antiforensics.html
Computer Forensics Tool Testing Project http://www.cftt.nist.gov/index.html
"Federal Rules of Evidence." Cornell Law School. http://www.law.cornell.edu/rules/fre/rules.htm#Rule1001
Fitzgerald, Thomas J. "Deleted But Not Gone." The New York Times. November 3, 2005. http://www.nytimes.com/2005/11/03/technology/circuits/03basics.htmlex=1288674000&en=52520fd64c31403f&ei=5090&partner=rssuserland&emc=rss
Kerr, Orin S. "Computer Records and the Federal Rules of Evidence." U.S. Department of Justice. March, 2001. http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm
Harris, Ryan. "Arriving at an anti-forensics consensus." Digital Investigation. 2006. http://dfrws.org/2006/proceedings/6-Harris.pdf
"How the FBI Investigates Computer Crime." CERT. http://www.cert.org/tech_tips/FBI_investigates_crime.html
Oseles, Lisa. "Computer Forensics: The Key to Solving the Crime."
Peron, Christian S. J. and Legary, Michael. "Digital Anti-Forensics: Emerging trends in data transformation techniques." Seccuris Labs. http://www.seccuris.com/documents/papers/Seccuris-Antiforensics.pdf
Robbins, Judd. "An Explanation of Computer Forensics." http://computerforensics.net/forensics.htm
"Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations." United States Department of Justice. July 2002. http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm#_V_
"The Fall of Enron." Chron.com. http://www.chron.com/news/specials/enron/
Walker, Cornell. "Computer Forensics: Bringing the Evidence to Court." InfosecWriters. http://www.infosecwriters.com/text_resources/pdf/Computer_Forensics_to_Court.pdf
Witter, Franklin. "Legal Aspects of Collecting and Preserving Computer Forensic Evidence." Global Information Assurance Certification. April 20, 2001. http://www.giac.org/certified_professionals/practicals/gsec/0636.php