If you have watched enough crime shows on television, you've likely seen an actor or actress portraying a forensic investigator. On shows like CSI: Miami, the forensic investigators seem able to type a few keys into a terminal and, boom, they have all the information they need.
In real life, however, computer forensics isn't so simple. In fact, computer forensic investigators may take days to dissect all of the information needed for a case.
In this article, we'll discuss computer forensics and how these types of investigations are conducted.
For those unfamiliar with computer forensics, it is the art and science of uncovering evidence stored in computers and digital storage.
Computer forensic engineers extract evidence in a legally sound manner to ensure its usability in criminal or civil court proceedings. To ensure the evidence is not tampered with and remains admissible in court, computer forensic investigators use a documented chain of custody and tools such as write blockers and tamper seals.
When a criminal activity involving a computer occurs, such as a denial-of-service (DoS) or hacking attack, the system used holds a plethora of evidence regarding the crime. Even in criminal cases that aren't explicitly cybersecurity-related, such as drug-trafficking, fraud, or even murder, the suspect's devices likely hold evidence of the crime in emails, internet history, documents, and images.
In 2010, a Baptist preacher named Matt Baker was sentenced to 65 years in prison for the murder of his wife. The initial report had stated the wife had committed suicide by overdosing on sleeping pills. Upon further investigation, a forensic analyst found that Baker had searched "overdosing on sleeping pills" and had visited several pharmaceutical websites before his wife's death. Without this information from Baker's computer, he might have never been brought to justice.
Commercial corporations also use computer forensics for a variety of reasons. Intellectual property theft, fraud, forgeries, and employment disputes may result in the use of computer forensics to provide evidence for civil cases. Imagine a scenario in which an employee claims to have experienced sexual harassment or prejudice by an employer. Company-owned devices will likely be one of the most useful places to find evidence.
When an individual works for an organization, any work performed on the corporate devices typically belongs to that organization, even if that employee was working on a “personal project” while using this device. Companies may choose to use computer forensics to prove that the product belongs to them as it was created on a company device. Computer forensics can be used to find this evidence, even if the employee believes that they have deleted all applicable files on that computer.
For individuals working in computer forensics, there are five essential steps to a successful investigation.
1. Policy and procedure development. As with any role, maintaining properly defined policies and procedures is crucial. In computer forensics, these procedures may outline how to properly prepare systems for evidence retrieval and the steps to ensure the authenticity of data.
2. Evidence assessment. Computers can store a lot of information, sometimes terabytes of data, not all of which applies to the specific case for which an investigator is collecting evidence. Investigators need knowledge of the case at hand and an understanding of which evidence applies to it.
3. Evidence acquisition. Merely locating the evidence is not enough. The evidence must be collected and acquired following strict guidelines to ensure its admissibility in court. Typical instructions for preserving evidence include the physical removal of storage devices, the use of write blockers to prevent tampering, and thorough documentation such as a chain of custody.
4. Evidence examination. After assessing and acquiring evidence, the next step is to examine it. Investigators use various methods, techniques, and tools for reviewing digital data. Intentionally hidden files and any data tagged with dates and timestamps are particularly useful to investigators.
5. Documentation and reporting. Documenting all steps throughout the investigation is a critical aspect of any computer forensic investigator's duties. Since the goal of collecting this data is typically to present it in a court of law, any failure to accurately document and report the steps taken could result in the evidence being inadmissible.
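As an added illustration of the acquisition and documentation steps above (example code written for this article, not from the original page or any forensic tool), the script below hashes an acquired disk image, records each action in a chain-of-custody log, and later re-hashes the image to prove it is unchanged; the image contents, examiner names and JSON Lines log format are all constructed for the example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash the image in 1 MiB chunks so a multi-terabyte image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def log_entry(log: Path, **fields) -> dict:
    """Append one timestamped, examiner-attributed line to the custody log (constructed JSON Lines format)."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), **fields}
    with open(log, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def acquire(image: Path, log: Path, examiner: str, note: str) -> str:
    """First custody entry: the acquisition hash that every later check is compared against."""
    digest = sha256_file(image)
    log_entry(log, examiner=examiner, action="acquire", sha256=digest, note=note)
    return digest

def verify(image: Path, log: Path, examiner: str) -> bool:
    """Re-hash the image and compare with the acquisition hash; record the outcome either way."""
    acquisition = json.loads(log.read_text().splitlines()[0])
    current = sha256_file(image)
    intact = current == acquisition["sha256"]
    log_entry(log, examiner=examiner, action="verify", sha256=current, intact=intact)
    return intact

def demo():
    """Constructed walkthrough: the check passes before tampering and fails after one changed byte."""
    with tempfile.TemporaryDirectory() as tmp:
        image, log = Path(tmp) / "evidence.dd", Path(tmp) / "custody.jsonl"
        image.write_bytes(b"\x00" * 4096 + b"constructed sample disk image, not real evidence")
        acquire(image, log, "examiner-1", "imaged through a write blocker; tamper seal 0001 (constructed)")
        before = verify(image, log, "examiner-2")
        with open(image, "r+b") as f:  # simulate a single altered byte in the stored image
            f.seek(10)
            f.write(b"\x01")
        after = verify(image, log, "examiner-2")
        return before, after
```

Every verify entry is written even when the hash does not match, so the log itself documents when integrity was last confirmed and when it broke.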