Define computer forensics, digital forensics and computer forensic investigation

Computer forensics otherwise known as “digital forensics” is a process of electronic discovery to acquire digital evidence, analyse facts and report on a case by examining digital devices such as computers, hard drives or any other storage media or network conducted by a suitably trained computer forensic analyst in order to investigate a claim or allegation.

Computer forensic involves 4 basic steps:

  • Acquisition and collection of data
  • Examination
  • Analysis
  • Reporting

The forensic investigator must be suitably trained to perform the specific type of investigation requested by the client who can be a solicitor, private detective, company manager, prosecuting agent or law enforcing agency. A computer forensic specialist will initially examine each computer forensic case to determine the complexity level of the case so that an appropriately trained digital forensic investigator or team of investigators is assigned to the job. It is at this level that all the costs, logistics and duration of the investigation is determined and communicated to the client. Depending on the case, there may be a charge for the initial assessment which will be agreed at the time of the computer forensic service inquiry.

Acquiring and Collecting Digital Evidence

Digital evidence can be collected from many sources. Obvious sources include computers, mobile phones, digital cameras, hard drives, CD-ROM, USB memory sticks and so on. Non-obvious sources include RFID tags, and web pages which must be preserved as they are subject to change.

We will take special care when handling computer evidence: most digital information is volatile can be easily changed, and once modified, it is usually difficult to detect the changes or to revert the data back to its original state. For this reason, we will carry out and calculate a cryptographic hash of digital evidence and record that hash in a safe place to prevent any digital evidence contamination. This is essential as the computer forensic investigators will be able to establish at a later stage whether or not the original digital evidence has been tampered with since the hash was initiated and calculated.

It has to be noted that some of the most valuable information obtained in the course of a forensic examination will come from the computer user himself. An interview with the user- if he is cooperative- can yield valuable clues about the system configuration, applications, encryption keys and methodology. Computer forensic analysis is much easier when analysts have the user’s passwords to access encrypted files, containers, and network servers.

However if the user refuses to cooperate or the computer user interview is not possible, the digital forensic investigator will be fully equipped with necessary tools to uncover most- if not all- of the information he requires in order to carry out his computer forensic investigation successfully. However, in any investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases), we take special care to ensure that the computer forensic specialist has the legal authority to seize, copy, and examine the data. All the legal clearances required for a successful computer forensic investigation must be sought by the client prior to the investigation. This will be discussed with the client in the initial stages of a computer forensic service inquiry or assessment.

Imaging electronic media evidence

As as an initial stage of our computer forensic investigation, we may have to to create an exact duplicate of the original evidentiary media. We use a combination of standalone hard-drive duplicators or software imaging tools so that the entire hard drive is fully cloned. We will do this at the at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the file system. We will then transfer the original drive to secure storage to prevent any tampering. During the imaging process, we will use a write-protection or write-blocking device or application to ensure that no information is introduced onto the evidentiary media during the computer forensic investigation process.