Cyber Forensics

The simple definition of computer forensics

... is the art and science of applying computer science to aid the legal process. With the rapid advance in technology it quickly became more than just an art though, and nowadays you can even get a cyber forensics specialization degree on the subject. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and a skill for solving puzzles, which is where the art comes in. - Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006

Thus, it is more than the technological, systematic inspection of the computer system and its contents for evidence or supportive evidence of a civil wrong or a criminal act. Computer forensics requires specialized expertise and tools that goes above and beyond the normal data collection and preservation techniques available to end-users or system support personnel. One definition is analogous to "Electronic Evidentiary Recovery, known also as e-discovery, requires the proper tools and knowledge to meet the Court's criteria, whereas Computer Forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence."[1] Another is "a process to answer questions about digital states and events"[2]. This process often involves the investigation and examination computer system(s), including, but not limitied to the data acquisition that resides on the media within the computer. The forensic examiner renders an opinion, based upon the examination of the material that has been recovered. After rendering an opinion and report, to determine whether they are or have been used for criminal, civil or unauthorized activities. Mostly, computer forensics experts investigate data storage devices, these include but are not limited to hard drives, portable data devices (USB Drives, External drives, Micro Drives and many more). Computer forensics experts:

Identify sources of documentary or other digital evidence.
Preserve the evidence.
Analyze the evidence.
Present the findings.

Computer forensics is done in a fashion that adheres to the standards of evidence that are admissible in a court of law. Thus, computer forensics must be techno-legal in nature rather than purely technical or purely legal.

Understand the suspects
It is absolutely vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If insufficient information is available to form this opinion, the suspects must be considered to be experts, and should be presumed to have installed countermeasures against forensic techniques. Because of this, it is critical that you appear to the equipment to be as indistinguishable as possible from its normal users until you have shut it down completely, either in a manner which probably prohibits the machine modifying the drives, or in exactly the same way they would.

If the equipment contains only a small amount of critical data on the hard drive, for example, software exists to wipe it permanently and quickly if a given action occurs. It is straightforward to link this to the Microsoft Windows "Shutdown" command, for example. However, simply "pulling the plug" isn't always a great idea, either-- information stored solely in RAM, or on special peripherals, may be permanently lost. Losing an encryption key stored solely in Random Access Memory, and possibly unknown even to the suspects themselves by virtue of having been automatically generated, may render a great deal of data on the hard drive(s) unusable, or at least extremely expensive and time-consuming to recover.

Electronic evidence considerations
Electronic evidence can be collected from a variety of sources. Within a company’s network, evidence will be found in any form of technology that can be used to transmit or store data. Evidence should be collected through three parts of an offender’s network: at the workstation of the offender, on the server accessed by the offender, and on the network that connects the two. Investigators can therefore use three different sources to confirm of the data’s origin.

Like any other piece of evidence used in a case, the information generated as the result of a computer forensics investigation must follow the standards of admissible evidence. Special care must be taken when handling a suspect’s files; dangers to the evidence include viruses, electromagnetic or mechanical damage, and even booby traps. There are a handful of cardinal rules that are used to ensure that the evidence is not destroyed or compromised:

Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
In order to verify that a tool is forensically sound, the tool should be tested in a mock forensic examination to verify the tools performance. There are government agencies such as the Defense Cyber Crime Institute that accept requests to test specific digital forensic tools and methods for governmental agencies, law enforcement organizations, or vendors of digital forensic products at no cost to the requestor.

Handle the original evidence as little as possible to avoid changing the data.
Establish and maintain the chain of custody.
Document everything done.
Never exceed personal knowledge.
If such steps are not followed the original data may be changed, ruined or become tainted, and so any results generated will be challenged and may not hold up in a court of law. Other things to take into consideration are:

The time that business operations are inconvenienced.
How sensitive information which is unintentionally discovered will be handled.
In any investigation in which the owner of the digital evidence has not given consent to have his or her media examined – as in most criminal cases – special care must be taken to ensure that you as the forensic specialist have legal authority to seize, image, and examine each device. Besides having the case thrown out of court, the examiner may find him or herself on the wrong end of a hefty civil lawsuit. As a general rule, if you aren't sure about a specific piece of media, do not examine it. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Some of the most valuable information obtained in the course of a forensic examination will come from the computer user themself. In accordance with applicable laws, statutes, organizational policies, and other applicable regulations, an interview of the computer user can often yield invaluable information regarding the system configuration, applications, and most important, software or hardware encryption methodology and keys utilized with the computer. Forensic analysis can become exponentially easier when analysts have passphrase(s) utilized by the user open encrypted files or containers used on the local computer system, or on systems mapped to the local computer through a local network or the internet.

Secure the machine and the data
Unless completely unavoidable, data should never be analyzed using the same machine it is collected from. Instead, forensically sound copies of all data storage devices, primarily hard drives, must be made. Exceptional consideration to this practice are detailed below regarding live system considerations.