Computer forensics is a discipline that combines elements of

College of Information Technology and Engineering


If you manage or administer information systems and networks, you should understand computer forensics. Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court.”) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.

Because computer forensics is a new discipline, there is little standardization and consistency across the courts and industry. As a result, it is not yet recognized as a formal “scientific” discipline. We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

The ultimate goal of computer forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

Computer forensics -- which is sometimes referred to as computer forensic science -- essentially is data recovery with legal compliance guidelines to make the information admissible in legal proceedings. The terms digital forensics and cyber forensics are often used as synonyms for computer forensics.

History of computer (digital) forensics

Here are important landmarks in the history of digital forensics:

  • Francis Galton (1822 - 1911): Conducted the first recorded study of fingerprints.
  • Hans Gross (1847 - 1915): First use of scientific study to head criminal investigations.
  • FBI (1932): Set up a lab to offer forensic services to all field agents and other law authorities across the USA.
  • 1978: The first computer crime was recognized in the Florida Computer Crime Act.
  • 1992: The term "computer forensics" was used in academic literature.
  • 1995: The International Organization on Computer Evidence (IOCE) was formed.
  • 2000: The first FBI Regional Computer Forensic Laboratory was established.
  • 2002: The Scientific Working Group on Digital Evidence (SWGDE) published the first book on digital forensics, "Best Practices for Computer Forensics".
  • 2010: Simson Garfinkel identified issues facing digital investigations.

Differences between computer (digital) forensics and other computing domains

Computer forensics is considered a stand-alone domain, although it overlaps with other computing domains such as data recovery and computer security.

Computer security aims to protect systems and data according to a specific security policy set by individuals or organizations, whereas computer forensics tries to explain how a security policy was violated. One of the aims of computer security is to protect user data and assure privacy by using encryption and hiding techniques, whereas computer forensics tries to recover passwords, access encrypted files, discover hidden data, and recover deleted files and wiped disks for evidence.

Data recovery involves recovering data that was deleted by mistake or lost because of a power failure or hardware crash. The user usually knows what he or she is looking for when conducting data recovery; in computer forensics, however, an investigator is searching for hidden data and intentionally deleted files for the purpose of using them as evidence during a trial.

Data recovery shares many techniques with computer forensics, since both are used to restore data that has been lost, but the main difference between them is the final outcome of the process and the way it is achieved. The ultimate goal of computer forensics is to acquire data in a lawful way so that it can be submitted to a court of law.

Why is computer (digital) forensics important?

Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. You can help your organization if you consider computer forensics as a new basic element in what is known as a “defense-in-depth” approach to network and computer security. For instance, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised and will help you prosecute the case if the intruder is caught.

In the civil and criminal justice system, computer forensics helps ensure the integrity of digital evidence presented in court cases. As computers and other data-collecting devices are used more frequently in every aspect of life, digital evidence -- and the forensic process used to collect, preserve and investigate it -- has become more important in solving crimes and other legal issues.

The average person never sees much of the information modern devices collect. For instance, the computers in cars continually collect information on when a driver brakes, shifts and changes speed without the driver being aware. However, this information can prove critical in solving a legal matter or a crime, and computer forensics often plays a role in identifying and preserving that information.

Digital evidence isn't just useful in solving digital-world crimes, such as data theft, network breaches and illicit online transactions. It's also used to solve physical-world crimes, such as burglary, assault, hit-and-run accidents and murder.

Businesses often use a multilayered data management, data governance and network security strategy to keep proprietary information secure. Having data that's well managed and safe can help streamline the forensic process should that data ever come under investigation.

Businesses also use computer forensics to track information related to a system or network compromise, which can be used to identify and prosecute cyber attackers. Businesses can also use digital forensic experts and processes to help them with data recovery in the event of a system or network failure caused by a natural or other disaster.

As the world becomes more reliant on digital technology for the core functions of life, cybercrime is rising. As a result, computer forensic specialists no longer have a monopoly on the field; police forces, such as those in the U.K., are adopting computer forensic techniques to keep up with increasing rates of cybercrime.

Types of computer forensics

There are various types of computer forensic examinations. Each deals with a specific aspect of information technology. Some of the main types include the following:

  • Database forensics. The examination of information contained in databases, both data and related metadata.
  • Email forensics. The recovery and analysis of emails and other information contained in email platforms, such as schedules and contacts.
  • Malware forensics. Sifting through code to identify possible malicious programs and analyzing their payload. Such programs may include Trojan horses, ransomware or various viruses.
  • Memory forensics. Collecting information stored in a computer's random access memory (RAM) and cache.
  • Mobile forensics. The examination of mobile devices to retrieve and analyze the information they contain, including contacts, incoming and outgoing text messages, pictures and video files.
  • Network forensics. Looking for evidence by monitoring network traffic, using tools such as a firewall or intrusion detection system.
  • Disk forensics. Extracting data from storage media by searching active, modified or deleted files.
  • Wireless forensics. A division of network forensics. The main aim of wireless forensics is to offer the tools needed to collect and analyze data from wireless network traffic.

How does computer forensics work?

Forensic investigators typically follow standard procedures, which vary depending on the context of the forensic investigation, the device being investigated or the information investigators are looking for. In general, these procedures include the following steps:

Identification

This is the first step in the forensic process. Identification involves determining what evidence is present, where it is stored and, lastly, how it is stored (in which format).

Electronic storage media can be personal computers, mobile phones, PDAs, etc.

Preservation

In this phase, data is isolated, secured, and preserved. It includes preventing people from using the digital device so that digital evidence is not tampered with.

Analysis

In this step, investigators reconstruct fragments of data and draw conclusions based on the evidence found. It may take numerous iterations of examination to support a specific theory of the crime.

Documentation

In this process, a record of all the visible data must be created. It helps in recreating the crime scene and reviewing it. It involves proper documentation of the crime scene, along with photographing, sketching and crime-scene mapping.

Presentation

In this last step, the process of summarization and explanation of conclusions is done. The forensic investigators present their findings in a legal proceeding, where a judge or jury uses them to help determine the result of a lawsuit. In a data recovery situation, forensic investigators present what they were able to recover from a compromised system.
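The preservation and documentation steps above, in code: an added example (not from the page or any of its sources) that records an acquisition hash and a chain-of-custody log, then re-verifies every later copy against that hash so tampering shows up in the record. The disk image bytes, evidence id and examiner names are constructed for the example.

```python
# Evidence preservation and chain-of-custody record (added example, not from
# the page). The disk image is a constructed bytes object; in practice you
# would hash the acquired image file and the write-blocked source device.
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash the evidence; changing a single byte changes this value."""
    return hashlib.sha256(data).hexdigest()


def acquire(evidence_id: str, image: bytes, examiner: str) -> dict:
    """Start the chain of custody: record the acquisition hash and who took it."""
    return {
        "evidence_id": evidence_id,
        "sha256": sha256_hex(image),
        "size": len(image),
        "custody": [{"action": "acquired", "by": examiner,
                     "at": datetime.now(timezone.utc).isoformat(),
                     "verified": True}],
    }


def verify(record: dict, image: bytes) -> bool:
    """True only if the image still matches the hash taken at acquisition."""
    return len(image) == record["size"] and sha256_hex(image) == record["sha256"]


def log_custody(record: dict, action: str, examiner: str, image: bytes) -> bool:
    """Append a custody event. The hash check result is stored with the event,
    so a tampered or corrupted copy is visible in the documentation itself."""
    ok = verify(record, image)
    record["custody"].append({"action": action, "by": examiner,
                              "at": datetime.now(timezone.utc).isoformat(),
                              "verified": ok})
    return ok


if __name__ == "__main__":
    image = b"constructed disk image content " * 8      # constructed sample
    record = acquire("EV-2022-001", image, "examiner A")
    print(log_custody(record, "transferred to lab", "examiner B", image))  # True
    altered = image[:-1] + b"X"       # one byte changed after acquisition
    print(log_custody(record, "analysis copy checked", "examiner C", altered))  # False
    for event in record["custody"]:
        print(event)
```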

Techniques forensic investigators use

Investigators use a variety of techniques and proprietary forensic applications to examine the copy they've made of a compromised device. They search hidden folders and unallocated disk space for copies of deleted, encrypted or damaged files. Any evidence found on the digital copy is carefully documented in a finding report and verified with the original device in preparation for legal proceedings that involve discovery, depositions or actual litigation.

Computer forensic investigations use a combination of techniques and expert knowledge. Some common techniques include the following:

·        Reverse steganography. Steganography is a common tactic used to hide data inside any type of digital file, message or data stream. Computer forensic experts reverse a steganography attempt by analyzing the hash of the file in question: if a cybercriminal hides information inside an image or other digital file, it may look the same before and after to the untrained eye, but the underlying hash, or string of data that represents the image, will change.

·        Stochastic forensics. Here, investigators analyze and reconstruct digital activity without the use of digital artifacts. Artifacts are unintended alterations of data that occur from digital processes. Artifacts include clues related to a digital crime, such as changes to file attributes during data theft. Stochastic forensics is frequently used in data breach investigations where the attacker is thought to be an insider, who might not leave behind digital artifacts.

·        Cross-drive analysis. This technique correlates and cross-references information found on multiple computer drives to search for, analyze and preserve information relevant to an investigation. Events that raise suspicion are compared with information on other drives to look for similarities and provide context. This is also known as anomaly detection.

·        Live analysis. With this technique, a computer is analyzed from within the OS while the computer or device is running, using system tools on the computer. The analysis looks at volatile data, which is often stored in cache or RAM. Many tools used to extract volatile data require the computer to be in a forensic lab to maintain the legitimacy of the chain of evidence.

·        Deleted file recovery. This technique involves searching a computer system and memory for fragments of files that were partially deleted in one place but leave traces elsewhere on the machine. This is sometimes known as file carving or data carving.
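The deleted file recovery (file carving) technique above, as an added example that is not from the page: a signature-based carver that finds JPEG and PNG files in raw bytes without relying on filesystem metadata, and reports a header whose footer is missing as an incomplete fragment instead of skipping it. The "unallocated space" image is constructed inline; the signatures are the standard JPEG and PNG header/footer bytes.

```python
# Signature-based file carving (added example; not from the page). Carving
# ignores filesystem metadata and scans raw bytes, so it can recover files whose
# directory entries were deleted. The sample image is constructed below.

# Standard header/footer byte signatures for the two file types carved here.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10_000_000) -> list:
    """Return carved file records sorted by offset. A header with no footer
    within max_size bytes is reported as an incomplete fragment (overwritten
    or truncated file) rather than silently dropped."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while (h := image.find(header, start)) != -1:
            f = image.find(footer, h + len(header), h + max_size)
            if f == -1:
                found.append({"type": kind, "offset": h, "length": None,
                              "complete": False})
                start = h + 1          # keep scanning past this header
                continue
            end = f + len(footer)
            found.append({"type": kind, "offset": h, "length": end - h,
                          "complete": True})
            start = end                # resume after the carved file
    return sorted(found, key=lambda r: r["offset"])


def extract(image: bytes, record: dict) -> bytes:
    """Return the carved bytes for a complete record (what you would write
    out and hash for the finding report)."""
    if not record["complete"]:
        raise ValueError("cannot extract an incomplete fragment")
    return image[record["offset"]:record["offset"] + record["length"]]


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': zero filler around one PNG, one JPEG
    and one JPEG header whose body was overwritten (no footer)."""
    filler = b"\x00" * 64
    png = b"\x89PNG\r\n\x1a\n" + b"fake-chunk-data" + b"IEND\xaeB`\x82"
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-fake-body" + b"\xff\xd9"
    fragment = b"\xff\xd8\xff\xe1" + b"truncated"
    return filler + png + filler + jpeg + filler + fragment + filler


if __name__ == "__main__":
    img = build_sample_image()
    for rec in carve(img):
        print(rec)
```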

How is computer (digital) forensics used as evidence?

In recent times, commercial organizations have used digital forensics in the following types of cases:

·        Intellectual property theft

·        Industrial espionage

·        Employment disputes

·        Fraud investigations

·        Inappropriate use of the Internet and email in the workplace

·        Forgery-related matters

·        Bankruptcy investigations

·        Issues concerning regulatory compliance

Computer forensics has been used as evidence by law enforcement agencies and in criminal and civil law since the 1980s. Some notable cases include the following:

·        Apple trade secret theft. An engineer named Xiaolang Zhang at Apple's autonomous car division announced his retirement and said he would be moving back to China to take care of his elderly mother. He told his manager he planned to work at an electronic car manufacturer in China, raising suspicion. According to a Federal Bureau of Investigation (FBI) affidavit, Apple's security team reviewed Zhang's activity on the company network and found, in the days prior to his resignation, he downloaded trade secrets from confidential company databases to which he had access. He was indicted by the FBI in 2018.

·        Google trade secret theft. Anthony Scott Levandowski, a former executive of both Uber and Google, was charged with 33 counts of trade secret theft in 2019. From 2009 to 2016, Levandowski worked in Google's self-driving car program, where he downloaded thousands of files related to the program from a password-protected corporate server. He departed from Google and created Otto, a self-driving truck company, which Uber bought in 2016, according to The New York Times. Levandowski pleaded guilty to one count of trade secrets theft and was sentenced to 18 months in prison and $851,499 in fines and restitution. Levandowski received a presidential pardon in January 2021.

·        Michael Jackson. Investigators used metadata and medical documents from Michael Jackson's doctor's iPhone that showed the doctor, Conrad Murray, prescribed lethal amounts of medication to Jackson, who died in 2009.

Computer forensics careers and certifications

Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification. Some examples of cyber forensic career paths include the following:

·        Forensic engineer. These professionals deal with the collection stage of the computer forensic process, gathering data and preparing it for analysis. They help determine how a device failed.

·        Forensic accountant. This position deals with crimes involving money laundering and other transactions made to cover up illegal activity.

·        Cybersecurity analyst. This position deals with analyzing data once it has been collected and drawing insights that can later be used to improve an organization's cybersecurity strategy.

A bachelor's degree -- and, sometimes, a master's degree -- in computer science, cybersecurity or a related field is required of computer forensic professionals. There are several certifications available in this field, including the following:

·        CyberSecurity Institute's CyberSecurity Forensic Analyst. This credential is designed for security professionals with at least two years of experience. Testing scenarios are based on actual cases.

·        International Association of Computer Investigative Specialists' Certified Forensic Computer Examiner. This program focuses primarily on validating the skills necessary to ensure business follows established computer forensic guidelines.

·        EC-Council's Computer Hacking Forensic Investigator. This certification assesses an applicant's ability to identify intruders and collect evidence that can be used in court. It covers search and seizure of information systems, working with digital proof and other cyber forensics skills.

·        International Society of Forensic Computer Examiners' (ISFCE) Certified Computer Examiner. This forensic examiner program requires training at an authorized bootcamp training center, and applicants must sign the ISFCE Code of Ethics and Professional Responsibility.

Advantages of computer (digital) forensics

The main benefits are:

·        It ensures the integrity of the computer system.

·        It produces evidence for the court, which can lead to the punishment of the culprit.

·        It helps companies capture important information if their computer systems or networks are compromised.

·        It efficiently tracks down cybercriminals from anywhere in the world.

·        It helps to protect the organization's money and valuable time.

·        It allows investigators to extract, process and interpret factual evidence, so that the cybercriminal's actions can be proved in court.

Disadvantages of computer (digital) forensics

The major drawbacks are:

·        Digital evidence is accepted in court, but it must be proved that it has not been tampered with.

·        Producing electronic records and storing them is an extremely costly affair.

·        Legal practitioners must have extensive computer knowledge.

·        Authentic and convincing evidence must be produced.

·        If the tools used for digital forensics do not meet specified standards, the evidence can be rejected in a court of law.

·        A lack of technical knowledge on the part of the investigating officer may prevent the desired result from being achieved.
