Understanding Computer Forensics
The ultimate goal of computer forensics is to produce evidence for legal cases.
To achieve this, there are four objectives you need to keep in mind.
- The first objective is to prepare for an investigation by ensuring the integrity of the evidence. For example, write-protecting your evidence medium so that you don’t accidentally write over it.
- The second objective is to acquire data. This includes making a copy of your evidence medium so that when you’re doing your investigation, you only work on the copy rather than the evidence medium itself.
- Once you have acquired your data, the next step is to analyze it. Conducting a search based on a keyword to find an incriminating piece of evidence is a good example of analyzing the data.
- Finally, the last step is to identify evidence and present it in the form of a written report. A lot of times these reports are auto-generated by your computer forensics tool, but you often have to edit them.
When these objectives of computer forensics are accomplished, it’s safe to say that an investigator is now ready to submit the evidence.
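The following script is an added example, not part of the original article and not the output of any particular forensics suite. It walks through the four objectives above with only the Python standard library: it hashes a (constructed) evidence image before touching it, makes a working copy and proves the copy is bit-identical, runs a keyword search on the copy only, re-hashes the copy to show the analysis changed nothing, and writes a plain-text report. The sample image bytes, the case number, the keywords and the report layout are all assumptions made for the example; the `chmod` call is only a weak stand-in for the write blocker a real acquisition would use.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample "evidence image": filler bytes around text that a keyword
# search should find. A real image would come from a bit-for-bit acquisition.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"Meeting notes: transfer the design files to the competitor tonight\n"
    + b"\xff" * 32
    + b"Other text unrelated to the case.\n"
)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(evidence_path, working_copy_path):
    """Objectives 1 and 2: hash the original, copy it, and prove the copy matches.

    The evidence file is only ever opened for reading; every later step works
    on the copy. Mismatched hashes mean the copy cannot be trusted.
    """
    original_hash = sha256_file(evidence_path)
    shutil.copyfile(evidence_path, working_copy_path)
    copy_hash = sha256_file(working_copy_path)
    if copy_hash != original_hash:
        raise RuntimeError("working copy does not match the evidence medium")
    return {"original_sha256": original_hash, "copy_sha256": copy_hash}


def keyword_search(image_path, keywords, context=20):
    """Objective 3: case-insensitive search for each keyword, recording the byte
    offset and a little surrounding context so each hit can be revisited."""
    with open(image_path, "rb") as f:
        data = f.read()
    haystack = data.lower()          # ASCII-only lowering keeps offsets intact
    hits = []
    for kw in keywords:
        needle = kw.lower()
        start = 0
        while (idx := haystack.find(needle, start)) != -1:
            snippet = data[max(0, idx - context): idx + len(kw) + context]
            hits.append({"keyword": kw.decode(), "offset": idx,
                         "context": snippet.decode("latin-1")})
            start = idx + 1
    return hits


def write_report(report_path, case_id, acquisition, hits, post_analysis_hash):
    """Objective 4: a plain-text report an examiner would then edit by hand."""
    lines = [
        f"Case: {case_id}",
        f"Generated: {datetime.now(timezone.utc).isoformat()}",
        "",
        "Acquisition",
        f"  evidence SHA-256:      {acquisition['original_sha256']}",
        f"  working copy SHA-256:  {acquisition['copy_sha256']}",
        f"  copy unchanged after analysis: {post_analysis_hash == acquisition['copy_sha256']}",
        "",
        f"Keyword hits: {len(hits)}",
    ]
    for h in hits:
        lines.append(f"  offset {h['offset']:>10}  {h['keyword']!r}  context {h['context']!r}")
    text = "\n".join(lines) + "\n"
    with open(report_path, "w", encoding="utf-8") as f:
        f.write(text)
    return text


def run_case(case_id, evidence_path, workdir, keywords):
    """Run the four objectives end to end and return everything the report used."""
    working_copy = os.path.join(workdir, "working_copy.img")
    report_path = os.path.join(workdir, "report.txt")
    acquisition = acquire(evidence_path, working_copy)
    hits = keyword_search(working_copy, keywords)
    post_hash = sha256_file(working_copy)   # prove analysis did not alter the copy
    report = write_report(report_path, case_id, acquisition, hits, post_hash)
    return {"acquisition": acquisition, "hits": hits,
            "post_analysis_sha256": post_hash, "report_path": report_path,
            "report": report}


def demo():
    """Write the constructed image to a temp directory and run the whole flow."""
    workdir = tempfile.mkdtemp(prefix="forensics_demo_")
    evidence = os.path.join(workdir, "evidence.img")
    with open(evidence, "wb") as f:
        f.write(SAMPLE_IMAGE)
    os.chmod(evidence, 0o444)   # weak stand-in for a write blocker on a real drive
    return run_case("CASE-0001", evidence, workdir,
                    [b"design files", b"competitor", b"payroll"])


if __name__ == "__main__":
    print(demo()["report"])
```

Running the script prints the report; the two hashes recorded at acquisition and the third one taken after analysis are what lets an examiner state that the working copy is an exact duplicate and was not modified while being searched. The keyword that has no hit still appears in the count as zero, which is worth keeping in a report so the reader can see what was looked for and not found.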
Types of investigations
There are two primary types of computer forensic investigations, one is public and the other is private.
- Public investigations occur in the context of criminal cases. They are usually conducted by law enforcement officers and driven by the statutes of criminal law. Some examples of public investigations involve drug crimes, sexual exploitation, and theft.
- Private investigations occur in the context of civil cases and are typically conducted by corporations or similar types of organizations. They’re driven by the statutes of civil law, or by organizational policies. Organizations try to avoid any form of litigation because of the enormous cost involved, so many private investigations simply turn out to be internal cases. One of the most important things to consider in private investigations is business continuity. If your investigation is hurting your business’s bottom line, the investigation is probably not worth it. Therefore, your priority has to be actually stopping the violations rather than litigating. Some examples of private investigations include sabotage, embezzlement, and industrial espionage.
Also, the boundary between public and private investigations is not always very clear. For example, when you’re investigating an employee for a potential violation of company policies and come across illegal pornography, the job quickly turns into a public case. For this reason, as a computer forensics investigator, you should be able to handle both public and private cases.
Tools
There are many tools of the trade in computer forensics. Some of these tools are software based, others are hardware based. Many computer forensic software tools exist in the form of a software suite. They usually have a comprehensive set of features that cover an investigation from the beginning to its completion. Some of these features include the ability to acquire and process data, conduct searches, and generate reports.
Depending on the nature of your case, there are times you need specialized software tools beyond a computer forensics software suite, because sometimes the suite doesn’t provide the particular feature you’re looking for. For example, if you had to retrieve hidden text in an image file, a general-purpose computer forensics tool wouldn’t be able to help you. For that you need specialized software called a steganography tool.
There are also special hardware needs. Forensic software is demanding in terms of processing power, memory size, and disk space. The more of these resources you have, the better. Forensics workstations also feature extra bays and additional ports to make expansion easier.
In addition to the computer forensics workstation, you may also need some special equipment such as a write blocker, which prevents an operating system from writing to an evidence drive. There are also software write blockers out there, but a lot of times hardware write blockers are preferred because of their simple and sure-fire nature. Although it’s not very special, another tool you need in your computer forensics arsenal is a large-capacity storage device. Evidence drives are often large-capacity devices, and they are getting bigger as we speak.
Regardless of our backgrounds, we all know very well that having an effective tool at hand can make a night and day difference. The same applies to computer forensics. To be effective as a computer forensics investigator you have to have as many relevant tools as possible.