Computer Forensic Examination Steps
So what is the field of computer forensics all about? What do computer forensics examiners do every day? These sections answer some of those questions. They are a bit technical; however, we want you to understand what an examiner’s job is and what the major challenges are.
Computer forensics is a field that must frequently adapt to changing law and technology. During a computer forensic examination, proper procedures and sophisticated technology are used to insure the preservation of the evidence and accuracy of the results of the examination. This section does not discuss all of the different scenarios that may be encountered during the course of a forensic examination, but provides some common examples.
Computer forensic examiners take precautions to be sure that the information saved on data storage media designated for examination will be protected from alteration during the forensic examination. Whenever possible, the original media is copied, physically inspected, and stored without alteration to the data. The forensic examiner then examines the copy, not the original media. In computer forensic terminology, the copy is called an “image.”
Need to Conduct the Computer Forensic Examination Off-Site
For a number of reasons, the forensic examination is typically best conducted off-site, in a secure computer forensic laboratory. The first reason examinations should be conducted off-site is that forensic examinations can be extremely complicated. For example, the examiner may have to break passwords or encryption, which may involve special software or hardware to complete the examination. Second, the integrity of the evidence is best maintained in a secure laboratory environment. Third, computer forensic examinations can be time consuming. In fact, the process of imaging data storage media alone can take a very long period of time, depending on the hardware and software involved in the process. If the image is not successful, the examiner may have to re-image the media. If examiners remained on-site, the people in control of the premises could suffer losses, intervene in the examination, or be interrupted for an indefinite period of time. Plus, if the examiner remained on-site, the evidence would be accessible to others, potentially breaking the chain-of-custody and perhaps jeopardizing the entire examination.
Ease of Transfer of Electronic Data
Electronic data and files are easily transferred, copied, downloaded, or uploaded from one data storage medium to another. A computer user needs only minimal skills to perform these tasks. A forensic examination is oftentimes most successful when all data storage media are examined. Further, the transfer of files or data may be evidence that the computer user had knowledge of the file or data’s existence on the particular media and intent to possess that file or data.
Forensic Exam of Unallocated Areas of the Media
Evidence can be found in any location on the media or image, including locations that are not occupied by allocated files. Allocated files are files that have an entry in the file system and occupy a reserved physical location on the data storage media so they cannot be overwritten. All other space on data storage media is considered unallocated space. Unallocated space is any area of the media that does not contain an allocated file and is not reserved for use by the file system. Data found in unallocated space can be overwritten with files or by automated processes. In many situations, unallocated space contains vast quantities of data, including deleted files. Computer forensic examiners must identify and extract data and files from unallocated space, and review it to determine if it is of evidentiary significance.
Recovery of Deleted Files
When a user saves a file, the file gets either a default file name designated by the software or one chosen by the user. The file is written to small physical segments of the media called sectors. The file system marks the sectors used by the file as allocated to that file and prevents other new data from overwriting the allocated file.
When the user deletes the file, the file system marks the sectors as unallocated and available to write new data to. Significantly, the data from a deleted file is not physically removed from the media absent the use of special software and the file may be subject to partial or whole recovery by forensic examiners depending on whether the old files have been overwritten with new data. Deleted files may be recovered years after deletion because media, particularly hard drives, are capable of storing such vast quantities of data.
System Files and Associated Files
Sometimes an operating system or a particular application, will create a file and write data to a hard drive, or write the data to an existing file, log, or location, by an automatic system process. The files or data created during any of these processes are often of vital importance to a forensic examiner because they may assist in the identification of the computer user at the time of the incident under investigation. When a computer user browses the Internet using the software application Internet Explorer, a copy of the whole or partial Internet website is saved, or cached on the hard drive, as is a history of browsing activity. In some situations a small text file called a “cookie” will be stored on the hard drive as a computer user browses the Internet, and be used primarily for identification of the particular computer system/user on return visits to the same Internet site. The cookie may identify the login name of the user as well as the site visited.