Investigation Techniques and Computer Forensics

Forensics is a discipline that dates back at least to the Roman era (and possibly event to ancient China), when people accused of crimes (and the accuser) presented evidence in front of a public audience (the Latin word forensics, means “of or before the forum”). In modern times it has come to mean the application of scientific processes to recover evidence related to crime or other legal action.

Digital Forensics System

Digital forensics, as a discipline, grew out of the explosion in personal computer use during the late 1970s and early 1980s. The first specific computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. Over the next few years the range of computer crimes being committed increased and laws were passed to deal with issues of copyright, privacy/harassment and child pornography.

It was not until the 1980s that federal laws began to incorporate computer offences. Canada was the first country to pass legislation in 1983. This was followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to their crimes acts in 1989 and the British Computer Abuse Act in 1990.

Also Read: Cybersecurity Regulations and Compliance You Need To Know

Much of the forensic analysis during this period was performed on “live” systems, using traditional (and non-specialist) system administration tools. Very few standards or guidelines existed to help practitioners, and the evidence they produced was often rejected by courts. Digital forensics is traditionally associated with criminal investigations and, as you would expect, most types of investigation centre on some form of computer crime.

This sort of crime can take two forms; computer based crime and computer facilitated crime.

1. Computer based crime

This is criminal activity that is conducted purely on computers, for example cyber -bullying or spam. As well as crimes newly defined by the computing age it also includes traditional crime conducted purely on computers (for example, child pornography).

2. Computer facilitated crime

Crime conducted in the “real world” but facilitated by the use of computers. A classic example of this sort of crime is fraud: computers are commonly used to communicate with other fraudsters, to record/plan activities or to create fraudulent documents. Not all digital forensics investigations focus on criminal behaviour; sometimes the techniques are used in corporate (or private) settings to recover lost information or to rebuild the activities of employees.

Types of Investigation

There are four main types of investigation performed by digital forensics specialists. The first three are broadly similar in the activities involve, but differ in terms of the legal restrictions and guidelines imposed as well as the type of digital evidence and form of report.

1. Criminal forensics

The largest form of digital forensics and falling under the remit of law enforcement (or private contractors working for them). Criminal forensics is usually part of a wider investigation conducted by law enforcement and other specialists with reports being intended to facilitate that investigation and, ultimately, to be entered as expert evidence before the court. Focus is on forensically sound data extraction and producing report/evidence in simple terms that a lay man will understand.

2. Intelligence gathering

This type of investigation is often associated with crime, but in relation to providing intelligence to help track, stop or identify criminal activity. Unless the evidence is later to be used in court forensic soundness is less of a concern in this form of investigation, instead speed can be a common requirement.

3. Electronic discovery (eDiscovery)

Similar to “criminal forensics” but in relation to civil law. Although functionally identical to its criminal counter part, eDiscovery has specific legal limitations and restrictions, usually in relation to the scope of any investigation. Privacy laws (for example, the right of employees not to have personal conversation intercepted) and human rights legislation often affect electronic discovery.

4. Intrusion investigation

The final form of investigation is different from the previous three. Intrusion investigation is instigated as a response to a network intrusion, for example a hacker trying to steal corporate secrets. The investigation focuses on identifying the entry point for such attacks, the scope of access and mitigating the hackers activities. Intrusion investigation often occurs “live” (i.e. in real time) and leans heavily on the discipline of network forensics.

Evidence and Analysis

Obviously the main aim of any investigation is to recover some form of digital evidence, objective data that is relevant to the examination. On top of that the investigator might be asked to make some form of analysis of that evidence; either to form an expert conclusion, or to explain the meaning of the evidence. Here are some examples of the kind of analysis an examiner might be asked to undertake:

1. Attribution

Meta data and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.

2. Alibis and statements

Information provided by those involved can be cross checked with digital evidence.

3. Intent

Intent as well as finding objective evidence of a crime being committed, investigations can also be used to prove the intent.

4. Evaluation of source

File artefacts and meta-data can be used to identify the origin of a particular piece of data. for example, older versions of Microsoft Word embedded a Global Unique Identifier into files which identified the computer it had been created on. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.

5. Document authentication

Related to “Evaluation of Source”, meta data associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the created date of a file). Document authentication relates to detecting and identifying falsification of such details.

You may also like: