Forensics
Computer forensics is a clear, well-defined methodology used to preserve, identify, recover, and document computer or electronic data. Although the computer forensics field is relatively new to the corporate sector, law enforcement has been practicing this science since the mid-1980s. Growth in this field is directly related to the ever-growing popularity of electronics.
Computers are one of the most targeted items of examination, but they are not the only devices subject to forensic analysis. Cellphones, PDAs, pagers, digital cameras, and just about any electronic device also can be analyzed. Attempted hacking attacks and allegations of employee computer misuse have added to the organization's need to examine and analyze electronic devices. Mishandling these matters can cost companies millions, so each must be handled in a legal and defensible manner. Because electronic information can be easily changed, a forensic examination usually follows these three steps:
1. Acquire: This is usually performed by means of a bit-level copy. A bit-level copy is an exact duplicate of the original data, allowing the examiner to scrutinize the copy while leaving the original copy intact.
2. Authenticate: This process requires an investigator to show that the data is unchanged and has not been tampered with. Authentication can be accomplished through the use of checksums and hashes such as MD5 and SHA.
3. Analyze: The investigator must be careful to examine the data and ensure that his actions are documented. The investigator usually recovers evidence by examining drive slack space, file slack space, hidden files, swap data, Internet cache, and other locations, such as the recycle bin. Copies of the original disks, drive, or data are usually examined to protect the original evidence.
Handling Evidence
The handling of evidence is of special importance to the forensic investigator. This is addressed through the chain of custody, a process that helps protect the integrity and reliability of the evidence by providing an evidence log that shows every access to evidence, from collection to appearance in court. A complete chain of custody report also includes any procedures or activities that were performed on the evidence.
A primary image is the original image. It should be held in storage and kept unchanged. The working image is the one used for analysis purposes.
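The acquire and authenticate steps above, together with the chain-of-custody log and the primary/working image distinction, can be shown end to end in a short script. The following Python example is added here and is not part of the original text: it makes a bit-level copy of a constructed sample "device" file, records MD5 and SHA-256 digests, keeps an append-only custody log, and then demonstrates that a working image which was altered during analysis fails authentication while the untouched primary image still verifies. All file names, the `CustodyLog` class and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a seized drive's contents (not real evidence).
SAMPLE_IMAGE = b"constructed disk image contents: not real evidence\n" * 64


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for the file at `path`, reading in chunks
    so that multi-gigabyte images never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source_path, image_path):
    """Bit-level copy: duplicate every byte of the source into image_path and
    return the digests of both sides so the copy can be authenticated later."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    return {"source": hash_file(source_path), "image": hash_file(image_path)}


def authenticate(image_path, expected_hashes):
    """True only if every recorded digest still matches the image on disk."""
    return hash_file(image_path, tuple(expected_hashes)) == expected_hashes


class CustodyLog:
    """Append-only chain-of-custody log (hypothetical): who handled which item,
    when, what they did, and the item's digests at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, item, action, handler, hashes):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item, "action": action, "handler": handler,
            "hashes": dict(hashes),
        })

    def unbroken(self, item):
        """True if every digest logged for `item` equals the first one recorded,
        i.e. the item was not altered between any two logged accesses."""
        seen = [e["hashes"] for e in self.entries if e["item"] == item]
        return bool(seen) and all(h == seen[0] for h in seen)


def demo(workdir=None):
    """Acquire, authenticate, then detect a working image that was modified."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    source = os.path.join(workdir, "suspect_device.bin")   # the seized media
    primary = os.path.join(workdir, "primary_image.bin")   # stored, never changed
    working = os.path.join(workdir, "working_image.bin")   # used for analysis
    with open(source, "wb") as fh:
        fh.write(SAMPLE_IMAGE)

    log = CustodyLog()
    hashes = acquire(source, primary)
    log.record("primary", "acquired", "examiner A", hashes["image"])

    # The working copy is made from the primary; the primary is never opened for writing.
    acquire(primary, working)
    log.record("primary", "copied to working image", "examiner A", hash_file(primary))

    # Simulate careless analysis that modifies one byte of the working copy.
    with open(working, "r+b") as fh:
        fh.write(b"X")

    log.record("primary", "verified before court", "examiner B", hash_file(primary))
    return {
        "source_matches_image": hashes["source"] == hashes["image"],
        "primary_ok": authenticate(primary, hashes["image"]),
        "working_ok": authenticate(working, hashes["image"]),
        "chain_unbroken": log.unbroken("primary"),
    }


if __name__ == "__main__":
    print(demo())
```

Two digests are recorded rather than one so that a collision against the older MD5 algorithm alone cannot be used to argue the image was substituted; the custody log stores the digests with every access, which is what lets `unbroken()` show that the primary image was identical each time it was handled.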
Trace Evidence
Locard's Exchange Principle states that whenever two objects come into contact, a transfer of material will occur. The resulting trace evidence left behind during this transfer can be used to associate objects, individuals, or locations to a crime. Simply stated, no matter how hard someone tries, some trace evidence always remains; although criminals can make recovery harder by deleting files and caches, they cannot remove every trace.
Drive Wiping
Drive wiping is the process of overwriting all addressable locations on the disk. The Department of Defense (DoD) drive-wiping standard 5220.22-M states, "All addressable locations must be overwritten with a character, its complement, then a random character and verify." By making several passes over the media, an organization can further decrease the possibility of data recovery. Organizations worried about proper disposal of used media can thereby obtain clean, unrecoverable media. In the hands of the criminal, drive wiping offers the chance to destroy evidence.
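The three-pass pattern quoted above (a character, its complement, then random data, followed by verification) can be implemented against a regular file to see exactly what each pass writes and how the read-back check works. This Python example is added here for illustration and is not from the original text or from the DoD standard: it operates on a constructed temporary file rather than a raw device, verifies after every pass rather than only after the last one, and regenerates the random pass from a saved seed so it can be checked without holding the whole stream in memory. The `wipe_file` function, its `char` default of 0x55 and the marker text are assumptions; `random.Random.randbytes` requires Python 3.9 or later.

```python
import os
import random
import secrets
import tempfile

BLOCK = 1 << 16  # 64 KiB overwrite and read-back unit


def _overwrite(fh, size, pattern_fn):
    """Write `size` bytes, produced block by block by pattern_fn(n), from offset 0."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(BLOCK, remaining)
        fh.write(pattern_fn(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # make sure the pass reached the medium before verifying


def _verify(fh, size, expected_fn):
    """Read the file back and confirm every block equals expected_fn(n)."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(BLOCK, remaining)
        if fh.read(n) != expected_fn(n):
            return False
        remaining -= n
    return True


def wipe_file(path, char=0x55):
    """Overwrite every byte of the file at `path` three times: a fixed character,
    its complement, then pseudo-random bytes. Each pass is read back and verified.
    Returns {pass_name: verified} for the three passes."""
    size = os.path.getsize(path)
    complement = (~char) & 0xFF
    seed = secrets.randbits(64)  # the random pass is regenerated from this seed for verification
    report = {}
    with open(path, "r+b") as fh:
        for name, gen in (("character", lambda n: bytes([char]) * n),
                          ("complement", lambda n: bytes([complement]) * n)):
            _overwrite(fh, size, gen)
            report[name] = _verify(fh, size, gen)
        # Random pass: two generators seeded identically yield the same byte stream,
        # so the checker reproduces exactly what the writer wrote.
        _overwrite(fh, size, random.Random(seed).randbytes)
        report["random"] = _verify(fh, size, random.Random(seed).randbytes)
    return report


def demo():
    """Wipe a constructed file and confirm its original content is gone."""
    marker = b"CONSTRUCTED sensitive record 0001\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 5000)  # about 170 KB, so several BLOCK-sized chunks
        path = tmp.name
    try:
        report = wipe_file(path)
        with open(path, "rb") as fh:
            leftover = marker in fh.read()
    finally:
        os.remove(path)
    return {"passes": report, "marker_recoverable": leftover}


if __name__ == "__main__":
    print(demo())
```

The verification step matters because a pass that silently failed (a write error, a read-only mapping, a device that discarded the writes) would leave recoverable data behind while reporting success. Note also that overwriting a file's logical blocks is not the same as sanitizing a physical drive: filesystems and flash translation layers on SSDs remap blocks, so disposal of real media should rely on the device's own secure-erase command or physical destruction rather than a file-level overwrite like this one.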
Standardization of Forensic Procedures
In March 1998, the International Organization on Computer Evidence (IOCE) was appointed to draw up international principles for the procedures relating to digital evidence. The goal was to harmonize methods and practices among nations and guarantee that digital evidence collected by one state can be used in the courts of another state. The IOCE (www.ioec.org) has established the following six principles to govern these activities:
- When dealing with digital evidence, all generally accepted forensic and procedural principles must be applied.
- Upon seizing digital evidence, actions taken should not change that evidence.
- When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in his possession.
- Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.