What is computer forensics? In this article we explain what it consists of, its main types and the tools used to carry out a forensic analysis.
What is computer forensics
The term forensics refers to applying an established scientific process to the collection, analysis and presentation of evidence. In a digital investigation every form of evidence can matter, and the need to collect it rigorously is most acute after a cyber attack.
Therefore, a definition of computer forensics can be presented as follows:
It is the discipline that combines the elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.
When a cyber attack has occurred, collecting all relevant evidence is essential to establishing what happened, how it happened and who was responsible. The forensic investigator is particularly interested in one class of evidence, known as "latent data".
In digital forensics this data (also called "ambient data") is not visible at first glance at the scene of a cyber attack: it is not exposed by the file browser or by ordinary applications, and a much deeper level of examination by the forensic expert is needed to unearth it.
This data is not hidden by design. The operating system simply has no reason to expose it through its normal interfaces, so access to it is limited to tools that read the storage media directly.
Examples of latent data include the following:
- Information that is in computer storage but is not listed in the file allocation tables (or their equivalent in the file system in use);
- Information that is not readily visible to the operating system or to commonly used applications;
- Data that has been deliberately deleted and may now be found in:
- Unallocated space on the hard drive;
- Swap (paging) files;
- Print spool files;
- Memory dumps;
- The slack space between the logical end of a file and the end of its last allocated cluster, and temporary cache files.
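To make "unallocated space" and "slack space" concrete, the following Python is an added example (not from the original article or any tool it names). It models a tiny disk image with a 512-byte cluster size: one live file whose last cluster has slack, a deleted JPEG whose clusters are now unallocated, and a marker an anti-forensic tool left in the slack. The image, the allocation table and the signature table are all constructed here for illustration; the carver is a plain header/footer carver of the kind forensic suites implement.

```python
"""Recovering latent data from a constructed disk image (added example)."""

CLUSTER = 512  # bytes per allocation unit (an assumption for the toy image)

# Header/footer signatures a carver looks for (small constructed table).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def build_image():
    """Return (image_bytes, allocation_table).

    allocation_table maps file name -> (first_cluster, n_clusters, size_in_bytes).
    Layout: cluster 0 holds a live 100-byte text file (412 bytes of slack follow it),
    clusters 1-2 held a JPEG that has since been deleted, cluster 3 was never used.
    """
    image = bytearray(CLUSTER * 4)
    note = b"quarterly numbers attached, see mail".ljust(100, b".")
    image[0:100] = note
    # Something tucked into the slack of cluster 0, invisible to the file system.
    marker = b"HIDDEN:meet at 2300 dockside"
    image[300:300 + len(marker)] = marker
    # The deleted JPEG: header, payload and footer spanning clusters 1-2.
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    image[CLUSTER:CLUSTER + len(jpeg)] = jpeg
    table = {"note.txt": (0, 1, 100)}  # only the live file is still allocated
    return bytes(image), table


def slack_space(image, table):
    """Bytes after each file's logical end, up to the end of its last cluster."""
    out = {}
    for name, (first, n, size) in table.items():
        out[name] = image[first * CLUSTER + size:(first + n) * CLUSTER]
    return out


def unallocated_clusters(image, table):
    """Cluster numbers not referenced by any allocated file."""
    used = set()
    for first, n, _ in table.values():
        used.update(range(first, first + n))
    return [c for c in range(len(image) // CLUSTER) if c not in used]


def contiguous_runs(clusters):
    """Group sorted cluster numbers into (start, end) runs so a file that spans
    several free clusters can be carved as one unit."""
    runs = []
    for c in clusters:
        if runs and c == runs[-1][1] + 1:
            runs[-1][1] = c
        else:
            runs.append([c, c])
    return [tuple(r) for r in runs]


def carve(data, base=0):
    """Header/footer carving over a byte run; returns [(type, image_offset, length)]."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = data.find(head)
        while pos != -1:
            end = data.find(foot, pos + len(head))
            if end == -1:
                break
            found.append((kind, base + pos, end + len(foot) - pos))
            pos = data.find(head, end + len(foot))
    return sorted(found, key=lambda t: t[1])


def recover_latent(image, table):
    """Carve every run of unallocated clusters and report what sits in slack."""
    free = unallocated_clusters(image, table)
    carved = []
    for a, b in contiguous_runs(free):
        chunk = image[a * CLUSTER:(b + 1) * CLUSTER]
        carved.extend(carve(chunk, base=a * CLUSTER))
    slack = {k: v.strip(b"\x00") for k, v in slack_space(image, table).items()}
    return {"unallocated_clusters": free, "carved": carved, "slack": slack}


if __name__ == "__main__":
    img, tbl = build_image()
    print(recover_latent(img, tbl))
```

The file system's own view of this image is a single 100-byte text file. Reading the media directly recovers the deleted JPEG from the unallocated clusters and the marker from the slack, which is exactly the difference between what an ordinary user sees and what latent data holds.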
Objectives of computer forensics
In the event of a security breach, these are the essential goals of computer forensics:
- Recover, analyze and preserve the computer and related material so that the investigating agency can present it as evidence in a court of law.
- Establish the motive behind the crime and the identity of the main culprit.
- Define procedures at a suspected crime scene that ensure the digital evidence obtained is not corrupted.
- Data acquisition and duplication: image the media and recover deleted files and partitions in order to extract evidence and validate it.
- Identify evidence quickly and estimate the scope and potential impact of the malicious activity on the victim.
- Produce a computer forensic report that gives a comprehensive account of the investigation process.
- Preserve evidence and document the chain of custody.
Types of computer forensics
The main types of computer forensics are as follows:
Operating system forensics
It is the process of recovering useful information from the operating system (OS) of the computer or mobile device in question. The goal is to acquire empirical evidence that can be attributed to the perpetrator.
Understanding the operating system and its file system is necessary to retrieve data for an investigation. The file system is the operating system's map of the data on the drive: it records where each file's contents are stored, which clusters are allocated and which are free, and the timestamps and ownership metadata that investigations depend on.
Network forensics
Network forensics refers to the capture, monitoring and analysis of network activity to discover the source of attacks, malware, intrusions or security breaches occurring on a network or visible in its traffic.
It sits alongside mobile forensics and digital image forensics as one branch of digital forensics.
It is used in two modes. Proactively, traffic and flow records are monitored to identify suspicious activity or an impending attack. Reactively, captured traffic (packet captures, flow logs, proxy and DNS logs) is analyzed to reconstruct an attack and identify its source.
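As an added example of the reactive mode (not code from the original article or from any named tool), the Python below builds a small constructed packet capture in libpcap format, parses it with a minimal Ethernet/IPv4/TCP decoder written from the public header layouts, summarizes flows, and applies one simple detection: a source that sends SYNs to many distinct ports on one host is flagged as a scanner. Addresses, ports and the threshold are all assumptions; checksums are left at zero because the capture is constructed, not recorded.

```python
"""Parse a pcap and find a port scan (added example, constructed capture)."""
import ipaddress
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps


def build_packet(ts, src, dst, sport, dport, flags, payload=b""):
    """One Ethernet/IPv4/TCP frame plus its 16-byte pcap record header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


def build_capture():
    """Constructed sample: 10.0.0.5 probes ten ports on 10.0.0.10, then 10.0.0.7
    opens an ordinary HTTPS connection to the same host."""
    pkts = []
    for i, port in enumerate((21, 22, 23, 25, 80, 443, 445, 3389, 8080, 8443)):
        pkts.append(build_packet(1000 + i, "10.0.0.5", "10.0.0.10", 40000 + i, port, 0x02))  # SYN
    pkts.append(build_packet(2000, "10.0.0.7", "10.0.0.10", 51000, 443, 0x02))             # SYN
    pkts.append(build_packet(2000, "10.0.0.10", "10.0.0.7", 443, 51000, 0x12))             # SYN/ACK
    pkts.append(build_packet(2001, "10.0.0.7", "10.0.0.10", 51000, 443, 0x18,
                             b"GET / HTTP/1.1\r\n"))                                        # PSH/ACK
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return header + b"".join(pkts)


def parse_pcap(data):
    """Yield (time, src, dst, sport, dport, tcp_flags, payload) per IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length
        if frame[23] != 6:
            continue                                  # protocol field: TCP only here
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield (ts_sec + ts_usec / 1e6, src, dst, sport, dport, tcp[13], tcp[data_off:])


def summarize(data, scan_threshold=5):
    """Flow counts per (src, dst, dport) and a list of probable scanners: sources
    whose bare SYNs (SYN set, ACK clear) reached scan_threshold or more distinct ports."""
    flows = Counter()
    syn_targets = defaultdict(set)
    for _, src, dst, _, dport, flags, _ in parse_pcap(data):
        flows[(src, dst, dport)] += 1
        if flags & 0x12 == 0x02:
            syn_targets[(src, dst)].add(dport)
    scanners = sorted(src for (src, _), ports in syn_targets.items() if len(ports) >= scan_threshold)
    return {"flows": dict(flows), "scanners": scanners}


if __name__ == "__main__":
    print(summarize(build_capture()))
```

The same parser runs unchanged over a real capture file read from disk; only the detection logic would need tuning (threshold, time window, allow-listing of known scanners such as vulnerability management hosts).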
Mobile device forensics
Crime does not occur in isolation from technological trends; mobile device forensics has therefore become an important part of digital forensics.
The mobile forensics process aims to recover digital evidence or relevant data from a mobile device while preserving it in a forensically sound condition. That requires precise procedures for each stage: seizure, isolation from networks (so the device cannot be remotely wiped or altered), transport, storage, examination and verification of the evidence extracted.
Cloud forensics
Today, with much of an organization's critical data held by cloud service providers, one of the main concerns is handling security incidents there, including being able to respond quickly to, and report, events that may lead to legal proceedings.
This is not easy, and it is further complicated by the fact that the organization depends on the cloud provider's ability and willingness to deliver forensic data (logs, snapshots, access records) in the event of a legal dispute, civil or criminal, arising from a cyber attack or a data breach.
Cloud forensics combines cloud computing and digital forensics and focuses on collecting digital evidence from cloud infrastructure: network assets, physical and virtual servers, storage, applications and any provided services.
In most situations this environment remains at least partially live and can be reconfigured quickly with minimal effort, so evidence must be captured before it changes. In the end, any evidence collected must be suitable for presentation in a court of law.
Computer forensics vs computer anti-forensics
Computer anti-forensics can be an investigator's worst nightmare. Anti-forensic tools are designed to make it difficult or impossible to retrieve information during an investigation.
Essentially, computer anti-forensics refers to any technique, device or software designed to hinder a computer investigation.
There are dozens of ways people can hide information. Some programs mislead a naive examination by changing the information in file headers.
A file header is normally invisible to the user but extremely important: its first bytes (the signature, or "magic number") tell software what type of file it is. If you rename an MP3 file so that it has a .gif extension, Windows will try to open it as an image, but a forensic tool that performs signature analysis still recognizes it as an MP3 from the header. Some programs therefore go further and rewrite the header itself so that signature analysis reports a different type.
Other programs split files into small pieces and hide each piece at the end of other files. Files often have unused space called slack space: the gap between the end of a file's data and the end of the last cluster allocated to it. With the right program, you can hide data in that slack, and retrieving and reassembling it is very difficult without knowing where the pieces are.
It is also possible to hide one file inside another. Executable files are particularly troublesome: packers compress or encrypt an executable so that its original code is not visible on disk until it runs, and tools called binders join several executables into a single file.
Encryption is another way to hide data. Encrypting data applies an algorithm, under a key, that makes the data unreadable without that key. Against a modern algorithm, brute-forcing the key is not realistic whatever the investigator's computing power; in practice investigators attack the passphrase that protects the key (dictionary and rule-based guessing), recover keys from a memory capture taken while the encrypted volume was mounted, or obtain the key through legal process.
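The extension-renaming and header-rewriting tricks above have a practical counter, shown here as an added Python example (not from the original article). Signature analysis catches the renamed MP3; for a rewritten header the check has to go beyond the first few bytes and validate the file's internal structure, here the chunk/CRC chain of a PNG. The signature table, the sample files and the spoofing routine are constructed for the example.

```python
"""Signature analysis and structural validation of file headers (added example)."""
import struct
import zlib

# Magic bytes identifying a type regardless of extension (constructed, partial table).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "mp3": b"ID3",        # MP3 with an ID3v2 tag
    "gif": b"GIF8",
}


def identify(data):
    """Signature analysis: the type implied by the header, or None if unknown."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def extension_mismatch(name, data):
    """True when extension and header disagree (the mp3-renamed-to-.gif case)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data)
    return kind is not None and kind != ext


def png_structure_ok(data):
    """Validate beyond the 8-byte signature. A real PNG is a chain of chunks, each a
    4-byte length, 4-byte type, data and a CRC-32 over type+data, starting with IHDR
    and ending with IEND. A PNG signature bolted onto other content fails here."""
    if not data.startswith(MAGIC["png"]):
        return False
    pos, first = 8, True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from("!I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            return False
        crc, = struct.unpack_from("!I", data, pos + 8 + length)
        if zlib.crc32(ctype + body) != crc:
            return False
        if first and ctype != b"IHDR":
            return False
        first = False
        if ctype == b"IEND":
            return True
        pos += 12 + length
    return False


def make_png():
    """Minimal valid 1x1 grayscale PNG assembled from chunks (constructed)."""
    def chunk(ctype, body):
        return struct.pack("!I", len(body)) + ctype + body + struct.pack("!I", zlib.crc32(ctype + body))
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return MAGIC["png"] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def spoof_header(data, as_type):
    """What a header-rewriting anti-forensic tool does: overwrite the leading bytes
    with another type's signature so a naive signature check misclassifies the file."""
    sig = MAGIC[as_type]
    return sig + data[len(sig):]


def triage(files):
    """files: {name: bytes}. Per file: header type, extension mismatch, and for
    anything claiming to be PNG whether its structure actually holds up."""
    report = {}
    for name, data in files.items():
        kind = identify(data)
        finding = {"header_type": kind, "ext_mismatch": extension_mismatch(name, data)}
        if kind == "png":
            finding["structure_ok"] = png_structure_ok(data)
        report[name] = finding
    return report


# Constructed samples: a renamed MP3, a genuine PNG, and a JPEG wearing a PNG header.
SAMPLES = {
    "song.gif": b"ID3\x03\x00" + b"\x00" * 64,
    "photo.png": make_png(),
    "notes.png": spoof_header(b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9", "png"),
}

if __name__ == "__main__":
    for name, finding in triage(SAMPLES).items():
        print(name, finding)
```

The lesson for the practitioner is that a signature table is a first filter, not a verdict: any format with internal consistency checks (chunk CRCs, length fields, trailers) should be validated against them before its type is recorded in the report.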
Other anti-forensic tools alter the metadata attached to files, timestamps in particular. If the metadata has been tampered with, it is harder to present the evidence as reliable.
Some people use anti-forensics precisely to demonstrate how fragile computer evidence can be: if you cannot be sure when a file was created, when it was last accessed, or whether it ever existed, how can you justify relying on it in a court of law?
Tools for digital forensics
Digital forensics tools fall into many categories, so the choice of tool depends on where and how it will be used.
Regardless of these variations, computer forensics tools offer a great number of ways to obtain information during an investigation. The landscape is also very dynamic: new tools and features are released regularly to keep up with constant changes in devices, file systems and operating systems.
FTK Imager is an imaging and data preview tool that allows you to examine files and folders on local hard drives, network drives and CD/DVDs, and to review the content of forensic images or memory dumps.
With FTK Imager you can also hash files with SHA1 or MD5, export files and folders from a forensic image to disk, review and recover files that were deleted from the Recycle Bin (as long as their data blocks have not been overwritten), and mount a forensic image so its contents can be browsed in Windows Explorer.
When you launch FTK Imager, go to 'File > Add Evidence Item...' to load a piece of evidence for review. To create a forensic image, go to 'File > Create Disk Image...' and choose the source you want to image (a physical drive, a logical drive, an existing image file or the contents of a folder).
HashCalc is a hash calculator developed by SlavaSoft. It computes message digests, HMACs and checksums for files, and can also hash hex strings and text strings. The program supports 13 of the most common hash and checksum algorithms.
The interface is simple: a single window exposes all options directly. The user only has to choose the file to hash and the desired hash functions.
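Hashing is the mechanism behind both FTK Imager's image verification and the "chain of custody" objective listed earlier. The following Python is an added example (not from the original article or from either product): it streams a file once while computing several digests, writes a chain-of-custody record, and later re-hashes a working copy to prove it is still identical to the acquired original. The case number, examiner name and the constructed "image" files are assumptions for the demo.

```python
"""Evidence hashing and chain-of-custody verification (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGOS = ("md5", "sha1", "sha256")  # record more than one so a collision on one is moot


def hash_file(path, algos=ALGOS, chunk=1 << 20):
    """Read the file once and update every digest in parallel, so a multi-GB
    image is streamed a single time rather than once per algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data, algos=ALGOS):
    """Same digests for an in-memory buffer (useful for known-answer checks)."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def acquisition_record(path, examiner, case_id, note=""):
    """One chain-of-custody entry: which item, who hashed it, when, and the digests."""
    return {
        "case": case_id,
        "item": os.path.basename(path),
        "size": os.path.getsize(path),
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "hashes": hash_file(path),
    }


def verify_copy(record, copy_path):
    """Re-hash a working copy against the acquisition record.
    Returns (ok, list_of_algorithms_that_mismatched)."""
    current = hash_file(copy_path, algos=tuple(record["hashes"]))
    bad = sorted(a for a in current if current[a] != record["hashes"][a])
    return (not bad, bad)


def demo():
    """Constructed demo: a fake 3 MB 'image', a faithful copy, and a copy with a
    single flipped bit. Only the tampered copy should fail verification."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.raw")
        with open(original, "wb") as fh:
            fh.write(os.urandom(3 * 1024 * 1024))
        rec = acquisition_record(original, "examiner-1", "CASE-0001", "bench acquisition")

        good = os.path.join(d, "working_copy.raw")
        with open(original, "rb") as src, open(good, "wb") as dst:
            dst.write(src.read())

        bad = os.path.join(d, "tampered_copy.raw")
        with open(original, "rb") as src:
            data = bytearray(src.read())
        data[1234] ^= 0x01
        with open(bad, "wb") as fh:
            fh.write(data)

        return {
            "record": json.dumps(rec, indent=2),
            "good": verify_copy(rec, good),
            "bad": verify_copy(rec, bad),
        }


if __name__ == "__main__":
    out = demo()
    print(out["record"])
    print("working copy verified:", out["good"])
    print("tampered copy verified:", out["bad"])
```

Note that the record is only as trustworthy as its storage: in practice the record is signed or kept in a write-once log, and the same hashes are written on the evidence bag or case file so the two can be compared independently.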
Volatile memory analysis
For the analysis of volatile memory there are several tools such as:
- Volatility: used for incident response and malware analysis. From a memory image it extracts running processes, network sockets and connections, loaded DLLs and registry hives, and it also accepts Windows crash dumps and hibernation files as input. It is free software released under the GPL.
- Belkasoft Live RAM Capturer: a small free tool to reliably extract the full contents of a computer's volatile memory, even when an active anti-debugging or anti-dumping mechanism is present. Separate 32-bit and 64-bit builds keep the tool's own footprint in memory as small as possible. Dumps captured with it can be analyzed with any memory forensics tool.
Computer forensic analysis is the discovery and extraction of information from the material gathered at the collection stage. The type of analysis depends on the needs of each case, from extracting a single email to piecing together the complexities of a fraud or terrorism case.
During the analysis the forensic expert usually reports back to a line manager or client. These exchanges can take the analysis down a different path or narrow it to specific areas. Forensic analysis must be accurate, thorough, impartial, documented, repeatable, and completed within the available time and allocated resources.
There are multiple tools for the analysis stage. AccessData Registry Viewer, for example, specializes in Windows registry hives, which hold user, device and program-execution artifacts.
Within the analysis programs for computer forensics, we can highlight the following:
The Sleuth Kit
It is a collection of command line tools and a C library for analyzing disk images and recovering files from them. It is used behind the scenes in Autopsy and in many other open source and commercial forensic tools.
It allows you to quickly search, identify and prioritize potential evidence, on computers and mobile devices, to determine if further investigation is warranted. This will result in a decreased backlog so investigators can focus on closing the case.
SIFT Workstation 3
The SANS Investigative Forensic Toolkit is a set of free, open source forensic and incident response tools designed to perform detailed digital forensic examinations in a variety of environments, and a credible alternative to commercial incident response and forensic toolkits.
SIFT demonstrates that advanced incident response capabilities and deep-dive digital forensics techniques for intrusions can be achieved with state-of-the-art open source tools that are freely available and frequently updated.
OSForensics
It provides one of the fastest and most powerful ways to locate files on a Windows computer. You can search by file name, size, creation and modification dates, and other criteria.
The results are available in a number of useful views, including a Timeline View that lets you browse matches chronologically and shows the pattern of user activity on the machine.
OSForensics can also search the content of files and return results almost instantly once they have been indexed. It handles the most common file formats and is powered by Wrensoft's Zoom search engine.
Computer forensics cases
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies were among the earliest and heaviest users of computer forensics and, as a result, have often been at the forefront of developments in the field.
Computers can themselves be the crime scene, for example in hacking or denial-of-service attacks. They can also hold evidence of crimes that occurred elsewhere, in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnapping, fraud or drug dealing.
A digital forensic examination of a computer can reveal more than expected.
Investigators are interested not only in the content of emails, documents and other files but also in the metadata associated with them. Records of a user's actions are also kept in log files and by applications on the computer, such as web browsers.
Therefore a computer forensic examination can reveal when a document first appeared on a computer, when it was last edited, saved or printed, and which user account performed these actions.
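The timestamp questions in the paragraph above, and the anti-forensics warning earlier that timestamps can be altered, are usually answered together with a timeline. The following Python is an added example (not from the original article or any named tool): it takes a few constructed file-system metadata records, emits them in The Sleuth Kit's "body" format so they could be fed to mactime, flattens them into a single MACB timeline, and applies two heuristics an examiner uses before trusting the times. The paths, owners and epoch values are invented for the example.

```python
"""File timestamp timeline and tampering heuristics (added example)."""
from datetime import datetime, timezone

# Constructed metadata records as exported from a disk image. MACB = Modified,
# Accessed, Changed (metadata), Born (created); values are Unix seconds, UTC.
RECORDS = [
    {"path": "C:/Users/amy/Documents/offer.docx", "owner": "amy", "size": 18320,
     "m": 1700000000, "a": 1700003600, "c": 1700000000, "b": 1699990000},
    {"path": "C:/Users/amy/Documents/pricing.xlsx", "owner": "amy", "size": 40000,
     "m": 1690000000, "a": 1700000500, "c": 1700000400, "b": 1700000400},
    {"path": "C:/Users/amy/AppData/Local/Temp/tool.exe", "owner": "amy", "size": 512000,
     "m": 1577836800, "a": 1700000300, "c": 1700000300, "b": 1700000300},
]


def iso(ts):
    """Epoch seconds to an ISO-8601 UTC string for the report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def bodyfile_line(r):
    """Sleuth Kit body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    Fields this record lacks are written as 0, which mactime accepts."""
    return "0|{path}|0|0|0|0|{size}|{a}|{m}|{c}|{b}".format(**r)


def timeline(records):
    """Flatten the four MACB timestamps of every file into one sorted event list."""
    events = []
    for r in records:
        for key, label in (("m", "M"), ("a", "A"), ("c", "C"), ("b", "B")):
            events.append((r[key], label, r["path"]))
    return sorted(events)


def anomalies(records):
    """Heuristics applied before trusting timestamps:
    - modified earlier than created: the file was copied in from elsewhere (Windows
      keeps the source's modified time and assigns a new creation time) or the
      timestamps were altered; either way 'created' is when it appeared here;
    - a modified time falling exactly on midnight is a common hand-set value and
      worth a second look."""
    out = {}
    for r in records:
        flags = []
        if r["m"] < r["b"]:
            flags.append("modified_before_created")
        if r["m"] % 86400 == 0:
            flags.append("round_modified_timestamp")
        if flags:
            out[r["path"]] = flags
    return out


def first_appeared(records):
    """Creation (born) time is the best single answer to 'when did this file first
    appear on this computer', subject to the anomaly checks above."""
    return {r["path"]: iso(r["b"]) for r in records}


if __name__ == "__main__":
    for r in RECORDS:
        print(bodyfile_line(r))
    for ts, label, path in timeline(RECORDS):
        print(iso(ts), label, path)
    print(anomalies(RECORDS))
```

In this constructed set the spreadsheet's content is older than its creation time, which is consistent with it having been copied onto the machine, while the executable in Temp carries both a copied-in pattern and a suspiciously round modified time, so the examiner would corroborate it from other sources (prefetch, event logs, the file system journal) rather than take the timestamp at face value.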
Commercial organizations have used computer forensics to help with all kinds of cases, including:
- Intellectual property theft
- Employment disputes
- Invoice fraud, often enabled by phishing emails
- Inappropriate use of email and the Internet in the workplace
- Regulatory compliance
Where to study computer forensics?
Choosing where to study computer forensics is a personal decision, but there are a few questions every student should ask: How long do you have to complete the degree? Will you be working while you study, or can you commit to a full-time program?
If you have a more specific idea of what you want to study, base your decision on the curricula that different schools offer. Look for programs with the concentrations, internship opportunities and course structures that suit you best.
Prefer accredited schools: accreditation means the institution has demonstrated to a regional or national council that it meets defined educational criteria. In addition to institution-wide accreditation, some schools have programmatic accreditation, in which individual programs or departments are assessed by a board from the related profession.
There are as many different computer forensics courses as there are schools that offer them, but some subjects are common to most programs. Here are five courses you are likely to find at most institutions, many of which form the foundation of a computer forensics education.
- Basic computer forensics
- Cyber criminology
- Network security
- Incident response
- Vulnerability Analysis and Testing
Why will computer forensics be so important in the future?
With the constant growth in digital devices and online activity, a growing share of crime will leave its evidence in digital form.
The importance of computer forensics for a business is enormous. It is often assumed that hardening the lines of defense with firewalls, routers and similar devices will be enough to thwart any cyber attack.
Security professionals know this is not true, given the sophistication of today's attackers.
The assumption is also wrong from the point of view of computer forensics. While these devices record to some degree what generally happened during an attack, they rarely hold the deeper layer of data needed to establish exactly what happened, on which systems and by whom.
This underscores the need for the organization to deploy, alongside the perimeter devices, controls that produce and retain this specific data: endpoint telemetry, centralized logging, network capture, and the analytics (sometimes machine-learning based) that sift through them.
Layering these controls on top of the perimeter defenses is the model known as "Defense in depth"; designing the environment so that it produces and preserves usable evidence is often called forensic readiness.
With this specific data in hand, there is a much higher chance that the evidence presented will be found admissible in a court of law, and that the perpetrators of the attack can be brought to justice.
Furthermore, by incorporating the principles of defense in depth, the company can more easily comply with laws and regulatory mandates that require many kinds of data to be archived and retained for auditing purposes. An entity that fails a compliance measure can face severe financial penalties.
The above content published at Collaborative Research Group is for informational purposes only and has been developed by referring to reliable sources and recommendations from experts. We do not have any contact with official entities nor do we intend to replace the information that they emit.