Forensic Computing has developed rapidly as an industry and gained significant importance in our lives due to the increasing use of technological devices. With the abundance of data it works with, it has found its place among the forensic sciences in illuminating legal matters. It is the branch of combating cybercrime that involves collecting and examining evidence to identify and investigate committed offenses.
Forensic Computing encompasses all efforts related to defining, obtaining, storing, examining, and presenting any kind of data (audio, video, text, etc.) stored or transmitted in electronic environments as digital evidence to legal authorities.

Forensic Computing analysis does not necessarily have to be related to a specific legal case. It may be required for the examination of a computing device due to everyday needs, unrelated to any legal incident.
The process of Forensic Computing involves the collection of devices with digital data storage and transmission capabilities, identification of digital evidence within these devices, and the reporting of digital evidence to legal authorities, all with the purpose of illuminating events.
In technical terms, Forensic Computing refers to the identification, acquisition, preservation, examination, and presentation of any kind of digital object, such as audio, video, data/information, or their combinations, stored or transmitted in electromagnetic-electro-optical environments, as digital evidence in a court of law.
Forensic Informatics Review Process and Methods
Understanding the process and methods of Forensic Computing is essential, as nearly every crime now has a digital aspect. This understanding can prevent innocent people from being falsely accused, whereas a simple lack of knowledge can enable offenders to escape justice.
Leaving or erasing evidence is easier in virtual environments, which makes Forensic Computing important not only for criminal investigations but also for resolving security-related issues in network environments.
The Forensic Computing examination is a process consisting of four main steps:
- Identification
- Examination
- Analysis
- Reporting
These steps are crucial in conducting a comprehensive and effective Forensic Computing analysis.

Identification
The process of Forensic Computing analysis begins with the identification and collection of potential data storage sources (digital evidence). Typical data sources may include computers with attached hard drives, CDs, DVDs, USB drives, flash drives, memory cards, disks, GPS devices, and mobile phones. Additionally, data from magnetic card copiers, database applications, web server logs, and telephone call traffic can also serve as sources.
Examination
During the examination process, exact copies (forensic images) of the collected data sources are created, and the investigation is conducted based on these copies. Ensuring the data integrity of the evidence is crucial in this phase. This means that the evidence must be preserved from the moment it is seized. The procedures for collecting data from a running computer are different from those of a powered-off computer. The explanation given here assumes intervention with a powered-off computer.
Analysis
In this phase, relevant data is extracted from the exact copy of the examined evidence.
Reporting
The reporting process involves presenting the findings obtained during the analysis. Reports should be clear, understandable, and focused on evaluations rather than claims.
It’s important to note that the above four processes are commonly applied, but the process can be flexible depending on the identified sources. For example, creating exact copies of thousands of clients’ computers in a system may not be practical. Similarly, shutting down the entire system to examine a database application used by thousands of clients may not be feasible. Therefore, the intervention method will vary depending on the system’s characteristics. Some sources may not require exact copies at all, and the examination can be performed while the system is still running.
Forensic Computing Analysis Methods:
Cross-drive analysis
This forensic technique is used to associate information found on multiple hard drives. It can be used to identify social networks and detect anomalies.
Live analysis
Live analysis involves using special forensic or existing system administrator tools to extract evidence from a computer’s operating system. For example, it can be used to retrieve encryption keys or view the logical drive before shutting down the computer.
Deleted files recovery
A common technique used in computer forensics is the recovery of deleted files. Most operating systems and file systems do not immediately erase physical file data. Researchers can therefore recover deleted data by reconstructing it from physical disk sectors and by examining the deleted data within a disk image.
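The recovery described above can be shown with header/footer carving, as an added example that is not part of the original article. It scans raw image bytes for JPEG start and end markers; the sample "disk" and the function names are constructed for illustration.

```python
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus first segment byte
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Return (offset, data) for each header/footer-delimited JPEG candidate.

    Works on the raw bytes of a disk image, so it also finds files whose
    directory entry is gone but whose sectors have not been overwritten.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header without footer: overwritten or fragmented, skip it.
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def build_sample_image():
    """Constructed 4-sector 'disk': one intact deleted JPEG, one truncated."""
    sector = 512
    jpeg = JPEG_SOI + b"\xe0" + b"constructed-picture-data" + JPEG_EOI
    truncated = JPEG_SOI + b"\xe0" + b"overwritten tail"
    disk = bytearray(4 * sector)          # zero-filled unallocated space
    disk[sector:sector + len(jpeg)] = jpeg
    disk[3 * sector:3 * sector + len(truncated)] = truncated
    return bytes(disk), jpeg


if __name__ == "__main__":
    disk, _ = build_sample_image()
    for offset, data in carve_jpegs(disk):
        print(f"candidate at byte {offset}, {len(data)} bytes")
```

Real JPEGs can contain an embedded thumbnail with its own end marker, so carved candidates still need to be validated by opening them.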
Stochastic
This method uses the stochastic properties of a computer system to investigate activities that leave no digital artifacts behind. Its primary use is in investigating data theft.
Steganography
Steganography is a technique used to hide data within an image or digital picture. Criminals may use this method to hide incriminating images or other information. Computer forensic experts can compute the image's hash and compare it with that of the original image to identify any changes. When the data changes, the hash changes as well.

Digital evidence is the general term for the data contained within computer systems or electronic devices with data storage capabilities, which plays a significant role in clarifying the crime.
Digital Evidence and Acquisition Methods
The methods of obtaining digital evidence encompass specific stages, and any actions outside this framework may compromise the evidential value of the data.
Evaluation of Digital Evidence
- The data must possess the nature of evidence.
- The evidence should be supportive of the alleged crime.
- The evidence must be obtained through methods compliant with the law.
Collection of Digital Evidence
- A backup should be made for every piece of digital evidence.
- If the digital evidence is connected to a local network, it should be disconnected from the network and stored securely in a designated location.
- The transportation and preservation procedures of the evidence should be conducted in accordance with the law, and the details of these actions should be documented in a protocol.
- If the digital evidence is in a powered-off state, it should not be turned on, so that its evidential value is maintained.
- If the device is powered on, a RAM image should be taken before shutting it down.
- All data present on the digital evidence should be imaged onto a sufficiently sized disk following technical specifications.
- Hash values (file fingerprints) should be obtained for the copied data.
- Only the person responsible for examining the evidence should have access to it, and others should not be allowed access.
Note: The above guidelines are essential to preserve the integrity and authenticity of digital evidence during the investigation process. Adhering to proper procedures is crucial to ensure the evidence remains admissible in a court of law.
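The imaging and hashing steps from the Examination phase and the collection list above can be sketched as follows. This is an added example, not part of the original article: the file names and sample data are constructed, and an ordinary file stands in for the seized device, which in practice would be read through a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large sources fit in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source to image, hash the bytes as read, then verify the copy."""
    digest = hashlib.sha256()
    size = 0
    # Mode "xb" refuses to overwrite an existing image file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
            size += len(block)
    os.chmod(image, 0o444)  # mark the copy read-only from here on
    source_hash = digest.hexdigest()
    image_hash = sha256_file(image)  # re-read what was actually written
    return {"bytes": size, "source_sha256": source_hash,
            "image_sha256": image_hash, "verified": source_hash == image_hash}


def demo():
    """Acquire a constructed 'device' file, then run a later integrity check."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.raw")   # constructed sample data
    image = os.path.join(workdir, "evidence.img")
    with open(source, "wb") as fh:
        fh.write(b"constructed sample sector " * 4096)
    record = acquire(source, image)
    # Simulate the copy being altered by one byte after acquisition.
    os.chmod(image, 0o644)
    with open(image, "r+b") as fh:
        fh.seek(100)
        fh.write(b"X")
    record["still_intact"] = sha256_file(image) == record["source_sha256"]
    return record
```

The hash recorded at acquisition time is what every later check compares against; a single changed byte makes the comparison fail.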
