Computer Forensics For Dummies
Computer forensics is often painstaking, but finding electronic evidence that helps convict or exonerate someone can be immensely satisfying. Find out what a computer forensics investigator does and where the evidence is, the steps that investigators follow when obtaining and preparing e-evidence, and how that evidence is used.
Computer Forensics: Where to Find Electronic Evidence
If you're working in computer forensics, knowing where to look for electronic evidence is critical. A computer forensics investigator seeks evidence in all the electronics on the following list:
Computer: Digital memories don't forget anything. A hard drive is a goldmine for locating every file that was created, saved, downloaded, sent, or deleted on it, including documents, e-mails, images, and financial records. You can find file content intact, as well as a lot of details about when the file was created, accessed, and edited, and you might even be able to find prior versions. In short, a hard drive is the perfect time machine.
PDA: A handheld device records a person's life like no other device does. To find out the where, what, with whom, and how much of a person's life, check his PDA.
Cellphone or smart phone: As on a PDA, the information you can find on a user's phone can be the e-evidence you need — or it can lead you toward other e-evidence. You can find detailed logs of incoming and outgoing messages, including text messages; transcripts of text messages; address books; calendars; and more.
E-mail: Everything, no matter how incriminating or stupid, is sent and received by e-mail. In fact, nothing is subjected to searches more than e-mail is. It serves as truth serum, and, for exactly that reason, the notorious connection between e-mail and jail is usually ignored.
GPS device: Tracking technology has already been used in high-profile court cases. To find a person's whereabouts, check the GPS device.
Web site that was visited: Any digital device used to access the Internet can be searched for a listing of where on the Web a user has visited — and when. No one surfs anonymously.
MySpace, Facebook, or another social network: Full transcripts of private chats and postings in social networks are gaining on e-mail as the primary source of e-evidence. Note: These chatters chat a lot and don't use punctuation or an easily recognizable language.
Chat room: Sadly, predators and other criminals hang out in chat rooms all over the world.
Any device that has memory: Digital cameras, iPods, flash drives, SIM cards — if it uses memory, it might have evidence.
Network or Internet service provider (ISP): An ISP is a fertile source of digital dirt and details. If bytes pass through it, each network device along the way records them.
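The "time machine" point about a hard drive rests on the created, accessed and modified timestamps the filesystem keeps for every file. The following script, an added example that is not from the book, builds a sorted file-activity timeline from that metadata. The files and their timestamps are constructed in a temporary directory (set with os.utime), so it runs offline; on a real image the times would come from the filesystem itself. The labelled caveat is that st_ctime means different things on Unix and Windows.

```python
# Added example, not from the book: turn the "when was it created, accessed,
# edited" metadata into a sorted timeline. Files and timestamps are constructed
# in a temporary directory; no real evidence is read.
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def collect_timeline(root):
    """Return (epoch_seconds, event, relative_path) tuples, oldest first.

    st_ctime is the inode-change time on Unix but the creation time on Windows,
    so it is labelled 'changed' here rather than 'created'.
    """
    root = Path(root)
    events = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        st = p.stat()
        rel = str(p.relative_to(root))
        events.append((st.st_mtime, "modified", rel))
        events.append((st.st_atime, "accessed", rel))
        events.append((st.st_ctime, "changed", rel))
    events.sort()
    return events


def build_sample_timeline():
    """Create constructed files with known accessed/modified times and return
    the timeline. os.utime stages the sample case; a real drive needs no staging."""
    root = Path(tempfile.mkdtemp())
    staged = {
        # name: (accessed, modified) as epoch seconds, all constructed values
        "memo.txt": (1_700_003_600, 1_700_000_000),
        "photo.jpg": (1_699_995_000, 1_699_990_000),
    }
    for name, (atime, mtime) in staged.items():
        path = root / name
        path.write_text(f"constructed contents of {name}")
        os.utime(path, (atime, mtime))
    return collect_timeline(root)


def format_timeline(events):
    """Render each event as an ISO-8601 UTC timestamp, event type and path."""
    return [
        f"{datetime.fromtimestamp(ts, timezone.utc).isoformat()}  {ev:<9} {name}"
        for ts, ev, name in events
    ]


if __name__ == "__main__":
    for line in format_timeline(build_sample_timeline()):
        print(line)
```

The two "changed" entries land last because they reflect the moment the sample files were written, which is why an examiner reads ctime alongside, not instead of, the modified and accessed times.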
Steps to Take in a Computer Forensics Investigation
Computer forensics is a meticulous practice. When a crime involving electronics is suspected, a computer forensics investigator takes each of the following steps to reach — hopefully — a successful conclusion:
Obtain authorization to search and seize.
Secure the area, which may be a crime scene.
Document the chain of custody of every item that was seized.
Bag, tag, and safely transport the equipment and e-evidence.
Acquire the e-evidence from the equipment by using forensically sound methods and tools to create a forensic image of the e-evidence.
Keep the original material in a safe, secured location.
Design your strategy for reviewing the e-evidence, including lists of keywords and search terms.
Examine and analyze forensic images of the e-evidence (never the original!) according to your strategy.
Interpret and draw inferences based on facts gathered from the e-evidence. Check your work.
Describe your analysis and findings in an easy-to-understand and clearly written report.
Give testimony under oath in a deposition or courtroom.
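The acquisition, preservation and examination steps above turn on one technical idea: hash the source, image it, verify that the image hashes identically, log every handling event, and then search only the image. The script below, an added example that is not from the book, walks those steps in miniature. The "suspect drive" is a constructed byte string written to a temporary file, shutil.copyfile stands in for a write-blocked imaging tool, and the image name and examiner ID are placeholders.

```python
# Added example, not from the book: the acquire / preserve / examine steps in
# miniature. The "suspect drive" is a constructed byte string written to a temp
# file; the image name and examiner ID are placeholders.
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample drive contents (not real evidence). The third record
# mimics a deleted fragment surviving in slack space between null bytes.
SAMPLE_DRIVE = (
    b"INVOICE 2231 paid to Acme Holdings\n"
    b"email: meet me at the usual place re: offshore account\n"
    b"\x00\x00deleted_memo: transfer 50000 to acct 9981\x00\x00"
)


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(original, image, custody_log):
    """Copy the source, hash both sides, and append a chain-of-custody entry.

    A mismatch raises, so an unverified image never reaches the examiner.
    shutil.copyfile stands in for a write-blocked imaging tool.
    """
    before = sha256_of(original)
    shutil.copyfile(original, image)
    after = sha256_of(image)
    if before != after:
        raise RuntimeError("image hash does not match source; re-acquire")
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "action": "acquired forensic image",
        "source": str(original),
        "image": str(image),
        "sha256": after,
        "examiner": "EXAMINER-ID-PLACEHOLDER",
    }
    custody_log.append(entry)
    return entry


def keyword_search(image, keywords):
    """Run the review strategy's keyword list over the image, never the original.

    Searches raw bytes, so fragments outside any live file are found too.
    Returns {keyword: [byte offsets]}.
    """
    data = Path(image).read_bytes()
    hits = {}
    for kw in keywords:
        needle = kw.encode()
        offsets, start = [], 0
        while (i := data.find(needle, start)) != -1:
            offsets.append(i)
            start = i + 1
        hits[kw] = offsets
    return hits


def run_investigation(workdir=None):
    """Walk the steps end to end and return what a report would need."""
    workdir = Path(workdir or tempfile.mkdtemp())
    original = workdir / "suspect_drive.bin"   # stands in for the seized drive
    original.write_bytes(SAMPLE_DRIVE)
    image = workdir / "suspect_drive.img"      # placeholder image name
    custody = []
    entry = acquire_image(original, image, custody)
    hits = keyword_search(image, ["offshore", "transfer", "Acme"])
    # Re-hash after analysis: shows the examination left the image unchanged.
    image_intact = sha256_of(image) == entry["sha256"]
    custody.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "action": "keyword review completed",
        "image_intact": image_intact,
    })
    return {"sha256": entry["sha256"], "hits": hits,
            "image_intact": image_intact, "custody": custody}


if __name__ == "__main__":
    print(json.dumps(run_investigation(), indent=2))
```

The search returns byte offsets rather than file names on purpose: the "deleted_memo" fragment sits between null bytes outside any live record, which is exactly the kind of hit a file-level search would miss and a raw-image search catches.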
How Computer Forensics Is Used in Legal Cases
The science of computer forensics is increasingly used in legal cases. E-evidence can make or break a prosecutor's case. Here's a sampling of the ways electronic evidence is used in legal cases:
Prove that something happened. You might find evidence in an e-mail indicating sexual harassment; in financial files indicating fraud or IRS violations; or in file transfers indicating theft of intellectual property, for example.
Prove that someone did not do something. Image files of child exploitation on a person's office PC might have been downloaded by someone else because the PC had no password or firewall protection.
Figure out what the facts prove or demonstrate. You might discover private e-mail messages, texting, financial accounts, or other online activities that demonstrate contract or patent violations, hidden assets, infidelity, theft of intellectual property, misuse of company networks, or illegal activities.
The Role of a Computer Forensics Investigator
As part of the legal system, a computer forensics investigator helps build a case for or against a person or company accused of wrongdoing. Jobs that a computer forensics investigator might take on include those in the following list:
Examine the prosecution's or opposing counsel's e-evidence for alternative interpretations. The allegation that a defendant manipulated accounting software might not be supportable by the e-evidence that has been collected.
Assess the strength of the e-evidence against a suspect. Sometimes the client and the accused need to know what the prosecution knows in order to decide whether taking a plea deal is the right choice. Pleading guilty carries less jail time than being found guilty.
Scrutinize expert reports for inconsistencies, omissions, exaggerations, and other loopholes. Check these documents carefully to see whether you can find mistakes.