Computer Forensics For Dummies Cheat Sheet - dummies
Cheat Sheet

Computer Forensics For Dummies Cheat Sheet

From Computer Forensics For Dummies

By Linda Volonino, Reynaldo Anzaldua

Computer forensics is often painstaking, but finding electronic evidence that helps convict or exonerate someone can be immensely satisfying. Find out what a computer forensics investigator does and where the evidence is, the steps that investigators follow when obtaining and preparing e-evidence, and how that evidence is used.

Computer Forensics: Where to Find Electronic Evidence

If you’re working in computer forensics, knowing where to look for electronic evidence is critical. A computer forensics investigator seeks evidence in all the electronics on the following list:

Computer: Digital memories don’t forget anything. A hard
drive is a goldmine for locating every file that was created,
saved, downloaded, sent, or deleted to it or from it, including
documents, e-mails, images, and financial records. You can find
file content intact, as well as a lot of details about when the
file was created, accessed, and edited, and you might even be able
to find prior versions. In short, a hard drive is the perfect time
Web site that was visited: Any digital device used to
access the Internet can be searched for a listing of where on the
Web a user has visited — and when. No one surfs
PDA: A handheld device records a person’s life like no
other device does. To find out the where, what, with whom, and how
much of a person’s life, check his PDA.
MySpace, Facebook, or another social network: Full
transcripts of private chats and postings in social networks are
gaining on e-mail as the primary source of e-evidence.
Note: These chatters chat a lot and don’t use
punctuation or an easily recognizable language.
Cellphone or smart phone: As on a PDA, the information
you can find on a user’s phone can be the e-evidence you need
— or it can lead you toward other e-evidence. You can find
detailed logs of incoming and outgoing messages and text messages;
transcripts of text messages; address books, calendars; and
Chat room: Sadly, predators and other criminals hang out
in chat rooms all over the world.
E-mail: Everything, no matter how incriminating
or stupid, is sent and received by e-mail. In fact, nothing is
subjected to searches more than e-mail is. It serves as truth
serum, and, for exactly that reason, the notorious connection
between e-mail and jail is usually ignored.
Any device that has memory: Digital cameras, iPods,
flash drives, SIM cards — if it uses memory, it might have
GPS device: Tracking technology has already been used in
high-profile court cases. To find a person’s whereabouts, check the
GPS device.
Network or Internet service provider (ISP): An ISP is a
fertile source of digital dirt and details. If bytes pass through
it, each network device records it.

Steps to Take in a Computer Forensics Investigation

Computer forensics is a meticulous practice. When a crime involving electronics is suspected, a computer forensics investigator takes each of the following steps to reach — hopefully — a successful conclusion:

  1. Obtain authorization to search and seize.

  2. Secure the area, which may be a crime scene.

  3. Document the chain of custody of every item that was seized.

  4. Bag, tag, and safely transport the equipment and e-evidence.

  5. Acquire the e-evidence from the equipment by using forensically sound methods and tools to create a forensic image of the e-evidence.

    Keep the original material in a safe, secured location.

  6. Design your review strategy of the e-evidence, including lists of keywords and search terms.

  7. Examine and analyze forensic images of the e-evidence (never the original!) according to your strategy.

  8. Interpret and draw inferences based on facts gathered from the e-evidence. Check your work.

  9. Describe your analysis and findings in an easy-to-understand and clearly written report.

  10. Give testimony under oath in a deposition or courtroom.

How Computer Forensics Is Used in Legal Cases

The science of computer forensics is increasingly used in legal cases. E-evidence can make or break a prosecutor’s case. Here’s a sampling of legal cases where electronic evidence plays a role:

  • Prove that something happened. You might find evidence in an e-mail indicating sexual harassment; in financial files indicating fraud or IRS violations; or in file transfers indicating theft of intellectual property, for example.

  • Prove that someone did not do something. Image files of child exploitation on a person’s office PC might have been downloaded by someone else because the PC had no password or firewall protection.

  • Figure out what the facts prove or demonstrate. You might discover private e-mail messages, texting, financial accounts, or other online activities that demonstrate contract or patent violations, hidden assets, infidelity, theft of intellectual property, misuse of company networks, or illegal activities.

The Role of a Computer Forensics Investigator

As part of the legal system, a computer forensics investigator helps build a case for or against a person or company accused of wrongdoing. Jobs that a computer forensics investigator might take on include those in the following list:

  • Examine the prosecution’s or opposing counsel’s e-evidence for alternative interpretations. The allegation that a defendant manipulated accounting software might not be supportable by the e-evidence that has been collected.

  • Assess the strength of the e-evidence against a suspect. Sometimes the client and the accused need to know what the prosecution knows in order to decide whether taking a plea deal is the right choice. Pleading guilty carries less jail time than being found guilty.

  • Scrutinize expert reports for inconsistencies, omissions, exaggerations, and other loopholes. Check these documents carefully to see whether you can find mistakes.