Computer Forensics Investigation
A Backup Article Contributed by Melissa Larose
Computer forensics investigation has a language and a life all of its own. Similar in some respects to conventional forensic investigation, its nature requires a delicacy and a knowledge that is at once technical and investigative. Knowing what the suspected crime is, and completing some level of background investigation into the suspect(s), can give the experts an idea of the suspect's area of expertise, knowledge and sophistication, and a possible motive.
Computer Forensics and the Suspect
If no background evidence is available on the suspect, or the suspect is unknown, it must be assumed from the beginning that the suspect is smart and capable of covering his or her trail. This means the suspect can leave behind computer scripts that run when a given action occurs and literally wipe out and destroy the evidence needed.
The general rule of approach at a computer forensics crime scene is to act as a regular, normal user. The computer system needs to believe you are supposed to be there. If this approach is not taken and a forensics expert immediately begins his or her work, the very actions they take can trigger the script that erases the evidence. If a hacker is good enough to get in, it must be assumed they know how they might be tracked and will act to protect themselves: they destroy the evidence against them.
Computer Forensics Procedures
The area and room should be inspected for any loose evidence. Those experts who have worked in IT will know instinctively what types of evidence show indications of tampering or destruction.
The system in question should never be used to analyze the evidence found on it. Complete copies of the hard drives in question should be made. These copies should be made only with software designed for court use. The hard drives and documents are always copied and never altered. It is the nature of a typical computer system to attach metadata to every file it creates; this metadata usually records the date and time the file was last opened and by whom, and it is updated on ordinary access. Computer forensics software does not do this; instead it keeps all files and drives in the state in which they were found.
On active machines the open windows are examined for evidence that might have been left behind. Powering down the machine in exactly the manner the suspect would is important: a computer forensics expert can glean information recorded at boot and at shutdown that may be valuable. Traps, self-destruct mechanisms, and intrusion detection devices must be searched for and deactivated.
Finally, the configuration of the system is fully documented by removing the case and looking inside, and the hard drives are copied.
Computer Forensics Continues
At this stage of the investigation, forensics experts, with their duplicates in hand, are able to use software to further search the system for files, logs, and processes that will show evidence of the crime committed. This type of software can track binary patterns, open hundreds of different file types, and retrieve previously deleted files and partitions.
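The following is an added illustration, not code from the article: a minimal signature-based file carver that recovers files from a raw disk image by scanning for known header and trailer byte patterns, which is how deleted files can be retrieved even when no directory entry points at them. It works on an in-memory copy of the duplicate and never writes to it; the sample image and the PNG/JPEG stubs embedded in it are constructed here for the demonstration.

```python
import hashlib

# Header ("magic") and trailer bytes for two common file types. A carver walks
# the raw image bytes without consulting the filesystem, so files whose
# directory entries were deleted are still found as long as their data survives.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # PNG signature / IEND chunk
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),             # JPEG SOI / EOI markers
}


def carve(image: bytes, max_size: int = 16 * 1024 * 1024):
    """Return (type, offset, data) for every file found by signature, ordered by offset.

    The image is only read, never modified, matching the rule that the copy
    is analysed and the original is left in its found state.
    """
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            # Look for the trailer within max_size bytes of the header.
            end = image.find(trailer, start + len(header), start + max_size)
            if end != -1:
                end += len(trailer)
                found.append((kind, start, image[start:end]))
                start = image.find(header, end)      # continue after this file
            else:
                start = image.find(header, start + 1)  # orphan header, skip it
    return sorted(found, key=lambda f: f[1])


def sha256(data: bytes) -> str:
    """Hash a carved file so it can be documented and re-verified later."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "disk image": filler bytes with a tiny PNG stub and a tiny
# JPEG stub embedded, with no filesystem metadata pointing at them ("deleted").
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xaeB`\x82"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x11" * 30 + b"\xff\xd9"
SAMPLE_IMAGE = b"\x00" * 512 + FAKE_PNG + b"\xcc" * 300 + FAKE_JPEG + b"\x00" * 512

if __name__ == "__main__":
    for kind, offset, data in carve(SAMPLE_IMAGE):
        print(f"{kind:5} at offset {offset:5} size {len(data):4} sha256 {sha256(data)}")
```

Real carvers add per-format length parsing and validation so that a stray trailer inside another file does not truncate the result; this version shows only the pattern search itself.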