The Changing Face of Computer Forensics
A Backup Article Contributed by Andrew Whitehead
The Changing Face of Computer Forensics
In computer forensics, new methods are constantly need to be devised in order to keep pace with ever changing computer technology. When a new test for the presence of prohibited drugs, explosives, fibres, bodily tissues, etc. is developed, there will be ongoing development in which the test will be either changed for the better or proven defective, but the actual need for the test is unlikely to change. In computer forensics, newness on the one hand and obsolescence on the other is the norm.
Changing Media and Computer Forensics.
One of the fundamentals of computer forensics is the examination of data media. This is rendered more complicated because whole new forms, techniques, and methods of data storage occur at intervals of less than 5 years. Only ten years ago, the standard floppy disk really was floppy, constructed in a 5.25 inch format, and held 360 KB. The current equivalent, itself rapidly becoming obsolete, holds 1.44 MB on a 3.5 inch disk.
A typical hard-disk size for a PC 5 years ago was a few Megabytes, built in 5.25 inch form, and used MFM controller technology. PCs now have hard-disks measured in Gigabytes, constructed in 3.5 in or even 2.5 inch form, and use IDE or RLL technology. Minis and mainframes may hold data on RAID arrays, with individual files split and spread over 8 or more separate disks - a nightmare for computer forensics.
Computer Forensics and Hardware Changes.
Computer systems have also changed drastically in the same period. They have become far more powerful, to the extent that businesses relying on a large central mainframe living in splendid isolation are now a rarity, equivalent computing power is achieved using a multitude of smaller computers interacting over a network. Peripherals too keep changing, modems and routers have become "intelligent", scanners are everyday devices, and wide area communication, with its continually changing protocols, is becoming routine.
Computer Forensics and the Growth of Applications
Client/server applications, in which software on client local machines interacts seamlessly with software and data on a server mainframe, gets ever more popular. The problem from a computer forensics viewpoint is that in this situation documents are often assembled on demand on one computer that draws the required information from others. Evidence may only be provable by presenting records from all the computers involved, as well as an explanation of how the assembly took place.
Computer-based order systems such as EDI have very complex structures, with some files being held on the customers computers and some by the EDI supplier. The methods of writing and developing software regularly change, with more use of libraries of procedures. There are changing computer language models, object-oriented programming environments, and new methods of program development. The standards and methods used in testing also change.
The result of this is that computer forensic methods have very little time in which to establish and prove themselves. They never achieve the longevity, and resulting trust of the courts, that more traditional forensics enjoys.
