Computer forensics (Forensic Science)
Since 1991, when the World Wide Web became publicly available, rapid growth has been seen in personal, professional, and criminal uses of the Internet—through e-mail, instant messaging, online chat rooms, social networking Web sites, Web logs, and more—and of networked computers and cellular devices. Computers and digital communication devices create and store huge amounts of detail in their memory and log files. When files are saved, sent, or downloaded, the computer’s operating system and other software automatically record the action, usually with a date and time, and store those records alongside the files themselves. The records and files stored on computers and other digital devices can be used as evidence to support or defend against allegations of wrongdoing.
Rarely are users aware that their activities have left multiple trails of evidence, and many may not even attempt to purge those trails regardless of how incriminating they are. Even technology-savvy users who want their activities to go undetected may not be able to delete or disguise all their trails of evidence completely. Often it is impossible to delete all traces of electronic evidence. The work of computer forensic investigators involves finding, analyzing, and preserving relevant digital files or data for use as electronic evidence.
The three primary types of evidence presented in legal proceedings are the testimony of witnesses, physical evidence, and electronic evidence. The newest of these is electronic evidence. Common types...
Principles of Computer Forensics (Forensic Science)
A computer forensics investigation uses science and technology to acquire and examine electronic data in order to develop and test theories that can be presented in a court of law to answer questions about events that have occurred. Generally accepted computer forensics principles have been established to ensure that the chain of custody of the evidence can be verified later in court or other legal proceedings. Like physical evidence, electronic evidence can be easily contaminated if investigators ignore the forensic science principle of “do no harm.” The crime scene, which is the state of the computer, must be preserved to protect the integrity of the evidence; simply turning on a computer and searching through the files can alter those files and the computer’s records, because booting writes to the disk and opening a file can update its access time. For this reason investigators normally image the drive through a write blocker and examine a verified copy rather than the original.
Forensic investigators are aware that they will need to defend their findings. Their electronic evidence-processing methods, tools, and techniques may be challenged rigorously by the opposing side in a court case. Documentation is important so that investigators can refresh their memories about the steps taken and duplicate the results of processing if necessary. Investigators must thus follow rigorous processes and procedures in the acquisition, authentication, analysis, and interpretation of electronic evidence.
The first step in any computer forensics investigation is acquisition of the evidence through the careful collection...
Regional Computer Forensics Labs (Forensic Science)
In 1999, the Federal Bureau of Investigation (FBI) launched an innovative pilot program in San Diego, California. The Regional Computer Forensics Laboratory (RCFL) program was designed to help state, local, and other federal law enforcement gather electronic evidence from computers, PDAs, cell phones, digital cameras, and other digital devices. The FBI undertook the project because computer forensics was one of the fastest-growing disciplines within law enforcement, and the RCFL program quickly became a dynamic tool for fighting crime and terrorism. By 2007, the RCFL program had evolved into a network of cutting-edge electronic evidence labs created to meet a rapidly increasing need. The RCFLs have supported high-profile investigations such as the Enron case, the bribery case against former California congressman Randy “Duke” Cunningham, the public corruption case against former Illinois governor George Ryan, and the dissolution of an international child pornography ring.
Each RCFL is a full-service forensics laboratory and training center devoted to the examination of electronic evidence in support of criminal investigations, including terrorism, child pornography, crimes of violence, the theft or destruction of intellectual property, Internet crimes, and fraud. In 2006, the RCFLs, which are staffed by trained computer analysts from the FBI and more than one hundred other agencies, collectively analyzed...
Further Reading (Forensic Science)
Carrier, Brian. File System Forensic Analysis. Boston: Addison-Wesley, 2005. Good reference source for anyone who wants to understand file systems; aimed at professionals who need to be able to testify about how file system analysis is performed.
Kipper, Gregory. Wireless Crime and Forensic Investigation. New York: Auerbach, 2007. Presents an overview of the various types of wireless crimes and the computer forensic investigation techniques used with wireless devices and wireless networks.
Sheetz, Michael. Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers. Hoboken, N.J.: John Wiley & Sons, 2007. Provides a useful introduction to the essentials of preserving evidence on a computer, understanding how computer crime occurs, and what to do when it is found and suspected.
Steel, Chad. Windows Forensics: The Field Guide for Corporate Computer Investigations. Hoboken, N.J.: John Wiley & Sons, 2006. Presents a primer on how Windows file systems work and how to perform forensic analysis on these systems.
Volonino, Linda, Reynaldo Anzaldua, and Jana Godwin. Computer Forensics: Principles and Practice. Upper Saddle River, N.J.: Prentice Hall, 2007. Comprehensive work addresses how investigators use forensically sound methodologies and software to acquire admissible electronic evidence. Includes discussion of computer and e-mail...
Computer Forensics (World of Forensic Science)
Computers are often used in crime, whether to plot a terrorist attack, contact children for sexual abuse, commit bank or credit card fraud, or other
As with any other crime scene, suspects leave behind trace evidence of their actions when using computers to commit a crime. Gathering evidence from a computer can be challenging but valuable, because most operations that an individual carries out on a computer leave behind a record, usually with a date and time. However, computer traces can also be fragile and, without the proper approach, files containing valuable evidence can be lost. Since 1990, guidelines on computer forensics have evolved with input from authorities around the world.
Generally the investigator is careful to do nothing that would alter the original data on the computer. Usually this means making a forensic image (a bit-for-bit copy) of the hard disk and working from that copy rather than from the original. Should it be necessary to look at the original data, experts are consulted and only they are permitted access to the data stored on the hard drives. All processes involved in the investigation of computer-based evidence are carefully recorded so that they can be examined and reproduced by an independent third party.
The first step in the forensic examination of a computer is to determine the condition of the computer, noting whether it is turned on, plugged in, and connected to a network or to the Internet. Then, modem or network connections should be unplugged so the computer's owner cannot access the machine remotely to destroy evidence. Note-taking and photography are used to record all the connections and any screen display. The computer is usually turned off by simply pulling the plug, as some computer criminals will rig the usual orderly shutdown process to destroy evidence. Pulling the plug does discard whatever was held in memory, and a drive protected by full-disk encryption may then be unreadable without its key, so an examiner who needs running processes, open network connections, or decryption keys must capture them before cutting power. The next task is to create two forensic images of the hard drive, each verified against the original by cryptographic hash, one for analysis and the other to be sealed as evidence.
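The acquisition and documentation steps described above and in the Principles section (image the drive instead of touching the original, keep a sealed evidence copy and a separate working copy, record every step so an independent party can reproduce it) come down to a small amount of code. The following is an added example, not code from the original article or from any forensic tool: the "device" is a constructed in-memory byte string standing in for a block device such as /dev/sdb, and the case identifier, log fields, and function names are this example's own assumptions.

```python
"""Added example, not from the original article: a minimal forensic acquisition
that copies a source device to an image in a single pass, hashes the stream as it
is read, verifies the image against those hashes, and keeps a chain-of-custody
log of every step. The "device" is a constructed in-memory byte string standing
in for a block device such as /dev/sdb; the case identifier, log fields and
function names are this example's own, not those of any standard tool."""
import hashlib
import io
import json
import time

CHUNK = 4096  # read size; real devices are read in sector multiples

# Constructed stand-in for a seized drive: a boot-sector-like header, some file
# data and a zeroed tail. Its length is deliberately not a multiple of CHUNK.
SAMPLE_DEVICE = b"MBR" + bytes(509) + b"invoice 4471 paid to ACME\n" * 200 + bytes(1000)


def hash_bytes(data):
    """MD5 and SHA-256 of a buffer, the pair most imaging tools report."""
    return {"bytes": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def acquire(source, case_id, examiner, clock=time.time):
    """Image `source` (a readable binary stream) chunk by chunk.

    The digests are computed over the bytes as they are read, so what the log
    records is exactly what was copied. Returns (image_bytes, digests, log)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    image = io.BytesIO()
    log = [{"time": clock(), "case": case_id, "examiner": examiner,
            "event": "acquisition started",
            "note": "source attached read-only through write blocker"}]
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        image.write(block)
        md5.update(block)
        sha256.update(block)
    digests = {"bytes": image.tell(),
               "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    log.append({"time": clock(), "case": case_id, "examiner": examiner,
                "event": "acquisition completed", **digests})
    return image.getvalue(), digests, log


def verify(image_bytes, digests, log, case_id, examiner, clock=time.time):
    """Re-hash an image, compare with the acquisition digests, log the outcome."""
    now = hash_bytes(image_bytes)
    ok = now == digests
    log.append({"time": clock(), "case": case_id, "examiner": examiner,
                "event": "verification",
                "result": "match" if ok else "MISMATCH", **now})
    return ok


def demo():
    """Acquire, seal one copy as evidence, work on the other, verify both."""
    case, who = "CASE-0001", "examiner A"  # constructed labels
    image, digests, log = acquire(io.BytesIO(SAMPLE_DEVICE), case, who)
    evidence_copy = image             # sealed: hashed once, never opened again
    working_copy = bytearray(image)   # the analyst's copy
    working_copy[2000] ^= 0x01        # a single stray write during analysis
    return {
        "digests": digests,
        "evidence_ok": verify(evidence_copy, digests, log, case, who),       # True
        "working_ok": verify(bytes(working_copy), digests, log, case, who),  # False
        "log": log,
    }


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["log"], indent=1))
```

The single flipped byte in the working copy is what a stray write during analysis looks like: the sealed evidence copy still verifies, the working copy does not, and the log shows exactly when each check was made and by whom. In practice the hashes are also computed over the original device after imaging, to show the acquisition itself changed nothing.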
Further investigation of a computer crime scene involves looking at many different components and data, including compact disks (read-only, write-once, and rewritable), hard disks, and digital video disks. A hard disk is divided into various segments. Unallocated space on the hard disk, for instance, can be a rich source of forensic information, as this is where the contents of files the suspect believes to be deleted usually remain: deleting a file normally removes only its directory entry and marks its clusters as free, leaving the data in place until something overwrites it. Passwords and identifications sometimes appear in a part of the hard disk called slack space, the unused remainder of the last cluster allocated to a file, which can still hold fragments of whatever occupied that cluster before. Retrieving this kind of information may require specialist forensic software and, if the suspect is a computer expert, he or she may be one step ahead of the forensic investigator.
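To make unallocated space and slack space concrete, here is an added example that is not part of the original article: a constructed 16-cluster toy volume with a plain directory dict in place of a real file system's metadata. It shows the 324 bytes of slack behind a 700-byte file, a credential string surviving there from an earlier deleted file, and header/footer carving of a "deleted" JPEG out of the free clusters. The cluster size, the directory layout, the remnant text, and the deleted JPEG are all assumptions made for the illustration; real tools such as The Sleuth Kit do the same over FAT, NTFS, or ext4 structures.

```python
"""Added example, not from the original article: a toy volume with a cluster
allocation record and directory, used to show where deleted data survives. Real
file systems keep this metadata in their own structures; the CLUSTER size, the
directory dict, the "old file" remnant text and the deleted JPEG are constructed
here for illustration only."""
import re

CLUSTER = 512  # allocation unit; files always occupy whole clusters


def build_volume():
    """Return (disk_bytes, directory) for a constructed 16-cluster volume."""
    disk = bytearray(CLUSTER * 16)
    # Pretend a large file holding credentials once filled the volume and was
    # later deleted: its bytes stay on disk until something overwrites them.
    remnant = b"user=alice;password=Winter2007!;"
    disk[:] = (remnant * (len(disk) // len(remnant) + 1))[:len(disk)]
    # Live file of 700 bytes in clusters 0-1. Only 700 of the 1024 bytes belong
    # to the file; the last 324 bytes of cluster 1 are file slack and still hold
    # the remnant text.
    notes = b"Meeting notes: " + b"A" * 685
    disk[0:len(notes)] = notes
    # A JPEG written into clusters 4-5 and then "deleted": its directory entry is
    # gone but the data was never wiped (minimal header/footer only).
    jpeg = b"\xff\xd8\xff\xe0JFIF\x00" + bytes(900) + b"\xff\xd9"
    disk[4 * CLUSTER:4 * CLUSTER + len(jpeg)] = jpeg
    directory = {"notes.txt": {"start": 0, "size": len(notes)}}
    return bytes(disk), directory


def clusters_of(entry):
    n = -(-entry["size"] // CLUSTER)  # ceiling division
    return range(entry["start"], entry["start"] + n)


def file_slack(disk, entry):
    """Bytes from logical end-of-file to the end of the file's last cluster."""
    eof = entry["start"] * CLUSTER + entry["size"]
    cluster_end = (clusters_of(entry)[-1] + 1) * CLUSTER
    return disk[eof:cluster_end]


def unallocated_runs(disk, directory):
    """Contiguous runs of clusters no live file owns, as (first_cluster, bytes)."""
    used = {c for e in directory.values() for c in clusters_of(e)}
    runs, start, buf = [], None, bytearray()
    for c in range(len(disk) // CLUSTER):
        if c in used:
            if buf:
                runs.append((start, bytes(buf)))
                start, buf = None, bytearray()
            continue
        if start is None:
            start = c
        buf += disk[c * CLUSTER:(c + 1) * CLUSTER]
    if buf:
        runs.append((start, bytes(buf)))
    return runs


SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9")}  # header, footer


def carve(disk, directory):
    """Header/footer carving over unallocated space only (live files skipped)."""
    found = []
    for first, buf in unallocated_runs(disk, directory):
        for kind, (header, footer) in SIGNATURES.items():
            pos = 0
            while True:
                h = buf.find(header, pos)
                if h == -1:
                    break
                f = buf.find(footer, h + len(header))
                if f == -1:
                    break
                end = f + len(footer)
                found.append({"type": kind, "offset": first * CLUSTER + h,
                              "data": buf[h:end]})
                pos = end
    return found


def find_credentials(blob):
    """Keyword search of the kind run over slack and unallocated areas."""
    return sorted(set(re.findall(rb"password=([^;]+)", blob)))


def demo():
    disk, directory = build_volume()
    slack = file_slack(disk, directory["notes.txt"])
    return {
        "slack_bytes": len(slack),                    # 324
        "slack_passwords": find_credentials(slack),   # [b"Winter2007!"]
        "carved": [(f["type"], f["offset"], len(f["data"]))
                   for f in carve(disk, directory)],  # [("jpg", 2048, 911)]
    }


if __name__ == "__main__":
    print(demo())
```

Two points the toy makes visible: the live file's own 700 bytes contain no credentials, so an examiner who only reads files through the file system never sees the password, and the carver is deliberately run over free clusters only, so it recovers the deleted image without re-reporting data that live files legitimately hold.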
The Internet is another important source of evidence. Investigators will track a suspect's e-mail messages and their contributions to newsgroups, bulletin boards, and chat rooms. The websites accessed by a suspect can also be valuable evidence, especially when sexual crime is involved. Web browsers such as Netscape® and MS Internet Explorer® create cache files to improve performance and keep history files of the addresses visited. These show which sites have been visited recently, often with the time of the visit. Although they are difficult to view directly, there are utilities that reveal their contents, showing whether a suspect has been making incriminating use of the Internet, such as visiting child pornography, terrorist, or racist web sites.
Computer forensics can provide key evidence in both civil and criminal investigations. For example, sometimes employees from a large organization want to break away and set up a rival company. To do this, a dishonest employee could break into the organization's network and steal information about clients. In many cases, the suspects have been taken by surprise when a manager called in a computer forensic expert to examine their machines. Inappropriate use of the Internet in the workplace, for instance to access pornographic websites, can also be uncovered by this type of investigation. Computer forensics is one of the most challenging branches of forensic science. It is not just computer technology that moves fast, but also the criminals who exploit it. Keeping up or even outpacing them can be a source of satisfaction to the computer forensic expert.
SEE ALSO Computer hardware security; Computer security and computer crime investigation; Computer software security.