
Computer forensics: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
m Use as evidence: Added in two references to BTK
m Reverted edit by 2403:A080:C04:3D82:C169:CAFD:DCEE:5B29 (talk) to last version by Aadirulez8
 
(44 intermediate revisions by 29 users not shown)
Line 1: Line 1:
{{short description|Branch of digital forensic science}}
{{short description|Branch of digital forensic science}}
[[File:Computer Investigations and Analysis Division (39033998171).jpg|thumb|A forensic expert examining a mobile device that was seized during an investigation]]
{{ForensicScience|digital|image=Hard disk.jpg}}
[[File:PersonalStorageDevices.agr.jpg|thumb|Media types used for computer forensic analysis: a [[Fujifilm FinePix]] [[digital camera]], two [[flash memory]] cards, a [[USB flash drive]], a 5GB [[iPod]], a [[CD-R]] or [[DVD recordable]], and a [[Mini CD]].]]
[[File:PersonalStorageDevices.agr.jpg|thumb|Media types used for computer forensic analysis: a [[Fujifilm FinePix]] [[digital camera]], two [[flash memory]] cards, a [[USB flash drive]], a 5GB [[iPod]], a [[CD-R]] or [[DVD recordable]], and a [[Mini CD]].]]
{{ForensicScience|digital}}


'''Computer forensics''' (also known as '''computer forensic science'''<ref name="noblett"/>) is a branch of [[digital forensics|digital forensic science]] pertaining to evidence found in computers and digital [[storage media]]. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
'''Computer forensics''' (also known as '''computer forensic science''')<ref name="noblett"/> is a branch of [[digital forensics|digital forensic science]] pertaining to evidence found in computers and digital [[storage media]]. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing, and presenting facts and opinions about the digital information.


Although it is most often associated with the investigation of a wide variety of [[computer crime]], computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to [[data recovery]], but with additional guidelines and practices designed to create a legal [[audit trail]].
Although it is most often associated with the investigation of a wide variety of [[computer crime]], computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to [[data recovery]], but with additional guidelines and practices designed to create a legal [[audit trail]].


Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high-profile cases and is accepted as reliable within U.S. and European court systems.
Evidence from computer forensics investigations is usually subjected to the same guidelines and practices as other digital evidence. It has been used in a number of high-profile cases and is accepted as reliable within U.S. and European court systems.


==Overview==
==Overview==
In the early 1980s personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit [[fraud]]). At the same time, several new "computer crimes" were recognized (such as [[Software cracking|cracking]]). The discipline of computer forensics emerged during this time as a method to recover and investigate [[digital evidence]] for use in court. Since then computer crime and computer related crime has grown, and has jumped 67% between 2002 and 2003.<ref name=leigland /> Today it is used to investigate a wide variety of crime, including [[child pornography]], fraud, [[espionage]], [[cyberstalking]], murder and rape. The discipline also features in civil proceedings as a form of information gathering (for example, [[Electronic discovery]])
In the early 1980s, personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit [[fraud]]). At the same time, several new "computer crimes" were recognized (such as [[Software cracking|cracking]]). The discipline of computer forensics emerged during this time as a method to recover and investigate [[digital evidence]] for use in court. Since then, computer crime and computer-related crime has grown, with the FBI reporting a suspected 791,790 internet crimes in 2020, a 69% increase over the amount reported in 2019.<ref>{{cite web|url=https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf |title=2020 Internet Crime Report |website=IC3.gov}}</ref><ref>{{cite web|title=IC3 Releases 2020 Internet Crime Report |url=https://www.fbi.gov/news/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics |website=Federal Bureau of Investigation}}</ref> Today, computer forensics is used to investigate a wide variety of crimes, including [[child pornography]], fraud, [[espionage]], [[cyberstalking]], murder, and rape. The discipline also features in civil proceedings as a form of information gathering (e.g., [[Electronic discovery]]).
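Review bot: In the revised paragraph, "the FBI reporting a suspected 791,790 internet crimes in 2020" misdescribes what the cited IC3 report counts: the Internet Crime Complaint Center publishes complaints it received, not suspected crimes, and complaints are a narrower measure than "computer crime and computer-related crime". Suggest "with the FBI's Internet Crime Complaint Center receiving 791,790 complaints in 2020, a 69% increase over 2019", which keeps the figures and matches the two sources.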


Forensic techniques and expert knowledge are used to explain the current state of a ''digital artifact'', such as a computer system, storage medium (e.g. [[hard disk drive|hard disk]] or [[CD-ROM]]), or an [[electronic document]] (e.g. an email message or JPEG image).<ref name="cf-education"/> The scope of a forensic analysis can vary from simple [[information retrieval]] to reconstructing a series of events. In a 2002 book, ''Computer Forensics'', authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data".<ref name="kruse" /> They go on to describe the discipline as "more of an art than a science", indicating that forensic methodology is backed by flexibility and extensive domain knowledge. However, while several methods can be used to extract evidence from a given computer the strategies used by law enforcement are fairly rigid and lack the flexibility found in the civilian world.<ref name=gunsch />
Forensic techniques and expert knowledge are used to explain the current state of a ''digital artifact'', such as a computer system, storage medium (e.g., [[hard disk drive|hard disk]] or [[CD-ROM]]), or an [[electronic document]] (e.g., an email message or JPEG image).<ref name="cf-education"/> The scope of a forensic analysis can vary from simple [[information retrieval]] to reconstructing a series of events. In a 2002 book, ''Computer Forensics'', authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data".<ref name="kruse"/> They describe the discipline as "more of an art than a science," indicating that forensic methodology is backed by flexibility and extensive [[domain knowledge]]. However, while several methods can be used to extract evidence from a given computer, the strategies used by law enforcement are fairly rigid and lack the flexibility found in the civilian world.<ref name="gunsch"/>


=== Cybersecurity ===
=== Cybersecurity ===
Computer forensics is often confused with cybersecurity but they both are quite different. Cybersecurity is about prevention and protection whilst computer forensics is more reactionary and active such as tracking and exposing. There are usually two teams, cybersecurity and computer forensics that work co in hand. They complement each other as cybersecurity team would create systems and programs to protect data and if they fail then the computer forensics team recovers and finds out how it happened and tracks etc. There are many similarities however which is why these two fields help each other. They both require knowledge of computer science and both fields are apart of IT/STEM.<ref>{{Cite web |title=What Is Computer Forensics? |url=https://www.wgu.edu/blog/computer-forensics2004.html |access-date=2022-03-04 |website=Western Governors University |language=en}}</ref>
Computer forensics is often confused with [[cybersecurity]]. Cybersecurity focuses on prevention and protection, while computer forensics is more reactionary and active, involving activities such as tracking and exposing. System security usually encompasses two teams: cybersecurity and computer forensics, which work together. A cybersecurity team creates systems and programs to protect data; if these fail, the computer forensics team recovers the data and investigates the intrusion and theft. Both areas require knowledge of computer science.<ref>{{cite web|title=What Is Computer Forensics? |url=https://www.wgu.edu/blog/computer-forensics2004.html |website=Western Governors University}}</ref>
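Review bot: "reactionary" in the revised sentence should be "reactive"; reactionary denotes political conservatism, not a response-driven activity, and the error survives from the original wording. The new generalisation "System security usually encompasses two teams" is not something a university blog post can support; either soften it to "Organizations often maintain separate cybersecurity and computer forensics functions" or attribute it in the text. Dropping "both fields are apart of IT/STEM" is an improvement.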


=== Computer-related crimes ===
=== Computer-related crimes ===
Computer forensics are used to convict people who have performed physical and digital crimes. Some of these computer related crimes include interruption, interception, copyright infringement, and fabrication. Interruption relates to the destruction and stealing of computer parts and digital files. Interception is the unauthorized access of files and information stored on technological devices. Copyright Infringement is using, reproducing, and distributing copyrighted information, including software piracy. Fabrication is accusing someone of using false data and information put in the system through an unauthorized source. Examples of interceptions are the Bank NSP case, Sony.Sambandh.com case, and business email compromise scams. The Bank NSP Case was a situation where a bank's management employee's ex-girlfriend created fraudulent emails, which were sent to the bank client to gain money. The Sony.Sambandh.com case was a call center worker using a foreigner's credit card information to buy a TV and headphones. The business email compromise scams refer to hackers gaining access to the CEO/CFO email and using it to gain money from their employees.<ref name="Rajesh Ramesh 2016">{{cite journal |last1=Rajesh |first1=K.V.N |last2=Ramesh |first2=K.V.N. |title=Computer Forensics: An Overview |journal=I-manager's Journal on Software Engineering |date=2016 |volume=10 |issue=4 |pages=1–5 |id={{ProQuest|1816335831}} |doi=10.26634/jse.10.4.6056 }}</ref>
Computer forensics are used to convict those involved in physical and digital crimes. Some of these computer-related crimes include interruption, interception, copyright infringement, and fabrication. ''Interruption'' relates to the destruction and stealing of computer parts and digital files. ''Interception'' is the unauthorized access of files and information stored on technological devices.<ref>{{cite book|last1=Kruse II|first1=Warren G.|last2=Heiser|first2=Jay G.|title=Computer Forensics: Incident Response Essentials |publisher=Pearson Education |date=2001 |isbn=978-0-672-33408-5}}</ref> [[Copyright infringement]] refers to using, reproducing, and distributing copyrighted information, including software piracy. ''Fabrication'' involves accusing someone of using false data and information inserted into the system through an unauthorized source. Examples of interceptions include the Bank NSP case, Sony.Sambandh.com case, and business email compromise scams.<ref>{{cite book|last=Sabry|first=Fouad|title=Digital Forensics: How digital forensics is helping to bring the work of crime scene investigating into the real world |publisher=One Billion Knowledgeable |date=2022 |isbn=978-1-792-30942-6}}</ref>
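Review bot: Subject-verb agreement: "Computer forensics are used" should be "Computer forensics is used", consistent with the singular treatment in the lead. The newly added Kruse and Heiser citation duplicates the existing named reference "kruse" used in the Overview and dates the book 2001 where the Overview says "In a 2002 book"; reuse <ref name="kruse"/> or reconcile the year. The definition "Fabrication involves accusing someone of using false data" describes an accusation rather than the act of inserting false data; check the wording against the source. The Sabry book cited for the Bank NSP and Sony.Sambandh.com examples lists no publisher beyond "One Billion Knowledgeable", so a stronger source for those case summaries would be preferable.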


==Use as evidence==
==Use as evidence==
In court, computer forensic evidence is subject to the usual requirements for [[digital evidence]]. This requires that information be authentic, reliably obtained, and admissible.<ref name="theadam" /> Different countries have specific guidelines and practices for evidence recovery. In the [[United Kingdom]], examiners often follow [[Association of Chief Police Officers]] guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts.
In court, computer forensic evidence is subject to the usual requirements for [[digital evidence]]. This requires that information be authentic, reliably obtained, and admissible.<ref name="theadam"/> Different countries have specific guidelines and practices for evidence recovery. In the [[United Kingdom]], examiners often follow [[Association of Chief Police Officers]] guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts.


Computer forensics has been used as evidence in [[criminal law]] since the mid-1980s, some notable examples include:<ref name="casey" />
Computer forensics has been used as evidence in [[criminal law]] since the mid-1980s. Some notable examples include:<ref name="casey"/>
* BTK Killer: [[Dennis Rader]] was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk<ref>{{Cite web |title=The Capture of Serial Killer Dennis Rader, BTK {{!}} Psychology Today South Africa |url=https://www.psychologytoday.com/za/blog/wicked-deeds/202302/the-capture-of-serial-killer-dennis-rader-btk |access-date=2023-03-17 |website=www.psychologytoday.com |language=en-ZA}}</ref>. [[Metadata]] within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest<ref>{{Cite web |last=News |first=A. B. C. |title=BTK serial killer's daughter: 'We were living our normal life. ... Then everything upended on us' |url=https://abcnews.go.com/US/btk-serial-killers-daughter-living-normal-life-upended/story?id=60428529 |access-date=2023-03-17 |website=ABC News |language=en}}</ref>.
* [[Dennis Rader|BTK Killer]]: Dennis Rader was convicted of a string of serial killings over sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk.<ref>{{cite web|title=The Capture of Serial Killer Dennis Rader, BTK|url=https://www.psychologytoday.com/za/blog/wicked-deeds/202302/the-capture-of-serial-killer-dennis-rader-btk |website=Psychology Today}}</ref> [[Metadata]] within the documents implicated an author named "Dennis" at "Christ Lutheran Church," helping lead to Rader's arrest.<ref>{{cite web|last=Dooley|first=Sean|title=BTK serial killer's daughter: 'We were living our normal life... Then everything upended on us' |url=https://abcnews.go.com/US/btk-serial-killers-daughter-living-normal-life-upended/story?id=60428529 |website=ABC News}}</ref>
* [[Joseph Edward Duncan]]: A spreadsheet recovered from Duncan's computer contained evidence that showed him planning his crimes. Prosecutors used this to show [[Premeditated murder|premeditation]] and secure the [[Capital punishment|death penalty]].<ref name="handbook" />
* [[Joseph Edward Duncan]]: A spreadsheet recovered from Duncan's computer contained evidence showing him planning his crimes. Prosecutors used this to demonstrate [[Premeditated murder|premeditation]] and secure the [[Capital punishment|death penalty]].<ref name="handbook"/>
* [[Sharon Lopatka]]: Hundreds of emails on Lopatka's computer lead investigators to her killer, Robert Glass.<ref name="casey" />
* [[Sharon Lopatka]]: Hundreds of emails on Lopatka's computer led investigators to her killer, Robert Glass.<ref name="casey"/>
* [[Einstein and Boyd v 357 LLC and the Corcoran Group, et al.|Corcoran Group]]: This case confirmed parties' duties to preserve [[digital evidence]] when [[litigation]] has commenced or is reasonably anticipated. Hard drives were analyzed by a computer forensics expert who could not find relevant emails the Defendants should have had. Though the expert found no evidence of deletion on the hard drives, evidence came out that the defendants were found to have intentionally destroyed emails, and misled and failed to disclose material facts to the plaintiffs and the court.
* [[Corcoran Group]]: In this case, computer forensics confirmed parties' duties to preserve [[digital evidence]] when [[litigation]] had commenced or was reasonably anticipated. Hard drives were analyzed, though the expert found no evidence of deletion, and evidence showed that the defendants intentionally destroyed emails.<ref name="casey"/>
* [[Dr. Conrad Murray]]: Dr. Conrad Murray, the doctor of the deceased [[Michael Jackson]], was convicted partially by digital evidence on his computer. This evidence included medical documentation showing lethal amounts of [[propofol]].
* [[Dr. Conrad Murray]]: Dr. Conrad Murray, the doctor of [[Michael Jackson]], was convicted partially by digital evidence, including medical documentation showing lethal amounts of [[propofol]].
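Review bot: The revised Corcoran Group entry says "computer forensics confirmed parties' duties to preserve digital evidence"; the original correctly states that the case (the court's ruling) confirmed those duties, and a forensic examination cannot establish a legal duty. Suggest "This case confirmed parties' duties to preserve ...". The next sentence, "Hard drives were analyzed, though the expert found no evidence of deletion, and evidence showed that the defendants intentionally destroyed emails", loses the original's point that the destruction was established by other evidence despite the drives showing no deletion; keep the two-sentence structure. Also verify that <ref name="casey"/>, newly attached to this entry, actually covers the Corcoran case, since it was not cited for it before.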


==Forensic process==
== Forensic process ==
{{Main article|Digital forensic process}}
{{Main article|Digital forensic process}}
[[File:Portable forensic tableau.JPG|thumb|A portable Tableau [[Forensic disk controller|write blocker]] attached to a [[Hard disk drive|Hard Drive]]]]
[[File:Portable_forensic_tableau.JPG|thumb|A portable Tableau [[Forensic disk controller|write blocker]] attached to a [[Hard disk drive|hard drive]]]]
Computer forensic investigations typically follow the standard digital forensic process, consisting of four phases: acquisition, examination, analysis, and reporting. Investigations are usually performed on static data (i.e., [[Disk imaging#Hard drive imaging|acquired images]]) rather than "live" systems. This differs from early forensic practices, when a lack of specialized tools often required investigators to work on live data.

Computer forensic investigations usually follow the standard digital forensic process or phases which are acquisition, examination, analysis and reporting. Investigations are performed on static data (i.e. [[Disk imaging#Hard drive imaging|acquired images]]) rather than "live" systems. This is a change from early forensic practices where a lack of specialist tools led to investigators commonly working on live data.


=== Computer forensics lab ===
=== Computer forensics lab ===
The computer forensic lab is a safe and protected zone where electronic data can be managed, preserved, and accessed in a controlled environment. There, there is a very much reduced risk of damage or modification to the evidence. Computer forensic examiners have the resources needed to elicit meaningful data from the devices that they are examining.<ref>{{Cite web |title=Chapter 3: Computer Forensic Fundamentals - Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business Executives [Book] |url=https://www.oreilly.com/library/view/investigative-computer-forensics/9781118235225/OEBPS/9781118235225_epub_c03.htm |access-date=2022-03-04 |website=www.oreilly.com |language=en}}</ref>
The computer forensics lab is a secure environment where electronic data can be preserved, managed, and accessed under controlled conditions, minimizing the risk of damage or alteration to the evidence. Forensic examiners are provided with the resources necessary to extract meaningful data from the devices they examine.<ref>{{Cite web |title=Chapter 3: Computer Forensic Fundamentals - Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business Executives [Book] |url=https://www.oreilly.com/library/view/investigative-computer-forensics/9781118235225/OEBPS/9781118235225_epub_c03.htm |access-date=2022-03-04 |website=www.oreilly.com |language=en}}</ref>


===Techniques===
=== Techniques ===
A number of techniques are used during computer forensics investigations and much has been written on the many techniques used by law enforcement in particular.
Various techniques are used in computer forensic investigations, including:


;Cross-drive analysis
; Cross-drive analysis
: This technique correlates information found on multiple [[Hard drive|hard drives]] and can be used to identify [[social networks]] or detect anomalies.<ref>{{Cite journal |last=Garfinkel |first=Simson L. |date=2006-09-01 |title=Forensic feature extraction and cross-drive analysis |journal=Digital Investigation |series=The Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS '06) |language=en |volume=3 |pages=71–81 |doi=10.1016/j.diin.2006.06.007 |issn=1742-2876 |doi-access=free}}</ref><ref>{{Cite journal |last1=David |first1=Anne |last2=Morris |first2=Sarah |last3=Appleby-Thomas |first3=Gareth |date=2020-08-20 |title=A Two-Stage Model for Social Network Investigations in Digital Forensics |url=https://dspace.lib.cranfield.ac.uk/bitstream/1826/15732/4/Two-Stage_Model_for_Social_Network_Investigations_in_Digital_Forensics-2020.pdf |journal=Journal of Digital Forensics, Security and Law |volume=15 |issue=2 |doi=10.15394/jdfsl.2020.1667 |issn=1558-7223 |s2cid=221692362 |doi-access=free}}</ref>
: A forensic technique that correlates information found on multiple [[hard drive]]s. The process, still being researched, can be used to identify [[social networks]] and to perform [[anomaly detection]].<ref name="garfinkel" /><ref name="nsf" />


;Live analysis{{anchor|Live analysis}}
; Live analysis
: The examination of computers from within the operating system using custom forensics or existing [[sysadmin tools]] to extract evidence. The practice is useful when dealing with [[Encrypting File System]]s, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
: The examination of computers from within the operating system using forensic or existing [[sysadmin tools]] to extract evidence. This technique is particularly useful for dealing with [[Encrypting File System|encrypting file systems]] where encryption keys can be retrieved, or for imaging the logical hard drive volume (a live acquisition) before shutting down the computer. Live analysis is also beneficial when examining networked systems or cloud-based devices that cannot be accessed physically.<ref>https://espace.curtin.edu.au/bitstream/handle/20.500.11937/93974/Adams%20RB%202023%20Public.pdf?sequence=1&isAllowed=y</ref>
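Review bot: Removing {{anchor|Live analysis}} from the term line breaks any incoming links to Computer forensics#Live analysis, because "Live analysis" is a definition-list term rather than a section heading and gets no automatic anchor; keep the template. The new reference is a bare URL to a PDF; wrap it in {{cite thesis}} or {{cite web}} with title, author and date so it survives link rot. The added sentence about "networked systems or cloud-based devices that cannot be accessed physically" should be checked against what that source actually states.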


;Deleted files
; Deleted files
: A common technique used in computer forensics is the recovery of deleted files. Modern forensic software have their own tools for recovering or carving out deleted data.<ref name="exposed" /> Most [[operating system]]s and [[file system]]s do not always erase physical file data, allowing investigators to reconstruct it from the physical [[disk sector]]s. [[File carving]] involves searching for known file headers within the disk image and reconstructing deleted materials.
: A common forensic technique involves recovering deleted files. Most [[Operating system|operating systems]] and [[File system|file systems]] do not erase the physical file data, allowing investigators to reconstruct it from the physical [[Disk sector|disk sectors]]. Forensic software can "carve" files by searching for known file headers and reconstructing deleted data.
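Review bot: The revision drops <ref name="exposed" />, leaving the deleted-files entry without a citation; restore it after the carving sentence. "do not erase the physical file data" is also stronger than the original's "do not always erase", and the hedge is the more accurate statement since deletion behaviour differs between systems; keep "do not always".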


;[[Stochastic forensics]]
; [[Stochastic forensics]]
:A method which uses [[stochastic]] properties of the computer system to investigate activities lacking digital artifacts. Its chief use is to investigate [[data theft]].
: This method leverages the stochastic properties of a system to investigate activities without traditional digital artifacts, often useful in cases of [[data theft]].


;[[Steganography]]
; [[Steganography]]
: Steganography involves concealing data within another file, such as hiding illegal content within an image. Forensic investigators detect steganography by comparing file hashes, as any hidden data will alter the hash value of the file.
: One of the techniques used to hide data is via steganography, the process of hiding data inside of a picture or digital image. An example would be to hide [[child porn|pornographic images of children]] or other information that a given criminal does not want to have discovered. Computer forensics professionals can fight this by looking at the hash of the file and comparing it to the original image (if available.) While the images appear identical upon visual inspection, the hash changes as the data changes.<ref name=dunbar />
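Review bot: The version without the citation states that investigators detect steganography "by comparing file hashes, as any hidden data will alter the hash value of the file". That only works when an unmodified original is available for comparison, which the other version makes explicit with "comparing it to the original image (if available)"; with no reference copy a hash on its own reveals nothing. Keep that caveat, and restore <ref name=dunbar />, which the shorter version drops.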


=== Mobile device forensics ===
=== Mobile device forensics ===
; Phone logs
Phone Logs: Phone companies usually keep logs of calls received, which can be helpful when creating timelines and gathering the locations of persons when the crime occurred.<ref name=":02">{{Cite book |last=Pollard |first=Carol |title=Computer Forensics for Dummies |publisher=John Wiley & Sons, Incorporated |year=2008 |isbn=9780470434956 |pages=219–230 |language=English}}</ref>
: Phone companies typically retain logs of received calls, which can help create timelines and establish suspects' locations at the time of a crime.<ref name=":02"/>


; Contacts
Contacts: Contact lists help narrow down the suspect pool due to their connections with the victim or suspect.<ref name=":02" />
: Contact lists are useful in narrowing down suspects based on their connections to the victim.<ref name=":02"/>


; Text messages
Text messages: Messages contain timestamps and remain in company servers indefinitely, even if deleted on the original device. Because of this, messages act as crucial records of communication that can be used to convict suspects.<ref name=":02" />
: Text messages contain timestamps and remain in company servers, often indefinitely, even if deleted from the device. These records are valuable evidence for reconstructing communication between individuals.<ref name=":02"/>


; Photos
Photos: Photos can be critical in either supporting or disproving alibis by displaying a location or scene along with a timestamp of when the photo was taken.<ref name=":02" />
: Photos can provide critical evidence, supporting or disproving alibis by showing the location and time they were taken.<ref name=":02"/>


; Audio recordings
Audio Recordings: Some victims might have been able to record pivotal moments of the struggle, like the voice of their attacker or extensive context of the situation.<ref name=":02" />
: Some victims may have recorded pivotal moments, capturing details like the attacker's voice, which could provide crucial evidence.<ref name=":02"/>
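Review bot: In the text-messages entry, "remain in company servers, often indefinitely" is a strong retention claim; carrier retention periods vary, so keep the wording tied to what the Pollard source actually says rather than generalising. The conversion of "Phone Logs:", "Contacts:" etc. into ";" term and ":" definition lines is consistent with the Techniques section and is fine.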


===Volatile data===
=== Volatile data ===
'''Volatile data''' is any '''data''' that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. '''Volatile data''' resides in registries, cache, and random access memory (RAM). The investigation of this '''volatile data''' is called “live forensics”.
Volatile data is stored in memory or in transit and is lost when the computer is powered down. It resides in locations such as registries, cache, and RAM. The investigation of volatile data is referred to as "live forensics."
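Review bot: "registries" in both versions should be "registers" (CPU registers): the Windows registry is stored on disk and persists across power loss, so it is not volatile data. Linking [[Processor register]], [[CPU cache]] and [[Random-access memory]] would make the list precise.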


When seizing evidence, if the machine is still active, any information stored solely in [[Random access memory|RAM]] that is not recovered before powering down may be lost.<ref name="handbook" /> One application of "live analysis" is to recover RAM data (for example, using Microsoft's [[COFEE]] tool, WinDD, [[WindowsSCOPE]]) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.{{Citation needed|reason=Add a source describing which versions of Windows CaptureGUARD can unlock and under which circumstances.|date=December 2020}}
When seizing evidence, if a machine is still active, volatile data stored solely in [[Random access memory|RAM]] may be lost if not recovered before shutting down the system. "Live analysis" can be used to recover RAM data (e.g., using Microsoft's [[COFEE]] tool, WinDD, [[WindowsSCOPE]]) before removing the machine. Tools like CaptureGUARD Gateway allow for the acquisition of physical memory from a locked computer.{{Citation needed|reason=Add a source describing which versions of Windows CaptureGUARD can unlock and under which circumstances.|date=December 2020}}


RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect exploited by the [[cold boot attack]]. The length of time that data is recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60&nbsp;°C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination.<ref name="ColdBoot" />
RAM data can sometimes be recovered after power loss, as the electrical charge in memory cells dissipates slowly. Techniques like the [[cold boot attack]] exploit this property. Lower temperatures and higher voltages increase the chance of recovery, but it is often impractical to implement these techniques in field investigations.
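Review bot: The rewrite drops <ref name="ColdBoot" /> together with the quantitative detail (residual data preserved "by an order of magnitude" below −60 °C), leaving the cold-boot paragraph unsourced; keep the citation at minimum. "higher voltages" should stay "higher cell voltages" as in the original, since it is the DRAM cell voltage that affects retention.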


Some of the tools needed to extract volatile data, however, require that a computer be in a forensic lab, both to maintain a legitimate chain of evidence, and to facilitate work on the machine. If necessary, law enforcement applies techniques to move a live, running desktop computer. These include a [[mouse jiggler]], which moves the mouse rapidly in small movements and prevents the computer from going to sleep accidentally. Usually, an [[uninterruptible power supply]] (UPS) provides power during transit.
Tools that extract volatile data often require the computer to be in a forensic lab to maintain the chain of evidence. In some cases, a live desktop can be transported using tools like a [[mouse jiggler]] to prevent sleep mode and an [[uninterruptible power supply]] (UPS) to maintain power.


However, one of the easiest ways to capture data is by actually saving the RAM data to disk. Various file systems that have journaling features such as [[NTFS]] and [[ReiserFS]] keep a large portion of the RAM data on the main storage media during operation, and these page files can be reassembled to reconstruct what was in RAM at that time.<ref name=geiger />
Page files from file systems with journaling features, such as [[NTFS]] and [[ReiserFS]], can also be reassembled to recover RAM data stored during system operation.
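Review bot: Both versions attribute page files to "file systems with journaling features", but paging is performed by the operating system's virtual-memory subsystem, not by the file-system journal; NTFS journaling and the Windows page file are separate mechanisms. Suggest "The operating system's page file (swap) holds portions of RAM on disk during operation and can be examined to recover memory contents", and restore <ref name=geiger />, which the rewrite drops.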


===Analysis tools===
=== Analysis tools ===
{{see also|List of digital forensics tools}}
{{see also|List of digital forensics tools}}
Numerous open-source and commercial tools exist for computer forensics. Common forensic analysis includes manual reviews of media, Windows registry analysis, password cracking, keyword searches, and the extraction of emails and images. Tools such as [[Autopsy (software)]], [[Belkasoft Evidence Center]], [[Forensic Toolkit]] (FTK), and [[EnCase]] are widely used in digital forensics.


== Professional education and careers ==
A number of open source and commercial tools exist for computer forensics investigation. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.<ref name="casey" /> [[Autopsy (software)]], [[Belkasoft Evidence Center]], [[COFEE]], [[EnCase]] are the some of tools used in Digital forensics.

== Jobs in computer forensics ==
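Review bot: The revised Analysis tools paragraph drops <ref name="casey" />, so the list of typical analysis activities (registry review, password cracking, keyword searches, email and image extraction) is now unsourced; keep the citation. Swapping [[COFEE]] for [[Forensic Toolkit]] (FTK) is reasonable, as COFEE is a live-acquisition tool already covered under Volatile data. The heading rename from "Jobs in computer forensics" to "Professional education and careers" should be accompanied by updating any section links that target the old heading.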


=== Digital forensics analyst ===
=== Digital forensics analyst ===
A digital forensics analyst is responsible for preserving digital evidence, cataloging collected evidence, analyzing evidence in a manner relevant to the ongoing case, responding to cyber breaches (usually in a corporate context), writing reports containing findings, and testifying in court.<ref>{{Cite web |date=2022-12-28 |title=What Is a Digital Forensic Analyst? |url=https://www.eccouncil.org/cybersecurity-exchange/computer-forensics/what-is-digital-forensic-analyst/ |url-status=live |archive-url=https://web.archive.org/web/20221128021454/https://www.eccouncil.org/cybersecurity-exchange/computer-forensics/what-is-digital-forensic-analyst/ |archive-date=2022-11-28 |access-date=2022-12-28 |website=EC Council}}</ref> A digital forensic analyst may alternatively be referred to as a computer forensic analyst, digital forensic examiner, cyber forensic analyst, forensic technician, or other similarly named titles, although these roles perform the same duties. <ref>{{Cite web |date=2022-12-28 |title=CISA Cyber Defense Forensics Analyst |url=https://www.cisa.gov/cyber-defense-forensics-analyst |url-status=live |archive-url=https://web.archive.org/web/20221105031326/https://www.cisa.gov/cyber-defense-forensics-analyst |archive-date=2022-11-05 |access-date=2022-12-28 |website=Cybersecurity & Infrastructure Security Agency (CISA)}}</ref>
A digital forensics analyst is responsible for preserving digital evidence, cataloging collected evidence, analyzing evidence relevant to the ongoing case, responding to cyber breaches (often in a corporate context), writing reports containing findings, and testifying in court.<ref>{{Cite web |date=2022-12-28 |title=What Is a Digital Forensic Analyst? |url=https://www.eccouncil.org/cybersecurity-exchange/computer-forensics/what-is-digital-forensic-analyst/ |url-status=live |archive-url=https://web.archive.org/web/20221128021454/https://www.eccouncil.org/cybersecurity-exchange/computer-forensics/what-is-digital-forensic-analyst/ |archive-date=2022-11-28 |access-date=2022-12-28 |website=EC Council}}</ref> A digital forensic analyst may also be referred to as a computer forensic analyst, digital forensic examiner, cyber forensic analyst, forensic technician, or other similarly named titles, though these roles perform similar duties.<ref>{{Cite web |date=2022-12-28 |title=CISA Cyber Defense Forensics Analyst |url=https://www.cisa.gov/cyber-defense-forensics-analyst |url-status=live |archive-url=https://web.archive.org/web/20221105031326/https://www.cisa.gov/cyber-defense-forensics-analyst |archive-date=2022-11-05 |access-date=2022-12-28 |website=Cybersecurity & Infrastructure Security Agency (CISA)}}</ref>

==Certifications==
There are several computer forensics certifications available, such as the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional (DFIP) and IACRB Certified Computer Forensics Examiner.

The top ''vendor independent'' certification (especially within EU) is considered the '''CCFP''' - Certified Cyber Forensics Professional.<ref>{{cite web |url=https://www.isc2.org/Certifications/CISSP# |title=Cybersecurity Certification |website=isc2.org |access-date=2022-11-18}}</ref><ref>{{cite web |url=https://www.itjobswatch.co.uk/jobs/uk/ccfp.do |title=CCFP Salaries surveys |publisher=ITJobsWatch |access-date=2017-06-15 |archive-url=https://web.archive.org/web/20170119005256/http://www.itjobswatch.co.uk/jobs/uk/ccfp.do |archive-date=2017-01-19 |url-status=dead }}</ref>

Others, worth to mention for USA or APAC are:
The International Association of Computer Investigative Specialists offers the [[Certified Computer Examiner]] program.

The International Society of Forensic Computer Examiners offers the [[Certified Computer Examiner]] program.

Many commercial based forensic software companies are now also offering proprietary certifications on their products. For example, Guidance Software offering the (EnCE) certification on their tool EnCase, AccessData offering (ACE) certification on their tool FTK, PassMark Software offering certification on their tool OSForensics, and X-Ways Software Technology offering (X-PERT) certification for their software, X-Ways Forensics.<ref>{{cite web|url=http://www.x-pert.eu/ |title=X-PERT Certification Program |publisher=X-pert.eu |access-date=2015-11-26}}</ref>

== Laws ==

=== India ===
Indian Laws Sections 65-77 relate to computer crimes. All the laws are enforced by evidence left digitally and remotely on the computer due to the permanent tracking of our actions on databases.<ref name="Rajesh Ramesh 2016"/>

Section 66: Law preventing the hacking of computers. The crime is punishable by three years in prison or a five lakhs rupee fine.<ref name="Rajesh Ramesh 2016"/>


=== Certifications ===
Section 66F: Law focused on cyber-terrorism such as malware, phishing, unauthorized access, identity theft, etc. If caught, it usually leads to a life sentence.<ref name="Rajesh Ramesh 2016"/>
Several computer forensics certifications are available, such as the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional (DFIP), and IACRB Certified Computer Forensics Examiner. The top vendor-independent certification, particularly within the EU, is the Certified Cyber Forensics Professional (CCFP).<ref>{{cite web |title=Cybersecurity Certification |url=https://www.isc2.org/Certifications/CISSP# |access-date=2022-11-18 |website=isc2.org}}</ref><ref>{{cite web |title=CCFP Salaries surveys |url=https://www.itjobswatch.co.uk/jobs/uk/ccfp.do |url-status=dead |archive-url=https://web.archive.org/web/20170119005256/http://www.itjobswatch.co.uk/jobs/uk/ccfp.do |archive-date=2017-01-19 |access-date=2017-06-15 |publisher=ITJobsWatch}}</ref>


Many commercial forensic software companies also offer proprietary certifications.<ref>{{cite web |title=X-PERT Certification Program |url=http://www.x-pert.eu/ |access-date=2015-11-26 |publisher=X-pert.eu}}</ref>
Section 67B: Law to prevent the spread and publishing of child porn. It could lead to up to 7 years in prison and a ten lakhs rupee fine.<ref name="Rajesh Ramesh 2016"/>


==See also==
==See also==
* [[Certified Computer Examiner]]
* [[Certified Forensic Computer Examiner]]
* [[Certified Forensic Computer Examiner]]
* [[Anti-computer forensics|Counter forensics]]
* [[Anti-computer forensics|Counter forensics]]
* [[Cryptanalysis]]
* [[Cryptanalysis]]
*[[Cyber attribution]]
* [[Data remanence]]
* [[Data remanence]]
* [[Disk encryption]]
* [[Disk encryption]]
Line 128: Line 114:
== References ==
== References ==
{{reflist|refs=
{{reflist|refs=
<ref name="theadam" >{{cite web|author=Adams, R.|title='The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice|year=2012|url=https://www.researchgate.net/publication/258224615}}</ref>
<ref name="theadam">{{cite web|author=Adams, R.|title='The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice|year=2012|url=https://www.researchgate.net/publication/258224615}}</ref>
<ref name="casey">{{cite book|last=Casey|first=Eoghan|title=Digital Evidence and Computer Crime, Second Edition|year=2004|publisher=Elsevier|isbn=978-0-12-163104-8|url=https://books.google.com/books?id=Xo8GMt_AbQsC}}</ref>
<ref name="casey">{{cite book|last=Casey|first=Eoghan|title=Digital Evidence and Computer Crime, Second Edition|year=2004|publisher=Elsevier|isbn=978-0-12-163104-8|url=https://books.google.com/books?id=Xo8GMt_AbQsC}}</ref>
<ref name="noblett">{{cite web|title=Recovering and examining computer forensic evidence|url=https://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/oct2000/computer.htm|access-date=26 July 2010|author=Michael G. Noblett|author2=Mark M. Pollitt |author3=Lawrence A. Presley |date=October 2000}}</ref>
<ref name="noblett">{{cite web|title=Recovering and examining computer forensic evidence|url=https://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/oct2000/computer.htm|access-date=26 July 2010|author=Michael G. Noblett|author2=Mark M. Pollitt |author3=Lawrence A. Presley |date=October 2000}}</ref>
<ref name="cf-education">{{cite journal |last1=Yasinsac |first1=A. |last2=Erbacher |first2=R.F. |last3=Marks |first3=D.G. |last4=Pollitt |first4=M.M. |last5=Sommer |first5=P.M. |title=Computer forensics education |journal=IEEE Security & Privacy |date=July 2003 |volume=1 |issue=4 |pages=15–23 |doi=10.1109/MSECP.2003.1219052 }}</ref>
<ref name="cf-education">{{cite journal |last1=Yasinsac |first1=A. |last2=Erbacher |first2=R.F. |last3=Marks |first3=D.G. |last4=Pollitt |first4=M.M. |last5=Sommer |first5=P.M. |title=Computer forensics education |journal=IEEE Security & Privacy |date=July 2003 |volume=1 |issue=4 |pages=15–23 |doi=10.1109/MSECP.2003.1219052}}</ref>
<ref name="handbook">{{cite book|last=Various|title=Handbook of Digital Forensics and Investigation|year=2009|publisher=[[Academic Press]]|isbn=978-0-12-374267-4|page=567|url=https://books.google.com/books?id=xNjsDprqtUYC|editor=Eoghan Casey|access-date=27 August 2010}}</ref>
<ref name="ColdBoot">{{cite journal|url=http://citp.princeton.edu/research/memory/|title=Lest We Remember: Cold Boot Attacks on Encryption Keys|author=[[J. Alex Halderman]], [[Seth Schoen|Seth D. Schoen]], [[Nadia Heninger]], William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, [[Jacob Appelbaum]], and [[Edward W. Felten]]|publisher=[[Princeton University]]|date=2008-02-21|access-date=2009-11-20}}</ref>
<ref name="handbook" >{{cite book|last=Various|title=Handbook of Digital Forensics and Investigation|year=2009|publisher=[[Academic Press]]|isbn=978-0-12-374267-4|page=567|url=https://books.google.com/books?id=xNjsDprqtUYC|editor=Eoghan Casey|access-date=27 August 2010}}</ref>
<ref name="garfinkel" >{{cite web|author=Garfinkel, S.|title=Forensic Feature Extraction and Cross-Drive Analysis|date=August 2006|url=https://darkhunts.com/image-forensics-collect-evidence-from-images/}}</ref>
<ref name="nsf" >{{cite web|title=EXP-SA: Prediction and Detection of Network Membership through Automated Hard Drive Analysis|url=https://www.nsf.gov/awardsearch/showAward.do?AwardNumber=0730389}}</ref>
<ref name="exposed" >{{cite book|title=Hacking Exposed: Computer Forensics|year=2009|publisher=McGraw Hill Professional|isbn=978-0-07-162677-4|page=544|url=https://books.google.com/books?id=yMdNrgSBUq0C|author=Aaron Phillip|author2=David Cowen |author3=Chris Davis |access-date=27 August 2010}}</ref>
<ref name="kruse">{{cite book|title=Computer forensics: incident response essentials|year=2002|publisher=Addison-Wesley|isbn=978-0-201-70719-9|page=[https://archive.org/details/computerforensic0000krus/page/392 392]|url=https://archive.org/details/computerforensic0000krus|url-access=registration|author=Warren G. Kruse|author2=Jay G. Heiser|access-date=6 December 2010}}</ref>
<ref name="kruse">{{cite book|title=Computer forensics: incident response essentials|year=2002|publisher=Addison-Wesley|isbn=978-0-201-70719-9|page=[https://archive.org/details/computerforensic0000krus/page/392 392]|url=https://archive.org/details/computerforensic0000krus|url-access=registration|author=Warren G. Kruse|author2=Jay G. Heiser|access-date=6 December 2010}}</ref>
<ref name="gunsch" >{{cite web|author=Gunsch, G|title=An Examination of Digital Forensic Models|date=August 2002|url=http://www.utica.edu/academic/institutes/ecii/publications/articles/A04A40DC-A6F6-F2C1-98F94F16AF57232D.pdf}}</ref>
<ref name="gunsch">{{cite web|author=Gunsch, G|title=An Examination of Digital Forensic Models|date=August 2002|url=http://www.utica.edu/academic/institutes/ecii/publications/articles/A04A40DC-A6F6-F2C1-98F94F16AF57232D.pdf}}</ref>
<ref name=":02">{{Cite book |last=Pollard |first=Carol |title=Computer Forensics for Dummies |publisher=John Wiley & Sons, Incorporated |year=2008 |isbn=9780470434956 |pages=219–230 |language=English}}</ref>
<ref name="leigland" >{{cite web|author=Leigland, R|title=A Formalization of Digital Forensics|date=September 2004|url=http://www.utica.edu/academic/institutes/ecii/publications/articles/A0B8472C-D1D2-8F98-8F7597844CF74DF8.pdf}}</ref>
}}
<ref name="geiger" >{{cite web|author=Geiger, M|title=Evaluating Commercial Counter-Forensic Tools|date=March 2005|url=http://www.dfrws.org/2005/proceedings/geiger_couterforensics.pdf|access-date=2012-04-02|archive-url=https://web.archive.org/web/20141230180719/http://www.dfrws.org/2005/proceedings/geiger_couterforensics.pdf|archive-date=2014-12-30|url-status=dead}}</ref>
<ref name="dunbar" >{{cite web|author=Dunbar, B|title=A detailed look at Steganographic Techniques and their use in an Open-Systems Environment|date=January 2001|url=http://www.sans.org/reading_room/whitepapers/covert/detailed-steganographic-techniques-open-systems-environment_677}}</ref>}}


==Further reading==
==Further reading==

Latest revision as of 10:51, 9 December 2024

A forensic expert examining a mobile device that was seized during an investigation
Media types used for computer forensic analysis: a Fujifilm FinePix digital camera, two flash memory cards, a USB flash drive, a 5GB iPod, a CD-R or DVD recordable, and a Mini CD.

Computer forensics (also known as computer forensic science)[1] is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing, and presenting facts and opinions about the digital information.

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices as other digital evidence. It has been used in a number of high-profile cases and is accepted as reliable within U.S. and European court systems.

Overview


In the early 1980s, personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit fraud). At the same time, several new "computer crimes" were recognized (such as cracking). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Since then, computer crime and computer-related crime have grown, with the FBI reporting 791,790 suspected internet crimes in 2020, a 69% increase over the number reported in 2019.[2][3] Today, computer forensics is used to investigate a wide variety of crimes, including child pornography, fraud, espionage, cyberstalking, murder, and rape. The discipline also features in civil proceedings as a form of information gathering (e.g., Electronic discovery).

Forensic techniques and expert knowledge are used to explain the current state of a digital artifact, such as a computer system, storage medium (e.g., hard disk or CD-ROM), or an electronic document (e.g., an email message or JPEG image).[4] The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. In a 2002 book, Computer Forensics, authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data".[5] They describe the discipline as "more of an art than a science," indicating that forensic methodology relies on flexibility and extensive domain knowledge. However, while several methods can be used to extract evidence from a given computer, the strategies used by law enforcement are fairly rigid and lack the flexibility found in the civilian world.[6]

Cybersecurity


Computer forensics is often confused with cybersecurity. Cybersecurity focuses on prevention and protection, while computer forensics is reactive, concerned with tracking and exposing what happened after an incident. System security usually encompasses two teams, cybersecurity and computer forensics, which work together: the cybersecurity team builds systems and programs to protect data, and if these fail, the computer forensics team recovers the data and investigates the intrusion and theft. Both areas require knowledge of computer science.[7]


Computer forensics is used to convict those involved in physical and digital crimes. Some of these computer-related crimes include interruption, interception, copyright infringement, and fabrication. Interruption relates to the destruction or theft of computer parts and digital files. Interception is the unauthorized access of files and information stored on technological devices.[8] Copyright infringement refers to using, reproducing, and distributing copyrighted material, including software piracy. Fabrication involves inserting false data or information into a system through an unauthorized source. Examples of interceptions include the Bank NSP case, Sony.Sambandh.com case, and business email compromise scams.[9]

Use as evidence


In court, computer forensic evidence is subject to the usual requirements for digital evidence. This requires that information be authentic, reliably obtained, and admissible.[10] Different countries have specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often follow Association of Chief Police Officers guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts.

Computer forensics has been used as evidence in criminal law since the mid-1980s. Some notable examples include:[11]

  • BTK Killer: Dennis Rader was convicted of a string of serial killings over sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk.[12] Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church," helping lead to Rader's arrest.[13]
  • Joseph Edward Duncan: A spreadsheet recovered from Duncan's computer contained evidence showing him planning his crimes. Prosecutors used this to demonstrate premeditation and secure the death penalty.[14]
  • Sharon Lopatka: Hundreds of emails on Lopatka's computer led investigators to her killer, Robert Glass.[11]
  • Corcoran Group: This case confirmed parties' duties to preserve digital evidence once litigation has commenced or is reasonably anticipated. A computer forensics expert analyzed the defendants' hard drives and could not find emails they should have had; although the expert found no evidence of deletion on the drives themselves, other evidence showed that the defendants had intentionally destroyed emails.[11]
  • Dr. Conrad Murray: Dr. Conrad Murray, Michael Jackson's physician, was convicted partly on the basis of digital evidence, including medical documentation showing lethal amounts of propofol.

Forensic process

A portable Tableau write blocker attached to a hard drive

Computer forensic investigations typically follow the standard digital forensic process, consisting of four phases: acquisition, examination, analysis, and reporting. Investigations are usually performed on static data (i.e., acquired images) rather than "live" systems. This differs from early forensic practices, when a lack of specialized tools often required investigators to work on live data.
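The acquisition phase is where forensic soundness is won or lost: the examiner reads the source through a write blocker, copies every sector, and records hashes so the image can later be shown to be unchanged. The following is an added example written for this page (not code from the article or from any named imaging tool). It models the read-only source as a constructed in-memory device whose sector 3 raises an I/O error, and shows the two choices a practitioner has to get right: unreadable sectors are zero-filled and logged rather than skipped, so image offsets still line up with the source, and SHA-256 and MD5 are taken during the copy so they describe exactly the bytes that were written. The device class, sector size and sample data are assumptions of the demonstration.

```python
# Added example for this page (not code from the article or any named tool):
# sector-by-sector acquisition of a read-only source with bad-sector handling
# and hash verification.  The "device" is a constructed in-memory stand-in.
import hashlib
from dataclasses import dataclass, field

SECTOR = 512  # sector-sized reads: one media error costs one sector, not a whole buffer

# Constructed sample media: 4096 bytes = 8 sectors of a known pattern.
SAMPLE_DATA = bytes(range(256)) * 16


class FakeDevice:
    """Stand-in for a block device behind a write blocker: reads only, and any
    sector listed in bad_sectors raises OSError the way failing media would."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad_sectors = set(bad_sectors)

    @property
    def num_sectors(self) -> int:
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad_sectors:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


@dataclass
class AcquisitionRecord:
    """What goes into the examiner's notes: the image and the hashes taken at acquisition."""
    image: bytes
    sha256: str
    md5: str
    bad_sectors: list = field(default_factory=list)


def acquire(device: FakeDevice) -> AcquisitionRecord:
    """Copy every sector in order.  An unreadable sector is zero-filled and logged
    instead of skipped (the conv=noerror,sync behaviour of dd), so every offset in
    the image still corresponds to the same offset on the source."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    chunks, bad = [], []
    for n in range(device.num_sectors):
        try:
            block = device.read_sector(n)
        except OSError:
            block = b"\x00" * SECTOR
            bad.append(n)
        chunks.append(block)
        sha256.update(block)
        md5.update(block)
    return AcquisitionRecord(b"".join(chunks), sha256.hexdigest(), md5.hexdigest(), bad)


def verify(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the image before analysis (and again before testimony) and compare with
    the hash recorded at acquisition; any mismatch means the image cannot be relied on."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


if __name__ == "__main__":
    rec = acquire(FakeDevice(SAMPLE_DATA, bad_sectors=(3,)))
    print("sha256:", rec.sha256, "md5:", rec.md5, "bad sectors:", rec.bad_sectors)
    print("verified:", verify(rec.image, rec.sha256))
```

Note that when sectors were unreadable the image hash necessarily differs from any hash of the original media, which is why the bad-sector list is part of the record: it is what lets the examiner explain the discrepancy.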

Computer forensics lab


The computer forensics lab is a secure environment where electronic data can be preserved, managed, and accessed under controlled conditions, minimizing the risk of damage or alteration to the evidence. Forensic examiners are provided with the resources necessary to extract meaningful data from the devices they examine.[15]

Techniques


Various techniques are used in computer forensic investigations, including:

Cross-drive analysis
This technique correlates information found on multiple hard drives and can be used to identify social networks or detect anomalies.[16][17]
Live analysis
The examination of computers from within the operating system using forensic or existing sysadmin tools to extract evidence. This technique is particularly useful for dealing with encrypting file systems where encryption keys can be retrieved, or for imaging the logical hard drive volume (a live acquisition) before shutting down the computer. Live analysis is also beneficial when examining networked systems or cloud-based devices that cannot be accessed physically.[18]
Deleted files
A common forensic technique involves recovering deleted files. Most operating systems and file systems do not overwrite a file's data when it is deleted; typically only the directory entry is removed and the blocks are marked free, so investigators can often reconstruct the file from the underlying disk sectors until they are reused. Forensic software can also "carve" files out of unallocated space by searching for known file headers (and, where the format has one, footers) and reassembling the data between them, without any help from the file system.
Stochastic forensics
This method leverages the stochastic properties of a system to investigate activities without traditional digital artifacts, often useful in cases of data theft.
Steganography
Steganography involves concealing data within another file, such as hiding illegal content within an image. Forensic investigators can detect steganography by comparing a file's hash with that of a known-clean copy of the carrier file, as any hidden data alters the hash; without such a reference copy a hash alone reveals nothing, and statistical steganalysis of the file contents is needed instead.
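The deleted-file and cross-drive entries above describe two techniques that operate on raw image bytes without the file system's help. As an added example written for this page (not from the article or from any named forensic tool), the following carves JPEG and PNG files out of a constructed image by header/footer signature, then extracts e-mail addresses from several constructed drive images and reports identifiers shared between drives, which is the core of cross-drive analysis. The signature table, the 10 MiB carve cap, the e-mail pattern and all sample images are assumptions for the demonstration.

```python
# Added example for this page (not code from the article or from any named
# forensic tool): signature-based file carving from raw image bytes, then a
# simple cross-drive correlation on extracted e-mail addresses.  All "drive
# images" below are constructed byte strings, not real acquisitions.
import re

# Header/footer signatures (assumed table, kept to two formats for the demo).
# Both JPEG and PNG have a fixed trailer, so header-to-footer carving works;
# formats without a trailer need a length field or a size cap instead.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024   # assumption: no carved file larger than 10 MiB


def carve(image: bytes) -> list:
    """Return (kind, offset, data) for every header whose footer lies within MAX_CARVE.
    Works on the raw bytes, so it recovers files that no directory entry points to."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(tail, start + len(head), start + MAX_CARVE)
            if end < 0:                 # header with no footer in range: skip just this header
                pos = start + 1
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end                   # don't re-carve inside a file already recovered
    return sorted(found, key=lambda f: f[1])


EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_features(image: bytes) -> set:
    """Pull identifiers (here: e-mail addresses, case-folded) out of raw image bytes."""
    return {m.group(0).lower() for m in EMAIL.finditer(image)}


def cross_drive(images: dict) -> dict:
    """Map each feature to the drives it appears on; a feature found on two or more
    drives links those drives, which is how cross-drive analysis exposes a network."""
    index = {}
    for name, img in images.items():
        for feat in extract_features(img):
            index.setdefault(feat, set()).add(name)
    return {f: drives for f, drives in index.items() if len(drives) > 1}


# Constructed sample data.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x22" * 30 + b"IEND\xaeB`\x82"
SAMPLE_IMAGE = b"\x00" * 100 + FAKE_JPEG + b"\x00" * 50 + FAKE_PNG + b"\xff" * 20
SAMPLE_DRIVES = {
    "drive_a": b"From: Alice <alice@example.com>\r\nTo: bob@example.com\r\n" + FAKE_JPEG,
    "drive_b": b"To: Bob@Example.com\nCc: carol@example.org\n",
    "drive_c": b"dave@example.net: nothing to see here",
}

if __name__ == "__main__":
    for kind, off, data in carve(SAMPLE_IMAGE):
        print(f"carved {kind} at offset {off}, {len(data)} bytes")
    for feat, drives in cross_drive(SAMPLE_DRIVES).items():
        print(f"{feat.decode()} links {sorted(drives)}")
```

Real carvers deal with fragmentation and with footers that occur inside the file (a JPEG with an embedded thumbnail contains a second FFD9), which is why the cap and the "skip just this header" branch matter: a false header must not swallow the file that follows it.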

Mobile device forensics

Phone logs
Phone companies typically retain logs of received calls, which can help create timelines and establish suspects' locations at the time of a crime.[19]
Contacts
Contact lists are useful in narrowing down suspects based on their connections to the victim.[19]
Text messages
Text messages carry timestamps and are often retained on the carrier's servers even after deletion from the device. These records are valuable evidence for reconstructing communication between individuals.[19]
Photos
Photos can provide critical evidence, supporting or disproving alibis by showing the location and time they were taken.[19]
Audio recordings
Some victims may have recorded pivotal moments, capturing details like the attacker's voice, which could provide crucial evidence.[19]

Volatile data


Volatile data is data held in memory or in transit that is lost when the computer is powered down. It resides in locations such as RAM, caches, and registry and network state held in memory. The investigation of volatile data is referred to as "live forensics."

When seizing evidence, if a machine is still active, volatile data stored solely in RAM may be lost if not recovered before shutting down the system. "Live analysis" can be used to recover RAM data (e.g., using Microsoft's COFEE tool, WinDD, WindowsSCOPE) before removing the machine. Tools like CaptureGUARD Gateway allow for the acquisition of physical memory from a locked computer.[citation needed]

RAM data can sometimes be recovered after power loss, because the charge in DRAM cells dissipates gradually rather than instantly. Techniques like the cold boot attack exploit this property: cooling the memory modules slows the decay and increases the chance of recovery, though such techniques are often impractical in field investigations.

Tools that extract volatile data often require the computer to be in a forensic lab to maintain the chain of custody. In some cases a live desktop can be transported while still running, using a mouse jiggler to prevent sleep mode and an uninterruptible power supply (UPS) to maintain power.

Page files and swap space (for example pagefile.sys on a Windows NTFS volume, or a Linux swap partition) hold memory pages that were written out to disk during operation, and can be examined to recover data that was in RAM.
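Recovering encryption keys from memory, mentioned under live analysis and the motivation for the cold boot work cited above, rests on a property this section does not spell out: a running AES implementation keeps not just the 16-byte key but its full 176-byte expanded key schedule in RAM, and the schedule is a deterministic function of the key, so a capture can be scanned for any 16 bytes whose following 160 bytes equal their own expansion. The block below is an added example written for this page (not code from the article, from the cold boot authors' tools, or from any named product); it reimplements the FIPS-197 AES-128 key expansion, generating the S-box from the field arithmetic rather than from a table, and searches a constructed memory buffer the way aeskeyfind does. The buffer size, the planting offsets and the deliberately planted bare key copy are assumptions of the demonstration.

```python
# Added example for this page (not code from the article, the cold boot paper's
# tools, or any named product): find AES-128 keys in a memory capture by locating
# the expanded key schedule.  The memory buffer is a constructed sample.
import random


def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        if inv[a]:
            continue
        for b in range(1, 256):
            if _gmul(a, b) == 1:
                inv[a], inv[b] = b, a
                break
    sbox = []
    for x in range(256):
        v, s = inv[x], inv[x]
        for i in range(1, 5):                       # s = v ^ rotl(v,1) ^ ... ^ rotl(v,4) ^ 0x63
            s ^= ((v << i) | (v >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                        # RotWord
            t = [SBOX[b] for b in t]                 # SubWord
            t[0] ^= RCON[i // 4 - 1]                 # Rcon
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(mem: bytes) -> list:
    """Return (offset, key) for every 16-byte window whose next 160 bytes are its own
    key schedule.  A cheap check on the first expanded word rejects almost every
    offset before the full expansion is computed."""
    hits = []
    for off in range(len(mem) - 176 + 1):
        k = mem[off:off + 16]
        rot = k[13:16] + k[12:13]                    # RotWord(w[3])
        w4 = bytes([SBOX[rot[0]] ^ k[0] ^ RCON[0], SBOX[rot[1]] ^ k[1],
                    SBOX[rot[2]] ^ k[2], SBOX[rot[3]] ^ k[3]])
        if mem[off + 16:off + 20] == w4 and mem[off:off + 176] == expand_key(k):
            hits.append((off, k))
    return hits


# Constructed sample "memory image": random filler with one schedule planted at
# SCHEDULE_OFFSET and a bare copy of the key (no schedule) planted at offset 100.
MEM_SIZE = 32 * 1024
SCHEDULE_OFFSET = 4096


def build_sample_memory(key: bytes) -> bytes:
    rng = random.Random(20241209)                    # fixed seed so the sample is reproducible
    mem = bytearray(rng.getrandbits(8) for _ in range(MEM_SIZE))
    mem[100:116] = key                               # bare key: should not be reported
    mem[SCHEDULE_OFFSET:SCHEDULE_OFFSET + 176] = expand_key(key)
    return bytes(mem)


if __name__ == "__main__":
    test_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A.1 key
    for off, k in find_aes128_keys(build_sample_memory(test_key)):
        print(f"AES-128 key schedule at offset {off:#x}: key {k.hex()}")
```

The bare key copy at offset 100 is not reported, which is the point of the method: a 16-byte window has no recognisable structure by itself, but a schedule gives 160 bytes of redundancy that random data cannot satisfy. On a capture taken after a cold boot the schedule may contain bit errors, and the real tool scores near-matches rather than requiring byte-exact equality; that extension is omitted here.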

Analysis tools


Numerous open-source and commercial tools exist for computer forensics. Common forensic analysis includes manual reviews of media, Windows registry analysis, password cracking, keyword searches, and the extraction of emails and images. Tools such as Autopsy, Belkasoft Evidence Center, Forensic Toolkit (FTK), and EnCase are widely used in digital forensics.

Professional education and careers


Digital forensics analyst


A digital forensics analyst is responsible for preserving digital evidence, cataloging collected evidence, analyzing evidence relevant to the ongoing case, responding to cyber breaches (often in a corporate context), writing reports containing findings, and testifying in court.[20] A digital forensic analyst may also be referred to as a computer forensic analyst, digital forensic examiner, cyber forensic analyst, forensic technician, or other similarly named titles, though these roles perform similar duties.[21]

Certifications


Several computer forensics certifications are available, such as the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional (DFIP), and IACRB Certified Computer Forensics Examiner. The top vendor-independent certification, particularly within the EU, is the Certified Cyber Forensics Professional (CCFP).[22][23]

Many commercial forensic software companies also offer proprietary certifications.[24]

See also


References

  1. ^ Michael G. Noblett; Mark M. Pollitt; Lawrence A. Presley (October 2000). "Recovering and examining computer forensic evidence". Retrieved 26 July 2010.
  2. ^ "2020 Internet Crime Report" (PDF). IC3.gov.
  3. ^ "IC3 Releases 2020 Internet Crime Report". Federal Bureau of Investigation.
  4. ^ Yasinsac, A.; Erbacher, R.F.; Marks, D.G.; Pollitt, M.M.; Sommer, P.M. (July 2003). "Computer forensics education". IEEE Security & Privacy. 1 (4): 15–23. doi:10.1109/MSECP.2003.1219052.
  5. ^ Warren G. Kruse; Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. p. 392. ISBN 978-0-201-70719-9. Retrieved 6 December 2010.
  6. ^ Gunsch, G (August 2002). "An Examination of Digital Forensic Models" (PDF).
  7. ^ "What Is Computer Forensics?". Western Governors University.
  8. ^ Kruse II, Warren G.; Heiser, Jay G. (2001). Computer Forensics: Incident Response Essentials. Pearson Education. ISBN 978-0-672-33408-5.
  9. ^ Sabry, Fouad (2022). Digital Forensics: How digital forensics is helping to bring the work of crime scene investigating into the real world. One Billion Knowledgeable. ISBN 978-1-792-30942-6 (ISBN checksum invalid as printed).
  10. ^ Adams, R. (2012). "'The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice".
  11. ^ a b c Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 978-0-12-163104-8.
  12. ^ "The Capture of Serial Killer Dennis Rader, BTK". Psychology Today.
  13. ^ Dooley, Sean. "BTK serial killer's daughter: 'We were living our normal life... Then everything upended on us'". ABC News.
  14. ^ Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 978-0-12-374267-4. Retrieved 27 August 2010.
  15. ^ "Chapter 3: Computer Forensic Fundamentals - Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business Executives [Book]". www.oreilly.com. Retrieved 2022-03-04.
  16. ^ Garfinkel, Simson L. (2006-09-01). "Forensic feature extraction and cross-drive analysis". Digital Investigation. The Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS '06). 3: 71–81. doi:10.1016/j.diin.2006.06.007. ISSN 1742-2876.
  17. ^ David, Anne; Morris, Sarah; Appleby-Thomas, Gareth (2020-08-20). "A Two-Stage Model for Social Network Investigations in Digital Forensics" (PDF). Journal of Digital Forensics, Security and Law. 15 (2). doi:10.15394/jdfsl.2020.1667. ISSN 1558-7223. S2CID 221692362.
  18. ^ https://espace.curtin.edu.au/bitstream/handle/20.500.11937/93974/Adams%20RB%202023%20Public.pdf?sequence=1&isAllowed=y
  19. ^ a b c d e Pollard, Carol (2008). Computer Forensics for Dummies. John Wiley & Sons, Incorporated. pp. 219–230. ISBN 9780470434956.
  20. ^ "What Is a Digital Forensic Analyst?". EC Council. 2022-12-28. Archived from the original on 2022-11-28. Retrieved 2022-12-28.
  21. ^ "CISA Cyber Defense Forensics Analyst". Cybersecurity & Infrastructure Security Agency (CISA). 2022-12-28. Archived from the original on 2022-11-05. Retrieved 2022-12-28.
  22. ^ "Cybersecurity Certification". isc2.org. Retrieved 2022-11-18.
  23. ^ "CCFP Salaries surveys". ITJobsWatch. Archived from the original on 2017-01-19. Retrieved 2017-06-15.
  24. ^ "X-PERT Certification Program". X-pert.eu. Retrieved 2015-11-26.

Further reading

  • IEEE Transactions on Information Forensics and Security
  • Journal of Digital Forensics, Security and Law
  • International Journal of Digital Crime and Forensics
  • Journal of Digital Investigation
  • International Journal of Digital Evidence
  • International Journal of Forensic Computer Science
  • Journal of Digital Forensic Practice
  • Cryptologia
  • Small Scale Digital Device Forensic Journal