Forensics ideally means the use of scientific techniques in identifying, verifying and presenting all the evidence related to a certain crime. This evidence is then used in court to convict or to release a suspect. Therefore, forensics usually deals with the collection of vital information so as to be used in court. Computer forensics can therefore be defined as the process of collecting vital information from computers, storage devices and communication network so as to be used in court to proof a given case. Such information could have been tampered with, destroyed or encrypted. The information is very much important in carrying out a trial, impounding and prosecuting suspects. The process of computer forensics usually follows the standards that are set by and accepted by courts of law (http://www.cpsr.org/prevsite/cpsr/privacy/crime.html.) Computer forensics specialist usually targets storage devices for this vital information. Such storage devices include hard disk, flash disks, 3.5 floppy and the CDs. There are also various parts whereby the data can be obtained apart from these storage devices. Information could also be found at the server where the source information could have been processed, the network used and the work station in which the information originated. This information could be very much important in tracing the source of the crime. The results which are usually obtained during computer forensics should always be treated very carefully. This is because it has to meet the required standards in order for it to be accepted as evidence.
Therefore the collected data should be guarded against dangers that might destroy the information. These include computer worms (viruses), exposure of the devices to strong magnetic field strengths and careless handling of the devices which could lead to physical damages. There are also various ways which can be employed to ensure that the data is not tampered with. This involves the use of forensic tools that meets the required set standards. Therefore the tools should always be tested so as to verify if it really meets the standards. There are various institutions which provide free testing to the forensic tools.
Procedures followed when carrying out Computer Forensic:
Once a crime has been committed and discovered, there are various procedures to be used and followed so as to seize untampered information. First of all, the area in which the crime took place and its surrounding should be restricted from the general public. This is done by creating a perimeter barrier around the crime area using a yellow tape. Therefore, there will be less interruptions and tampering of the data. After securing the area, it is always recommended that one should write a report before embarking on the real investigations. This would assist the forensic collector incase he/she was to provide a testimony in the law courts. It will also demonstrate that quality procedures were used in carrying out the whole process since it will form a foundation for the whole procedure. Writing of the report also demonstrates the seriousness the investigator had in carrying out the whole process. Such seriousness should be demonstrated during the real hearing of the case and incase there are some doubts regarding the seriousness of the procedure, the investigator might be charged hence putting himself and the whole investigation in danger (http://ncfs.org/craiger.forensics.methods.procedures.final.pdf.)
Once the report writing has been documented, the computers should be immediately checked for any running programmes. These programmes could be destructive and could also be erasing the vital information that could be very useful as far as the whole process is concerned. Incase such running programmes are detected, the process should be terminated immediately by cutting off the power that is being used by the machine. The disk drives should also be sealed to ensure that there is no information that is lost or added. The date and time should also be recorded from the computers that are suspected to have been used to carry out the crime. This information should be compared with those of other computers since somebody could have interrupted with the settings of the date and time (http://www.oas.org/juridico/spanish/cyb-best-pract.pdf.) Correct date and time will be very much important during the whole investigation as it will help in connecting various activities that were carried out by the suspects.
All the computer information should also be written down on paper. This information should also include the computer location and its environs. This information should be accompanied by photos and even videos. The most important computer information to be written down should include the computer’s internal and external appearances. E.g. hard disk size, RAM size, speeds of the computer, the make of the machine and also information about the existence of any other external peripherals. The activities and the appearance of the computer screen should also be photographed. This will serve as evidence for demonstrating what was running at that very instance when the crime had just been committed. Such running program will be scrutinized to determine its motives and objectives. Incase the computer is to be taken for further investigations; photographs of all the connections which had been made to it should be taken. These photos will show how the computer had been initially connected thus enabling the investigators to put all the connections exactly the same way as it was. The computer’s physical appearance on the inside and also outside should be photographed. The photos will serve to demonstrate all the internal and also external peripherals.
Such peripherals include hard disks, USB, network cards and many other connections. All the surrounding equipments on the crime scene area such as gadgets, papers and any other material or device that can provide vital information should also be seized. In situations where the computer with suspected information is to be scrutinized and has to be transported to forensic lab, each and every component should be labeled well and placed in a safe transporting material. All the written information and materials such as papers should also be seized in the crime scene area. Such written papers are mainly found in the drawers, dust pins, below the table, beneath the keyboard and others are sticked into the monitors. These papers might contain vital information especially the passwords that the suspect has been using (http://www.computerforensics.net/forensics.htm). The computer purchasing information should also be seized. Such information might include things such as the computer manual and other manufacturer’s information. Once the required evidence has been obtained, it should be stored safely so as to avoid any tampering of the primary important information.
Ways of handling Computer Devices in the scene
There are also various procedures for handling different computer devices. These devices and the procedures for dealing with them are as follows.
Un-networked computer: When dealing with investigations of un-networked computer, the entire machine should be put off immediately to prevent it from running any program. This is done by unplugging the power cable. For the laptops, the powering batteries should be removed and the power cable should be unplugged to prevent any tampering of data by any running program.
Networked Computer: For the networked computers, the power should not be cut-off immediately, the normal procedure of shutting down the computer should be followed. This is done in order to protect the existence of the files that are being shared in the network. After the machines have been shut down completely, all the power cables should be unplugged and labeled (http://staff.Washington.edu/dittrich/misc/forensics ).
Servers: The server should not be shut down immediately. This is to enable the recovery of the volatile data that has been saved. The normal procedures should also be used when shutting down servers.
Ways and tools of Acquiring Data:
There are various ways in which data can be acquired from these devices. In various occasions, the initial step to take before the machine is shut down is to collect the volatile data. These are the information which are stored in RAM and can be lost when the machine is turned off. This information therefore should be given priority before the computer is switched off. There are also tools that can be used in the recovery of the information from encrypted files and also from the hard disk. These tools are very much useful in recovering and also in the process of un-encrypting encrypted data. Examples of these tools include the Helix and also the Knopixx. There are also commercial software tools that can be used; an example of such software is the Encase (http://www.isfs.org.hk/publications/computer Forensics/computer forensics-part 2.pdf). All these tools are very much important in retrieving the information from the RAM and also in identifying the recently visited sites in the internet, the mails sent and those received and also the user name and the password used. Incase there is a power loss before the data from RAM is collected; these tools serve the purpose of retrieving such information from the RAM. It is also easier to retrace and retrieve information which has been stored for longer in RAM by using such tools. Such information is easier to retrieve so long as RAM is not exposed to electromagnetic field and as long as it is kept in low temperatures. There is also another software tool which can be used in reproducing all the information which has been stored in the hard disk. This software tool is called the IXimager. When such a tool is used, all the entire contents in the hard disk is reproduced and transferred to another hard disk. The duplicate of the original hard disk can therefore be used during further investigation while the original one can be kept in a safe place which is very much secure. In the process of reproducing another hard drive, the already reproduced duplicate should be protected from any further addition of data by write protecting it (http://www.fbi.gov/hq/lab/fsc/backissu/oct 2000/computer.htm).
Computer forensic is therefore very important especially during this era where most of the companies have networked their computers. Computer forensic therefore play a key role incase the company’s computer network is facing a threat from intruders. These processes will ensure such intruders are investigated and judged in the court of law. Computer forensics is also very important in saving the company’s expenditure. Many companies and organizations are spending so much money in purchasing software that is used to detect any intrusion. But of late, this software has become so much expensive and the only option is to rely on computer forensics.
Craiger, J. Computer Forensic procedures and Methods. Retrieved May 13, 2008, from http://ncfs.org/craiger.forensics.methods.procedures.final.pdf.
(2006). Best practices for computer Forensics. Retrieved May 13, 2008, from http://www.oas.org/juridico/spanish/cyb-best-pract.pdf.
Computer professional for social Diversity: Computer Crime Directory. Retrieved May 13, 2008 from http://www.cpsr.org/prevsite/cpsr/privacy/crime.html
Computer Forensics. Retrieved May 13, 2008, from http://www.isfs.org.hk/publications/computer Forensics/computer forensics-part 2.pdf
Dittrich, D. (2001). Basic steps in Forensic Analysis of Unix systems. Retrieved May 13, 2008, from http://staff.Washington.edu/dittrich/misc/forensics.
Noblett, M. (2000). Recovering and Examining Computer Forensic Evidence. Retrieved May 13, 2008, from http://www.fbi.gov/hq/lab/fsc/backissu/oct 2000/computer.htm
Robbins & Judd. An Explanation of Computer forensics. Retrieved May 13, 2008, from http://www.computerforensics.net/forensics.htm.