Computer forensics is the process of uncovering, documenting, preserving, and analyzing evidence of a crime that has been stored on (or created using) a computer system. (For the use of computers by police, see law enforcement and computers.)
In general, computer forensics involves both adherence to legal evidentiary standards and the use of sophisticated technical tools. The legal standards require practices similar to those used in obtaining other types of criminal evidence (observing expectations of privacy, knowing when a warrant is needed to search and seize evidence, and so on).
Once there is a go-ahead for a search, the first step is to document the layout and nature of the equipment (generally by photographing it) and to identify both devices that might be problematic and any notes or other materials that might reveal passwords for encrypted data.
If the system is running, it may be viewed or scanned to determine what applications are running and what network connections are active. This has to be done as unobtrusively as possible: every interaction with a live system changes its state, and some machines are set up to detect tampering and respond to it.
Step by step, the forensic technician must document each software program or other tool used, and why its use is justified (for example, that simply shutting down the system would destroy whatever is in RAM, so volatile data must be captured first). There are a variety of such tools, particularly for UNIX/Linux environments, some of which have been ported to Windows. (In some cases a Linux “live” CD might be booted and used to explore a Windows file system; because the installed operating system never runs, nothing on the suspect disk executes, and the disk should be mounted read-only so that nothing on it is changed.)
The next step is to collect the evidence from storage media in such a way as to ensure that it is accurately and completely preserved. A running machine must generally first be shut down in such a way as to prevent triggering any “trip wire” or intrusion-detection or self-destruct mechanism that may have been installed.
As a practical matter, once the system has been properly shut down or immobilized, it is usually taken to the forensic laboratory for extraction, copying, and documenting of the evidence (such as files on a hard drive or other storage device). Storage media are copied bit for bit rather than file by file, and a cryptographic hash of the original and of the copy is recorded at the time of acquisition, so that the copy can be shown to be complete and any later alteration can be detected.
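The acquisition and documentation steps above, as an added example (this is not code from the original article): a block-by-block copy of a "device" that is hashed as it is read, an independent re-hash of the written image, and a chain-of-custody log recording the examiner, the tool, the justification, and the hashes. The device is a constructed sample file, and the names (examiner-01, evidence-001.dd, custody.jsonl) and the 4096-byte block size are assumptions for illustration.

```python
"""Imaging a storage device with integrity verification and a chain-of-custody
log. Added example, not code from the original article; the "device" is a
constructed sample file standing in for a seized drive."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumption: read granularity; real tools use the device block size


def sha256_file(path, block_size=BLOCK_SIZE):
    """Hash a file block by block so images larger than RAM can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, block_size=BLOCK_SIZE):
    """Copy source to image bit for bit, hashing the source as it is read, then
    re-hash the written image independently. A match shows the copy is complete
    and exact; a mismatch means the acquisition must be repeated, not trusted."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            h.update(chunk)
            dst.write(chunk)
    source_hash = h.hexdigest()
    image_hash = sha256_file(image, block_size)
    return {"source_sha256": source_hash, "image_sha256": image_hash,
            "bytes": os.path.getsize(image), "verified": source_hash == image_hash}


def record_custody(log_path, examiner, tool, justification, result):
    """Append one JSON line per action: who did what, with which tool, why,
    when (UTC), and the hashes that let anyone re-verify the evidence later."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "tool": tool, "justification": justification, **result}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image, expected_sha256):
    """Re-verification in the lab: has the image changed since acquisition?"""
    return sha256_file(image) == expected_sha256


def make_sample_device(path, size=3 * BLOCK_SIZE + 123):
    """Constructed stand-in for a seized device: deterministic bytes whose length
    is deliberately not a multiple of the block size, to exercise the final
    short read (where a careless copy loop would truncate the image)."""
    data = hashlib.sha512(b"constructed sample device").digest() * (size // 64 + 1)
    with open(path, "wb") as f:
        f.write(data[:size])
    return path


def run_demo(workdir=None):
    """Acquire the sample device, log it, then flip one byte of the image and
    show that verification against the recorded hash catches the alteration."""
    workdir = workdir or tempfile.mkdtemp()
    device = make_sample_device(os.path.join(workdir, "sdb.raw"))
    image = os.path.join(workdir, "evidence-001.dd")
    log = os.path.join(workdir, "custody.jsonl")
    result = acquire_image(device, image)
    record_custody(log, "examiner-01", "acquire_image",
                   "bit-for-bit copy so analysis never touches the original", result)
    with open(image, "r+b") as f:  # simulate an unnoticed alteration of the image
        f.seek(10)
        original = f.read(1)
        f.seek(10)
        f.write(bytes([original[0] ^ 0xFF]))
    with open(log) as f:
        entries = sum(1 for _ in f)
    return {"acquired": result,
            "tampered_verifies": verify_image(image, result["source_sha256"]),
            "log_entries": entries}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of hashing the source during the read rather than afterwards is that the original is touched exactly once; every later check compares against the recorded hash, never against the device itself.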
Once the data has been collected, each file or document must be analyzed to determine whether it is relevant to the criminal investigation and what key information it contains. For example, the headers of an e-mail message may be analyzed to determine its source and routing: each mail server that handles a message adds its own “Received:” header on top of the existing ones, so reading the chain from the bottom up traces the message back to the point where it entered the mail system, regardless of what the “From:” line claims.
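The e-mail header analysis just described, as an added example (not code from the original article): it parses the "Received:" chain of a message, reverses it into delivery order, reports the IP address at which the message entered the mail system, and flags the inconsistencies an examiner looks for (a hop that does not match the previous relay, timestamps running backwards, a "From:" domain unrelated to the originating relay). Both messages are constructed samples using RFC 5737 documentation addresses; the host names are invented.

```python
"""Reconstruct an e-mail's delivery path from its Received: headers.
Added example, not code from the original article. Messages below are
constructed samples (RFC 5737 documentation addresses, invented host names)."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE_MESSAGE = """\
Received: from mail.example-isp.net (mail.example-isp.net [198.51.100.25])
        by mx.victim-corp.example (Postfix) with ESMTP id 4ABC123
        for <ceo@victim-corp.example>; Mon, 03 Mar 2014 09:15:02 -0500
Received: from relay.example-isp.net (relay.example-isp.net [198.51.100.10])
        by mail.example-isp.net with ESMTP; Mon, 03 Mar 2014 09:14:58 -0500
Received: from [192.0.2.77] (unknown [203.0.113.9])
        by relay.example-isp.net (Postfix) with ESMTPA id 77F00; Mon, 03 Mar 2014 09:14:51 -0500
From: "Accounts" <accounts@victim-corp.example>
To: ceo@victim-corp.example
Subject: Wire transfer
Date: Mon, 03 Mar 2014 09:14:50 -0500

Please approve the attached wire.
"""

# Same message with a hop the sender forged at the bottom (i.e. claimed to be
# the earliest hop) so the route appears to start at a bank.
SAMPLE_FORGED = SAMPLE_MESSAGE.replace(
    'From: "Accounts"',
    "Received: from mail.trusted-bank.example (mail.trusted-bank.example [192.0.2.5])\n"
    "        by smtp.trusted-bank.example with ESMTP; Mon, 03 Mar 2014 09:14:40 -0500\n"
    'From: "Accounts"', 1)

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """One Received: header -> dict. The 'from' name is what the sending side
    claimed; the bracketed IP in the comment is what the receiving relay saw."""
    text = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return None
    ip = IP_RE.search(m.group("comment") or m.group("from"))
    stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return {"from": m.group("from"), "by": m.group("by"),
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp) if stamp else None}


def trace_route(raw):
    """Hops in chronological order. Each relay prepends its header, so the
    topmost header is the last hop and the list must be reversed."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def analyze(raw):
    """Route plus the inconsistencies an examiner checks for."""
    hops = trace_route(raw)
    sender_domain = parseaddr(message_from_string(raw)["From"])[1].rsplit("@", 1)[-1]
    anomalies = []
    for prev, nxt in zip(hops, hops[1:]):
        if prev["by"] != nxt["from"]:
            anomalies.append(f"chain break: {prev['by']} handed off, "
                             f"but next hop claims to come from {nxt['from']}")
        if prev["time"] and nxt["time"] and nxt["time"] < prev["time"]:
            anomalies.append(f"timestamp goes backwards between {prev['by']} and {nxt['by']}")
    if hops and not hops[0]["by"].endswith(sender_domain):
        anomalies.append(f"From: claims {sender_domain} but the message entered "
                         f"the mail system at {hops[0]['by']} ({hops[0]['ip']})")
    return {"hops": hops, "origin_ip": hops[0]["ip"] if hops else None,
            "sender_domain": sender_domain, "anomalies": anomalies}


if __name__ == "__main__":
    for label, raw in (("genuine route", SAMPLE_MESSAGE), ("forged bottom hop", SAMPLE_FORGED)):
        r = analyze(raw)
        print(f"== {label}: entered at {r['origin_ip']}")
        for h in r["hops"]:
            print(f"  {h['time']}  {h['from']} ({h['ip']}) -> {h['by']}")
        for a in r["anomalies"]:
            print("  !", a)
```

Only headers added by relays the examiner trusts are evidence of anything; everything below the first trusted relay's header was under the sender's control, which is why a forged bottom hop shows up as a break in the chain rather than as a new origin.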
Some Typical Cases
Computer-based evidence may be relevant for almost any type of crime, but certain kinds of crimes are more likely to involve computer forensics. These include:
• financial crimes, such as embezzlement
• corporate crimes such as insider trading, where e-mails may reveal who knew what and when
• data or identity theft, including online scams or phishing
• stalking or harassment, particularly involving chat rooms or social networks
• child pornography, particularly distribution of images
In recent years many law enforcement agencies have become aware of the importance of proper investigation and treatment of evidence in our digital society, and demand for trained computer forensic specialists is expected to increase.