Forensic means to use in court. Computer forensics is the collection, preservation, analysis, extraction, documentation and in some cases, the court presentation of computer-related evidence which has either been generated by a computer or has been stored on computer media.
Traditional Forensic v/s Computer Forensic
The difference between traditional forensics workers and the computer forensics folks is that the traditionalists tend to work in two locations only. The initial crime scene but the majority of the investigation goes on back at the lab. The computer forensics investigators may have to take on their analyses wherever the equipment is located or found rather than just in the pristine environment and the products that are used by investigators come from a market-driven private sector. Traditional forensics investigators are expected to interpret their findings and draw conclusions accordingly whereas computer forensics investigators must only produce direct information and data that will have significance in the case they are investigating.
Component steps for Computer Forensics:
Make a Forensic Image
• Requires Extensive Knowledge of Computer Hardware and Software, Especially File Systems and Operating Systems.
• Requires Special “Forensics” Hardware and Software
• Requires Knowledge of Proper Evidence Handling.
Create Indexes and setup “case”
Access Data Forensic Toolkit (FTK)
• Implements “Hashing” concept.
• Hashing is done using hash functions which is a well-defined procedure or mathematical function for turning some kind of data into a comparatively small integer.
• The values returned by hash function are called hash values
Look for evidence within the image
• View Emails, Documents, Graphics etc.
• Searching for Keywords
• Bookmark relevant material for inclusion into report
• Good investigation skills needed to interview the client to get background material needed to focus the CF investigation.
Generate CF Report
• Usually in HTML format
• Can be printed or on CD-ROM
• Basis for Investigation Report, Deposition, Affidavits, and Testimony.
• CF Report often supplemented with other investigation methods (Online Databases, Email / Phone Interviews)
Forensic Software:
Byte Back, Drive Spy, EnCase , Forensic Tool Kit (FTK), Hash Keeper, Ilook, Maresware, Password Recovery Toolkit (PRTK), Safeback, Thumbs Plus
Pros and cons of Computer Forensics
Pros:
• Searching and analyzing of a mountain of data quickly and efficiently.
• Valuable data which has been deleted and lost by offenders can be retrieved. It may become substantial evidence in court.
• Preservation of evidence.
• Ethical process
Cons:
• Retrieval of data is costly.
• Evidence on the other hand can only be captured once.
• Privacy concerns.
• Data corruption
With computers becoming more and more involved in our everyday lives, both socially and professionally, there is a need for computer forensics. This field will enable crucial electronic evidence to be found, whether it was deleted, lost, hidden, or damaged and used to prosecute individuals that believe they have successfully beaten the system.
Payal Khandelwal