Assisting with Computer Forensics Support


Businesses, public agencies, and individuals increasingly rely on a wide range of computers, often linked together into networks, to accomplish their missions. Because computers have become ubiquitous, they are often a highly productive source of evidence and intelligence that may be obtained by properly trained and equipped InfoSec and investigative professionals. Equipping the specialists to be able to competently search IWC systems is essential. In many cases, a suspect will use a computer to plan the crime, keep diaries or records of acts in furtherance of a conspiracy, or communicate with confederates about details via electronic mail. In other schemes the computer will play a more central role, perhaps serving as the vehicle for an unauthorized intrusion into a larger system from which valuable files or other information is downloaded or tampered with.

Surprisingly, even many sophisticated criminals who are highly computer literate remain unaware of the many software utilities available that allow evidence to be scavenged from various storage media, including hard drives, random access memory, and other locations in the operating system environments such as file slack, swap, and temporary files. Therefore, every investigation of crimes and unauthorized activities should now assume that some effort will be invested in examining computers and computer records to locate relevant evidence that will prove or disprove allegations or suspicions of wrongdoing.

Whether computers are themselves used as the tool to commit other crimes or merely contain documents, files, or messages discussing the scheme or plans, computers can provide a wealth of useful information if properly exploited. A major barrier to obtaining this potentially valuable evidence is the relative lack of knowledge of many corporate and law enforcement investigators concerning high technology, and computer technology in particular. This lack of familiarity and experience hampers the computer forensics specialists' ability to conduct effective searches. When the crime scene itself is a computer or a network, or when the evidence related to the illegal or unauthorized activities is stored on a computer, there is no substitute for the use of "computer forensics" to gather relevant evidence.

Webster's Dictionary defines forensics as "belonging to, used in, or suitable to courts of judicature or to public discussion and debate."[2] Thus, computer forensics is a term that we define as the application of legally sufficient methods, protocols, and techniques to gather, analyze, and preserve computer information relevant to a matter under investigation. Operationally, computer forensics encompasses using appropriate software tools and protocols to efficiently search the contents of magnetic and other storage media and identify relevant evidence in files, fragments of files, and deleted files, as well as file slack and swap space.
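Two of the points above (residual data surviving in file slack and unallocated clusters, and preserving what is gathered in a legally sufficient way) are easier to see on a concrete image. The following is an added example written for this page, not code from the book or its author: it constructs a tiny four-cluster "disk image" in memory, with a minimal directory entry that stands in for a real file-system parser, and shows how the bytes of a deleted memo remain readable in the slack of the file that overwrote it and in the cluster nobody reused. The cluster size, file names and memo text are all constructed; the hash record at the end is the kind of integrity check an examiner records at acquisition and re-checks before testimony.

```python
"""Added example (not from the book): locating residual data in file slack and
unallocated clusters of a constructed disk image, and hashing the image so its
integrity can be re-verified later."""
import hashlib
import re
from dataclasses import dataclass, field

CLUSTER_SIZE = 512   # constructed; real volumes typically use 4 KiB or larger clusters
TOTAL_CLUSTERS = 4   # constructed image size: 4 clusters = 2048 bytes


@dataclass
class DirEntry:
    """Minimal stand-in for a file-system directory entry (assumption: no real
    FAT/NTFS parsing here, only the fields the slack calculation needs)."""
    name: str
    logical_size: int                               # bytes the file system reports as content
    clusters: list = field(default_factory=list)    # clusters allocated to the file, in order


def build_sample_image():
    """Constructed scenario: an old memo filled clusters 0-2 and was deleted
    (its directory entry is gone, its clusters untouched); a new 700-byte file
    then reused clusters 0-1. Returns (image bytes, live directory)."""
    image = bytearray(CLUSTER_SIZE * TOTAL_CLUSTERS)
    old_memo = (b"old memo v1: restated figures attached. ") * 60   # 40-byte phrase, repeated
    image[0:3 * CLUSTER_SIZE] = old_memo[:3 * CLUSTER_SIZE]       # deleted memo in clusters 0-2
    image[0:700] = b"Q" * 700                                      # new file overwrites 700 bytes
    directory = [DirEntry("report.txt", logical_size=700, clusters=[0, 1])]
    return bytes(image), directory


def slack_region(entry):
    """Return (offset, length) of the file slack: the bytes between the logical
    end of file and the end of its last allocated cluster. Length 0 when the
    file ends exactly on a cluster boundary."""
    if not entry.clusters:
        return (0, 0)
    used_in_last = entry.logical_size % CLUSTER_SIZE
    if used_in_last == 0:
        return (0, 0)
    offset = entry.clusters[-1] * CLUSTER_SIZE + used_in_last
    return (offset, CLUSTER_SIZE - used_in_last)


def extract_slack(image, entry):
    offset, length = slack_region(entry)
    return image[offset:offset + length]


def unallocated_clusters(directory):
    """Clusters no live directory entry references; deleted data lives here."""
    used = {c for e in directory for c in e.clusters}
    return [c for c in range(TOTAL_CLUSTERS) if c not in used]


def cluster_bytes(image, n):
    return image[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]


def printable_strings(data, min_len=8):
    """Pull printable ASCII runs out of raw bytes, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def evidence_record(image, label):
    """Hashes taken at acquisition; the same values are recomputed later to show
    the image was not altered while in custody."""
    return {"label": label, "size": len(image),
            "md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}


def verify_record(image, record):
    return (len(image) == record["size"]
            and hashlib.sha256(image).hexdigest() == record["sha256"])


if __name__ == "__main__":
    img, directory = build_sample_image()
    record = evidence_record(img, "constructed sample image")
    print("acquired:", record)
    for entry in directory:
        off, length = slack_region(entry)
        print(f"{entry.name}: {length} bytes of slack at offset {off}")
        for s in printable_strings(extract_slack(img, entry)):
            print("  slack string:", s[:60])
    for n in unallocated_clusters(directory):
        for s in printable_strings(cluster_bytes(img, n)):
            print(f"unallocated cluster {n}:", s[:60])
    print("integrity still verifies:", verify_record(img, record))
```

Running the block shows 324 bytes of slack in `report.txt` that still spell out the deleted memo, the same memo text in unallocated cluster 2, and a hash record that fails verification the moment a single byte of the image changes. Real examinations work from a write-blocked copy and a real file-system parser, but the arithmetic (logical size modulo cluster size, and the set difference between allocated and existing clusters) is the same.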

The ISSO and InfoSec Non-Compliance Inquiries (NCI) specialist assigned as the security support focal point provided a computer forensics awareness briefing to the IWC security staff. The briefing gave an introduction to computer forensics and also discussed the support the ISSO staff would give the security staff. The ISSO agreed to support the IWC security staff by providing high-technology-related forensic services.[3]

[2] Merriam-Webster's Collegiate Dictionary. G. & C. Merriam Company, 1973.

[3] Supplemental information concerning one approach to retrieving and preserving electronic evidence can be found at the author's web site: http://www.shockwavewriters.com. Click on Books, this book, and then Chapter 11.


The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204