Computer forensics is a clear, well-defined methodology used to preserve, identify, recover, and document computer or electronic data. Although the computer forensics field is relatively new to the corporate sector, law enforcement has been practicing this science since the mid-1980s. Growth in this field is directly related to the ever-growing popularity of electronics.
Computers are one of the most targeted items of examination, but they are not the only devices subject to forensic analysis. Cellphones, PDAs, pagers, digital cameras, and just about any electronic device also can be analyzed. Attempted hacking attacks and allegations of employee computer misuse have added to the organization's need to examine and analyze electronic devices. Mishandling concerns can cost companies millions. Companies must handle each in a legal and defensible manner. Because electronic information can be easily changed, a forensic examination usually follows these three steps:
Acquire This is usually performed by means of a bit-level copy. A bit-level copy is an exact duplicate of the original data, allowing the examiner to scrutinize the copy while leaving the original copy intact.
Authenticate This process requires an investigator to show that the data is unchanged and has not been tampered with. Authentication can be accomplished through the use of checksums and hashes such as MD5 and SHA.
Analyze The investigator must be careful to examine the data and ensure that his actions are documented. The investigator usually recovers evidence by examining drive slack space, file slack space, hidden files, swap data, Internet cache, and other locations, such as the recycle bin. Copies of the original disks, drive, or data are usually examined to protect the original evidence.
How Forensics Was Used to Catch the Creator of the Melissa Virus
When the Melissa virus was released, it quickly slowed the Internet. By disguising itself as email from friends or colleagues, it spread quickly and took down networks. As the manhunt intensified to find the creator, computer forensics was put to the test. David Smith was tracked down and apprehended in about one week.
Many were surprised by how quickly the FBI found the perpetrator. Much of this success was linked to the FBI's ability to use software to sniff newsgroups to determine where the virus was originally posted and then by examining and tracking a globally unique identifier (GUID). A GUID is a unique number embedded in a Word file that shows which computer the file was created on. David Smith received a $5,000 fine and 20 months in prison. The Melissa virus is believed to have caused more than $80 million in damages.
The handling of evidence is of special importance to the forensic investigator. This is addressed through the chain of custody, a process that helps protect the integrity and reliability of the evidence by providing an evidence log that shows every access to evidence, from collection to appearance in court. A complete chain of custody report also includes any procedures or activities that were performed on the evidence.
A primary image is the original image. It should be held in storage and kept unchanged. The working image is the one used for analysis purposes.
Locard's Exchange Principle states that whenever two objects come into contact, a transfer of material will occur. The resulting trace evidence left behind during this transfer can be used to associate objects, individuals, or locations to a crime. Simply stated, no matter how hard someone tries, some trace evidence always remains. Although criminals can make recovery harder by deleting files and caches, some trace evidence always remains.
Drive wiping is the process of overwriting all addressable locations on the disk. The Department of Defense (DoD) drive-wiping standard #5220-22M states, "All addressable locations must be overwritten with a character, its complement, then a random character and verify." By making several passes over the media, an organization can further decrease the possibility of data recovery. Organizations worried about proper disposal of used media then get clean, unrecoverable media. In the hands of the criminal, drive wiping offers the chance to destroy evidence.
Standardization of Forensic Procedures
In March 1998, the International Organization on Computer Evidence (IOCE) was appointed to draw international principles for the procedures relating to digital evidence. The goal was to harmonize methods and practices among nations and guarantee the capability to use digital evidence collected by one state in the courts of another state. The IOCE (www.ioec.org) has established the following six principles to govern these activities:
The CISSP Cram Sheet
A Note from Series Editor Ed Tittel
About the Author
We Want to Hear from You!
The CISSP Certification Exam
Access-Control Systems and Methodology
System Architecture and Models
Telecommunications and Network Security
Applications and Systems-Development Security
Business Continuity Planning
Law, Investigations, and Ethics
Practice Exam 1
Answers to Practice Exam 1
Practice Exam 2
Answers to Practice Exam 2