Chapter 2: Types of Computer Forensics Technology

OVERVIEW

Defensive information technology will ultimately benefit from the availability of cyber forensic evidence of malicious activity. Criminal investigators rely on recognized scientific forensic disciplines, such as medical pathology, to provide vital information used in apprehending criminals and determining their motives. Today, an increased opportunity for cyber crime exists, making it imperative for advances in the law enforcement, legal, and forensic computing technical arenas. As previously explained, cyber forensics is the discovery, analysis, and reconstruction of evidence extracted from any element of computer systems, computer networks, computer media, and computer peripherals that allow investigators to solve a crime. Cyber forensics focuses on real-time, on-line evidence gathering rather than the traditional off-line computer disk forensic technology.

Two distinct components exist in the emerging field of cyber forensics technology. The first, computer forensics, deals with gathering evidence from computer media seized at the crime scene. Principle concerns with computer forensics involve imaging storage media, recovering deleted files, searching slack and free space, and preserving the collected information for litigation purposes. Several computer forensic tools are available to investigators. The second component, network forensics, is a more technically challenging aspect of cyber forensics. It gathers digital evidence that is distributed across large-scale, complex networks. Often this evidence is transient in nature and is not preserved within permanent storage media. Network forensics deals primarily with in-depth analysis of computer network intrusion evidence, because current commercial intrusion analysis tools are inadequate to deal with today’s networked, distributed environments.

Similar to traditional medical forensics, such as pathology, today’s computer forensics is generally performed postmortem (after the crime or event occurred). In a networked, distributed environment, it is imperative to perform forensic-like examinations of victim information systems on an almost continuous basis, in addition to traditional postmortem forensic analysis. This is essential to continued functioning of critical information systems and infrastructures. Few, if any, forensic tools are available to assist in preempting the attacks or locating the perpetrators. In the battle against malicious hackers, investigators must perform cyber forensic functions in support of various objectives. These objectives include timely cyberattack containment; perpetrator location and identification; damage mitigation; and recovery initiation in the case of a crippled, yet still functioning, network. Standard intrusion analysis includes examination of many sources of data evidence (intrusion detection system logs, firewall logs, audit trails, and network management information). Cyber forensics adds inspection of transient and other frequently overlooked elements such as contents or state of the following: memory, registers, basic input/output system, input/output buffers, serial receive buffers, L₂ cache, front side and back side system caches, and various system buffers (drive and video buffers).

Now, let’s briefly look at specific types of computer forensics technology that are being used by the following computer specialists: military, law enforcement, and business. It is beyond the scope of this chapter to cover in detail every type of computer forensic technology. The rest of the chapters in this book as well as the appendices have been designed and created to do that specific task.