Computer Forensics: Areas of Study
Introduction
Computer forensics contains six primary areas for study. Each of them is significant and provides sufficient information to understand the scope of this subject. To become a forensics expert, the candidates must know these six study areas, which are described below.
1. The Legal and Ethical Principles of Computer Forensics
Ethics are sets of rules that can be used to measure the performance of the computer forensics examiners. Various professions term ethics as “codes of professional conduct or responsibility.”
Learn Digital Forensics
Forensics Analyst’s Roles in Testifying
When the case proceeds to trial, the forensics analyst can play two types of roles to give testimony, such as an “expert witness” or as a “technical/scientific witness.” The expert witness has an opinion regarding what he/she has observed or found. However, a technical/scientific witness provides only the facts he/she has found in the investigation—any evidence that meets the standard.
Although there is no universal standard for computer forensics, efforts have been made to provide legal and ethical principles to the computer forensics analysts. The following organizations have provided legal and ethical principles in the realm of computer forensics.
- The U.S. Department of Defense
- Federal Rules of Evidence
- FBI Computer Analysis and Response Team (CART)
- The International Organization for Standardization (ISO)
- The Computer Fraud and Abuse Act (CFAA)
Various organizations listed below provide certification in different areas of computer forensics. These organizations have designed their own code of ethics because there is no universal standard for the code of ethics.
- International Society of Forensics Computer Examiner (ISFCE)
- International High Technology Crime Investigation Association (HTCIA)
- International Association of Computer Investigative Specialists (IACIS)
- Global Information Assurance Certification (GIAC)
- (ISC)2 Code of Ethics
2. Computer Forensics Investigations
The worldwide proliferation of computers and the growth of Internet have increased the demand for digital investigations. In fact, cybercriminals and even “the agents of terror and chaos” commit computer crimes, including company policy violations, email harassment, and leaks of proprietary information. Attorneys, law enforcement agents, network administrators, and private investigators now look for computer forensics experts to investigate the civil and criminal cases.
Civil vs. Criminal vs. Administrative Investigations
In computer forensics, civil investigations involve the violations of civil rights, lawsuits, and contracts between two or more parties. The private investigators conduct the civil investigations. The winning party receives compensation in the form of payment, property, or services.
On the other hand, criminal investigations involve serious offenses, such a murder attempt or a crime against the state, such as compromising state integrity or security. Law enforcement agents carry out the criminal investigations.
Administrative investigations involve the misbehavior and corruption of employees, such as sexual harassment; bribe taking, stalking, and racial discrimination within the organization. Private investigators, detectives, analysts, clerks, and law enforcement agents all can perform administrative investigations.
Prerequisites for an Effective Investigation
Before carrying out the investigation, the examiner should recognize the proficiency level of the actors involved in the case, such as police offers or attorney. Also, the examiner must receive DES training, necessary resources for investigation, and right tools to acquire and analyze evidence.
Following Legal Processes
The legal processes of criminal cases’ investigation depend on the local customs, legislative standards, and the rules of evidence. Generally, criminal cases follow three stages:
- The complaint
- The investigation
- The prosecution
Computer Forensics Lab and Investigations
A computer forensics lab is a place where the investigations are conducted and the evidence is stored. The evidence stored in the lab must not be destroyed or corrupted, so the lab must be physically secured.
Report Writing for High-Tech Investigations
The investigators must ensure that the report’s sections are labeled and follow a regular numbering scheme. Avoid using jargon, vague wording, and slang.
Maintaining Professional Conduct
When conduction an investigation, the examiner must adhere to legal principles and exhibit the highest level of ethical behavior.
3. Computer Forensics: Forensic Science
Forensic science is described as “the use of science and technology to scrutinize and establish facts in a civil or criminal justice system” (Hankins & Jigang 2009).
Computer Forensics as a Forensics Science
Over the past few years, computer forensics has proven to be an emerging forensic science and has been recognized as a distinct forensic discipline. In 2003, the American Society of Crime Laboratory Directors (ASCLD) recognized computer forensics as a fully grown forensic science discipline.
Locard’s Exchange Principle
In the early 20th century, Locard’s principle was presented for the purpose of collecting the trace evidence. Whenever two or more people come into contact with one another, a physical transfer takes place. Skin, hair, pollen, clothing fiber, glass fragments, makeup, debris from clothing, or any other material can be transferred from one person to another. These materials help the investigators to search out the real culprit.
Peer Review
In a peer review process, one forensic scientist examines the work, findings, and conclusions of another forensic scientist. This examination aims at diminishing the chances of inaccuracy of the work by technically looking for errors and bias in findings.
Quality Assurance in Forensic Science
The forensic evidence presented in the court must be accurate, reliable, and unbiased. Quality assurance and management ensure that the forensic evidence is not incorrect or inaccurate by validating and testing the evidence.
4. Digital Forensics
Digital forensics, also known as computer forensics, is a branch of forensic science. Digital forensics is used by the forensic analysts to recover and investigate the data found in computer devices, often in computer-related crimes. The concepts contained in the realm of digital forensics are described below.
Media and File System Forensics
Media and file system forensics deals with storage media, such as a hard drive, where digital evidence can be found, as well as several types of file systems the medium can have, such as the Fat32 and NTFS.
Operating System Forensics
Operating system forensics is the process of retrieving useful information from the operating system (OS) of the computer or mobile device in question. Operating systems include Windows, Linux, and Android.
Network Forensics
Network forensics refers to investigations in which the investigators monitor and analyze network traffic to detect intrusion, aiming at collecting the digital evidence.
Mobile Device Forensics
Mobile phone data can be used as evidence in court, as happened during the recent murder trial of Scott Peterson and the rape scandal at Duke University. A mobile device has various locations where data can be stored, such as volatile or non-volatile memories, multimedia card, and compact flash card. While conducting a mobile device investigation, search and seizure procedures must be followed.
Virtual System Forensics
Virtual machines are widely used in organizations and are a common part of a forensic investigation. Examiners must be familiar with the file extensions that show the existence of virtual machines. To examine a virtual machine, the investigators first create an image of the host machine and then export files associated with a virtual machine.
5. Application Forensics
Application forensics involves the investigation of software rather than hardware. The following concepts are important in application forensics.
Software Forensics
Software forensics is the field of software science aimed at authorship analysis of computer source code for some legal purposes. It involves the area of author identification, discrimination, and characterization. Forensic specialists attempt to determine if the same programmer authored two or more code fragments. This is certainly valuable information if security breaches are frequent. In this case, software forensics can assist in finding the culprit.
Web and Email Forensics
Browser history, cookies, registry entries on the client side, and log files on the server side can be a great source of digital evidence.
Email scammers use phishing and scam techniques to acquire sensitive information of individuals or organizations. The role of email forensics is to identify the scammer behind the crime. Email investigations rely heavily on email message files, email headers, and email server log files.
Database and Malware Forensics
Database forensics involves the study of databases and their related metadata for the purpose of collecting the digital evidence. Database forensics may have several goals, including:
- Find database security breaches
- Determine database intrusion
- Recover deleted database data
- Identify data pre-transaction and post-transaction
Malware forensics is used to investigate and analyze malicious code, such as viruses, Trojan horses, or worms. Today, professional criminals use malware to steal confidential information from the computer.
6. Hybrid and Emerging Technologies
Hybrid and emerging technologies includes the following branches of computer forensics:
Cloud Forensics
Cloud forensics involves the investigations of cyberattacks, policies violations, fraud complaints, and data recovery. Cloud forensic is often considered a subset of network forensics. In cloud forensics, cloud experts encounter some technical challenges, such as cloud architecture, analysis of cloud data, data collection, incident response, legal issues, training, and standards.
Social Network Forensics
Social media can provide empirical evidence in civil and criminal cases. However, the software for social media investigation is yet to be developed.
The Big Data Paradigm
The big data paradigm includes various operations on data, such as:
- Data mining
- Data sharing and acquisition
- Digital surveillance technology (DST)
- Data warehousing
- Data management
The big data paradigm can help in discovering digital evidence.
Computer Forensics Boot Camp
Looking for a digital media forensics course? If you are aspiring for CCFE or CMFE certification, InfoSec Institute offers you an Authorized Computer Forensics Boot Camp Course that teaches you the necessary skills to investigate computer crimes and computer threats.
Learn Digital Forensics
InfoSec also offers thousands of articles on all manner of security topics.