COMPUTER FORENSICS
The purpose of computer forensics techniques is to search,
preserve and analyze information on computer systems to find
potential evidence for a trial. Many of the techniques detectives
use in crime scene investigations have digital counterparts, but
there are also some unique aspects to computer investigations.
Case number—The number your organization assigns when an
investigation is initiated.
The phases of a computer forensics investigation are as
follows:
- Secure the computer system to ensure that the equipment and
data are safe. This means the detectives must make sure that no
unauthorized individual can access the computers or storage devices
involved in the search. If the computer system connects to the
Internet, detectives must sever the connection.
- Find every file on the computer system, including files that
are encrypted, protected by passwords, hidden or deleted, but not
yet overwritten. Investigators should make a copy of all the files
on the system. This includes files on the computer's hard drive or
in other storage devices. Since accessing a file can alter it, it's
important that investigators only work from copies of files while
searching for evidence. The original system should remain preserved
and intact.
- Recover as much deleted information as possible using
applications that can detect and retrieve deleted data.
- Reveal the contents of all hidden files with programs designed
to detect the presence of hidden data.
- Decrypt and access protected files.
- Analyze special areas of the computer's disks, including parts
that are normally inaccessible. (In computer terms, unused space on
a computer's drive is called unallocated space. That space could
contain files or parts of files that are relevant to the
case.)
- Document every step of the procedure. It's important for
detectives to provide proof that their investigations preserved all
the information on the computer system without changing or damaging
it. Years can pass between an investigation and a trial, and
without proper documentation, evidence may not be admissible.
Robbins says that the documentation should include not only all the
files and data recovered from the system, but also a report on the
system's physical layout and whether any files had encryption or
were otherwise hidden.
- Be prepared to testify in court as an expert witness in
computer forensics. Even when an investigation is complete, the
detectives' job may not be done. They may still need to provide
testimony in court.
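As an added example of the "work only from copies" and "document every step" phases described above (not code from the original text), the script below copies an evidence file, verifies the copy against the original with SHA-256, and appends a hash-verified record to a case log. The case number and file names are constructed placeholder values.

```python
# Added example: copy the evidence, verify the copy by hash, log the step.
# Case number, evidence content and paths are constructed sample values,
# not taken from any real investigation.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_copy(original, working_copy, case_number, log_path):
    """Copy the evidence, verify the copy, log the step; return the log entry."""
    original_hash = sha256_file(original)  # hash the original before anything else
    shutil.copyfile(original, working_copy)
    copy_hash = sha256_file(working_copy)  # re-hash the copy, not the original
    entry = {
        "case_number": case_number,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "original": os.path.abspath(original),
        "working_copy": os.path.abspath(working_copy),
        "original_sha256": original_hash,
        "copy_sha256": copy_hash,
        "verified": original_hash == copy_hash,
    }
    with open(log_path, "a") as log:  # append-only: earlier steps stay on record
        log.write(json.dumps(entry) + "\n")
    if not entry["verified"]:
        raise RuntimeError("copy hash does not match original; do not analyze it")
    return entry

def demo():
    """Run the procedure on a constructed evidence file in a temp directory."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence.img")
    with open(original, "wb") as f:
        f.write(b"constructed sample evidence\x00" * 64)  # constructed content
    log_path = os.path.join(workdir, "case.log")
    entry = acquire_copy(original, os.path.join(workdir, "evidence.work.img"),
                         "CASE-0000-PLACEHOLDER", log_path)
    return entry
```

Analysis then proceeds on the working copy only; the logged pair of hashes is what lets an examiner later show the original was never altered.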