As personal computers have become widespread in both business and the home, crime investigators are increasingly required to have access to computer-based information.
When handling computers for legal purposes, investigators face the following four main types of problems:
* How to recover data from computers whilst preserving evidential integrity.
* How to securely store and handle recovered data.
* How to find the significant information in a large volume of data.
* How to present the information to a court of law, and to defense during disclosure.
The traditional response to the problem has been to either ignore computers altogether, or to assemble ‘home grown’ equipment and procedures, or to use outside ‘so-called’ expert services. The first of these options, to ignore the potential of computer-based evidence, is unacceptable and can prevent a crime from being investigated. The second leads to a plethora of untried and non-standard techniques, which do not fulfill the forensic objective. The third too often results in work being completed by ‘expert services’ that overcharge, underperform and are deficient in both training and the understanding of basic forensic techniques.
In recent years awareness amongst the legal community of the need for professional computer forensic services and equipment has increased substantially and many potentially successful prosecutions are at risk of failure due to unsatisfactory equipment, procedures and presentation in court.
Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. You can help your organization if you consider computer forensics as a new basic element in what is known as a “defense-in-depth” approach to network and computer security. For instance, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised and will help you prosecute the case if the intruder is caught.
What happens if you ignore computer forensics or practice it badly? You risk destroying vital evidence or having forensic evidence ruled inadmissible in a court of law. Also, you or your organization may run afoul of new laws that mandate regulatory compliance and assign liability if certain types of data are not adequately protected. Recent legislation makes it possible to hold organizations liable in civil or criminal court if they fail to protect customer data.
Computer forensics is also important because it can save your organization money. Many managers are allocating a greater portion of their information technology budgets for computer and network security. International Data Corporation (IDC) reported that the market for intrusion-detection and vulnerability-assessment software will reach 1.45 billion dollars in 2006. In increasing numbers, organizations are deploying network security devices such as intrusion detection systems (IDS), firewalls, proxies, and the like, which all report on the security status of networks.
From a technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case.
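The "preserve the integrity of the evidence" goal above is usually made concrete by hashing everything at the moment of collection and re-checking those hashes before analysis or disclosure. The script below is an added example, not code from the original article: it builds a manifest of SHA-256 digests, collector name and UTC timestamp for a directory of acquired files, then re-verifies the directory and reports anything missing or altered. The file names (`disk.img`, `memory.dmp`), the examiner identifier and the byte contents are constructed placeholders, and the manifest layout is this example's own, not any standard format.

```python
"""Added example (not from the original article): an evidence-integrity
manifest. After acquisition, record a cryptographic hash of every file;
any later verification that does not reproduce the same hashes shows the
evidence changed since it was collected."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size so large images are never loaded whole into RAM


def hash_file(path: str, algo: str = "sha256") -> str:
    """Return the hex digest of a file, streaming it in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir: str, examiner: str) -> dict:
    """Hash every file under evidence_dir and record who collected it and when."""
    items = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir)
            items[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return {
        "collected_by": examiner,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir: str, manifest: dict) -> dict:
    """Re-hash the evidence; return {relative_path: problem} for anything wrong."""
    problems = {}
    for rel, rec in manifest["items"].items():
        full = os.path.join(evidence_dir, rel)
        if not os.path.exists(full):
            problems[rel] = "missing"
        elif hash_file(full) != rec["sha256"]:
            problems[rel] = "hash mismatch"
    return problems


def demo() -> tuple:
    """Constructed walk-through: acquire, verify clean, then alter and verify again."""
    with tempfile.TemporaryDirectory() as d:
        # constructed stand-ins for an acquired disk image and a memory capture
        with open(os.path.join(d, "disk.img"), "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed image bytes")
        with open(os.path.join(d, "memory.dmp"), "wb") as f:
            f.write(b"constructed volatile data sample")
        manifest = build_manifest(d, "examiner-01")  # placeholder examiner id
        clean = verify_manifest(d, manifest)          # expected: no problems
        # simulate what sloppy handling does: one file touched, one lost
        with open(os.path.join(d, "disk.img"), "ab") as f:
            f.write(b"x")
        os.remove(os.path.join(d, "memory.dmp"))
        tampered = verify_manifest(d, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print(json.dumps({"after_acquisition": clean, "after_alteration": tampered}, indent=2))
```

In practice the manifest is written out alongside the evidence and itself protected (signed or stored on write-once media), since a manifest an examiner can silently rewrite proves nothing; the streaming read also matters because acquired images are routinely larger than available memory.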
What are some typical aspects of a computer forensics investigation? First, those who investigate computers have to understand the kind of potential evidence they are looking for in order to structure their search. Crimes involving a computer can range across the spectrum of criminal activity, from child pornography to theft of personal data to destruction of intellectual property. Second, the investigator must pick the appropriate tools to use. Files may have been deleted, damaged, or encrypted, and the investigator must be familiar with an array of methods and software to prevent further damage in the recovery process.
Two basic types of data are collected in computer forensics. Persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off. Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registries, cache, and random access memory (RAM). Since volatile data is ephemeral, it is essential an investigator knows reliable ways to capture it.
System administrators and security personnel must also have a basic understanding of how routine computer and network administrative tasks can affect both the forensic process (the potential admissibility of evidence at court) and the subsequent ability to recover data that may be critical to the identification and analysis of a security incident.