By Jason Swoyer

- Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media.
- It involves the preservation, identification, extraction, interpretation, and documentation of computer evidence.
- The aim is usually to establish what happened, when it happened, how it happened, and who was involved.

- The goal of computer forensics is to explain the current state of a digital artifact.
- A digital artifact can be a computer system, a storage medium (such as a hard disk or CD-ROM), an electronic document (an e-mail message or a JPEG image), or even a sequence of packets moving over a computer network.

- Preparation (of the investigator)
- Collection (of the data)
- Examination
- Analysis
- Reporting

- Preparation is the key to a successful investigation. Even a small amount of effort before an incident happens can make the investigation quicker and easier and can produce more reliable results.
- Collection involves searching for, recognizing, collecting, and documenting all digital evidence gathered during the process. The evidence may be live (volatile) data or stored data, either of which can be lost unless precautions are taken at the scene.

- Authentication means computing cryptographic hash values for the collected evidence at the time it is acquired. A matching hash later shows that the evidence has not changed, which resolves questions raised in court about whether the evidence was altered after collection.
- Examination makes the evidence visible and explains its origin and significance. It should document every component of the collected evidence as a whole, and it looks deeper for information that may be hidden or masked.
- Examination establishes the what, where, when, and how.

- Analysis resembles examination, but in analysis you assess the results of the examination for their importance and value to the case as a whole.
- Documentation (reporting) is listed as the last step, but it takes place throughout all of the other steps. It matters because contemporaneous notes are what later prove what was done during the investigation.

- In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
- To recover data in the event of a hardware or software failure.
- To analyze a computer system after a break-in, for example to determine how the attacker gained access and what the attacker did.
- To gather evidence against an employee that an organization wishes to terminate.
- To learn how computer systems work for the purpose of debugging, performance optimization, or reverse engineering.

- Active data: the information that can be seen directly through the operating system. This includes data files, programs, and files used by the operating system. It is the easiest type of data to obtain.
- Archival data: data that has been backed up and stored. This could mean backup tapes, CDs, floppies, or entire hard drives.
- Latent data: information that typically needs specialized tools to access. Examples are files that have been deleted or partially overwritten, whose bytes remain on the medium even though the file system no longer points to them.
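Latent data is recovered by ignoring the file system and scanning the raw bytes for file signatures ("carving"). The following is an added example, not code from the slides: a tiny JPEG carver run over a constructed byte string that stands in for a disk image containing an intact file, a deleted file whose bytes survive, and a file whose tail has been overwritten. Only the JPEG start-of-image and end-of-image markers are real; the image contents and the carving heuristics are this example's own.

```python
"""Signature carving for latent data (added example, not part of the original slides).

DISK_IMAGE is a constructed byte string standing in for a raw image. Carving
looks only at bytes, so a file whose directory entry was deleted is found
exactly like a live one; a partially overwritten file is returned as an
incomplete fragment instead of being silently dropped.
"""

JPEG_SOI = b"\xff\xd8\xff"  # Start Of Image marker: real JPEG magic bytes
JPEG_EOI = b"\xff\xd9"      # End Of Image marker


def fake_jpeg(payload: bytes) -> bytes:
    """Build a minimal byte run that carries JPEG start/end markers (constructed, not a real JPEG)."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


INTACT = fake_jpeg(b"photo-1")                         # still referenced by the file system
DELETED = fake_jpeg(b"photo-2-deleted")                # directory entry gone, bytes remain
PARTIAL = fake_jpeg(b"photo-3-overwritten")[:-8]       # tail clobbered, so no EOI marker

# Constructed 'disk image': zero-filled gaps separate the three runs.
DISK_IMAGE = (
    b"\x00" * 16 + INTACT
    + b"\x00" * 32 + DELETED
    + b"\x00" * 8 + PARTIAL
    + b"\x00" * 64
)


def carve_jpegs(image: bytes, max_len: int = 1 << 20):
    """Return a list of (offset, length, complete) for every JPEG-looking run.

    complete is True when an EOI marker follows within max_len bytes. Otherwise
    the run is cut at the next SOI marker (or end of image), trailing zero
    padding is stripped as a heuristic, and the fragment is flagged incomplete
    so the examiner knows it was truncated or partially overwritten.
    """
    results = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        window = image[start:start + max_len]
        end = window.find(JPEG_EOI, len(JPEG_SOI))
        if end != -1:
            length = end + len(JPEG_EOI)
            results.append((start, length, True))
            pos = start + length
        else:
            nxt = image.find(JPEG_SOI, start + len(JPEG_SOI))
            stop = nxt if nxt != -1 else len(image)
            fragment = image[start:stop].rstrip(b"\x00")
            results.append((start, len(fragment), False))
            pos = stop
    return results


def carved_bytes(image: bytes):
    """Convenience: the actual byte runs, in carving order."""
    return [image[off:off + ln] for off, ln, _ in carve_jpegs(image)]


if __name__ == "__main__":
    for off, ln, ok in carve_jpegs(DISK_IMAGE):
        print(f"offset={off} length={ln} {'complete' if ok else 'INCOMPLETE'}")
```

The same loop generalizes to any format with a fixed header and footer; formats without a footer (many raw captures, some databases) need a length field parsed from the header instead, which is why real carvers carry a per-format rule set.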

- Handle the original evidence as little as possible to avoid changing the data.
- Establish and maintain the chain of custody.
- Document everything that has been done.
- Use tools and methods that have been tested and evaluated to validate their accuracy and reliability.

- Photograph the system and its surroundings. You may even want to videotape the entire process while the analyst works on the system, to have an indisputable record for later use.
- Keep detailed notes, including the date and time of every action taken at the site. Since it is hard to keep up with screen output and system errors by hand, you may want to point a video camera at the terminal monitor and record the server and surrounding area.
- Limit direct access to the file system while collecting evidence, and avoid updating file contents or file and directory access times. If possible, analysis should be done on a bit-level copy of the system's storage media rather than on the original.

- Do not run programs that modify files or their access times.
- Do not shut down the computer until the most volatile evidence has been collected.
- Do not trust the programs on the system. It is common to find that critical system utilities have been replaced with trojanized versions that return false information; run known-good tools from your own media instead.

- Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices, and so on.
- Non-obvious sources include the settings of digital thermometers, the black boxes inside automobiles, RFID tags, and web pages.
- Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place unless other measures were taken beforehand.
- For this reason it is common practice to calculate a cryptographic hash of an evidence file at acquisition time and to record that hash elsewhere, so that later copies can be checked against it.
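The bit-level copy recommended on the earlier slide and the hash recorded here go together: the hash is computed over the source as it is read, the copy is hashed independently, and both values are written to a custody log before anyone touches the image. The following added example (not from the slides) does that with a temporary file standing in for the suspect drive; on a real case the source would be a block device opened read-only behind a write blocker, and SHA-256 is this example's choice of hash, not something the slides specify.

```python
"""Bit-for-bit acquisition with hash verification and a custody log.

Added example, not code from the original presentation. A temporary file stands
in for the suspect drive; the custody log format (one JSON object per line)
is this example's own convention.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # read/write in 64 KiB blocks so large media never sit in RAM


def sha256_file(path: str) -> str:
    """Hash a file in chunks; used to re-verify an image at any later point."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str, log: str) -> dict:
    """Copy source to image byte for byte, hash both, append a record to the custody log.

    The source hash is computed from the very bytes that were written, the
    image hash from a separate read of the finished copy. verified is True only
    when the two agree, which catches a short write or a failing target disk.
    """
    src_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "bytes": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(image),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(log, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def verify(image: str, expected_sha256: str) -> bool:
    """Re-hash an image and compare with the value recorded in the custody log."""
    return sha256_file(image) == expected_sha256


def demo() -> tuple:
    """Acquire a constructed 'drive', verify the image, then show one flipped byte is detected.

    Returns (verified_at_acquisition, verified_before_tamper, verified_after_tamper).
    """
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "suspect.bin")
        with open(drive, "wb") as f:
            f.write(os.urandom(200_000))  # constructed drive contents
        rec = acquire(drive, os.path.join(d, "suspect.dd"), os.path.join(d, "custody.log"))
        intact = verify(rec["image"], rec["source_sha256"])
        # Flip a single bit in the image, as a careless write or a bad sector would.
        with open(rec["image"], "r+b") as f:
            f.seek(12345)
            b = f.read(1)
            f.seek(12345)
            f.write(bytes([b[0] ^ 0x01]))
        tampered = verify(rec["image"], rec["source_sha256"])
    return rec["verified"], intact, tampered


if __name__ == "__main__":
    print(demo())
```

Record the hash somewhere the examiner cannot edit in place (a signed log, a separate evidence register) since a hash stored next to the image proves nothing if both can be rewritten together.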

- Begin by making a list of all the systems, software, and data involved in the incident, as well as the evidence that has already been collected.
- Establish criteria for what is most likely to be relevant and able to hold up and be accepted in court.
- Remove all external factors that could cause accidental or misleading modifications of the file system or system state.

- Perform a quick analysis of external logs and IDS output to get a hint of where to focus the investigation.
- Check the processes running on the system, following the order of volatility and starting with memory; look for anything that appears out of place, and copy the ARP cache and similar in-memory tables.
- Capture the temporary files that are important or that may be deleted if the system shuts down and reboots.

- Make a byte-for-byte copy of the entire media and of the evidence you have collected onto external storage under your control, such as a dedicated evidence drive.
- Levels of volatility, most volatile first:
  - Memory
  - Registry, routing table, ARP cache, process table
  - Network connections
  - Temporary files
  - Disk or storage device

- Who is logged into the system.
- Open ports and listening applications.
- Lists of currently running processes.
- Registry information.
- System information.
- Attached devices (this can be important if a wireless-attached device is not obvious at the crime scene).
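The volatility list and the live-data list above describe one procedure: run each collection command in volatility order, keep its output, and document what was run, when, and what came back. The following added example (not from the slides) is a small collector that does this on a Linux host. The command plan is hypothetical and must be adapted per platform; memory capture itself needs a kernel-level tool and is deliberately not attempted here. The tool_dir parameter implements the "do not trust the programs on the system" rule by preferring binaries from the examiner's own media over the suspect host's PATH.

```python
"""Live collection in order of volatility with a hashed, timestamped manifest.

Added example, not code from the original presentation. PLAN is a hypothetical
Linux command list; the manifest layout (JSON lines) is this example's own.
"""
import hashlib
import json
import os
import shutil
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

# Most volatile first. Memory (RAM) would precede all of these and needs a
# dedicated acquisition tool, so it is not part of this plan.
PLAN = [
    ("logged_in_users", ["w"]),
    ("network_conns",   ["ss", "-tunap"]),
    ("processes",       ["ps", "auxww"]),
    ("arp_cache",       ["ip", "neigh"]),
    ("routing_table",   ["ip", "route"]),
    ("mounts",          ["mount"]),
    ("system_info",     ["uname", "-a"]),
]


def resolve(argv0: str, tool_dir):
    """Prefer a known-good copy of the tool on the examiner's media over the host's PATH."""
    if tool_dir:
        candidate = os.path.join(tool_dir, os.path.basename(argv0))
        if os.access(candidate, os.X_OK):
            return candidate
    return shutil.which(argv0)


def collect(plan, case_dir: str, tool_dir=None):
    """Run each plan entry in order, store its output, hash it, and return the manifest.

    Missing tools are recorded as such rather than aborting: on a minimal or
    hostile host some commands simply will not exist, and the manifest should
    say so.
    """
    os.makedirs(case_dir, exist_ok=True)
    manifest = []
    for name, argv in plan:
        entry = {
            "name": name,
            "argv": argv,
            "time_utc": datetime.now(timezone.utc).isoformat(),
        }
        exe = resolve(argv[0], tool_dir)
        if exe is None:
            entry["status"] = "missing"
        else:
            out = subprocess.run([exe] + argv[1:], capture_output=True, timeout=60)
            path = os.path.join(case_dir, name + ".txt")
            with open(path, "wb") as f:
                f.write(out.stdout)
            entry.update(
                status="ok",
                executable=exe,
                returncode=out.returncode,
                file=path,
                sha256=hashlib.sha256(out.stdout).hexdigest(),
            )
        manifest.append(entry)
    with open(os.path.join(case_dir, "manifest.jsonl"), "a") as f:
        for entry in manifest:
            f.write(json.dumps(entry) + "\n")
    return manifest


def demo():
    """Run a constructed plan that works wherever Python runs; returns the manifest."""
    plan = [
        ("python_banner", [sys.executable, "-c", "print('live')"]),
        ("missing_tool", ["no-such-forensic-tool-xyz"]),
    ]
    with tempfile.TemporaryDirectory() as d:
        return collect(plan, d)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as case:
        for e in collect(PLAN, case):
            print(e["name"], e["status"], e.get("sha256", ""))
```

Write the manifest and outputs to removable media or over the network rather than to the suspect disk, since every file written locally can overwrite the deleted data that the later disk image is meant to recover.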