Computer Forensics: Areas of Study

Computer forensics contains six primary areas for study. Each of them is significant and provides sufficient information to understand the scope of this subject. To become a forensics expert, the candidates must know these six study areas, which are described below.

1. The Legal and Ethical Principles of Computer Forensics

Ethics are sets of rules that can be used to measure the performance of the computer forensics examiners. Various professions term ethics as “codes of professional conduct or responsibility.”

Forensics Analyst’s Roles in Testifying

When the case proceeds to trial, the forensics analyst can play two types of roles to give testimony, such as an “expert witness” or as a “technical/scientific witness.” The expert witness has an opinion regarding what he/she has observed or found. However, a technical/scientific witness provides only the facts he/she has found in the investigation—any evidence that meets the standard.

Although there is no universal standard for computer forensics, efforts have been made to provide legal and ethical principles to the computer forensics analysts. The following organizations have provided legal and ethical principles in the realm of computer forensics.

• The U.S. Department of Defense
• Federal Rules of Evidence
• FBI Computer Analysis and Response Team (CART)
• The International Organization for Standardization (ISO)
• The Computer Fraud and Abuse Act (CFAA)

Various organizations listed below provide certification in different areas of computer forensics. These organizations have designed their own code of ethics because there is no universal standard for the code of ethics.

• International Society of Forensics Computer Examiner (ISFCE)
• International High Technology Crime Investigation Association (HTCIA)
• International Association of Computer Investigative Specialists (IACIS)
• Global Information Assurance Certification (GIAC)
• (ISC)² Code of Ethics

2. Computer Forensics Investigations

The worldwide proliferation of computers and the growth of Internet have increased the demand for digital investigations. In fact, cybercriminals and even “the agents of terror and chaos” commit computer crimes, including company policy violations, email harassment, and leaks of proprietary information. Attorneys, law enforcement agents, network administrators, and private investigators now look for computer forensics experts to investigate the civil and criminal cases.

Civil vs. Criminal vs. Administrative Investigations

In computer forensics, civil investigations involve the violations of civil rights, lawsuits, and contracts between two or more parties. The private investigators conduct the civil investigations. The winning party receives compensation in the form of payment, property, or services.

On the other hand, criminal investigations involve serious offenses, such a murder attempt or a crime against the state, such as compromising state integrity or security. Law enforcement agents carry out the criminal investigations.

Administrative investigations involve the misbehavior and corruption of employees, such as sexual harassment; bribe taking, stalking, and racial discrimination within the organization. Private investigators, detectives, analysts, clerks, and law enforcement agents all can perform administrative investigations.

Prerequisites for an Effective Investigation

Before carrying out the investigation, the examiner should recognize the proficiency level of the actors involved in the case, such as police offers or attorney. Also, the examiner must receive DES training, necessary resources for investigation, and right tools to acquire and analyze evidence.

Following Legal Processes

The legal processes of criminal cases’ investigation depend on the local customs, legislative standards, and the rules of evidence. Generally, criminal cases follow three stages:

1. The complaint
2. The investigation
3. The prosecution

Computer Forensics Lab and Investigations

A computer forensics lab is a place where the investigations are conducted and the evidence is stored. The evidence stored in the lab must not be destroyed or corrupted, so the lab must be physically secured.

Report Writing for High-Tech Investigations

The investigators must ensure that the report’s sections are labeled and follow a regular numbering scheme. Avoid using jargon, vague wording, and slang.

Maintaining Professional Conduct

When conduction an investigation, the examiner must adhere to legal principles and exhibit the highest level of ethical behavior.

3. Computer Forensics: Forensic Science

Forensic science is described as “the use of science and technology to scrutinize and establish facts in a civil or criminal justice system” (Hankins & Jigang 2009).

Computer Forensics as a Forensics Science

Over the past few years, computer forensics has proven to be an emerging forensic science and has been recognized as a distinct forensic discipline. In 2003, the American Society of Crime Laboratory Directors (ASCLD) recognized computer forensics as a fully grown forensic science discipline.

Locard’s Exchange Principle

In the early 20^th century, Locard’s principle was presented for the purpose of collecting the trace evidence. Whenever two or more people come into contact with one another, a physical transfer takes place. Skin, hair, pollen, clothing fiber, glass fragments, makeup, debris from clothing, or any other material can be transferred from one person to another. These materials help the investigators to search out the real culprit.

Peer Review

In a peer review process, one forensic scientist examines the work, findings, and conclusions of another forensic scientist. This examination aims at diminishing the chances of inaccuracy of the work by technically looking for errors and bias in findings.

Quality Assurance in Forensic Science

The forensic evidence presented in the court must be accurate, reliable, and unbiased. Quality assurance and management ensure that the forensic evidence is not incorrect or inaccurate by validating and testing the evidence.

4. Digital Forensics

Digital forensics, also known as computer forensics, is a branch of forensic science. Digital forensics is used by the forensic analysts to recover and investigate the data found in computer devices, often in computer-related crimes. The concepts contained in the realm of digital forensics are described below.

Media and File System Forensics

Media and file system forensics deals with storage media, such as a hard drive, where digital evidence can be found, as well as several types of file systems the medium can have, such as the Fat32 and NTFS.

Operating System Forensics

Operating system forensics is the process of retrieving useful information from the operating system (OS) of the computer or mobile device in question. Operating systems include Windows, Linux, and Android.

Network Forensics

Network forensics refers to investigations in which the investigators monitor and analyze network traffic to detect intrusion, aiming at collecting the digital evidence.

Mobile Device Forensics

Mobile phone data can be used as evidence in court, as happened during the recent murder trial of Scott Peterson and the rape scandal at Duke University. A mobile device has various locations where data can be stored, such as volatile or non-volatile memories, multimedia card, and compact flash card. While conducting a mobile device investigation, search and seizure procedures must be followed.

Virtual System Forensics

Virtual machines are widely used in organizations and are a common part of a forensic investigation. Examiners must be familiar with the file extensions that show the existence of virtual machines. To examine a virtual machine, the investigators first create an image of the host machine and then export files associated with a virtual machine.

5. Application Forensics

Application forensics involves the investigation of software rather than hardware. The following concepts are important in application forensics.

Software Forensics

Software forensics is the field of software science aimed at authorship analysis of computer source code for some legal purposes. It involves the area of author identification, discrimination, and characterization. Forensic specialists attempt to determine if the same programmer authored two or more code fragments. This is certainly valuable information if security breaches are frequent. In this case, software forensics can assist in finding the culprit.

Web and Email Forensics

Browser history, cookies, registry entries on the client side, and log files on the server side can be a great source of digital evidence.

Email scammers use phishing and scam techniques to acquire sensitive information of individuals or organizations. The role of email forensics is to identify the scammer behind the crime. Email investigations rely heavily on email message files, email headers, and email server log files.

Database and Malware Forensics

Database forensics involves the study of databases and their related metadata for the purpose of collecting the digital evidence. Database forensics may have several goals, including:

• Find database security breaches
• Determine database intrusion
• Recover deleted database data
• Identify data pre-transaction and post-transaction

Malware forensics is used to investigate and analyze malicious code, such as viruses, Trojan horses, or worms. Today, professional criminals use malware to steal confidential information from the computer.

6. Hybrid and Emerging Technologies

Hybrid and emerging technologies includes the following branches of computer forensics:

Cloud Forensics

Cloud forensics involves the investigations of cyberattacks, policies violations, fraud complaints, and data recovery. Cloud forensic is often considered a subset of network forensics. In cloud forensics, cloud experts encounter some technical challenges, such as cloud architecture, analysis of cloud data, data collection, incident response, legal issues, training, and standards.

Social Network Forensics

Social media can provide empirical evidence in civil and criminal cases. However, the software for social media investigation is yet to be developed.

The Big Data Paradigm

The big data paradigm includes various operations on data, such as:

• Data mining
• Data sharing and acquisition
• Digital surveillance technology (DST)
• Data warehousing
• Data management

The big data paradigm can help in discovering digital evidence.

Computer Forensics Training

Computer Forensics Boot Camp

If you are aspiring for CCFE or CMFE certification, InfoSec Institute offers you an Authorized Computer Forensics Boot Camp Course that teaches you the necessary skills to investigate computer crimes and computer threats.

InfoSec also offers thousands of articles on all manner of security topics.

Be Safe

Section Guide

Fakhar
Imam

View more articles from Fakhar

You'll leave InfoSec Institute's Computer Forensics course with 3 industry certifications!

Learn More!