Digital forensics

Computer Forensics: Criminal Investigations

Computer Forensics: An Inseparable Part of Criminal Investigations

Computer Forensics has become an increasingly important element in cyber inquiry. Its use is not just limited to monitoring the computer activities of your employees, tracking a hacker or setting the internet security of an organization. It is becoming a part of criminal investigations too. It is being used to solve murder cases, rape, fraud and kidnapping. The investigators dig up computers, cell phones, chats and networks to extract the information that was lost or deleted. The investigators can recover the web history of a computer, deleted emails, images and even attachments, keywords searched on the browser, online chats and even the instant messenger conversations. By simply analyzing a person’s hard drive, all the web browsing activities can be evaluated.

How is Computer Forensics used in Criminal Investigations?

The forensic investigation is conducted in 5 basic steps. Here is are the procedures followed to gather evidence for a criminal investigation:

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Start Learning

1. Verification

The investigation is normally conducted as part of an incident response scenario. So, the first step is to verify an incident occurred. It is a preliminary step that helps determine the characteristics of the incident and the right approach for identifying, preserving and collecting the evidence.

System description

This step defines where to start gathering data about the incident. The operating system is outlined along with its configuration like RAM, disk format and the location of the evidence.

Evidence acquisition

This is the crucial part of the investigation. The analysts have to identify the sources of data and verify the integrity of the data. First step is to gather all volatile data such as login sessions, content of the RAM, ARP ache, and network connections. The second step is to collect non- volatile data like the hard drive. Once the data is acquired and verified, then chain of custody is defined which includes how the evidence was found, how it was handled and whatever happened to it.

Evidence examination

Some procedures need to be set in place for retrieving, copying and storing the evidence to investigate the evidence. A variety of methods are used for this purpose. Analysis software is one such procedure which is used to search data archives and procedures to retrieve files that were deleted. The investigators use suspicious programs to look for encrypted information. They also analyze the time and date of the data as well as the file names. They work closely with criminal investigators and lawyers to understand the nuances of the case, outline what investigation actions should be taken and what type of information should be preserved as evidence.

Documenting and reporting

The computer forensic investigators have to keep an accurate record of all the activities related to the investigation, the methods used for testing the system, retrieving, copying and storing the data. All this information is documented to ensure the integrity of the user data. The documented data can then be presented to the court of law in the form of an evidence.

Real-time use of Computer Forensics in Criminal Investigation – The Famous BTK Case

Computer Forensics was used to solve a very famous case of the BTK Serial Killer. The American police spent millions of dollars and a lot of years to find the identity of a man who killed 10 people in Wichita, Kansas between the year 1974 and 1991. Finally, in February 2005, Computer Forensics investigators were able to accomplish what the police had failed to do over the course of thirty years. The Computer Forensics investigators successfully managed to identify the killer whose name was Dennis Rader. It all started in January 1975 when Rader strangled 4 members of the Otero family to death. During this murder spree, Rader sent bizarre notes to the police. He even nicknamed himself BTK short for Blind, Torture & Kill. His letter included pictures, puzzles and twisted poems. He used to mail the letters to the media, to the police directly and sometimes, he used to hide them. He then went completely silent for more than 10 years. In 2004, he resumed communications with the police. This time, he sent them a word document in a floppy disk. The Computer Forensics investigators were immediately able to follow his trail. By using software called EnCaseForensics, they pulled metadata out of the document. It had been modified by a person named Dennis at the Christ Lutheran church. When the Forensics investigators searched for the website of the church, it was revealed that Dennis Rader was the President of the congregation council of the church. The police then checked his background and examined the DNA evidence and the murder mystery was solved. He was linked with the BTK murders. Originally, Rader was pleaded not guilty, but then he confessed that he was responsible for all the murders.

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Start Learning

What’s the future?

Computer Forensics has already played an essential role in criminal investigations and it won’t be long before “Computer Forensic Analyst” will become an essential part of the criminal justice processes.