Computer forensics is the process of locating evidence found on computer hard drives and digital storage media, and securing and preserving that evidence in a manner that allows for its use in court.
Computers may contain evidence relevant to criminal, civil or family law cases, ranging from email correspondence and text messages, through text and data files, through spreadsheets and other documents.
A search for evidence can include searching for deleted files and file fragments, meta data associated with files, as well as various history files that reflect program use and Internet activity. It will often be possible to determine when a document or file was first saved to a computer or digital device, when it was last modified, when it was last saved, and the identity of the computer user who last saved or modified the document.
When looking for digitally stored, it is important that an investigator abide by four basic principles:
Preservation of the Original Data: In the process of searching for and securing data held on a computer or storage media, no changes should be made to the original data.
Competence: The person who accesses data on a computer or digital storage media should be competent to perform those tasks, and should be able to provide an expert explanation of all steps taken to access the data and why those steps were taken.
Maintain an Audit Trail: The investigator searching for evidence should create and preserve a record of how any evidence was found, with that record being of sufficient detail that an independent third party can carry out the same steps in order to replicate the results of the original forensic investigation.
Supervision and Control: The person who is responsible for the investigation should make certain that the investigation is properly handled and documented, consistent with the law and industry practices.
Ideally, data will be obtained from a device that is turned off. The forensic investigator will make an exact copy of the information stored on the original storage medium, using tools that make no changes to the original data. All subsequent analysis is performed from the copy.
Sometimes it's not possible to power down the computer on which the original data is stored. If that's the case, it is necessary to make a hot copy of the data, running a program on the computer that allows the examiner to obtain an exact copy of the data as it exists at the time the program is run.
The process of making a hot copy requires making changes to the original data, and thus must be handled with great care such that the forensic examiner can establish why it was necessary to obtain the data from a device that was not shut down, that proper protocols were followed to minimize any changes, and that the process used did not cause any changes that might have affected the evidence recovered from the device.
The exact process for analyzing data and recovering possible evidence can be case specific.
- In some situations the process will be relatively simple, with the evidence obtained simply by examining files found within the stored data.
- Sometimes a more in-depth analysis will recover data from files that have been deleted, even when they're partially overwritten.
A complete forensic examination will examine all data found on the storage device, including the remnants of deleted and partially deleted files, hidden data and data found in unallocated space and other parts of the digital storage medium that are inaccessible during normal use.
Sometimes factors exist that make data recovery considerably more difficult:
Encryption: Where electronic data is encrypted, it is necessary to either obtain the password that was used to encrypt the data or to crack the encryption algorithm in order to decrypt the data without a password. With the sophistication of modern encryption software, it can be all-but-impossible to crack a data file protected by a well-chosen password.
A brute force effort may be made, where a computer tries one password after another in the hope of finding the correct password. Although some people choose weak or insecure passwords, where a strong password is used the amount of time it can take to find a password for even a simple file can be years or decades, with some passwords being effectively unguessable with current computer technology.
Live Database Data: It can be difficult to get an exact copy of a database that is actively being used at the time a copy is made, as various tables are likely to be changed during the period of time it takes to make the copy.
Large Quantities of Data: In the modern era, electronic storage devices have become so capacious that they allow for the storage of vast numbers of files and data. The volume of data may make it difficult to locate relevant evidence.
Intentional Destruction of Data: Whether in the hope of frustrating a forensic investigation or simply as a matter of data security, upon examining digitally stored data the forensic investigator may find that files have been encrypted, that deleted files have been overwritten in a manner that makes it all-but-impossible to recover any portion of the file, and that data is encrypted.
The trend for smart phones is to automatically encrypt most information relating to communication activities, including text messages.
Sometimes the investigator will discover that the person who controls the data has modified files or run computer programs that modify file meta data and scrub information from digital storage, or have employed software that breaks secret files apart and hides the pieces within other, seemingly innocent files. Anti-forensic applications, designed specifically to frustrate computer forensic science, are commercially available.
While it may be obvious that the programs have been used, it may be impossible to recover useful information from the storage device. A computer may be configured so that unauthorized access triggers a program that is designed to destroy data, or to specifically counter known forensic investigation software.
When data is unrecoverable from the targeted computer, thought should be given to the possibility that the data exists on a different computer. For example,
- Perhaps there's a backup file that was created before the data was encrypted or destroyed.
- Perhaps the data is in the form of an email or document that was shared with other people and continues to exist on their computers.
When data is found on a computer that supports civil liability or criminal activity, the most likely challenge will be that the investigator did not follow proper procedures in obtaining the data or is mistaken about what they found.
The investigator can minimize the viability of any such challenge by:
- Following proper protocols to preserve the original data,
- Following proper investigative procedures, and
- Creating a strong audit trail.
Another challenge that may be raised, particularly in criminal cases, is that the data found on the computer was not placed there by the owner, but was saved to the computer by malicious computer code - malware, spyware, a Trojan horse (a program that, once saved to the computer, allows somebody to execute malicious code and perhaps remotely control the entire computer), or virus.
A forensic examiner should anticipate this type of defense, and should determine if any malicious code existed on the device and, if so, whether it could have created or saved the documents being offered as evidence.