An Explanation of Computer Forensics
By: Dr. P. Dennis Newsom, C.I.S.
© September, 2000


 Computer Forensics Overview

Computer forensics is merely the application of computer examination and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crimes or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud, child pornography, disputes of ownership, prevention of destruction of evidence, etc. Computer specialists can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information. Any or all of this information may help during discovery, depositions, settlements, or actual litigation.

The Payoff for Using a Professional Process

The impartial computer expert who helps during discovery will typically have experience on a wide range of computer hardware and software. This is always beneficial when your case involves hardware and software with which this expert is directly familiar. But fundamental computer design and software implementation is often quite similar from one system to another, and experience in one application or operating system area is often easily transferable to a new system.

Unlike paper evidence, computer evidence can often exist in many forms (temporary, volatile, semi-permanent, & permanent), with earlier versions still accessible on a computer disk. Knowing the likelihood of their existence, even different formats of the same data can be discovered. The detection process can be served well by a well-informed, educated expert identifying more possibilities that can be requested as possibly relevant evidence. In addition, during on-site premises inspections, for cases where computer disks are not actually seized or forensically copied (see below), the forensics expert can more quickly identify places to look, signs to look for, and additional information sources for relevant evidence. These may take the form of earlier versions of data files (e.g. documents, spreadsheets) that still exist on the computer's disk or on backup media, or differently formatted versions of data, either created or treated by other application programs (e.g. word processing, spreadsheet, e-mail, timeline, scheduling, project file or graphic).

Safeguarding and protection of evidence is critical. A knowledgeable computer forensics professional will ensure that a subject computer system is carefully handled to ensure that:

no possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer.
no possible computer virus is introduced to a subject computer during the analysis process.
extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
a continuing chain of custody is established and maintained.
business operations are affected for a limited amount of time, if at all.
any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged.


The Process Normally Associated With the Forensic Expert


The computer forensics professional will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system:

Protects the subject computer system during the forensic examination from any possible modification, damage, data corruption, or virus introduction.
Discovers all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
Recovers all (or as much as possible) of discovered deleted files.
Reveals (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
Accesses (if possible and if legally appropriate) the contents of protected or encrypted files.
Analyzes all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called 'unallocated' space on a disk (currently unused, but possibly the storehouse of previous data that is significant evidence), as well as 'slack' space in a file (the leftover area at the end of a file, in the last assigned disk cluster, that is unused by current file data, but once again may be a possible site for previously created and relevant evidence).
Prints out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provides an opinion of the system layout, the file structures discovered, any discovered data and authorship information, any attempts to hide, delete, protect, encrypt information, and anything else that has been discovered and appears to be relevant to the overall computer system examination.
Provides expert consultation and/or testimony, as required.

Forensic Examination Procedures


These procedures are established as the Forensic Examination standards to ensure that competent, professional forensic examinations are conducted. It is acknowledged that almost all forensic examinations of computer media are different and that each cannot be conducted in the exact same manner for numerous reasons, however there are three essential requirements of a competent forensic examination. These are:

Forensically sterile examination media must be used.
The examination must maintain the integrity of the original media, in as much as is possible.
Printouts, copies of data and exhibits resulting from the examination must be properly marked, controlled and transmitted.


Add to these Ethics

Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved.
Thoroughly examine and analyze the evidence in a case.
Conduct examinations based upon established, validated principles.
Render opinions having a basis that is demonstratively reasonable.
Not withhold any findings, whether culpatory or exculpatory, that would cause the facts of a case to be misrepresented or distorted.


Hard Disk Examination

The following are the recommended procedures for conducting a complete examination of computer Hard Disk Drive (HDD) media:


Forensically sterile conditions are established. All media utilized during the examination process is freshly prepared, completely wiped of non-essential data, scanned for viruses and verified before use.

All forensic software utilized is licensed to, or authorized for use by, the examiner and/or agency/company.

The original computer is physically examined. A specific description of the hardware is made and noted. Comments are made indicating anything unusual found during the physical examination of the computer.

Hardware/software or other precautions are taken during any copying or access to the original media to prevent the transference of viruses, destructive programs, or other inadvertent writes to/from the original media. We recognize that because of hardware and operating system limitations and other circumstances, this may not always be possible.
The contents of the CMOS, as well as the internal clock are checked and the correctness of the date and time is noted. The time and date of the internal clock is frequently very important in establishing file creation or modification dates and times.
The original media is not normally used for the examination. A bitstream copy or other image of the original media is made. The bitstream copy or other image is used for the actual examination. A detailed description of the bitstream copy or image process and identification of the hardware, software and media is noted.

The copy or image of the original HDD is logically examined and a description of what was found is noted.


The boot record data, and user defined system configuration and operation command files, such as, the CONFIG.SYS file and the AUTOEXEC.BAT file are examined and findings are noted.

All recoverable deleted files are restored. When practical or possible, the first character of restored files are changed from a HEX E5 to "-", or other unique character, for identification purposes.

A listing of all the files contained on the examined media, whether they contain potential evidence of not, is normally made.

If appropriate, the unallocated space is examined for lost or hidden data.
If appropriate, the "slack" area of each file is examined for lost or hidden data.
The contents of each user data file in the root directory and each sub-directory (if present) are examined.

Password protected files are unlocked and examined.
A printout or copy is made of all apparent evidentiary data. The file or location where any apparent evidentiary data was obtained is noted on each printout. All exhibits are marked, sequentially numbered and properly secured and transmitted.
Executable programs of specific interest should be examined. User data files that could not be accessed by other means are examined at this time using the native application.

Properly document comments and findings.

Limited Examinations

In many instances a complete examination of all of the data on media may not be authorized, possible, necessary or conducted for various reasons. In these instances, the examiner should document the reason for not conducting a complete examination. Some examples of limited examinations would be:

The search warrant or the courts limit the scope of examination.
The equipment must be examined on premises. (This may require the examination of the original media. Extreme caution must be used during this type of examination.)

The media size is so vast that a complete examination is not possible.
The weight of the evidence already found is so overwhelming that a further search is not necessary.

It is just not possible to conduct a complete examination because of hardware, operating systems or other conditions beyond the examiner's control.



The Use of Computer Forensic Evidence

Criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists:

Criminal Prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record keeping, and child pornography.

Civil litigations can readily make use of personal and business records found on computer systems revolving from litigation on: fraud, divorce, discrimination, and harassment cases.

Insurance Companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.

Corporations often hire computer forensics specialists to ascertain evidence relating to: sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information.

Law Enforcement Officials frequently require assistance i

n pre-search warrant preparations and post-seizure handling of the computer equipment.
Individuals sometimes hire computer forensics specialists in support of possible claims of: wrongful termination, sexual harassment, or age discrimination.