Computer Forensics Overview
Computer forensics is simply the application of computer
examination and analysis techniques in the interest of determining
potential legal evidence. Evidence might be sought in a wide
range of computer crimes or misuse, including but not limited
to theft of trade secrets, theft or destruction of intellectual
property, fraud, child pornography, disputes of ownership, and
prevention of the destruction of evidence. Computer specialists
can draw on an array of methods for discovering data that resides
in a computer system, or for recovering deleted, encrypted, or damaged
file information. Any or all of this information may help during
discovery, depositions, settlements, or actual litigation.
The Payoff for Using a Professional Process
The impartial computer expert who helps during discovery
will typically have experience on a wide range of computer hardware
and software. This is always beneficial when your case involves
hardware and software with which this expert is directly familiar.
But fundamental computer design and software implementation is
often quite similar from one system to another, and experience
in one application or operating system area is often easily transferable
to a new system.
Unlike paper evidence, computer evidence can often exist
in many forms (temporary, volatile, semi-permanent, and permanent),
with earlier versions still accessible on a computer disk. Knowing
how likely each form is to exist, an expert can discover even
differently formatted copies of the same data. The detection process
is well served by a well-informed, educated expert who identifies more
possibilities that can be requested as potentially relevant evidence.
In addition, during on-site premises inspections, for cases where
computer disks are not actually seized or forensically copied
(see below), the forensics expert can more quickly identify places
to look, signs to look for, and additional information sources
for relevant evidence. These may take the form of earlier versions
of data files (e.g. documents, spreadsheets) that still exist
on the computer's disk or on backup media, or differently formatted
versions of data, either created or treated by other application
programs (e.g. word processing, spreadsheet, e-mail, timeline,
scheduling, project file or graphic).
Safeguarding and protection of evidence is critical. A knowledgeable
computer forensics professional will ensure that a subject computer
system is carefully handled to ensure that:
no possible evidence is damaged, destroyed, or otherwise
compromised by the procedures used to investigate the computer.
no possible computer virus is introduced to a subject
computer during the analysis process.
extracted and possibly relevant evidence is properly
handled and protected from later mechanical or electromagnetic
a continuing chain of custody is established and maintained.
business operations are affected for a limited amount
of time, if at all.
any client-attorney information that is inadvertently
acquired during a forensic exploration is ethically and legally
respected and not divulged.
The Process Normally Associated With the Forensic Expert
The computer forensics professional will take several careful
steps to identify and attempt to retrieve possible evidence that
may exist on a subject computer system:
Protects the subject computer system during the forensic
examination from any possible modification, damage, data corruption,
or virus introduction.
Discovers all files on the subject system. This includes
existing normal files, deleted yet remaining files, hidden files,
password-protected files, and encrypted files.
Recovers all (or as much as possible) of discovered
Reveals (to the extent possible) the contents of hidden
files as well as temporary or swap files used by both the application
programs and the operating system.
Accesses (if possible and if legally appropriate) the
contents of protected or encrypted files.
Analyzes all possibly relevant data found in special
(and typically inaccessible) areas of a disk. This includes but
is not limited to what is called 'unallocated' space on a disk
(currently unused, but possibly the storehouse of previous data
that is significant evidence), as well as 'slack' space in a
file (the leftover area at the end of a file, in the last assigned
disk cluster, that is unused by current file data, but once again
may be a possible site for previously created and relevant evidence).
Prints out an overall analysis of the subject computer
system, as well as a listing of all possibly relevant files and
discovered file data. Further, provides an opinion of the system
layout, the file structures discovered, any discovered data and
authorship information, any attempts to hide, delete, protect,
encrypt information, and anything else that has been discovered
and appears to be relevant to the overall computer system examination.
Provides expert consultation and/or testimony, as required.
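As an added example that is not part of the original article, the following Python script models the 'unallocated' and 'slack' areas described above on a small constructed volume (512-byte clusters, a hypothetical 700-byte memo.txt that owns clusters 1 and 2) and carves the residue from both, hashing each region so it can be noted as an exhibit. The same logic applies to the unallocated-space and slack-area steps of the hard disk examination procedure later on this page; all names and data here are constructed.

```python
import hashlib

CLUSTER_SIZE = 512  # constructed volume geometry: 512-byte clusters
# Constructed allocation map: hypothetical memo.txt is 700 bytes long and owns
# clusters 1 and 2, so it leaves 512*2 - 700 = 324 bytes of slack in cluster 2.
FILES = {"memo.txt": {"clusters": [1, 2], "size": 700}}

def build_volume():
    """Return a constructed 8-cluster volume with residue planted in the
    slack of memo.txt and in an unallocated cluster."""
    vol = bytearray(8 * CLUSTER_SIZE)
    vol[0:16] = b"CONSTRUCTED-VOL!"                      # cluster 0: metadata
    vol[CLUSTER_SIZE:CLUSTER_SIZE + 700] = b"M" * 700    # memo.txt, clusters 1-2
    slack_start = CLUSTER_SIZE + 700                     # first byte past EOF
    vol[slack_start:slack_start + 20] = b"OLD DRAFT: salary..."
    vol[5 * CLUSTER_SIZE:5 * CLUSTER_SIZE + 24] = b"DELETED SPREADSHEET ROWS"
    return bytes(vol)

def slack_region(vol, clusters, size):
    """Bytes between logical end-of-file and the end of the last assigned cluster."""
    used_in_last = size - (len(clusters) - 1) * CLUSTER_SIZE
    last = clusters[-1]
    return vol[last * CLUSTER_SIZE + used_in_last:(last + 1) * CLUSTER_SIZE]

def unallocated_clusters(vol, files, reserved=(0,)):
    """Cluster numbers owned by no file (and not reserved for metadata)."""
    allocated = set(reserved)
    for f in files.values():
        allocated.update(f["clusters"])
    return [c for c in range(len(vol) // CLUSTER_SIZE) if c not in allocated]

def carve(vol, files):
    """Collect non-empty slack and unallocated residue; each region is hashed
    so it can be numbered and described as an exhibit."""
    findings = []
    for name, f in files.items():
        data = slack_region(vol, f["clusters"], f["size"]).rstrip(b"\x00")
        if data:
            findings.append(("slack", name, data, hashlib.sha256(data).hexdigest()))
    for c in unallocated_clusters(vol, files):
        data = vol[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE].rstrip(b"\x00")
        if data:
            findings.append(("unallocated", f"cluster {c}", data, hashlib.sha256(data).hexdigest()))
    return findings

if __name__ == "__main__":
    for kind, where, data, digest in carve(build_volume(), FILES):
        print(f"{kind:11} {where:10} {len(data):4} bytes sha256={digest[:16]}... {data!r}")
```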
Forensic Examination Procedures
These procedures are established as the Forensic Examination
standards to ensure that competent, professional forensic examinations
are conducted. It is acknowledged that almost all forensic examinations
of computer media are different and that each cannot be conducted
in exactly the same manner, for numerous reasons; however, there
are three essential requirements of a competent forensic examination.
Forensically sterile examination media must be used.
The examination must maintain the integrity of the original
media, insofar as possible.
Printouts, copies of data and exhibits resulting from the examination
must be properly marked, controlled and transmitted.
Add to these Ethics
Maintain the highest level of objectivity in all forensic examinations
and accurately present the facts involved.
Thoroughly examine and analyze the evidence in a case.
Conduct examinations based upon established, validated principles.
Render opinions having a basis that is demonstrably reasonable.
Not withhold any findings, whether culpatory or exculpatory,
that would cause the facts of a case to be misrepresented or
Hard Disk Examination
The following are the recommended procedures for conducting
a complete examination of computer Hard Disk Drive (HDD) media:
Forensically sterile conditions are established. All media
utilized during the examination process is freshly prepared,
completely wiped of non-essential data, scanned for viruses and
verified before use.
All forensic software utilized is licensed to, or authorized
for use by, the examiner and/or agency/company.
The original computer is physically examined. A specific description
of the hardware is made and noted. Comments are made indicating
anything unusual found during the physical examination of the
Hardware/software or other precautions are taken during any
copying or access to the original media to prevent the transference
of viruses, destructive programs, or other inadvertent writes
to/from the original media. We recognize that because of hardware
and operating system limitations and other circumstances, this
may not always be possible.
The CMOS settings and the internal clock are checked, and the
correctness of the date and time is noted. The time and date of
the internal clock are frequently very important in establishing
file creation or modification dates and times.
The original media is not normally used for the examination.
A bitstream copy or other image of the original media is made.
The bitstream copy or other image is used for the actual examination.
A detailed description of the bitstream copy or image process
and identification of the hardware, software and media is noted.
The copy or image of the original HDD is logically examined
and a description of what was found is noted.
The boot record data, and user defined system configuration
and operation command files, such as, the CONFIG.SYS file and
the AUTOEXEC.BAT file are examined and findings are noted.
All recoverable deleted files are restored. When practical
or possible, the first character of restored files is changed
from a HEX E5 to "-", or other unique character, for
A listing of all the files contained on the examined media,
whether they contain potential evidence or not, is normally made.
If appropriate, the unallocated space is examined for lost
or hidden data.
If appropriate, the "slack" area of each file is
examined for lost or hidden data.
The contents of each user data file in the root directory and
each sub-directory (if present) are examined.
Password protected files are unlocked and examined.
A printout or copy is made of all apparent evidentiary data.
The file or location where any apparent evidentiary data was
obtained is noted on each printout. All exhibits are marked,
sequentially numbered and properly secured and transmitted.
Executable programs of specific interest should be examined.
User data files that could not be accessed by other means are
examined at this time using the native application.
Properly document comments and findings.
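As an added example (not the article's own procedure or tooling), this Python code performs two of the steps above on constructed in-memory data: a bitstream copy of the original media, verified by independently hashing the source and the image so both digests can be noted, and a scan of FAT 8.3 directory entries that lists deleted entries (first name byte HEX E5) with that byte shown as "-" as the text describes. The names bitstream_copy, fat_entry and deleted_entries are hypothetical.

```python
import hashlib
import io
import struct

CHUNK = 1 << 16  # read/write granularity for the bitstream copy

def bitstream_copy(src, dst, algo="sha256"):
    """Copy src to dst byte for byte. The source is hashed as it is read and the
    image is hashed again independently; both digests belong in the examiner's notes."""
    h_src = hashlib.new(algo)
    src.seek(0)
    for chunk in iter(lambda: src.read(CHUNK), b""):
        h_src.update(chunk)
        dst.write(chunk)
    dst.flush()
    h_dst = hashlib.new(algo)
    dst.seek(0)
    for chunk in iter(lambda: dst.read(CHUNK), b""):
        h_dst.update(chunk)
    return {"algo": algo, "source": h_src.hexdigest(), "image": h_dst.hexdigest(),
            "verified": h_src.hexdigest() == h_dst.hexdigest()}

def fat_entry(name, ext, size, deleted=False):
    """Build a constructed 32-byte FAT 8.3 directory entry (attributes and
    timestamps zeroed); a deleted entry has its first name byte set to 0xE5."""
    first = b"\xE5" if deleted else name[:1].encode("ascii")
    e = first + name[1:].ljust(7).encode("ascii") + ext.ljust(3).encode("ascii")
    return e + bytes(17) + struct.pack("<I", size)  # bytes 28..31 hold the file size

def deleted_entries(dirdata):
    """Walk 32-byte directory entries and report deleted ones as
    (offset, restored name, size), with 0xE5 rendered as '-' per the procedure."""
    found = []
    for off in range(0, len(dirdata) - 31, 32):
        e = dirdata[off:off + 32]
        if e[0] == 0x00:  # no entries are in use beyond this point
            break
        if e[0] == 0xE5:
            name = "-" + e[1:8].decode("ascii").rstrip()
            ext = e[8:11].decode("ascii").rstrip()
            size = struct.unpack_from("<I", e, 28)[0]
            found.append((off, f"{name}.{ext}" if ext else name, size))
    return found

if __name__ == "__main__":
    original = io.BytesIO(b"CONSTRUCTED DISK CONTENT " * 4096)  # stands in for the HDD
    print(bitstream_copy(original, io.BytesIO()))
    root = fat_entry("MEMO", "TXT", 700) + fat_entry("DRAFT", "DOC", 2048, deleted=True) + bytes(32)
    print(deleted_entries(root))  # [(32, '-RAFT.DOC', 2048)]
```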
In many instances a complete examination of all of the data
on media may not be authorized, possible, necessary or conducted
for various reasons. In these instances, the examiner should
document the reason for not conducting a complete examination.
Some examples of limited examinations would be:
The search warrant or the courts limit the scope of examination.
The equipment must be examined on premises. (This may require
the examination of the original media. Extreme caution must be
used during this type of examination.)
The media size is so vast that a complete examination is not
The weight of the evidence already found is so overwhelming
that a further search is not necessary.
It is just not possible to conduct a complete examination
because of hardware, operating systems or other conditions beyond
the examiner's control.
The Use of Computer Forensic Evidence
Criminal and civil proceedings can and do make use of evidence
revealed by computer forensics specialists:
Criminal Prosecutors use computer evidence in a variety
of crimes where incriminating documents can be found: homicides,
financial fraud, drug and embezzlement record keeping, and child
Civil litigants can readily make use of personal and
business records found on computer systems in litigation
involving fraud, divorce, discrimination, and harassment cases.
Insurance Companies may be able to mitigate costs by
using discovered computer evidence of possible fraud in accident,
arson, and workman's compensation cases.
Corporations often hire computer forensics specialists
to ascertain evidence relating to: sexual harassment, embezzlement,
theft or misappropriation of trade secrets and other internal/confidential
Law Enforcement Officials frequently require assistance
in pre-search warrant preparations and post-seizure handling
of the computer equipment.
Individuals sometimes hire computer forensics specialists
in support of possible claims of: wrongful termination, sexual
harassment, or age discrimination.