Computer Forensics Basics  

By Wayne T. Miles - Atlas Information Research, Inc.

When someone mentions the term "Computer Forensics", a lot of people have no idea of what it really is. At least most people outside of the investigative business anyway.  Regardless, I thought I would start out by giving my definition of what is is . . .

"Computer Forensics" involves the preservation, identification, extraction, documentation and interpretation of computer data. It all sounds very simple put into words, but there's a lot more to it than that. It's really more of an "art" than a "science". 

As with most investigative procedures, computer forensics specialists need to follow strict guidelines and procedures when performing their work. Because of the different computer operating systems out there today, one has to be extremely careful when poking around a computer system looking for clues. I know from being a computer consultant for many years, that various operating systems have come and gone. It seems that as soon as you learn all the new tricks and think you know everything, someone comes along with a newer version and you have to start all over again. One thing is for sure - when it comes to computers - the learning curve never seems to end! 

Computer forensics has not been around for a long time. It's only been a few years since the largest hard drives were able to be copied or backed up on zip drives. That made collecting data simple. Today, hard drives are much larger and they involve networks and the internet. Much more to add to that learning curve I mentioned . . . The thing to remember is that although the computer systems change, the basic method in which you conduct your investigation does not change. Develop a winning methodology now and stick to it.

A good method to use is commonly known as the "Three A's" . . .

1. Acquire the evidence without altering or damaging the original.
2. Authenticate that the evidence is the same as the original.
3. Analyze the data without modifying it.

And of course, keep very good documentation along the journey. I know, you hate writing reports! But as any good investigator knows, you have to treat every investigation as if it will end up in court. Document everything right from the very beginning.

The very first step in the computer forensics process is acquiring the evidence. To do that you have to gain access to the subject computer. There are many ways to do that of course - you could have someone bring it to you. That would be real easy and you would have all the time and space you need to conduct your investigation. Normally that is not the case for the Private Investigator . . . we get to sneak in and use our immense stealth capabilities to gather our information and leave without waking the dog! Remember the "old days" before computers, when all you needed to do was break in to the Watergate Hotel and rummage through the files? Times have sure changed since then.

I was asked one time "What do you do when you get inside someone's computer and mess things up?". My first response to that question was "Run - run fast!". But after a brief moment of flash backs I said "Know what you are doing before you go in - or don't go in at all". It's kind of like doing surveillance on someone and letting them get away because you don't want to blow your cover - you can always pick them up another day. But if you blow your cover it's over - at least for you. Don't be afraid of backing away from a situation that you don't know enough about. Call in some help if you need to. As a Private Investigator, you are not expected to be an expert on all the different operating systems and networks that are out there in today's business world. You may find that all you are able to do is gather information about the system and then return later with the proper tools and knowledge to gain access to the system. 

In some cases you may not have access to a "system administrator" or even someone that can tell you what kind of network system they have! I have been to businesses where all they can tell you about the computer system is "that's the server thing under the desk". That's about all they know.

The tricky thing about computers is that no two are ever alike. You have to be very careful and analyze what is going on with it before you dive in and snoop around. It's possible to set up different types of networking within the same operating system. For example, with Microsoft Windows 2000 Professional, you can have the network configured in many different ways. It could be set up as a simple peer to peer network or as a dedicated server. These are things that you will have to determine right away and will determine what level of expertise you are going to need before you dive in and start playing around.

I was doing some consulting work with another agency once and I received a call from a female agent who unknowingly was about to make a very big mistake. She was assigned the task of installing some monitoring software on a computer and had never even seen the software work before! Also her basic computer skills were lacking to say the least. Needless to say this was going to turn into a total disaster so I helped her through it by going with her and making it a training assignment for her. The lesson here is this . . . Just because you are an "Investigator", that doesn't mean you can poke around anywhere you want to. Know your limitations. Know your skills. If you have doubts about your computer skills practice at the office. And don't be afraid to call for backup! The best time to do that is before you get in over your head.

The most important thing to remember about computer forensics is that it requires special skills. That's what makes it an "art". Every case will be different and require a different approach. You as an investigator will be required to have a good sets of skills to draw upon once you get in from of the computer. Don't think that because you can log onto AOL and get your eMail, that you are qualified to enter a corporate network system, collect your evidence, and leave without a trace - It ain't gonna happen! Know what you are doing and know your limitations. Don't be afraid to ask for assistance or bring in the experts. It's always better to hand off the assignment than to blow your investigation and damage the evidence. Once you do that, it's pretty much over.  

A lot of agencies have not had a need to do computer forensics, or they have just avoided it up until now. But the day will soon come that you are asked to investigate an incident and you will have to be prepared. As you learn more, you will gain confidence and acquire new skills. Even if all you do is a low level assessment, follow the "Three A's" and I am sure that your efforts will be a success. 

Be flexible. Be cautious. Know what you are doing. 

Good luck!

~   A b o u t   t h e   A u t h o r   ~
Wayne T. Miles     e-Mail

As a licensed private investigator in Florida and a computer consultant, Wayne has over twenty years of experience working with corporations and individuals. His expertise include computer security, internet and fire walls, data recovery, computer forensics and more. He is also well versed in investigations, covert video and undercover operations.