Every contact leaves a trace. This simple premise expressed by Locard’s Exchange Principle is the basis for all forensic sciences. Forensic anthropology, forensic pathology, DNA analysis, fingerprint comparison and other professions and methods all emerged from this basic principle. Forensics is defined as the use of science to investigate and establish facts in a criminal or civil court.
IBM introduced the personal computer to the general public on August 12th, 1981:
IBM is proud to announce a product you may have a personal interest in. It’s a tool that could soon be on your desk, in your home or in your child’s schoolroom. It can make a surprising difference in the way you work, learn or otherwise approach the complexities (and some of the simple pleasures) of living.
It’s the computer we’re making for you.
Then and Now
Over 30 years later, computing technology has leaped light-years forward. We use computers for all sorts of purposes in our daily lives. We use them for work, entertainment, finances, to store and share photographs and videos, communication, and research. No one needs to sell us on the idea that computers might add value and pleasure to our lives.
Computers are also sometimes used for illegitimate and criminal purposes. In fact, Interpol cites cyber crime as the fastest growing area of criminal activity.
Remember Locard’s Exchange Principle? Every activity on a computer or network leaves traces. Attempting to delete or hide these activities also leaves traces. When misuse is suspected, attempting to determine what another user did after the fact without using proper methodology leaves traces too. Knowledgeable computer forensics experts are needed to properly address potential evidence from computers and networks in a way that will withstand scrutiny in court or other proceedings.
Computer forensics is the preservation, identification, acquisition, examination, and presentation of information found on computers and networks relating to a criminal or civil investigation. Computer forensics is also known as cyber forensics or digital forensics.
Computer forensics is used outside the formal legal system for investigative and intelligence purposes, as well as when there is the potential for an incident to become involved in the legal system. The purpose of computer forensics is to examine digital evidence in a manner that preserves the integrity of the evidence, and to present facts and opinions about that evidence in a clear and understandable way.
In the complex and constantly evolving world of computing, this can be a challenge. Digital forensic artifacts are constantly updated as a result of the progression of computing capabilities, operating systems, and hardware. Laws don’t necessarily keep up with technology changes. Victims, investigators, attorneys, judges and juries, insurance companies, and other involved parties generally have only a rudimentary understanding of what data and metadata is stored by computers and how that data is stored. Expert guidance about how electronic evidence relates to the incident being investigated can clarify the difference between technical confusion and reasonable doubt, resulting in positive case outcomes.
The Forensic Process
The forensic process is used by examiners to standardize and formalize computer forensic examinations. Forensic examiners use the scientific method in order to identify digital evidence (sometimes also referred to as Electronically Stored Information or ESI) that supports or refutes a hypothesis about the incident in question. As with physical evidence, preservation of digital evidence is essential to avoid spoliation. Data acquisition methods that obtain digital evidence without changing the original are essential. Acquisition methods for collection of volatile data such as RAM or data stored in flash memory are also important.
Examination might be successfully accomplished with specialized forensic software tools. But these tools don’t always keep up with changes in technology, and can at times present erroneous findings. The scientific method allows examiners to test their tools and findings to obtain the greatest degree of certainty possible. Presentation of findings in a way that clearly explains relevancy of forensic artifacts and how they apply helps everyone involved.
Above and Beyond
Acquisition and analysis of digital evidence can require more than plugging the drive into a write blocker and running forensic tools. When performing computer forensics, we are oftentimes looking for a needle in a haystack. Commercial forensic tools can help, but technology changes faster than commercial tools can keep up. Our clients’ goals vary and each digital forensics case is unique. At Gillware, we work with our clients to determine what they hope to accomplish with digital forensics. Then we use whatever tools, purchased or homegrown, are necessary to address their questions. Gillware’s background in data recovery and experience in computer forensics means that regardless of the device, its physical condition, or how difficult the question that needs to be answered, we can assist.