Showing posts with label DLA computer forensics. Show all posts

Wednesday, 20 July 2016

What Exactly is Computer Forensics?

The field of computer forensics has grown to become a science in itself. Computer forensics is also known as cyber forensics. It involves applying computer investigation and analysis techniques to solve a crime and provide evidence to support a case. Investigators often use proprietary forensic applications and software programs to examine computer hard drives, extract certain types of data from files and folders, and also to recover information from encrypted files. This digital information must be organized and documented into an official report form to be presented in a court of law.

Computer Forensics Defined

The computer forensics definition can be broken down into several technical aspects of the actual science of computer forensics. The general definition of computer forensics is the processes and investigative methods used to find digital evidence and prepare it for legal proceedings. The more in-depth definition includes the preservation of media and data, identification of computer-related evidence, extraction of the data and interpretation. Interpretation is perhaps the most important element of the computer forensics definition because this is where forensics experts must draw conclusions from a formal forensic analysis.

Throughout the process of data gathering and interpretation, the computer forensics specialist must document everything in a structured fashion. They must report exactly what types of investigations were performed and document all of the steps taken to retrieve various files, folders and data. The courts can then apply various types of methodology and testimonies in order to determine whether evidence presented can actually be used in the legal proceedings. This is why computer forensics specialists must learn about the different legal processes involved in an investigation and make sure that there is always a high level of integrity of evidence.

Why the Computer Forensics Definition Can Change

It's important to recognize that there are two main types of computer forensics investigations, which is why the computer forensics definition can change. The first involves investigations where a computer or digital technologies were used to perform the crime (cybercrime). The second is when a computer is used as the target of a crime, such as when a hacker retrieves sensitive information or someone has their identity stolen online. In both of these situations, the computer forensics definition may change slightly because the investigator uses different techniques and methodologies to solve the crime.



The digital forensic experts from DLA use their knowledge of investigation and forensic software to find and reveal the computer or mobile forensic evidence that you require.

Wednesday, 6 July 2016

When should you consider using computer forensics?

If any form of digital information is even remotely involved in a case or legal situation, a computer forensic examination will be required. Digital information has invaded virtually every aspect of our day-to-day existence and has become a basic component of our lives. From computers to smartphones to social networking, digital information plays a crucial role in almost every case.

Computer forensics differs from data recovery, which is the recovery of data after an event affecting the physical data, such as a hard drive crash. Computer forensics goes much further: it is a complete computer examination, with intricate analysis of digital information as the ultimate goal.


For a successful forensics examination, you must have all the information relevant to a matter, not only to construct effective legal strategies, but also to focus your expectations and efficiently budget your services. There is nothing more difficult to address than a case which has become complicated by new facts, where you once expected the matter to proceed smoothly and without significant cost. Knowing all the facts early in a matter allows you to better prepare for those cases that will require significant legal expertise to manage.

In response to pending litigation, analysing your relevant ESI is an excellent way to discharge your duties to preserve evidence and avoid spoliation, while also acquiring all relevant information essential to your legal theories and strategies. Similarly, as part of critical business decisions, forensically analysing relevant computers and devices can provide essential information. For example, analysing the computers of corporate officers or employees as part of the termination process can alert you to possible litigation issues such as violation of non-compete agreements, improper copying of intellectual property, etc.

To prepare for litigation, an attorney ought to determine whether a Request for Production of Documents will obtain all relevant evidence. A simple question to ask is whether you want to discover part of the relevant information (i.e. visible by your opponent’s operating system) or all of it (deleted, hidden, orphaned data, etc). It is not unrealistic to anticipate that information contained on a computer system which is helpful to a matter would be saved, while that which is harmful would be deleted, hidden, or rendered invisible. For example, in sexual harassment cases, it is not unusual to discover deleted emails and other data invisible to the operating system that significantly impacts the case. Computer forensic analysis extracts all the emails, memos, and other data that can be viewed with the operating system, as well as all invisible data. In many cases, the invisible data completely changes the nature of a claim or defense, often leading to early settlement and avoiding surprises during litigation.

In any situation in which one or more computers may have been used in an inappropriate manner, it is essential to call a forensic expert. Only a computer forensic analyst will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate use. Taking the wrong steps in these circumstances can irrevocably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.


Digital, computer and mobile forensics requires much more than what you may think. At DLA, our seasoned investigators use a special set of skills and tools to recover or find the digital data that you need!

Wednesday, 22 June 2016

How Computer Forensics Works - Phases of a Computer Forensics Investigation

The experts at DLA listed the following steps every digital forensic investigator should follow to retrieve digital evidence:


1. Secure the computer system to ensure that the equipment and data are safe. This means the detectives must make sure that no unauthorized individual can access the computers or storage devices involved in the search. If the computer system connects to the Internet, detectives must sever the connection.

2. Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten. Investigators should make a copy of all the files on the system. This includes files on the computer's hard drive or in other storage devices. Since accessing a file can alter it, it's important that investigators only work from copies of files while searching for evidence. The original system should remain preserved and intact.

3. Recover as much deleted information as possible using applications that can detect and retrieve deleted data.

4. Reveal the contents of all hidden files with programs designed to detect the presence of hidden data.

5. Decrypt and access protected files.

6. Analyse special areas of the computer's disks, including parts that are normally inaccessible. (In computer terms, unused space on a computer's drive is called unallocated space. That space could contain files or parts of files that are relevant to the case.)

7. Document every step of the procedure. It's important for detectives to provide proof that their investigations preserved all the information on the computer system without changing or damaging it. Years can pass between an investigation and a trial, and without proper documentation, evidence may not be admissible.

8. Be prepared to testify in court as an expert witness in computer forensics. Even when an investigation is complete, the detectives' job may not be done.

All of these steps are important, but the first step is critical. If investigators can't prove that they secured the computer system, the evidence they find may not be admissible. It's also a big job. In the early days of computing, the system might have included a PC and a few floppy disks. Today, it could include multiple computers, disks, thumb drives, external drives, peripherals and Web servers.
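Steps 3 and 6 above come down to scanning raw disk regions for recognisable file signatures. The following is an added illustration, not code from DLA or the original post: a minimal signature-based carver run over a constructed byte region standing in for unallocated space. The function names and the sample data are assumptions made for this example.

```python
import hashlib

# Well-known header/footer magic bytes for two common file formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer after 10 MiB


def carve(raw, max_size=MAX_CARVE):
    """Scan raw bytes (read from a working copy, never the original media)
    for file signatures and return candidate files sorted by offset."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no footer: a fragment whose tail was
                # overwritten. Record it for the report; do not guess a length.
                found.append({"type": kind, "offset": start, "length": None,
                              "sha256": None, "complete": False})
                pos = start + len(header)
                continue
            end += len(footer)
            blob = raw[start:end]
            found.append({"type": kind, "offset": start, "length": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest(),
                          "complete": True})
            pos = end  # resume after this candidate
    return sorted(found, key=lambda f: f["offset"])


def build_sample_region():
    """Constructed stand-in for unallocated space: zero filler holding one
    JPEG-like blob, one PDF-like blob and one header-only fragment."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-sample" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nconstructed sample\n%%EOF"
    fragment = b"\xff\xd8\xff\xe1" + b"truncated"
    return (b"\x00" * 512 + jpeg + b"\x00" * 300 + pdf
            + b"\x00" * 200 + fragment + b"\x00" * 64)


if __name__ == "__main__":
    for hit in carve(build_sample_region()):
        print(hit)
```

Matches are candidates only: real JPEGs can embed thumbnails and real PDFs can carry several `%%EOF` markers, so carved output still needs validation before it goes into a report.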

Wednesday, 15 June 2016

Computer Forensics Basics – How it works

The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence. Many of the techniques detectives use in crime scene investigations have digital counterparts, but there are also some unique aspects to computer investigations.

For example, just opening a computer file changes the file -- the computer records the time and date it was accessed on the file itself. If detectives seize a computer and then start opening files, there's no way to tell for sure that they didn't change anything. Lawyers can contest the validity of the evidence when the case goes to court.

Some people say that using digital information as evidence is a bad idea. If it's easy to change computer data, how can it be used as reliable evidence? Many countries allow computer evidence in trials, but that could change if digital evidence proves untrustworthy in future cases.

Computers are getting more powerful, so the field of computer forensics must constantly evolve. In the early days of computers, it was possible for a single detective to sort through files because storage capacity was so low. Today, with hard drives capable of holding gigabytes and even terabytes of data, that's a daunting task. Detectives must discover new ways to search for evidence without dedicating too many resources to the process.

What are the basics of computer forensics? What can investigators look for, and where do they look? Find out when the digital forensic experts from DLA discuss the steps in collecting evidence from a computer.


Wednesday, 23 March 2016

6 essential computer forensic tips

Cybercrime is becoming even more of a concern, which makes computer forensics a growing science. The worst thing a business can do when digital forensic professionals are working is to proceed carelessly. That is why it is vital to keep these tips in mind when a computer is being investigated on your watch.

1. A computer is a crime scene, and it needs to be treated as such. All investigation activity needs to be logged and all the equipment inventoried.

2. The machine should be isolated from the network.

3. Investigators should almost never work with the original hard disk or media or any original files. Rare exceptions to this rule include situations when turning off the computer will destroy evidence. But most often, examiners should make copies—and not just any copies, but forensically sound ones. Just backing up a drive, for example, will not transfer slack space and deleted files that need to be searched.

4. Don’t violate the chain of custody. If evidence is to be used in a legal case, it must be clearly established what the evidence is, where the evidence was, and what was done to it at all times. If there’s any suspicion that the evidence was tampered with or altered, then you may be left without a case.

5. Don’t be in a fixed frame of mind. No two investigations are alike. Because of this, investigators use training and experience to narrow the scope of an investigation.

6. Don’t digress. Remember that the point of an investigation is to determine three things: whether a violation took place, the exact sequence of events that took place, and finally, who was responsible.
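Tips 1, 3 and 4 (log everything, work only from verified copies, keep the chain of custody intact) can be backed by hashes. This is an added sketch, not code from DLA or the original post: it makes a hash-verified working copy of an image and keeps a custody log in which each entry commits to the one before it. It assumes the drive has already been imaged to a raw file; all names and the sample image are constructed for this example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024
GENESIS = "0" * 64  # "previous hash" of the first log entry


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_working_copy(source, dest):
    """Copy an acquired image byte for byte, hashing the source as it is
    read, then re-read the copy from disk and require the same digest."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "xb") as dst:  # "x": never overwrite
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    digest = h.hexdigest()
    if sha256_file(dest) != digest:
        raise ValueError("working copy does not match the source image")
    os.chmod(dest, 0o444)  # read-only, to catch accidental writes
    return digest


def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, who, action, item_sha256):
    """Append a custody record that commits to the previous record's hash."""
    body = {"time": datetime.now(timezone.utc).isoformat(), "who": who,
            "action": action, "item_sha256": item_sha256,
            "prev": log[-1]["entry_hash"] if log else GENESIS}
    log.append({**body, "entry_hash": _entry_hash(body)})


def verify_log(log):
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None


def demo():
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.img")  # constructed sample image
        with open(image, "wb") as f:
            f.write(b"constructed sample image\x00" * 4096)
        digest = make_working_copy(image, os.path.join(d, "working.img"))
        log = []
        append_entry(log, "examiner A", "acquired image", digest)
        append_entry(log, "examiner A", "created verified working copy", digest)
        append_entry(log, "examiner B", "received working copy", digest)
        intact = verify_log(log)
        log[1]["who"] = "someone else"  # simulate an after-the-fact edit
        return digest, intact, verify_log(log)
```

The chain only exposes edits if the latest `entry_hash` is also recorded somewhere the log's keeper cannot rewrite, such as a signed paper custody form.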



In this day and age, businesses are all too vulnerable to high tech crimes. Whether the computers are used to commit felonies or simply to violate company policy – businesses can be embarrassed, inconvenienced and even shut down. If you are ever in this situation, contact the digital forensic experts at DLA!

Wednesday, 16 March 2016

3 important reasons why you need a digital forensic examiner

I bet you haven’t seen the top 3 reasons you need to hire a digital forensic investigator!  Not to be outdone, we’ll try to keep it to only five:

1)  Data is everywhere

Think about all the digital devices you own and use.  Chances are, you probably use your handheld portable device in the morning, transition to laptop/desktop computer during work hours, then go back to mobile with heavy use of tablets during the evening hours (probably because you and your partner don’t want to watch the same TV shows).

So the bottom line is, virtually everything you do during the day will involve a digital device on some level and leave a digital footprint.  That data is stored on those devices and if you’re involved in some sort of dispute, accident, encounter, etc. that may lead to legal action down the road, you’re going to want a trained digital forensic expert to acquire, analyse and report that data for you. 

2)  Data breaches affect everyone

In the past year or so, dozens of high-profile data breaches have occurred in the private commercial and government sectors. For everyday consumers like us, it means that our personal information could be shared with unsavoury types, so whether you’re hiring a digital forensic examiner yourself or your bank is hiring one to help find out what happened and by whom, it does affect you.

3)  Chances are, you’ll be involved in litigation at some point

Not all legal matters are contested, but when they are, you want the data to show the truth.  And if you believe #1 (data is everywhere), the likelihood that you will not only be involved in some sort of contested litigation, but that the litigation will likely involve retrieving & reporting data that is critical to your case in a verifiable, forensically sound manner is very real.  From divorces to child custody to distracted driving personal injury to criminal cases, the universal nature of the devices we carry and the data they store cannot be denied.


So there’s the list. If nothing else, we hope this serves to explain just some of the reasons why you may need a digital forensic examiner on speed-dial. Is a digital forensic examiner someone you need every day? No. But much like your car mechanic, your exterminator and your lawyer, you sure want to know how to contact a good one when the time comes! Contact DLA Digital Forensics today – we can’t wait to be of service to you.

Wednesday, 2 March 2016

The Apple vs. FBI congressional hearing

For two weeks, there has been a heated debate over the Apple vs. FBI debacle, and the two sides of the argument have stated their cases before the House Judiciary Committee at a hearing called "The Encryption Tightrope: Balancing Americans' Security and Privacy."

On one side, the FBI wants to force Apple to help them get into the iPhone of San Bernardino shooter Syed Farook; on the other side, Apple wants to maintain the security integrity of its devices and not set a precedent of the government forcing tech companies to develop workarounds to encryption.

The hearing took place in Washington DC. If you're interested in watching the testimony, you can watch the live video right here:



Digital Forensics (cellular & computer based) requires much more than some well-developed software that can be purchased over the internet. It requires a thorough understanding of investigative process, the law of evidence and, naturally, the appropriate background to criminal and civil investigations.

DLA is based in Cape Town and combines the experience of two seasoned investigators with both criminal and civil backgrounds with the latest technologies to achieve the results that you require - contact DLA today!

Tuesday, 16 February 2016

What to do if a computer in your business contains important evidence

First of all – STOP using the computer or device! Any use of this may damage or taint any evidence present. If the suspected computer is turned off, then leave it off.


If the computer or device is on, do not go through the normal “Shut Down” process… rather call the digital forensic experts first.

Do not allow your internal IT staff to conduct a preliminary investigation.

It is important to recognise that all you have initially is information and data, not actual evidence. Unless your IT staff is certified in computer forensics and trained on evidentiary procedures (very few are), they most likely have not followed other accepted evidence techniques. 

Another thing to keep in mind is that even if proper evidence handling techniques have been used, the collection process itself has most likely changed or altered the data collected. By opening, printing and saving files, the meta-data is changed! Lastly, the simple act of just turning on the computer changes files and caches, which, along with the alteration of the meta-data, may have seriously damaged or destroyed any evidence that was present.

Depending on the damage done, a skilled computer forensic specialist may be able to salvage the damaged evidence. This, however, can be an arduous and time-consuming process which often costs several times more than it should. It is also important to bear in mind that it is not always possible to restore evidence from computers that have been mishandled.


Keep a detailed log of who had access, what was done and where the computer has been stored since the dates in question.

Computer forensics may be an unknown and mysterious discipline to many, but it is easy to avoid the most common mistakes by following the guidelines outlined! Only use certified digital forensic experts, such as the professionals from DLA, contact them today and get the job done right.

Thursday, 21 January 2016

This gruesome murder case was solved by computer forensics after 30 years of searching

For more than 30 years, the case of the BTK serial killer stood as one of the biggest unsolved mysteries in America. Police spent thousands of hours and millions of dollars trying to figure out the identity of this man, who killed 10 people in and around Wichita, Kansas, between 1974 and 1991.


But, on the 16th of February 2005, in a few short hours computer forensic specialists accomplished what police had failed to do for more than 30 years – they identified the BTK killer as a man named Dennis Rader! This case remains the most famous ever solved by computer forensics.

The case started on the 15th of January 1975, when Dennis Rader killed four members of the Otero family. Over the next 15 years, he would admit to killing six more female victims.

As he was committing these murders, Rader would taunt police by sending them bizarre notes. His first note was found in the Wichita Public Library; in it he claimed responsibility for the Otero murders and provided details only the police would know. He also promised that he would kill again and suggested a nickname for himself – BTK (Bind, Torture, Kill).

Rader went on to write numerous letters to the police, including twisted poems, puzzles and pictures. Sometimes he would send the letters straight to the police and other times he would mail them to the media or hide them somewhere.

Local police worked with the FBI and spent thousands of hours studying these communications. They hired the best criminal psychologists, followed up on every possible lead and interviewed thousands of people. Even with so much evidence and effort, police were still unable to tie any of the murders to Dennis Rader.

It was not until 2004, after 10 years of silence from the BTK killer, that police finally caught a break. That year, Rader resumed his communications with police. He sent them a Word document on a floppy disk that computer forensic experts immediately examined.

By using special forensics software, police were able to pull up a Word document that had been deleted. The document revealed a clue – it had last been modified by someone named Dennis at Christ Lutheran Church. A quick search of the church’s website revealed that Dennis Rader was actually the president of the church’s congregation council!

Police were then able to quickly link Rader to the BTK murders.


Today, computer forensics is used more than ever to solve crimes, such as murder, kidnapping, fraud and embezzlement. Forensic investigators are able to dig up information that was thought to be long gone on cellphones, computers, laptops, hard drives and chats. The tools these experts use are growing more and more advanced every day.

Looking for professional forensic investigators to find the digital evidence that you need? At DLA, two seasoned investigators join forces and use the latest technologies to weed out the results that you're looking for!

Thursday, 14 January 2016

Use these 3 pointers to fly through your first computer forensic interview

Have you always wanted to work in computer forensics, and now you’ve finally been invited to an interview? But how should you prepare? Well, the first thing to do is to get the interview into perspective and develop the right mindset.


Computer forensic job interviews take all sorts of different formats, with some being very technical while others are a mix of technical skills, competencies and personality.

Here are 3 pointers to help you fly through your interview:

1. Technical Questions

The technical level you need to demonstrate differs depending on the job and organisation. Just make sure you do all the obvious things beforehand, like researching the mentioned areas in the job description, reading forums, etc.

The golden rule here is to not try and bluff your way through when you don’t know the answer. If you are not technically strong enough for a role, there really is nothing you can do about it on the day.

2. Competencies

Most interviewers will focus their questions around the following competencies: Interpersonal skills, problem solving and decision making, planning and organizing, information handling and analysis, written/oral communication skills and team working.

The best thing to do is to prepare two or three examples of each before the interview. This preparation should save you from having to desperately think of new examples under pressure on the day.

3. Personality

Always remember, if the interviewer doesn’t like you then it is very unlikely that you will be successful. When answering technical questions it can be easy to become almost robotic with your answers and that often leads to people failing in computer forensic interviews because they don’t allow their personality to come through.

If you don’t land the computer forensic job you were hoping for, it really isn’t the end of the world. So learn from experience and make sure to use these 3 pointers to land the job you’ve dreamed of!

Prepare well, be yourself and good luck!

DLA (cellular and computer based forensics) is based in Cape Town and combines the professional skills of two investigators with the latest technologies to get you the digital evidence that you need - Contact us today and let us follow the electronic trail for you.