Computer Forensics
Cybercrime is widespread because the first world relies so heavily on computers. A few examples illustrate this. Email spam and denial of service attacks are carried out by computers infected with viruses; your computer could be responsible for these without you knowing it. There are also less obvious occurrences, such as embezzlement and extortion, where the evidence of the crime may be stored on computers.
When a cybercrime incident occurs, there are a series of steps usually taken to respond. This page will focus on the investigation of the incident which includes data collection and data analysis.
Data collection is the retrieval of information and hardware necessary for investigation and is the first step for data analysis. Important factors in data collection are chain of custody and evidence validation.
Md5sum is a program used to ensure evidence integrity. It computes a number (a hash) from the data collected, and if the data is modified in any way, that number changes. This acts as a virtual evidence seal, making it an extremely useful program for the investigative and legal processes. The program is usually executed in the presence of witnesses to ensure the integrity of the evidence.
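The seal-and-recheck routine described above, as an added example that is not part of the original page: it hashes a file at collection time, records the result together with the witnesses, and later reports whether the file still matches. The disk image, file name and witness names are constructed; the SHA-256 digest alongside MD5 is an addition beyond the page, since MD5 collisions are practical and a second hash is commonly recorded.

```python
import hashlib
import io
import os
import tempfile


def hash_stream(fileobj, algorithm="md5", chunk_size=1 << 20):
    """Hash a stream in chunks so large evidence images do not need to fit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data, algorithm="md5"):
    return hash_stream(io.BytesIO(data), algorithm)


def hash_file(path, algorithm="md5"):
    with open(path, "rb") as f:
        return hash_stream(f, algorithm)


def seal_evidence(path, witnesses):
    """Record the hashes at collection time, like running md5sum in front of witnesses."""
    return {
        "file": os.path.basename(path),
        "md5": hash_file(path, "md5"),
        "sha256": hash_file(path, "sha256"),  # second hash, an addition beyond the page
        "witnesses": list(witnesses),
    }


def verify_evidence(path, seal):
    """True only if both recorded hashes still match the file on disk."""
    return (hash_file(path, "md5") == seal["md5"]
            and hash_file(path, "sha256") == seal["sha256"])


def demo():
    """Constructed sample image: seal it, confirm it verifies, then flip one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk_image.dd")  # constructed evidence file
        with open(image, "wb") as f:
            f.write(b"MBR" + b"\x00" * 1024 + b"sample evidence bytes")
        seal = seal_evidence(image, ["Witness A", "Witness B"])  # constructed names
        intact = verify_evidence(image, seal)
        with open(image, "r+b") as f:  # simulate post-collection tampering
            f.seek(3)
            f.write(b"\x01")
        return intact, verify_evidence(image, seal)
```

A single changed byte is enough to fail the check, which is exactly why the seal is taken before any analysis starts.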
In order to properly collect forensic evidence, you need to know where to find it. For this reason, there is a standard set of data that is almost always extracted and catalogued. This data includes the system date and time, the list of users logged on, time stamps for all the files, the currently running applications, and a list of systems connected to the system either at the time of the collection or previously.
To ensure the evidence is protected from manipulation after the time of collection, qualified forensic duplicates are used. A qualified forensic duplicate is an exact copy of the data found at the scene of a crime. Some methods of analysis, such as restoring deleted files, can be destructive; for this reason, duplicates are used. This ensures that the original evidence is not altered in any way, preserving it for court while still allowing extensive testing on a direct copy of the original evidence.
Much like there are usual sites for data collection, there are common locations for forensic evidence. The first place looked at is usually hardware. Hardware is easy to isolate as it has a physical location; the two main hardware locations of forensic evidence are RAM (random access memory) and the hard disk drive. Data is different. Data relevant to the investigation can be found almost anywhere in a computer, but there are several common locations for it: the registry, event logs, temporary files, the recycling bin and email storage.
Deleted files are a good location to find evidence because, contrary to popular belief, deleted files can be restored completely or partially, depending on how many times the file has been overwritten. These deleted files can be restored in different ways depending on how they were deleted, such as a recycling bin restore or programs made to restore deleted files.
Hard disk drives, as previously mentioned, are a secondary source of evidence. A hard disk drive is made up of free space and used space. The used space contains active or stored data. Free space is the remainder of the hard drive left over from the used space. This space was previously used space, but it is now available to be written over. As mentioned before, files in this free space can be repaired or restored, bringing back the files that were originally there.
Random access memory, or RAM, is the primary location of data on a computer. It is used as very short-term storage and is used by all programs. RAM is also volatile storage, meaning that if power is lost, the data is eventually removed. In recent cybercrime arrests, officers have brought liquid nitrogen to freeze RAM and thereby preserve all the data on it.
The Windows registry is a data location found in the virtual space of the computer. It is a collection of data files that store vital configuration data of the system. For this reason, it contains information about the hardware and software installed, including log files of all installs.