
Forensic Computer Investigations Require Specific Protocol For The Legal Handling Of Recovered Data

By Author: Andy Butler

Forensic computer investigations seek to gather evidence for determining whether computer systems have been used for unlawful or unauthorized activities. The evidence can reside in computers, storage devices and the network.

The investigations have to be conducted in a forensically sound manner acceptable to a court of law. Essentially this means that the evidence must be gathered in a manner that cannot be challenged in a court of law on grounds of tampering, inaccuracy, etc.

Forensic computer investigators require an awareness of legal issues involved as well as technical skill and familiarity with computer systems.

Collecting Evidence From Computer Systems

Taking digital photographs of the room, computers and surroundings is a typical starting point. This is done when the system is seized and before anything is changed.

A forensic computer investigator should be aware that the suspect who committed the unlawful activities could be an expert. This means that the person is quite likely to have installed anti-detection measures such as wiping out evidence whenever certain actions of an investigative nature are initiated.

Hence, the investigator should proceed in a manner that simulates an ordinary user when handling the computer.

When working with live systems, much of the data is in a highly perishable form. For example, the contents of RAM, which can include passwords, encryption keys and system/program settings, can disappear if the computer is powered off.

The investigator has to proceed so that the more perishable data are collected first. The typical order will be:

1. Network connections, which can reveal the points to which the computer had been connected and what data was being transferred
2. RAM, which can provide details of programs that were currently running or were recently run
3. System settings, which can identify all users, currently logged-in users, system date and time, currently accessed files and current security policies
4. Hard disks, which can contain much of the data needed for the investigation and must be imaged in such a way as not to affect the original drive's data or impair any investigation using the image


The forensic investigator then proceeds to collect all removable computer storage media such as CD/DVD, USB memory cards, music players, digital camera cards and so on. In addition to computer hardware and media, the investigator will collect printouts, notes and other physical evidence lying around.

Notes can contain user ID and password combinations and security-related instructions that make the task of investigation much easier. An even more valuable source is the user of the system, who can reveal passwords, encryption methods and other information that can help the investigation immeasurably.

Forensically Sound Computer Investigation

Courts scrutinize all evidence produced before them for acceptability. Defense lawyers can challenge the evidence by pointing to any actions or circumstances that make the evidence unreliable. It is thus highly important that all evidence be collected in a manner that leaves no room for such challenges.

The investigator has to document every action he or she has taken. The evidence must be kept in safe custody so that only authorized team members can access it. Analysis of storage media is done with copies and not with the originals, because the analytical procedures can change the contents.

The tools used must have been tested and evaluated to validate their accuracy and reliability. Exact duplicates of all storage media are made using such validated tools and it is these copies that are worked with.
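
An added example (not from the original article) of the verification step described above: the original image and its working copy are hashed, the digests are compared, and each check is appended to an action log. The file names, the examiner label and the JSON-lines log format are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a large disk image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # opened read-only: the evidence is never written to
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_copy(original, copy, examiner, log_path):
    """Compare original and working copy, then append a record to the action log."""
    orig_hash, copy_hash = sha256_file(original), sha256_file(copy)
    record = {
        "utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # assumed label for whoever performed the action
        "action": "verify working copy against original",
        "original": {"path": original, "sha256": orig_hash},
        "copy": {"path": copy, "sha256": copy_hash},
        "match": orig_hash == copy_hash,
    }
    with open(log_path, "a", encoding="utf-8") as log:  # append only, one JSON record per line
        log.write(json.dumps(record) + "\n")
    return record

def demo():
    """Constructed sample: one exact duplicate and one copy with a single altered bit."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("evidence.img", "good.img", "bad.img")}
        data = os.urandom(4096)      # stands in for a disk image
        altered = bytearray(data)
        altered[100] ^= 0x01         # flip one bit to simulate a changed copy
        for name, blob in (("evidence.img", data), ("good.img", data), ("bad.img", altered)):
            with open(paths[name], "wb") as fh:
                fh.write(blob)
        log_path = os.path.join(d, "actions.jsonl")
        good = verify_copy(paths["evidence.img"], paths["good.img"], "examiner-01", log_path)
        bad = verify_copy(paths["evidence.img"], paths["bad.img"], "examiner-01", log_path)
        with open(log_path, encoding="utf-8") as fh:
            entries = len(fh.readlines())
        return good["match"], bad["match"], entries

if __name__ == "__main__":
    print(demo())
```

A copy whose digest differs from the original's is not an exact duplicate and should not be used for analysis; the log records the failed check as well as the successful one.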

The above are just some of the major concerns that illustrate how a forensic computer investigation proceeds. Only a trained investigator is likely to secure forensic evidence that can satisfy a court of law.

Conclusion

Forensic computer investigations seek to help determine whether unlawful or unauthorized activities have been committed using computer systems. The investigator collects data residing in network connections, computer memories, the computer hardware, hard disks and removable storage media.

The investigation is done using validated tools and in a manner that would be acceptable to a court of law. A forensic computer investigator requires legal awareness as well as technical skill to collect and analyze the gathered evidence.

About Author:

Andy Butler from ABC Data Recovery writes about forensic computer investigations. Visit www.abc-data-recovery.co.uk for further information.
