1. Running head: COMPUTER FORENSICS 1
Computer Forensics
John Intindolo
October 17, 2014
ISSC455- Digital Forensics: Investigation Procedures and Response
Professor Michael Lewis
American Military University
Computer forensics is vital to criminal cases now more than it has ever been in the past. In the
past physical evidence was collected at a crime scene, but in today’s world, where everything and
everyone is reliant upon technology, digital evidence has become more prevalent even in a typical
criminal case. For example, when the police arrive at the scene of a murder there may be digital
evidence on the victim’s phone that helps to determine who may have been in recent contact with the
victim, which could lead to solving the case. Therefore, due to the vital information that digital evidence
can produce, computer forensics plays a role in any type of case.
Throughout the course of this paper computer forensics will be discussed, as well as its history,
future trends, the role of computer forensics investigators, the fundamental steps required during an
investigation, common cyber-crimes, how to properly follow the chain of custody, a list of companies
who are available for hire to perform a computer forensic investigation, and a list of tools that can be
used to collect digital evidence. Once all of this has been explained the reader will have a better
understanding of why computer forensics plays a vital role in all kinds of criminal cases.
Before getting into the different ways that computer forensics can be beneficial, what exactly is
computer forensics? According to Welch, computer forensics can best be defined as the study of
computer technology and its relation to the law (1997). A more thorough definition would be that
computer forensics can be described as the investigation and analysis of evidence via the use of
computer techniques and tools during a criminal case so that the evidence may be admissible in a court
of law. The most important thing to consider when dealing with computer forensics is that the evidence
gathered and analyzed must be preserved (by following the chain of custody throughout the entire
process) in order to be used in court. Without preservation of the evidence and the following of the
chain of custody all of the hard work put into collecting and analyzing the evidence will be for naught.
So now that the definition of computer forensics is understood, the next issue is to determine the
importance or benefits that computer forensics provides. Computer forensics provides many benefits to
an organization, due to the remarkable upsurge in the amount of cyber-crimes and litigation that large
organizations often encounter now that computer systems and networks are so heavily relied upon.
Some of those benefits include the following: assurance that an organization’s computer systems
and/or networks maintain their integrity; the ability to collect pertinent data (in the event of an organization’s
computer systems and/or networks being breached) that was destroyed or deleted by the accused and
can be used to prosecute; the ability to search and analyze large amounts of data both quickly
and efficiently, which will save an organization both time and money; and help in catching criminals
responsible for heinous acts such as child pornography and identity theft (“Advantages and,” 2009).
As explained previously, one of the benefits of using computer forensics is to collect valuable
data that can be used to prove the guilt of someone when an incident has occurred. This does not always
need to be used to prosecute in a court of law; in fact, in some cases an organization may just use
computer forensics to prove the guilt of an employee who has committed a crime. Rather than go
through lengthy and oftentimes expensive litigation, the company will simply use the information provided
by the computer forensic investigation to terminate the worker’s employment.
For example, when the CEO of a small San Diego publishing company began receiving
threatening e-mails and figured someone from inside the company’s IT department was involved, he
hired a computer forensics expert to investigate. The man hired was Peter Garza, the founder of
EvidentData. Garza found a Google search performed by an IT employee for the name of the
spyware together with the word “legal”, which had taken the employee to the spyware’s legal disclaimer. This proved that the
employee knew what they were doing was wrong but proceeded anyway (Zimmerman, 2006, p. 56).
Once this information was brought forth the CEO chose to simply fire the employee rather than
take it to court.
Now that computer forensics has been defined and the benefits of using computer
forensics explained, the next logical step is to clarify the need for a computer forensic investigator.
Computer forensic investigators are professionals specially trained in the art of retrieving data from
computers and other storage devices, who work with private firms or law enforcement agencies such as
the FBI. These highly specialized computer experts have an extensive working understanding of all
facets of computers, including hard drives and encryption. The need is also compounded by the number
of attacks that take place from inside the organization.
According to Vericept Corp., 54 percent of organizations estimate that insiders are responsible
for more than half of all internal security breaches (Bavisi, 2006, p. 37). Having a computer forensic
investigator will likely keep many of those “insiders” from going through with an attack, because they
know that they could easily get caught. As previously mentioned, the world today is one that is driven by
technology, which means that computer forensic investigators are in high demand in both the
public and private sectors.
The job responsibilities of a computer forensic investigator start with being extremely familiar
with all facets of computers as mentioned above, but there are many other responsibilities they must
meet as well. The main responsibility of an investigator is to recover, analyze, and preserve all digital
evidence in such a way that it can be used as evidence in a court of law. Furthermore, it is the
investigator’s responsibility to collect the evidence quickly, convey a rough calculation of the damage
that the incident has had on the victim, to determine the reason the attacker chose to go through with the
act, and also to discover the identity of the attacker. So how does one become a computer forensic
investigator?
Becoming a computer forensic investigator is not something that happens overnight, and it requires
a lot of commitment. A bachelor’s degree in computer science, information systems security, criminal
justice, or another related discipline is just the start. Computer experience, as explained previously, must
cover all aspects of computers, and law enforcement experience, while not required, is also
something that will certainly help. Also necessary are computer security and investigation
certifications such as EnCase Certified Examiner (EnCE), Certified Information Systems Security
Professional (CISSP), Certified Information Systems Auditor (CISA), and the Security Essentials
Certification known as GSEC (“How to become,” 2014).
With the issue of computer forensics and the details of what it takes to become a computer
forensic investigator out of the way, the next area of focus is the crimes that these people are out to fight
against: cyber-crimes. What are cyber-crimes? Cyber-crimes are crimes that are committed on the
Internet and that take advantage of the accessibility, anonymity, and speed of the Internet. The
accessibility factor simply means that it is rather convenient for criminals to perform a crime on the
Internet, because they can commit a crime from halfway across the globe. The
anonymity refers to the fact that someone can commit a crime on the Internet without their identity being
known, by masking their IP address for instance. Lastly, there is the criminal’s use of high-speed Internet to
commit their crimes and get away before authorities have the chance to catch them.
There are many different examples of computer crimes including but not limited to hacking, the
spreading of viruses, Trojans, and worms, identity theft, credit card fraud, Denial-of-Service attacks,
software and copyright piracy, and child pornography. All of these examples are cyber-crimes, but their
severity varies. For example, there is a huge difference between someone committing copyright piracy
by downloading their favorite band’s latest album and a child predator downloading pictures and videos
of child pornography. Both cyber-crimes are readily occurring on a daily basis on the Internet, with the
latter growing so fast that it has an estimated revenue of $3 billion (Pulido, 2013).
When speaking of cyber-crimes such as hacking, the spreading of viruses, Trojans, and worms,
DoS attacks, and identity theft, there are areas of weakness or vulnerability on a computer system or
network that can make the attacker’s job much easier. One such vulnerability is
social engineering. This is when an attacker attempts to trick someone within an organization into
unknowingly revealing or distributing information that could disclose private
information to the attacker. Some other vulnerabilities that are used to exploit computer
systems and networks are unencrypted mail servers, improperly configured firewalls, unpatched
software, and weak password management.
The important thing to remember is that the organization’s network does not have to be the
most secure; it only has to be more secure than others nearby. If good security measures are practiced
such as closing open ports, keeping all software updated and patched, encrypting mail servers,
practicing the principle of least privilege (where workers are granted only the privileges needed to complete their
job duties), and enforcing strong password management, then an attacker may look for a weaker target.
This is no different than in the wild where a lion will look for a buffalo that is weaker than the rest and
falls behind the herd before attacking.
The next topic of discussion when dealing with computer forensics is the forensic investigation
process. There is a set of fundamental steps that take place in every forensic investigation, and they are
as follows: first a computer crime must be suspected of having been committed; preliminary evidence such as
marking the scene and photographing the scene should be collected; a warrant, if necessary, must be
obtained; first responder procedures are performed; evidence is seized securely (in evidence
bags); the evidence is then transported to the forensic lab; a working copy of the evidence is created
(because the original evidence is never worked off of); an MD5 checksum of any images is computed
(to verify their integrity); a chain of custody document is prepared (and any break in this chain could
cause the evidence to be thrown out of court); the original evidence is kept safe and secure from being
tampered with; the image copy is used to analyze for evidence; a forensic report is created (to describe
every facet of the forensic investigation and the tools used as well); the report is delivered to the client;
and, if deemed necessary, the investigator may testify as an expert witness in court (“Computer
Forensics,” 2010, pp. 1-17). Each of these steps plays an integral role in the investigation process.
The reason that an exact image of the original evidence is created is so that the contents of the
original are not altered or changed in any way. Sometimes even the slightest change could cause the
entire drive to be lost, so it is extremely vital to only work off of the copy of the original evidence. If the
original evidence is lost or damaged there is no way that it can be used in court. The chain of custody
refers to making sure that every single piece of potential evidence is accounted for at all times, from the
beginning of the investigation all the way to the end when it is presented to the court.
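The working-copy, checksum and chain-of-custody steps described above can be combined into a small tool. The Python script below is an added example and is not code from the paper or from any of the forensic products it names; the evidence id, examiner names, file name and image bytes are all constructed for the illustration. It re-hashes the working copy at every hand-off (MD5, as the paper’s process lists, with SHA-256 recorded alongside because MD5 collisions are practical today) and reports the chain as broken as soon as any digest differs from the one taken at acquisition, which is exactly what an unlogged write to the evidence would cause.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed stand-in for a forensic disk image (not a real acquisition).
SAMPLE_IMAGE_BYTES = b"\x00" * 4096 + b"constructed sample evidence image" + b"\xff" * 1024


def hash_image(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Digest an image in chunks so a multi-gigabyte image never has to fit in RAM.

    MD5 is what the paper's process calls for; SHA-256 is recorded alongside it
    because MD5 collisions are practical and a court may ask for a stronger hash."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


@dataclass
class CustodyEvent:
    action: str        # acquired / checked_out / checked_in
    custodian: str     # who handled the evidence
    timestamp: str     # UTC, ISO 8601
    md5: str
    sha256: str
    note: str = ""


@dataclass
class ChainOfCustody:
    """Append-only log: every hand-off re-hashes the image and records who, when and the digests."""
    evidence_id: str
    image_path: Path
    events: list = field(default_factory=list)

    def record(self, action: str, custodian: str, note: str = "") -> CustodyEvent:
        digests = hash_image(self.image_path)
        event = CustodyEvent(action, custodian, datetime.now(timezone.utc).isoformat(),
                             digests["md5"], digests["sha256"], note)
        self.events.append(event)
        return event

    def verify(self) -> bool:
        """True only if every recorded digest equals the acquisition digest."""
        if not self.events:
            return False
        first = self.events[0]
        return all(e.md5 == first.md5 and e.sha256 == first.sha256 for e in self.events)

    def to_json(self) -> str:
        return json.dumps({"evidence_id": self.evidence_id,
                           "events": [asdict(e) for e in self.events]}, indent=2)


def demo() -> dict:
    """Acquire -> check out -> check in, then show a tampered image failing verification."""
    with TemporaryDirectory() as tmp:
        image = Path(tmp) / "EV-0001.dd"   # hypothetical evidence id and file name
        image.write_bytes(SAMPLE_IMAGE_BYTES)
        coc = ChainOfCustody("EV-0001", image)
        coc.record("acquired", "examiner_a", "working copy created from original")
        coc.record("checked_out", "examiner_b", "taken to analysis workstation")
        coc.record("checked_in", "examiner_b")
        intact_before = coc.verify()

        # Simulate an unblocked write to the evidence (what a write-blocker prevents):
        # the first byte changes, so the next hand-off's digests no longer match.
        with image.open("r+b") as fh:
            fh.seek(0)
            fh.write(b"\x01")
        coc.record("checked_in", "examiner_c", "returned after unlogged handling")
        return {"intact_before_tamper": intact_before,
                "intact_after_tamper": coc.verify(),
                "event_count": len(coc.events),
                "log": coc.to_json()}


if __name__ == "__main__":
    print(demo()["log"])
```

The log is deliberately append-only: the tampered check-in is recorded rather than rejected, because the record of when the digests stopped matching is itself the evidence that the chain was broken and by whom.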
Any time that someone needs to take the evidence for any reason out of the forensic lab it must
be documented stating who took it out as well as the date, and the same goes for documenting the
evidence being returned. If at any time the evidence is unaccounted for it will be deemed inadmissible,
because there is no way to validate its integrity or to rule out that someone altered it in some way. So where can this
evidence be extracted from? Digital evidence can be found in many places such as computers, laptops,
tablets, smart phones, portable hard drives, SIM cards, USB memory sticks, and any other portable
storage devices. Many times the accused will believe that they have deleted the illegal or incriminating
data because they emptied their recycle bin, but that does not completely eliminate the data. Instead
investigators are able to use forensic tools to retrieve that so-called “deleted” data and use it against the
accused.
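A constructed illustration of why emptying the recycle bin does not remove the data: the Python below is an added example, not code from the paper or from any of the tools it names. It builds a toy raw image with a small directory region pointing at a JPEG and a PNG, clears the directory entries the way a deletion does, and then carves both files back out by their header and footer byte signatures, which is the principle behind the recovery the paper describes. The directory format, file names and file bodies are invented for the example; only the JPEG and PNG signature bytes are real.

```python
DIR_SIZE = 256  # constructed: a tiny "directory" region at the front of the toy image

# Constructed file bodies: only the header/footer bytes are real format signatures.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"JFIF-toy-body" + b"\xff\xd9"
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"IHDR-toy-body" + b"IEND\xaeB`\x82"

# Header/footer signatures a carver looks for, independent of any file system metadata.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def build_sample_image() -> bytes:
    """Lay out a toy raw image: directory region, then file contents separated by unused clusters."""
    filler = b"\x00" * 512
    data = filler
    entries = []
    for name, body in (("photo.jpg", JPEG_BYTES), ("logo.png", PNG_BYTES)):
        offset = DIR_SIZE + len(data)          # absolute offset of this file in the image
        entries.append(f"{name},{offset},{len(body)};")
        data += body + filler
    directory = "".join(entries).encode("ascii").ljust(DIR_SIZE, b"\x00")
    return directory + data


def list_directory(image: bytes) -> list:
    """Parse the toy directory: 'name,offset,length;' records, NUL-padded."""
    text = image[:DIR_SIZE].rstrip(b"\x00").decode("ascii")
    entries = []
    for record in filter(None, text.split(";")):
        name, offset, length = record.split(",")
        entries.append({"name": name, "offset": int(offset), "length": int(length)})
    return entries


def delete_all(image: bytes) -> bytes:
    """Model a deletion: the directory entries are cleared, the file clusters are untouched."""
    return b"\x00" * DIR_SIZE + image[DIR_SIZE:]


def carve(image: bytes, signatures: dict = SIGNATURES, max_len: int = 10_000_000) -> list:
    """Signature-based carving: find every header, pair it with the next footer, slice it out."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header))
            if end == -1 or end - start > max_len:
                pos = start + 1                 # no plausible footer; keep scanning
                continue
            end += len(footer)
            found.append({"type": kind, "offset": start,
                          "length": end - start, "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    img = build_sample_image()
    print("directory before deletion:", list_directory(img))
    wiped = delete_all(img)
    print("directory after deletion:", list_directory(wiped))
    for hit in carve(wiped):
        print(f"carved {hit['type']} at offset {hit['offset']}, {hit['length']} bytes")
```

Real carvers work the same way against the image copy, never the original, and the carved offsets and lengths go into the forensic report alongside the image checksum so the recovery can be repeated by another examiner.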
There are many different types of computer forensic tools used by a computer forensic
investigator, but some of the simpler tools used prior to extracting evidence include the following:
storage bags (wireless and passport), remote chargers, write-block devices, cables, and SIM card
readers. Wireless storage bags not only house wireless devices, but they are made of a certain fabric
that does not allow any wireless signals to get through. This ensures that someone cannot send out a
wireless signal to damage the evidence. Passport bags are used to hold RFID chips and ensure that no
one can read the data on them while in the passport bag. Having different chargers for different models of
laptops and smartphones allows the investigator to extract evidence from a laptop or phone that may
have a dead battery. As for write-block devices, they are used, as the name suggests, to block any writes
to the evidence media so that no data on it can be changed or deleted during an investigation.
In addition to the tools named above there are also software tools that are used to assist the
investigator throughout the investigation process. Some of the tools used by forensic experts include X-
Ways Forensics, SANS Investigative Forensics Toolkit (SIFT), EnCase, Registry Recon, the Sleuth
Kit, and Volatility. X-Ways Forensics is an all-encompassing tool for forensic investigators that can
perform disk imaging and cloning and recover data, amongst other things. SIFT is a multi-purpose
forensic OS that has all the required tools for a computer forensic investigation. EnCase is another
multi-purpose forensic platform and one of the most popular of all. Registry Recon is used for analyzing the
registry, the Sleuth Kit is used for such things as analyzing disk images and carrying out a comprehensive
analysis of file systems, and Volatility is used for incident response and malware analysis (“21 popular,”
2012).
So with a wide variety of forensic tools that serve a multitude of purposes, what kind of
companies are available for hire to perform computer forensic investigations? There are many different
forensic companies that would be happy to help out an organization with any issues relating to computer
forensics. For the purposes of this paper, however, only three will be discussed: Forensicon,
Cyber Investigation Services, and Kroll. Forensicon is a Chicago-based forensic company that serves all
types of clients, ranging from law firms to industrial equipment corporations all the way to healthcare
agencies, and it is very familiar with many different types of cases, including those that involve digital
trade secret theft, digital fraud and white-collar cyber-crime, internet investigations, and computer forensics
expert witness testimony (“Forensicon,” 2014).
Cyber Investigation Services is a forensic company that has been seen on popular television
outlets such as FOX News and NBC, and it provides nationwide coverage of forensic
services. The most common cases it deals with, as the leader in cyber and internet attack defense,
involve reputation concerns, anti-hacking forensics, and anti-stalking (“Cyber investigation,” 2014).
The third forensic company outlined here is Kroll. Kroll is a company that does more than just handle
cases involving computer forensics. Besides computer forensics, Kroll also has a cyber security division,
a data breach and incident response division, and a data breach notification and remediation division.
The computer forensics division is known as cyber crime investigation and offers a wide range of
investigative solutions such as evidence collection, data analysis, and fraud and internal investigations
(“Kroll: Cyber crime,” 2011). So where did computer forensics originate?
The history of computer forensics can be traced all the way back to the 1970s, when military
investigators began finding instances of computer-related activity or cyber-crimes and were looking for
a more comprehensive technique to solve this new technical type of crime (“Computer forensics,”
2011). Once government personnel who were in charge of protecting confidential and secret
information saw the complexity of these cyber-crimes, they decided to perform forensic investigations
into these security breaches. From there they came up with measures to prevent the security breaches
from reoccurring. It was from that point on that the fields of information security and computer forensics
began to interweave, and this would eventually lead to what is seen today.
Knowing where computer forensics originated and where it stands today, what does the future
hold for computer forensics? That is an interesting question, because it is so heavily relied upon now,
more than ever before. As hardware such as data storage devices has advanced, it has
taken longer for investigators to analyze data. This is because data storage devices that
hold more data mean that there is more information to be sorted through and examined. This makes the
investigation process take longer, and it should continue to do so as more storage becomes available in the future.
Another trend that should continue into the future is the use of computer forensic tools, which
should only get better and faster with advancements in technology. That means that as the technology of
computer forensic tools advances (meaning faster tools), analysis will become faster, and at the least this
should compensate for the growth in the size of data storage devices. Additionally, another trend that
should continue to grow in the future is the number of people figuring out new ways to crack the latest
security practices. Hackers are always one step ahead of those securing and protecting the data,
because if it were not for them finding new ways to break down security measures, who would then
look for new ways to mitigate vulnerabilities?
In conclusion, it is clear that, given how heavily reliant people and businesses have become
on computer technology in this day and age, computer forensics is valuable in any criminal
case. No matter if it is a murder case, identity theft, the trading of child pornography or even a less
heinous crime such as illegally downloading an mp3 file off the Internet, the common denominator in
each of these types of crimes is that computer forensics can play an integral role in prosecuting the
accused. Since following the chain of custody is vital to the validity of the evidence presented, it is
important that everything that may potentially be used as evidence be properly documented. Without
properly following the chain of custody the evidence gathered will be inadmissible in a court of law, and
this could also seriously damage the investigator’s reputation.
References
21 popular computer forensics tools. (2012). Retrieved from http://resources.infosecinstitute.com/computer-forensics-tools/
Advantages and disadvantages of computer forensics. (2009). Retrieved from http://www.anushreepatil.myewebsite.com/articles/advantages-and-disadvantages-of-computer-forensics.html
Bavisi, J. (2006). Computer Hacking Forensics Investigators: Reducing Security Breaches. Certification Magazine, 8(3), 36-37.
Computer forensics history. (2011). Retrieved from http://www.computerforensicstraining101.com/history.html
Computer Forensics: Investigation Procedures and Response. (2010). Cengage Learning. ISBN 1-4354-8349-7.
Cyber investigation services. (2014). Retrieved from http://sales.cyberinvestigationservices.com/cyber-investigations-page/?utm_term=+cyber+investigation&gclid=CjwKEAjwwo2iBRCurdSQy9y8xWcSJABrrLiS-j6dp7GnJG77DIQjRTo9-wItRJGdWJpn7S71q7e7kRoCSiPw_wcB
Forensicon. (2014). Retrieved from http://www.forensicon.com/
How to become a computer forensics investigator. (2014). Retrieved from http://www.degreetree.com/resources/how-to-become-a-computer-forensics-investigator
Kroll: Cyber crime investigation. (2011). Retrieved from http://www.krollcybersecurity.com/computer-forensics/cyber-crime-investigation/
Pulido, M. L. (2013). Child pornography: Basic facts about a horrific crime. Retrieved from http://www.huffingtonpost.com/mary-l-pulido-phd/child-pornography-basic-f_b_4094430.html
Welch, T. (1997). Computer crime investigation and computer forensics. Information Systems Security, 6(2), 56.
Zimmerman, E. (2006). Digital Detectives. FSB: Fortune Small Business, 16(2/3), 55-57.