Computer Forensics

Computer Forensics deals with the preservation, identification, extraction, and documentation of computer evidence with respect to irregularities, compromised soft and hardware, computer breaches and incidents of any kind

Like forensics in all other fields, computer forensics involves the use of sophisticated technology that must be applied to guarantee the accuracy of the preservation of evidence and the accuracy concerning evidence processing. Typically, computer forensics tools exist in the form of computer software. The computer forensics specialist guarantees the accuracy of evidence processing results through the use of time-tested evidence procedures, and the use of multiple software tools, developed by different and independent developers. This combination - forensics software of different developers plus forensics specialists - is important to avoid inaccuracies introduced by potential software design flaws and software bugs.


Some typical reasons for an investigation include but are not limited to:
  • Internet usage exceeds norm
  • Inappropriate use of e-mail
  • Use of Internet, e-mail, or computer in a non-work-related manner
  • Theft of information
  • Violation of security policies or procedures
  • Intellectual property infractions
  • Electronic tampering

Baselines that guide a justification to investigate very often include a violation of:

  • Enterprise security policies
  • Legal statutes
  • Mandatory statutes
  • Regulatory statutes

The investigator will need to consult these baselines as appropriate before the determination of the impact begins.

Impact of Incident

Once the reasons for an investigation and the baseline have been determined, it is necessary to determine the impact of the incident.

Some items when determining the impact include, but are not limited to:

  • Benefits to pursue the investigation
  • Liabilities for not pursuing an investigation
  • Obligations to pursue or not pursue
    • Goodwill
    • Partners
    • Other contracts

  • Availability of resources
    • Time
    • People
    • Finances
    • Tools

It is necessary to interview a lot of people during this process and gather the appropriate information. The next step is to draw up a timeline and consider what resources are available to conduct the investigation.

The timeline can begin as a rough estimate of the incident, but as the investigation unfolds, it will grow in its conciseness and completeness. Information from access logs, system logs, and phone logs will construct the timeline. From that point, the different systems and activities will be added so that the penetration becomes a sequence of definable processes.

Furthermore, it is necessary to consider the tools which could be used to gather the information. Various tools aim at providing the auditor with access to erased or hidden data.

The relationship between the business data and systems and the intrusion must be determined. This involves gathering a concise description of all of the compromised systems and their place in the business, including input from data owners, information systems personnel, or upper management. Once the information is compiled, then any correlation between the data and the business must be contemplated. That is, the compromised systems must be taken as a whole to decide if there is a business link between them.

There is an ambiguous part to every investigation: the part where the auditor has to hypothesize, theorize, and even guess what happened.

It might be necessary to isolate or quarantine equipment as part of the investigation. There are a few steps to ensure the protection of the equipment, isolate and protect data from tampering, and secure the investigation scene. Important is to backup the complete machine immediately in order to ensure that data doesnt get lost while performing the investigation.