A Definition of Computer Forensics
Computer forensics is the identification, collection, preservation, acquisition, investigation, analysis and reporting of digital devices and data present on them so that any information identified is admissible in court proceedings.
The findings of any computer forensics examination should be provided in an understandable and clear format and be supported by a technical or expert witness who is able to explain their findings to a variety of people who may be involved in a trial or the final court hearing.
The Use of Computer Forensics
Anyone can use a computer forensics investigation service to identify and retrieve data from their device.
Law enforcement use computer forensics within any cases where a digital device may be involved. This is conducted to secure and obtain evidence to form the basis of a case or to support other more fundamental evidence within a Prosecution case.
Computer Forensics can also be used by a Defendant in a case to prove their innocence, for example, text messages sent or received on a mobile phone or Internet activity on a computer may show activity and/or intent that differs from the allegations being made by the Prosecution in a case.
A company may use computer forensics techniques to assess the activities of an employee to determine whether a breach in contract has occurred, for example, to identify browsing inappropriate websites or copying or distributing confidential client information including the examination of deleted emails from a server or workstation.
A private individual may require computer forensics services to identify whether a partner has been communicating with another party.
Guidelines for Computer Forensics Providers and Practitioners
The ACPO Guidelines set out 4 main principles that must be adhered to when handling digital forensic evidence; they are as follows:
No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Why are the 4 Principles of Computer Forensics Necessary?
The 4 principles of computer forensics are required to ensure that any such evidence produced from a computer or a mobile phone and placed before a court as part of legal proceedings is subject to the same rules and laws that apply to any other evidence.
They ensure that computer forensic evidence relied upon is no more and no less now than when it was first seized so that it is an accurate reflection of the ‘crime scene’ and so that an independent third party forensics expert could review the findings and achieve the same result.
If, for example, a computer or mobile phone was switched on in an uncontrolled manner whilst in Police custody, the operating system would automatically alter the data present: Internet activity records and time stamps would change and live or deleted data could be overwritten, resulting in the loss of potential evidence.
A computer forensic copy should be acquired in a manner that does not cause the data present to be altered, through the use of a hardware write blocker or a software write-blocking method.
If starting the device is absolutely necessary, the individual responsible should be sufficiently qualified and experienced to be able to explain the consequences of that alteration.
The Processes Involved in the Examination and Investigation of Computer Forensics
In order to adhere to the main principles there are stages that a computer forensics examination should follow. These stages often vary with the type of device involved and the type of potential evidence present on it; however, they are summarised in general below.
Seizure and Handling Procedures
It is critical to establish and follow strict guidelines and procedures when seizing digital evidence, in the same way as for any other evidence. The seizure should be documented and the evidence secured sufficiently so that it can be uniquely identified and protected from any destruction or alteration of the data present.
Normally, the time/date and person responsible for the seizure, as well as the location would be noted contemporaneously.
It is often necessary for a computer forensics examination to take place onsite, rather than the device being taken away from the user, so that they can continue working with it if it is essential to their business. In this event, although an onsite search is often less thorough than an offsite examination, a decision could be made for a search of the device to be conducted at the scene. Any procedures employed to examine a device onsite should adhere to the same principles to ensure that no alteration or loss of data takes place.
If seizure has taken place then the device can be transported securely to the storage location. The device would be conveyed securely without being subjected to any actions or environments likely to cause damage to it. The device would be booked into the property storage location and any subsequent movement of the device is recorded in a log.
Evidence Acquisition Procedures
In order that a computer forensics examination can take place, the data present on the device also needs to be secured. This normally involves acquiring a physical copy of the data present where possible, or otherwise a logical copy. The copy of the data would then be used to form the basis of the examination and investigation.
During the acquisition of any data present, a contemporaneous record should be kept of the actions and activities taken with the device or with the hard drive, memory card or SIM card within it. The serial or unique numbers that specifically identify it are recorded and even photographed, to ensure that it can be proven that the correct device was examined and that the correct procedures were employed in obtaining an accurate and complete copy of the content of the device.
The computer forensic software used to acquire any data from a device should also include the facility to produce hash values for any data retrieved. This normally includes an MD5 or SHA hash value computed over the data at the time it was acquired (normally referred to as the acquisition hash) and subsequent verification of the imaged data by computing a fresh hash value and comparing it against the first (normally referred to as the verification hash).
The hash value allows verification at any later point that the data is identical to the data that was originally present, and can be used by any independent forensic expert in the future to confirm that the data has not been altered.
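The acquisition/verification hash cycle described above, with the contemporaneous record kept alongside it, as an added example that is not part of the original article. It assumes a constructed in-memory "image" in place of a real device read behind a write blocker, and the exhibit reference and examiner names are placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for a disk image; a real acquisition would stream
# from the device through a write blocker rather than from memory.
SAMPLE_IMAGE = b"MBR\x00" + b"sample sector data " * 64 + b"\x00" * 128


def hash_stream(stream, chunk_size=4096):
    """Compute MD5 and SHA-256 together in chunks, as images are large."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def _record(audit_log, event, exhibit_ref, examiner, hashes, **extra):
    """Append a contemporaneous, timestamped entry to the audit trail."""
    entry = {"event": event, "exhibit": exhibit_ref, "examiner": examiner,
             "time_utc": datetime.now(timezone.utc).isoformat(), **hashes, **extra}
    audit_log.append(entry)
    return entry


def acquire(source_bytes, exhibit_ref, examiner, audit_log):
    """Take a bit-for-bit copy and record the acquisition hash of the source."""
    image = bytes(source_bytes)  # the forensic copy that will be examined
    acq = hash_stream(io.BytesIO(source_bytes))
    _record(audit_log, "acquisition", exhibit_ref, examiner, acq)
    return image


def verify(image, exhibit_ref, examiner, audit_log):
    """Recompute the verification hash and compare it with the acquisition hash."""
    acq = next(e for e in audit_log
               if e["event"] == "acquisition" and e["exhibit"] == exhibit_ref)
    ver = hash_stream(io.BytesIO(image))
    matches = ver["md5"] == acq["md5"] and ver["sha256"] == acq["sha256"]
    _record(audit_log, "verification", exhibit_ref, examiner, ver, matches=matches)
    return matches


if __name__ == "__main__":
    log = []
    img = acquire(SAMPLE_IMAGE, "EXHIBIT-PLACEHOLDER-01", "examiner A", log)
    print("copy verified by second examiner:", verify(img, "EXHIBIT-PLACEHOLDER-01", "examiner B", log))
    altered = img[:100] + b"X" + img[101:]  # a single changed byte
    print("altered copy verified:", verify(altered, "EXHIBIT-PLACEHOLDER-01", "examiner B", log))
```

The second verification fails on a single altered byte, which is exactly what lets an independent examiner later show that the copy relied upon is "no more and no less" than what was acquired.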
The Computer Forensics Examination Process
Once an accurate and verified copy of the evidence has been acquired, the investigation and analysis of that computer evidence can take place.
The process of the examination relates specifically to the type of device to be examined, the specific nature of the investigation and the type of evidence that is being sought.
However, the process would include the use of specialist computer or mobile phone forensic software so that all of the live, deleted and hidden data can be included and considered as part of the examination. Additional software may be required to consider certain specific types of data, including the use of virtual machines to replicate the operating system and its behaviour on the device.
It is also important at this stage, if possible, to identify any user-specific activity that could allow the user responsible to be identified, as well as to test any theories that may be formed during the course of the digital investigation and examination.
Documenting and Reporting
Once the computer or mobile phone has been examined, the findings of the investigation should be documented in a clear and concise format so that it can be considered by the instructing party and, if necessary, by the court.
The report should be completely free of bias and written by an individual sufficiently qualified and experienced to provide the type of report being produced. If the individual is providing a technical report then they should not offer opinion within it; if the individual is considered to hold an expert level of training and/or experience, then the report can include not only factual technical information but also expert opinion based upon the evidence found.
The findings and the reasons for the conclusions should also include detailed information explaining the evidence used and the rationale behind those findings. The report should provide enough material that an independent third party forensic examiner/expert could identify the same data and consider it at a later date, and should adhere to the requirements of the court due to hear the evidence (criminal, court martial or civil).
Computer Forensics Expert Witness Testimony
Ultimately, it may be necessary for the computer or mobile phone forensic examiner/expert to provide their examination findings verbally at court.
Initially that is likely to be to legal representatives in a conference to explain the findings and reasoning and to clarify any points that may arise from the report.
Once the final proceedings have begun, if the evidence identified during the examination is significant to the case then it is likely that verbal evidence would be required to explain the processes and procedures undertaken as well as the findings made as a result of the examination.
Depending upon the type of report produced and its acceptance by the court, the evidence given may include expert testimony, which can include opinion based upon fact; however, any opinion and findings must be independent of any instruction and limited to assisting the court in the pursuit of truth and fact.
Written by Matthew Jackson BSc (Hons) MCSFS MEWI MBCS
Computer Forensic and Mobile Phone Forensic Expert Witness for 17 Years
Director, Senior Forensic Consultant of Athena Forensics 0845 882 7386