Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.
Forensic investigators typically follow a standard set of procedures: after physically isolating the device in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the device's storage media. Once the original media has been copied, it is locked in a safe or other secure facility to maintain its pristine condition. All investigation is done on the digital copy.
Investigators use a variety of techniques and proprietary forensic software to examine the copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a "finding report" and verified against the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation.
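The copy-then-verify procedure described above rests on being able to prove that the working image is bit-for-bit identical to the original media, and that every handling step was recorded. The following Python script is an added example, not code from the original page: it images a constructed in-memory "device" (a byte string standing in for a block device), hashes source and image independently in streaming fashion, writes one chain-of-custody entry per action, and re-verifies the working copy before it is used. The case number and examiner name are placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for a seized device's storage medium. In practice the
# source would be a block device opened read-only behind a hardware write blocker.
ORIGINAL_MEDIA = (b"\x00" * 446) + b"\x55\xaa" + b"budget-2023.xlsx" + (b"\x00" * 4096)


def _as_stream(data):
    """Accept either raw bytes (for the demo) or an open binary file object."""
    return io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data


def sha256_hex(data, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    stream = _as_stream(data)
    stream.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(source, destination, chunk_size=1 << 20):
    """Bit-for-bit copy of source into destination.

    The source is hashed while it is read, and the finished image is hashed
    independently afterwards; the two digests must agree or the image is
    not trustworthy (bad sector, failing cable, truncated write, ...).
    """
    source, destination = _as_stream(source), _as_stream(destination)
    source.seek(0)
    source_hash = hashlib.sha256()
    for chunk in iter(lambda: source.read(chunk_size), b""):
        source_hash.update(chunk)
        destination.write(chunk)
    destination.flush()
    return source_hash.hexdigest(), sha256_hex(destination)


def custody_entry(case_id, evidence_id, action, examiner, digest):
    """One line of the chain-of-custody log; every handling step gets one."""
    return {
        "case": case_id,
        "evidence": evidence_id,
        "action": action,
        "examiner": examiner,
        "sha256": digest,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(original, image):
    """Re-hash both and confirm the working copy still matches the original."""
    return sha256_hex(original) == sha256_hex(image)


def acquisition_demo(media=ORIGINAL_MEDIA):
    """Run the workflow on the constructed media and return the custody log.

    Case number and examiner are placeholder values.
    """
    image = io.BytesIO()
    source_digest, image_digest = acquire_image(media, image)
    if source_digest != image_digest:
        raise RuntimeError("image does not match source; re-acquire before proceeding")
    log = [custody_entry("CASE-0000", "HDD-01", "acquired", "examiner-placeholder", source_digest)]
    # The original now goes into the evidence safe; all later work uses the image.
    if not verify_image(media, image):
        raise RuntimeError("working copy has changed since acquisition")
    log.append(custody_entry("CASE-0000", "HDD-01-IMG", "verified", "examiner-placeholder", image_digest))
    return log


if __name__ == "__main__":
    for entry in acquisition_demo():
        print(entry)
```

Hashing the source while it is read and hashing the finished image separately is what lets the examiner show later that the copy was faithful at acquisition time; re-running `verify_image` before each analysis session (and again before testimony) is how the "verified with the original" step is made demonstrable rather than asserted.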
Cybercrimes cover a broad spectrum, from email scams to downloading copyrighted works for distribution, and are fueled by a desire to profit from another person's intellectual property or private information. Cyberforensics can readily present a digital audit trail for analysis by experts or law enforcement. Developers often build software applications to combat and capture online criminals; these applications are the crux of cyberforensics.
Cyber-forensic techniques include:
Cross-drive analysis, which correlates data found on multiple hard drives
Live analysis, which acquires data from a running system before it is shut down
Deleted file recovery
Each of the above techniques is applied in cyberforensic investigations.
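Two of the techniques listed above, deleted file recovery and cross-drive analysis, can be illustrated together. The following Python script is an added example, not code from the original page: it carves files out of raw unallocated space by header/footer signature (the usual way to recover files whose directory entries are gone), then correlates the carved artifacts across two drive images by SHA-256 so that the same file turning up on both drives is flagged. The drive contents and the minimal PNG/JPEG/PDF shells are constructed; the magic bytes themselves are the real ones. This signature-only scanner does not reassemble fragmented files, which a production carver must handle.

```python
import hashlib

# Header/footer byte signatures used to carve files out of raw space.
# These are the real magic bytes for each type; the scanner is signature-only
# and will not reassemble fragmented files.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed artifacts: minimal header/footer shells, not valid images or PDFs.
PNG_A = SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"A" * 20 + SIGNATURES["png"][1]
PDF_B = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
JPEG_C = b"\xff\xd8\xff\xe0" + b"C" * 16 + b"\xff\xd9"

# Constructed "unallocated space" from two seized drives; filler bytes stand in
# for slack and wiped sectors. PNG_A was deleted from both drives.
SAMPLE_DRIVES = {
    "laptop": b"\x00" * 32 + PNG_A + b"\xff" * 16 + PDF_B + b"\x00" * 8,
    "usb": b"junk" * 5 + JPEG_C + b"\x00" * 10 + PNG_A,
}


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan raw bytes for header..footer pairs.

    Returns a list of (type, offset, data) sorted by offset. A header with no
    matching footer within max_size is treated as truncated and skipped.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Truncated or fragmented: move on to the next header occurrence.
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda item: item[1])


def cross_drive_correlate(drives):
    """Index carved artifacts by SHA-256 across several drive images.

    drives maps a drive label to its raw bytes. Returns {digest: [(drive, type,
    offset), ...]} restricted to artifacts that appear on more than one drive.
    """
    index = {}
    for label, image in drives.items():
        for ftype, offset, data in carve(image):
            digest = hashlib.sha256(data).hexdigest()
            index.setdefault(digest, []).append((label, ftype, offset))
    return {
        digest: hits
        for digest, hits in index.items()
        if len({drive for drive, _, _ in hits}) > 1
    }


if __name__ == "__main__":
    for label, image in SAMPLE_DRIVES.items():
        for ftype, offset, data in carve(image):
            print(f"{label}: {ftype} at offset {offset}, {len(data)} bytes")
    for digest, hits in cross_drive_correlate(SAMPLE_DRIVES).items():
        print(f"shared artifact {digest[:16]}... seen on: {hits}")
```

Recording the offset of each carved artifact matters for the finding report: it lets a second examiner locate the same bytes in the verified image and reproduce the recovery, and the digest ties the artifact on one drive to its copy on another without relying on file names that no longer exist.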
Why is Computer Forensics Important?
Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. You can help your organization if you consider computer forensics as a new basic element in what is known as a “defense-in-depth” approach to network and computer security. For instance, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised and will help you prosecute the case if the intruder is caught.
Legal Aspects of Computer Forensics
Anyone overseeing network security must be aware of the legal implications of forensic activity. Security professionals need to consider their policy decisions and technical actions in the context of existing laws. For instance, you must have authorization before you monitor and collect information related to a computer intrusion. There are also legal ramifications to using security monitoring tools.
Computer forensics is a relatively new discipline to the courts, and many of the existing laws used to prosecute computer-related crimes, legal precedents, and practices related to computer forensics are in a state of flux. New court rulings are issued that affect how computer forensics is applied. The best source of information in this area is the United States Department of Justice’s Cyber Crime web site (http://www.cybercrime.gov). The site lists recent court cases involving computer forensics and computer crime, and it has guides about how to introduce computer evidence in court and what standards apply. The important point for forensics investigators is that evidence must be collected in a way that is legally admissible in a court case.
Increasingly, laws are being passed that require organizations to safeguard the privacy of personal data. It is becoming necessary to prove that your organization is complying with computer security best practices. If there is an incident that affects critical data, for instance, the organization that has added a computer forensics capability to its arsenal will be able to show that it followed a sound security policy and potentially avoid lawsuits or regulatory audits.