Nowadays, the great majority of legal cases involve a digital component that, if properly uncovered and examined, has a great chance of helping your case. An examination can reveal a number of interesting things. The scope and cost of the analysis often depend on the nature of the case, so it is very important for the Forensic Examiner to have a clear understanding of what the case is about.
My goal with this article is to help you identify the 10 most common applications and elements of a properly executed forensic application strategy, and how it can positively impact the outcome of your legal cases.
- What is Computer Forensics or Digital Forensics?
Computer Forensics/Digital Forensics is a science involving the recovery and investigation of items found in electronic devices, usually in connection with crimes or corporate investigations. A forensic examination can be done on any of the following: computers, laptops, external hard drives, thumb drives, memory cards (such as the ones found in smart phones and digital cameras), among others.
- Forensic Imaging
A forensic image of the device being examined should be the first step taken before any examination or analysis begins. It is a read-only image of the entire hard drive or device: it includes all the files as well as the unallocated (unused) space of the hard drive. A forensic image is made using either hardware duplicators or software.
Sometimes, when encryption is involved (discussed next), it may be necessary to do a “live forensic image.” A live image is done by making a forensic image of the computer while it is still turned on and logged into by the user.
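The integrity step that makes an image usable as evidence is hashing: the examiner hashes the bytes as they are read from the device, hashes the finished image file, and records both so that anyone can re-verify the image later. The script below is an added illustration, not code from the article or from any imaging product; it stands in for what dd/dc3dd or FTK Imager do, and the "device" it images is a constructed file in a temporary directory rather than a real disk. The examiner name and file names are placeholders.

```python
"""Added example: acquire a bit-for-bit image of a device and prove its
integrity with SHA-256, then show that a later one-byte change is detected.
The "device" is a constructed file, standing in for a real block device."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 64 * 1024  # read size; a real tool would use a multiple of the sector size


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so images larger than memory are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src: Path, dst: Path) -> dict:
    """Copy every byte of src to dst, hashing the stream as it is read,
    then re-hash the finished image. Both hashes must agree, and the
    source must hash to the same value, or the image cannot be relied on."""
    acq = hashlib.sha256()
    size = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            acq.update(block)
            fout.write(block)
            size += len(block)
    os.chmod(dst, 0o444)  # the image is treated as read-only from here on
    verification = sha256_file(dst)
    return {
        "bytes": size,
        "acquisition_sha256": acq.hexdigest(),
        "verification_sha256": verification,
        "verified": acq.hexdigest() == verification,
    }


def verify_image(image: Path, expected_sha256: str) -> bool:
    """Re-hash the image at any later time (e.g. before trial) and compare."""
    return sha256_file(image) == expected_sha256


def acquisition_log_line(src: Path, info: dict, examiner: str) -> str:
    """One line for the acquisition record; examiner is a placeholder value."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return (f"{stamp} source={src.name} bytes={info['bytes']} "
            f"sha256={info['acquisition_sha256']} verified={info['verified']} "
            f"examiner={examiner}")


def acquire_demo() -> dict:
    """Walk through acquisition, verification and tamper detection."""
    with tempfile.TemporaryDirectory() as tmp:
        device = Path(tmp) / "evidence_device.bin"
        image = Path(tmp) / "evidence_device.dd"
        # Constructed device contents: an "active" file followed by unused space
        # and a remnant of an earlier deleted file, all of which the image keeps.
        raw = b"active file contents\n" + b"\0" * 4096 + b"deleted file remnant"
        device.write_bytes(raw)

        info = image_device(device, image)
        info["size_ok"] = info["bytes"] == len(raw)
        info["source_matches"] = sha256_file(device) == info["acquisition_sha256"]
        info["intact"] = verify_image(image, info["acquisition_sha256"])
        info["log"] = acquisition_log_line(device, info, examiner="EXAMINER_PLACEHOLDER")

        # Simulate a later alteration: one flipped byte is enough to fail verification.
        tampered = Path(tmp) / "tampered.dd"
        data = bytearray(image.read_bytes())
        data[0] ^= 0x01
        tampered.write_bytes(data)
        info["tampered_detected"] = not verify_image(tampered, info["acquisition_sha256"])
        return info


if __name__ == "__main__":
    result = acquire_demo()
    print(result["log"])
    print("image verified:", result["verified"], "| tamper detected:", result["tampered_detected"])
```

The log line is what an acquisition record should carry at minimum: when, what, how many bytes, the hash, and who. Real tools add the device serial number and the hardware write-blocker used; whatever the tool, the point is that the hash written at acquisition time is what every later verification is compared against.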
- Forensic Copy
A “forensic copy” is used to collect and preserve active files and is an exact, unaltered copy of the data, including the original file metadata. A forensic copy may be used to preserve data from a user’s home share on a server or, with the cloud now so popular, to preserve the data in question held there.
The downside to a forensic copy is that you will not be able to capture deleted files or information; it only applies to the active files or the files you can see.
- Encryption
Encryption is when data is converted into a format that is not easily accessed without some sort of password or key. This is something that is often overlooked. If encryption is being used, the examiner will need the key to decrypt the image.
If the key cannot be made available, it will be necessary to do a live forensic image since the data is already decrypted. Many companies and individuals are using encryption as an added layer of protection on their devices.
While this is a great way to secure the data, it poses a layer of difficulty for forensics if the type of encryption is not known and/or the key is not made available. Popular encryption software includes McAfee’s SafeBoot Encryption, Symantec’s Endpoint Encryption, and PGP Whole Disk Encryption. Windows and Apple OS both have built-in encryption options which are not active by default but can be turned on: BitLocker (Windows) and FileVault (Apple).
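Whether a drive or volume is encrypted can be checked on the image itself before any time is spent on analysis: full-disk encryption products write ciphertext that is statistically indistinguishable from random bytes, so a region whose byte entropy sits near the 8-bit maximum signals that the key (or a live image) will be needed. The script below is an added illustration, not code from the article or from any product; its sample image is constructed inline, with `os.urandom` bytes standing in for ciphertext, since real ciphertext from BitLocker, FileVault or the other products named above has the same statistical profile.

```python
"""Added example: flag regions of a forensic image that look encrypted by
measuring Shannon entropy per window. The sample image is constructed here."""
import math
import os
from collections import Counter

CHUNK = 4096          # analyse the image in 4 KiB windows
ENCRYPTED_LIKE = 7.5  # bits per byte; text and most documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(image: bytes, chunk: int = CHUNK, threshold: float = ENCRYPTED_LIKE) -> list:
    """Per-window verdicts: offset, entropy, and whether it looks encrypted (or compressed)."""
    rows = []
    for off in range(0, len(image), chunk):
        e = shannon_entropy(image[off:off + chunk])
        rows.append({"offset": off, "entropy": round(e, 2), "encrypted_like": e >= threshold})
    return rows


def summarize(rows: list) -> dict:
    """How much of the image is flagged; a volume encrypted end to end is near 1.0."""
    flagged = sum(1 for r in rows if r["encrypted_like"])
    return {"windows": len(rows), "encrypted_like": flagged,
            "fraction": round(flagged / len(rows), 2) if rows else 0.0}


# Constructed sample image: two windows of plain text, two of zero-filled unused
# space, and four of random bytes standing in for full-disk-encryption ciphertext.
TEXT_REGION = (b"Engagement letter: the client retains counsel for the matter "
               b"described in Schedule A. ") * 100
ZERO_REGION = b"\0" * (2 * CHUNK)
CIPHER_REGION = os.urandom(4 * CHUNK)
SAMPLE_IMAGE = TEXT_REGION[:2 * CHUNK] + ZERO_REGION + CIPHER_REGION


def demo() -> dict:
    rows = triage(SAMPLE_IMAGE)
    return {"rows": rows, "summary": summarize(rows),
            "text_entropy": rows[0]["entropy"],
            "zero_entropy": rows[2]["entropy"],
            "cipher_entropy": rows[4]["entropy"]}


if __name__ == "__main__":
    result = demo()
    for row in result["rows"]:
        print(f"offset {row['offset']:>6}  entropy {row['entropy']:.2f}  "
              f"{'ENCRYPTED-LIKE' if row['encrypted_like'] else 'plain'}")
    print(result["summary"])
```

The caveat a practitioner needs: compressed data (ZIP archives, JPEG photos, video) also scores near 8 bits per byte, so a flagged window means "encrypted or compressed", not "encrypted". Confirm by checking the start of the volume for a known container header before concluding that a key is required, and remember that encryption at the file level (an encrypted PDF, say) shows up as isolated flagged windows rather than a whole flagged volume.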
- Deleted Files vs Deleted Overwritten Files
The device or media being examined will likely contain deleted files. A forensic examination can produce a list of deleted files and of deleted files that have since been overwritten. Deleted files, for the most part, can be recovered in full.
When a file is deleted, the portion of the hard drive that the file resided on is marked for deletion and is considered “unallocated space.” Once the operating system writes to that area, the file becomes overwritten. Deleted overwritten files may not be fully recoverable.
The lack of deleted files on a device or hard drive being analyzed can be a sign of data wiping, operating system re-installation, or some other attempt to conceal data.
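The three situations above (deleted but intact, deleted then overwritten, and free space wiped) and the earlier point that a forensic copy captures only active files can be shown on a toy disk. The script below is an added illustration, not code from the article: it models a block device with an allocation table, deletes a file the way most file systems do (by dropping its table entry and leaving the data blocks alone), and recovers what is left by carving printable strings from the unallocated blocks. The file names and contents are constructed for the walk-through.

```python
"""Added example: a toy block device showing why deleted files stay
recoverable until overwritten, why a file-level forensic copy misses them,
and why wiped free space yields nothing to carve."""
import re

BLOCK = 64  # bytes per block; real file systems use clusters of 4 KiB or more


class ToyDisk:
    """Constructed stand-in for a disk: raw blocks plus an allocation table."""

    def __init__(self, nblocks: int = 16) -> None:
        self.blocks = bytearray(BLOCK * nblocks)
        self.nblocks = nblocks
        self.table = {}  # file name -> list of block numbers

    def free_blocks(self) -> list:
        used = {b for blks in self.table.values() for b in blks}
        return [i for i in range(self.nblocks) if i not in used]

    def _block(self, b: int) -> bytes:
        return bytes(self.blocks[b * BLOCK:(b + 1) * BLOCK])

    def write(self, name: str, data: bytes) -> None:
        """Place data in the lowest free blocks, as a simple allocator would."""
        needed = -(-len(data) // BLOCK)  # ceiling division
        free = self.free_blocks()
        if needed > len(free):
            raise OSError("disk full")
        chosen = free[:needed]
        for i, b in enumerate(chosen):
            piece = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.blocks[b * BLOCK:(b + 1) * BLOCK] = piece
        self.table[name] = chosen

    def delete(self, name: str) -> None:
        # Only the allocation entry goes away; the data blocks are untouched
        # and simply become "unallocated space".
        del self.table[name]

    def read(self, name: str) -> bytes:
        return b"".join(self._block(b) for b in self.table[name]).rstrip(b"\0")

    def forensic_copy(self) -> dict:
        """What a file-level forensic copy preserves: active files only."""
        return {name: self.read(name) for name in self.table}

    def unallocated(self) -> bytes:
        """What only a full forensic image captures: the free blocks' contents."""
        return b"".join(self._block(b) for b in self.free_blocks())

    def wipe_free_space(self) -> None:
        """Zero-fill every free block, as a wiping tool would."""
        for b in self.free_blocks():
            self.blocks[b * BLOCK:(b + 1) * BLOCK] = b"\0" * BLOCK


def carve_strings(raw: bytes, min_len: int = 12) -> list:
    """Recover runs of printable ASCII from raw bytes (simple string carving)."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


# Constructed sample content for the walk-through.
REPORT = b"Q3 revenue figures attached; see spreadsheet for detail."
MEMO = (b"CONFIDENTIAL memo: proposed settlement is 250,000 USD. "
        b"Do not forward outside the legal department. Draft v2.")
NOTES = b"Meeting notes, Tuesday: agenda items 1-4 only."


def walkthrough() -> dict:
    disk = ToyDisk()
    disk.write("report.txt", REPORT)   # fits in block 0
    disk.write("memo.txt", MEMO)       # spans blocks 1 and 2
    disk.delete("memo.txt")            # the user "deletes" the memo

    out = {}
    # Stage 1: deleted, not overwritten. The copy misses it; image + carving finds it.
    out["copy_after_delete"] = sorted(disk.forensic_copy())
    out["carved_after_delete"] = carve_strings(disk.unallocated())

    # Stage 2: new data lands on the memo's first block; only the tail survives.
    disk.write("notes.txt", NOTES)
    out["carved_after_overwrite"] = carve_strings(disk.unallocated())

    # Stage 3: free space wiped; nothing is left to carve (the "no deleted files" sign).
    disk.wipe_free_space()
    out["carved_after_wipe"] = carve_strings(disk.unallocated())
    return out


if __name__ == "__main__":
    for stage, found in walkthrough().items():
        print(f"{stage}: {found}")
```

Two things the toy simplifies: real file systems such as NTFS usually keep the deleted file's name and metadata in the file table for a while, so a tool can often list deleted files by name rather than only carve their contents; and a partially overwritten file is reported as "deleted overwritten" precisely because, as in stage 2, only fragments remain. Stage 3 is why an image with an unusually clean unallocated area deserves a closer look at wiping tools and installation dates.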