Who attacked this computer system? What actions did they take? What
damage did they do? With what degree of certainty, and under what assumptions,
do we make these assertions? Will these assertions be acceptable in a court?
These questions are asked during the computer forensic analysis process.
The term forensics derives from the Latin forensis, which meant “in open
court or public,” which itself comes from the term forum, referring to an
actual location, a public square or marketplace used for judicial and other
business. Contemporary use of the word forensics, therefore, generally continues
to relate to law, and has come to mean “scientific tests or techniques used
with the detection of crime.” Thus, computer forensics implies a
connection between computers, the scientific method, and crime detection.
Many computer scientists have simply been using the word “forensics” as “a
process of logging, collecting, and auditing or analyzing data in a post-hoc
investigation”. Computer forensics is the science of obtaining, preserving,
and documenting evidence from digital electronic devices, such as computers,
digital cameras, mobile phones and various memory storage devices. All of this
must be done in a manner designed to preserve the probative value of the
evidence and to confirm its admissibility in a legal proceeding.
Computer-based evidence has only recently become common in court
proceedings, but its impact in the legal system has been significant.
Computer scientists can take steps to move computer forensics into a more
rigorous position as a science by being able to make well-reasoned and concrete
claims about the accuracy and validity of conclusions presented in court. Our
goal is to try to point out the confusion between forensic practitioners, law
enforcement officials, and computer scientists, and to encourage a dialog, in
hopes that the groups will begin to work more closely together in order to
solve the critical problems that exist in the application of computer science
to legal issues. We seek to help the different groups understand the steps that
must be taken in order to make claims about computer forensic data, and under
what conditions those claims are appropriate and when they are not.
The Internet is growing explosively, as is the number of crimes committed
against or using computers. As a response to the growth of computer crime, the
field of computer forensics has emerged. Computer forensics involves carefully
collecting and examining electronic evidence, not only to assess the damage
done to a computer as a result of an electronic attack, but also to recover
lost information from such a system in order to prosecute a criminal. Computer
forensics uses computer investigation and analysis techniques to collect
evidence regarding what happened on a computer that is admissible in a court of
law. Computer forensics requires a well-balanced combination of technical
skill and legal and ethical conduct. Computer forensics specialists use
powerful software tools to uncover data to be sorted, and then must figure out
the important facts and how to properly present them in a court of law. Cyber
crime rates are accelerating, and computer forensics is the crucial discipline
that has the power to impede the progress of these cyber criminals. Computer
forensics is defined as “the application of computer investigation and
analysis techniques to gather evidence suitable for presentation in a court of
law”.
There is a widespread use of personal computers in businesses and homes.
Companies are exchanging more information online than ever before, and
high-tech crimes are increasing at a rapid rate. This creates more of a need
for crime investigators to have access to computer-based information. Law
enforcement and the legal establishment are facing a new challenge. Criminal
acts are being committed and the evidence of these activities is recorded in
electronic form. Additionally, crimes are being committed in computer
forensics.
Digital evidence, by its very nature, is invisible to the eye. Therefore the
evidence must be developed using tools other than the human eye. Each step
requires the use of tools or knowledge; the process must be documented,
reliable and repeatable. The process itself must be understandable to the
members of the court. Identifying a piece of digital evidence represents a
three-step process:
the evidence must be definable in its physical form;
it must be identifiable as to its logical position (where does it reside
relative to the file system?);
the evidence must be placed in the correct context in order to read its meaning.
1.2 Forensic Language and Terminology
Those involved in computer forensics often do not understand one another.
Groups have evolved separately with only little interaction. Each group has
largely separate conferences, journals, and research locations, and few
attempts have successfully brought these groups together. Indeed, the language
used to describe computer forensics, and even the definition of the term
itself, varies considerably among those who study and practice it: computer
scientists, commercial ventures, practitioners, and the legal profession. As a
result, it is difficult for these groups to communicate and understand each
other’s goals.
Legal specialists commonly refer only to the analysis, rather than the
collection, of enhanced data: “the tools and techniques to recover, preserve,
and examine data stored or transmitted in binary form.” By way of contrast,
computer scientists have defined it as “valid tools and techniques applied
against computer networks, systems, peripherals, software, data, or users to
identify actors, actions, or states of
Even within the computer science discipline, there is disagreement about
terminology. “Software forensics” has been defined as tracing code to its
authors. Some computer scientists focus largely on the examination of file
system data, whereas others also include the collection of
In practice, forensic analysis of a computer system involves identifying
suspicious objects or events and then examining them in enough detail to form a
hypothesis as to their cause and effect. Data for forensic analysis can be
collected by introspection of a virtual machine during deterministic replay, as
long as nondeterministic events can be logged, the overhead is acceptable, and
the target machine has only a single processor (because multiprocessors
introduce nondeterminism). Specialized hardware can make nondeterministic event
logging practical, but this kind of hardware is rarely available. Most existing
tools simply operate on a live, running system, and look both at system- and
network-level events and at files on a disk.
The concepts of “logging” and “auditing” have been around for a long
time. Anderson and Bonyun first proposed the use of audit trails on computer
systems. They discussed the merits of certain data and the placement of
mechanisms to capture that data, but did not discuss how the process of
selecting data could be generalized. Throughout the early evolution of audit
trails, sophisticated logging capabilities were developed for multiple
platforms. However, the purpose was purely an ad-hoc method of capturing data
thought to be useful for investigatory purposes, and was not intended for legal
UNIX system log (syslog) entries, and the equivalents on other operating
systems, are commonly used forensic data sources. However, these mechanisms
were designed for debugging purposes for programmers and system administrators,
and not for forensics. Similarly, the Sun Basic Security Module (BSM) and its
cross-platform successors are constructed based on high-level assumptions about
what events are important to security, and not to answer specific forensic
questions such as who committed a certain action. The most successful forensic
work has involved unifying these tools using a “toolbox” approach that combines
application-level mechanisms with low-level memory inspection and other
state-based analysis techniques.
Forensic software used in the vast majority of court cases cannot make the
distinction among these methods of file creation. Such software does not
provide sufficient information to enable an analyst to reconstruct previous
events rather than just objects, particularly when those events appear
“ordinary,” such as when committed by insiders. In court, a jury must consider
questions that are not as straightforward as whether a file exists or an action
has taken place. The jury needs to know how the file got there and who took the
action.
1.4 Benefits of the research study
Apart from the technical aspect, legal issues are also involved. Computer
forensic analysts conduct their investigation in such a way that the
electronic evidence will be admissible in court.
There are advantages and disadvantages when it comes to computer forensics.
This field is relatively new, and criminal matters have usually dealt with
physical evidence. This makes electronic evidence something very new.
Fortunately, it has been a helpful tool wherein important data needed for a
case that has been lost, deleted or damaged can be retrieved.
Computer forensics’ main advantage is its ability to search and analyze a
mountain of data quickly and efficiently. Analysts can search for keywords on
a hard drive in different languages, which is beneficial since cyber crimes can
easily cross borders through the internet. Valuable data that has been lost or
deleted by offenders can be retrieved, which becomes substantial evidence in
court. Legal professionals are able to produce data in court that it was
previously impossible to produce.
The disadvantage when using electronic or digital evidence is making it
admissible in court. Data can be easily modified. Analysts must be able to
fully comply with the standards of evidence required in a court of law. The
computer forensic analyst must show that the data has not been tampered with.
His or her own investigation must also be fully documented and accounted for.
Computer forensics must also include training in legal standard procedures when
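As an added illustration of the documented, reliable and repeatable handling this section calls for (example code written for this page, not part of the original text), the following Python seals a constructed sample image with a SHA-256 hash and a chain-of-custody record, then shows that even a one-bit change in a working copy is detected at verification time. The image bytes, item identifier and record field names are assumptions.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (sample bytes, not real evidence).
EVIDENCE_IMAGE = b"\x00" * 64 + b"SAMPLE-FS-HEADER: constructed image" + bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    """Hash in fixed-size chunks so the same code works on a multi-GB image file."""
    h = hashlib.sha256()
    for i in range(0, len(data), 4096):
        h.update(data[i:i + 4096])
    return h.hexdigest()


def create_custody_record(image: bytes, item_id: str, examiner: str, method: str) -> dict:
    """Seal an acquisition: who, when, how, and the hash that every later check must reproduce."""
    return {
        "item_id": item_id,
        "sha256": sha256_hex(image),
        "size_bytes": len(image),
        "acquired_by": examiner,
        "acquisition_method": method,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "chain": [],  # append-only list of hand-offs; earlier entries are never edited
    }


def log_transfer(record: dict, from_party: str, to_party: str, purpose: str) -> dict:
    """Document each hand-off of the evidence; this is the chain of custody."""
    record["chain"].append({"at_utc": datetime.now(timezone.utc).isoformat(),
                            "from": from_party, "to": to_party, "purpose": purpose})
    return record


def verify_integrity(image: bytes, record: dict) -> tuple[bool, str]:
    """Recompute the hash of a working copy and compare it with the sealed record.
    Any mismatch, however small the change, means the copy cannot be presented
    as the acquired evidence."""
    if len(image) != record["size_bytes"]:
        return False, f"size mismatch: {len(image)} vs sealed {record['size_bytes']}"
    digest = sha256_hex(image)
    if digest != record["sha256"]:
        return False, f"hash mismatch: {digest[:16]}... vs sealed {record['sha256'][:16]}..."
    return True, "integrity verified against sealed record"


def tampered_copy(image: bytes, offset: int) -> bytes:
    """Flip one bit at `offset` to simulate an undocumented modification of a copy."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)
```

In practice the sealed record is written at acquisition time and re-verified whenever the image changes hands or is opened for analysis, so the examiner can show the court exactly which copy was examined.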