Computer Forensics

11 10 2011

If you have ever watched a modern TV crime drama such as CSI or Law and Order, chances are you have seen the “tech geeks” who are brought into a crime scene to investigate a computer and recover data and files for the investigation.  What you may not know is that these people do actually exist in the real world, and they are actively working each day to bring criminals to justice.  Their efforts help to find digital criminals around the world, and are an important part of digital crime investigations.

US-CERT defines computer forensics as “the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law” [1].  Compiling this evidence is an important part of the investigative process for the two primary types of computer investigation: those in which one or more computers were used as an instrument to commit a crime or some other type of misuse, and those in which the computer or network is itself the target of a crime [2].  While analysis of the collected data is what ultimately provides the necessary evidence, it can sometimes be difficult to collect the information in the first place.

The two basic types of data collected by investigators are persistent data and volatile data.  Persistent data is data stored on a local hard drive (or another medium) that is preserved when the computer is turned off [1].  Volatile data is any data stored in memory, or in transit, that is lost when the computer loses power or is turned off [1].  It is the volatile data that can be difficult to collect, as it is easily lost during the collection process if the investigators are not careful.  Damaged, deleted, or encrypted files add further complications, requiring investigators to use the correct tools to prevent further damage to the files during collection [1].
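Whatever is collected, persistent image or volatile capture, only counts as evidence if it can be shown to be unchanged after acquisition. The following is an added illustration, not code from the original post or from any of the cited organizations: it seals acquired files with a SHA-256 manifest and later re-verifies them, with all file names and contents constructed for the demo.

```python
# Added example (not from the original post): seal acquired evidence with a hash
# manifest so a reviewer can later show the copies were unchanged. Paths and contents are constructed.
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so multi-gigabyte disk images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def seal_evidence(paths, manifest_path):
    """Record path, size and SHA-256 of every acquired file in a JSON manifest."""
    items = [{"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
             for p in paths]
    with open(manifest_path, "w") as f:
        json.dump({"items": items}, f, indent=2)
    return items

def verify_evidence(manifest_path):
    """Map each path to True if it still matches its sealed hash, else False."""
    with open(manifest_path) as f:
        items = json.load(f)["items"]
    return {i["path"]: os.path.exists(i["path"]) and sha256_file(i["path"]) == i["sha256"]
            for i in items}

def demo():
    """Constructed walk-through: seal two captures, alter one, verify again."""
    work = tempfile.mkdtemp()
    # disk.img stands in for a persistent-data image, memory.dump for a volatile capture
    files = {"disk.img": b"constructed disk image bytes",
             "memory.dump": b"constructed memory capture bytes"}
    paths = {}
    for name, content in files.items():
        paths[name] = os.path.join(work, name)
        with open(paths[name], "wb") as f:
            f.write(content)
    manifest = os.path.join(work, "manifest.json")
    seal_evidence(list(paths.values()), manifest)
    before = verify_evidence(manifest)
    with open(paths["memory.dump"], "ab") as f:   # simulate post-acquisition change
        f.write(b"x")
    after = verify_evidence(manifest)
    return (before[paths["disk.img"]], before[paths["memory.dump"]],
            after[paths["disk.img"]], after[paths["memory.dump"]])
```

The manifest itself should be stored separately from the evidence (and ideally signed), since a manifest that travels with the files it describes proves nothing on its own.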

One example of forensics assisting in a court trial is provided in the recent information released regarding the death of pop singer Michael Jackson.  The computer forensics examiner in the trial recovered critical timeline emails, digital medical charts thought to be non-existent, and a damaging audio recording of an impaired Michael Jackson reportedly made by his personal doctor, who is on trial [4].  This example showcases the ability of computer forensics to recover data that is believed to be lost or undiscoverable.  Modern methods and training are still evolving and improving, increasing the number and skills of individuals who can provide support in cases such as this.

If you are wondering how you can get your foot in the door to the computer forensics world, one example of a training certification program is the Computer Hacking Forensic Investigator certification provided by the EC-Council.  This certification program provides people with the “necessary skills to identify an intruder’s footprints and to properly gather the necessary evidence to prosecute in the court of law” [3].  Such individuals are in demand, and can apply new and evolving technologies to recover evidence in the field.  While certification programs such as this one provide the training, it is also important to acknowledge that methods must adapt as the technology evolves.  For this reason, research facilities like CERT are looking into new methods for computer forensics.

At CERT, the forensics team works on “gap areas” that are not addressed by commercial tools or standard techniques [5].  These areas include resource amplification, memory extraction and analysis, and encryption counter-measures [5].  The study of these areas is intended to improve the performance of computer forensics and increase the ability of investigators to recover and analyze data.  If successful, the effectiveness and quality of digital investigations would be greatly improved.  As the field continues to evolve and improve, I think it would be great to be on the cutting edge of innovative ideas and techniques for recovering and analyzing data that can aid in the capture of cyber criminals.  While you may not have your own trailer or dressing room, you could be a real-life TV star working to bring criminals to justice, though you may have to bring your own camera.

___________________

  1. http://www.us-cert.gov/reading_room/forensics.pdf
  2. http://www.cybersecurityinstitute.biz/forensics.htm
  3. http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx
  4. http://www.sacbee.com/2011/10/05/3963662/jackson-death-trial-showcases.html
  5. http://www.cert.org/forensics/