Darren Chaker

Computer forensics is the concept of collecting, examining and confirming on digital information in ways that’s legally admissible. You can use it within the recognition and protection against crime as well as in any dispute where evidence is saved electronically. Computer forensics has comparable examination stages with other forensic disciplines and faces similar issues. For more information aboutcomputer search, visit our website.

Relating to this guide

This informative guide talks about computer forensics from the neutral perspective. It’s not associated with particular legislation or meant to promote a specific company or product and isn’t designed in prejudice of either police force or commercial computer forensics. It’s targeted in a non-technical audience and offers a higher-level look at computer forensics. This informative guide uses the word “computer”, however the concepts affect any device able to storing digital information. Where methods happen to be pointed out they’re provided as good examples only and don’t constitute recommendations or advice. Copying and posting the entire or thing about this article is licensed exclusively underneath the the Creative Commons – Attribution Non-Commercial 3. license

Purposes of computer forensics

You will find couple of regions of crime or dispute where computer forensics can’t be applied. Police force agencies happen to be one of the earliest and heaviest customers of computer forensics and therefore have frequently been the main thing on developments within the area. Computer systems may constitute a ‘scene of the crime’, for instance with hacking [ 1] or denial and services information attacks [2] or they might hold evidence by means of emails, internet history, documents or any other files highly relevant to crimes for example murder, kidnap, fraud and drug trafficking. It is not only the information of emails, documents along with other files which might be of great interest to researchers but the ‘meta-data’ [3] connected with individuals files. A computer forensic examination may reveal whenever a document first made an appearance on the computer, if this was last edited, if this was last saved or printed and which user completed these actions.

More lately, commercial organisations used computer forensics for their benefit in a number of cases for example

Ip thievery

Industrial espionage

Employment disputes

Fraud research


Matrimonial issues

Personal bankruptcy research

Inappropriate email and internet use within the job place

Regulating compliance


For evidence to become admissible it should be reliable and never prejudicial, and therefore whatsoever stages of the process admissibility ought to be the main thing on a computer forensic examiner’s mind. Some recommendations that has been broadly recognized to assistance with this is actually the Association of Chief Cops Sound Practice Guide for Computer Based Electronic Evidence or ACPO Guide for brief. Even though the ACPO Guide is targeted at Uk police force its primary concepts are relevant to any or all computer forensics in whatever legislature. The 4 primary concepts out of this guide happen to be produced below (with references to police force removed):

No action should change data held on the computer or storage media which might be subsequently depended upon in the court.

In conditions in which a person finds it essential to access original data held on the computer or storage media, that individual should be competent to do this and have the ability to give evidence explaining the relevance and also the implications of the actions.

An audit trail or any other record of processes put on computer-based electronic evidence ought to be produced and maintained. A completely independent third-party should have the ability to examine individuals processes and get exactly the same result.

The individual responsible for the analysis has overall responsibility for making certain the law which concepts are stuck to.

To sum up, no changes ought to be designed to the initial, if however access/changes are essential the examiner have to know what they’re doing and also to record their actions.

Live acquisition

Principle 2 above may enhance the question: With what situation would changes to some suspect’s computer with a computer forensic examiner be necessary? Typically, the computer forensic examiner will make a duplicate (or acquire) information from the device that is switched off. A write-blocker[4] would be employed to make a precise bit for bit copy [5] from the original storage medium. The examiner works then out of this copy, departing the initial demonstrably unchanged.

However, it is sometimes difficult or desirable to change a computer off. It might not be easy to switch a computer if doing this would lead to considerable financial or any other loss for that owner. It might not be desirable to change a computer if doing this indicates potentially valuable evidence might be lost. Both in these conditions the computer forensic examiner would want to do a ‘live acquisition’ which may involve managing a small program around the suspect computer to be able to copy (or acquire) the information towards the examiner’s hard disk.

By running this type of program and affixing a destination drive towards the suspect computer, the examiner can make changes and/or inclusions in the condition from the computer that have been not present before his actions. Such actions would remain admissible as lengthy because the examiner recorded their actions, was conscious of their impact and could explain their actions.

Stages of the examination

For that reasons want to know , the computer forensic examination process continues to be split into six stages. Although they come within their usual chronological order, it’s important throughout a test to become flexible. For instance, throughout case study stage the examiner may get a new lead which may warrant further computer systems being examined and means coming back towards the evaluation stage.


Forensic readiness is a vital and from time to time overlooked stage within the examination process. In commercial computer forensics it may include educating clients about system readiness for instance, forensic exams will give you more powerful evidence if your server or computer’s built-in auditing and logging systems are started up. For investigators you will find many places that prior organisation might help, including training, regular testing and verification of software and equipment, knowledge of legislation, coping with unpredicted issues (e.g., how to proceed if child pornography exists throughout an industrial job) and making certain that the on-site acquisition package is finished and functional.


The evaluation stage includes the receiving of obvious instructions, risk analysis and allocation of roles and assets. Risk analysis for police force can include an exam on the probability of physical threat on entering a suspect’s property and just how best to cope with it. Commercial organisations should be conscious of safety and health issues, while their evaluation would also cover reputational and financial risks on accepting a specific project.


The primary area of the collection stage, acquisition, continues to be introduced above. If acquisition will be completed on-site instead of a computer forensic laboratory this stage would come with determining, acquiring and recording the scene. Interviews or conferences with personnel who may hold information that could apply to the examination (that could range from the clients from the computer, and also the manager and person accountable for supplying computer services) would usually be completed at this time. The ‘bagging and tagging’ audit trail would start here by sealing any materials in unique tamper-apparent bags. Consideration must also get to safely and securely moving the fabric towards the examiner’s laboratory.


Analysis is dependent around the more knowledge about each job. The examiner usually provides feedback towards the client throughout analysis and out of this dialogue case study might take another path or perhaps be simplified to a particular areas. Analysis should be accurate, thorough, impartial, recorded, repeatable and completed inside the time-scales available and assets allotted. You will find myriad tools readily available for computer forensics analysis. It’s our thoughts the examiner should use any tool they understand as lengthy as they possibly can justify their choice. The primary needs of the computer forensic tool is it does what it’s designed to do and the only method for investigators to be certain of to these to regularly make sure calibrate the various tools they will use before analysis happens. Dual-tool verification will tell you result integrity throughout analysis (if with tool ‘A’ the examiner finds artefact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results.)


This stage usually requires the examiner creating an organized set of their findings, addressing what exactly within the initial instructions together with any subsequent instructions. It might also cover every other information that the examiner deems highly relevant to the analysis. The report should be written using the finish readers in your mind oftentimes the readers from the report is going to be non-technical, therefore the terminology should acknowledge this. The examiner ought to be ready to take part in conferences or telephone conferences to go over and elaborate around the report.


Together with the readiness stage, review stage is frequently overlooked or disregarded. This might be because of the perceived costs to do work that’s not billable, or even the need ‘to start the following job’. However, an evaluation stage integrated into each examination might help cut costs and lift the amount of quality by looking into making future exams more effective and time effective. Overview of a test could be simple, fast and can start throughout any of these stages. It might incorporate a fundamental ‘what went wrong and just how is this improved’ along with a ‘what went well and just how will it be integrated into future examinations’. Feedback in the instructing party ought to be searched for. Any training learnt out of this stage should be relevant to the following examination and given in to the readiness stage.

Issues facing computer forensics

The problems facing computer forensics investigators could be divided into three broad groups: technical, legal and administrative.

File encryption – Encoded files or hard disk drives could be impossible for researchers to see with no correct key or password. Investigators should think about the key or password might be saved elsewhere around the computer or on another computer that the suspect has already established use of. It might also live in the volatile memory of the computer (referred to as RAM [6] that is usually lost on computer shut-lower one more reason to think about using live acquisition techniques as layed out above.

Growing space for storage – Storage media holds ever larger amounts of information which for that examiner implies that their analysis computer systems must have sufficient processing energy and available storage to effectively cope with searching and examining large numbers of information.

Technology – Computing is definitely an ever-altering area, with new hardware, software and os’s being constantly created. Not one computer forensic examiner is definitely an expert on every area, though they might frequently be anticipated to analyse a thing that they haven’t worked with before. To be able to cope with this case, the examiner ought to be prepared capable to make sure test out the behavior of recent technologies. Networking and discussing understanding along with other computer forensic investigators can also be very helpful in this way as it is likely another person might have already experienced exactly the same problem.

Anti-forensics – Anti-forensics is the concept of trying to thwart computer forensic analysis. This might include file encryption, the over-writing of information to really make it unrecoverable, the alteration of files’ meta-data and file obfuscation (disguising files). Just like file encryption above, evidence that such techniques happen to be used might be saved elsewhere around the computer or on another computer that the suspect has already established use of. Within our experience, it’s very rare to determine anti-forensics tools used properly and sometimes enough to fully obscure either their presence or the existence of evidence these were accustomed to hide.


Legal arguments may confuse or draw attention away from from the computer examiner’s findings. A good example here will be the ‘Trojan Defence’. A Trojan viruses is a bit of computer code disguised as something benign but with a hidden and malicious purpose. Trojan viruses have numerous uses, and can include key-logging [7], uploading and installing of files and installing of infections. An attorney may have the ability to reason that actions on the computer weren’t completed with a user but were automated with a Trojan viruses with no user’s understanding this type of Trojan viruses Defence continues to be effectively used even if no trace of the Trojan viruses or any other malicious code was located on the suspect’s computer. In such instances, a reliable opposing lawyer, provided with evidence from the competent computer forensic analyst, should have the ability to dismiss this kind of argument.

Recognized standards – You will find an array of standards and recommendations in computer forensics, couple of which seem to be globally recognized. This really is because of numerous reasons including standard-setting physiques being associated with particular legislations, standards being targeted either at police force or commercial forensics although not at both, the authors of these standards not recognized by their peers, or high joining costs dissuading professionals from taking part.

Fitness to rehearse – In lots of areas there’s no being approved body to determine the competence and integrity of computer forensics professionals. In such instances anybody may promote themselves like a computer forensic expert, which may lead to computer forensic exams of questionable quality and an adverse view of the marketplace in general.

Assets and additional reading through

There doesn’t seem like great deal of fabric covering computer forensics that is targeted in a non-technical audience. Nevertheless the following links at links at the end of the page may end up being of great interest end up being of great interest:


1. Hacking: modifying a computer in way that was not initially intended to be able to help the hacker’s goals.

2. Denial and services information attack: an effort to avoid legitimate customers of the computer system from getting use of that system’s information or services.

3. Meta-data: in a fundamental level meta-information is data about data. It may be embedded within files or saved externally inside a separate file and could contain details about the file’s author, format, creation date and so forth.

4. Write blocker: a hardware device or software program which prevents data from being modified or put into the storage medium being examined.

5. Bit copy: bit is really a contraction from the term ‘binary digit’ and it is the essential unit of computing. A little copy describes a consecutive copy of each and every bit on the storage medium, including regions of the medium ‘invisible’ towards the user.

6. RAM: Ram. RAM is really a computer’s temporary workspace and it is volatile, meaning its contents are lost once the computer is powered off.

7. Key-logging: it of keyboard input giving the opportunity to read a user’s typed passwords, emails along with other private information. Darren chaker provides detailed information on Computer Forensics, Computer Forensics Software, Computer Forensics Consulting and more.

Add Comment

Required fields are marked *. Your email address will not be published.

− one = one