Computer Forensics: Techniques and Analyses

Computer forensics is a branch of forensic science whose goal is to examine digital media in a forensically sound manner in order to identify, preserve, recover, analyze and present targeted information. Computer forensics involves techniques similar to those applied in data recovery, but with additional guidelines and practices to create a legal audit trail. It is used worldwide to investigate and present digital evidence in court proceedings on a variety of crimes, including financial fraud, cyberstalking and child pornography.

Computer forensics investigation techniques:

  • Cross-drive analysis: a forensic technique that correlates information found on multiple hard drives.
  • Live analysis: the examination of computers from within the operating system, using custom forensic or existing sysadmin tools to extract evidence. The practice is useful when dealing with encrypting file systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
  • File carving (recovery of deleted files): a common technique in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not erase the physical file data when a file is deleted, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing the deleted material.
  • Steganography (hiding data inside a picture or digital image): one of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. This process is often used to hide pornographic images of children as well as information that a given criminal does not want to have discovered. Computer forensics professionals can counter this by looking at the hash of the file and comparing it to the original image (if available). While the image appears exactly the same, the hash changes as the data changes.
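The two techniques above, file carving by known headers and hash comparison against a known-good original, can be shown together on a small constructed disk image. The following is an added example written for this page, not a tool from the original text: it scans a raw byte image for a few well-known magic numbers (JPEG, PDF, PNG), carves each file from its header to its footer, hashes the carved data with SHA-256, and checks each hash against a set of known-good hashes. The image layout, the file contents and the known-good set are all constructed here for illustration; the "stego" JPEG is simply the original with one byte altered, which is enough to change the hash while the file still looks like a JPEG.

```python
import hashlib

SECTOR = 512

# Known file signatures (magic bytes) -> (extension, footer marking end of file).
# These three magic numbers are real; real carvers support hundreds more.
SIGNATURES = {
    b"\xFF\xD8\xFF": ("jpg", b"\xFF\xD9"),
    b"%PDF-": ("pdf", b"%%EOF"),
    b"\x89PNG\r\n\x1a\n": ("png", b"IEND\xaeB`\x82"),
}

# Constructed sample files (not real images, just header/payload/footer).
JPEG_ORIGINAL = b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"sample-pixel-data" + b"\xFF\xD9"
JPEG_STEGO = JPEG_ORIGINAL.replace(b"pixel", b"pixeL")  # one byte changed, same size
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"IHDR-sample" + b"IEND\xaeB`\x82"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hashes of the files as they were originally distributed (constructed here;
# in practice this comes from the source of the original image or a hash set).
KNOWN_GOOD = {sha256_hex(JPEG_ORIGINAL), sha256_hex(PDF_SAMPLE), sha256_hex(PNG_SAMPLE)}


def build_sample_image() -> bytes:
    """Constructed 8-sector 'disk': files sit in sectors with no directory
    pointing at them, as deleted files do on most file systems."""
    img = bytearray(SECTOR * 8)
    img[SECTOR * 1:SECTOR * 1 + len(JPEG_STEGO)] = JPEG_STEGO
    img[SECTOR * 3:SECTOR * 3 + len(PDF_SAMPLE)] = PDF_SAMPLE
    img[SECTOR * 6:SECTOR * 6 + len(PNG_SAMPLE)] = PNG_SAMPLE
    return bytes(img)


def carve(image: bytes) -> list:
    """Find every known header in the image and carve header..footer spans.
    A file whose footer is missing is carved to the end of the image."""
    found = []
    for magic, (ext, footer) in SIGNATURES.items():
        start = 0
        while True:
            idx = image.find(magic, start)
            if idx == -1:
                break
            end = image.find(footer, idx + len(magic))
            if end == -1:
                data = image[idx:]          # truncated file, carve what is left
                start = len(image)
            else:
                end += len(footer)
                data = image[idx:end]
                start = end
            found.append({"offset": idx, "ext": ext, "size": len(data),
                          "sha256": sha256_hex(data)})
    return sorted(found, key=lambda f: f["offset"])


def triage(image: bytes, known_hashes: set) -> list:
    """Carve the image and flag each file as matching a known-good hash or not.
    A mismatch on an image that 'looks the same' is the signal the text describes."""
    return [{**f, "known_good": f["sha256"] in known_hashes} for f in carve(image)]


if __name__ == "__main__":
    for entry in triage(build_sample_image(), KNOWN_GOOD):
        print(entry)
```

On the constructed image the JPEG at sector 1 is carved but does not match the known-good hash, while the PDF and PNG do; a practitioner would record the offsets and hashes of every carved object so the result can be reproduced from the same image later.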

Data capture and analysis:

Physical Image:
A physical image of a hard drive will capture all of the ones and zeroes contained on the drive. It will capture the deleted space on the hard drive even if the drive has been recently formatted. It will capture deleted files and file fragments on a hard drive. If one is making a physical image of a 1 TB drive, the resulting image file(s) will be 1 TB, unless compression algorithms are used.

Logical Image:
A logical image of a hard drive will capture all the “active” data. If you look at the My Computer icon on your computer and browse through the C drive you are viewing the logical drive and active files. This is what will be captured if one performs a logical capture. Typically, deleted space, deleted files and fragments will NOT be captured. If one is making a logical image of a 1 TB drive, but only 30 GB is active files, then the resulting image will be 30 GB uncompressed.

Targeted Collection:
If a specific set of files or documents is being requested, it may be possible to selectively copy only those items from a storage medium to an image file. This is what we call a targeted collection. If only one folder residing on a network share has responsive documents, it may be prudent or necessary to preserve only those documents. This may be difficult to do if a custodian is not organized, or if the custodian has e-mail in eight different PSTs and none are in separate folders. With current technology it is also possible to run search terms or other filters across a set of data and capture only those files that match the criteria. Targeted collections can greatly reduce the volume of data collected and subsequently reduce costs at all stages of the discovery process.
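The three acquisition modes described above (physical image, logical image, targeted collection) differ in what they capture from the same drive. The following is an added example, not part of the original page, that models a drive as an in-memory array of sectors plus a directory of active files: deleting a file removes only the directory entry and leaves the bytes in place, as the text says most file systems do. A physical image is the whole sector array, a logical image is the set of active files, and a targeted collection is the subset of active files matching a search filter. The disk layout, file names and contents are constructed for illustration; the SHA-256 of the physical image stands in for the hash an examiner records to verify the acquisition later.

```python
import hashlib

SECTOR = 512


class ToyDisk:
    """Constructed in-memory 'drive': raw sectors plus a directory of active files."""

    def __init__(self, sectors: int):
        self.raw = bytearray(SECTOR * sectors)
        self.directory = {}  # path -> (first_sector, length) for active files only

    def write_file(self, path: str, sector: int, data: bytes) -> None:
        self.raw[sector * SECTOR:sector * SECTOR + len(data)] = data
        self.directory[path] = (sector, len(data))

    def delete_file(self, path: str) -> None:
        # Like most file systems: drop the directory entry, leave the bytes on disk.
        del self.directory[path]


def physical_image(disk: ToyDisk) -> bytes:
    """Every sector, allocated or not: same size as the drive."""
    return bytes(disk.raw)


def logical_image(disk: ToyDisk) -> dict:
    """Only the active files the directory points at; deleted data is not captured."""
    return {path: bytes(disk.raw[s * SECTOR:s * SECTOR + n])
            for path, (s, n) in disk.directory.items()}


def targeted_collection(disk: ToyDisk, predicate) -> dict:
    """Active files that match a filter (here a callable over path and content),
    e.g. a search term run across the custodian's data."""
    return {path: data for path, data in logical_image(disk).items()
            if predicate(path, data)}


def image_hash(data: bytes) -> str:
    """Hash recorded at acquisition time so the image can be verified later."""
    return hashlib.sha256(data).hexdigest()


def build_sample_disk() -> ToyDisk:
    """Constructed 16-sector drive with two active files and one deleted file."""
    d = ToyDisk(16)
    d.write_file("/docs/contract.txt", 1, b"Contract between ACME Corp and the custodian.")
    d.write_file("/docs/memo.txt", 3, b"Reminder: team lunch on Friday.")
    d.write_file("/old/draft.txt", 5, b"Draft terms for the ACME Corp deal (superseded).")
    d.delete_file("/old/draft.txt")  # bytes remain in sector 5, no directory entry
    return d


def acquisition_sizes(disk: ToyDisk, predicate) -> dict:
    """Bytes captured by each mode, to compare against the text's 1 TB / 30 GB figures."""
    return {
        "physical": len(physical_image(disk)),
        "logical": sum(len(v) for v in logical_image(disk).values()),
        "targeted": sum(len(v) for v in targeted_collection(disk, predicate).values()),
    }


if __name__ == "__main__":
    disk = build_sample_disk()
    print(acquisition_sizes(disk, lambda p, data: b"ACME" in data))
    print("physical image sha256:", image_hash(physical_image(disk)))
```

Running it shows the physical image at the full drive size with the deleted draft still inside it, the logical image holding only the two active files, and the targeted collection holding just the contract that matches the search term; note that the targeted collection cannot find the deleted draft even though it also mentions ACME, which is the trade-off the text describes.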