
COMPUTER FORENSICS

Introduction

Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information. Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail. Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high profile cases and is becoming widely accepted as reliable within US and European court systems.

Features

Computer forensic investigations usually follow the standard digital forensic process (acquisition, analysis and reporting). Investigations are performed on static data (i.e. acquired images) rather than "live" systems. This is a change from early forensic practices where a lack of specialist tools led to investigators commonly working on live data. A number of techniques are used during computer forensics investigations.

- Cross-drive analysis
- Live analysis
- Deleted files
- Steganography
- Volatile data

Characteristics

Preservation

When performing a computer forensics analysis, we must do everything possible to preserve the original media and data.

Identification

In the initial phase, this has to do with identifying the possible containers of computer-related evidence, such as hard drives, floppy disks, and log files, to name a few. Understand that a computer or hard drive itself is not evidence - it is a possible container of evidence.

Extraction

Any evidence found relevant to the situation at hand will need to be extracted from the working copy media and then typically saved to another form of media as well as printed out.

Interpretation

Understand that just about anyone can perform a computer forensics "analysis." Some of the GUI tools available make it extremely easy. Being able to find evidence is one thing; the ability to properly interpret it is another story. Entire books could be written citing examples of when computer forensics experts misinterpreted the results of a forensic analysis.

Documentation

Documentation needs to be kept from beginning to end, starting as soon as you become involved in a case. This includes what is commonly referred to as a chain of custody form, as well as documentation pertinent to what you do during your analysis.

Legal Processes

This has to do with the processes and procedures for search warrants, depositions, hearings, trials, and discovery, just to name a few.

Purpose

There are three primary areas in which you will find computer forensics used.

- Public Sector
- Private Sector

Public Sector

Computer forensics is used in the public sector by government and law enforcement personnel to investigate and prosecute crimes. Criminals are using computer technology when committing "traditional" crimes such as homicide, fraud, and auto theft, to name a few. They are also using computer technology to commit crimes that would not be possible without computing devices, such as breaking into a networked system and stealing or altering data, or harassing someone via email.

Private Sector

In the private sector, computer forensic techniques and methodologies are used to investigate electronic break-ins, embezzlement, improper use of computing resources by employees, and theft of trade secrets, among other things.

Advantages

The main task, and the main advantage, of computer forensics is to catch the culprit or criminal involved in a computer-related crime. Information from the computer is most useful in cases involving hardware and software with which the forensics expert is familiar. The basics of computer design and architecture play a prominent role, and the expert should have a great deal of knowledge about fundamental software design and implementation. This is quite often similar from one computer system to another. Experience with one application, file system or operating system can be applied to obtain results in other aspects of the case.

Computer crime exists in many forms. Computer forensics deals extensively with finding the evidence needed to prove the crime, and the culprit behind it, in a court of law. Forensics provides the organization with support and helps it recover its loss. If it is known that the data exists, then alternate formats of the same data or information can also be recovered. The discovery of data or information that can provide vital clues in the prosecution of the criminal is itself a process. A forensics expert always identifies many possible ways to obtain relevant evidence.

In addition to all the benefits of utilizing the services of computer forensics, the professional may also undertake on-site inspections of the premises. This may be required in cases where signs or clues of physical movement are needed.

Some cases may also involve additional information regarding earlier versions or the method of backups, or formatted versions of data or information, which are either created or treated by other application programs. The application programs may also have different formats. Such application programs include word processors, spreadsheets, email, timeline and scheduling applications, and even graphical applications.

The major advantage of computer forensics is the preservation of the evidence that is collected during the process. The protection of evidence can be considered critical. A computer forensics professional should ensure that the computer system being dealt with is handled carefully. Since the subject is a legal one and many laws apply, computer forensics professionals maintain a code of ethics. The cost of operations is also lower in comparison with the security measures that are applied.

Disadvantages

Everything that has an advantage obviously has some disadvantages as well. But the disadvantages in the case of computer forensics can be considered the limitations of the subject. The major disadvantage of computer forensics is the privacy concern. It may happen in some cases that the privacy of the client is compromised. It is the duty of the computer forensics expert to maintain high standards, to keep in mind the sensitivity of the case, and to maintain the privacy and secrecy of the data or information in the client's interests. But in some circumstances it becomes almost impossible for the computer forensics professional to maintain the secrecy of the data or information. This may happen if the information is necessary to prove the crime and must be produced as evidence in a court of law.

There are other disadvantages as well. It is possible that some sensitive data or information that is important to the client may be lost in the course of finding the evidence. The forensics professional must take care that the data, information or possible evidence is not destroyed, damaged, or otherwise compromised by the procedures used to investigate a computer system. There is also a chance that malicious programs are introduced into the computer system and corrupt the data at a later stage. During the analysis process, care should be taken that no computer virus is released or introduced into the computer system. It is also possible that the hardware of the computer system is physically damaged. Evidence that is physically extracted, and the relevant evidence generally, should be properly handled and protected from later damage, which may be either mechanical or electromagnetic in nature. The integrity of the data and information that is acquired should be preserved.

The custody of the data that is acquired as evidence is the responsibility of the computer forensics team. During the time the case is being solved, it may be required that the data or information is stored in the court. In some cases it is also possible that the data is in dispute and neither of the disputing parties can use the data. For this reason business operations may also be affected. The duty of the computer forensics expert is to ensure that justice is delivered as fast as possible so that the inconvenience and the subsequent loss to the organization can be avoided. It is also important that the information acquired during the forensic exploration is ethically and legally respected.

Moreover, despite some of the limitations of Computer Forensics the subject is still perceived. Also, the advantages and benefits of the subject have wide applications in various situations. Measures should be taken, and care on the part of the professional employed for the computer forensics is a must, to avoid any subsequent damage to the computer system. It is also possible in some cases that the operations cost may exceed. Steps should be taken to minimize the cost.

Applications

Use as evidence

In court, computer forensic evidence is subject to the usual requirements for digital evidence. This requires that information be authentic, reliably obtained, and admissible. Some of the cases are cited below.

- A spreadsheet recovered from Duncan's computer contained evidence that showed him planning his crimes. Prosecutors used this to show premeditation and secure the death penalty.
- Hundreds of emails on Lopatka's computer led investigators to her killer, Robert Glass.
- Dr. Conrad Murray, the doctor of the deceased Michael Jackson, was convicted partially by digital evidence on his computer. This evidence included medical documentation showing lethal amounts of propofol.
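The preservation, working-copy and chain-of-custody requirements described above, as an added Python example that is not part of the original essay: it hashes a constructed stand-in image, verifies the working copy against it, and keeps a custody log whose entries are linked by digest so that later edits to the record are detectable. SHA-256 hashing is an assumption (the essay names no method), and the file names, actor names and log fields are hypothetical.

```python
import hashlib, json, os, shutil, tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def add_entry(log, actor, action, evidence_hash):
    """Append a custody entry linked to the previous entry's digest."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"seq": len(log), "actor": actor, "action": action,
            "evidence_sha256": evidence_hash, "prev": prev}
    body["entry_hash"] = hashlib.sha256(
        json.dumps(body, sort_keys=True).encode()).hexdigest()
    log.append(body)

def log_is_intact(log):
    """Recompute each entry digest and check its link to the predecessor."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["entry_hash"] != digest:
            return False
        prev = digest
    return True

def demo():
    """Acquire, copy and verify; then show that alterations are detected."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "original.img")    # hypothetical names
        working = os.path.join(workdir, "working_copy.img")
        with open(original, "wb") as f:      # constructed stand-in for an acquired image
            f.write(b"CONSTRUCTED-SAMPLE-IMAGE" * 1024)
        log, acquired = [], sha256_file(original)
        add_entry(log, "examiner A", "acquired original media", acquired)
        shutil.copyfile(original, working)
        copy_ok = sha256_file(working) == acquired
        add_entry(log, "examiner A", "created working copy", sha256_file(working))
        with open(working, "r+b") as f:      # simulate an accidental write during analysis
            f.write(b"X")
        altered_detected = sha256_file(working) != acquired
        original_untouched = sha256_file(original) == acquired
        chain_ok = log_is_intact(log)
        log[0]["actor"] = "someone else"     # simulate editing the record afterwards
        return copy_ok, altered_detected, original_untouched, chain_ok, not log_is_intact(log)
```

Calling demo() returns five booleans: the copy matched, the altered copy was flagged, the original was untouched, the log verified, and the edited log was rejected.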

Conclusion

Computer forensics has become important in disaster recovery management. It has become its own area of scientific expertise. As technology advances and as computers and digital data permeate more areas of our lives - including those involving crimes and civil disputes - this is likely to be a growth field in the future. Though many things have been discussed here, this does not cover the complete field of computer forensics. It is becoming an important factor in the outcome of civil suits too, along with criminal cases. Hence job opportunities continue to grow. It can be concluded that, besides the traditional forms of evidence that are used, this electronic evidence will prove decisive and very important to the outcome of various cases in the future.
