Tuesday, May 28, 2013

How to Solve a Computer Forensic Case

Computer forensics is the branch of forensic science that deals with obtaining legal evidence from computers and digital media. In a computer forensic case, computer systems and their storage media are analyzed so that evidence can be gathered to support legal theories regarding the defendant or litigant. It is a highly specialized field, and the examiner must follow the appropriate regulations on chain of custody for the evidence.

Things You'll Need


  • Computer to investigate
  • Imaging tool, either hardware or software
  • Write-blocking tool
  • Storage medium for collected data


Instructions

  1. Prepare for the forensic examination. Talk to key people to find out what you are looking for and what the circumstances surrounding the case are. When you have a foundation in the case, start assembling your tools to collect the data in question.
  2. Collect the data from the target media. You will be creating an exact duplicate image of the device in question. To do this, you will need to use an imaging software application like the commercial EnCase or the open source Sleuth Kit/Autopsy (see Resources section).
    To extract the contents of the computer in question, connect the computer you are investigating to a portable hard drive or other storage media, then boot the computer under investigation according to the directions for the software you are using. It is imperative that you follow the directions precisely, because this is where the chain of custody starts. Make sure that you use a write-blocking tool when imaging the media under investigation. This ensures that nothing is added to the device while you are creating your image.
    When collecting evidence, be sure to check email records as well. Oftentimes, these messages yield a great deal of information.

  3. Examine the collected evidence on the image you created. Document anything that you find and where you found it. There are tools available to help look into open files, encrypted files, mapped drives and even analyze network communications. You can look into both commercial products and open source ones.

  4. Analyze the evidence you have collected by manually looking into the storage media and, if the target is a Windows computer, the registry. Be sure to look into Internet searches as well as email and pictures that are stored on the target computer. Criminals often hide incriminating information in pictures and emails through a process called steganography.

  5. Report your findings back to your client. Be sure to provide a clear, concise report; this report may end up as evidence in a court case.
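
The steps above depend on the image staying an exact duplicate and on the chain of custody being documented from acquisition through to the report. The following is an added example, not part of the original post or of any tool it names: it hashes an image with SHA-256 and keeps a hash-chained custody log, so a changed image or an edited log entry is detectable. The function names, log fields and sample image are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1024 * 1024):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):  # chunked: image never sits in memory
            digest.update(chunk)
    return digest.hexdigest()

def _entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}  # all fields but the digest
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, examiner, action, image_path):
    """Record who did what, the image hash at that moment, and a link to the prior entry."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "image_sha256": sha256_file(image_path),
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else None,
    }
    entry["entry_sha256"] = _entry_digest(entry)
    log.append(entry)

def verify_custody(log, image_path):
    """Return a list of problems; an empty list means log and image are consistent."""
    problems, prev = [], None
    for i, entry in enumerate(log):
        if entry["entry_sha256"] != _entry_digest(entry):
            problems.append(f"entry {i}: contents altered")
        if entry["prev_entry_sha256"] != prev:
            problems.append(f"entry {i}: chain broken")
        prev = entry["entry_sha256"]
    if log and sha256_file(image_path) != log[0]["image_sha256"]:
        problems.append("image no longer matches acquisition hash")
    return problems

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".img") as img:  # constructed stand-in image
        img.write(b"\x00" * 4096 + b"constructed sample data")
        img.flush()
        log = []
        add_custody_entry(log, "examiner-a", "acquired image", img.name)
        add_custody_entry(log, "examiner-b", "received for analysis", img.name)
        print(verify_custody(log, img.name))
```

The chain only exposes tampering if the latest `entry_sha256` is also recorded somewhere the holder of the log cannot rewrite, such as the written report.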





