We’ve all heard the stories about how a ruthless murder plot is solved when detectives confiscate hard drives, search computer activities and untangle a web of cyber evidence leading to a diabolical killer. It’s the stuff intriguing movie plots are made of? But does it really happen that way? What is computer forensics anyway? Here’s a brief overview of how this emerging cyber sleuthing really goes down, according to tech writer Jonathan Strickland.
Fairly early on the legal system figured out that computer evidence would require unique processes and procedures for obtaining information and still protecting the rights of citizens. Detectives and computer scientists partnered to discuss what they would need to gather evidence from computers which eventually led to the field of study we’ve come to know as computer forensics.
Detectives typically have to get a warrant to search a suspects computer to obtain evidence. The warrant will include where detectives are allowed to search and what type of evidence they can search for. Detectives are not allowed to look any and every where they are suspicious about –the terms of the warrant can’t be too general, they need to be as specific as possible about the evidence they are seeking to gather. This means detectives have to do as much research as possible on the suspect before requesting a warrant. If a detective obtains a warrant to search as suspects laptop, but sees a desktop when he arrives at the suspect’s home, the detective will need to obtain specific permission to search that desktop.
While some computer investigations can be executed quickly, others may take considerably longer. Factors that can impact how long it might take include the detectives level of experience, how many computers will be search, the amount of computer storage that must be searched, whether or not information was hidden or deleted, and any encrypted or password protected files.
And when it comes to how evidence is gathered, here’s what the movies leave out. Computer forensics expert Judd Robbins explains the steps detectives follow when gathering evidence from a computer:
–Secure the computer system to ensure that the equipment and data are safe. This means the detectives must make sure that no unauthorized individual can access the computers or storage devices involved in the search. If the computer system connects to the Internet, detectives must sever the connection.
–Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten. Investigators should make a copy of all the files on the system. This includes files on the computer’s hard drive or in other storage devices. Since accessing a file can alter it, it’s important that investigators only work from copies of files while searching for evidence. The original system should remain preserved and intact.
–Recover as much deleted information as possible using applications that can detect and retrieve deleted data.
–Reveal the contents of all hidden files with programs designed to detect the presence of hidden data.
–Decrypt and access protected files.
–Analyze special areas of the computer’s disks, including parts that are normally inaccessible.
–Document every step of the procedure. It’s important for detectives to provide proof that their investigations preserved all the information on the computer system without changing or damaging it. Years can pass between an investigation and a trial, and without proper documentation, evidence may not be admissible. Robbins says that the documentation should include not only all the files and data recovered from the system, but also a report on the system’s physical layout and whether any files had encryption or were otherwise hidden.
–Be prepared to testify in court as an expert witness in computer forensics. Even when an investigation is complete, the detectives’ job may not be done. They may still need to provide testimony in court All of these steps are important, but the first step is critical. If investigators can’t prove that they secured the computer system, the evidence they find may not be admissible. It’s also a big job. In the early days of computing, the system might have included a PC and a few floppy disks. Today, it could include multiple computers, disks, thumb drives, external drives, peripherals and Web servers.
–Some criminals have found ways to make it even more difficult for investigators to find information on their systems. They use programs and applications known as anti-forensics. Detectives have to be aware of these programs and how to disable them if they want to access the information in computer systems.
[source Computer Forensics Basics]
As fascinating as these procedures are in their use to nab criminals, prosecutors must still be able to authenticate evidence in order for it to ever be introduced in a trial. Ultimately, prosecutors must be able to prove that the evidence came from the suspect’s computer and it hasn’t been altered in any way.