What is Computer Forensics?
Computer forensics is the investigation of electronic equipment and associated storage media within correct rules and protocols that enable the evidence produced to be used in a court of law or other tribunal or forum.
The forensically sound investigation of computers is not just the preserve of law enforcement, but needs to be applied in any dispute or process whereby computers may deliver up evidence which may be used, or indeed tested, during some decision making or fault-finding process.
A forensically sound process means that the integrity and continuity of the evidence is preserved, and, if necessary, a subsequent examination by a third party could arrive at the same conclusion as the original investigation.
Why is Computer Forensics necessary?
Just by turning on a personal computer, changes can be made to the contents of the hard disk drive, even before anybody touches a keyboard or mouse. Similarly, connecting a hard disk drive to a modern Windows™ computer will cause data to be written automatically to that drive, unless precautions are taken to block such activity.
If someone is reckless enough to attempt to investigate the contents of a computer without first taking steps to protect the integrity of the evidence they seek to examine, then they can expect to be judged harshly on their actions, which may result in their findings being discounted.
What is of paramount importance here is the understanding that working to accepted standards does not simply mean buying a piece of "forensic" software before being let loose on the "suspect computer".
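As an added illustration of the integrity and continuity point above (example code written for this page, not part of the original article or of any forensic product): the source is opened read-only, hashed as it is copied, the written image is re-hashed from disk, and both values are recorded so that a later examiner can confirm the evidence is unchanged. The paths, examiner name and sample disk contents are constructed placeholders, and the script does not replace a hardware write blocker on the source device.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB blocks: a disk image never has to fit in memory

def hash_file(path):
    """SHA-256 of a file, streamed block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source_path, image_path, examiner):
    """Copy the read-only source to image_path, hashing bytes as they are read,
    then re-hash the written file from disk. Returns the acquisition record."""
    h_src = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as out:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            out.write(block)
    image_hash = hash_file(image_path)  # read back from disk, not from memory
    return {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": h_src.hexdigest(),
        "image_sha256": image_hash,
        "acquisition_verified": h_src.hexdigest() == image_hash,
    }

def verify_image(image_path, record):
    """Third-party check: does the image still hash to the recorded value?"""
    return hash_file(image_path) == record["image_sha256"]

def demo():
    """Constructed sample: image a pseudo-disk, verify, then alter one byte to show failure."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "sdb.raw"), os.path.join(d, "sdb.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # constructed, not real evidence
        record = acquire_image(src, img, "examiner placeholder")
        intact = verify_image(img, record)
        with open(img, "r+b") as f:  # simulate post-acquisition alteration
            f.seek(CHUNK + 5)
            b = f.read(1)
            f.seek(-1, os.SEEK_CUR)
            f.write(bytes([b[0] ^ 0xFF]))
        return record["acquisition_verified"], intact, verify_image(img, record)
```

The record returned by acquire_image is what goes into the case file alongside the exhibit reference; verify_image is what a second examiner runs before relying on the image.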
It must be understood that the correct procedures start when the incident is first discovered, and must be adhered to all the way through to the conclusion of the incident, thereby covering the following areas:
- Incident identification and reporting
- Investigation management and documentation
- Identification of potential sources of evidence
- Seizure, handling and identification of exhibits
- Imaging and analysis of data
- Expert opinion
- Presentation of findings
- Report writing
- Providing oral and written evidence to the court or tribunal (if required)
- Backup and data archiving
From experience it can be said that a professionally managed computer investigation can help prove:
- An individual's or organisation's guilt or culpability,
- An individual's or organisation's innocence or non-involvement,
- That an earlier investigation has missed important evidence, or
- That evidence has even been planted.
If you investigate security breaches properly and in a structured manner, you will learn how they happened, who did what and why, but most importantly, perhaps, how to prevent them in the future.
A computer forensic investigation should be viewed as an integral part of the lifecycle of your IT security provision. A successfully managed investigation will add real value to the level of your IT security.
A properly managed computer forensic investigation can be the best value and most productive piece of consultancy your organisation will ever experience.