  A Detailed Look at Computer Forensics


    The professional world has become smaller and far more accessible. The barriers that once separated corporations and professionals in different parts of the world have largely disappeared. Enormous advances in information and communications technology have reached a myriad of industries, businesses and homes, and, like many other countries, the United States of America has been transformed by them. America's economy now centers on management and information processing rather than on making goods, which has changed the personal and professional lives of its citizens. Our funds are banked and transferred electronically almost daily, and email has become more common than the traditional letter. According to CommerceNet Research Council estimates from 2000, the global online population is approximately 349 million.

    In this era of information technology (IT), the requirements placed on law enforcement are making huge leaps as well. Some conventional crimes, particularly those relating to commerce and finance, are being upgraded technologically on a continual basis. Electronic trails have replaced paper trails. Crimes involving data manipulation and theft are detected every day. Violent crime is not immune to the information age and its effects either. A costly and serious terrorist act is now much likelier to emerge from online sources than from nuclear bombs. A serial killer's diary could be kept on a hard disk or floppy disk instead of on paper.

    Just as industries have shifted from primary manufacturing to information processing, criminal activity has also increasingly taken the cyber path, shedding its traditional physical dimensions. This means that the evidence of criminal activity, and the investigation of it, is now likely to be found on the Internet.

    Computer Forensic Science

    The field of computer forensic science was created to address the specific, articulated requirements of law enforcement and to take advantage of the electronic form in which evidence now exists. The science entails acquiring, retrieving, preserving, and presenting information that has been electronically processed and stored on various forms of computer media. The discipline has had a major impact on a number of investigations and prosecutions, much as DNA technology did in its day.

    At its base, computer forensic science differs from most conventional forensic disciplines. The computer material examined, and the techniques at the examiner's disposal, are products of a market-driven private sector. In addition, unlike regular forensic analyses, computer examinations are commonly required at virtually any physical location, not just within controlled settings. Rather than producing interpretative conclusions, as many forensic disciplines do, this forensic science develops direct data and information. This direct form of data collection has a range of consequences both for the relationship between the forensic scientist and the investigator and for the work product of a forensic computer examination.


    Primarily, computer forensic science is a response to a demand for service from the law enforcement community. In 1984, the FBI laboratory and other law enforcement agencies began developing programs for examining computer evidence. To address the increasing demand from investigators and prosecutors in a structured and programmatic way, the FBI established the Computer Analysis and Response Team (CART) and made it accountable for computer analysis. Though CART's position within the FBI is unique, its functions and organization are replicated in many other law enforcement agencies in America and in a number of other nations.

    An initial issue that law enforcement addressed was identifying resources within the agency that could be used to examine computer evidence. Often these resources were scattered across the agency. Currently, shifting these examinations into a controlled or laboratory environment is gaining precedence. A 1995 survey conducted by the U.S. Secret Service indicated that 48 percent of the agencies had computer forensic laboratories and that close to 68 percent of seized or recovered computer evidence was forwarded to the experts in those laboratories. Though these statistics are encouraging enough to support a monitored, programmatic response to computer forensic requirements, the same survey reported that close to 70 percent of the law enforcement agencies were doing the work without a written procedure manual in place.

    Computer forensic examinations are carried out in forensic laboratories, data processing departments, and in some cases the detective's squad room. The personnel assigned to perform these examinations are often chosen on the basis of the expertise available and of departmental policy. Irrespective of where an examination takes place, a reliable and valid forensic examination is needed. That requirement acknowledges no boundaries of bureaucracy, politics, jurisdiction or technology.

    Efforts are ongoing to develop examination standards and to structure computer forensic examinations. In 1991, a group of six international law enforcement agencies met with several American federal law enforcement agencies. It was unanimously agreed that computer forensic science standards were not up to the mark. The conference convened again in 1995 in Baltimore, Maryland; in 1996 in Australia; and in 1997 in the Netherlands. This ultimately resulted in the formation of the International Organization on Computer Evidence. In addition, the Scientific Working Group on Digital Evidence (SWGDE) was formed to address the problems common to several federal law enforcement agencies.

    A Fresh Relationship

    The disciplines of forensic science have dramatically impacted many criminal investigations, offering compelling testimony at trial. To improve objectivity and reduce the perception of bias, forensic science has traditionally kept itself at arm's length from most of the actual investigation. Only those details of the investigation that are required for the examination are used. Such details might include possible sources of contamination at the crime scene, or the fingerprints of individuals not associated with the investigation who have come into physical contact with the evidence. The science depends on the scientist's ability to draft a report from the objective results of the scientific examination. The actual case may play only a small role in the examination process. In fact, a DNA examination in a rape case could be carried out without knowing the name of the victim or the subject, or the specific circumstances of the crime.

    Computer forensic science, by contrast, is effective when it is driven by the information uncovered during the investigation. With the average storage capacity of a personal microcomputer nearing 30 gigabytes, and systems with 60 GB or more readily available for wide-scale use, it is often impossible or impractical to examine every stored computer file. Also, because computers serve such wide and varied uses in a household or company, searching every file may be unlawful. The computers of physicians or lawyers will contain not only evidence of fraud but also privileged patient and client information. Data stored centrally on a computer server may hold an incriminating email written by the subject alongside the innocent emails of third parties.

    As noted above, scanning every computer file is difficult and practically impossible. Similarly, reading and assimilating the information within the files would not be easy either. For instance, 12 GB of printed text would create a paper stack 24 stories high. Therefore, for practical reasons, this type of forensic science is most effectively used when only the probative data and details of the investigation are given to the forensic examination team. The examiner can use this information to build a keyword list that culls specific, probative, case-related data from huge groups of files. Though the examiner may be legally entitled to search every file, practical constraints such as time limits will not permit it. In most cases, the examination must be limited to well-identified probative data.

    Forensic Output

    Historically, forensic science has produced results known to be both reliable and valid. For instance, DNA analysis attempts to develop specific identifying information about an individual. To support their findings, forensic DNA scientists gather extensive information on the DNA profiles upon which their conclusions are based. By comparison, computer forensic science produces or extracts data. The purpose of the computer examination is to find case-related information. To support the results of a computer forensic examination, procedures are required to make sure the information stored in computer files is not altered during the examination process. Unlike many forensic disciplines such as DNA analysis, computer forensic science makes no interpretive statements about the reliability, accuracy, or discriminating power of the actual information.

    Beyond the item examined and the case-related information it requires, there is one more major difference between computer forensic science and traditional forensic science. Conventional forensic analysis can be controlled within a laboratory and can progress incrementally, logically, and in keeping with the widely accepted practices of forensic science. By comparison, computer forensic science is driven by the market and by technology, is usually conducted outside a laboratory setting, and presents examinations that differ markedly from one situation to the next.

    Common Objectives

    Setting these dissimilarities aside, both conventional forensic analyses and computer forensic science are forensic examinations whose conclusions carry scientific weight. In general, they share all the requirements of good and legal traditional forensic science practice. Both will be presented in court in adversarial and at times extremely probing circumstances. Both should produce reliable and valid results from state-of-the-art, detailed, peer-reviewed and documented procedures and protocols that are accepted by the relevant scientific community.

    As laboratories begin to examine more computer-related evidence, they should establish policies for computer forensic examinations and develop protocols and procedures from those policies. The policies must reflect the broad, community-wide objective of offering valid and reproducible results, even though submissions come from different sources and present unique examination problems. As the laboratory moves from policy statement to protocol development, every individual procedure should be properly documented and must be robust enough to withstand challenges to both the methodology and the results.

    However, unlike some of its conventional forensic counterparts, computer forensic science cannot depend on receiving similar evidence with each submission. For example, once DNA has been freed of contaminants and reduced to its basic form, it is generic. From then on, the forensic DNA analysis protocols can be applied in the same way to every submission, and the criminal justice system expects a reliable and valid result from them. For the reasons listed below, computer forensic science can seldom expect the same standardized, repetitive testing elements in the majority of its submissions.

    • Operating systems, which define a computer's identity and functioning, vary across manufacturers. For instance, personal computers running the DOS (disk operating system) environment are not necessarily similar to multi-user operating systems such as UNIX.
    • Application programs are unique.
    • Storage techniques may be unique to both the device and the media.
    • Typical computer examinations must accommodate the diverse and fast-changing world in which the examiner works.

    Analyzing Computer Evidence

    Computer evidence represented by physical items such as boards, chips, storage media, central processing units, printers, and monitors can be easily and accurately described as a unique form of physical evidence. The description, logging, disposition, and storage of physical evidence are well understood. Forensic laboratories have detailed plans that describe acceptable techniques for handling physical evidence. The physical component of computer evidence presents no particular challenge. But the evidence itself, while stored in these physical items, is latent and exists only in an abstract electronic form. The output reported from the examination is the discovery of this latent data. Though forensic laboratories are extremely good at maintaining the integrity of the physical items under their control, computer forensics also needs methods for ensuring the integrity of the data within those items. The challenge for computer forensic science is to develop methods and techniques that offer reliable and valid results while protecting the real evidence from harm.

    To complicate matters further, almost no computer evidence exists in isolation. It is the product of the data stored, the application used to create and store it, and the computer system that directs these activities. To some extent, it is also a product of the software tools used in the laboratory to extract it.

    The problems of computer forensic science must be tackled within the context of a rapidly changing and emerging environment. Even so, both national and international law enforcement agencies acknowledge the need for common technical approaches and standards. For this reason, a model should be built that functions over the long term, even when transient change is the rule rather than the exception. The model described here is a hierarchical three-level model consisting of the following:

    • An overarching examination principles concept
    • Practices and policies
    • Techniques and procedures

    Examination principles are broad concepts that almost always apply to the examination. They are the consensus approaches of laboratories and professionals about what is important, and they represent collective technical practice together with the experience of forensic computer examiners.

    Organizational policy and practices are the guiding rules that apply to forensic examinations. They are designed to ensure quality and efficiency in the workplace. Within computer forensic science, they are the good laboratory practices by which examinations are planned, performed, monitored, recorded and reported to ensure the quality and integrity of the work product.

    Procedures and techniques are the software and hardware solutions to particular forensic problems. They are detailed instructions for particular software applications and also step-by-step guides that describe the whole examination procedure.

    As a complete example, a laboratory might require that examinations be carried out, wherever feasible, on copies of the original evidence. That requirement is an examination principle. It represents a logical approach adopted by the whole computer forensic community, and it rests on the principle of protecting the original evidence from accidental or unintentional alteration or damage. The principle is premised on the fact that digital evidence can be precisely replicated to create a true and accurate copy.

    Making the copy, and making sure it is true and accurate, is a subset of the principle, namely practice and policy. Each agency and examiner must decide how to implement the principle on a case-by-case basis. The factors affecting that decision include the size of the data set, the method used to create it, and the media it resides on. In some cases, comparing the size and creation dates of the files listed may be sufficient. In other cases, more mathematically rigorous and technically robust techniques, such as calculating a message digest (MD) or a cyclic redundancy check (CRC), may be required.

    MD and CRC are computer algorithms that produce unique mathematical representations of the data. The algorithms are computed for both the original and the copy, and the results are then compared to determine whether the two are identical. The choice of tool should be based on the character of the evidence rather than on laboratory policy alone. It is likely that examiners will require several options for performing this function.

    An examiner who duplicates evidence must first determine the right level of verification, weighing time constraints against the variety of files involved. The mathematical precision and discriminating power of these algorithms typically correlate directly with the time required to calculate them. If there were a million files to be replicated, each no more than 1 kB in size, computational and time constraints would probably be the major determining factor. That scenario would likely call for a faster data integrity algorithm that is less precise and less discriminating.

    Having determined how best to assure the accuracy and completeness of the copy process, the main task follows. It is a subset of practice and policy, or of procedures and techniques. These represent almost a standard cookbook approach to protocol development. They are complete and contain the detailed steps necessary to copy the information, verify that the operation is complete, and ensure that a true and accurate copy has been produced.
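    The tiered copy verification described above, written out as an added example (this is not code from the article): a cheap size comparison, a CRC, and a cryptographic message digest, with a birthday-bound search that shows concretely why the article calls CRC the less discriminating option. The evidence bytes and the 400,000-sample cap are constructed for the demonstration; SHA-256 stands in for the message digest because the MD5 of the article's era is no longer collision-resistant.

```python
"""Tiered verification of an evidence copy: size check, CRC, message digest.
Added example; the 'evidence' below is constructed, not a real image."""
import hashlib
import random
import zlib

# Constructed stand-ins for an original evidence item and two copies of it.
ORIGINAL = bytes(range(256)) * 16                       # 4096 bytes of "evidence"
GOOD_COPY = bytes(ORIGINAL)                             # bit-for-bit copy
BAD_COPY = ORIGINAL[:100] + b"\x00" + ORIGINAL[101:]    # same size, one byte altered


def verify_copy(original: bytes, copy: bytes, level: str) -> bool:
    """Return True if `copy` passes the chosen verification level.

    'size'   : compare lengths only (the article's quick size/date comparison)
    'crc'    : 32-bit cyclic redundancy check (fast, low discriminating power)
    'digest' : cryptographic message digest (SHA-256 here; slower, collision-resistant)
    """
    if level == "size":
        return len(original) == len(copy)
    if level == "crc":
        return zlib.crc32(original) == zlib.crc32(copy)
    if level == "digest":
        return hashlib.sha256(original).digest() == hashlib.sha256(copy).digest()
    raise ValueError(f"unknown verification level: {level}")


def find_crc_collision(max_samples: int = 400_000, seed: int = 1234):
    """Draw random 8-byte blocks until two distinct blocks share a CRC32.

    CRC32 has only 2**32 possible values, so by the birthday bound a collision
    is expected after roughly 65,000 draws; a 256-bit digest would never show
    one in practice. Returns (block_a, block_b) or None if the cap is reached.
    """
    rng = random.Random(seed)   # fixed seed so the demonstration is repeatable
    seen = {}                   # crc -> first block that produced it
    for _ in range(max_samples):
        block = rng.getrandbits(64).to_bytes(8, "big")
        crc = zlib.crc32(block)
        other = seen.get(crc)
        if other is not None and other != block:
            return other, block
        seen[crc] = block
    return None


if __name__ == "__main__":
    for level in ("size", "crc", "digest"):
        print(f"{level:>6}: good copy {verify_copy(ORIGINAL, GOOD_COPY, level)}, "
              f"altered copy {verify_copy(ORIGINAL, BAD_COPY, level)}")
    pair = find_crc_collision()
    if pair:
        a, b = pair
        print(f"CRC32 collision: {a.hex()} and {b.hex()} both give {zlib.crc32(a):08x}")
```

    The size check passes the altered copy, which is the risk the article accepts when time constraints force the cheaper method; both CRC and the digest reject it, and the collision search shows that two different blocks can still pass the CRC check while the digest tells them apart.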

    Again, as Figure 1 illustrates, a principle may generate multiple policies, each of which may accept several different techniques. The route the examiner takes in every case is technologically sound and properly documented for that specific case. However, it may not be the same route the examiner adopts in another case. Conventional forensic examinations, such as the DNA examination of blood recovered from a crime scene, lend themselves to a standardized and routine sequence of steps that can be repeated with every case. Generally, there is no such thing as a common computer evidence procedure. The evidence is likely to differ substantially each time the laboratory receives a submission, and a tailored examination plan will likely be required as well. Though this situation may present a recurring challenge to management controls and checks within the laboratory, it must be addressed and accommodated if this emerging forensic discipline is to remain a reliable and effective tool within the criminal justice system.


    Reliable and valid techniques for recovering information from computers seized as evidence in criminal investigations are becoming fundamental for law enforcement agencies worldwide. These techniques must be technologically robust to ensure that all probative data is recovered. They must also be legally defensible, ensuring that no part of the original evidence is altered and that no information is added to or deleted from the original. The forensic discipline of acquiring, preserving, recovering, and presenting electronically processed and digitally stored information is known as computer forensic science.

    This article looks into the problems surrounding the need to develop laboratory protocols for computer forensic science that meet critical legal and technological objectives. Computer forensic scientists must develop long-term relationships with the criminal justice agencies they serve, for the following reasons:

    • To reduce the amount of information that must be retrieved and to make their examinations more effective and efficient, computer forensic scientists must have particular knowledge of the investigative details. This need is plainly greater than in standard forensic science requests and places more emphasis on case information.
    • Courts require more than the seized equipment. This calls for a joint effort between computer forensic scientists and law enforcement officers to make sure that the technical resources needed to execute a search warrant are sufficient to address both the scope and the complexity of the search.
    • Computers may logically contain both the data identified in the warrant and information that may be constitutionally protected. The computer forensic scientist is probably the individual best qualified to advise both the investigator and the prosecutor on technical answers to these intricate situations.

    Developing examination protocols for computer forensic analysis is unique for several reasons:

    • Unlike some conventional forensic analyses that try to gather as much data as possible from an evidence sample, the intent of computer forensic analysis is to recover any probative data from a huge volume of heterogeneous data.
    • Computer forensic science must accept the market-driven reality of its field and quickly adapt to new products and innovations with reliable and valid examination and analysis methods.
    • The work product of a computer forensic examination also differs from that of most conventional forensic examinations.

    Traditional forensic science tries to develop a series of accurate and reliable facts. For instance, DNA from blood gathered at a crime scene may be matched to a particular individual to establish the fact that the blood shed belonged to that individual. Generally, computer forensic science makes no interpretive statement about the accuracy or reliability of the information obtained and usually renders only the recovered data.

    Protocols for computer forensic science must be laid down hierarchically, so that the overarching principles remain constant and do not fluctuate unnecessarily, while examination techniques can adapt quickly to the computer setup that needs to be examined. This approach to computer forensic protocols may differ from those created for other disciplines of forensic science, but making room for a unique forensic examination is necessary.

    Recovering and Examining Computer Forensic Evidence