Digital forensics is a branch of computer science that focuses on developing evidence pertaining to digital files for use in civil or criminal court proceedings. Digital forensic evidence would relate to a computer document, email, text, digital photograph, software program, or other digital record which may be at issue in a legal case.
How does it work?
Investigative process of digital forensics can be divided into four major stages, preservation, collection, examination, and analysis.
Preservation: Preservation stage corresponds to freezing the crime scene.
Collection: Collection stage consists in finding and collecting digital information that may be relevant to the investigation.
Examination: Examination stage consists in an in-depth systematic search of evidence" relating to the incident being investigated.
Analysis: The aim of analysis is to draw conclusions based on evidence found.
A number of techniques are used during computer forensics investigations:
Cross-drive analysis: A forensic technique that correlates information found on multiple hard drives. The process, which is still being researched, can be used for identifying social networks and for performing anomaly detection
Live analysis: The examination of computers from within the operating system using custom forensics or existing system administration tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
Deleted files: A common technique used in computer forensics is the recovery of deleted files. Modern forensic software have their own tools for recovering or carving out deleted data. Most operating systems and file systems do not always delete physical file data, allowing it to be reconstructed from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
Volatile data: When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool) prior to removing an exhibit. RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate. The length of time for which data recovery is possible is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.
Analysis tools: A number of open source and commercial tools exist for computer forensics investigation. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.
Dr Ian Hancox, 024 76 150380 email i dot hancox at warwick dot ac dot uk
|Warwick collect/analyse data|
|Warwick collect data|
|Available to user with expertise/ contribution|
|Spare capacity for collaborative research|