Table of Contents
- What is Computer Forensics
- What is Digital Forensics?
- What is a Forensic Investigator?
- Forensic Technology & Forensic Computers
- Computer Forensic Software
- Forensic Data Recovery of Digital Evidence
- History of Computer Forensics
What is Computer Forensics
You may have heard the term digital forensics mentioned on the hit show CSI. Or perhaps you’ve seen the lab techs on Law & Order perform analysis on a hard drive and wondered what this form of computer forensics was. Well, not to worry – you are not alone in wondering what a forensic investigator is, what they do, and whether their job is important. In fact, because digital forensics is such a new career field, lots of people are wondering what digital forensics is, whether it is real, and why they have never heard of it before.
Digital forensics is a subset of the forensic sciences. As you may know, forensic science is the study and examination of evidence having to do with the past. In real-world applications this analysis of evidence typically has to do with a crime, and the scientist is looking at the evidence trying to resolve what happened, who was involved, and when it took place. As in any scientific discipline, a forensic investigator has to use specific methods in his examination of evidence to make sure that he does not tamper with the evidence. The analysis that the scientist makes may be used to determine guilt within a company, to prosecute a criminal, or to prove someone’s innocence.
Within the digital forensic section of the forensic sciences, a forensic investigator is tasked with examining and analyzing digital evidence on digital devices. When the profession first began it was typically limited to mainframe computers. But, as we know, technology has progressed rapidly since the 1970s. Now a digital forensic investigator has to know about computers, the internet, smart phones, servers, databases, portable storage devices, and new technologies as they are invented.
Computer Forensics Definition
A branch of digital forensic science whose job is to examine in a forensically sound manner evidence recovered from digital media and devices.
What is Digital Forensics?
Digital forensics has become a synonym for computer forensics. In the 1970s a computer forensic investigator was only concerned with mainframe computers. In the 80s his investigative role expanded to include personal computers. But since the 80s technology has exploded, and now data can be stored on and transmitted from all sorts of devices. To better explain what a forensic investigator is and to include all of the many devices that he is capable of examining, the term computer forensics was changed to digital forensics to include all digital devices.
With this expansion came an entirely new branch of the forensic sciences. No one person is capable of being an expert in all of the many different technology fields. Within IT forensics, for instance, there are the subsets of network security, database analysis, database examination, database security, internal breach control, external breach analysis, and many more. As new technologies are created, they create new branches within the digital forensic science category.
If someone is interested in a career in digital forensics, the first thing they must determine is which of these subsets they want to specialize in, or whether they want to be a generalist who handles IT forensics, computer forensics, and any other digital forensics that comes their way. Typically in government agencies you will find more generalists who understand a wide range of technologies and lend a hand in several different capacities. In the private sector, however, digital forensic investigators and experts are typically more specialized in one or two specific computer forensic fields.
What is a Forensic Investigator?
When talking about digital forensics, a forensic investigator is someone who is called upon to either retrieve, restore, examine, or analyze digital data. In most cases, these tasks are connected with solving a crime, preventing a crime, or tracking a criminal.
Forensic Investigator Solves Crimes
There have been numerous reports and instances of digital data being retrieved from a crime scene and delivered to the lab, where a forensic investigator is ultimately able to use the information to figure out who committed the crime. In one famous instance, Dr. Conrad Murray was convicted of killing Michael Jackson because his computer contained digital evidence that showed he was administering too much of the drug propofol. This is just one of many instances where a digital forensic investigator looked for clues on a computer, a smart phone, a laptop, or in little trails left on the internet that proved a criminal’s guilt.
Forensic Investigator Prevents Crimes
Within the private sector, one of the most sought-after and lucrative digital forensic positions is that of a computer security expert. Because corporations’ most sensitive data is stored digitally, they are at huge risk of having their most important documents stolen by rival companies, by thieves, or as an act of cyber warfare. Because these corporations are putting themselves at such risk by storing their information digitally, they require the absolute best digital security. Just as Ft. Knox is secured every second of every day, a corporation’s internal and external network has to be secure. An IT forensics expert whose focus is network security checks the network daily, monitors traffic, and probes any access points for potential points of failure. The hope is that they find the flaws or security holes before the criminals do. If they can find them first, then it is just a matter of correcting the problems and going about their business knowing the network has been secured.
How a Forensic Investigator Tracks Criminals
Cell phones are amazing, right? Of course! We can talk almost anywhere and stay connected with our email, favorite websites, and text messages. But this always-on connectivity does come at a cost. If a warrant is granted, an IT forensics expert is able to track a phone number and use GSM triangulation or GPS to find out where a suspect is located and where they are moving. Although a bit scary when you think about it (like a sci-fi thriller gone wrong), when used correctly it is hugely beneficial for law enforcement officers who are trying to prevent a murder, capture a serial killer, or otherwise stop a dangerous crime from happening. All of this is thanks to a digital forensic investigator’s skill at tracking cell phones.
Forensic Technology & Forensic Computers
We’ve discussed how rapidly technology changes. With each of these changes comes a new wave of both hardware and software technologies that digital forensic experts use to examine and analyze their evidence. These new forensic technology products are built and designed to address the new needs of forensic scientists. Initially most digital forensics tools were hardware based. They allowed a forensic computer examiner to perform his necessary analysis on the physical digital components. For instance, in the early 90s one of the most important jobs of a computer forensic investigator was to take a hard drive and make an exact (perfect) replica while taking great care not to write any additional data to the duplicate or the original. The importance of not altering anything was greatly emphasized in court battle after court battle. The claim by the criminal’s attorney was that if there was no proof that nothing was altered, then anything the digital forensic expert said and any analysis he did was worthless, because he could have purposely or accidentally altered information on the hard drive.
This claim was successful in quite a few cases where forensic standards were not used and the computer forensic expert was unable to prove the validity of his analysis. Because some criminals were able to get away with their crimes, a handful of very specialized hardware devices were designed and sold to law enforcement agencies. These devices allowed them to make a perfect duplicate copy while disabling every operation other than reading, so that no data could be written to the drive.
A device like this would have absolutely no purpose in a consumer environment, but as far as a forensic computer examiner was concerned this new forensic technology was absolutely vital for him to be able to perform his job. This tool led the way to other digital forensics tools that were developed out of very special forensic technology needs.
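As an added illustration (not part of the original article and not any vendor's tool), the Python example below shows how an examiner can demonstrate that a duplicate is exact and that the original was not changed: it hashes the bytes while copying, re-hashes the image and the source afterwards, and compares all three values. The function names, file names and the random-byte "drive" are constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large drives do not fill memory

def sha256_of(path):
    """Hash a file or raw device in chunks and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # read-only open; never "r+b" on evidence
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def acquire_image(source, image):
    """Copy source to image, hashing the bytes as they are read."""
    # Read-only open is a software precaution, not a hardware write blocker.
    acquired = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": refuse to overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            acquired.update(block)
            dst.write(block)
    record = {
        "acquisition_sha256": acquired.hexdigest(),
        "image_sha256": sha256_of(image),
        "source_sha256_after": sha256_of(source),  # source unchanged by imaging?
    }
    record["verified"] = len(set(record.values())) == 1
    return record

def demo():
    """Image a constructed 'drive', then show that a one-bit change is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_drive.bin")  # constructed sample data
        image = os.path.join(tmp, "evidence.img")
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 517))
        record = acquire_image(source, image)
        with open(image, "r+b") as fh:  # simulate an accidental one-bit change
            fh.seek(100)
            original = fh.read(1)
            fh.seek(100)
            fh.write(bytes([original[0] ^ 0x01]))
        still_matches = sha256_of(image) == record["acquisition_sha256"]
        return record["verified"], still_matches

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The recorded digests are what let the examiner answer the "could it have been altered?" challenge: any later re-hash of the image that differs from the acquisition value shows the copy is no longer the one that was taken.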
Computer Forensic Software
As time progressed and computers advanced, the need for specialty digital forensic tools that were hardware based started to decrease. Instead, digital forensic investigators found that they needed computer forensics software to analyze the data they recovered. They needed software to examine network traffic, to analyze text message metadata, to examine the source data attached to saved images, and to perform other advanced tasks. Forensic technology manufacturers adapted and began designing digital forensics tools that a forensic computer examiner could use to work through the data that was recovered and find the information they needed to solve a crime.
At times, a computer forensic expert doesn’t need a specialized forensic computer or computer forensic software – instead they just need an intimate knowledge of the Linux or Windows operating systems to search for and find the data they need on the criminal’s hard drive. For instance, in the case of the BTK Killer, digital forensic experts were able to look at the files that Dennis Rader (the serial killer) had sent the police (to taunt them) and determine where the files were created, what computer created them, and who created them. This led to the arrest of Dennis Rader, a serial killer who had killed 10 people across 16 years. Thank goodness for the forensic computer examiner who didn’t have to wait for special computer forensic software but instead used his keen understanding of Windows to track down this killer.
Forensic Data Recovery of Digital Evidence
A special digital forensic subset is that of forensic data recovery. Many times when the police investigators get to the crime scene, the criminal, in an attempt to avoid being caught, has tried to destroy the digital evidence. This may be by wiping his hard drive, burning his computer, or stepping on his cell phone. All of these destruction tactics are meant to damage the digital evidence held in the device. That’s where an investigator and digital forensic tools come in handy! A little-known fact is that when you delete a file from your hard drive (even after emptying the recycle bin or choosing to permanently delete it), there are still small sections of data stored deep inside the hard drive. This data, believe it or not, can be recovered, reassembled, and analyzed to see what the suspect is up to.
In the instance where a criminal tries to physically destroy the digital evidence, an investigator still has forensic technology at his disposal that will enable him to recover certain key portions of the computer, hard drive, or digital device and help him recover the data from the device. The key factor for the forensic data recovery expert is not whether the device will work and accept input; he just needs to be able to pull the data out of memory. By using specialized digital forensic tools and advanced forensic technology, the recovery expert has a very good chance of taking a destroyed device and getting useful information out of it.
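Deleted data can be recovered because deleting a file usually removes only the file system's reference to it and leaves the contents in place until they are overwritten. The added Python example below (not from the original article) shows one common recovery approach, signature-based carving, which scans raw bytes for a JPEG start marker and the matching end marker; the sample "disk image" and all function names are constructed for the example.

```python
JPEG_START = b"\xff\xd8\xff"  # JPEG start-of-image marker plus first segment byte
JPEG_END = b"\xff\xd9"        # JPEG end-of-image marker

def carve_jpegs(raw, max_size=10 * 1024 * 1024):
    """Return (offset, data) for each start/end marker pair found in raw bytes.

    Limitations: a file stored in non-contiguous fragments is not reassembled,
    and a picture with an embedded thumbnail may be cut at the thumbnail's end
    marker. Real carving tools validate the structure between the markers.
    """
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_START, pos)
        if start == -1:
            break
        end = raw.find(JPEG_END, start + len(JPEG_START), start + max_size)
        if end == -1:
            pos = start + 1  # header with no footer in range: partly overwritten
            continue
        end += len(JPEG_END)
        found.append((start, raw[start:end]))
        pos = end
    return found

def build_sample():
    """Build a constructed 'unallocated space' dump with leftover file data."""
    picture = JPEG_START + b"\xe0" + b"constructed-photo-bytes" * 8 + JPEG_END
    fragment = JPEG_START + b"\xe1" + b"overwritten-tail"  # footer already lost
    image = b"\x00" * 4096 + picture + b"\x00" * 512 + fragment + b"\x00" * 1024
    return image, picture

if __name__ == "__main__":
    image, picture = build_sample()
    for offset, data in carve_jpegs(image):
        print(f"recovered {len(data)} bytes at offset {offset}")
```

The intact leftover file is recovered at its original offset, while the fragment whose end was overwritten is skipped rather than reported as a complete file.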
History of Computer Forensics
With a science as overwhelmingly helpful to both the private and government sectors as digital forensics, it must have a long and fascinating history, right? Actually, no. It is an extremely new discipline – one that did not have an official name until 1992! Digital forensic science was born out of necessity. As computers became standard in corporate offices in the 1970s, crimes involving computers were bound to take place.
The very first computer crimes ever recorded were acknowledged in the 1978 Florida Computer Crimes Act. This act specifically legislated against the unauthorized deletion or modification of data on a computer. Signing an act or legislating a law certainly sounds good – but how are you going to enforce it? How will you know if data was deleted or modified? Well, that is where the history of computer forensics begins. A law was written and crimes were starting to take place, so there needed to be someone to call when a computer crime happened: someone who could look at the digital evidence and find the culprit. Because technology has exploded so rapidly since 1978, the academic sciences and the government regulating bodies have not been able to keep up. Instead, forensic technology and the digital forensic sciences have grown wildly without many standards.
Computer crimes grew drastically in the 1980s, and law enforcement, both local and national, realized that they needed computer specialists to handle computer crimes. They needed specialists who knew how to handle digital evidence, not to mention someone who knew what to do with the evidence once it was processed. That’s where a forensic computer examiner came into play. His role was to analyze the digital evidence that was brought in. As computer crimes increased, the digital forensics field grew as well.
Finally, by the 2000s computer crimes were such a major part of society that the worldwide governing bodies realized that they needed standards. These standards would dictate how digital forensic analysis was conducted, the rules a forensic computer examiner must follow in order for his analysis to be admissible in court, and what sort of forensic technology could be used with or without a warrant.
As cyber-terrorism and cyber warfare continue to increase, the need for well-trained, certified, and experienced digital forensic experts has grown. Since the early 2000s numerous accreditation programs have formed – from the Scientific Working Group on Digital Evidence to the Certified Computer Forensic Examiner program. Many other certifications exist, all with the goal of training the next generation of digital forensic professionals to be prepared to go to battle with domestic and foreign digital enemies.
The digital forensic field has certainly grown in the past 40 years and will continue to grow as cyber warfare becomes a more viable method of attacking a nation or corporation. It is a perfect career choice for anyone who likes computers, enjoys solving problems, and wants to help their nation protect itself.