
Cybersecurity - Computer Forensics

What is Computer Forensics?

Electronic devices are everywhere. Most people not only own a device but use several of them every day. They run their social lives through apps like Twitter, Facebook, or eHarmony, and they keep schedules, messages, and other important data on them. Add to that all of the information that applications and companies like Google collect, and you could learn a great deal about a person you'd never met just by accessing the data on their device. Computer forensics is the practice of collecting, preserving, and analyzing that data so that it can be used as evidence, typically in a court of law.


Computer Forensics Use

Crimes committed with computers, such as DDoS attacks, scams, and malware, are the most obvious use for computer forensics, but device evidence matters in ordinary cases too. A stalker's or sexual predator's images, browsing history, and communication history can bolster the case against them. GPS data, communication history, and device activity can place someone near the scene of a crime, or just as well support an alibi: the evidence cuts both ways, and the examiner's job is to report what the data shows, not to prove guilt.

Legally Speaking

Because technology advances so quickly, the law on the search, seizure, and use of device data has been playing catch-up. In 2014, in Riley v. California, the Supreme Court ruled that because a phone holds such an enormous amount of personal data, it cannot be treated like a closed container such as a purse, wallet, or bag that police may search when they arrest someone. To search a phone, the police generally need a warrant (the Court left room for narrow exceptions such as exigent circumstances). Searching without one violates the Fourth Amendment, which guarantees the right "to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures."

How Does it Work?

When information needs to be as sound as possible, as it does in court, thorough documentation and record keeping are essential. A map of the folders and files catalogues what information is available and where it came from. Recording every step and tool used to obtain the information, along with who handled the evidence and when (the chain of custody), ensures that no step is missed and helps show that the data was gathered legally and accurately.

Securing the device is incredibly important. If the device is tampered with, data could be altered or destroyed, ruining its usefulness and validity for court. It needs to be secured not only physically but electronically too. A person with ill intent doesn't need access to the physical device: a phone or laptop that is still on a network can be wiped or modified remotely, so the device is isolated from Wi-Fi, cellular, and other connections (for example, by switching it to airplane mode or placing it in a shielded bag) as soon as it is seized.

Before an analyst goes digging through folders and opening files, a forensic copy (an image) of the storage must be made, ideally through a write blocker so that nothing can be written back to the original. Only this copy is used for analysis, and a cryptographic hash of the original and of the copy is recorded so that the copy can later be shown to be identical to the original. If data becomes corrupted or information is altered, whether intentionally or unintentionally, it's better for that to happen on a copy than on the primary source.
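As an added example (not from the original article), the following Python script makes a working copy of a source and records the hashes that let an examiner prove the copy matches the original. It is not a replacement for an imaging tool such as dd or dc3dd run behind a hardware write blocker; a plain file stands in for the device, and the file names in it are placeholders chosen for illustration.

```python
"""Added example (not from the original article): make a working copy of a
source and prove, with hashes, that it is byte-for-byte identical to it.

Real acquisitions read the device through a write blocker with a tool such
as dd or dc3dd; here a plain file stands in for the device, and the paths
below are placeholders chosen for illustration.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # stream 1 MiB at a time so multi-GB images never sit in RAM


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, log):
    """Copy source to image, hashing the bytes as they are read.

    Appends a JSON line with both hashes to log. Returns True only when the
    image on disk hashes to the same value as the bytes read from the source;
    a mismatch means the copy is unfaithful and must be redone before any
    analysis starts.
    """
    read_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            read_hash.update(chunk)
            dst.write(chunk)
    record = {
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": str(source),
        "source_sha256": read_hash.hexdigest(),
        "image": str(image),
        "image_sha256": sha256_of(image),
    }
    with open(log, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record["source_sha256"] == record["image_sha256"]


def verify(image, log):
    """Re-hash the working copy and compare with the hash recorded at
    acquisition. False means the copy has changed (or was never logged)."""
    recorded = None
    with open(log) as f:
        for line in f:
            rec = json.loads(line)
            if rec["image"] == str(image):
                recorded = rec["image_sha256"]
    return recorded is not None and sha256_of(image) == recorded


def demo():
    """Run the acquire/verify cycle on a constructed 2 KiB 'device', then
    alter one byte of the copy to show that verification catches it."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sdb.raw")  # constructed sample source
    image = os.path.join(workdir, "evidence.dd")
    log = os.path.join(workdir, "acquisition.log")
    sample = b"0123456789abcdef" * 128  # 2048 bytes = four 512-byte sectors
    with open(source, "wb") as f:
        f.write(sample)
    results = {"acquired": acquire(source, image, log)}
    results["verified"] = verify(image, log)
    with open(image, "r+b") as f:  # simulate an accidental write to the copy
        f.seek(10)
        f.write(b"X")
    results["verified_after_change"] = verify(image, log)
    # The original is untouched by everything above.
    results["source_intact"] = sha256_of(source) == hashlib.sha256(sample).hexdigest()
    return results


if __name__ == "__main__":
    print(demo())
```

The decisive line is the hash comparison at the end of acquire(): an image whose hash differs from the bytes read from the source is discarded and re-acquired, and every later report quotes the recorded hash so that anyone can check that the copy analysed is the copy that was made.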

Once the copy has been made and verified, the analyst can begin digging into the data. If encrypted files are found, the analyst tries to recover the key or password needed to decrypt them. In addition to the obvious files and folders, a forensics specialist looks for hidden data: files the user tried to delete, and fragments still sitting in unallocated space on the disk, where a deleted file's contents remain until they happen to be overwritten.
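To show what "floating in unallocated space" means in practice, here is an added example (not from the original article) of the simplest recovery technique, signature-based carving: scan raw bytes for the header and footer of known file types and cut out what lies between, no filesystem metadata required. The signatures and the sample "unallocated space" are constructed for the demonstration; real carvers such as foremost, scalpel, and PhotoRec know hundreds of formats and parse the internal structure of each one.

```python
"""Added example (not from the original article): carve files out of raw
bytes by their signatures, the way an examiner recovers data that still
sits in unallocated space after its directory entry was deleted.

The two signatures and the sample 'unallocated space' below are
constructed for the demonstration.
"""

# Header and footer byte sequences for two common formats.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed stand-ins: shaped like the real formats (correct header and
# footer) but not viewable images.
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x01" * 30 + b"\xff\xd9"


def build_sample_unallocated():
    """Raw bytes in which two 'deleted' files and one partly overwritten
    file survive with nothing in a filesystem pointing at them."""
    blob = bytearray(b"\x00" * 512)                        # wiped sector
    blob += FAKE_PNG + b"\x00" * (512 - len(FAKE_PNG))     # PNG at offset 512
    blob += FAKE_JPEG + b"\xab" * (1024 - len(FAKE_JPEG))  # JPEG at offset 1024
    blob += FAKE_JPEG[:20] + b"\x00" * 200                 # tail overwritten, at 2048
    return bytes(blob)


def carve(blob):
    """Return hits sorted by offset.

    A header with no footer after it is reported with complete=False and
    runs to the end of the blob; the examiner decides whether the fragment
    is worth keeping. Two limits of this approach: fragmented files come
    out wrong because their pieces are not contiguous, and a footer pattern
    can occur inside file data before the real end, which is why real
    carvers also parse each format's internal lengths.
    """
    hits = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start < 0:
                break
            end = blob.find(footer, start + len(header))
            if end < 0:
                hits.append({"offset": start, "type": ftype, "complete": False,
                             "data": blob[start:], "size": len(blob) - start})
                break
            end += len(footer)
            hits.append({"offset": start, "type": ftype, "complete": True,
                         "data": blob[start:end], "size": end - start})
            pos = end
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in carve(build_sample_unallocated()):
        print(hit["offset"], hit["type"], hit["size"], "complete" if hit["complete"] else "TRUNCATED")
```

Carving is why "deleting" a file rarely removes it: the directory entry goes, the bytes stay, and a header/footer scan over the free space finds them. It is also why secure-deletion tools overwrite the data rather than just unlinking it.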

Just finding and documenting the information on a device isn’t enough. A specialist also needs to be able to understand their findings. Because the information is likely to be used in a trial, the work will be heavily scrutinized. Being able to astutely describe findings and explain their relevance is part of the job and can make or break a case.

Anti-Forensics

Ok, so you make some copies, look at the files and document all your work. It sounds straightforward enough. If you were doing forensics on your friend’s or your parent’s devices, it may be. Working on a device owned by a tech savvy criminal is likely another story.

Information can be hidden in several ways. It can be encrypted: an algorithm transforms the data so that it is unreadable without the key, even to someone who knows exactly which algorithm was used. Some information is stored in files with misleading names or extensions. All sorts of information can be hidden in seemingly mundane files; there is more to data than meets the eye, and just because you don't see it doesn't mean it isn't there. If you were to examine the source code of this web page, you would find far more text than appears on screen. Most of it renders the page you see with the correct formatting, fonts, and images, but other data could be nestled in there, in a comment or an unused attribute, just hiding.

Files can also be split into smaller pieces and stored in multiple locations, a deliberate fragmentation that works like a reverse defrag. Data can be hidden in, or combined with, other files. Images can be modified to carry data, such as another image or even a program, in the pixel values themselves, a technique known as steganography.
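As an added example (not from the original article) of hiding data in pixels, the following Python code embeds a message in the least significant bit of each pixel value and reads it back. It models an image as a flat list of 8-bit grey values so that no image library is needed; the gradient cover image and the message are constructed for the demonstration.

```python
"""Added example (not from the original article): hide bytes in the least
significant bit (LSB) of pixel values and read them back. Pixels are a flat
list of 8-bit grey values; the 64x64 gradient cover and the message used in
the demo are constructed for the demonstration.
"""

LENGTH_BITS = 32  # a 4-byte length prefix tells the reader when to stop


def sample_cover(width=64, height=64):
    """Constructed grey-scale gradient standing in for a photograph."""
    return [(x + 2 * y) % 256 for y in range(height) for x in range(width)]


def _to_bits(data):
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _from_bits(bits):
    """List of bits (multiple of 8) -> bytes."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def embed(pixels, payload):
    """Return a copy of pixels whose LSBs carry len(payload) then payload.

    Each pixel changes by at most 1 brightness level, which is why the
    result looks identical to a viewer. Raises ValueError when the cover
    has fewer pixels than there are bits to hide.
    """
    bits = _to_bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(pixels):
        raise ValueError("payload needs %d pixels, cover has %d" % (len(bits), len(pixels)))
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it
    return stego


def extract(pixels):
    """Read the LSB channel back.

    Returns None when the declared length does not fit in the image, the
    usual outcome for an image that has nothing embedded this way.
    """
    lsbs = [p & 1 for p in pixels]
    length = int.from_bytes(_from_bits(lsbs[:LENGTH_BITS]), "big")
    if LENGTH_BITS + length * 8 > len(lsbs):
        return None
    return _from_bits(lsbs[LENGTH_BITS:LENGTH_BITS + length * 8])


if __name__ == "__main__":
    cover = sample_cover()
    stego = embed(cover, b"meet at the pier, 9pm")
    print("recovered:", extract(stego))
    print("largest pixel change:", max(abs(a - b) for a, b in zip(cover, stego)))
    print("cover alone:", extract(cover))
```

The changes are at most one brightness level per pixel, which is why the picture looks unchanged, but they are not invisible to analysis: overwriting the LSBs flattens the statistics of the low bits, and chi-square tests over pairs of adjacent values are a standard way examiners flag images that deserve a closer look.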

Some anti-forensics programs are created specifically for hiding or destroying information. Data deletion is the most common feature. Some wipe just the metadata on files, such as timestamps; others delete browser history and caches; others wipe the whole disk. Another take on anti-forensics is the reverse: these programs plant decoy data, obscuring what is really important and giving forensic specialists more to evaluate. Some do a little of both, removing data while overwriting it with junk.

Computer forensics is a fascinating field that merges technology and law. In order to provide useful and admissible information, everything must be documented well and protocols followed to a T. Between dealing with substantial amounts of data and software created to destroy evidence or hamper the investigation, forensics investigators have their work cut out for them.