Besides the scientific status of computer forensic investigation, combining all the juridical, social and deontological norms that portray its main activities and objectives, forensic investigations have an indisputable practical use. Digital forensic science is known to be the branch of forensic science in charge of the recovery and investigation in material found in digital devices, most often related to computer crime. Computer forensic investigation is a more specific field of it and it encompasses examining digital media in order to identify, extract, document and interpret the data found for evidentiary or root cause analysis.
The methods used to discover, recover, monitor or detect juridical relevant information in order to analyze, inspect or resolve a wide range of computer crimes and misuses. The relevance of the inspected data can lead to termination of employment, arrests, preventing future similar activity and even prosecutions, depending on the act severity.
There are numerous activities inside the computer forensic investigations’ spectrum of activity, in both business and nonbusiness fields. Some examples of such eligible situations are: theft, trade secrets, fraud, extortion, pornography, virus distribution, any branches of intellectual property, unauthorized use of personal information, industrial espionage.
As some of these examples can be encountered in business environments as well, there are also some specific examples here as well: tracking internet browsing habits, reconstructing events, wrong dismissal claims, software piracy or selling company bandwidth. All these investigations have a large usage among civil litigations, criminal prosecutors, private corporations, insurance companies, law enforcement officials as well as private citizens.
The entire process is divided in four main steps, as it follows: acquisition, identification, evaluation and presentation. Each of them involves accuracy and dealing with top secret information. Among the numerous restrictions that the investigators have to work with
some of the most important are: not damaging any piece of possible evidence or any document that is not included in the investigating process, preventing viruses or any software applications from affecting the computer in cause, protecting the pieces of evidence
from any possible mechanical or electromagnetic damage once extracted from the device.
Another very important responsibility of the investigator is to establish and maintain a continuous chain of custody, limiting at the same time the amount of the operations made and assuring the honoring of all the ethical rules and laws under which the entire process takes place.
The specificity standard set of the procedure supposes careful analysis of the information that might be useful during the investigation, but the modus operandi implies radical rules to be followed, given the importance of the conclusions and their accuracy. One of these very important things to take into account when searching for evidence is not being random about it, but very organized and selective. One of the ways to do this is designating suspected equipment as off-limits to normal activity.
During the investigation, it is recommended to give special time and effort to installing the proper monitoring tools in order to assure the security of the entire process. After the necessary information gets collected, it is highly relevant that its storage is held in maximum security.
The information is classified in volatile and nonvolatile, after the perishability degree. Some of the most common in the first category are network information, active processes, loggedon users, open files. The nonvolatile information encompasses configuration settings, system files and registry settings available after rebooting and the most adequate way to use it is from a backup copy.
In order for the forensic investigation to develop under normal conditions it is necessary that some requirements are respected concerning the knowledge of the subject given the investigation. These regard hardware features of hard drives and settings, familiarity with BIOS and the way it works, operation systems, software packages knowledge and, selfexplanatory, forensic techniques and packages.
In order to gain experience many such investigations are needed to be performed. But the authorities recommend 16 standardized steps in computer forensic investigation trainings: shutting down the device, documenting the system hardware configuration, taking the system to a secure location, making backups of the hard disks, authenticate the data on every device, documenting the system date, making a list of key words to search for, evaluating the Windows swap, evaluating the file slack, evaluating the unallocated space, searching files, document file names, identify anomalies found, evaluate program functionality, document findings and retain copies of the used software.
The name given to data detecting and recovery is steganalysis. It encompasses some specific methods of detecting and decoding data, such as: human observation, software analysis, statistical analysis on the detecting activity and reconstruction and check swap files for data recovery.