Six Unexpected Places A Forensic Investigation Can Go For Clues

Forensics is an ancient discipline, but the introduction of computers into the world of crime introduced a few new twists. To deal with those twists, the field of computer forensics was born. Computer forensics has evolved with computers to include all types of computing devices and networks. Because of the vast array of technologies covered by the field, success in computer forensics requires creativity and imagination. Here are six unexpected places a forensics investigator might look for evidence.


1. Networks: Anyone who knows anything about computer forensics knows investigators will look for clues on the computer. Usually they will go through an outside source, which specializes in . If people think about information on the network, they usually think in terms of data on servers or browser history. Some will think about browser cache. But one of the best sources of information can be the network itself. At its simplest, data gathering might involve logging the origin and destination of every information packet on the local network. A more involved example would be a proxy server – computer positioned between (or on) the gateway router between the local network and the internet. It could log all traffic, and might even perform analysis to find out what is in the packets going from the local network to the internet.

2. Smart Phones: A basic feature phone can provide information like where the owner has been and where he spends time using the GPS data it provides the carrier and records of text messages. The forensic possibilities of a smart phone are much greater. The smart phone is a very powerful computer. It probably has personal information, maybe even financial information on it. Pictures, email and text messages all provide information, sometimes information people don’t even know is there. An investigator might even be able to have the carrier provide information on web habits when the owner is using the carrier’s data network to web surf.

3. Digital Cameras: The newer the camera, the more data it may provide the forensic investigator. A few years ago a camera might provide a time and date stamp. Today it may provide that plus geo-location data, social media information, and any information in the memory card. While not as information rich as a smart phone, many digital cameras provide a wealth of information through photos and sharing data.

4. OnStar and similar services: Car support services like gather data about the automobile and its passengers, though passenger data is limited to what they say through the system and any fiddling with controls like the radio or A/C. Today that information is includes communications with OnStar representatives, location data, approximate speed, and how you use the features in the car. In the OnStar style services may provide other data for the forensic investigator.

5. Search Queries: It is no secret that search engines use the information they learn about us to target advertising. Less known, but no less true, is that even when search data has been ‘anonymized’ to hide who it came from, it is possible to track back to a person using their search data. Forensic investigators can use the searches coming from a single person to identify that person, even if the data is supposed to be anonymous.

6. Hidden Files: Hidden files like print spool files can provide a lot of information. Files can be viewed on a computer without being on the computer hard drive. A web page or a document on a thumb drive may be viewed without leaving any evidence on the computer. But if the document is printed the print spool document will be on the hard drive. Swap files – information saved to the hard drive when RAM is needed – contain information that resided in RAM, but may never have existed on the hard drive. Some applications create their own version of swap files as part of their memory management.

Forensics has changed much over the centuries. Computer forensics has seen as much change in a few decades. Of the six unexpected places for an investigator to find clues listed above, three were either negligible or nonexistent ten years ago. As technology advances, the field will continue to change and grow, and forensic investigators will continue to change and grow with it.

Leave a Reply

Your email address will not be published. Required fields are marked *