Monday, January 7, 2013

Computer Forensics

Computer forensics is defined as

techniques used to enable secure collection of computer data and analysis which can be admissible as evidence.

The two key principles of computer forensics are evidential integrity and evidential continuity. Evidential integrity is that the evidence taken must be an exact copy. Evidential continuity means that the chain of events between data contact and evidence presentation must be unbroken.

Throughout a computer forensic exercise, it is important to document all steps thoroughly. When deciding what you need it is important to collect the data you might need for a variety of scenarios. It is good practice to assume that the case may end up in litigation. Remembering that unauthorised seizure can be criminal, it is critical to gain proper permission when gathering evidence. Illegal seizure of equipment or data would lead to an evidential fail.

Care should be taken when gathering evidence as there is a risk that the computer equipment is booby trapped and a poorly executed information gathering may destroy important evidence (e.g dates). Fishing expeditions often result in evidential fails. The use of specialists should be considered. They would often take images of the data to preserve the integrity of the  source data.

How the evidence is retained is important as you must be able to account for evidence at all times post seizure. To ensure evidential integrity forensic software locks data when it is extracted. Failure to perform similar steps would be the third and final example of an evidential fail.