© 2002 by CRC Press LLC
Chapter 12
Computer Forensics
Michael J. Corby
The computer forensics specialty is like the American TV show Quincy:
Medical Examiner gone space age. Instead of putting facts together about
a dead body from a few shreds of evidence, computers and their output
are used to figure out the cause of a failure and possibly the perpetrator
of a crime. This field has been evolving and developing since the mid-
1980s. With the proliferation of computer use, the need for computer
forensics has become a necessary and natural consequence of both law
enforcement and operations failure prevention. It is only now that the
business community is evaluating ways to incorporate this practice into
an effective security policy.
The exact nature of computer forensics has been open to interpretation.
The most basic definition is the collection, preservation, and analysis of
computer-related evidence. Judd Robbins, a computer forensics trainer,
has offered a more comprehensive definition:
Computer forensics is simply the application of computer investigation
and analysis techniques in the interests of determining potential legal
evidence. Evidence might be sought in a wide range of computer crime
or misuse, including but not limited to theft of trade secrets, theft of
or destruction of intellectual property, and fraud. Computer specialists
can draw on an array of methods for discovering data that resides in
a computer system, or recovering deleted, encrypted, or damaged file
information. Any or all of this information may help during discovery,
depositions, or actual litigation.1
This definition leaves room for many approaches, which is itself the point:
there is no single “right” way of conducting a computer forensic examina-
tion. In fact, much computer forensics work is part science and part art
form.
The main priority and goal of this discipline is to provide solid legal
evidence that can be admitted into a court of law and can be understood
by laypeople. Kenneth Rosenblatt, Deputy District Attorney for Santa Clara
County, California (Silicon Valley), offers the following commentary on this
situation that is particularly appropriate:
There are a few guidelines and standard practices which present great
frustration for forensics investigators. One reason for the lack of stan-
dards stems from certain methods producing different results on dif-
ferent computer equipment. Furthermore, the pace that technology is
being developed prohibits the standardization of little; practices are
at risk of becoming outdated quickly.2
In addition to the delicacy of collecting, analyzing, and preserving evi-
dence, the examiner must work under great time pressure to restore oper-
ations while still maintaining the integrity and admissibility of the evi-
dence. In other words, the chain of custody (a log documenting every
person who handled the evidence, when, and what was done, so that it can
be shown the evidence was not altered or compromised) must be main-
tained throughout the entire analysis. Steps taken in a logically organized
and well-documented manner defuse a potential objection that the evi-
dence was compromised and improve its chances of withstanding court-
room scrutiny. The same steps used for criminal investigation are also
highly valuable in investigating the root cause of “flukes” or sporadic
failures in the system environment.
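A chain of custody is easier to defend when the log itself cannot be silently edited. The following Python example, added here and not part of the original chapter, shows one way to keep such a log: every handling entry is hashed together with the hash of the entry before it, and the acquisition entry carries the SHA-256 of the evidence. Verification recomputes every link and re-hashes the evidence, so an altered entry, a removed entry, an entry re-hashed to look valid, or a modified evidence file is detected and reported. The evidence bytes, names, and timestamps are constructed for the demonstration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash of an entry's fields (excluding its own digest) over canonical JSON,
    so the same fields always produce the same hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class CustodyLog:
    """Append-only, hash-chained chain-of-custody record for one evidence item."""

    def __init__(self, evidence_id: str, evidence: bytes, custodian: str, when: str):
        self.entries = []
        # The acquisition entry binds the log to the evidence content.
        self.record("acquired", custodian, when,
                    evidence_id=evidence_id, evidence_sha256=sha256_hex(evidence))

    def record(self, action: str, handler: str, when: str, witness=None, **details):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "when": when, "action": action,
                 "handler": handler, "witness": witness, "prev_hash": prev, **details}
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes):
        """Return (ok, reason). Every link is recomputed and the evidence re-hashed."""
        if not self.entries:
            return False, "empty log"
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("seq") != i:
                return False, f"entry {i}: sequence gap (entry removed or inserted)"
            if e.get("prev_hash") != expected_prev:
                return False, f"entry {i}: broken link to previous entry"
            if entry_digest(e) != e.get("entry_hash"):
                return False, f"entry {i}: entry contents altered"
            expected_prev = e["entry_hash"]
        if sha256_hex(evidence) != self.entries[0]["evidence_sha256"]:
            return False, "evidence does not match the hash recorded at acquisition"
        return True, "chain intact"


# Constructed demonstration data (not from any real case).
EVIDENCE = b"raw image of suspect drive, constructed for this example"


def build_demo_log() -> CustodyLog:
    log = CustodyLog("HD-001", EVIDENCE, "A. Examiner", "2002-03-04T09:15:00Z")
    log.record("sealed in evidence bag #17", "A. Examiner", "2002-03-04T09:40:00Z",
               witness="B. Witness")
    log.record("transferred to evidence lab", "C. Custodian", "2002-03-04T13:05:00Z",
               witness="A. Examiner")
    log.record("checked out for analysis", "D. Analyst", "2002-03-05T08:00:00Z",
               witness="C. Custodian")
    return log


def demo() -> dict:
    """What the verifier reports for an intact log and for four kinds of tampering."""
    log = build_demo_log()
    results = {"intact": log.verify(EVIDENCE)}

    # 1. Evidence modified after acquisition: the log is fine, the data is not.
    results["evidence_changed"] = log.verify(EVIDENCE + b"\x00")

    # 2. Handler name edited in place: that entry's digest no longer matches.
    edited = copy.deepcopy(log)
    edited.entries[2]["handler"] = "X. Impostor"
    results["entry_edited"] = edited.verify(EVIDENCE)

    # 3. Edited and re-hashed to look valid: the next entry's prev_hash exposes it.
    rehashed = copy.deepcopy(edited)
    rehashed.entries[2]["entry_hash"] = entry_digest(rehashed.entries[2])
    results["entry_rehashed"] = rehashed.verify(EVIDENCE)

    # 4. An entry silently removed: sequence numbers and links no longer agree.
    dropped = copy.deepcopy(log)
    del dropped.entries[1]
    results["entry_removed"] = dropped.verify(EVIDENCE)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} {'OK ' if ok else 'FAIL'} {reason}")
```

The chain only proves that the log and evidence are consistent with each other; it does not stop a custodian who controls the whole log from rewriting it end to end. That is why the entries also name a witness and why the original log (or its final digest) is deposited with a second party at each transfer.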
SCOPE OF COMPUTER FORENSICS
Like the Quincy TV show, the initial investigation may not even hint at a
possible crime or misbehavior. If the investigation is initiated with the
expectation that data collection will need to withstand the scrutiny of a
court trial, the processed audit trail and conclusions drawn will be well
established and can be reviewed and confirmed by experts. These experts
might be court witnesses, internal auditors, regulators, operations man-
agers, or administrators. Events that warrant forensic analysis are not
based simply on crimes but can be the result of human behavior, physical
events, or organizational or operational issues.
Human Behavior
The term “computer forensics” often involves investigating and prosecut-
ing those with criminal motivations. Possible frauds, thefts, or denial-of-
service attacks are types of incidents that merit forensic examination.
Although such incidents raise the prospect of criminal prosecution, they
do not guarantee a successful one: the burden of proof is highest in crim-
inal cases, so the evidence collected must be of the highest quality. Human
behavior can be as simple as a violation of company policy. It can also
deny dependable service,
compromise data or process integrity, violate privacy and trade secret
agreements, or break the law. An event can occur because of a variety of
human behavioral actions based largely on the “seven deadly sins,” nota-
bly those of greed, jealousy, or revenge. Take a look at the following
underlying behaviors associated with suspect activity:
• Blackmail and extortion
• Fraud
• A disgruntled or surly employee
• “Dropping the dime”
• Sabotage or corporate espionage
Blackmail and extortion are closely related (blackmail is extortion by threat
of disclosure) and are treated together here. These actions can be targeted
at an employee who holds sole responsibility for a critical function in the
organization (e.g., Information Systems, Finance, or Human Resources).
An individual with significant responsibility can be threatened into using
his or her position to commit a crime against his or her company. Most of
the time this temptation is never even considered; for some, however, it
is, especially if the employee’s reputation is on the line. The direct source of the
blackmail and extortion starts with the decision by a person (the black-
mailer) to use knowledge of the person with the power (the blackmailee)
for his or her own personal gain. For example, one person may learn of
another’s skeleton in a closet and, in turn, threaten to post the information
on the Internet unless there is compensation to keep the information from
public attention. This malicious action is difficult to counteract and may
leave few options for the victim. A corrupt person uses blackmail to force
a person in power to prevent publication of a wrongdoing or an embar-
rassing act. It is also possible for someone to extort information, services,
or financial gain out of a person in power who has done nothing wrong.
In this case, the defense of allegations may be difficult to prove and may
result in costly legal fees and a severe distraction from regular duties. It
may actually be easier to capitulate to the extortionist’s demands than to
wage a viable defense. To combat this potential threat, the organization
can periodically require staff to rotate responsibility among several peo-
ple. The sensitive nature of the area will determine the number of people
with access to its information and responsibilities. This separation of
duties removes a concentration of power in the hands of one person while
allowing for checks and balances within the group. If the “person with the
power” changes frequently, the potential to wrongfully use that power is
reduced.
Fraud can be defined by combining the definitions of Black’s Law,
American College, and Random House dictionaries, and court citations as:
A perversion of the truth to induce a person to part with something
valuable belonging to them using false or misleading representations.
Elements of fraud include a false representation of a past or present
fact by the defendant; a plaintiff action based upon reliance of that
representation; and damages suffered by a plaintiff from the reliance
of the misrepresentation.3
Computers and their link to the Internet can provide the fraudster with
anonymity and validation in the same keystroke. Unfortunately, it can also
render a very efficient mechanism for communicating with a vastly large
number of possible victims, complete with an escape hatch to disappear
with little or no traces. It is for these reasons that fraud runs rampant and
will, in all likelihood, explode within this medium. Computer fraud has the
advantage of being cloaked, thereby making it extremely difficult to detect
and prove even if detected. As a result, at this stage, a proactive approach
may be most successful; namely, educating the public and the workplace
to the potential for fraud, coupled with firm, clear, and decisive security
policies within the workplace. Guarding against fraud requires constant
vigilance because of its cyclical nature. In fact, enforcing good security
practices, as a whole, is a cyclical procedure. The environment must be
evaluated for the risk areas, policies are then created to address them, a
logging system is created to document any incidents, the policies are
audited for effectiveness, and then the process repeats. Security and fraud
are both dynamic disciplines and require vigor, adaptability, patience, and
creativity. Prudent programs strike a balance between these demands.
The disgruntled employee presents a particularly challenging problem
to overall security. In this situation, the disgruntled employee has an
agenda to retaliate against a company for some perceived wrong that he
or she believes has occurred. The employee’s motivation is much greater,
thereby making him or her far more persistent than a hacker would be in
“getting the job done.” Vengeance is an undaunted ally to the disgruntled
employee. Furthermore, a disgruntled employee is privy to the inner work-
ings of the company, making it much easier to exploit company weak-
nesses to render harm. The damage exacted by a disgruntled employee
can be particularly harmful — if not lethal. Erecting defenses against this
threat has proven difficult. Formal security policies that are enforced can
prove to be the difference between the damaging consequences of a dis-
gruntled employee and preemptively thwarting them.
A surly employee who demonstrates cynical or negative behavior can
become a disgruntled employee and be a perpetrator of more serious
actions, including theft, damage, sabotage, or fraud. Good employees usu-
ally do not make a complete reversal of behavior and turn bad. Most
people develop an attitude of revenge, spite, or bitter retaliation as part
of a progressively more emotional campaign to retaliate against what is a
perceived wrongdoing. Failure to get a raise or promotion, termination or
layoff of a good friend, or hiring a new employee at a rumored higher
salary can trigger a campaign to “get even.” The attitude can deteriorate
over time until even criminal action seems reasonable. Employers must
be aware of this festering bad attitude and give employees every chance
to verbalize their fears, anger, and objections. This safety valve may not
resolve the employee’s dilemma and can result in resignation or termina-
tion, but it can also help to prevent damage or criminal action. Again, the
best method for reducing the potential for a bad incident lies in proper
training and providing readily available information support services. It
is crucial to encourage managers and co-workers who are unsure of a
particular course of action to ask first in order to act knowledgeably.
“Dropping the dime” is a street term for informing: an observer reports,
on the record, an incident or a person committing a criminal act. He or
she may have become aware of the situation by chance or even through
direct involvement. To address this potentially
complex situation, the investigator or security officer must first ascertain
the credibility of the informant. By establishing credibility, the investigator
can begin to determine the extent of the situation, the players involved,
and even the very existence of the situation. It is possible that an employee
might fabricate a story to implicate another employee, hoping that ill
consequences will befall the accused. By taking the employee’s story at
face value, many resources can be wasted on an investigation and can
even result in liability. In some situations, the informant might feel the
need to retaliate against the criminal element involved in damaging or
defrauding the company; he or she might perceive some wrong has been
perpetrated against him or her. Therefore, by “blowing the whistle” on the
entire operation, the spoils are denied to all. In this scenario, the informant
can potentially get away with the crime while his or her cohorts suffer
the consequences of termination and possible criminal prosecution. To
avoid this potentially embarrassing situation, company investigators must
carefully (but quickly) evaluate the complaint and the overall situation.
Finally, sabotage and corporate espionage are rapidly becoming issues
that security professionals must be equipped to handle. The explosion of
the Internet and the subsequent restructuring of the corporate environ-
ment have made it extremely difficult to secure the corporate perimeter
against those who have a hidden agenda. Sabotage is carried out by an
employee or an outsider who has gained access to the company’s infor-
mation network with the intention of subverting a company’s products,
services, or overall purpose. Corporate espionage agents are known to
frequent places (real or virtual) where a company’s trade secrets are
acquired, traded, and sold. The
best defense for limiting the impact and damage of such acts, once again,
lies with sound security policies and practices that are regularly enforced.
Audit trails and extensive logging must be implemented and regularly
evaluated to determine that policies are followed and change those that
have proven ineffective.
Physical Events
Computer forensics can evoke an image of people in lab coats with mag-
nifying glasses or detectives stumbling around in a data center, poking
and prodding disk drives. However, in the corporate world, computer
forensics is often applied in a less clinical environment where forensic
methods can diagnose the cause of incidents that stem from physical
occurrences. The industry has known for years that physical events such
as floods, fires, earthquakes, and other natural disasters can all wreak
havoc with a system unless proper security and recovery controls and
measures are in place. To respond to this, electrical or mechanical failures
of computer systems (mainly hardware) have been addressed by systems
managers who focus on the practice of backing up all data at regular
intervals and rerouting communication activities to reduce the disruption
and loss of services to end users. In some highly vulnerable applications
such as banking ATM control, expensive fault-tolerant computers have
been implemented. There are instances where physical access to work
areas may be limited or denied because of obstructions (e.g., environmen-
tal hazards such as faulty wiring, unstable buildings, etc.). Many disaster
recovery plans have been intricately written to mitigate the effects of these
events and are often handled by activating satellite locations (hot and
cold sites) and remote access capabilities. Often, simple events such as
component theft and damage can be disruptive and cause serious service
interruptions.
The financial impact of these problems can be addressed through insur-
ance coverage, regular system backups, restricted access, and physical
security (e.g., guards, video camera surveillance, etc.), but many times a
physical event goes unidentified. The data center technicians walk around,
talk to each other, and after a few minutes, shrug their shoulders and re-
initiate the system or restart the application. This author has been told
several times by a software technician to simply reboot the computer and
try again. Maybe the reboot operation resolves the problem, but why did
it occur in the first place? My estimate is that over 90 percent of the causes
of computer glitches are never really known. Maybe they actually are
flukes, unexpected data, random communication signals, or accidental
keystrokes; but what if they are more malevolent? What if these glitches
are failed attempts to gain access or the result of malicious code gone bad?
Forensics can be used very effectively to explain the real cause of these
disruptions, especially when they affect many people. Too often, the server
or shared processor is simply restarted in an effort to restore service as
quickly as possible. If only some evidence were captured that could help
determine the cause of the interruption, future recurrences of the same
problem could be minimized. System weaknesses could be discovered and
eliminated, thereby reducing the risk of future disruptive acts. Forensics
is not just for the criminal, but the natural chaos surrounding physical
disaster recovery as well.
Organizational Issues
All organizations have general system maintenance functions that occur
periodically. These events can also cause inevitable problems. Whenever
the computer hardware or operating system is upgraded, there is
increased potential for disruption. Installing new hardware and application
software can also bring its own set of headaches. Even a good project
manager develops plans to minimize and prevent the problems that
accompany compatibility problems or other unknowns. (Nevertheless, to
paraphrase the popular idiom, “unpredictable occurrences happen.” If I
had a penny for every time a “routine” change that should pose “no
problem” caused a disruption in service, I would not be a millionaire, but
I bet I would have a pretty nice dinner.)
If technical changes are commonplace, organizational changes are even
more so. People leave their jobs, new people are hired, and people move
around within an organization. There are learning curves, procedures that
slip through the cracks, and little-known facts galore. These potentially
disruptive events can often be as devastating as fires, earthquakes, or
white-collar crimes. Forensic evaluation cannot discount these events
from causing problems as well.
Operational Issues
Last, but not least, normal operation is not 100 percent reliable. Some-
times, programs have errors in them that cause the system to stop or
abruptly “hang” or “crash.” Behind every interruption is a cause. Comput-
ers do not think for themselves. They do not know revenge, spite, or
getting even (although one sometimes has to wonder). Murphy’s law,
however, has no doubt been burnt into their microchips so that they will
fail when it is most critical that they run perfectly.
Although the first inclination is to call any operational malfunction a
“computer error,” forensic analysis should be conducted to determine if
there was a preventable condition or if, as mentioned before, the failure
was the result of an unsuccessful criminal attempt. If the system that is
affected houses strategic, sensitive, or critical financial data, a forensic
analysis and report should be completed for every operational disruption,
even if the cause is obvious.
DIRECT AND INDIRECT RESULTS OF DISRUPTIVE EVENTS
The costs to an operation, either business or organizational, as a result
of an incident’s occurrence can range from minimal to destructive. These
results can take the form of loss of service, discontinuity of reporting,
or profit loss. None of these results is pleasant. One could detail an
extensive cost justification for computer forensics to be employed after
each event, but that kind of study is thankfully not part of the recovery
process. Suffice it to say, disruptions are to be minimized. Where foren-
sics can be of real value is when the forensic process is reviewed and
procedures are put in place before the disruption occurs. Details of how
this is done are given in the next section. For now, consider each of the
results.
Loss of Service
Any disruption caused by an incident can result in a loss of service. The
extent of the disruption can range from a minor inconvenience to the
complete and prolonged loss of core business functions. Often, the degree
of disruption depends on how dependent the business is on the comput-
erized information network. For example, a mailing list company that relies
solely on accurate and timely maintenance of its databases of addresses
and client information would be brought to the brink of disaster if an event
occurs that cripples the operation of those databases. This is a clear
example of the heavy reliance on computerized information. Many indus-
tries — notably investment, freight movement, railroad, air traffic control,
etc. — behave the same way. However critical it is to a particular industry
or operation, computing has become an integral function of most busi-
nesses and organizations. The widespread use of desktop computers is a
clear manifestation of this dependence within organizations — both public
and private. Loss of service directly translates into a drop in personal
productivity. First, there is the period of uncertainty regarding whether
the system is “up” or “down.” This may be 5 to 15 minutes. Next is the
“water cooler” discussion that results when people who are denied com-
puter service congregate at the coffee maker or water cooler to talk about
the system or its reliability, or relate stories about the last disruption.
This can go on for a while. Finally, someone in the group places a
phone call or gets the system functioning again. Even if nothing criminal
has happened or the disruption has been minimal, a potentially large
number of people may have been inconvenienced and the business has
just lost tens to hundreds of hours of employee productivity, for which
salary dollars have been spent. Some may call this the cost of doing
business, but if the disruption was purposely caused, it could also be
called theft or sabotage.
Discontinuity of Reporting
Business operation is often hampered when information does not flow
freely between functions and among people. When computer services are
interrupted, the organization must put aside standard practices and begin
running in an alternative mode. Invariably, productivity is impacted and
the bottom line is accordingly affected. If this frequently occurs in a
business setting, results will be unacceptable.
In addition, over the past several years, organizations have imple-
mented functional reporting systems that depend on computer data to
provide managers and administrators with key operating data. Many times,
these systems have formed a closed-loop feedback system where opera-
tional changes generate performance data, which is then analyzed by
management to determine if the operational change was effective. Inter-
ruptions in the collection of the data points and fluctuations in produc-
tivity caused by computer interruptions can skew these results and lead
management to incorrect or flawed conclusions.
Either by forcing alternate methods of communication or by causing
“gaps” in the data collected from normal operations, interruptions can
change the results from success to failure in a short period of time. Again,
proper forensic analysis of the reasons for interruptions can help minimize
future occurrences and can also help identify changeable factors that
minimize the effect of these interruptions.
Productivity, Profit, and Loss
Almost any company can be successful if everything works as planned
and there are no operating surprises. Rarely, if ever, is this the case for
very long. Many daily events directly impact productivity levels, which
translates into profit losses due to the slowing or obstruction of normal
organizational activities. Irrespective of the organization’s mission (for
profit, nonprofit, or public service), computer failures can cripple or
destroy mission objectives. Without dependable and reliable systems, the
success of an organization hangs in the balance. It is a responsible and
appropriate organization that takes interruptions seriously and employs
prudent methods to determine the cause of interruptions and reduce their
potential for recurrence. If, in fact, the interruption was caused on pur-
pose, it is similarly prudent to take personnel or legal action to dissuade
the perpetrator or others from completing the same or similar acts in the
future.
There are no excuses for not taking precautions and employing proce-
dures that stabilize and maximize productivity. By taking care of the work-
place activity, it usually follows that profits or nonfinancial benefits
(employee pride, creativity, reputation, or fulfillment) are maximized and
the potential for loss — financial or otherwise — is minimized. Using
computer forensics to some degree simply makes good business sense.
ELEMENTS OF FORENSIC ANALYSIS
Computer forensics is not just figuring things out, but rather a structured
process of evidence preservation, damage control, and system restoration.
Much of what is completed during a forensic investigation cannot be
predefined because it is highly dependent on the unique events as they
exist and the technical skills of the investigator. Nonetheless, some stan-
dard procedures can be followed that make good sense in completing any
specific forensic analysis activities. A computer forensic analyst must be
well versed in pre-event activities, recovery methods, and determining the
cause of an interruption or event.
Pre-Event Preparation
Effective computer forensics does not start when the event occurs. Sure,
maybe this is when most organizations think of such activity and the result
may actually be useful, but the cost is usually very high and the effective-
ness is often less than 100 percent. The reasons for this are threefold:
1. Data that could have been a key resource in identifying facts sur-
rounding the event may not have been captured by the system logs
and audit trails.
2. Pressure from business operations results in a quick rush to restore
system operation. As part of the start-up process, the problem can
be exacerbated and key signals of what happened can be destroyed.
3. The opportunity for research and investigation of several theories
is limited because of the time involved in reviewing the information
and the potential destruction of the logs or evidentiary data in
testing the theory.
To provide the elements needed for an optimal forensic evaluation, the
system must be prepared to capture, preserve, and effectively analyze the
operational information immediately preceding the event. Logging and
documenting everything includes inventories of hardware, files, applica-
tions, door positions, locks, and access controls. This will supply a refer-
ence that can hold up in court if necessary. Trust nothing to memory,
which becomes less clear over time and may be successfully invalidated
by an astute attorney.
Backups, logs, and audit trails are generally available for all systems
and even for some components such as network connectors and modems.
Knowing how to activate these logs and where to record the information
provided by them is key to effectively capturing data. Frequently, when a
system is restarted, logs are erased or overwritten, thus destroying evi-
dence. Care must be exercised to avoid this crucial loss. The most effective
way to do this is to not restart or reboot the system. The entire data
structure and system boot sequence should be left unchanged while the
data is copied to alternate media. Several software programs exist to do
this, but there are some limitations. For example, if the system that was
affected is running Windows NT and uses the NTFS file system, data is not
available by booting from a regular DOS disk. For Windows NT and Novell
LAN servers, the following simple and usually cost-effective methods are
recommended:
• Keep the system startup data, audit logs, and other volatile infor-
mation on a single disk drive. Nothing else should be kept on that
drive.
• When an event occurs, the first steps are to secure the site and to
determine whether any physical evidence is available or safety precau-
tions must be taken (e.g., if the computer has been booby-trapped). If
the computer is still powered on when the incident is discovered, copy
any available volatile data before anything else is done, because a restart
will destroy it.
• Restoration will occur on mirror-image copies; the second copy (and
maybe others) can be used to evaluate evidence, list and review logs,
and identify events that happened immediately before the event
occurred.
Once these steps have been followed, research can be conducted, and the
system should be restored to normal operation without risking the loss
of key forensic data. Pre-event planning should facilitate this data recovery
and restoration process.
Similar methods can be adapted to other types of systems, including
minicomputer and even mainframe operating environments.
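One way to carry out the “copy to alternate media” step described above, as an added Python example that is not part of the original chapter: the source is opened read-only and read sequentially in fixed-size blocks (a write blocker is still required on the real device, since a read-only open does not stop the operating system itself from touching the disk), every byte is hashed as it is read, the finished image is re-read from disk and hashed again, and the two digests are written to a manifest beside the image. The same manifest later lets the lab confirm that a clone is still bit-for-bit identical to what was acquired. The “device” in the demonstration is a constructed file in a temporary directory; on a real system the source path would be the block device.

```python
import hashlib
import json
import os
import tempfile

BLOCK = 64 * 1024  # read/write granularity; affects speed, not the result


def hash_file(path: str) -> str:
    """SHA-256 of a whole file, read sequentially in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source: str, image: str) -> dict:
    """Bit-for-bit copy of `source` into `image`, with a manifest.

    The source digest is computed from the bytes as they are read; the image
    digest comes from an independent re-read of the written file, so a write
    error or a short write shows up as a mismatch instead of going unnoticed."""
    src_hash = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media
    manifest = {
        "source": source,
        "image": image,
        "bytes": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": hash_file(image),
    }
    manifest["verified"] = manifest["source_sha256"] == manifest["image_sha256"]
    with open(image + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image: str) -> bool:
    """Re-check a clone against the size and digest recorded when it was made."""
    with open(image + ".manifest.json") as f:
        manifest = json.load(f)
    return (os.path.getsize(image) == manifest["bytes"]
            and hash_file(image) == manifest["image_sha256"])


def demo() -> dict:
    """Image a constructed 'drive' twice (working copy and lab copy), then show
    that a single flipped byte in the working copy is caught on re-verification."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "suspect_drive.bin")
        # Constructed content: live data followed by leftover bytes of a deleted
        # file, the kind of material a file-by-file copy would not carry over.
        with open(device, "wb") as f:
            f.write(b"LIVE FILE: quarterly report\n" + b"\x00" * 4096)
            f.write(b"DELETED FRAGMENT: transfer 40,000 to acct 7731\n" + b"\xff" * 4096)
            f.write(os.urandom(3 * BLOCK + 17))  # deliberately not a multiple of BLOCK

        working = image_device(device, os.path.join(tmp, "clone_working.img"))
        lab = image_device(device, os.path.join(tmp, "clone_lab.img"))

        # Later, one byte of the working copy is altered (by accident or otherwise).
        with open(working["image"], "r+b") as f:
            f.seek(5000)
            original = f.read(1)
            f.seek(5000)
            f.write(bytes([original[0] ^ 0x01]))

        return {
            "both_verified_at_acquisition": working["verified"] and lab["verified"],
            "clones_identical": working["image_sha256"] == lab["image_sha256"],
            "bytes_imaged": working["bytes"],
            "expected_bytes": os.path.getsize(device),
            "working_copy_still_valid": verify_image(working["image"]),
            "lab_copy_still_valid": verify_image(lab["image"]),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because both clones were hashed at acquisition and the digests match the source, the untouched lab copy can stand in for the sealed original during analysis, while the altered working copy is rejected as soon as it is re-verified rather than quietly contaminating the findings.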
Remember that everyone who handles the evidence must be documented as
having done so, so that if the matter goes to court the records will show
that the evidence was not altered, damaged, or corrupted.
Post-Event Recovery
Damage control is also important to minimize the event’s impact, which
can (and will) translate into financial loss, productivity/service reduction,
and loss of customer confidence. All can be especially damaging for the
long-term success of an organization if lowered customer confidence
results in loss of repeat business. Crucial to any operation is the ability
to quickly restore the system to its pre-event operational status. This must
occur with minimal discontinuity and disruption to activity while limiting
any further loss. In business, it can be difficult to balance the long-term
value of preserving evidence and keeping prosecution possible against the
short-term desire to minimize operational disruption, lost productivity,
lost profit, and so on; management may decide to absorb the cost of de-
stroying evidence in order to restore service quickly. For this reason, a forensics
expert must be “tough” in the face of adversity. The challenge of the hunt
is many times stopped short because of a business decision to accept the
risk of future events or to minimize the cost (financial and public relations)
of any investigation and possible prosecution.
Nevertheless, if the pre-event plans have been put in place and are
followed, the system can typically be restored to normal operation in a
relatively short time period, with all evidence intact and all records pre-
served properly.
Many tools and methods are available to help guide the prompt recov-
ery of an affected system while still maintaining the evidence necessary
to identify the cause and potential to prosecute perpetrators. An example
of what can be done on the scene of a potential crime investigation is
outlined in the following summary.
Collect Evidence.
• Conduct a “no touch” examination of the physical site that includes
observations and recordings. When entering the site, each detail of
the scene must be recorded and preserved. It is a good idea to bring
video or still-camera equipment to provide visual backup for written
records. The placement of the computer equipment, keyboard,
mouse, computer output, references, cables and wires, and switches
may all be important items of evidence. Written logs must be created,
initialed, witnessed, or corroborated and then filed in a secure place.
Evidence bags can be useful if there are items that are removed from
the scene.
• Conduct an examination, disk “cloning,” and evidence collection. If the
computer is still powered on, collect volatile evidence first. Use utility
programs brought to the scene, never the suspect machine’s own, to view
logs, files that have been opened, and a history of what has transpired
since the system was last activated; if the computer is suspected of
being used for a crime, some common utilities and functions may have
been altered so that their use by an unsuspecting investigator destroys
incriminating evidence. Some files may be rewritten or destroyed when
the system is next powered on, so copy those files to the Jaz or Zip drive
before powering down. Then power down the computer and take a phys-
ical inventory of its hardware. Before touching the disk again, install a
write blocker to ensure that nothing is accidentally written to the sus-
pect hard drive, and boot from a “safeboot” diskette so the computer
never boots from, or executes programs from, its native hard drive.
Install guest drivers for either Jaz or Zip drives where evidence is to be
stored. Utilities that make a complete binary (bit-for-bit) copy (e.g.,
Safeback, CPR Recovery Tools) are best because they preserve not only
the files but also the file slack, unallocated space, and encrypted, hidden,
and deleted files, all of which can be important in the analysis phase
(file-by-file copies are also possible, but they lose this material). Two
drives should be available for capturing evidence. Once copied, one
“clone” can be put back in the computer and one “clone” taken to an
evidence research lab; record a hash value of the original and of each
clone at the time of copying so the copies can later be shown to match
it. The original should be placed in a sealed bag or envelope and, if
appropriate, turned over to law enforcement or a court official for pres-
ervation as evidence. The original may be investigated further for finger-
prints and for magnetic remanence of overwritten files.
• Restoring operation. Often, system restoration takes first priority, but
in forensics, restoration should begin only after the evidence has been
preserved. This can be a rigorous procedure if the subject is unaware of the
investigation; photos or videotape help in restoring the desk to its exact
former appearance. If the system was turned on, restore it to the condition
in which the user left it. The only exception to full restoration is a case
where network or online connections may further compromise the company’s
integrity or security. For example, if the offense was making confidential
data available online, that data should not be put back online. Options to
trap the offender, such as false databases or tracking methods that identify
who is involved, can be used, but they should be approached with caution.
Technical, legal, and law enforcement advice should be sought before
proceeding with any of these activities.
These crucial activities may be rigorous and time consuming, but they
are essential for a successful analysis and potential prosecution. Only after
the evidence has been preserved can an analysis begin, with the objective
of finding the cause or tracing the criminal’s activities.
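The difference between the binary copy and the file-by-file copy in the steps above is easy to demonstrate. The following Python script is an added example, not code from the chapter or from any of the tools it names. It builds a constructed toy disk (a hypothetical layout: one JSON directory block followed by 512-byte data blocks), makes a dd-style bit-for-bit image that zero-fills unreadable blocks so that offsets are preserved, makes a file-by-file copy that trusts only the directory, and shows that only the image still holds the file slack and the deleted spreadsheet. It also hashes the original and the image and writes chain-of-custody entries; the examiner and witness names are placeholders.

```python
"""Bit-for-bit imaging versus file-by-file copy on a constructed toy disk.

Added example, not from the chapter. The 'disk' is a bytes object with a
hypothetical layout: block 0 holds a JSON directory {name: [start_block,
byte_length]}, and data lives in 512-byte blocks after it.
"""
import datetime
import hashlib
import json

BLOCK = 512
N_BLOCKS = 8


def _put_dir(disk, table):
    disk[0:BLOCK] = json.dumps(table).encode().ljust(BLOCK, b"\0")


def _get_dir(disk):
    return json.loads(bytes(disk[0:BLOCK]).rstrip(b"\0").decode())


def build_evidence_disk():
    """Constructed sample: a memo that was shortened (leaving slack) and a
    deleted spreadsheet whose data block was never reused."""
    disk = bytearray(BLOCK * N_BLOCKS)
    old = b"MEMO: wire 50000 to acct 4471 before audit; then delete this"
    disk[BLOCK:BLOCK + len(old)] = old            # original memo in block 1
    new = b"MEMO: Q3 numbers look fine."
    disk[BLOCK:BLOCK + len(new)] = new            # rewritten shorter; the old
                                                  # tail survives as file slack
    sheet = b"payee,amount\nacct 4471,50000\n"
    disk[2 * BLOCK:2 * BLOCK + len(sheet)] = sheet    # payments.csv in block 2,
    _put_dir(disk, {"memo.txt": [1, len(new)]})       # then "deleted": entry
    return bytes(disk)                                # gone, data still there


class Device:
    """Read-only block device; blocks listed in `bad` fail like bad sectors."""

    def __init__(self, data, bad=()):
        self._data, self._bad = data, set(bad)

    @property
    def n_blocks(self):
        return len(self._data) // BLOCK

    def read_block(self, n):
        if n in self._bad:
            raise OSError(f"I/O error reading block {n}")
        return self._data[n * BLOCK:(n + 1) * BLOCK]


def image_device(dev):
    """dd-style copy with conv=noerror,sync semantics: an unreadable block is
    zero-filled and logged instead of aborting the run, so every later byte
    keeps its original offset. Returns (image, list_of_errors)."""
    out, errors = bytearray(), []
    for n in range(dev.n_blocks):
        try:
            out += dev.read_block(n)
        except OSError as exc:
            errors.append(str(exc))
            out += b"\0" * BLOCK
    return bytes(out), errors


def logical_copy(disk):
    """File-by-file copy: it trusts the directory, so it sees neither the
    slack past each file's logical end nor files whose entries are gone."""
    return {name: disk[s * BLOCK:s * BLOCK + ln]
            for name, (s, ln) in _get_dir(disk).items()}


def find_in_image(image, needle):
    """Byte offsets of every occurrence of `needle`, allocated or not."""
    hits, i = [], image.find(needle)
    while i != -1:
        hits.append(i)
        i = image.find(needle, i + 1)
    return hits


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def custody_entry(log, action, data, examiner, witness):
    """Append a chain-of-custody record: who did what, when, and the hash
    that lets anyone later re-verify the object was not altered."""
    log.append({"when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                "action": action, "sha256": sha256(data),
                "examiner": examiner, "witness": witness})
    return log


if __name__ == "__main__":
    original = build_evidence_disk()
    log = custody_entry([], "hash original media", original, "examiner A", "witness B")
    image, errors = image_device(Device(original))
    assert sha256(image) == sha256(original), "image does not match source"
    custody_entry(log, "verified bit-for-bit image", image, "examiner A", "witness B")
    print("file-by-file copy sees:", logical_copy(original))
    print("image finds deleted sheet at:", find_in_image(image, b"payee,amount"))
    print("image finds memo slack at:", find_in_image(image, b"before audit"))
    print(json.dumps(log, indent=1))
```

Run it directly to print what each copy sees and the custody log. The `bad` set on `Device` simulates a failing sector: with block 2 marked bad the image is still the full length and every other offset is unchanged, which is why `conv=noerror,sync` (or a forensic imager that behaves the same way) is preferred over a plain copy that stops at the first read error. Real imagers also hash the source before and after imaging; the same `sha256` call covers that.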
Finding the Cause
Discovering the real cause of an event is the long-term objective of any
forensic examination. The analysis can be short or extensive, depending on
the size of the system being examined, which can range from a stand-alone PC
to a mainframe. The skills of the forensic investigators, the equipment, and
the time available to launch a thorough examination all affect how long it
takes to reach a conclusion. Often the most surprising factor in a forensic
evaluation is how time and labor intensive it is. Determining a cause may be
quick and easy, but doing so in a way that will be admissible in court can
take much longer because every action must be recorded and validated. As
storage and application capacity increase, the amount of information that
must be sifted through will also increase greatly.
Computer forensics investigation requires substantial training. Fortunately,
because the work is methodical, most aspects are not “rocket science.”
Piling on technology also increases the risk that a judge or jury will not
understand highly complicated methods. Still, technical tools must be used
to determine what the collected information can reveal. Everything should
be examined, including deleted files, encrypted data, and hidden files and
directories. Tools can be acquired to help with this examination process.
The fundamentals apply to most operating environments, but they must
be adapted to the specific environment and suspected cause of each
occurrence. The only constant factor in a forensic investigation is that
there are no absolutes. Even the most skilled computer forensics expert
experiences situations that can stop an investigation. Three common sit-
uations are:
• The loss value is small compared to the cost of investigation and
prosecution.
• The legal case against the perpetrator (if identified) is too weak to
prosecute.
• The system’s technology being examined surpasses the capabilities
of current forensic tools.
Furthermore, the tools, system conditions, and environment parameters
vary with each event. No two investigations are ever exactly the same.
FINAL OBJECTIVES OF FORENSICS
Proof in Court4
Proving that an incident occurred and identifying its perpetrator to a legal
standard can be particularly challenging. Beyond the resources forensics
consumes (time, labor, money, etc.), the overall process is taxing. The
United States and many other countries are founded on the presumption of
innocence. Each court system is different; legislation has not advanced at
the same clip as technology, and attorneys and
legal counsel are not all equally well trained in computer technology and
white collar crime. The U.S. legal system still demonstrates a lack of
understanding on the part of the key players within the legal system —
magistrates, attorneys, juries, etc. There are instances where there are
knowledgeable participants, much to the delight of the techno-expert, but
they are not yet the norm. Some courts are more receptive to prosecuting
this type of crime, while others are still resistant to the technological
advances within this society. Current legislation tends to be vague and
limited, and technology’s rapid advancement challenges any standardization
and regulation. Laws handle tangible issues, while free-flowing information
is difficult to quantify and legislate. This is apparent in the issue of
jurisdiction in the United States (state, federal, and international), which
is complicated by data “crossing” state lines in the commission of a
criminal act. Jurisdiction is extremely complex. Fortunately, some steps have
been taken both at the federal and state levels to attempt to catch up with
the wave of computer crime. International boundaries remain the most
daunting aspect of prosecution, to the point where some cases may not
even be viable. As a result, diplomatic channels must be employed to
bolster this effort. It is a start, but there is much work to be done in this
area. Until then, forensic analysts must continue to be especially careful
and meticulous in gathering computer evidence.
Proof As a Business Function
Proving and determining why an event occurred, as a function of computer
security, is smart business practice. Using computer forensics procedures
as proactive tools can enhance and strengthen security policies. Furthermore,
once the source of an incident is found, policies, practices, and programs
can be implemented to mitigate or even prevent future occurrences. Running a
tighter ship improves system reliability, which directly affects future
success (profits, services, and general customer satisfaction and
confidence). Computer forensics can improve security but cannot, on its own,
create good security. For computer forensics to be conducted at an optimal
level, standard security practices must be in place and enforced on a regular
basis. Logging and auditing are two particularly crucial practices that
greatly enrich the effectiveness of computer forensics: an investigation can
only reconstruct what was recorded, and the record is only useful as evidence
if it can be shown not to have been altered. Computer forensics, as a business
function, requires diligence, methodical procedures, and a bit of
technological savvy.
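One way to make routine logging hold up as forensic evidence is to chain the entries with hashes so that any later edit, deletion, or insertion is detectable. The following Python script is an added example, not code from the chapter or from any product it mentions; the event records are constructed sample data and the field names are hypothetical.

```python
"""Hash-chained audit log that a forensic examiner can verify.

Added example, not from the chapter. Each entry stores the hash of the
previous entry and a hash over (previous hash + its own record), so that
editing, deleting, or inserting an entry breaks every link after it.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64          # anchor value for the first entry


def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_entry(log, record):
    """Append `record` (any JSON-serialisable dict) to `log` in place."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return log


def verify_chain(log, head=None):
    """Walk the chain from GENESIS. Returns (ok, index of first bad entry).
    If `head` (a hash recorded out of band at the time) is given, the final
    hash must equal it, which also catches truncation of the tail."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if head is not None and prev != head:
        return False, len(log)
    return True, None


# Constructed sample events, in the order a system would have logged them.
SAMPLE_EVENTS = [
    {"t": "2002-03-04T08:01:10Z", "user": "jdoe", "event": "login", "src": "10.0.0.7"},
    {"t": "2002-03-04T08:03:42Z", "user": "jdoe", "event": "open", "file": "payroll.xls"},
    {"t": "2002-03-04T08:04:05Z", "user": "jdoe", "event": "copy", "file": "payroll.xls", "dst": "A:"},
    {"t": "2002-03-04T08:04:30Z", "user": "jdoe", "event": "delete", "file": "payroll.xls"},
]


def build_sample_log():
    log = []
    for ev in SAMPLE_EVENTS:
        append_entry(log, ev)
    return log


def tamper_user(log, index, new_user):
    """Return a copy of `log` with one record's user changed and nothing
    else, the way an insider might try to shift blame."""
    forged = copy.deepcopy(log)
    forged[index]["record"]["user"] = new_user
    return forged


def drop_entry(log, index):
    """Return a copy of `log` with one entry silently removed."""
    return [e for i, e in enumerate(log) if i != index]


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]            # imagine this copied to a separate host
    print("intact:", verify_chain(log, head))
    print("user edited:", verify_chain(tamper_user(log, 2, "msmith"), head))
    print("entry removed:", verify_chain(drop_entry(log, 2), head))
    print("tail truncated:", verify_chain(log[:-1], head))
```

The `head` parameter carries the practical caveat: a hash chain only proves integrity relative to a value the attacker could not rewrite. Someone who can edit the whole log file can recompute every hash after the edit, so the current head hash (or the whole log) must be copied periodically to a place the monitored system cannot write, such as a separate log host or write-once media, and that copy is what the examiner checks against.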
The journey begins. As the frequency of computer events continues to
increase, computer forensics will become an integral function within any
well-run organization. When computer forensics emerges as a viable business
function, insurers, investors, and venture capitalists will begin to include
forensics capability in their due-diligence evaluation of companies. The
results, as usual, will be seen in financial terms. Then we will really see
computer forensics flourish as a business specialty.
CONCLUSION
Computer forensics is indeed on the cutting edge of technology — not as
a high-tech advanced specialty, but as a viable and necessary business
function of the twenty-first century. Computer crimes committed over the
Internet, the computer knowledge gained by the general public (for good
or bad), and the use of computers in traditional criminal activities such
as drug trafficking, vice activities, and good old theft and murder have put
the computer in the company of traditional criminal tools. Industry needs
to treat computers the same way it would treat any business risk, with
knowledge and measured intelligence.
What makes computer forensics especially appealing is the continued
mystery surrounding the computer systems environment in general. As
criminals get smarter, the business community stays the same but simply
uses computers more. The next time a system “freezes,” “crashes,” or
“bombs,” think … was it another computer glitch or did someone just try
to steal money, data, or knowledge? It is like the story of the mosquito
(which may or may not be true, but makes a nice story.)
The male mosquito makes noise but does not bite, while the female
mosquito needs your blood to mature newly hatched eggs, but is silent.
So the next time you are lying awake on a summer night and hear a
mosquito, do not worry; it is a male and will not bite you. However, if
you are lying awake and hear nothing …
Notes
1. Judd Robbins, “An Explanation of Computer Forensics by Judd Robbins” [article online]; available from http://www.knock-knock.com/forens01.htm.
2. Kenneth S. Rosenblatt, High-Technology Crime: Investigating Cases Involving Computers, San Jose: KSK Publications, 1995, 224.
3. “Fraud — A Criminal Offense” [definition online]; available from http://www.uslawbooks.com/books/fraud.htm.
4. David L. Carter, Computer Crime Categories, FBI Law Enforcement Bulletin, July 1995, 21–26; Kenneth S. Rosenblatt, High-Technology Crime, San Jose: KSK Publications, 1995; John G. Sauls, Computer Searches and Seizures: Challenges for Investigators, FBI Law Enforcement Bulletin, June 1993, 24–32.

More Related Content

What's hot (20)

PDF
ZyLAB White Paper - Bringing e-Discovery In-house
ZyLAB
 
PDF
Cyber Review_April 2015
James Sheehan
 
PDF
CISO Survey Report 2010
Scientia Groups
 
PPT
Tips to Protect Your Organization from Data Breaches and Identity Theft
Case IQ
 
PDF
Cybersecurity: Whose job is it anyway?
Guy Pearce
 
PPT
Webinar: Gathering Social Media Evidence
Case IQ
 
PDF
Data Breach White Paper
spencerharry
 
PDF
Cybersecurity Legal Trends: The Evolving Standard of Care for Companies and M...
Shawn Tuma
 
PPTX
Data Security for Nonprofits
NPowerCR
 
PDF
Cyber for Counties Guidebook
Kristin Judge
 
PDF
Forcepoint Whitepaper 2016 Security Predictions
Kim Jensen
 
PDF
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
Casey Ellis
 
PDF
Course Session Outline - Internal control in Information System
Theodore Le
 
PDF
Cyber Security Conference - Rethinking cyber-threat
Microsoft
 
PDF
NCRIC Analysis of Cyber Security Emergency Management
David Sweigert
 
PPTX
SucessfulInsiderThreat
HammerNJ
 
PDF
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Sarah Nirschl
 
PDF
2014-2015-data-breach-response-guide
James Fisher
 
PDF
Marriage of Cyber Security with Emergency Management -- NEMA
David Sweigert
 
PDF
Whistle-Blowing System: A Recipe for Monitoring Corrupt Activities in Nigeria...
The International Journal of Business Management and Technology
 
ZyLAB White Paper - Bringing e-Discovery In-house
ZyLAB
 
Cyber Review_April 2015
James Sheehan
 
CISO Survey Report 2010
Scientia Groups
 
Tips to Protect Your Organization from Data Breaches and Identity Theft
Case IQ
 
Cybersecurity: Whose job is it anyway?
Guy Pearce
 
Webinar: Gathering Social Media Evidence
Case IQ
 
Data Breach White Paper
spencerharry
 
Cybersecurity Legal Trends: The Evolving Standard of Care for Companies and M...
Shawn Tuma
 
Data Security for Nonprofits
NPowerCR
 
Cyber for Counties Guidebook
Kristin Judge
 
Forcepoint Whitepaper 2016 Security Predictions
Kim Jensen
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
Casey Ellis
 
Course Session Outline - Internal control in Information System
Theodore Le
 
Cyber Security Conference - Rethinking cyber-threat
Microsoft
 
NCRIC Analysis of Cyber Security Emergency Management
David Sweigert
 
SucessfulInsiderThreat
HammerNJ
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Sarah Nirschl
 
2014-2015-data-breach-response-guide
James Fisher
 
Marriage of Cyber Security with Emergency Management -- NEMA
David Sweigert
 
Whistle-Blowing System: A Recipe for Monitoring Corrupt Activities in Nigeria...
The International Journal of Business Management and Technology
 

Similar to Chapter 12 - Computer Forensics (20)

PPT
Cyber Forensics.ppt
HODCSEKncet
 
PDF
Ethical issues and social issues related to systems upload
waiforchi Wagiteerhh
 
PDF
Ijnsa050201
IJNSA Journal
 
PDF
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Chris Hails
 
PDF
Article the shifting face of cybercrime - paul wright
Paul Wright MSc
 
PDF
2015 LOMA Conference - Third party risk management - Session 20
Marc S. Sokol
 
PDF
Information security
Onkar Sule
 
PDF
American Bar Association guidelines on Cyber Security standards
David Sweigert
 
PPT
How-to-Respond-to-a-Data-Breach_-A-Comprehensive-Guide.ppt
Tamar Software
 
PDF
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
IJNSA Journal
 
PDF
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Casey Ellis
 
PDF
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
PDF
Evidence Integrity And Evidence Continuity Essay
Jessica Howard
 
PDF
9 Trends in Identity Verification (2023) by Regula
Regula
 
PDF
[AIIM18] GDPR: whose job is it now? - Paul Lanois
AIIM International
 
PDF
Data Breach White Paper
Todd Ruback
 
PDF
An Improved Method for Preventing Data Leakage in an Organization
IJERA Editor
 
DOCX
Discussion #1Based on authoritative sources (including peer revi.docx
cuddietheresa
 
PPTX
Cybertorts
panabaha
 
PDF
ZoomLens - Loveland, Subramanian -Tackling Info Risk
John Loveland
 
Cyber Forensics.ppt
HODCSEKncet
 
Ethical issues and social issues related to systems upload
waiforchi Wagiteerhh
 
Ijnsa050201
IJNSA Journal
 
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Chris Hails
 
Article the shifting face of cybercrime - paul wright
Paul Wright MSc
 
2015 LOMA Conference - Third party risk management - Session 20
Marc S. Sokol
 
Information security
Onkar Sule
 
American Bar Association guidelines on Cyber Security standards
David Sweigert
 
How-to-Respond-to-a-Data-Breach_-A-Comprehensive-Guide.ppt
Tamar Software
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
IJNSA Journal
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Casey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
Evidence Integrity And Evidence Continuity Essay
Jessica Howard
 
9 Trends in Identity Verification (2023) by Regula
Regula
 
[AIIM18] GDPR: whose job is it now? - Paul Lanois
AIIM International
 
Data Breach White Paper
Todd Ruback
 
An Improved Method for Preventing Data Leakage in an Organization
IJERA Editor
 
Discussion #1Based on authoritative sources (including peer revi.docx
cuddietheresa
 
Cybertorts
panabaha
 
ZoomLens - Loveland, Subramanian -Tackling Info Risk
John Loveland
 
Ad

More from Attaporn Ninsuwan (20)

PDF
J query fundamentals
Attaporn Ninsuwan
 
PDF
Jquery enlightenment
Attaporn Ninsuwan
 
PDF
Jquery-Begining
Attaporn Ninsuwan
 
PDF
Br ainfocom94
Attaporn Ninsuwan
 
PDF
Techniques for data hiding p
Attaporn Ninsuwan
 
PDF
Stop badware infected_sites_report_062408
Attaporn Ninsuwan
 
PDF
Steganography past-present-future 552
Attaporn Ninsuwan
 
PDF
Ch03-Computer Security
Attaporn Ninsuwan
 
PDF
Ch02-Computer Security
Attaporn Ninsuwan
 
PDF
Ch01-Computer Security
Attaporn Ninsuwan
 
PDF
Ch8-Computer Security
Attaporn Ninsuwan
 
PDF
Ch7-Computer Security
Attaporn Ninsuwan
 
PDF
Ch6-Computer Security
Attaporn Ninsuwan
 
PDF
Ch06b-Computer Security
Attaporn Ninsuwan
 
PDF
Ch5-Computer Security
Attaporn Ninsuwan
 
PDF
Ch04-Computer Security
Attaporn Ninsuwan
 
PDF
Chapter5 - The Discrete-Time Fourier Transform
Attaporn Ninsuwan
 
PDF
Chapter4 - The Continuous-Time Fourier Transform
Attaporn Ninsuwan
 
PDF
Chapter3 - Fourier Series Representation of Periodic Signals
Attaporn Ninsuwan
 
PDF
Chapter2 - Linear Time-Invariant System
Attaporn Ninsuwan
 
J query fundamentals
Attaporn Ninsuwan
 
Jquery enlightenment
Attaporn Ninsuwan
 
Jquery-Begining
Attaporn Ninsuwan
 
Br ainfocom94
Attaporn Ninsuwan
 
Techniques for data hiding p
Attaporn Ninsuwan
 
Stop badware infected_sites_report_062408
Attaporn Ninsuwan
 
Steganography past-present-future 552
Attaporn Ninsuwan
 
Ch03-Computer Security
Attaporn Ninsuwan
 
Ch02-Computer Security
Attaporn Ninsuwan
 
Ch01-Computer Security
Attaporn Ninsuwan
 
Ch8-Computer Security
Attaporn Ninsuwan
 
Ch7-Computer Security
Attaporn Ninsuwan
 
Ch6-Computer Security
Attaporn Ninsuwan
 
Ch06b-Computer Security
Attaporn Ninsuwan
 
Ch5-Computer Security
Attaporn Ninsuwan
 
Ch04-Computer Security
Attaporn Ninsuwan
 
Chapter5 - The Discrete-Time Fourier Transform
Attaporn Ninsuwan
 
Chapter4 - The Continuous-Time Fourier Transform
Attaporn Ninsuwan
 
Chapter3 - Fourier Series Representation of Periodic Signals
Attaporn Ninsuwan
 
Chapter2 - Linear Time-Invariant System
Attaporn Ninsuwan
 
Ad

Recently uploaded (20)

PPTX
HYDROCEPHALUS: NURSING MANAGEMENT .pptx
PRADEEP ABOTHU
 
PDF
0725.WHITEPAPER-UNIQUEWAYSOFPROTOTYPINGANDUXNOW.pdf
Thomas GIRARD, MA, CDP
 
PPTX
How to Convert an Opportunity into a Quotation in Odoo 18 CRM
Celine George
 
PDF
LAW OF CONTRACT (5 YEAR LLB & UNITARY LLB )- MODULE - 1.& 2 - LEARN THROUGH P...
APARNA T SHAIL KUMAR
 
PPTX
Cultivation practice of Litchi in Nepal.pptx
UmeshTimilsina1
 
PDF
DIGESTION OF CARBOHYDRATES,PROTEINS,LIPIDS
raviralanaresh2
 
PPSX
Health Planning in india - Unit 03 - CHN 2 - GNM 3RD YEAR.ppsx
Priyanshu Anand
 
PPTX
STAFF DEVELOPMENT AND WELFARE: MANAGEMENT
PRADEEP ABOTHU
 
PPTX
Stereochemistry-Optical Isomerism in organic compoundsptx
Tarannum Nadaf-Mansuri
 
PPTX
ASRB NET 2023 PREVIOUS YEAR QUESTION PAPER GENETICS AND PLANT BREEDING BY SAT...
Krashi Coaching
 
PDF
SSHS-2025-PKLP_Quarter-1-Dr.-Kerby-Alvarez.pdf
AishahSangcopan1
 
PDF
The Constitution Review Committee (CRC) has released an updated schedule for ...
nservice241
 
PDF
CONCURSO DE POESIA “POETUFAS – PASSOS SUAVES PELO VERSO.pdf
Colégio Santa Teresinha
 
PPTX
PATIENT ASSIGNMENTS AND NURSING CARE RESPONSIBILITIES.pptx
PRADEEP ABOTHU
 
PPT
Talk on Critical Theory, Part II, Philosophy of Social Sciences
Soraj Hongladarom
 
PPTX
SPINA BIFIDA: NURSING MANAGEMENT .pptx
PRADEEP ABOTHU
 
PPTX
THE TAME BIRD AND THE FREE BIRD.pptxxxxx
MarcChristianNicolas
 
PDF
People & Earth's Ecosystem -Lesson 2: People & Population
marvinnbustamante1
 
PDF
Lesson 2 - WATER,pH, BUFFERS, AND ACID-BASE.pdf
marvinnbustamante1
 
PPT
Talk on Critical Theory, Part One, Philosophy of Social Sciences
Soraj Hongladarom
 
HYDROCEPHALUS: NURSING MANAGEMENT .pptx
PRADEEP ABOTHU
 
0725.WHITEPAPER-UNIQUEWAYSOFPROTOTYPINGANDUXNOW.pdf
Thomas GIRARD, MA, CDP
 
How to Convert an Opportunity into a Quotation in Odoo 18 CRM
Celine George
 
LAW OF CONTRACT (5 YEAR LLB & UNITARY LLB )- MODULE - 1.& 2 - LEARN THROUGH P...
APARNA T SHAIL KUMAR
 
Cultivation practice of Litchi in Nepal.pptx
UmeshTimilsina1
 
DIGESTION OF CARBOHYDRATES,PROTEINS,LIPIDS
raviralanaresh2
 
Health Planning in india - Unit 03 - CHN 2 - GNM 3RD YEAR.ppsx
Priyanshu Anand
 
STAFF DEVELOPMENT AND WELFARE: MANAGEMENT
PRADEEP ABOTHU
 
Stereochemistry-Optical Isomerism in organic compoundsptx
Tarannum Nadaf-Mansuri
 
ASRB NET 2023 PREVIOUS YEAR QUESTION PAPER GENETICS AND PLANT BREEDING BY SAT...
Krashi Coaching
 
SSHS-2025-PKLP_Quarter-1-Dr.-Kerby-Alvarez.pdf
AishahSangcopan1
 
The Constitution Review Committee (CRC) has released an updated schedule for ...
nservice241
 
CONCURSO DE POESIA “POETUFAS – PASSOS SUAVES PELO VERSO.pdf
Colégio Santa Teresinha
 
PATIENT ASSIGNMENTS AND NURSING CARE RESPONSIBILITIES.pptx
PRADEEP ABOTHU
 
Talk on Critical Theory, Part II, Philosophy of Social Sciences
Soraj Hongladarom
 
SPINA BIFIDA: NURSING MANAGEMENT .pptx
PRADEEP ABOTHU
 
THE TAME BIRD AND THE FREE BIRD.pptxxxxx
MarcChristianNicolas
 
People & Earth's Ecosystem -Lesson 2: People & Population
marvinnbustamante1
 
Lesson 2 - WATER,pH, BUFFERS, AND ACID-BASE.pdf
marvinnbustamante1
 
Talk on Critical Theory, Part One, Philosophy of Social Sciences
Soraj Hongladarom
 

Chapter 12 - Computer Forensics

  • 1. © 2002 by CRC Press LLC Chapter 12 Computer Forensics Michael J. Corby The computer forensics specialty is like the American TV show Quincy: Medical Examiner gone space age. Instead of putting facts together about a dead body from a few shreds of evidence, computers and their output are used to figure out the cause of a failure and possibly the perpetrator of a crime. This field has been evolving and developing since the mid- 1980s. With the proliferation of computer use, the need for computer forensics has become a necessary and natural consequence of both law enforcement and operations failure prevention. It is only now that the business community is evaluating ways to incorporate this practice into an effective security policy. The exact nature of computer forensics has been open to interpretation. The most basic definition is the collection, preservation, and analysis of computer-related evidence. Judd Robbins, a computer forensics trainer, has offered a more comprehensive definition: Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. Computer specialists can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information. Any or all of this information may help during discovery, depositions, or actual litigation.1 This definition allows for various applications that support the underlying practice that indicates there is no “right” way of conducting a computer forensic examination. In fact, much computer forensics work is part sci- ence and part art form. 
The main priority and goal of this discipline is to provide solid legal evidence that can be admitted into a court of law and can be understood by laypeople. Kenneth Rosenblatt, Deputy District Attorney for Santa Clara County, California (Silicon Valley), offers the following commentary on this situation that is particularly appropriate:
  • 2. © 2002 by CRC Press LLC There are a few guidelines and standard practices which present great frustration for forensics investigators. One reason for the lack of stan- dards stems from certain methods producing different results on dif- ferent computer equipment. Furthermore, the pace that technology is being developed prohibits the standardization of little; practices are at risk of becoming outdated quickly.2 In addition to the delicacy of collecting, analyzing, and preserving evi- dence, the examiner must conduct an examination under great time con- straints to recover operations and still maintain the integrity and admis- sibility of evidence. In other words, the chain of custody of evidence (where handling of evidence is logged and documented to prove that the evidence was not altered or compromised) is maintained throughout the entire analysis. Steps taken in a logically organized and well-documented manner diffuse a potential objection to compromised evidence and improve the potential for that evidence to withstand courtroom scrutiny. The steps used for criminal investigation are also highly valuable in inves- tigating the root cause of “flukes” or sporadic failures in the system envi- ronment. SCOPE OF COMPUTER FORENSICS Like the Quincy TV show, the initial investigation may not even hint at a possible crime or misbehavior. If the investigation is initiated with the expectation that data collection will need to withstand the scrutiny of a court trial, the processed audit trail and conclusions drawn will be well established and can be reviewed and confirmed by experts. These experts might be court witnesses, internal auditors, regulators, operations man- agers, or administrators. Events that warrant forensic analysis are not based simply on crimes but can be the result of human behavior, physical events, or organizational or operational issues. 
Human Behavior The term “computer forensics” often involves investigating and prosecut- ing those with criminal motivations. Possible frauds, thefts, or denial-of- service attacks are types of incidents that merit forensic examination. Although the potential for criminal prosecution increases, success may not. The burden of proof is highest in criminal cases requiring that evi- dence collected be of the highest quality. Human behavior can be as simple as a violation of company policy. It can also deny dependable service, compromise data or process integrity, violate privacy and trade secret agreements, or break the law. An event can occur because of a variety of human behavioral actions based largely on the “seven deadly sins,” nota- bly those of greed, jealousy, or revenge. Take a look at the following underlying behaviors associated with suspect activity:
  • 3. © 2002 by CRC Press LLC • Blackmail and extortion • Fraud • A disgruntled or surly employee • “Dropping the dime” • Sabotage or corporate espionage Blackmail and extortion are synonymous. These actions can be targeted at an employee who holds sole responsibility for a critical function in the organization (e.g., Information Systems, Finance, or Human Resources). An individual with significant responsibility can be threatened to use his or her position to commit a crime against his or her company. Let it be said that a huge percentage of the time, this temptation is one that is never considered. However, for some, this option is considered, especially if the employee has his or her reputation on the line. The direct source of the blackmail and extortion starts with the decision by a person (the black- mailer) to use knowledge of the person with the power (the blackmailee) for his or her own personal gain. For example, one person may learn of another’s skeleton in a closet and, in turn, threaten to post the information on the Internet unless there is compensation to keep the information from public attention. This malicious action is difficult to counteract and may leave few options for the victim. A corrupt person uses blackmail to force a person in power to prevent publication of a wrongdoing or an embar- rassing act. It is also possible for someone to extort information, services, or financial gain out of a person in power who has done nothing wrong. In this case, the defense of allegations may be difficult to prove and may result in costly legal fees and a severe distraction from regular duties. It may actually be easier to capitulate to the extortionist’s demands than to wage a viable defense. To combat this potential threat, the organization can periodically require staff to rotate responsibility among several peo- ple. The sensitive nature of the area will determine the number of people with access to its information and responsibilities. 
This separation of duties removes a concentration of power in the hands of one person while allowing for checks and balances within the group. If the “person with the power” changes frequently, the potential to wrongfully use that power is reduced. Fraud can be defined by combining the definitions of Black’s Law, American College, and Random House dictionaries, and court citations as: A perversion of the truth to induce a person to part with something valuable belonging to them using false or misleading representations. Elements of fraud include a false representation of a past or present fact by the defendant; a plaintiff action based upon reliance of that representation; and damages suffered by a plaintiff from the reliance of the misrepresentation.3
Computers and their link to the Internet can provide the fraudster with anonymity and validation in the same keystroke. Unfortunately, it can also render a very efficient mechanism for communicating with a vastly large number of possible victims, complete with an escape hatch to disappear with little or no traces. It is for these reasons that fraud runs rampant and will, in all likelihood, explode within this medium. Computer fraud has the advantage of being cloaked, thereby making it extremely difficult to detect and prove even if detected. As a result, at this stage, a proactive approach may be most successful; namely, educating the public and the workplace to the potential for fraud, coupled with firm, clear, and decisive security policies within the workplace.

Guarding against fraud requires constant vigilance because of its cyclical nature. In fact, enforcing good security practices, as a whole, is a cyclical procedure. The environment must be evaluated for the risk areas, policies are then created to address them, a logging system is created to document any incidents, the policies are audited for effectiveness, and then the process repeats. Security and fraud are both dynamic disciplines and require vigor, adaptability, patience, and creativity. Prudent programs strike a balance between these demands.

The disgruntled employee presents a particularly challenging problem to overall security. In this situation, the disgruntled employee has an agenda to retaliate against a company for some perceived wrong that he or she believes has occurred. The employee’s motivation is much greater, thereby making him or her far more persistent than a hacker would be in “getting the job done.” Vengeance is an undaunted ally to the disgruntled employee. Furthermore, a disgruntled employee is privy to the inner workings of the company, making it much easier to exploit company weaknesses to render harm. The damage exacted by a disgruntled employee can be particularly harmful — if not lethal. Erecting defenses against this threat has proven difficult. Formal security policies that are enforced can prove to be the difference between the damaging consequences of a disgruntled employee and preemptively thwarting them.

A surly employee who demonstrates cynical or negative behavior can become a disgruntled employee and be a perpetrator of more serious actions, including theft, damage, sabotage, or fraud. Good employees usually do not make a complete reversal of behavior and turn bad. Most people develop an attitude of revenge, spite, or bitter retaliation as part of a progressively more emotional campaign to retaliate against what is a perceived wrongdoing. Failure to get a raise or promotion, termination or layoff of a good friend, or hiring a new employee at a rumored higher salary can trigger a campaign to “get even.” The attitude can deteriorate over time until even criminal action seems reasonable. Employers must be aware of this festering bad attitude and give employees every chance to verbalize their fears, anger, and objections. This safety valve may not resolve the employee’s dilemma and can result in resignation or termination, but it can also help to prevent damage or criminal action. Again, the best method for reducing the potential for a bad incident lies in proper training and providing readily available information support services. It is crucial to encourage managers and co-workers who are unsure of a particular course of action to ask first in order to act knowledgeably.

The term “dropping the dime” is a street term that refers to an observer’s formally recorded information about an incident or a person committing a criminal act. He or she may become aware of the situation by chance or even by direct involvement. To address this potentially complex situation, the investigator or security officer must first ascertain the credibility of the informant. By establishing credibility, the investigator can begin to determine the extent of the situation, the players involved, and even the very existence of the situation. It is possible that an employee might fabricate a story to implicate another employee, hoping that ill consequences will befall the accused. By taking the employee’s story at face value, many resources can be wasted on an investigation and can even result in liability. In some situations, the informant might feel the need to retaliate against the criminal element involved in damaging or defrauding the company; he or she might perceive some wrong has been perpetrated against him or her. Therefore, by “blowing the whistle” on the entire operation, the spoils are denied to all. In this scenario, the informant can potentially get away with the crime while his or her cohorts suffer the consequences of termination and possible criminal prosecution. To avoid this potentially embarrassing situation, company investigators must carefully (but quickly) evaluate the complaint and the overall situation.
Finally, sabotage and corporate espionage are rapidly becoming issues that security professionals must be equipped to handle. The explosion of the Internet and the subsequent restructuring of the corporate environment have made it extremely difficult to secure the corporate perimeter against those who have a hidden agenda. Sabotage is carried out by an employee or an outsider who has gained access to the company’s information network with the intention of subverting a company’s products, services, or overall purpose. Industrial corporate espionage agents make their presence known and often frequent places (real or virtual) where a company’s trade secrets are intentionally acquired, traded, and sold. The best defense for limiting the impact and damage of such acts, once again, lies with sound security policies and practices that are regularly enforced. Audit trails and extensive logging must be implemented and regularly evaluated to determine that policies are followed and change those that have proven ineffective.
Physical Events

Computer forensics can evoke an image of people in lab coats with magnifying glasses or detectives stumbling around in a data center, poking and prodding disk drives. However, in the corporate world, computer forensics is often applied in a less clinical environment where forensic methods can diagnose the cause of incidents that stem from physical occurrences. The industry has known for years that physical events such as floods, fires, earthquakes, and other natural disasters can all wreak havoc with a system unless proper security and recovery controls and measures are in place. To respond to this, electrical or mechanical failures of computer systems (mainly hardware) have been addressed by systems managers who focus on the practice of backing up all data at regular intervals and rerouting communication activities to reduce the disruption and loss of services to end users. In some highly vulnerable applications such as banking ATM control, expensive fault-tolerant computers have been implemented. There are instances where physical access to work areas may be limited or denied because of obstructions (e.g., environmental hazards such as faulty wiring, unstable buildings, etc.). Many disaster recovery plans have been intricately written to mitigate the effects of these events and are often handled by activating satellite locations (hot and cold sites) and remote access capabilities. Often, simple events such as component theft and damage can be disruptive and cause serious service interruptions.

The financial impact of these problems can be addressed through insurance coverage, regular system backups, restricted access, and physical security (e.g., guards, video camera surveillance, etc.), but many times a physical event goes unidentified. The data center technicians walk around, talk to each other, and after a few minutes, shrug their shoulders and reinitiate the system or restart the application.
This author has been told several times by a software technician to simply reboot the computer and try again. Maybe the reboot operation resolves the problem, but why did it occur in the first place? My estimate is that over 90 percent of the causes of computer glitches are never really known. Maybe they actually are flukes, unexpected data, random communication signals, or accidental keystrokes; but what if they are more malevolent? What if these glitches are failed attempts to gain access or the result of malicious code gone bad? Forensics can be used very effectively to explain the real cause of these disruptions, especially when they affect many people. Too often, the server or shared processor is simply restarted in an effort to restore service as quickly as possible. If only some evidence were captured that could help determine the cause of the interruption, future recurrences of the same problem could be minimized. System weaknesses could be discovered and eliminated, thereby reducing the risk of future disruptive acts. Forensics is not just for the criminal, but the natural chaos surrounding physical disaster recovery as well.

Organizational Issues

All organizations have general system maintenance functions that occur periodically. These events can also cause inevitable problems. Whenever the computer hardware or operating system is upgraded, there is increased potential for disruption. Installing new hardware and application software can also bring its own set of headaches. Even a good project manager develops plans to minimize and prevent the problems that accompany compatibility problems or other unknowns. (Nevertheless, to paraphrase the popular idiom, “unpredictable occurrences happen.” If I had a penny for every time a “routine” change that should pose “no problem” caused a disruption in service, I would not be a millionaire, but I bet I would have a pretty nice dinner.)

If technical changes are commonplace, organizational changes are even more so. People leave their jobs, new people are hired, and people move around within an organization. There are learning curves, procedures that slip through the cracks, and little-known facts galore. These potentially disruptive events can often be as devastating as fires, earthquakes, or white-collar crimes. Forensic evaluation cannot discount these events from causing problems as well.

Operational Issues

Last, but not least, normal operation is not 100 percent reliable. Sometimes, programs have errors in them that cause the system to stop or abruptly “hang” or “crash.” Behind every interruption is a cause. Computers do not think for themselves. They do not know revenge, spite, or getting even (although one sometimes has to wonder). Murphy’s law, however, has no doubt been burnt into their microchips so that they will fail when it is most critical that they run perfectly.
Although the first inclination is to call any operational malfunction a “computer error,” forensic analysis should be conducted to determine if there was a preventable condition or if, as mentioned before, the failure was the result of an unsuccessful criminal attempt. If the system that is affected houses strategic, sensitive, or critical financial data, a forensic analysis and report should be completed for every operational disruption, even if the cause is obvious.

DIRECT AND INDIRECT RESULTS OF DISRUPTIVE EVENTS

The costs to an operation, either business or organizational, as a result of an incident’s occurrence can range from minimal to destructive. These results can take the form of loss of service, discontinuity of reporting, or profit loss. None of these results is pleasant. One could detail an extensive cost justification for computer forensics to be employed after each event, but that kind of study is thankfully not part of the recovery process. Suffice it to say, disruptions are to be minimized. Where forensics can be of real value is when the forensic process is reviewed and procedures are put in place before the disruption occurs. Details of how this is done are given in the next section. For now, consider each of the results.

Loss of Service

Any disruption caused by an incident can result in a loss of service. The extent of the disruption can range from a minor inconvenience to the complete and prolonged loss of core business functions. Often, the degree of disruption depends on how dependent the business is on the computerized information network. For example, a mailing list company that relies solely on accurate and timely maintenance of its databases of addresses and client information would be brought to the brink of disaster if an event occurs that cripples the operation of those databases. This is a clear example of the heavy reliance on computerized information. Many industries — notably investment, freight movement, railroad, air traffic control, etc. — behave the same way. However critical it is to a particular industry or operation, computing has become an integral function of most businesses and organizations. The widespread use of desktop computers is a clear manifestation of this dependence within organizations — both public and private.

Loss of service directly translates into a drop in personal productivity. First, there is the period of uncertainty regarding whether the system is “up” or “down.” This may be 5 to 15 minutes.
Next is the “water cooler” discussion that results when people who are denied computer service congregate at the coffee maker or water cooler to talk about the system or its reliability or relate stories about the last disruption. This can go on for a while. Finally, someone in the group places a phone call or gets the system functioning again. Even if nothing criminal has happened or the disruption has been minimal, a potentially large number of people may have been inconvenienced and the business has just lost tens to hundreds of hours of employee productivity, for which salary dollars have been spent. Some may call this the cost of doing business, but if the disruption was purposely caused, it could also be called theft or sabotage.

Discontinuity of Reporting

Business operation is often hampered when information does not flow freely between functions and among people. When computer services are interrupted, the organization must put aside standard practices and begin running in an alternative mode. Invariably, productivity is impacted and the bottom line is accordingly affected. If this frequently occurs in a business setting, results will be unacceptable.

In addition, over the past several years, organizations have implemented functional reporting systems that depend on computer data to provide managers and administrators with key operating data. Many times, these systems have formed a closed-loop feedback system where operational changes generate performance data, which is then analyzed by management to determine if the operational change was effective. Interruptions in the collection of the data points and fluctuations in productivity caused by computer interruptions can skew these results and lead management to incorrect or flawed conclusions. Either by forcing alternate methods of communication or by causing “gaps” in the data collected from normal operations, interruptions can change the results from success to failure in a short period of time. Again, proper forensic analysis of the reasons for interruptions can help minimize future occurrences and can also help identify changeable factors that minimize the effect of these interruptions.

Productivity, Profit, and Loss

Almost any company can be successful if everything works as planned and there are no operating surprises. Rarely, if ever, is this the case for very long. Many daily events directly impact productivity levels, which translates into profit losses due to the slowing or obstruction of normal organizational activities. Irrespective of the organization’s mission (for profit, nonprofit, or public service), computer failures can cripple or destroy mission objectives. Without dependable and reliable systems, the success of an organization hangs in the balance.
It is a responsible and appropriate organization that takes interruptions seriously and employs prudent methods to determine the cause of interruptions and reduce their potential for recurrence. If, in fact, the interruption was caused on purpose, it is similarly prudent to take personnel or legal action to dissuade the perpetrator or others from completing the same or similar acts in the future.

There are no excuses for not taking precautions and employing procedures that stabilize and maximize productivity. By taking care of the workplace activity, it usually follows that profits or nonfinancial benefits (employee pride, creativity, reputation, or fulfillment) are maximized and the potential for loss — financial or otherwise — is minimized. Using computer forensics to some degree simply makes good business sense.
ELEMENTS OF FORENSIC ANALYSIS

Computer forensics is not just figuring things out, but rather a structured process of evidence preservation, damage control, and system restoration. Much of what is completed during a forensic investigation cannot be predefined because it is highly dependent on the unique events as they exist and the technical skills of the investigator. Nonetheless, some standard procedures can be followed that make good sense in completing any specific forensic analysis activities. A computer forensic analyst must be well versed in pre-event activities, recovery methods, and determining the cause of an interruption or event.

Pre-Event Preparation

Effective computer forensics does not start when the event occurs. Sure, maybe this is when most organizations think of such activity and the result may actually be useful, but the cost is usually very high and the effectiveness is often less than 100 percent. The reasons for this are threefold:

1. Data that could have been a key resource in identifying facts surrounding the event may not have been captured by the system logs and audit trails.
2. Pressure from business operations results in a quick rush to restore system operation. As part of the start-up process, the problem can be exacerbated and key signals of what happened can be destroyed.
3. The opportunity for research and investigation of several theories is limited because of the time involved in reviewing the information and the potential destruction of the logs or evidentiary data in testing the theory.

To provide the elements needed for an optimal forensic evaluation, the system must be prepared to capture, preserve, and effectively analyze the operational information immediately preceding the event. Logging and documenting everything includes inventories of hardware, files, applications, door positions, locks, and access controls. This will supply a reference that can hold up in court if necessary.
Trust nothing to memory, which becomes less clear over time and may be successfully invalidated by an astute attorney. Backups, logs, and audit trails are generally available for all systems and even for some components such as network connectors and modems. Knowing how to activate these logs and where to record the information provided by them is key to effectively capturing data. Frequently, when a system is restarted, logs are erased or overwritten, thus destroying evidence. Care must be exercised to avoid this crucial loss. The most effective way to do this is to not restart or reboot the system. The entire data structure and system boot sequence should be left unchanged while the data is copied to alternate media. Several software programs exist to do this, but there are some limitations. For example, if the system that was affected is running Windows NT and uses the NTFS file system, data is not available by booting from a regular DOS disk. For Windows NT and Novell LAN servers, the following simple and usually cost-effective methods are recommended:

• Keep the system startup data, audit logs, and other volatile information on a single disk drive. Nothing else should be kept on that drive.
• When an event occurs, the first steps would be to secure the site to determine if any physical evidence is available or if safety precautions must be taken (e.g., if the computer has been booby-trapped). If the computer is powered on prior to the incident’s occurrence, any volatile data available would be copied.
• Restoration will occur on mirror-image copies; the second copy (and maybe others) can be used to evaluate evidence, list and review logs, and identify events that happened immediately before the event occurred.

Once these steps have been followed, research can be conducted, and the system should be restored to normal operation without risking the loss of key forensic data. Pre-event planning should facilitate this data recovery and restoration process. Similar methods can be adapted to other types of systems, including minicomputer and even mainframe operating environments.

Remember that all who handle the evidence must have been documented as doing so in order to prove that if called upon in court, records will show that the evidence was not altered, damaged, or corrupted.

Post-Event Recovery

Damage control is also important to minimize the event’s impact, which can (and will) translate into financial loss, productivity/service reduction, and loss of customer confidence.
All can be especially damaging for the long-term success of an organization if lowered customer confidence results in loss of repeat business. Crucial to any operation is the ability to quickly restore the system to its pre-event operational status. This must occur with minimal discontinuity and disruption to activity while limiting any further loss. In business, it can be difficult to balance management’s decision to absorb the cost of evidence destruction and future prosecution possibilities in the face of a short-term desire to minimize operation disruption, productivity levels, profit loss, etc. For this reason, a forensics expert must be “tough” in the face of adversity. The challenge of the hunt is many times stopped short because of a business decision to accept the risk of future events or to minimize the cost (financial and public relations) of any investigation and possible prosecution. Nevertheless, if the pre-event plans have been put in place and are followed, the system can typically be restored to normal operation in a relatively short time period, with all evidence intact and all records preserved properly.

Many tools and methods are available to help guide the prompt recovery of an affected system while still maintaining the evidence necessary to identify the cause and potential to prosecute perpetrators. An example of what can be done on the scene of a potential crime investigation is outlined in the following summary.

Collect Evidence.

• Conduct a “no touch” examination of the physical site that includes observations and recordings. When entering the site, each detail of the scene must be recorded and preserved. It is a good idea to bring video or still-camera equipment to provide visual backup for written records. The placement of the computer equipment, keyboard, mouse, computer output, references, cables and wires, and switches may all be important items of evidence. Written logs must be created, initialed, witnessed, or corroborated and then filed in a secure place. Evidence bags can be useful if there are items that are removed from the scene.
• Conduct an examination, disk “cloning,” and evidence collection. Install “Write-Block” to ensure one does not accidentally write to the hard drive. Furthermore, no programs should be executed from the hard drive of the suspect computer — a “safeboot” diskette is useful in preventing the computer from booting from the native hard drive. Install guest drivers for either Jaz or Zip drives where evidence is to be stored. Utilities that conduct a complete binary copy (e.g., Safeback, CPR Recovery Tools) are best because they preserve not only the files, but also the file slack — encrypted, hidden, and deleted files — and other subtle factors that can be important in the analysis phase (file-by-file copies are also possible). Two drives should be available for capturing evidence. Once copied, one “clone” can be replaced in the computer and one “clone” can be taken to an evidence research lab. The original should be placed in a sealed bag or envelope and, if appropriate, turned over to law enforcement or a court official for preservation as evidence. The original may be investigated further for fingerprints and even advanced magnetic remanence collection of overwritten files. If the computer is powered on, some additional evidence may be available. Remember that if the computer is suspected of being used for a crime, some common utilities and functions may be altered such that their use by an unsuspecting investigator could destroy incriminating evidence. Use utility programs that are brought to the scene to view logs, files that have been opened, and a history of what has transpired since the system was last activated. Some files may be rewritten or destroyed when the system is next powered on, so those files should be copied to the Jaz or Zip drive. Once the evidence has been collected, power-down the computer and take a physical inventory of the computer’s hardware.
• Restoring operation. Often, the system restoration takes first priority, but in forensics, restoration should only be initiated after the evidence has been preserved. This may be a rigorous procedure if the subject is unaware of the investigation. Photos or videotape can be handy in restoring the desk to its exact former appearance. If the system was turned on, one should restore it to its condition as left by the user. The only exception to full restoration would be a case where network or online connections may further compromise the company’s integrity or security. For example, if the crime was providing online availability of confidential data, that data should not be made available. Options to trap the offender can be used, including false databases or tracking methods that can identify who is involved in the crime. These trapping methods should be approached with caution. Technical, legal, and law enforcement advice should be sought before proceeding with any of these activities.

These crucial activities may be rigorous and time consuming, but they are essential for a successful analysis and potential prosecution. Only after the evidence has been preserved can an analysis begin with the objective to find the cause or trace the criminal’s activities.

Finding the Cause

Discovering the real cause of an event is the long-term objective of any forensic examination.
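The evidence-handling steps described above (the mirror-image copies and documented handlers of Pre-Event Preparation, and the binary copy, two-clone arrangement and sealed original of Collect Evidence) carried out in code, as an added example that is not from the chapter or from any tool it names. A constructed image file stands in for the suspect drive, a hardware write-blocker is assumed to sit in front of a real device, and SHA-256, the JSON-lines custody log and every function name here are this example's own choices.

```python
"""Evidence imaging with hash verification and a hash-chained custody log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # raw blocks, so file slack and unallocated space are kept
GENESIS = "0" * 64  # 'previous hash' carried by the first custody entry


def sha256_file(path: str) -> str:
    """SHA-256 of a file or raw device, read in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path: str, dst_path: str) -> dict:
    """Block-by-block copy; source opened read-only (hardware write-blocker assumed)."""
    src_hash = hashlib.sha256()
    size = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
    image_hash = sha256_file(dst_path)  # re-read from disk, not from the buffer
    if image_hash != src_hash.hexdigest():
        raise RuntimeError(f"image {dst_path} does not match its source")
    return {"path": dst_path, "size": size, "sha256": image_hash}


def entry_hash(entry: dict) -> str:
    """Canonical hash of a custody entry (without its own entry_hash field)."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only JSON-lines log; each entry hashes its predecessor, so any edit fails verify()."""

    def __init__(self, path: str):
        self.path = path
        self.prev = GENESIS

    def record(self, handler: str, action: str, evidence_sha256: str) -> dict:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "evidence_sha256": evidence_sha256,
            "prev": self.prev,
        }
        entry["entry_hash"] = entry_hash(entry)
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        self.prev = entry["entry_hash"]
        return entry

    @staticmethod
    def verify(path: str) -> bool:
        """True only if every line hashes correctly and links to its predecessor."""
        prev = GENESIS
        with open(path, encoding="utf-8") as f:
            for line in f:
                entry = json.loads(line)
                stored = entry.pop("entry_hash", None)
                if entry.get("prev") != prev or entry_hash(entry) != stored:
                    return False
                prev = stored
        return True


def acquire(device_path: str, workdir: str, handler: str) -> dict:
    """Hash the original, make a working clone and a lab clone, log each step; all must agree."""
    log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
    original = sha256_file(device_path)
    log.record(handler, "hash original device (read-only)", original)
    working = image_device(device_path, os.path.join(workdir, "clone_working.dd"))
    log.record(handler, "create working clone for restoration", working["sha256"])
    lab = image_device(device_path, os.path.join(workdir, "clone_lab.dd"))
    log.record(handler, "create lab clone, sealed for analysis", lab["sha256"])
    if not original == working["sha256"] == lab["sha256"]:
        raise RuntimeError("clone hashes diverge from the original")
    log.record(handler, "verify original and both clones match", original)
    return {"original_sha256": original, "working": working, "lab": lab, "log": log.path}


def demo_acquisition() -> dict:
    """Runs acquire() on a constructed 8,060-byte 'disk' in a temp directory."""
    workdir = tempfile.mkdtemp(prefix="forensic_demo_")
    device = os.path.join(workdir, "suspect_disk.img")  # stand-in for a real device
    with open(device, "wb") as f:  # constructed content, not real data
        f.write(b"LIVE FILE: quarterly_report.xls\n")  # 32 bytes, a live file
        f.write(b"\x00" * 6000 + b"DELETED REMNANT: draft memo\n")  # free space + 28-byte slack remnant
        f.write(b"\xff" * 2000)
    return acquire(device, workdir, "Examiner A (constructed name)")
```

Running demo_acquisition() leaves both clones and custody.jsonl in a temporary directory; CustodyLog.verify() returns False as soon as any line of that log is altered, removed, or appended outside the chain.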
This analysis can be relatively short term or extensive, depending on the size of the system being examined; anything from a stand-alone PC to a mainframe determines the need for in-depth forensic analysis. The skills of forensic investigators, the equipment, and the time to launch a thorough and successful examination can all impact the time necessary to reach a conclusion. Often, the most surprising factor in a forensic evaluation is that computer forensics is both time and labor intensive. Determining a cause may be quick and easy, but doing so in a way that will be admissible in court can take much longer due to the need to record and validate every action. As computing capabilities increase in storage and application capacity, the amount of information that must be disseminated will also increase greatly.
Computer forensics investigation requires substantial training. Fortunately, most aspects are not “rocket science” because of its methodical nature. Also, too much technology increases the risk that a judge or jury may not understand such highly complicated methods. Still, technical tools must be used to determine what the information collected can reveal. Everything should be examined, including deleted files, encryption, hidden files, and directories. Tools can be acquired to help this examination process. The fundamentals apply to most operating environments, but they must be adapted to the specific environment and suspected cause of each occurrence. The only constant factor in a forensic investigation is that there are no absolutes. Even the most skilled computer forensics expert experiences situations that can stop an investigation. Three common situations are:

• The loss value is small compared to the cost of investigation and prosecution.
• The legal case against the perpetrator (if identified) is too weak to prosecute.
• The system’s technology being examined surpasses the capabilities of current forensic tools.

Furthermore, the tools, system conditions, and environment parameters vary with each event. No two investigations are ever exactly the same.

FINAL OBJECTIVES OF FORENSICS

Proof in Court⁴

Proving an incident’s occurrence and identifying a perpetrator under a legal reading can be particularly challenging. In addition to the amount of resources expended on forensics (time, labor, money, etc.), the overall process is taxing. The United States and many other countries are founded on the presumption of innocence. Each court system is different; legislation has not advanced at the same clip as technology, and attorneys and legal counsel are not all equally well trained in computer technology and white collar crime. The U.S. legal system still demonstrates a lack of understanding on the part of the key players within the legal system — magistrates, attorneys, juries, etc. There are instances where there are knowledgeable participants, much to the delight of the techno-expert, but they are not yet the norm. Some courts are more receptive to prosecuting this type of crime, while others are still resistant to the technological advances within this society. Current legislation tends to be vague and limited. Of course, technology’s rapid advancement challenges any standardization and regulation. Laws handle tangible issues, while free-flowing information is difficult to quantify and legislate. This is apparent with the issue of jurisdiction in the United States — state, federal, and international — which is complicated by data “crossing” state lines in committing a criminal act. Jurisdiction is extremely complex. Fortunately, some steps have been taken both at the federal and state levels to attempt to catch up with the wave of computer crime. International boundaries remain the most daunting aspect of prosecution, to the point where some cases may not even be viable. As a result, diplomatic channels must be employed to bolster this effort. It is a start, but there is much work to be done in this area. Until then, forensic analysts must continue to be especially careful and meticulous in gathering computer evidence.

Proof As a Business Function

Proving and determining why an event occurred as a function of computer security is smart business practice. Using computer forensics procedures as proactive tools can enhance and strengthen security policies. Furthermore, by finding the source of the incident, policies, practices, and programs can be implemented to mitigate and even prevent future occurrences. By running a tighter ship, system reliability can directly impact future success (e.g., profits, services, and general customer satisfaction and confidence). Computer forensics can improve security but cannot, on its own, create good security. For computer forensics to be conducted at an optimal level, standard security practices must be constructed and enforced on a regular basis. Logging and auditing are two particularly crucial security practices that greatly enrich the effectiveness of computer forensics.

Computer forensics, as part of the business function, requires diligence, methodical procedures, and a bit of technological savvy. The journey begins. As the frequency of computer events continues to increase, computer forensics will become an integral function within any well-organized organization.
When computer forensics begins to emerge as a viable business function, insurers, investors, and venture capitalists will begin to include forensics capability in their evaluation of companies during due diligence. The results, as usual, will be seen in financial terms. Then we will really see computer forensics flourish as a business specialty.

CONCLUSION

Computer forensics is indeed on the cutting edge of technology — not as a high-tech advanced specialty, but as a viable and necessary business function of the twenty-first century. Computer crimes committed over the Internet, the computer knowledge gained by the general public (for good or bad), and the use of computers in traditional criminal activities such as drug trafficking, vice activities, and good old theft and murder have put the computer in the company of traditional criminal tools. Industry needs to treat computers the same way it would treat any business risk, with knowledge and measured intelligence.

What makes computer forensics especially appealing is the continued mystery surrounding the computer systems environment in general. As criminals get smarter, the business community stays the same but simply uses computers more. The next time a system “freezes,” “crashes,” or “bombs,” think … was it another computer glitch or did someone just try to steal money, data, or knowledge? It is like the story of the mosquito (which may or may not be true, but makes a nice story). The male mosquito makes noise but does not bite, while the female mosquito needs your blood to mature newly hatched eggs, but is silent. So the next time you are lying awake on a summer night and hear a mosquito, do not worry, it is a male and will not bite you. However, if you are lying awake and hear nothing …

Notes

1. Judd Robbins, “An Explanation of Computer Forensics by Judd Robbins” [article online]; available from http://www.knock-knock.com/forens01.htm.
2. Kenneth S. Rosenblatt, High-Technology Crime: Investigating Cases Involving Computers, San Jose: KSK Publications, 1995, 224.
3. “Fraud — A Criminal Offense” [definition online]; available from http://www.uslawbooks.com/books/fraud.htm.
4. David L. Carter, Computer Crime Categories, FBI Law Enforcement Bulletin, July 1995, 21–26; Kenneth S. Rosenblatt, High-Technology Crime, San Jose: KSK Publications, 1995; John G. Sauls, Computer Searches and Seizures: Challenges for Investigators, FBI Law Enforcement Bulletin, June 1993, 24–32.