Security.com

computer forensics (cyber forensics)

By Rahul Awati

What is computer forensics (cyber forensics)?

Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

Computer forensics -- which is sometimes referred to as cyber forensics, computer forensic science, or digital forensics -- essentially is data recovery with legal compliance guidelines to make the information admissible in legal proceedings.

Digital forensics starts with the collection of information in a way that maintains its integrity. Investigators then analyze the data or system to determine if it was changed, how it was changed and who made the changes.

Real-world case studies of computer forensics

Computer forensics has been used by law enforcement agencies and in criminal and civil law since the 1980s to collect evidence. Some notable cases include:

Murder is just one of the many types of crime computer forensics can aid in combating. Learn how forensic financial analysis software is used to combat fraud.

Why is computer forensics important?

As computers and other data-collecting devices are used more frequently everywhere, digital evidence -- and the forensic process used to collect, preserve and investigate it -- has become more important in solving crimes and other legal issues. Computer forensics plays a role in identifying and preserving digital evidence and also helps ensure its integrity when presented in court cases.

The goal of computer forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

The average person never sees much of the information modern devices collect. For instance, the computers in cars continually collect information on when a driver brakes, shifts and changes speed without the driver being aware. However, this information can prove critical in solving a legal matter or a crime, and computer forensics often plays a role in identifying and preserving that information.

Digital evidence isn't just useful in solving digital-world crimes, such as data theft, network breaches and illicit online transactions. It's also used to solve physical-world crimes, such as burglary, assault, hit-and-run accidents and murder.

Of course, its use isn't always tied to a crime. The forensic process is also used when the goal is data recovery: to gather data from a crashed server, failed drive, or reformatted operating system (OS), and in situations where a system has unexpectedly stopped working.

Businesses often use a multilayered data management, data governance and network security strategy to keep proprietary information secure. Having data that's well managed and safe can help streamline the forensic process should that data ever come under investigation.

As the world becomes more reliant on digital technology for the core functions of life, cybercrime is rising. As such, computer forensic specialists no longer have a monopoly on the field. See how the police in the U.K. are adopting computer forensic techniques to keep up with increasing rates of cybercrime.

Use cases for digital forensics

Digital evidence is useful in criminal investigations, particularly in solving cybercrime and digital-world crimes, such as data theft, network breaches and illicit online transactions. It's also used to solve physical-world crimes, such as burglary, assault, hit-and-run accidents, and even murder.

Businesses and governments also use computer forensics to find information related to a system or network compromise, and then use these discoveries to identify and prosecute cyberattackers. In addition, they can use digital forensic experts and processes to facilitate data recovery in the event of a system or network failure caused by a natural or other disaster.

Digital forensics are also used in civil litigation cases (fraud, divorce), and to investigate cases of intellectual property theft.

Types of computer forensics

There are various types of computer forensic examinations, including:

How does computer forensics work?

Forensic investigators typically follow standard procedures, which vary depending on the context of the forensic investigation, the device being investigated or the information investigators are looking for. In general, these procedures include the following three steps:

  1. Data collection. Forensic examiners search hidden folders and unallocated disk space on a digital device for copies of deleted, encrypted or damaged files, make a digital copy -- i.e., forensic image -- of the device's storage media, and then lock the original device in a secure facility. The investigation is conducted on the digital copy. They might also use publicly available information for forensic purposes, such as social media posts or charges logged in a payment application, such as public Venmo charges for purchasing illegal products or services displayed on the Venmo website.
  1. Analysis. Investigators analyze digital copies of storage media in a sterile environment to gather the information for a case using various tools including Basis Technology's Autopsy for hard drive investigations and the Wireshark network protocol analyzer. A mouse jiggler is useful when examining a computer to keep it from falling asleep and losing volatile memory data that is lost when the computer goes to sleep or loses power. Discovered evidence is carefully documented in a findings report and verified with the original device in preparation for legal proceedings.
  2. Presentation. The investigators present their findings in a legal proceeding, where it might be used to determine the result. In a data recovery situation, the investigators present what they could recover from a compromised system.

Often, multiple tools are used in computer forensic investigations to validate the results they produce. Learn how a researcher at Kaspersky Lab in Asia created an open source forensics tool for remotely collecting malware evidence without compromising system integrity.

Techniques used in computer forensics

Forensic investigators use a myriad of techniques and applications to examine digital copies of compromised devices. They search hidden folders and unallocated disk space for copies of deleted, encrypted or damaged files. Any evidence found on the digital copy is carefully documented in a finding report and verified with the original device in preparation for legal proceedings that involve discovery, depositions or actual litigation.

Computer forensic investigations use a combination of techniques and expert knowledge. Some common techniques include the following:

Computer forensics careers and certifications

Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification. The average annual salary for a computer forensic analyst is $101,612, according to Salary.com. Some examples of cyber forensic career paths include the following:

A bachelor's degree -- and, sometimes, a master's degree -- in computer science, cybersecurity or a related field are required of computer forensic professionals. There are several certifications available in this field, including the following:

Learn more about the tools and techniques required in a cloud computing forensics investigation. Also, read about the patchwork of organizations that work together to combat international cybercrime. Explore how digital forensics and incident response combine to detect, investigate and respond to cybersecurity events.

27 Feb 2024

All Rights Reserved, Copyright 2000 - 2024, TechTarget | Read our Privacy Statement