Computer Forensic Evidence

April 27, 2011


Ever since computers and the internet became the tools that drive businesses toward their goal of making profits online, the crimes of computer intrusion, credit card fraud and fraudulent purchases have increased on e-commerce sites (wherever money goes, crime follows). Today's attackers are more efficient and more aggressive in seeking financial gain than ever before, and new regulations and standards are in place to respond to computer security breaches. Any investigation of a security incident must be handled by a well-trained person. An untrained individual, whether a system administrator, a law enforcement officer or a computer security expert, may accidentally destroy valuable evidence or may fail to discover crucial clues of unauthorized activity (Prosise and Mandia, 2001).

Incident Response and Data Collection

Prosise and Mandia (2003) stated that computer forensics (cyber forensics) is the application of computer investigation and analysis techniques to collect evidence about cyber crime incidents. The main goal of computer forensics is to preserve evidence while performing a structured investigation to understand exactly what happened on a computer and who was responsible. Such an investigation follows a set of standard procedures. Before any investigation begins, the computer in question has to be isolated so that it cannot be contaminated by accident. The only part of the computer that carries permanent data is the hard drive, so a copy of the hard drive has to be made. Once the copy is complete, the original hard drive is locked in a secure place that maintains its condition, and all investigation is done on the digital copy. Many forensic applications are available to examine the copy and search for hidden folders and deleted or damaged files. Any evidence found during the search of the digital copy is documented, verified against the original media and recorded in the findings report. Forensic experts ensure that all gathered evidence is preserved in its original form. Some of the facts known to forensic experts are:

  • Deleted files can be recovered even after the hard drive has been formatted several times.
  • Most online activity can be revealed during the search for forensic evidence, such as which web sites were visited and which files were downloaded.
  • Any document printed from the computer can be revealed during the search, even if the document came from a floppy disk or other removable media.
  • Forensic analysis can reveal the history of any file on the hard drive, such as when the file was last accessed and when it was deleted.
  • During forensic analysis, any encrypted file can be decrypted.
  • Forensic analysis can also reveal activity related to e-mail access tools, even when a web-based e-mail service such as Yahoo, MSN or Hotmail was used.
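The first item above, that deleted files survive a format, rests on the fact that deleting a file or quick-formatting a volume rewrites file-system bookkeeping rather than the data sectors. The following Python example is added here and is not code from the post or from the cited authors: it carves files out of a constructed raw image by scanning for header and footer signatures, the technique recovery tools fall back on when no file-system metadata points at the data. The image layout, the file names and the `carve`, `quick_format` and `full_wipe` helpers are assumptions for illustration; the magic bytes for JPEG and PNG are real.

```python
# Signature-based file carving over a raw disk image (added example).
# Header and footer bytes are the real JPEG and PNG magic values.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

SECTOR = 512  # size of the constructed "file-system table" sector


def carve(image: bytes, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return (type, offset, data) for every header that has a matching footer
    within max_size bytes. No file-system metadata is consulted at all."""
    found = []
    for ftype, (header, footer) in signatures.items():
        start = 0
        while True:
            head = image.find(header, start)
            if head == -1:
                break
            tail = image.find(footer, head + len(header), head + max_size)
            if tail == -1:
                start = head + 1          # header without footer: skip it
                continue
            end = tail + len(footer)
            found.append((ftype, head, image[head:end]))
            start = end
    return sorted(found, key=lambda hit: hit[1])


def build_sample_image():
    """Constructed toy disk (assumption, not a real file system): one sector of
    'file-system table' followed by data sectors holding two files."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-pixels" * 8 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"IEND\xaeB`\x82")
    table = b"FSTABLE: photo.jpg@1024 logo.png@2048".ljust(SECTOR, b"\x00")
    image = bytearray(4096)
    image[0:SECTOR] = table
    image[1024:1024 + len(jpeg)] = jpeg
    image[2048:2048 + len(png)] = png
    return bytes(image), jpeg, png


def quick_format(image: bytes) -> bytes:
    """Simulate a quick format: only the table sector is rewritten, so the
    names and locations are gone but the data sectors are untouched."""
    return b"\x00" * SECTOR + image[SECTOR:]


def full_wipe(image: bytes) -> bytes:
    """Simulate overwriting every sector; nothing is left to carve."""
    return b"\x00" * len(image)


if __name__ == "__main__":
    disk, _, _ = build_sample_image()
    for kind, offset, data in carve(quick_format(disk)):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
    print("after full wipe:", carve(full_wipe(disk)))
```

Carving by signature recovers only files whose header and footer bytes are still present: after the quick format both files are found at their original offsets, while the fully overwritten image yields nothing. A carved file that no file-system entry accounts for is exactly the kind of finding that is then verified against the original media and documented.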

Many factors can affect the way an incident is handled; legal, political, business and technical factors may all change the shape of the investigation and the way it is approached. The investigator should be prepared to face any of these factors so that the evidence can be presented free of any influence that stood in the way of the investigation. The investigator also has to plan an approach in advance that obtains all the information without affecting any potential evidence (Prosise and Mandia, 2001).

Only a few years ago did computer forensics become an important method for identifying and prosecuting computer criminals; before then, many computer crime cases were left unsolved because forensic methods and techniques were not yet mature. One of the main reasons an investigation fails is lack of preparation, together with a lack of the tools and skills required for gathering evidence. In many instances all of these are in place, yet the organization lacks the correct procedures and training, which can lead to unwanted results such as the collected evidence being disputed.

To avoid such problems, computer forensics seeks to establish a framework that can be applied to the broad task of extracting and examining evidence from computer crime scenes. A general framework guarantees that certain steps are considered in order to conduct a successful computer crime investigation. All organizations should also have standard policies and procedures in place to improve the success of forensic investigations, and should institute internal policies and procedures to protect themselves against computer crime. These procedures and standards state clearly what constitutes a harmful action against the organization and the essential steps toward protecting its information and assets. The next step for an organization is to apply the correct forensic framework for gathering evidence suitable for presentation in a court of law. Within that framework, every forensic investigation has to comply with legal requirements and be conducted in a scientific manner, and evidence has to be collected in this way regardless of the purpose (e.g. a court case or an internal investigation) (Kohn and Elof, 2004).


Kohn and Elof (2004) stated that a number of frameworks are available for conducting a forensic investigation. Each framework follows a different model: some focus on the investigation as a whole, while others emphasize a particular stage of it. Some examples of these models are:

  • The Department of Justice model – Four phases: Collection, Examination, Analysis, and Reporting.
  • The Scientific Crime Scene Investigation model – Four phases: Recognition, Identification, Individualization, and Reconstruction.
  • The Digital Forensics Research Working Group model – Seven phases: Identification, Preservation, Collection, Examination, Analysis, Presentation, and Decision.

The frameworks mentioned above take similar approaches to the investigation, though some of them focus on different areas of it. To compile a reasonable framework, Kohn and Elof (2004) suggested one with the following stages: preparation, investigation and presentation. These stages also comply with the general definition of forensics and should be considered the minimum three stages for any investigation; they are contained in a framework that takes the legal requirements into account (Kohn and Elof, 2004).

Kohn and Elof (2004) explained that knowing the relevant legal basis before setting up the framework is an important step toward building the right one, and suggested that any framework for forensic investigation should include the following:

  • The preparation stage – Has to include the standards used within the organization and the policies that will assist the investigation. Elements that help the preparation stage are good training, the availability of legal advice, communication with the correct authorities, documentation of previous cases, and the approach strategy.
  • The investigation stage – Has to include searching for and identifying computer evidence, collecting it, securing the evidence collected at the scene, examining it with proper tools, and analyzing it to assess the value of what was found.
  • The presentation stage – An important step, since it is what the definition of forensics calls for; it should include presenting the analysis and providing the evidence for the theory reached during the investigation.

Prosise and Mandia (2001) explained that the philosophy behind preparing the incident response infrastructure is to provide answers to the questions the investigation will be looking for:

  • What exactly occurred?
  • Which system(s) were involved in and affected by the incident?
  • What information was compromised by the incident?
  • Who may have caused the incident?
  • What steps should be taken to quickly recover business operations?

Prosise and Mandia (2001) explained that the overall incident response methodology should involve the following steps:

  • Prepare for the incident
  • Detect the incident
  • Investigate the incident
  • Formulate the response strategy
  • Respond to the incident
  • Follow up on the details collected

Prosise and Mandia (2003) noted that common mistakes in handling evidence have to be avoided during the computer forensic process; some of these mistakes are:

  • Failure to maintain proper documentation – Every step of the investigation has to be documented.
  • Failure to provide accurate information to decision makers – Decision makers cannot make reasonable decisions without enough information.
  • Failure to control access to digital evidence – Control over access to the evidence and the network devices has to be maintained.
  • Failure to report the incident in a timely fashion – The longer the delay, the more likely that details relevant to the investigation will be forgotten.
  • Underestimating the scope of the incident – Preparation for the incident should consider the worst-case scenario.
  • No incident response plan in place – Execution without prior planning can lead to failure.
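The acquisition procedure described earlier (duplicate the drive, lock the original away, work only on the copy, verify findings against the original) and the first and third mistakes listed above (documentation and access control) rest on one mechanism: cryptographic hashes taken at acquisition and re-checked before and after analysis, with every check written to a custody log. The following Python example is added here and is not code from the post or from Prosise and Mandia. The file names, the `EXAMINER_PLACEHOLDER` value and the constructed `SAMPLE_DRIVE` bytes are assumptions, and a real acquisition would read the device through a hardware write blocker rather than `shutil.copyfile`; the hashing and logging steps are the same.

```python
# Acquisition verification and custody logging for a disk image (added example).
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a seized drive (assumption): 16 KiB of known bytes.
SAMPLE_DRIVE = bytes(range(256)) * 64


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_step(log, action, **details):
    """Append one timestamped, examiner-attributed entry to the custody log."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": details.pop("examiner", "EXAMINER_PLACEHOLDER"),
        "action": action,
        **details,
    }
    log.append(entry)
    return entry


def acquire_image(source, image, log):
    """Duplicate the source, then hash source and copy independently.
    Equal digests show the copy is bit-for-bit faithful to the original."""
    shutil.copyfile(source, image)
    source_hash = sha256_of(source)
    image_hash = sha256_of(image)
    log_step(log, "acquire", source=source, image=image,
             source_sha256=source_hash, image_sha256=image_hash,
             verified=source_hash == image_hash)
    return source_hash == image_hash


def verify_image(image, expected_sha256, log):
    """Re-hash the working copy before (and after) analysis. A mismatch means
    the copy changed since acquisition and cannot be relied on as evidence."""
    observed = sha256_of(image)
    ok = observed == expected_sha256
    log_step(log, "verify", image=image, expected=expected_sha256,
             observed=observed, verified=ok)
    return ok


def demo():
    """Acquire and verify a constructed drive in a temporary directory, then
    show that a single changed byte in the working copy is detected."""
    log = []
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "seized_drive.bin")   # stands in for the device
        image = os.path.join(workdir, "seized_drive.dd")     # working copy
        with open(source, "wb") as fh:
            fh.write(SAMPLE_DRIVE)
        acquired_ok = acquire_image(source, image, log)
        acquisition_hash = log[-1]["image_sha256"]
        verify_ok = verify_image(image, acquisition_hash, log)
        # Simulate an analyst accidentally writing to the working copy.
        with open(image, "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        tamper_ok = verify_image(image, acquisition_hash, log)
    return {"acquired": acquired_ok, "verified": verify_ok,
            "after_tamper": tamper_ok, "log": log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log is the documentation the first mistake warns about: each entry records who did what, when, and the digests observed, so a later reviewer can see that the copy matched the original at acquisition and that any later mismatch was caught before findings were drawn from a corrupted copy.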


In recent years society has witnessed a remarkable increase in the technologies available to it. As much as these technologies add advantages to our daily lives, they also bring disadvantages, among them the misuse of technology. With the internet being the most common means of entry, the two most common computer-based crimes are theft of proprietary information and fraud (Moore, 2005).

Computer forensics is the analysis of the information contained within computer systems. The main part of the investigation has to establish what occurred, when it occurred, how it occurred and who was involved. The first step for the certified investigator is to determine the purpose and objective of the investigation and to decide on the best framework to use. Before any investigation is done, the investigator must determine the legal issues at hand in dealing with the evidence, such as communication with attorneys and relevant case law. It is also imperative to establish clear guidelines that state the steps to be followed in the forensic process; these steps should clearly define a framework for the investigation. A thorough study of the framework helps avoid overlapping phases that can lead to destroyed evidence, and attending to the legal requirements of the framework and documenting every step within it leads to better results.


Kohn, M. & Elof, J. (2004) Framework for a Digital Forensic Investigation [Online]. Available from: (Accessed: 10 November 2009).

Moore, R. (2005) Search and Seizure of Digital Evidence. LFB Scholarly Publishing LLC [Online]. Available from: (Accessed: 10 November 2009).

Prosise, C. & Mandia, K. (2003) Incident Response: Computer Forensics. McGraw-Hill Osborne [Online]. Available from: (Accessed: 10 November 2009).

Prosise, C. & Mandia, K. (2001) Incident Response: Investigating Computer Crime. McGraw-Hill Companies [Online]. Available from: (Accessed: 10 November 2009).