
Computer Forensics: Donning Your Detective

Last reviewed: April 15, 2007

Computer forensics: Donning your detective hat (Biggs, 2005) describes computer forensic activity as a four-phase process that involves evidence collection, evidence preservation, analysis and reporting. While a high-level synopsis, the article does provide some useful insight into these steps, specifically the need for specialized forensics software.

In the collection phase, an organization should have forensic tools capable of collecting data from a wide variety of computer infrastructure components such as servers, hard drives, log files, applications, portable devices and security tools. Newer forensic tools eliminate the need to pull a suspect hard drive in order to make a write-protected image and, instead, allow extraction of an image from a CD on a separate machine. For larger, multi-user systems, it is not necessary to capture an image of all content, provided that the process is well documented and complies with legal seizure methods.

The next phase, preservation, requires the use of cryptographic checksums, mathematical values assigned to a file. These serve not only to make sure that data are properly transmitted and stored, but also to verify that the data have not been changed after collection. Forensic tools automate the generation of checksums and supply algorithms for creating digital signatures.

The article cautions that Unix- or Windows-based search tools are not sufficient to analyze collected information. Specialized forensic tools will be necessary to retrieve and analyze deleted, renamed and encrypted data that search tools will overlook. Further, forensic tools will help with complex information correlation. For example, to construct a timeline of events it may be necessary to tie network log stamps and data together with database access and usage logs.
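The timeline correlation described above can be sketched as follows. This is an added example, not code from the article or from any forensic product; the log formats, addresses, user names and the 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample logs (not from the article). The firewall records local
# time with a UTC offset; the database audit trail records UTC epoch seconds.
NETWORK_LOG = """\
2005-03-14 21:58:07 -0500 ALLOW 10.0.4.17 -> 10.0.9.5:1433
2005-03-14 22:01:42 -0500 ALLOW 10.0.4.23 -> 10.0.9.5:1433
2005-03-14 22:40:10 -0500 ALLOW 10.0.4.17 -> 10.0.9.5:1433
"""
DB_AUDIT_LOG = """\
1110855500 user=jdoe client=10.0.4.17 action=SELECT table=payroll
1110855720 user=svc_app client=10.0.4.23 action=UPDATE table=orders
1110861000 user=jdoe client=10.0.4.99 action=SELECT table=payroll
"""
NET_RE = re.compile(r"^(\S+ \S+ [+-]\d{4}) \w+ (\S+) -> \S+$")
DB_RE = re.compile(r"^(\d+) user=\S+ client=(\S+) action=\S+ table=\S+$")

def parse_network(text):
    """Parse firewall lines, converting offset-qualified local time to UTC."""
    events = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
            events.append({"ts": ts.astimezone(timezone.utc), "source": "network", "ip": m.group(2), "raw": line})
    return events

def parse_db(text):
    """Parse audit lines whose timestamp is UTC epoch seconds."""
    events = []
    for line in text.splitlines():
        m = DB_RE.match(line)
        if m:
            ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            events.append({"ts": ts, "source": "db", "ip": m.group(2), "raw": line})
    return events

def build_timeline(net, db):
    """Merge both sources into one list ordered by normalized UTC time."""
    return sorted(net + db, key=lambda e: e["ts"])

def correlate(net, db, window=timedelta(seconds=60)):
    """Pair each DB access with the latest connection from the same client IP
    seen at most `window` earlier; None marks an access with no such record."""
    pairs = []
    for d in db:
        prior = [n for n in net if n["ip"] == d["ip"] and timedelta(0) <= d["ts"] - n["ts"] <= window]
        pairs.append((d, max(prior, key=lambda n: n["ts"]) if prior else None))
    return pairs
```

In the sample data, the third database access has no matching network record, which is the kind of gap an examiner would follow up on once both sources share a common clock.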

Cite This Paper
PaperDue. (2007). Computer Forensics: Donning Your Detective. PaperDue. https://www.paperdue.com/essay/computer-forensics-donning-your-detective-38554
