Beginner’s Guide to Computer Forensics


Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.


About this guide

This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not written in favour of either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term "computer", but the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license.

Uses of computer forensics

There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a 'scene of a crime', for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the 'meta-data' [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.
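The kind of meta-data the paragraph above refers to is easy to show concretely. The following is an added example, not code from the original guide: Word, Excel and PowerPoint files are zip containers, and the file docProps/core.xml inside them records who created the document, who last modified it and when. The document used here is constructed in memory (the title, user names, revision count and timestamps are made up) so the example runs offline; on a real case the examiner would run it against a verified copy of the seized file.

```python
"""Reading authoring meta-data from an Office Open XML document (.docx/.xlsx/.pptx).

Added example, not part of the original guide. The sample document and all of
its values are constructed here; nothing is read from disk.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from datetime import datetime

# Namespaces used by docProps/core.xml in the Office Open XML package format.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml for the sample document (names, dates and title are hypothetical).
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Q1 forecast</dc:title>
  <dc:creator>a.smith</dc:creator>
  <cp:lastModifiedBy>j.doe</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-03-01T09:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2023-03-04T17:42:10Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Build a minimal .docx-style zip in memory containing the constructed core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")      # placeholder, not a real manifest
        z.writestr("word/document.xml", "<document/>")    # placeholder body
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()


def _parse_w3cdtf(text):
    """W3CDTF timestamps end in 'Z'; turn them into timezone-aware datetimes."""
    if text is None:
        return None
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def extract_core_properties(docx_bytes: bytes) -> dict:
    """Return creator, last editor, revision count and created/modified times."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}                                  # some generators omit it entirely
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text_of(tag):
        node = root.find(tag, NS)
        return node.text.strip() if node is not None and node.text else None

    return {
        "title": text_of("dc:title"),
        "creator": text_of("dc:creator"),
        "last_modified_by": text_of("cp:lastModifiedBy"),
        "revision": text_of("cp:revision"),
        "created": _parse_w3cdtf(text_of("dcterms:created")),
        "modified": _parse_w3cdtf(text_of("dcterms:modified")),
    }


if __name__ == "__main__":
    for key, value in extract_core_properties(build_sample_docx()).items():
        print(f"{key:17}: {value}")
```

Two practical points: the examiner works from a hashed copy of the file, never the original, and embedded meta-data is trivially editable (see the anti-forensics issue later in this guide), so these values should be corroborated against file-system timestamps and any server or application logs before being relied upon.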

More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:

Guidelines

For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner's mind. One set of guidelines which has been widely accepted to help in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever legislature. The four main principles from this guide have been reproduced below (with references to law enforcement removed):


1. No action should change data held on a computer or storage media which may be subsequently relied upon in court.

2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary, no changes should be made to the original, but if access or changes are necessary the examiner must know what they are doing and must record their actions.

Live acquisition

Principle 2 above may raise the question: in what situation would changes to a suspect's computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device which is turned off. A write-blocker [4] would be used to make an exact bit for bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.

However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence may be lost. In both these circumstances the computer forensic examiner would need to carry out a 'live acquisition', which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner's hard drive.

By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain their actions. On a live system the most volatile data (the contents of memory, running processes, open network connections) is normally captured first, since every further action by the examiner overwrites some of it.
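The traditional acquisition described above, reduced to its essentials as an added example (this is not code from the original guide and is not any particular forensic tool): copy the source medium bit for bit into an image file, hash the source while it is read and the image after it is written, confirm the two hashes match, and record each step in an audit log so that an independent third party can repeat and check the process (principles 1 and 3). The 'source medium' here is a constructed temporary file of random bytes; on a real case it would be a block device sitting behind a hardware write-blocker, and the examiner identifier and tool string are placeholders.

```python
"""Bit-for-bit acquisition with hash verification and an audit trail.

Added example, not part of the original guide. The source medium, examiner
name and tool string are all constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time


def sha256_file(path: str) -> str:
    """Hash a file in chunks so very large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str, audit_log: str,
            examiner: str = "examiner-01", tool: str = "acquire.py (example)") -> dict:
    """Image `source` to `image`, verify the copy and write the audit trail."""
    entries = []

    def record(event, **fields):
        entries.append({"time": datetime.now(timezone.utc).isoformat(),
                        "examiner": examiner, "tool": tool, "event": event, **fields})

    record("acquisition_started", source=source, image=image)
    src_hash, size = hashlib.sha256(), 0
    # The source is opened read-only, but a hardware write-blocker is still needed:
    # the operating system, not this script, decides whether it touches the medium.
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())           # image must be on disk before we hash it
    record("image_written", bytes_copied=size, source_sha256=src_hash.hexdigest())

    image_hash = sha256_file(image)      # re-read from disk, not from the buffer we wrote
    verified = image_hash == src_hash.hexdigest()
    record("image_verified", image_sha256=image_hash, match=verified)

    with open(audit_log, "w") as f:
        json.dump(entries, f, indent=2)
    return {"bytes_copied": size, "source_sha256": src_hash.hexdigest(),
            "image_sha256": image_hash, "verified": verified}


def reverify(image: str, expected_sha256: str) -> bool:
    """Check later (before analysis, or in court) that the image is still unchanged."""
    return sha256_file(image) == expected_sha256


def demo() -> dict:
    """Acquire a constructed 3 MiB 'medium', then show that a single-byte change is caught."""
    with tempfile.TemporaryDirectory() as d:
        source, image, log = (os.path.join(d, n) for n in ("medium.bin", "medium.dd", "audit.json"))
        with open(source, "wb") as f:
            f.write(os.urandom(3 * CHUNK))   # constructed sample data
        result = acquire(source, image, log)
        intact = reverify(image, result["source_sha256"])
        with open(image, "r+b") as f:        # simulate accidental modification of the image
            f.seek(1234)
            original = f.read(1)
            f.seek(1234)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered_ok = reverify(image, result["source_sha256"])
        with open(log) as f:
            events = [e["event"] for e in json.load(f)]
    return {**result, "reverify_intact": intact, "reverify_tampered": tampered_ok, "events": events}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit log is what makes principle 3 work in practice: it carries the timestamps, the tool used and both hashes, so a second examiner can image the same medium with a different tool and confirm they obtain the same SHA-256.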

Stages of an examination

For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.


Readiness

Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer's built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job) and ensuring that your on-site acquisition kit is complete and in working order.


Evaluation

The evaluation stage includes the receiving of clear instructions, risk analysis and allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect's property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover reputational and financial risks on accepting a particular project.


Collection

The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information which could be relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. The 'bagging and tagging' audit trail would start here by sealing any materials in unique tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner's laboratory.


Analysis

Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. There are myriad tools available for computer forensics analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is for them to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis (if with tool 'A' the examiner finds artefact 'X' at location 'Y', then tool 'B' should replicate those results).
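Tool calibration and dual-tool verification, as an added example (not code from the original guide, and not any real forensic product): two independent 'tools', a plain byte scan and a regular-expression scan, look for JPEG and PNG file headers in a raw image. The image is constructed here with headers planted at known offsets plus a near-miss decoy, which is exactly the calibration case the paragraph describes: check each tool against known ground truth first, then check that tool A and tool B agree on the evidence. A deliberately faulty third tool, which never scans the last 4 KiB of an image, shows the kind of defect calibration catches.

```python
"""Calibrating carving tools against a known image and cross-checking two tools.

Added example, not part of the original guide. The test image, the planted
artefacts and the 'faulty' tool are all constructed for illustration.
"""
import re

# File signatures (magic bytes) that start JPEG and PNG files.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def carve_bytescan(image: bytes):
    """Tool A: a straightforward bytes.find() loop per signature."""
    hits = []
    for name, sig in SIGNATURES.items():
        pos = image.find(sig)
        while pos >= 0:
            hits.append((pos, name))
            pos = image.find(sig, pos + len(sig))
    return sorted(hits)


_PATTERN = re.compile(b"|".join(
    b"(?P<" + name.encode() + b">" + re.escape(sig) + b")" for name, sig in SIGNATURES.items()))


def carve_regex(image: bytes):
    """Tool B: one combined regular expression; lastgroup names the signature that matched."""
    return sorted((m.start(), m.lastgroup) for m in _PATTERN.finditer(image))


def carve_faulty(image: bytes):
    """A 'tool' with an off-by-a-block bug: it never scans the final 4 KiB of the image."""
    return carve_bytescan(image[:-4096])


def build_test_image():
    """Constructed 64 KiB image with artefacts at known offsets; returns (image, ground truth)."""
    image = bytearray(bytes(range(256)) * 256)     # filler that contains no signature
    plants = [
        (0x1000, "jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
        (0x8000, "png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
        (0xFF00, "jpeg", b"\xff\xd8\xff\xe1\x12\x34Exif\x00\x00"),   # sits in the last 4 KiB
    ]
    image[0x2000:0x2003] = b"\xff\xd8\x00"         # decoy: looks like JPEG but is not a header
    for off, _, data in plants:
        image[off:off + len(data)] = data
    truth = sorted((off, kind) for off, kind, _ in plants)
    return bytes(image), truth


def verify_tools(image: bytes, truth, tool_a, tool_b) -> dict:
    """Calibration: each tool against ground truth; dual-tool check: tool A against tool B."""
    a, b = tool_a(image), tool_b(image)
    return {
        "tool_a_correct": a == truth,
        "tool_b_correct": b == truth,
        "tools_agree": a == b,
        "missed_by_a": sorted(set(truth) - set(a)),
        "missed_by_b": sorted(set(truth) - set(b)),
    }


if __name__ == "__main__":
    img, truth = build_test_image()
    print("A vs B:     ", verify_tools(img, truth, carve_bytescan, carve_regex))
    print("A vs faulty:", verify_tools(img, truth, carve_bytescan, carve_faulty))
```

The point of the constructed image is that the answer is known in advance: a tool that misses the artefact at 0xFF00 is wrong regardless of how confident its output looks, and the disagreement between the two tools is what would flag the problem on real evidence where the ground truth is not known.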


Presentation

This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.


Review

Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need 'to get on with the next job'. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time effective. A review of an examination can be simple, quick and can begin during any of the above stages. It may include a basic 'what went wrong and how can this be improved' and a 'what went well and how can it be incorporated into future examinations'. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.

Issues facing computer forensics

The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.

Technical issues

Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer which the suspect has had access to. It could also reside in the volatile memory of a computer (known as RAM [6]), which is usually lost on computer shut-down; another reason to consider using the live acquisition techniques outlined above.
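Why a memory capture is worth taking before shutting a machine down can be shown with an added example (not code from the original guide, and not any existing forensic tool). Software that encrypts with AES keeps the expanded key schedule (176 bytes for AES-128) in RAM while it runs. The key itself is indistinguishable from random data, so searching for it directly is hopeless; but every round key in the schedule is derived from the previous one, so any 16-byte window whose following 160 bytes equal the AES expansion of that window is, with overwhelming probability, a key. This is the approach taken by the key-recovery tools from the cold-boot research. The 'memory dump' here is constructed: seeded random filler with a real schedule planted at a made-up offset, using the public FIPS-197 Appendix A test key.

```python
"""Finding an AES-128 key in a memory capture by key-schedule search.

Added example, not part of the original guide. The dump, the offset the
schedule is planted at and the seed are constructed; the key is the FIPS-197
Appendix A test vector.
"""
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def make_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1        # p walks through 3^k and q through 3^-k, so q is always p's inverse
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF    # p *= 3 in GF(2^8)
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF                                                 # q /= 3 (i.e. q *= 0xF6)
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                      # RotWord
            t = [SBOX[b] for b in t]               # SubWord
            t[0] ^= RCON[i // 4 - 1]               # Rcon
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(dump: bytes):
    """Return (offset, key_hex) for every 16-byte window followed by its own key schedule."""
    hits = []
    for off in range(len(dump) - 176 + 1):
        cand = dump[off:off + 16]
        # Cheap filter: derive only the first word of round 1 and compare 4 bytes.
        t = [SBOX[b] for b in cand[13:16] + cand[12:13]]
        t[0] ^= RCON[0]
        if bytes(a ^ b for a, b in zip(cand[:4], t)) != dump[off + 16:off + 20]:
            continue
        if expand_key_128(cand) == dump[off:off + 176]:    # full check on survivors only
            hits.append((off, cand.hex()))
    return hits


FIPS_197_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # public test vector


def build_dump(key: bytes = FIPS_197_KEY, size: int = 64 * 1024,
               plant_at: int = 0x3A10, seed: int = 1) -> bytes:
    """Constructed 'RAM dump': seeded random filler with the key schedule planted at plant_at."""
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(size))
    schedule = expand_key_128(key)
    dump[plant_at:plant_at + len(schedule)] = schedule
    return bytes(dump)


if __name__ == "__main__":
    for off, key_hex in find_aes128_keys(build_dump()):
        print(f"AES-128 key schedule at offset {off:#x}: key = {key_hex}")
```

On a real capture the same scan runs over the whole dump; the schedule is only there while the encrypting process is running and disappears once the machine is powered off, which is precisely the window a live acquisition preserves.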

Increasing storage space – Storage media holds ever greater amounts of data, which for the examiner means that their analysis computers need to have sufficient processing power and available storage to efficiently deal with searching and analysing enormous amounts of data.

New technologies – Computing is an ever-changing area, with new hardware, software and operating systems being constantly produced. No single computer forensic examiner can be an expert on all areas, though they may frequently be expected to analyse something which they haven't dealt with before. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect, as it's likely someone else may have already encountered the same issue.

Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files' meta-data and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience, it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence they were used to hide.

Legal issues

Legal arguments may confuse or distract from a computer examiner's findings. An example here would be the 'Trojan Defence'. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, including key-logging [7], uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user's knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect's computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.

Administrative issues

Accepted standards – There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to a number of reasons, including standard-setting bodies being tied to particular legislation, standards being aimed either at law enforcement or commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating.

Fitness to practice – In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.

Resources and further reading

There does not appear to be a great amount of material covering computer forensics which is aimed at a non-technical readership. However, the links at the bottom of this page may prove to be of interest:


1. Hacking: modifying a computer in a way which was not originally intended in order to benefit the hacker's goals.

2. Denial of Service attack: an attempt to prevent legitimate users of a computer system from having access to that system's information or services.

3. Meta-data: at a basic level meta-data is data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file's author, format, creation date and so on.

4. Write blocker: a hardware device or software application which prevents any data from being modified or added to the storage medium being examined.

5. Bit copy: bit is a contraction of the term 'binary digit' and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium 'invisible' to the user.

6. RAM: Random Access Memory. RAM is a computer's temporary workspace and is volatile, which means its contents are lost when the computer is powered off.

7. Key-logging: the recording of keyboard input giving the ability to read a user's typed passwords, emails and other confidential information.

Jeffery D. Silvers