Guide to Computer Forensics


Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.

About this guide

This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not written with a bias towards either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term ‘computer’, but the concepts apply to any device capable of storing digital information. Where methodologies are mentioned, they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons Attribution Non-Commercial 3.0 license.


Uses of computer forensics

There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a ‘scene of a crime’, for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators, but also the ‘meta-data’ [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed, and which user carried out these actions. More recently, commercial organisations have used computer forensics to their benefit in a variety of cases, such as:

  • Intellectual property theft
  • Industrial espionage
  • Employment disputes
  • Fraud investigations
  • Forgeries
  • Matrimonial issues
  • Bankruptcy investigations
  • Inappropriate email and internet use in the workplace
  • Regulatory compliance

Guidelines

For evidence to be admissible it must be reliable and not prejudicial, meaning that admissibility should be at the forefront of a computer forensic examiner’s mind at all stages of the process. One set of guidelines which has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer-Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever legislature. The four main principles from this guide are reproduced below (with references to law enforcement removed):

1. No action should change data held on a computer or storage media which may subsequently be relied upon in court.

2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary, no changes should be made to the original; however, if access to or changes of the original are necessary, the examiner must know what they are doing and must record their actions.

Live acquisition

Principle 2 above may raise the question: in what situation would changes to a suspect’s computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) data from a device which is switched off. A write-blocker [4] would be used to make an exact bit-for-bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.
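As an added illustration (not code from the original article), the following Python script carries out the acquisition just described against a constructed sample medium: a sequential bit-for-bit copy, a hash of the original taken before and after the copy to show it is unchanged (principle 1), and a JSON-lines audit trail that an independent third party can re-run (principle 3). The source is opened read-only, which is an assumed stand-in for a hardware write-blocker; the file names, examiner label and sample bytes are all constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large medium need not fit in memory

def hash_file(path):
    """SHA-256 over every byte of the file, read sequentially (the bit-for-bit view)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, dest, audit_log, examiner):
    """Copy `source` to `dest` bit for bit and record each step in a JSON-lines audit trail.
    The source is only ever opened read-only; a hardware write-blocker would enforce this
    physically, which plain file I/O cannot (assumption: read-only open stands in for one)."""
    def log(action, **detail):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
                 "action": action, **detail}
        with open(audit_log, "a") as f:
            f.write(json.dumps(entry) + "\n")

    log("hash_source_before", sha256=hash_file(source))   # baseline before anything else
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    source_after, copy_hash = hash_file(source), hash_file(dest)
    log("hash_source_after", sha256=source_after)         # same as before: original unchanged
    log("hash_copy", sha256=copy_hash)                    # what a third party re-hashes later
    log("verify", match=source_after == copy_hash)
    return source_after == copy_hash, copy_hash

def demo():
    """Constructed sample: a tiny 'storage medium' containing bytes no user would see."""
    workdir = tempfile.mkdtemp()
    medium = os.path.join(workdir, "suspect_disk.bin")
    with open(medium, "wb") as f:
        f.write(b"From: alice@example.test\r\n" + b"\x00" * 4096 + b"deleted note" + b"\xff" * 512)
    audit = os.path.join(workdir, "audit.jsonl")
    ok, digest = acquire(medium, os.path.join(workdir, "evidence_copy.raw"), audit, "examiner-1")
    with open(audit) as f:
        actions = [json.loads(line)["action"] for line in f]
    return ok, digest, actions
```

Running `demo()` returns `(True, <sha256 hex>, ['hash_source_before', 'hash_source_after', 'hash_copy', 'verify'])`; anyone holding the copy and the audit file can recompute the hash and compare it with the logged value.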

However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence may be lost. In both these circumstances the computer forensic examiner would need to carry out a ‘live acquisition’, which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner’s hard drive.

By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain their actions.

Stages of an examination

For the purposes of this article, the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.

Readiness

Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer’s built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job) and ensuring that your on-site acquisition kit is complete and in working order.

Evaluation

The evaluation stage includes the receiving of clear instructions, risk analysis and the allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect’s property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, and their evaluation would also cover the reputational and financial risks of accepting a particular project.

Collection

The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. The ‘bagging and tagging’ audit trail would start here by sealing any materials in unique tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner’s laboratory.

Analysis

Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. There are myriad tools available for computer forensic analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is for them to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis (if with tool ‘A’ the examiner finds artifact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results).
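The dual-tool check described above, as an added example that is not part of the original article: two hypothetical ‘tools’, a whole-image scan and a sector-by-sector scan, are each asked where a header string occurs in a constructed four-sector disk image, and comparing their answers exposes that the sector-wise scan misses the copy of the artifact that straddles a sector boundary. The sector size, the artifact string and the image contents are all assumptions made for the example.

```python
import re

SECTOR = 512  # assumed sector size for the constructed image

def tool_a(image, artifact):
    """'Tool A': one sequential pass over the whole image; finds the artifact wherever it lies."""
    return [m.start() for m in re.finditer(re.escape(artifact), image)]

def tool_b(image, artifact):
    """'Tool B': examines the image one sector at a time, as a naive carver might.
    It cannot see an artifact that straddles a sector boundary, because neither
    sector on its own contains the whole string."""
    hits = []
    for base in range(0, len(image), SECTOR):
        sector = image[base:base + SECTOR]
        idx = sector.find(artifact)
        while idx != -1:
            hits.append(base + idx)
            idx = sector.find(artifact, idx + 1)
    return hits

def dual_tool_verify(image, artifact):
    """Compare the locations reported by both tools. Any disagreement has to be explained,
    and the weaker tool's limitation recorded, before the finding goes into a report."""
    a, b = tool_a(image, artifact), tool_b(image, artifact)
    return {"tool_a": a, "tool_b": b, "agree": a == b,
            "only_a": sorted(set(a) - set(b)), "only_b": sorted(set(b) - set(a))}

def build_sample_image():
    """Constructed 4-sector image: one copy of the artifact wholly inside sector 1 (offset 600)
    and one crossing the sector 2/3 boundary (offset 1530; sector 3 begins at byte 1536)."""
    artifact = b"X-Mailer: ExampleClient"   # constructed string, not a real product header
    image = bytearray(4 * SECTOR)           # all zeros, like wiped or never-used space
    for offset in (600, 1530):
        image[offset:offset + len(artifact)] = artifact
    return bytes(image), artifact
```

`dual_tool_verify(*build_sample_image())` reports `tool_a` at `[600, 1530]`, `tool_b` at `[600]` and `only_a == [1530]`: the examiner now knows the second hit needs a third method or manual inspection before it can be relied upon.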

Presentation

This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.

Review

Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need ‘to get on with the next job’. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time-effective. A review of an examination can be simple, quick and can begin during any of the above stages. It may include a basic ‘what went wrong and how can this be improved’ and a ‘what went well and how can it be incorporated into future examinations’. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.

Issues facing computer forensics

The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.

Technical issues

Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer to which the suspect has had access. It could also reside in the volatile memory of a computer (known as RAM [6]), which is usually lost on computer shut-down; this is another reason to consider using the live acquisition techniques outlined above.

Increasing storage space – Storage media hold ever greater amounts of data, which for the examiner means that their analysis computers need to have sufficient processing power and available storage to search and analyse enormous amounts of data efficiently.

New technologies – Computing is an ever-changing area, with new hardware, software and operating systems being constantly produced. No single computer forensic examiner can be an expert in all areas, though they may frequently be expected to analyse something which they have not dealt with before. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect, as someone else may have already encountered the same issue.

Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files’ meta-data and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer to which the suspect has had access. In our experience it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence that they were used to hide.

Legal issues

Legal arguments may confuse or distract from a computer examiner’s findings. An example here would be the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, including key-logging [7], uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user’s knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.

Administrative issues

Accepted standards – There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to a number of reasons, including standard-setting bodies being tied to particular legislations, standards being aimed either at law enforcement or at commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating.

Fitness to practice – In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.

Resources and further reading

There does not appear to be a great deal of material covering computer forensics which is aimed at a non-technical readership. However, the links at the bottom of this page may prove to be of interest.


1. Hacking: modifying a computer in a way which was not originally intended in order to benefit the hacker’s goals.

2. Denial of Service attack: an attempt to prevent legitimate users of a computer system from having access to that system’s information or services.

3. Meta-data: at a basic level, meta-data is data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file’s author, format, creation date and so on.

4. Write blocker: a hardware device or software application which prevents any data from being modified or added to the storage medium being examined.

5. Bit copy: ‘bit’ is a contraction of the term ‘binary digit’ and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium ‘invisible’ to the user.

6. RAM: Random Access Memory. RAM is a computer’s temporary workspace and is volatile, which means that its contents are lost when the computer is powered off.

7. Key-logging: the recording of keyboard input, giving the ability to read a user’s typed passwords, emails and other confidential information.

Leah Leonard

