"When entrusted to process, you are obligated to safeguard"

Cyber / Digital / Computer Forensics covers a wide expanse of activities and is often misunderstood.  The following activities are commonly associated with forensic investigation of the digital world:

  • Disk recovery: when a hard drive or other digital recording device (CDs, DVDs, floppy disks, etc.) becomes unreadable and the information MUST be recovered, it is a computer forensics expert or team of experts that conducts the investigation and recovery.

  • Lost data recovery: when information that was known to be recorded cannot be found, it is a computer forensics expert that conducts the investigation and recovery.

  • System / network reconstruction: when it is necessary to establish the capabilities of a system and/or network relative to performance or software effectiveness, it is the computer forensics expert that recreates the original environment and then tests and evaluates the results.

  • Criminal investigation: the process of examining computing devices, networks and various removable recording devices (CDs, DVDs, floppy disks, etc.) for digital evidence.

  • Civil investigation: the process of examining computing devices and various removable recording devices (CDs, DVDs, floppy disks, etc.) for details relevant to civil litigation, details which are often not readily discovered.


In this connection, we not infrequently support those who face the challenge of being unjustly charged with cyber crimes.  While we have blogged on these matters within our own resources, we have recently begun detailing them on the (ISC)²® blog.


The impartial computer expert who assists during discovery will typically have experience across a wide range of computer hardware and software. Direct familiarity with the hardware and software involved in your case is always beneficial. But fundamental computer design and software implementation are often quite similar from one system to another, and experience with one application or operating system is usually transferable to a new one.


Unlike paper evidence, computer evidence often exists in many forms, with earlier versions still accessible on a computer disk. Knowing that such versions may exist, an examiner can also discover alternate formats of the same data. The discovery process is well served by a knowledgeable expert who can identify more possibilities to be requested as potentially relevant evidence. In addition, during on-site premises inspections in cases where computer disks are not actually seized or forensically copied (see below), the forensics expert can more quickly identify where to look, what signs to look for, and additional sources of relevant evidence. These may take the form of earlier versions of data files (e.g. memos, spreadsheets) that still exist on the computer's disk or on backup media, or differently formatted versions of the data created or processed by other application programs (e.g. word processing, spreadsheet, e-mail, timeline, scheduling, or graphics). Note that if the disk has remained in use since the events in question, earlier versions and deleted material may already have been overwritten by normal operation; the sooner a forensic copy is made, the more survives.


Protection of evidence is critical. A knowledgeable computer forensics professional will ensure that a subject computer system is carefully handled so that:

  1. no potential evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer.
  2. no computer virus is introduced to the subject computer during the analysis process.
  3. extracted and potentially relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
  4. a continuing chain of custody is established and maintained.
  5. business operations are affected for a limited amount of time, if at all.
  6. any attorney-client information that is inadvertently acquired during a forensic examination is ethically and legally respected and not divulged.

In practice, items 1 and 4 are met by working from a bit-for-bit forensic copy made through a write blocker, hashing both the original and the copy at acquisition, and re-verifying that hash each time the copy changes hands; the original is then stored and the examination proceeds on the copy.
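As an added illustration of items 1, 3 and 4 above (this is example code written for this page, not code from the original page or from Robert E Johnston, CISSP LLC), the following Python hashes an image at acquisition, re-verifies it before every hand-off, and keeps an append-only custody record. The "suspect disk" bytes, the examiner names and the chunk size are constructed for the example; a real acquisition would read the device through a hardware write blocker and the copy would be a dd-style image file.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "evidence": stands in for the raw bytes read from a
# suspect drive through a hardware write blocker. Not real data.
SUSPECT_DISK = b"MEMO 2007-01-15: wire $45,000 to account 7731\x00" * 64

CHUNK = 4096  # hash in chunks so the same routine works on multi-GB images


def sha256_of(data: bytes) -> str:
    """Chunked SHA-256 of the whole image."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def acquire(source: bytes):
    """Bit-for-bit copy plus the hash of the original, taken before anything else touches it."""
    original_hash = sha256_of(source)
    image = bytes(source)  # in practice the dd/dcfldd output; a byte copy here
    if sha256_of(image) != original_hash:
        raise RuntimeError("acquisition hash mismatch; re-image the device")
    return image, original_hash


def verify(image: bytes, expected_hash: str) -> bool:
    """Re-hash before every examination session; any change invalidates the copy."""
    return sha256_of(image) == expected_hash


class CustodyLog:
    """Append-only record of who handled the image, when, and its hash at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, action: str, custodian: str, sha256: str) -> dict:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "sha256": sha256,
        }
        self.entries.append(entry)
        return entry

    def unbroken(self) -> bool:
        """The chain holds only if every entry carries the acquisition hash."""
        return len(self.entries) > 0 and len({e["sha256"] for e in self.entries}) == 1

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2)


def run_case():
    """Acquire, hand off to a second examiner, then show what a stray write does."""
    log = CustodyLog()
    image, h = acquire(SUSPECT_DISK)
    log.record("acquired", "examiner A", h)
    # hand-off: the receiving examiner re-verifies and logs the hash they observed
    assert verify(image, h)
    log.record("received", "examiner B", sha256_of(image))
    # simulate an accidental write (e.g. mounting the copy without a write blocker)
    tampered = bytearray(image)
    tampered[100] ^= 0xFF
    tampered_ok = verify(bytes(tampered), h)  # False: the copy is no longer trustworthy
    return log, tampered_ok
```

Calling `run_case()` returns the two-entry custody log and `False` for the tampered copy; a single flipped byte anywhere in the image is enough to break verification, which is exactly why the hash is recorded before the first examination rather than after.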


The computer forensics specialist will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system:

  • Protects the subject computer system during the forensic examination from any alteration, damage, data corruption, or virus introduction.

  • Discovers all files on the subject system. This includes existing normal files, deleted files whose data remains on disk, hidden files, password-protected files, and encrypted files.

  • Recovers all (or as much as possible) of the discovered deleted files.

  • Reveals (to the extent possible) the contents of hidden files as well as the temporary and swap files used by application programs and the operating system.

  • Accesses (if possible and if legally appropriate) the contents of protected or encrypted files.

  • Analyzes all potentially relevant data found in special (and normally inaccessible) areas of a disk. This includes, but is not limited to, 'unallocated' space (clusters not currently assigned to any file, but possibly still holding the data of files previously stored there) and 'slack' space (the remnant area at the end of a file, in its last assigned disk cluster, that is unused by the current file's data but may still hold fragments of whatever occupied that cluster before).

  • Produces an overall analysis of the subject computer system, together with a listing of all potentially relevant files and discovered file data. Further, provides an opinion on the system layout, the file structures discovered, any discovered data and authorship information, any attempts to hide, delete, protect or encrypt information, and anything else discovered that appears relevant to the overall examination.

  • Provides expert consultation and/or testimony, as required.
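The slack-space and unallocated-space points above, as an added worked example in Python (example code written for this page, not code from the original page or its author): it constructs a tiny 16-cluster image in which an older, since-deleted memo was partly overwritten by a newer 700-byte file, then shows that both the file's slack and the unallocated clusters still hold the memo's text. The 512-byte cluster size, the allocation table and all file contents are constructed for the illustration; real file systems (FAT, NTFS) use cluster sizes from 512 bytes to 64 KiB and keep their allocation tables on disk.

```python
import math
import re

CLUSTER = 512      # bytes per cluster (assumed for the example)
N_CLUSTERS = 16    # 8 KiB image

# Constructed allocation table: the only live file occupies 700 bytes
# starting at cluster 2, so it spans clusters 2 and 3.
ALLOCATION = {"report.txt": {"start": 2, "size": 700}}


def clusters_needed(size: int, cluster: int = CLUSTER) -> int:
    """Whole clusters a file of this size occupies; the last one is partly empty."""
    return math.ceil(size / cluster)


def build_image() -> bytes:
    """Constructed image: an old memo is written, 'deleted', then partly overwritten."""
    image = bytearray(CLUSTER * N_CLUSTERS)
    old_memo = b"DRAFT MEMO: shred the Q3 ledger before audit. " * 40  # 1840 bytes, clusters 2-5
    image[2 * CLUSTER:2 * CLUSTER + len(old_memo)] = old_memo
    # Deleting the memo only drops its directory entry; the bytes stay until reused.
    # report.txt is then written over clusters 2-3, leaving the rest of the memo intact.
    entry = ALLOCATION["report.txt"]
    new_file = (b"Quarterly report: all figures reconciled.\n" * 20)[:entry["size"]]
    image[entry["start"] * CLUSTER:entry["start"] * CLUSTER + len(new_file)] = new_file
    return bytes(image)


def file_slack(image: bytes, start: int, size: int, cluster: int = CLUSTER) -> bytes:
    """Bytes between end-of-file and the end of its last cluster: left over from earlier use."""
    end_of_data = start * cluster + size
    end_of_alloc = (start + clusters_needed(size, cluster)) * cluster
    return image[end_of_data:end_of_alloc]


def unallocated_clusters(table: dict, n_clusters: int = N_CLUSTERS) -> list:
    """Cluster numbers not assigned to any live file."""
    used = set()
    for entry in table.values():
        used.update(range(entry["start"], entry["start"] + clusters_needed(entry["size"])))
    return [c for c in range(n_clusters) if c not in used]


def carve(image: bytes, clusters: list, pattern: bytes, cluster: int = CLUSTER) -> list:
    """Search the given clusters for a byte pattern; returns byte offsets into the image.
    Adjacent clusters are searched as one run so a hit straddling a boundary is still found."""
    runs, run_start, prev = [], None, None
    for c in clusters:
        if prev is None or c != prev + 1:
            if run_start is not None:
                runs.append((run_start, prev))
            run_start = c
        prev = c
    if run_start is not None:
        runs.append((run_start, prev))
    hits = []
    for first, last in runs:
        base = first * cluster
        buf = image[base:(last + 1) * cluster]
        for m in re.finditer(re.escape(pattern), buf):
            hits.append(base + m.start())
    return hits


def examine():
    """Run the three checks an examiner would make on this image."""
    image = build_image()
    entry = ALLOCATION["report.txt"]
    slack = file_slack(image, entry["start"], entry["size"])
    free = unallocated_clusters(ALLOCATION)
    hits = carve(image, free, b"shred the Q3 ledger")
    return {
        "slack_bytes": len(slack),                  # 2 clusters minus 700 bytes = 324
        "slack_has_remnant": b"ledger" in slack,    # old memo text survives in slack
        "unallocated": free,                        # clusters 0, 1 and 4..15
        "carve_hits": hits,                         # offsets of the memo text in free space
    }
```

With the constructed layout, `examine()` reports 324 bytes of slack behind report.txt that still read as the old memo, and 18 occurrences of the memo's key phrase in the unallocated clusters, the first at byte offset 2048 (the start of cluster 4). A directory listing of the same image would show only report.txt.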



Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists:

  • Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.

  • Civil litigants can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.

  • Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workers' compensation cases.

  • Corporations often hire computer forensics specialists to obtain evidence relating to sexual harassment, embezzlement, and theft or misappropriation of trade secrets and other internal/confidential information.

  • Law enforcement officials frequently require assistance in pre-search-warrant preparation and post-seizure handling of computer equipment.

  • Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination.


Copyright © 2007 Robert E Johnston, CISSP LLC. All Rights Reserved.