Computer Forensics
Essay by 24 • December 21, 2010 • 1,650 Words (7 Pages) • 3,217 Views
Abstract
The Internet is growing explosively, as is the number of crimes committed against or using computers. In response to the growth of computer crime, the field of computer forensics has emerged. Computer forensics involves carefully collecting and examining electronic evidence, not only to assess the damage done to a computer by an electronic attack but also to recover lost information from the system in order to prosecute a criminal. With the growing importance of computer security today and the seriousness of cyber crime, it is important for computer professionals to understand the technology used in computer forensics. This paper will discuss the need for computer forensics to be practiced in an effective and legal way. It promotes the idea that the competent practice of computer forensics and awareness of applicable laws are essential for today's organizations.
Computer Forensics
As technology has advanced, computers have become incredibly powerful. Unfortunately, as computers get more sophisticated, so do the crimes committed with them. Distributed Denial of Service attacks, ILOVEYOU and other viruses, domain name hijacking, Trojan horses, and website shutdowns are just a few of the hundreds of documented attack types launched by computers against other computers. Managers of information systems should understand computer forensics. Forensics is the process of using scientific knowledge for collecting, analyzing and presenting evidence to the courts. Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window, to DNA evidence recovered from bloodstains, to the files on a hard drive.
Computer forensics is defined as "the application of computer investigation and analysis techniques in the interests of determining potential legal evidence." (Robbins, 2007) Computer forensics can be used to uncover potential evidence in many types of cases, including, for example:
- Copyright infringement
- Industrial espionage
- Money laundering
- Piracy
- Sexual harassment
- Theft of intellectual property
- Unauthorized access to confidential information
- Blackmail
- Corruption
- Decryption
- Destruction of information
- Fraud
- Illegal duplication of software
- Unauthorized use of a computer
- Child pornography
The three main steps in computer forensics are acquiring, authenticating, and analyzing the data. Acquiring the evidence in a computer forensics investigation primarily involves obtaining the contents of the suspect's hard drive. Ideally, the forensic analysis is not done directly on the suspect's computer but on a copy instead. This is done to prevent tampering with, or alteration of, the suspect's data on the hard drive. Authentication is the process of ensuring that the evidence has not been altered during the acquisition process. Any change to the evidence will render it inadmissible in court. Analysis is the most important part of the investigation, since this is where incriminating evidence may be found. Part of the analysis process is spent recovering deleted files. The job of the investigator is to know where to find the remnants of these files and how to interpret the results. Any file data and file attributes found may yield valuable clues.
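The three steps above, carried through on a small constructed "disk image", as an added example that is not part of the original essay: the copy is taken, authenticated by comparing SHA-256 digests with the source, and then searched for a deleted JPEG that the file system no longer references. The sample bytes, the JPEG signatures used, and the function names are all assumptions made for the illustration.

```python
import hashlib

# Constructed sample drive: one allocated text file, then the remnant of a
# deleted JPEG (SOI header ... EOI trailer) sitting in unallocated space.
JPEG_SOI = b"\xff\xd8\xff\xe0"   # start-of-image marker (assumed JFIF variant)
JPEG_EOI = b"\xff\xd9"           # end-of-image marker
SUSPECT_DRIVE = (
    b"notes.txt: meeting at noon\x00\x00\x00\x00"
    + JPEG_SOI + b"\x00\x10JFIF" + b"\x11" * 20 + JPEG_EOI
    + b"\x00" * 16
)

def acquire(drive: bytes) -> bytes:
    """Acquisition: a bit-for-bit copy; all later work runs on this copy only."""
    return bytes(drive)

def fingerprint(data: bytes) -> str:
    """SHA-256 digest used to prove the copy matches what was seized."""
    return hashlib.sha256(data).hexdigest()

def authenticate(original: bytes, image: bytes) -> bool:
    """Authentication: the image is usable only if its digest equals the source's."""
    return fingerprint(original) == fingerprint(image)

def carve_jpegs(image: bytes) -> list:
    """Analysis: recover deleted JPEGs by header/trailer signature, ignoring
    the file system (which no longer lists them). Returns the raw byte runs."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start)
        if end < 0:
            break
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found

def investigate(drive: bytes) -> dict:
    """Run acquire -> authenticate -> analyze; refuse to analyze an unverified copy."""
    image = acquire(drive)
    if not authenticate(drive, image):
        raise RuntimeError("image hash mismatch: evidence not authenticated")
    return {"image_hash": fingerprint(image), "recovered_jpegs": len(carve_jpegs(image))}

if __name__ == "__main__":
    print(investigate(SUSPECT_DRIVE))
```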
Data recovery is only one aspect of a forensics investigation. Tracking the hacking activities within a compromised system is also important. For any system connected to the Internet, hacker attacks are as certain as death and taxes. Although it is impossible to defend completely against all attacks, as soon as a hacker successfully breaks into a computer system the hacker begins to leave a trail of clues and evidence that can be used to piece together what has been done, and sometimes can even be used to follow a hacker home. Computer forensics can be employed on a compromised system to find out exactly how a hacker got into the system and which parts of the system were damaged or modified. However, system administrators must first be educated in the procedures and methods of forensic investigation if a system is to be recovered and protected. With the help of computer forensics, administrators are able to learn from mistakes made in the past and help prevent incidents from occurring in the future.
Because of the wealth of information that can be gained from a computer forensics investigation, ethical considerations should be examined. Computer forensics is essentially a means of gathering electronic evidence during an investigation. In order to use this information to prosecute a criminal act and to avoid its suppression at trial, evidence must be collected carefully and legally. It is particularly important to be aware of the privacy rights of suspects, victims and uninvolved third parties. An investigator needs to have knowledge of several laws that govern electronic evidence collection, including the Fourth Amendment of the Constitution, the Wiretap Statute, the Electronic Communications Privacy Act, and the USA PATRIOT Act. Each of these affects the legality of electronic evidence and the appropriate procedures for acquiring that evidence.
Technology has invaded most aspects of our lives, and computers have become ubiquitous. In 2003, more than sixty-two percent of American households had a computer. (Davis, 2005) Many people have access to computers, including those with criminal intentions. In some cases, computers are simply fancy storage devices for keeping records.
In legal cases that involve seizure of a computer or other electronic device, it is important that investigators comply with the Fourth Amendment. The Fourth Amendment states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. (Mason, 1791)
The amendment mandates that, in order to search a suspect's personal property, the investigating officer must first obtain a
...
...