Digital Fingerprints in Digital Devices

What Do Computer Forensics Analysts Actually Do?

Joseph Naghdi

--

Computer forensics, or digital forensics, is a fairly new field. It is the art and science of applying computer science to aid the legal process or help an investigation. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it. Forensic investigators typically follow a standard set of procedures and require specialised expertise and tools that go beyond the usual methods of collecting and storing data available to end users or technical support personnel in companies. This involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

What Does Computer Forensics Cover?

Electronic Discovery:

Electronic discovery otherwise known as e-disclosure or electronic disclosure is the process of securing, searching, locating and organising electronic data (including emails, spreadsheets, documents, images, chat logs and media files) on a laptop, mobile phone, tablet or desktop computer or over a local computer network or cloud network with the intention of using the data based on the criteria given by the client to be used by lawyers, solicitors, investigators, detectives, fact finders, law enforcement agencies, examiners, auditors and company managers as as part of evidence for a civil, criminal, internal inquiry or legal case.

Mobile forensics:

There are literally just over 3.6 billion mobile devices around. Luckily for digital examiners, the war between developers of mobile device operating systems has come to an end. Now 99% of mobile devices are running either iOS or Android. Knowledge of the forensic artefacts of just these two mobile operating systems allows a digital examiner to explore a vast number of mobile devices. Mobile devices store a lot of private data about their owners. This can be used to investigate both civil and criminal cases. Also, some mobile devices are vulnerable to virus attacks despite actions taken by the developers, which can lead to data theft by hackers. There are several good tools for extracting and analysing data from mobile devices, however manual analysis of mobile devices will result in better detection of forensic artefacts.

Cell Site Analysis

Cell site analysis enables the the investigator to identify the location of a mobile phone when a call, text message was made, received or social media activity occurred and link that to GPS and location of the incident. This type of analysis is essential when the location and timing of an incident is important in discovering or corroborating a fact or an alibi in the computer forensics investigation process. Digital evidence collected in this way can be instrumental in the outcome of any criminal or civil investigation into mobile devices such as mobile phones, sat navs, drones and tablets

Cloud Forensics:

Exploring the artefacts of cloud services such as Google Drive, Box, Dropbox, One Drive, Hotmail, Yahoo, Gmail, Web browsing history and Internet search on the owner’s devices gives us a lot of information what files were uploaded or downloaded to or from a cloud and enable the investigator to gather other information about the use of cloud services and the data in the clouds.

Drone Forensics:

Every day, more and more drones are used in everyday life either for business, personal or criminal purposes. Investigating information extracted from drones will soon become a routine job for digital examiners. We already see the use of encryption to protect data in the memory of drones and the use of cloud services for storing information necessary for a drone’s successful functioning.

Automotive Forensics:

With the advent of electric cars and the simple fact that even non-electric cars use a lot computer hardware and software and store a lot of information, automotive forensics analysis of car data will help accident investigators, insurance companies, police and all other other interested parties to extract a lot of digital evidence in a structured manner.

Windows Forensics:

The vast majority of PCs and laptops are running Windows OS. Also, companies often use a server running Windows OS. Researchers constantly report the discovery of new artefacts that can be used in a forensic analysis. Therefore, knowledge of Windows operating system and in particular good knowledge of Windows registry and Poweshell is essential for any digital examiner.

Mac Forensics:

The number of Mac computer owners varies from country to country, but the general trend is that the number of Macs finding their way into digital forensic laboratories is increasing day by day. Knowledge in Mac Forensics will allow a digital examiner to successfully explore all Mac-OS based devices such as iBooks, iMacs, MacBook Pros, MacBook Airs etc.

File Systems Forensics:

Forensic examination of different file systems such as EXT, FAT16, FAT32, NTFS, HFS+, ReFS and APFS requires good knowledge of these file systems and the type of artefacts that can be investigated in these file system in immense. File system digital evidence is essential in computer forensics, incident response, data recovery and mobile forensics.

Memory Forensics:

Knowledge in memory forensics allows significantly faster detection of malware, password cracking, and helps in decrypting of drives and partitions. The examiner can retrieve and access a lot of live critical data assisting the forensic examiner in finding privileged information.

Network Forensics:

This allows detection of unauthorised network traffic in the operation of computer networks and detection of hackers and intruders. It is also used in dynamic analysis of malware.

Cyber ​​Crime Investigation:

Hackers and pen testers can use a huge number of methods and tools to penetrate a computer or a router. Knowledge of cyber ​​threat intelligence allows the examiner to separate several most likely methods of attack from a whole variety of sources. This allows the forensic examiner to reduce response time to an incident and identify all compromised computers and routers.

Malware and & Spyware Forensic Analysis:

Knowledge of a digital examiner should suffice to understand which of the viruses participated in the incident and understand how the attack was carried out on a compromised system. A typical attack on a computer can be an email with a malicious document arriving at the email address of the owner of the computer. When someone tries to open this document, it runs a Powershell script that downloads an executable file infecting the target machine and making critical information accessible to the attacker. In order to understand how the incident happened and what happened on the compromised computer, knowledge in Malware Forensics is needed.

Forensic Data Recovery:

Forensic recovery of data is required when a digital device such as a hard drive or a memory stick is damaged because of a malfunction or has been accidentally or deliberated damaged. Also data recovery is required if the file system is corrupted or files were deleted or disk was formatted in an attempt to get rid of the incriminating evidence. The computer forensic analyst needs to get the data recovered before any forensic examination of the digital device can take place for the purpose of collecting the digital artefacts.

--

--

Joseph Naghdi
Joseph Naghdi

Written by Joseph Naghdi

Forensic computer scientist and senior computer forensics analyst working with Computer Forensics Lab in London, United Kingdom.

No responses yet