Bruno Mori
Sarah Mudge
Chris Neal
11/20/2005
Forensics Use Technology to Fight CrimesI. Background
Technology is everywhere today. Lots of money is traded over the Internet and other technological sources. Therefore, thieves and hackers are always looking for a bug or small hole in systems security. Attackers usually attack computers servers and other equipment where important or useful information is stored. This is big issue today especially because at least a piece of information about each of us is somewhere in the digital world. Authorities have to do something about it, so computer forensics started to be developed to identify these attackers. Besides hacking or attacks, computer forensics can solve other kinds of crimes. Using computer forensics, police can keep their eyes on suspect e-mails about terrorism for instance.
In definition, computer forensics is any kind of computer data preservation, identification, documentation or interpretation to acquire some extra information about a crime. The term computer forensics, sometimes is misunderstood many people. For instance, a person is killed; police and the FBI use technology to solve the crime using technology to identify the DNA of the victim’s hair in the suspect’s car. This example is not considered computer forensics but the use of technology to do forensics.
II. Inventor
The concept of computer forensics started in 1984 with the FBI the Magnetic Media Program which later on became the CART program (Computer Analysis and Response Team). INTERPOL also created a program to search suspect/attacked data called the INTERPOL Forensic Science Symposium. Today, computer forensics has been used to solve many important cases reaching more than 6,500.
III. Motivation and Purpose:
The motivation behind computer forensics is rather basic and rational, similarly as stated above: “Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence” (Robbins, p.1). This seemingly quintessential statement is actually quite pregnant with detail, mission and process. In fully describing the motivation of computer forensics study, we touch on the process and, as mentioned in more detail, analysis techniques and the mission of gathering legal evidence. But, the true source for this motivation is “[t]he ubiquity of computers as a communications tool” (Biggs, p.1).
With the continually growing use of computers for communications of all sorts and mediums and because the commonplace nature of computers in everyday life creates a very direct and potentially dangerous gateway into people’s lives, it becomes increasingly important to have a method for monitoring and recovering the data transmitted by computers. This source of the need for computer forensics is also the impetus that drives its importance. Computer forensics is there to handle criminal problems when they arise. As it is later discussed, computer forensics does have applications outside of legal evidence, but its purpose in any application is still centered on the manipulation of data in recovery, deletion, and editing as seen by the abundance of software designed with these three functions in mind (X-Ways, p.1). These three categories compose the purpose of computer forensics.
Data recovery is most frequently used and arguably the most useful purpose, depending on the context of course. Data recovery is the collection of evidence from a computer or network and the translation or copying of this evidence into a useable format. Copying or cloning hard disks or imaging the information it contains are the most common forms of data recovery. They are used because the worth of the information is determined by completeness and accuracy (Wikipedia, p.1).
Data deletion is a crucial part of computer forensics that is often the cause for forensics analysis in the first place. When volatile data is not deleted completely and correctly it becomes susceptible to stealing or misuse. Likewise, when criminal activity is not deleted completely and correctly it becomes susceptible to forensic discovery. According to Paul French, manager of NTI’s Computer Forensics Laboratory, “Tossing files in the trash…erase all the evidence of…crime. Suffice it to say, [that’s] wrong" (Villano, p.1).
Data editing is another part of computer forensics not often associated in a positive light, although editing can be used to correct problems caused by bugs and other damaging programs such as viruses. More complex than updating a spreadsheet, data editing in computer forensics is often concerned with fixing problems that arise is table or boot sectors, hard drive partitions, or RAM memory (WinHex, p.1). Editing allows you to access and manipulate this otherwise unseen information.
IV. Areas of Use:
With technology permeating rapidly through all facets of today’s society, there is a growing need for computer forensics in many different aspects. Currently, this type of forensics is most commonly being used in the corporate sector (Burns, p.1). Companies use computer forensics to fight against many different employee violations, including information leaks and misuse of company computers. According to Steve Keilman, a consultant specializing in computer forensic services, the most common type of company theft involves stealing computer aided designs showing upcoming product plans and selling them to competitors (Burns, p.1). After receiving the evidence from employee’s computers, the corporation has the choice to discipline the violator in-house or to formally charge them in a court of law.
The courtroom is a prominent place for the use of computer forensics, but the judicial system has not fully embraced the idea of digital evidence quite yet. Although computer crimes are growing substantially, less than two percent of reported cases actually result in conviction (Baryamureeba and Tushabe, p.1). However, as methodology and devices used in digital forensics are advancing, the court system will rely on digital evidence more and more to convict the perpetrators of these computer crimes.
Another area of application for computer forensics is in the military. Government officials are currently using computer forensics in their fight against terrorism since many terrorists are posting information on the internet. Seized computers from suspected terrorists are then analyzed to find evidence and prevent potential attacks on our country (Messmer, p.1).
V. Standardization
There is not a standard process used when collecting digital evidence, so each organization adopts its own methodology. An example of one of these processes is called the Forensic Process Model, which was developed by the U.S. Department of Justice and consists of four phases (Baryamureebe and Tushabe, p.2). This model consists of the collection phase, the examination phase, the analysis phase, and finally the reporting phase, respectively. Generally speaking, every computer forensics process used today is based on these four underlying phases.
VI. How It Works
When extracting data from a computer, much care must be taken not to tamper with the evidence. Most processes used to access data also change that data slightly in the process, which tampers with the original evidence and can destroy a potential case (Dees, p.2). Therefore the initial step in an investigation, or the collection phase, is to take an “image” of the hard drive, an exact replica of the original so that the evidence remains uncorrupt (Burns, p.2). Secondly is the examination phase, where the examiner uses a program to look through every bit of the computer. The programs used are derived from debugging software, which sort through every folder, program, and file to search for incriminating data (Knight, p.2). The amount of data retrieved for a case can reach up to 75 terabytes, so the analysis phase can take months to complete (Messmer, p.1-2). Investigators must meticulously inspect every bit recovered to build a solid case. In the final reporting phase, investigators prepare a summary of the relevant data for the clients, lawyers, or law officials so that they can take the next course of action warranted by the evidence found.
VII. Competition
Computer forensics is a very competitive field, illustrated by the wide variety of forensic companies in the market today, but no real substitute for this field of analysis is available. If digital evidence needs to be collected there is no other way to collect the information other than through computer forensics.
Yet, there is a very active competition between processes. Varying companies develop their own processes based off the above four step model and put them to use in the market; each a viable and correct option in its own right, the process and the company is ultimately measured in its overall successes and separated by its weaknesses, primarily weaknesses in training and operational standards differences (Whitehead, p.1).
VIII. Pros and Cons:
These differences translate into the pros and cons of computer forensics processes and ultimately into the pros and cons of computer forensics as a field. While computer forensics may involve many useful and beneficial applications for catching crime and punishing criminal activity, it is important to remember that any of its beneficent uses can conversely be turned equally malignant.
The general successes of computer forensics overshadow its misuses. More is done to stop criminal activity than create it in the true realm of computer forensics, because ultimately any activity is intended to be caught by forensic analysis whether good or bad. We can see these pros to computer forensics in all applications, similar to those mentioned previously, from personal to governmental.
On the personal level forensics can be used, like in any application, to discover tampering, dangerous computer problems like viruses and the nature of identity thieves, as well as other evidence of illegal or negative activity.
On a business or corporate level forensics can help to monitor the activity of an employee misusing company information and to stop their activity before extensive damage is done to the business. Used to the extreme, monitoring can be very negative and dissolve the employee morale which could result in information transferred in alternative ways reducing forensic effectiveness. Forensics could also identify security threats to a system and fix those problems in the event of a breach where private information is compromised.
Most of the purpose behind computer forensics ties into its use in law enforcement situations. Protection of your information and the prosecution of violators of your information is a central goal of computer forensics. Law enforcement agencies will use forensics for gathering information. Similar applications to business apply as well, but the main benefit of forensics in law enforcement applications is evidence collection.
Finally, the previous applications will all culminate into a governmental application under a judicial function. If forensics is to be carried out to the fullest in its traditional context, it generates evidence that is used to defend your privacy and prosecute those who violate it. This is how all other applications of computer forensics unite together under the judicial function of forensic application. The government has its own uses for forensics as well, which may or may not tie into judicial functions, similar to or used in the other three applications. Monitoring, analysis, prevention, information collection, etc. are uses of computer forensics in varied governmental institutions some of which are uniquely specialized in this field such as the Defense Cyber Crime Center and its subsidiary organizations (Defense Cyber Crime Center, p.1).
With the increasing use of mobile and other new technologies, computer forensics has learned to adapt itself to include more non-traditional digital information which could pose a threat to security (Willer, p.5). As our ability to infiltrate and analyze digital evidence grows, so does the risk to our privacy. Most people’s personal computers are an open book to their personal life. Financial, medical, and personal information is fair game to anyone with the knowledge and technology to access it. Strict legal and ethical boundaries must be set up so that this possible invasion of privacy is prevented.
Another downside to computer forensics is the emerging technology from the hackers’ end of the spectrum. Many hackers are now developing “antiforensics” software which is used to sabotage the efforts of computer forensic analysts (Knight, p.2). For example, a program known as the Defiler’s Toolkit was made available on the internet in 2002 from an anonymous source (Knight, p.3). However, investigators are certain that they can stay one step ahead of hackers, making their “antiforensics” software obsolete.
IX. Conclusion
Since its earliest inception, computer forensics has continued to grow exponentially with today's technology. Before the concept of computer forensics, lots of cases were unsolvable. Therefore, it grew out of a need to solve computer related crimes. The idea of the computer forensics was to recover, delete and edit information, but today, it is applicable to many facets of our society. It is a dynamic process which helps and also hinders its performance with useful methods and no standardization respectively. In the future, computer forensics will continue to grow in importance and applications in the offline and online worlds.
X. BibliographyBarba, Michael (2004). Computer Forensic Service, LCC created 2004. accessed. 17 Nov 2005<
http://www.computer-forensic.com/presentations/ASIS_Presentation.pdf>
Robbins, Judd. An Explanation of Computer Forensics. accessed 20 Nov 2005. <
http://www.computerforensics.net/forensics.htm>
Biggs, Maggie. (2005). Computer Forensics: Donning Your Detective Hat. created 14 Nov 2005. accessed 20 Nov 2005. <
http://www.fcw.com/article91394-11-14-05-Print>
Software for Computer Forensics, Data Recovery and IT Security. accessed 20 Nov 2005. <
http://www.x-ways.net/>
Computer Forensics. accessed 20 Nov 2005. <
http://en.wikipedia.org/wiki/Computer_forensics>
Villano, Matt. (2001). I.T. Autopsy. created 1 March 2001. accessed 20 Nov 2005. <
http://www.cio.com/archive/030101/autopsy.html>
WinHex: Computer Forensics & Data Recovery Software,Hex Editor & Disk Editor. accessed 20 Nov 2005. <
http://www.x-ways.net/winhex/index-m.html>
Whitehead, Andrew. Weaknesses in Computer Forensics. accessed 20 Nov 2005. <
http://free-backup.info/weaknesse-in-computer-forensics.html>
Defense Cyber Crime Center. accessed 20 Nov, 2005. <
http://www.dcfl.gov/dc3/dc3.htm>
Willer, Lori. (2001). Computer Forensics. created 30 April 2001. accessed 20 Nov 2005. <
http://www.giac.org/certified_professionals/practicals/gsec/1738.php>
Baryamureeba, Venansius and Tushabe, Florence. (2004). The Enhanced Digital Investigation Process Model. created 27 May 2004. accessed 20 Nov 2005. <
http://www.forensicfocus.com/enhanced-digital-model >
Burns, Sally. (2005). “Computer forensics can reveal legal issues for companies”. Tribune Business Weekly. Vol.16.20 p1. <
http://ezproxy.cl.msu.edu:2047/login?url=http://proquest.umi.com/pqdweb?did=899846031&sid=2&amp;amp;Fmt=3&clientId=3552&RQT=309&VName=PQD>.
Dees, Tim. (2004). "New Computer Forensics Tools". Law & Order. Vol.52.6. p24-25. <
http://ezproxy.cl.msu.edu:2047/login?url=http://proquest.umi.com/pqdweb?did=899846031&sid=2&amp;Fmt=3&clientId=3552&RQT=309&VName=PQD>.
Knight, Will. (2004). “Chasing the elusive shadows of e-crime”. New Scientist. Vol. 182.2446. p26-9. <
http://ezproxy.cl.msu.edu:2047/login?url=http://proquest.umi.com/pqdweb?did=640243651&sid=3&Fmt=3&clientId=3552&RQT=309&VName=PQD>.
Messmer, Ellen. (2005). "DoD targets child porn on military PCs". Network World. Vol. 22.2. p8. <
http://ezproxy.cl.msu.edu:2047/login?url=http://proquest.umi.com/pqdweb?did=783303491&sid=1&Fmt=4&clientId=3552&RQT=309&Vname=PQD>.
Rogers, Marcus (2004). The Future of Computer Forensics: a needs analysis survey. created 06 Jan 2004. accessed 17 Nov 2005<
http://www.tech.purdue.edu/Cpt/Courses/TECH581A/Rogers.pdf>
