
Beginner’s Guide to Computer Forensics





Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.


About this guide

This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not written with a bias towards either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term “computer”, but the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons Attribution Non-Commercial 3.0 license.


Uses of computer forensics

There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and, consequently, have often been at the forefront of developments in the field. Computers may constitute a ‘scene of a crime’, for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the ‘meta-data’ [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed, and which user carried out these actions.


More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:

Intellectual property theft
Industrial espionage
Employment disputes
Fraud investigations
Matrimonial issues
Bankruptcy investigations
Inappropriate email and internet use in the workplace
Regulatory compliance
For evidence to be admissible it must be reliable and not prejudicial, meaning that admissibility should be at the forefront of a computer forensic examiner’s mind at all stages of this process. One set of guidelines which has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer-Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever legislature. The four main principles from this guide have been reproduced below (with references to law enforcement removed):

1. No action should change data held on a computer or storage media which may subsequently be relied upon in court.

2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary, no changes should be made to the original; however, if access or changes are necessary, the examiner must know what they are doing and record their actions.

Live acquisition

Principle 2 above may raise the question: in what situation would changes to a suspect’s computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device which is turned off. A write-blocker [4] would be used to make an exact bit-for-bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.

However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence may be lost. In both these circumstances the computer forensic examiner would need to carry out a ‘live acquisition’, which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner’s hard drive.

By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain their actions.
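The following is an added example, not part of the original guide: a toy bit-for-bit acquisition in Python that hashes the original before and after imaging (principle 1), records what was done so a third party can repeat the check (principle 3), and shows why a bit copy [5] captures data that an ordinary file copy misses. The storage medium, its crude directory layout and the imaging function are all constructed for illustration.

```python
"""Added example, not from the original guide: a toy bit-for-bit acquisition with
hash verification and an audit record (ACPO principles 1 and 3), showing why a
bit copy [5] captures data that an ordinary file copy misses."""
import hashlib
import io
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size of the constructed medium

def make_medium() -> bytes:
    """Constructed 8-sector medium (sample data). Sector 0 is a crude directory
    naming one live file in sector 1; sector 6 holds the remnants of a deleted
    file that no directory entry references (an area 'invisible' to the user)."""
    medium = bytearray(8 * SECTOR)
    medium[0:15] = b"DIR:notes.txt@1"
    medium[SECTOR:SECTOR + 20] = b"quarterly figures ok"
    medium[6 * SECTOR:6 * SECTOR + 24] = b"deleted: transfer 50,000"
    return bytes(medium)

def logical_copy(medium: bytes) -> bytes:
    """What an ordinary file copy captures: only the sectors the directory lists."""
    entry = medium[:SECTOR].split(b"\x00", 1)[0].decode()  # "DIR:notes.txt@1"
    sector = int(entry.split("@")[1])
    return medium[sector * SECTOR:(sector + 1) * SECTOR]

def bit_copy(device: io.BufferedIOBase) -> bytes:
    """Sequential copy of every sector, unallocated space included."""
    image = io.BytesIO()
    while chunk := device.read(SECTOR):
        image.write(chunk)
    return image.getvalue()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(medium: bytes, tool: str = "example-imager") -> tuple:
    """Image the medium and return (image, audit record). Hashing the original
    before and after imaging evidences that it was not changed (principle 1)."""
    before = sha256_hex(medium)
    image = bit_copy(io.BytesIO(medium))
    record = {"tool": tool, "acquired_at": datetime.now(timezone.utc).isoformat(),
              "source_sha256_before": before, "image_sha256": sha256_hex(image),
              "source_sha256_after": sha256_hex(medium)}
    record["verified"] = before == record["image_sha256"] == record["source_sha256_after"]
    return image, record

def verify_image(image: bytes, record: dict) -> bool:
    """Independent re-check of an image against its audit record (principle 3)."""
    return sha256_hex(image) == record["image_sha256"]
```

Against a real device, the same shape applies: hash the source through a write-blocker, image it sector by sector, hash the image, and keep the record with the evidence.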

Stages of an examination

For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary to be flexible during an examination. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.


Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer’s built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job) and ensuring that your on-site acquisition kit is complete and in working order.


The evaluation stage includes the receiving of clear instructions, risk analysis and the allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect’s property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover the reputational and financial risks of accepting a particular project.


The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information which could be relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. The ‘bagging and tagging’ audit trail would start here by sealing any materials in unique tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner’s laboratory.


Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. There are myriad tools available for computer forensics analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is for them to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis (if with tool ‘A’ the examiner finds artefact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results).


This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.



Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need ‘to get on with the next job’. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time-effective. A review of an examination can be simple, quick and can begin during any of the above stages. It may include a basic ‘what went wrong and how can this be improved’ and a ‘what went well and how can it be incorporated into future examinations’. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.

Issues facing computer forensics

The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.

Encryption –

Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer which the suspect has had access to. It could also reside in the volatile memory of a computer (known as RAM [6]), which is usually lost on computer shut-down; another reason to consider using live acquisition techniques as outlined above.

Increasing storage space –

Storage media holds ever greater amounts of data, which for the examiner means that their analysis computers need sufficient processing power and available storage to efficiently deal with searching and analysing enormous amounts of data.

New technologies –

Computing is an ever-changing area, with new hardware, software and operating systems emerging constantly. No single computer forensic examiner can be an expert in all areas, though they may frequently be expected to analyse something which they haven’t dealt with before. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect, as it is likely someone else may have already encountered the same issue.

Anti-forensics –

Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files’ meta-data and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence they were used to hide.

Legal issues

Legal arguments may confuse or distract from a computer examiner’s findings. An example here would be the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, including key-logging [7], uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user’s knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.

Accepted standards –

There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to a number of reasons, including standard-setting bodies being tied to particular legislation, standards being aimed either at law enforcement or commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating.

Fitness to practice –

In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.

Resources and further reading

There does not appear to be a great amount of material covering computer forensics which is aimed at a non-technical readership. However, the following links at the bottom of this page may prove to be of interest:


1. Hacking:

Modifying a computer in a way which was not originally intended in order to benefit the hacker’s goals.

2. Denial of Service attack:

An attempt to prevent legitimate users of a computer system from having access to that system’s information or services.

3. Meta-data:

At a basic level, meta-data is data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file’s author, format, creation date and so on.

4. Write blocker:

A hardware device or software application which prevents any data from being modified or added to the storage medium being examined.

5. Bit copy:

Bit is a contraction of the term ‘binary digit’ and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium ‘invisible’ to the user.

6. RAM:

Random Access Memory. RAM is a computer’s temporary workspace and is volatile, which means its contents are lost when the computer is powered off.

7. Key-logging:

The recording of keyboard input, giving the ability to read a user’s typed passwords, emails and other confidential information.

Jacklyn J. Dyer
