
Beginner’s Guide to Computer Forensics

Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.


About this guide

This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not written in bias of either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term "computer", but the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 3.0 licence.

Uses of computer forensics

There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a 'scene of a crime', for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators, but also the 'meta-data' [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed, and which user carried out these actions.



More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:

Intellectual property theft
Industrial espionage
Employment disputes
Fraud investigations
Matrimonial issues
Bankruptcy investigations
Inappropriate email and internet use in the workplace
Regulatory compliance

Guidelines

For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner's mind. One set of guidelines which has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics, whatever the legislature. The four main principles from this guide are reproduced below (with references to law enforcement removed):

1. No action should change data held on a computer or storage media which may subsequently be relied upon in court.

2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary, no changes should be made to the original; however, if access or changes are necessary, the examiner must know what they are doing and must record their actions.

Live acquisition

Principle 2 above may raise the question: in what situation would changes to a suspect's computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device which is turned off. A write-blocker [4] would be used to make an exact bit for bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged, and the hash values recorded before and after the copy are what make that lack of change demonstrable.
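As an added example (not part of the original guide), the following Python script imitates that workflow on a constructed in-memory 'medium' standing in for a device attached through a write-blocker: it hashes the source, copies it sector by sector, hashes the copy, re-hashes the source to show it is unchanged, and records each step in an audit trail as principles 1 and 3 require. The sector size, the use of SHA-256 and the planted file contents are assumptions made for the illustration.

```python
"""Added example (not from the original guide): a bit-for-bit acquisition of
a constructed storage medium, verified by hashing before and after the copy,
with an audit trail of every step (ACPO principles 1 and 3).
The in-memory byte string stands in for a device opened read-only through a
write-blocker; sector size and hash algorithm are assumptions."""
import hashlib
import io
import json
import time

SECTOR = 512  # assumed sector size


def build_sample_medium() -> bytes:
    """Constructed 8-sector 'disk': one live file, one deleted file whose
    bytes survive in a sector no longer referenced by the file system."""
    sectors = [b"\x00" * SECTOR for _ in range(8)]
    sectors[1] = b"ALLOCATED: quarterly-report.docx".ljust(SECTOR, b"\x00")
    sectors[5] = b"DELETED BUT STILL PRESENT: payment-list.xls".ljust(SECTOR, b"\x00")
    return b"".join(sectors)


def sha256_of(stream) -> str:
    """Hash a stream sector by sector, as an imager hashes a device."""
    stream.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(SECTOR), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(source, audit: list) -> dict:
    """Copy every sector of `source` into an image, hash source and image,
    and append a timestamped entry to `audit` for each action taken."""
    def log(action, **details):
        audit.append({"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                      "action": action, **details})

    log("hash_source_before_copy")
    source_before = sha256_of(source)

    log("copy_sectors_start")
    source.seek(0)
    image = io.BytesIO()
    count = 0
    for chunk in iter(lambda: source.read(SECTOR), b""):
        image.write(chunk)
        count += 1
    log("copy_sectors_done", sectors=count)

    image_hash = sha256_of(image)
    source_after = sha256_of(source)  # principle 1: the source must be unchanged
    verified = source_before == image_hash == source_after
    log("verify_hashes", source_sha256=source_before, image_sha256=image_hash,
        source_sha256_after=source_after, verified=verified)
    return {"image": image.getvalue(), "source_sha256": source_before,
            "image_sha256": image_hash, "verified": verified}


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-check an image against its recorded hash before any analysis."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def run_demo():
    """Acquire the constructed medium; returns (result, audit, medium)."""
    audit = []
    medium = build_sample_medium()
    result = acquire(io.BytesIO(medium), audit)
    return result, audit, medium


if __name__ == "__main__":
    result, audit, _ = run_demo()
    print("verified:", result["verified"])
    print("deleted data present in image:",
          b"DELETED BUT STILL PRESENT" in result["image"])
    print(json.dumps(audit, indent=2))
```

The image contains the 'deleted' sector because a bit copy takes every sector, not just those the file system still lists. If the three hashes disagree the acquisition is not bit for bit and must be repeated; the audit list is the record a third party would use to reproduce the process.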

However, sometimes it is not possible or desirable to switch a computer off. It may not be possible if doing so would result in considerable financial or other loss for the owner. It may not be desirable if it would mean that potentially valuable evidence (for example, the contents of memory) would be lost. In both of these circumstances the computer forensic examiner would need to carry out a 'live acquisition', which involves running a small program on the suspect computer in order to copy (or acquire) the data to the examiner's hard drive.

By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions remain admissible as long as the examiner recorded their actions, was aware of their impact and is able to explain them.

Stages of an examination

For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary to be flexible during an examination. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.


Readiness

Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer's built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job) and ensuring that your on-site acquisition kit is complete and in working order.


Evaluation

The evaluation stage includes the receiving of clear instructions, risk analysis and the allocation of roles and resources. For example, risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect's property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover the reputational and financial risks of accepting a particular project.


Collection

The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory, this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. The 'bagging and tagging' audit trail would start here by sealing any materials in unique tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner's laboratory.


Analysis

Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated. There are myriad tools available for computer forensics analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is for them to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm the integrity of results during analysis (if with tool 'A' the examiner finds artefact 'X' at location 'Y', then tool 'B' should replicate those results).
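Dual-tool verification, as an added Python example that is not part of the original guide: two independently written file-signature scanners are run over a constructed disk image and must agree on every artefact and its offset before the finding goes into the report. A third scanner that assumes files begin on sector boundaries shows how the comparison exposes a tool's blind spot. The signatures, image layout and offsets are the author's assumptions.

```python
"""Added example (not from the original guide): dual-tool verification of a
file-signature search. A regular-expression scanner ('tool A') and a
byte-walk scanner ('tool B') run over the same constructed image and must
report identical artefacts at identical offsets. A deliberately limited
third scanner shows a discrepancy the comparison catches."""
import re

# Leading 'magic bytes' of common file types, as looked for when carving.
SIGNATURES = {
    "pdf": b"%PDF-",
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
}
SECTOR = 512  # assumed sector size


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'disk image': zero-filled, with file fragments
    planted at known offsets. The JPEG starts mid-sector, as a fragment of a
    deleted file left in slack or unallocated space might."""
    image = bytearray(4096)
    planted = {
        512: SIGNATURES["pdf"] + b"1.7\n%...invoice...",
        1600: SIGNATURES["jpeg"] + b"\xe0\x00\x10JFIF\x00",
        3072: SIGNATURES["zip"] + b"\x14\x00\x00\x00",
    }
    for off, data in planted.items():
        image[off:off + len(data)] = data
    return bytes(image)


def scan_with_regex(image: bytes):
    """Tool A: a single compiled alternation of all signatures."""
    by_sig = {sig: kind for kind, sig in SIGNATURES.items()}
    pattern = re.compile(b"|".join(re.escape(sig) for sig in by_sig))
    return sorted((m.start(), by_sig[m.group(0)]) for m in pattern.finditer(image))


def scan_with_bytewalk(image: bytes):
    """Tool B: independent implementation that tests every offset."""
    found = []
    for off in range(len(image)):
        for kind, sig in SIGNATURES.items():
            if image[off:off + len(sig)] == sig:
                found.append((off, kind))
    return sorted(found)


def scan_sector_aligned(image: bytes):
    """A flawed tool: assumes every file starts on a sector boundary."""
    found = []
    for off in range(0, len(image), SECTOR):
        for kind, sig in SIGNATURES.items():
            if image[off:off + len(sig)] == sig:
                found.append((off, kind))
    return sorted(found)


def dual_tool_verify(image: bytes, tool_a=scan_with_regex, tool_b=scan_with_bytewalk):
    """Run both tools; return (agreed, results_a, results_b).
    Only results both tools reproduce should be reported; any discrepancy
    is investigated, not averaged away."""
    a, b = tool_a(image), tool_b(image)
    return a == b, a, b


if __name__ == "__main__":
    img = build_sample_image()
    print("A vs B:", dual_tool_verify(img))
    print("sector-aligned vs B:", dual_tool_verify(img, tool_a=scan_sector_aligned))
```

Tools A and B agree on all three artefacts; the sector-aligned scanner silently misses the JPEG at offset 1600, and the mismatch is exactly what the verification step is there to surface.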


Presentation

This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.


Review

Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need 'to get on with the next job'. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time-effective. A review of an examination can be simple, quick and can begin during any of the above stages. It may include a basic 'what went wrong and how can this be improved' and a 'what went well and how can it be incorporated into future examinations'. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.

Issues facing computer forensics

The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.

Technical issues

Encryption –

Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer, or on another computer which the suspect has had access to. It could also reside in the volatile memory of the computer (known as RAM [6]), which is usually lost on shut-down; another reason to consider using the live acquisition techniques outlined above.
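To show why a key in RAM matters, here is an added Python example (not from the original guide, and going beyond the text in describing one specific recovery technique): many software AES implementations keep the expanded key schedule in memory while an encrypted volume is open, and because every round key is derived from the one before it, a memory capture can be scanned for 16 bytes that are followed by exactly the schedule they expand to. That is the relationship that tools such as aeskeyfind look for. The memory dump, the key and its offset used here are synthetic.

```python
"""Added example (not from the original guide): recovering an AES-128 key
from a constructed memory capture by locating its expanded key schedule.
Random data never satisfies the expansion relationship, so a match is a
key, not a coincidence. Dump, key and offset are synthetic."""
import random

SCHEDULE_LEN = 176  # 11 round keys x 16 bytes for AES-128


def _make_sbox():
    """Build the AES S-box: multiplicative inverse in GF(2^8) + affine map."""
    def rotl8(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = p * 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09                                            # q = q / 3
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(sum(w, []))


def _first_expanded_word(key: bytes) -> bytes:
    """Only w[4]: a cheap pre-filter before doing the full expansion."""
    t = [SBOX[key[13]] ^ 0x01, SBOX[key[14]], SBOX[key[15]], SBOX[key[12]]]
    return bytes(a ^ b for a, b in zip(key[:4], t))


def find_aes128_keys(dump: bytes):
    """Slide over the dump; at each offset treat 16 bytes as a candidate key
    and report it if the following 160 bytes are the schedule it expands to."""
    hits = []
    for off in range(len(dump) - SCHEDULE_LEN + 1):
        key = dump[off:off + 16]
        if dump[off + 16:off + 20] != _first_expanded_word(key):
            continue
        if dump[off:off + SCHEDULE_LEN] == expand_key_128(key):
            hits.append((off, key.hex()))
    return hits


def build_sample_dump(seed: int = 7):
    """Constructed 16 KiB 'RAM capture': pseudo-random filler with one key
    schedule planted where a crypto library might have left it.
    Returns (dump, offset, key)."""
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(16384))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 test key
    offset = 5000
    dump[offset:offset + SCHEDULE_LEN] = expand_key_128(key)
    return bytes(dump), offset, key


if __name__ == "__main__":
    dump, offset, key = build_sample_dump()
    print("planted at", offset, "recovered:", find_aes128_keys(dump))
```

The scan is linear in the size of the capture and needs no knowledge of which program owned the key; the point for the examiner is simply that this data exists only while the machine is running, which is what makes a live capture worth the changes it causes.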

Increasing storage space –

Storage media holds ever greater amounts of data, which for the examiner means that their analysis computers need sufficient processing power and available storage to deal efficiently with searching and analysing enormous amounts of data.

New technologies –

Computing is an ever-changing area, with new hardware, software and operating systems constantly being produced. No single computer forensic examiner can be an expert in all areas, though they may frequently be expected to analyse something which they have not dealt with before. To deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect, as it is likely someone else has already encountered the same issue.

Anti-forensics –

Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files' meta-data and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence they were used to hide.

Legal issues

Legal arguments may confuse or distract from a computer examiner's findings. An example here would be the 'Trojan Defence'. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, including key-logging [7], uploading and downloading files and installing viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user's knowledge; such a Trojan Defence has been used successfully even when no trace of a Trojan or other malicious code was found on the suspect's computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.

Administrative issues

Accepted standards –

There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to a number of reasons, including standard-setting bodies being tied to particular legislation, standards being aimed either at law enforcement or at commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating.

Fitness to practise –

In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.

Resources and further reading

There does not appear to be a great amount of material covering computer forensics which is aimed at a non-technical readership. However, the links at the bottom of this page may prove to be of interest. The terms used in this guide are explained below:


1. Hacking:

modifying a computer in a way which was not originally intended, in order to benefit the hacker's goals.

2. Denial of Service attack:

an attempt to prevent legitimate users of a computer system from having access to that system's information or services.

3. Meta-data:

at a basic level, meta-data is data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file's author, format, creation date and so on.

4. Write blocker:

a hardware device or software application which prevents any data from being modified or added to the storage medium being examined.

5. Bit copy:

a bit is a contraction of the term 'binary digit' and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium 'invisible' to the user.

6. RAM:

Random Access Memory. RAM is a computer's temporary workspace and is volatile, which means its contents are lost when the computer is powered off.

7. Key-logging:

the recording of keyboard input, giving the ability to read a user's typed passwords, emails and other confidential information.

Jacklyn J. Dyer
