Beginner’s Guide to Computer Forensics


Computer forensics is the practice of collecting, analyzing, and reporting on digital information in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.

About this guide
This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a specific company or product, and is not written with a bias towards either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term “computer”, but the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned, they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license.

Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and, consequently, have often been at the forefront of developments in the field. Computers may constitute a ‘scene of a crime’, for example, with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents, or other files relevant to crimes such as murder, kidnap, fraud, and drug trafficking. It is not just the content of emails, documents, and other files which may interest investigators but also the ‘meta-data’ [3] associated with those files.

A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was later saved or printed, and which user carried out these actions.
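As an added illustration (my own example, not part of the original guide), the following Python script shows the kind of file-system metadata such an examination starts from: it reads the timestamps and owner the operating system records for each file and merges them into one sorted timeline. The sample files, their contents and the older timestamp given to one of them are constructed here, and the function names are my own.

```python
import datetime
import os
import tempfile
from typing import Dict, List, Tuple


def _iso_utc(ts: float) -> str:
    """Render a POSIX timestamp as ISO 8601 in UTC, so timelines taken from
    machines in different time zones can be compared directly."""
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).isoformat()


def file_timestamps(path: str) -> Dict[str, object]:
    """Collect the timestamps and ownership the file system records for one file.

    Caveat: st_ctime means 'last metadata change' on Linux/macOS but 'creation
    time' on Windows, and access-time updates are often disabled, so the examiner
    must know the source platform before drawing conclusions from these values.
    """
    st = os.stat(path)
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "size": st.st_size,
        "modified": _iso_utc(st.st_mtime),
        "accessed": _iso_utc(st.st_atime),
        "changed": _iso_utc(st.st_ctime),
    }


def build_timeline(paths: List[str]) -> List[Tuple[str, str, str]]:
    """Merge the timestamps of several files into one chronologically sorted
    list of (timestamp, event, path) entries: a basic file-system timeline."""
    events: List[Tuple[str, str, str]] = []
    for path in paths:
        info = file_timestamps(path)
        for event in ("modified", "accessed", "changed"):
            events.append((str(info[event]), event, path))
    events.sort()
    return events


# Constructed sample value: 2020-09-13T12:26:40+00:00
BACKDATED_EPOCH = 1_600_000_000


def sample_timeline() -> List[Tuple[str, str, str]]:
    """Create two constructed sample files in a temporary directory, give one of
    them an older access/modification time, and return the merged timeline."""
    workdir = tempfile.mkdtemp(prefix="timeline-demo-")
    old_doc = os.path.join(workdir, "old_report.txt")
    new_doc = os.path.join(workdir, "new_memo.txt")
    with open(old_doc, "w", encoding="utf-8") as f:
        f.write("constructed sample document\n")
    with open(new_doc, "w", encoding="utf-8") as f:
        f.write("constructed sample memo\n")
    # Set both access and modification time of the first file to the older value.
    os.utime(old_doc, (BACKDATED_EPOCH, BACKDATED_EPOCH))
    return build_timeline([old_doc, new_doc])


if __name__ == "__main__":
    for when, event, path in sample_timeline():
        print(f"{when}  {event:<9} {os.path.basename(path)}")
```

Run stand-alone, the script prints the six events in time order; the older document's access and modification events come first, while its 'changed' time (set by the kernel when the timestamps were altered) sits next to the fresh memo's events, which is exactly the kind of discrepancy an examiner looks for.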

More recently, commercial organizations have used computer forensics to their benefit in a variety of cases, such as:

  • Intellectual Property Theft
  • Industrial espionage
  • Employment disputes
  • Fraud investigations
  • Forgeries
  • Matrimonial issues
  • Bankruptcy investigations
  • Inappropriate email and internet use in the workplace
  • Regulatory compliance

For evidence to be admissible, it must be reliable and not prejudicial. At all stages of this process, admissibility should be at the forefront of a computer forensic examiner’s mind. One set of guidelines widely accepted to assist is the Association of Chief Police Officers Good Practice Guide for Computer-Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles apply to all computer forensics in whatever jurisdiction. The four main principles from this guide have been reproduced below (with references to law enforcement removed):

1. No action should change data held on a computer or storage media that may subsequently be relied upon in court.
2. When a person finds it necessary to access original data held on a computer or storage media, they must be competent to do so and be able to give evidence explaining the relevance and implications of their actions.
3. An audit trail or record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary, no changes should be made to the original; however, if access or changes are necessary, the examiner must know what they are doing and record their actions.

Live acquisition

Principle 2 above may raise the question: in what situation would changes to a suspect’s computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) the information from a device that is turned off. A write blocker [4] would be used to create an exact bit-for-bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.

However, sometimes it is not possible or desirable to switch a computer off. Switching a computer off may not be possible if doing so would result in considerable financial or other loss for the owner. Switching a computer off may not be desirable if doing so would mean that potentially valuable evidence may be lost. In both these circumstances, the computer forensic examiner would need to carry out a ‘live acquisition’, which would involve running a small program on the suspect computer to copy (or acquire) the data to the examiner’s hard drive.

By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and additions to the state of the computer which were not present before their actions. Such actions would remain admissible as long as the examiner recorded their efforts, was aware of their impact, and could explain them.
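To make the acquisition and audit-trail points of principles 1 and 3 concrete, here is an added Python example (my own, not from the original guide or from any forensic tool). It copies a source ‘device’ sequentially block by block, hashes the source before and after the copy and the image once written, and appends one JSON record of the whole operation to an audit log; matching hashes are the evidence that the copy is exact and that the original was not altered. The ‘device’ here is a constructed file; a real dead acquisition would read the medium through a write blocker, which opening the source read-only does not replace. The function names, the examiner placeholder and the record’s field names are my own.

```python
import datetime
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

BLOCK_SIZE = 1024 * 1024  # copy and hash in 1 MiB blocks so large media fit in memory


def sha256_of(path: str) -> str:
    """Hash a file block by block; the digest is what the audit trail records."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source: str, image: str, audit_log: str, examiner: str) -> Dict[str, object]:
    """Copy every byte of `source` to `image` in order and build the evidence that
    the copy is exact: hash of the source before the copy, hash of the image,
    and hash of the source again afterwards to show it is unchanged (principle 1)."""
    before = sha256_of(source)
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(block)
            copied += len(block)
    record: Dict[str, object] = {
        "timestamp_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes_copied": copied,
        "source_sha256_before": before,
        "image_sha256": sha256_of(image),
        "source_sha256_after": sha256_of(source),
    }
    record["verified"] = (
        record["source_sha256_before"] == record["image_sha256"] == record["source_sha256_after"]
    )
    # Principle 3: an append-only record of what was done, by whom, and with what result.
    with open(audit_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def read_audit_log(audit_log: str) -> List[Dict[str, object]]:
    """Parse the audit log back so an independent third party can check the hashes."""
    with open(audit_log, "r", encoding="utf-8") as log:
        return [json.loads(line) for line in log if line.strip()]


def demo() -> Tuple[Dict[str, object], List[Dict[str, object]]]:
    """Construct a fake 'device' of 3 MiB plus a 4-byte tail (so the last block
    is partial), image it, and return the acquisition record and the parsed log."""
    workdir = tempfile.mkdtemp(prefix="acquire-demo-")
    device = os.path.join(workdir, "suspect_device.bin")   # constructed sample medium
    image = os.path.join(workdir, "suspect_device.dd")
    audit = os.path.join(workdir, "audit.log")
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * (3 * 4096) + b"tail")
    record = acquire_image(device, image, audit, examiner="examiner-placeholder")
    return record, read_audit_log(audit)


if __name__ == "__main__":
    rec, entries = demo()
    print(json.dumps(rec, indent=2))
    print(f"{len(entries)} audit record(s) written")
```

Hashing the source a second time after the copy is what lets the examiner state, rather than assume, that the original left their hands in the state it arrived; the same record later lets a third party re-hash the image and reach the same result, which is the repeatability principle 3 asks for.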

Stages of an examination
For this article, the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage, the examiner may find a new lead that would warrant further computers being examined and would mean a return to the evaluation stage.

Forensic readiness is an important and occasionally overlooked stage in the examination process. Commercial computer forensics can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer’s built-in auditing and logging systems are switched on. For examiners, there are many areas where a prior organization can help, including training, regular testing, and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job), and ensuring that your on-site acquisition kit is complete and in working order.

The evaluation stage includes receiving clear instructions, risk analysis, and allocating roles and resources. For law enforcement, risk analysis may include an assessment of the likelihood of a physical threat when entering a suspect’s property and how best to deal with it. Commercial organizations also need to be aware of health and safety issues, while their evaluation would also cover the reputational and financial risks of accepting a particular project.

The main part of the collection stage, acquisition, has been introduced above. If acquisition is carried out on-site rather than in a computer forensic laboratory, this stage would include identifying, securing, and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, their manager, and the person responsible for providing computer services) would usually be carried out at this stage. The ‘bagging and tagging’ audit trail would start here by sealing any materials in unique tamper-evident bags. Consideration must also be given to securely and safely transporting the material to the examiner’s laboratory.

The analysis stage depends on the specifics of each job. The examiner usually provides feedback to the client during the examination, and from this dialogue, the analysis may take a different path or be narrowed to specific areas. The analysis must be accurate, thorough, impartial, recorded, repeatable, and completed within the timescales available and the resources allocated. There are myriad tools available for computer forensics analysis. We believe the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is to regularly test and calibrate the tools they use before analysis. Dual-tool verification can confirm the integrity of a result during analysis (if with tool ‘A’ the examiner finds artifact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results).
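The dual-tool verification idea, as an added Python example of my own (not the guide’s and not any real forensic product): two independently written searches look for the same byte-pattern artifact in an image and report the offsets they find, and a comparison step confirms agreement or lists the offsets on which the tools differ. To show why the check is worth doing, the chunked search can also be run in a naive mode that does not carry an overlap between chunks, so it silently misses a hit that straddles a chunk boundary; cross-checking against the other tool exposes the miss. The image, the artifact string and the offsets are all constructed here, and the function names are mine.

```python
import re
from typing import Dict, List

ARTIFACT = b"CONFIDENTIAL"  # constructed byte pattern standing in for an artifact of interest


def search_whole_buffer(image: bytes, needle: bytes) -> List[int]:
    """'Tool A' (constructed): load the whole image into memory and walk it with
    bytes.find, reporting the byte offset of each non-overlapping hit."""
    hits: List[int] = []
    start = 0
    while True:
        found = image.find(needle, start)
        if found < 0:
            return hits
        hits.append(found)
        start = found + len(needle)


def search_chunked(image: bytes, needle: bytes, chunk_size: int = 4096,
                   carry_overlap: bool = True) -> List[int]:
    """'Tool B' (constructed): scan the image in fixed-size chunks, as a tool that
    streams a large image from disk would. With carry_overlap=True each window
    starts len(needle)-1 bytes before its chunk, so a hit straddling two chunks
    is seen exactly once; with False it models a naive tool that misses such hits."""
    pattern = re.compile(re.escape(needle))
    overlap = len(needle) - 1 if carry_overlap else 0
    hits: List[int] = []
    for pos in range(0, len(image), chunk_size):
        window_start = max(0, pos - overlap)
        window = image[window_start:pos + chunk_size]
        for match in pattern.finditer(window):
            hits.append(window_start + match.start())
    return hits


def cross_verify(hits_a: List[int], hits_b: List[int]) -> Dict[str, object]:
    """Compare two tools' findings: agreement confirms the result, disagreement
    tells the examiner exactly which offsets need a manual look."""
    a, b = set(hits_a), set(hits_b)
    return {
        "agree": a == b,
        "confirmed": sorted(a & b),
        "only_tool_a": sorted(a - b),
        "only_tool_b": sorted(b - a),
    }


def build_sample_image() -> bytes:
    """Construct a 12 000-byte 'image' of filler with the artifact planted at three
    offsets, one of which (4090) straddles the 4096-byte chunk boundary."""
    image = bytearray(b"." * 12_000)
    for offset in (100, 4090, 9000):
        image[offset:offset + len(ARTIFACT)] = ARTIFACT
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    tool_a = search_whole_buffer(img, ARTIFACT)
    tool_b = search_chunked(img, ARTIFACT)
    naive = search_chunked(img, ARTIFACT, carry_overlap=False)
    print("A vs B    :", cross_verify(tool_a, tool_b))
    print("A vs naive:", cross_verify(tool_a, naive))
```

The point of the comparison is not that one tool is right and the other wrong; it is that a disagreement is a finding in itself, and the offsets it lists are where the examiner verifies by hand before anything goes into a report.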

The presentation stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial and any subsequent instructions. It would also cover any other information the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases, the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.

The review stage is often overlooked or disregarded, along with the readiness stage. This may be due to the perceived costs of doing work that is not billable or the need ‘to get on with the next job’. However, a review stage incorporated into each examination can help save money and raise quality by making future examinations more efficient and time effective. A review of an investigation can be simple, quick, and begin during any of the above stages. It may include a basic ‘what went wrong and how can this be improved’ and a ‘what went well and how can it be incorporated into future examinations’. Feedback from the instructing party should also be sought. Any lessons learned from this stage should be applied to the next examination and fed into the readiness stage.

Issues facing computer forensics
The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal, and administrative.

Technical issues
Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer, or on another computer the suspect has access to. It could also reside in the volatile memory of the computer (known as RAM [6]), which is usually lost on computer shut-down; another reason to consider using the live acquisition techniques outlined above.

Increasing storage space – Storage media holds ever greater amounts of data which for the examiner means that their analysis computers need to have sufficient processing power and available storage to deal with searching and analyzing enormous amounts of data efficiently.

New technologies – Computing is an ever-changing area, constantly producing new hardware, software, and operating systems. No computer forensic examiner can be an expert in all areas, though they may frequently be expected to analyze something they haven’t dealt with before. To deal with this situation, the examiner should be prepared and able to test and experiment with the behavior of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful, as it is likely that someone else has already encountered the same issue.

Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, overwriting data to make it unrecoverable, modifying files’ metadata, and obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or another computer the suspect has accessed. In our experience, it is rare to see anti-forensics tools used correctly and frequently enough to obscure their presence or the evidence they were used to hide.
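The detection side of the ‘modifying files’ metadata’ point, as an added Python example of my own (not the guide’s): two simple heuristics that flag a file whose timestamps look inconsistent, namely a modification time that predates the last metadata change by more than a threshold, and a whole-second modification time sitting under a change time that carries sub-second precision. The threshold value, the flag names and the sample files are constructed here; the second file has its modification time set back five years to simulate a file whose metadata was altered.

```python
import datetime
import os
import tempfile
from typing import Dict, List

# Assumption: how far the modification time may lag the last metadata change
# before it is called suspicious. One day is a constructed starting point, not a standard.
BACKDATE_THRESHOLD_SECONDS = 24 * 60 * 60


def timestamp_anomalies(path: str, threshold: int = BACKDATE_THRESHOLD_SECONDS) -> List[str]:
    """Return heuristic flags for a file whose timestamps look manipulated.

    These are leads, not proof: copying a file, extracting an archive or restoring
    a backup also produce an old modification time under a fresh change time.
    On Linux/macOS st_ctime is the last metadata change and cannot be set by an
    ordinary user; on Windows it is the creation time, where 'modified before
    created' is the classic indicator of a copied or back-dated file.
    """
    st = os.stat(path)
    flags: List[str] = []
    if st.st_ctime - st.st_mtime > threshold:
        flags.append("mtime_predates_ctime")
    # Ordinary writes get sub-second precision from the kernel, while timestamps
    # written back by a tool are frequently whole seconds.
    if st.st_mtime_ns % 1_000_000_000 == 0 and st.st_ctime_ns % 1_000_000_000 != 0:
        flags.append("mtime_whole_second")
    return flags


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Run the heuristics over every regular file under `root` and report only
    the files that raised at least one flag."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            flags = timestamp_anomalies(path)
            if flags:
                report[path] = flags
    return report


def demo() -> Dict[str, List[str]]:
    """Construct two sample files, one written normally and one whose modification
    time is set back five years, and return the flags each one raises."""
    workdir = tempfile.mkdtemp(prefix="timestamp-demo-")
    normal = os.path.join(workdir, "normal.txt")
    backdated = os.path.join(workdir, "backdated.txt")
    for path in (normal, backdated):
        with open(path, "w", encoding="utf-8") as f:
            f.write("constructed sample content\n")
    now = int(datetime.datetime.now(datetime.timezone.utc).timestamp())
    five_years_ago = now - 5 * 365 * 24 * 60 * 60
    os.utime(backdated, (five_years_ago, five_years_ago))  # simulate altered metadata
    return {"normal": timestamp_anomalies(normal), "backdated": timestamp_anomalies(backdated)}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name}: {flags or 'no anomalies'}")
```

Because the operating system, not the user, sets the change time on Linux, the gap between the two timestamps survives the alteration that was meant to hide it; this is the sense in which the text says the evidence that anti-forensics was used is often still on the machine.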

Legal issues
Legal arguments may confuse or distract from a computer forensic examiner’s findings. An example here would be the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something benign with a hidden and malicious purpose. Trojans have many uses, including key-logging [7], uploading and downloading files, and installing viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user’s knowledge; such a Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases, a competent opposing lawyer, supplied with evidence from a qualified computer forensic analyst, should be able to dismiss such an argument.

Administrative issues
Accepted standards – There are many standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to several reasons, including standard-setting bodies being tied to particular legislations, standards being aimed either at law enforcement or at commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating.

Fitness to practice – In many jurisdictions, there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases, anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.

Resources and further reading
There does not appear to be a great amount of material covering computer forensics that is aimed at a non-technical readership. However, the following notes may prove to be of interest:

1. Hacking: modifying a computer in a way that was not originally intended to benefit the hacker’s goals.
2. Denial of Service attack: an attempt to prevent legitimate computer system users from accessing that system’s information or services.
3. Meta-data: at a basic level, metadata is data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file’s author, format, creation date, etc.
4. Write blocker: a hardware device or software application that prevents any data from being modified or added to the storage medium being examined.
5. Bit copy: bit is a contraction of the term ‘binary digit’ and is the fundamental computing unit. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium ‘invisible’ to the user.
6. RAM: Random Access Memory. RAM is a computer’s volatile temporary workspace, meaning its contents are lost when the computer is powered off.
7. Key-logging: the recording of keyboard input, giving the ability to read a user’s typed passwords, emails, and other confidential information.
