Computer forensics

Think of a TV programme with a crime scene and there are usually some common components – a body, a bloodstained weapon and a couple of glasses covered in fingerprints for a murder, perhaps.

But what of the computer sitting in the corner? Could this contain evidence of contact between the victim and their killer?

Increasingly, you’ll see the computer bagged as evidence too, in shows like CSI or Without a Trace.

The relatively new field of computer forensics is, like other forensic sciences, becoming a popular area for study at the moment, and not just because of the TV. With virtually everyone using a computer, demand for forensic analysts and the availability of post-graduate courses for those who want to learn about computer forensics are both on the increase.

The use of forensic evidence from computers and other digital devices has become a common feature in investigating many crimes. No longer are computers simply seen as tools to commit a crime such as fraud; they can now bear witness to events leading up to other crimes, such as research and planning, or email exchanges between the suspect and victim.

The digital post-mortem
In a criminal investigation, procedure and documentation are the two most important factors that determine how an examination is conducted. The forensic analyst works methodically through a process that can be split into four broad stages – acquisition, identification, evaluation and presentation.

Acquisition is concerned with the forensically sound capture and preservation of digital and physical evidence, which is paramount for the investigation. The computer and its hard drives are crime scenes in their own right and must be secured and preserved, so once the computer has been seized, every sector of the hard disk has to be captured to produce a forensically sound copy.

You can’t just rush in and connect the disk from a seized computer to a forensic computer to examine it – Windows may write data to the drive as soon as it detects it. The problems don’t stop there either; as soon as you access files or folders on the disk their associated Last Access dates and times will be updated, potentially destroying valuable information.

Even if this sort of mistake is avoided, there is a good chance virus checking software on the forensic computer will almost certainly try to check the disk, quarantining any suspect files it finds. To sidestep these difficulties, forensic examiners use a piece of equipment called a hardware write-blocker, which is designed to stop all write commands reaching the hard disk, effectively rendering it a read-only device.

There are several forensic software tools available that can produce a complete copy of the disk in a series of files. Some products, such as Encase from Guidance Software, and the FTK Imager from Accessdata generate and embed a Message Digest 5 (MD5) hash – a sort of digital fingerprint – into these files. This can be regenerated at any subsequent time, and used to validate the integrity of the copy being examined, showing that it has not been tampered with.