PCs are increasingly becoming a vital source of clues for solving today’s high-tech crimes
Assuming acquisition goes smoothly, the next stage of forensic examination is identification.
This is largely about placing facts into context. For example, at a physical level, a note is made of how many hard disks are present in the computer and which was configured as the boot disk.
At the logical level, the partitioning arrangement on the disks and the file systems on them can perhaps reveal the level of knowledge possessed by the computer’s owner.
Identifying the file system is also important in interpreting the layout of the disk and the behaviour of files as they are created, moved and deleted.
The evaluation stage of the process is concerned with locating and evaluating evidence. Here, the strategy used by the forensic analyst will depend on a number of factors, including the alleged crime, the number of exhibits and whether the suspect is in custody, on bail or not yet arrested.
For a forensic computer analyst undertaking work for a criminal prosecution, the presentation stage of the work is ultimately destined for an audience of lay people in a court of law. Much of the data found on a computer is stored in a raw format, and interpreting the information will usually be beyond the technical knowledge and experience of the jury and other people in court.
A key task for the analyst, then, is to interpret the data and present it without opinion, using only facts and probabilities to add weight to any significant evidence. A forensic scientist must be prepared to be questioned and defend their findings in court, in addition to explaining them clearly.
Inside the criminal mind
To prove a person’s guilt under UK law, many offences require evidence to show that they both committed the act of which they are accused and intended to do so. In legal terminology, this distinction is known by the Latin terms actus reus, meaning a guilty act, and mens rea, a guilty mind. These are terms you may have come across if you’ve done jury service. Computer forensics can help prove both.
For example, imagine that a business has recently been hacked and the police have identified a suspect from the IP addresses in the firewall logs, tracing the IP address back, via the ISP, to a particular person.
Now, suppose confidential company files are found during an examination of the suspect’s computer. This provides evidence of actus reus. By investigating the suspect’s internet history on the computer, a forensic analyst discovers a number of Google searches that were carried out just prior to the offence, using the search phrase ‘hacking firewalls’.
The analysis also shows that the user went through a further four pages of results from Google, before visiting the site http://insecure.org and downloading the file nmap-4.11.setup.exe. This website and tool are network security related, so the activity is indicative of their thinking process, or mens rea.
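The browsing activity described above can be laid out as a timeline relative to the time of the offence, as in the sketch below. This is an added example, not part of the original article; the timestamps, the URLs (including the download path), the offence time and the 24-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (timestamp, URL) standing in for rows exported
# from a browser history file. Times and URL paths are illustrative only.
HISTORY = [
    ("2006-09-01 09:15:00", "http://www.bbc.co.uk/news"),
    ("2006-09-03 19:02:10", "http://www.google.com/search?q=hacking+firewalls"),
    ("2006-09-03 19:03:41", "http://www.google.com/search?q=hacking+firewalls&start=10"),
    ("2006-09-03 19:09:27", "http://insecure.org/"),
    ("2006-09-03 19:11:05", "http://insecure.org/nmap-4.11.setup.exe"),
    ("2006-09-05 08:30:00", "http://www.google.com/search?q=train+times"),
]

def classify(url):
    """Return (kind, detail) for one history URL: search, download or visit."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    is_google = host == "google.com" or host.endswith(".google.com")
    if is_google and parts.path == "/search" and "q" in query:
        # Google pages results ten at a time through the 'start' parameter.
        page = int(query.get("start", ["0"])[0]) // 10 + 1
        return "search", f"{query['q'][0]!r} (results page {page})"
    filename = parts.path.rsplit("/", 1)[-1]
    if filename.lower().endswith((".exe", ".zip", ".msi")):
        return "download", f"{filename} from {host}"
    return "visit", host

def timeline(history, offence_time, window_hours=24):
    """Events falling in the window before the offence, oldest first."""
    end = datetime.fromisoformat(offence_time)
    start = end - timedelta(hours=window_hours)
    events = []
    for stamp, url in history:
        when = datetime.fromisoformat(stamp)
        if start <= when <= end:
            events.append((when, *classify(url)))
    return sorted(events)

if __name__ == "__main__":
    # Assumed offence time, e.g. taken from the firewall logs.
    for when, kind, detail in timeline(HISTORY, "2006-09-03 21:00:00"):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:<8}  {detail}")
```

Records outside the window, such as the unrelated search two days later, drop out, leaving only the sequence of searches, site visit and download that preceded the offence.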