Private Investigations: What is Computer Forensics?

Since the computer and the Internet were invented, they have made our lives easier. Computers also bring great benefits to forensics and the gathering of evidence, a field known as computer forensics. Many private investigators offer computer forensic services.

Computer forensic science pertains to information found on computers and digital storage media that can be used as evidence in court against a suspect. Its mission is to identify, preserve, recover, analyze and present facts about digital data. It has most often been used to investigate a wide variety of computer crimes, and it can also be used in civil proceedings. e-Investigations International offers computer forensic services as well.

A private investigator who specializes in computer forensics examines a hard drive for evidence.

Since the Internet is so widely used nowadays and creating a fake online identity is so easy, computer forensics emerged to protect people from cyber-crimes such as hacking, identity theft and cyber-bullying. A computer forensic investigation involves recovering and examining digital evidence that can be used in court.

As criminals become more technically inclined, more crimes will be committed online. Naturally, if you are the victim of a cyber-crime, your first instinct is to find out who did this to you. And the perfect person to hire for the job? Why, a private investigator, of course! While the investigator him or herself is probably not the person who will perform the forensic analysis, contacting a PI is probably the easiest and most consumer-friendly way of hiring a computer forensics specialist.

Famous investigations involving computer forensics

Many people have been convicted in court with the help of computer forensics and private investigative work. Some of the better-known cases are:

Dennis Rader: also known as the BTK Killer, convicted of a series of murders committed over almost seventeen years. Investigators cracked this case using a floppy disk that was sent to the police department. The metadata (data embedded in a file, or stored externally in a separate file, that describes the file: its author, date of creation and so on) within the files contained the author's name 'Dennis' and a location, 'Christ Lutheran Church', which helped lead to his arrest.

Joseph Duncan III: a spreadsheet on his computer contained plans to commit crimes. It was used against him in court to show premeditation, and he was sentenced to death.

Sharon Lopatka: hundreds of emails on her computer led investigators to her killer, Robert Glass.

Dr. Conrad Murray: Michael Jackson's doctor, whose conviction rested partly on digital information investigators found on his computer showing medical information about lethal dosages of Propofol.

Computer forensics: The standard process

In conducting a computer forensic investigation, a standard process is usually followed. Its stages are:

  • Acquisition
  • Examination
  • Analysis
  • Reporting

Even with today's advanced technology, CF still faces issues when investigating cybercrimes and other crimes involving computers, whether hardware or software. These issues are usually technical, administrative or legal. Each is discussed in more detail below.

Technical issues

One of the major problems in a CF investigation is a technical issue. A technical issue typically arises when the computer is accidentally or automatically shut down, which prevents investigators from retrieving or copying data from the suspect's computer as evidence, or it may be due to:

Encryption

Let's face it: encrypted data is impossible to open without the correct password or keys. Investigators handling a case usually have problems retrieving evidence from encrypted computers, and acquiring data through live acquisition is impossible or quite hard to do.

Live acquisition is the process in which the investigator or examiner runs a small program on the suspect's computer to copy its data to the investigator's storage device. In doing so, the investigator has to make changes to the suspect's computer that are not done in the suspect's presence; however, the evidence found on the suspect's computer is still considered admissible in court.

Going back to encryption: when retrieving data from the suspect's computer, investigators have to consider that passwords or keys might be located on other computers the suspect had access to, or might be stored in the computer's volatile memory (also known as RAM), which is usually lost when the computer shuts down.

Increasing storage space

When copying or acquiring data from the suspect's computer, the investigator's storage device must have ample space: the information stored on the suspect's computer is sometimes larger than the investigator's storage device, often because stored media and multimedia files take up a large amount of space.

New technologies

With evolving technology, new computer devices, software, hardware and operating systems keep emerging to compete with the latest technology. Honestly speaking, no single investigator is an expert in all areas of CF. To deal with this, investigators have to be prepared and able to test and experiment with the behavior of current technology, especially when they have not encountered it before.

Anti-forensics

Anti-forensics is the practice of trying to thwart CF analysis. It can be done through encryption, overwriting information so that it becomes unrecoverable, modifying file metadata, and even ingeniously disguising files. Rest assured, anti-forensic tools are often used improperly, or the individual lacks the knowledge of the program needed to carry out such an act.

Legal issues

Certain issues can lead to legal action, one of which is the investigator being sued by the suspect for conducting a CF investigation without the suspect's knowledge or consent. An example is acquiring evidence through live acquisition, discussed above under encryption.

Another is accessing a suspect's computer that has an installed program described as a "Trojan Defense". The Trojan Defense takes its name from the Greek myth of the Trojan War, in which warriors hid inside the wooden Trojan Horse that was taken into the city they were besieging. Just like the Trojan Horse, the Trojan Defense refers to computer code disguised as benign that has a malicious purpose and contains hidden information.

With the help of a competent opposing lawyer, it can be argued in court that certain documents or evidence were placed there by such a Trojan, which leaves no trace on the suspect's computer, an argument supported by a competent computer analyst.

Administrative issues

Administrative issues can also hinder CF investigations. These include standards and the ability or competence of those doing the job. To explain further:

Acceptable standards

Unlike other types of investigation, computer forensics has complex guidelines and standards that investigators have to consider and follow, though only a few are universally accepted. The reasons only a few are universally accepted include:

  • The bodies that set the standards are tied to particular legislation
  • The standards are aimed at either law enforcement or commercial forensics, but never both
  • The authors of the standards are not accepted by their peers; or
  • High fees for joining professional bodies dissuade practitioners from practicing CF

Competency to practice CF

In certain jurisdictions there is no qualifying body to check the integrity and competence of CF investigators. In some cases, anyone can present themselves as a CF professional, which can result in questionable CF examination results and an overall negative view of the field.

There are certain techniques to master in the art of CF; the techniques discussed here are those used in law enforcement.

Cross-drive analysis

This technique correlates information found across multiple hard drives to build a single body of evidence. Though still being developed, it can be used to identify social networks and perform anomaly detection.
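One way cross-drive analysis identifies social networks is by correlating identifiers (here, e-mail addresses) that recur across several drives. The following example is added here and is not code from the original article or from any named tool; the three "drive images" are constructed byte strings standing in for strings pulled from real disk images.

```python
import re
from collections import defaultdict

# Constructed stand-ins for three disk images (not real evidence): raw
# bytes containing e-mail addresses as they might appear in carved text.
DRIVE_IMAGES = {
    "drive_A": b"\x00mailto:alice@example.org \x00 To: Bob@example.org \x00",
    "drive_B": b"From: bob@example.org\n\x00 cc: carol@example.net \x00",
    "drive_C": b"\x00 dave@example.com \x00 carol@example.net \x00",
}

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_identifiers(image):
    """Return the set of (lower-cased) e-mail addresses found in raw bytes."""
    return {m.group(0).lower().decode() for m in EMAIL_RE.finditer(image)}


def cross_drive_correlate(images):
    """Map every identifier to the set of drives on which it appears."""
    index = defaultdict(set)
    for drive, data in images.items():
        for ident in extract_identifiers(data):
            index[ident].add(drive)
    return dict(index)


def shared_identifiers(index, min_drives=2):
    """Identifiers seen on at least `min_drives` drives: the links between drives."""
    return {i: d for i, d in index.items() if len(d) >= min_drives}


def drive_links(index):
    """Edges of the drive 'social network': drive pairs sharing an identifier."""
    links = defaultdict(set)
    for ident, drives in index.items():
        ds = sorted(drives)
        for i in range(len(ds)):
            for j in range(i + 1, len(ds)):
                links[(ds[i], ds[j])].add(ident)
    return dict(links)


if __name__ == "__main__":
    idx = cross_drive_correlate(DRIVE_IMAGES)
    for pair, idents in drive_links(idx).items():
        print(pair, "linked by", sorted(idents))
```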

Live analysis

This is basically the same as live acquisition: the investigators copy the suspect's files from the computer by making changes to the running system and installing a program to copy data to the investigator's storage device.

Deleted files

This technique recovers deleted files using modern forensic software that does the job easily. Because most operating systems and file systems do not permanently erase data from the disk, investigators can reconstruct deleted files from the physical disk by meticulously searching disk images for known file headers and deleted material.
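The header search described above is known as file carving. This added example (not code from the article or from any forensic product) scans a constructed disk image for JPEG and PNG signatures, cuts out each candidate file between its header and trailer, and records a SHA-256 hash so the recovered item can be preserved and verified later; a truncated file without a trailer is reported as incomplete rather than carved.

```python
import hashlib

# Magic bytes (header, trailer) for the file types we carve.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed disk image: a deleted JPEG and PNG whose directory entries are
# gone, padded with zeroed sectors, plus a truncated JPEG with no trailer.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 3 + b"\xff\xd9"
FAKE_PNG = SIGNATURES["png"][0] + b"IHDR-chunk-data" + SIGNATURES["png"][1]
DISK_IMAGE = (b"\x00" * 512 + FAKE_JPEG + b"\x00" * 1024 + FAKE_PNG
              + b"\x00" * 256 + b"\xff\xd8\xff\xe1truncated" + b"\x00" * 64)


def carve(image, max_size=10_000_000):
    """Find known headers in a raw image and cut out header..trailer spans.

    Returns (files, incomplete): carved records sorted by offset, and the
    offsets of headers with no trailer within max_size (truncated or
    overwritten files). Caveat: a trailer belonging to a later file can be
    matched to an earlier truncated header; real carvers validate structure.
    """
    files, incomplete = [], []
    for ftype, (header, trailer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(trailer, pos + len(header), pos + max_size)
            if end == -1:
                incomplete.append((ftype, pos))
                pos = image.find(header, pos + 1)
                continue
            end += len(trailer)
            data = image[pos:end]
            files.append({"type": ftype, "offset": pos, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = image.find(header, end)   # resume after the carved file
    return sorted(files, key=lambda f: f["offset"]), incomplete


if __name__ == "__main__":
    found, partial = carve(DISK_IMAGE)
    for f in found:
        print(f)
    print("incomplete headers:", partial)
```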

Stochastic forensics

Using this technique, the investigator reconstructs digital activity from the suspect's computer and analyzes its emergent properties. The method is widely used to detect and investigate insider data theft by someone who had technical authority to access the data through the computer's software and hardware.

Steganography

This technique involves hiding data in an image, for example a pornographic picture or any other image the suspect does not want discovered. To detect it, investigators compare the hash of the original image to the hash of the file carrying the hidden data: though the images may appear exactly the same, the hashes differ.

Nowadays, with advancing technology, CF investigations are increasingly needed, especially for decoding evidence that may help in court. Certifications in CF are now available, namely:

  • ISFCE Certified Computer Examiner
  • Digital Forensics Investigation Professional (DFIP)
  • IACRB Certified Computer Forensics Examiner

There are also institutions that offer programs and certificates for CF, such as:

  • The International Association of Computer Investigative Specialists (IACIS) – offering Certified Forensic Computer Examiner (CFCE) programs

Certain companies also offer proprietary certificates on their products:

  • Guidance Software – offers EnCE certificates on its product tool EnCase
  • AccessData – offers ACE certificates on its product tool FTK
  • PassMark Software – offers OCE certificates for its product tool OSForensics
  • X-Ways Software Technology – offers X-PERT certificates for its software product X-Ways Forensics

Though there are no college courses for computer forensics, these certificates and courses assure victims and others who need a private investigator's help that the investigator has the competency to solve the case.