Computer Forensics

Computers are often used in crime, whether to plot a terrorist attack, contact children for sexual abuse, commit bank or credit card fraud, or other crimes. Some crimes cannot actually be committed without a computer, such as hacking into company records. Others are just made easier by using a computer, such as sexual predators who can anonymously search for under-age victims on Internet chat sites. Whatever role the computer played, the machine can be seen as a crime scene in its own right. The police will often seize a computer if they suspect it holds evidence of an illegal act. They will then take it to a specialized forensic laboratory for examination. Computer forensics is a relatively new area of forensic science and one that requires considerable expert knowledge of operating systems, computer hardware and software, and the workings of the Internet.

As with any other crime scene, suspects leave behind trace evidence of their actions when using computers to commit a crime. Gathering evidence from a computer can be challenging, but valuable, because every operation that an individual carries out on a computer leaves behind a record that is usually dated. However, computer traces can also be fragile and, without the proper approach, files containing valuable evidence can be lost. Since 1990, guidelines on computer forensics have evolved by using the input of authorities around the world.

Generally the investigator is careful to do nothing that would alter the original data on the computer. Usually this means taking a copy of the hard disk for investigation, rather than the original data. Should it be necessary to look at original data, experts are consulted and only they are permitted access to data stored on hard drives. All processes involving the investigation of computer-based evidence is carefully recorded and examined and reproduced by an independent third party.

The first step in the forensic examination of a computer is to determine the condition of the computer, noting whether it is turned on, plugged in, connected to a network, or to the Internet. Then, modem or network connections should be unplugged so the computer's owner cannot access the machine remotely to destroy evidence. Note-taking and photography are used to record all the connections and any screen display. The computer is usually turned off by simply pulling the plug, as some computer criminals will manipulate the usual orderly shutdown process to destroy evidence. The next task is to create two physical backups of the hard drive, one for analysis and the other for evidence.

Further investigation of a computer crime scene involves looking at many different components and data, including compact disks (read only, read-write, and write-only), hard disks, and digital video disks. A hard disk is divided into various segments. Unallocated space on the hard disk, for instance, can be a rich source of forensic information as this is where files that the suspect believes deleted may be stored. Passwords and identifications sometimes appear in a part of the hard disk called slack space. Retrieving this kind of information may require specialist forensic software and, if the suspect is a computer expert, he or she may be one step ahead of the forensic investigator.

The Internet is another important source of evidence. Investigators will track a suspect's e-mail messages, their contributions to newsgroups, bulletin boards, and chat rooms. The websites accessed by a suspect can also be valuable evidence, especially when sexual crime is involved. Web browsers such as Netscape® and MS Internet Explorer® create cache files to improve performance. These show which sites have been visited recently. Although they are difficult to view, there are utilities that can allow their contents to be revealed, showing if a suspect has been indulging in incriminating use of the Internet, such as visiting child pornography, or terrorist or racist web sties.

Computer forensics can provide key evidence in both civil and criminal investigations. For example, sometimes employees from a large organization want to break away and set up a rival company. To do this, a dishonest employee could break into the organization's network and steal information about clients. In many cases, the suspects have been taken by surprise when a manager called in a computer forensic expert to examine their machines. Inappropriate use of the Internet in the workplace, for instance to access pornographic websites, can also be uncovered by this type of investigation. Computer forensics is one of the most challenging branches of forensic science. It is not just computer technology that moves fast, but also the criminals who exploit it. Keeping up or even outpacing them can be a source of satisfaction to the computer forensic expert.