According to the TechTarget web site, “Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.”
Here at University, we have expanded the term a bit to include any computer investigative process whether we suspect that it involves the commission of a crime or not.
When might forensic technology be used?
Forensic techniques are used when:
- It is suspected that an individual is involved in the commission of a crime,
- It is suspected that a computer is compromised,
- A device is lost or stolen and a backup of the computer’s hard drive is available. In this specific case, we would copy the backed-up files onto a comparable computer to determine if the computer's hard drive contains any information that is protected by law or contract.
What kinds of forensic tools are available?
There are a number of tools that are used in forensic activities including software that can:
- Make “forensic copies” of a computer’s hard drive to ensure that the data being analyzed is in the same state as when the forensic process began.
IMPORTANT NOTE: Making a forensic copy of the hard drive works hand in hand with “chain of evidence” procedures to confirm that the data has not been altered in case prosecution is pursued.
- Recover deleted data (both full and partial files) from a hard drive – even beyond the time that the recycle bin was emptied. See this site’s web page entitled “Deleting data so it is REALLY gone” to learn what makes data recovery tools effective.
- Find evidence of known attacks (anti-virus/anti-malware software).
- Analyze patterns in the security logs across multiple technologies to determine if a possible cyberattack is in progress or to reconstruct sequences of events (Security Information and Event Management, or SIEM, software).
What are the key steps in performing a forensic analysis?
If a computer is compromised, quick action must be taken to preserve the “state” of the device.
First, the user of the device must immediately:
- Unplug it from the network,
- Power the computer down,
- Contact the Information Security Office through the UCT Support Center at extension 2828 or firstname.lastname@example.org.
Next, the Information Security Office will:
- Make one or more forensic copies of the data by:
  - Removing the hard drive from the unit,
  - Plugging the hard drive into another device as a secondary hard drive,
  - Copying the hard drive’s contents into a storage device that becomes read-only after the data is transferred,
  - Physically securing the forensic copy, e.g., placing it in a sealed package that is signed by the person who made the copy,
- Use the forensic analysis and anti-malware software to look for evidence of a compromise on the hard drive,
- Investigate attack paths by analyzing computer and network log data.
- Bring in the University Police Department immediately if criminal activity is suspected.