Forensics, or forensic science, is the application of scientific methods to resolve or shed light on legal issues. It has a number of subdivisions; forensic medicine involves the examination of the human body (living or dead) for purposes of answering legal questions or gathering evidence for a criminal or civil action. Forensic accounting involves the examination of financial records for the same purpose. And computer forensics, as the name indicates, involves the examination of computer systems and data for legal purposes.
A forensic pathologist is a medical doctor first, who then specializes in pathology, with forensics being a subspecialty. Similarly, a forensic accountant has a broad education in general accounting principles before focusing on the legal field. Ideally, then, a computer forensics expert will be trained in computer science before specializing in forensics. However, in the real world there has been deviation from this pattern. The computer field is much less regulated than medicine or accounting, and one doesn't have to be licensed or meet any particular educational standards in order to hang out a shingle as a "computer expert." Many are self-taught or learned their skills through on-the-job training. And many of those working in computer forensics were initially trained in law enforcement - police officers or general evidence technicians who developed an interest in digital evidence. Others were IT professionals or IT security personnel (with or without formal training) who became interested in the evidentiary nature of digital data.
The point? There are many different starting points for becoming a computer forensics expert.
It helps to have a computer science degree, but that's not a requirement. You do need either formal training or a number of years of experience in the industry. It also helps to have law enforcement training, but again, that's not always necessary. However, if you'll be working for/with law enforcement agencies, you'll need to have a clean criminal history. Even if you only plan to work on civil cases, if you'll be testifying in court, anything in your background that can be used to damage your credibility will be seized upon by the opposing attorney.
Whether you start out on the IT side or the law enforcement side, to be a good computer forensics expert, you should have certain personal characteristics. As with any investigative specialist, you should have a curious nature - one that leads you to want to dig and ask questions and keep at it until you figure out the answers. You should be organized, as you'll be dealing with a lot of information and you must be able to recognize patterns and see correlations. You need to have excellent observation skills, and be capable of seeing both the minute details and the "big picture." And you must be objective, so that you can draw conclusions that aren't influenced by your preconceptions or prejudices. Finally, you need to be able to meticulously document your findings and often, to be able to present them to others (attorneys, judges, juries) who don't have your specialized knowledge, so you need both good writing skills and good speaking skills.
Regardless of whether you're self-trained or formally educated, you need a good basic understanding of computer science, networking protocols, operating systems and software, and IT security issues. Beyond that, you need to master the software and tools you'll use to collect the evidence and discover hidden data. You also must understand the law as it pertains to evidentiary data, rules of evidence and what must be done to preserve the chain of custody and the integrity of the evidence. You'll need to know about search warrants, exigent circumstances, and probable cause for seizing digital evidence.
Depending on the agency for which you work, you may or may not need to be a sworn law enforcement officer to work as a computer forensics examiner. If you are required to be sworn, you'll have to go through the law enforcement training academy and meet all the qualifications (including physical fitness and firearms training) that other law enforcement officers must meet.
What the job entails
In the criminal justice system, a computer forensics expert's primary task is examining computers and devices to discover and collect evidence to convict or exonerate a person accused of a crime (or in some cases, to determine whether a crime has in fact occurred and the nature of that crime). You might be called to the scene of the crime or the location of the equipment that's suspected of being involved in a crime, to take custody of the computer equipment. First responders should be educated in how to preserve the evidence before your arrival. For example, they should know not to shut down or unplug a running computer, and not to attempt to examine it themselves. Some criminals "booby trap" their systems with software that will erase incriminating files if a particular sequence of keystrokes isn't entered at a particular time. At the very least, shutting down the system will lose any data that's in RAM: running processes, open network connections, and the keys for any encrypted volumes that are currently mounted.
The sooner you - the forensics expert - can take charge of the system, the less likely important evidence will be lost. Often, however, the computers will be brought to you at the lab. Then you'll have to work with what you have: first and foremost, the information on the hard drive. Your first step in dealing with that evidence, whether in the field or in the lab, will be to make a disk image: an exact, bit-level duplicate of the disk. You want every physical sector copied so the data is laid out exactly as on the original, including deleted files, slack space and unallocated space, none of which a file-by-file copy would capture. The original should be connected through a hardware write blocker so that nothing can write to it, and you should compute a cryptographic hash (MD5 and SHA-1 were long the norm; SHA-256 is now common) of both the original media and the image and record the values, so you can later demonstrate that the copy you examined is identical to what was seized.
There are several ways to make a bit-level copy of a disk, depending upon where you are and what equipment you have available:
- Remove it from the suspect computer and attach it to another computer, preferably a forensics workstation.
- Attach another disk to the suspect computer and make the copy, booting the suspect machine from your own forensic boot media rather than from its installed operating system, which would write to the disk as it starts.
- Use a standalone imaging device.
- Use a network connection to transfer the contents of the disk to another computer or forensics workstation.
You should use imaging software that's made specifically for law enforcement forensics work, such as EnCase Forensic from Guidance Software. In addition to image creation, such software includes analysis and reporting features, and it verifies the image against the original by hash as part of the acquisition.
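Sector-level imaging with hash verification, as an added example (it is not the article's and not from EnCase or any other product named here): SuspectDisk is a constructed stand-in for a device opened read-only behind a write blocker, the failing sector is simulated, and the log field names are hypothetical. It shows the two checks a practitioner wants after acquisition: the finished image re-hashes to the value computed while it was written, and an independent hash of the source matches it, except where unreadable sectors make that impossible, in which case the report must say so rather than claim a match.

```python
"""Sector-level imaging with hash verification and an acquisition log entry.
Added example, not from the article or any forensic product; SuspectDisk is a
constructed stand-in for a block device and the log fields are hypothetical."""
import hashlib
import io
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SECTOR = 512  # assumed logical sector size


class SuspectDisk:
    """Stand-in for raw media opened read-only behind a hardware write blocker
    (in real work this would be a device such as /dev/sdb)."""

    def __init__(self, data: bytes, bad_sectors=()):
        if len(data) % SECTOR:
            raise ValueError("media size must be a whole number of sectors")
        self._data = data
        self._bad = frozenset(bad_sectors)  # simulated unreadable sectors

    @property
    def sector_count(self) -> int:
        return len(self._data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]


def image_disk(disk: SuspectDisk, out) -> Tuple[str, List[int]]:
    """Copy every physical sector, in order, to the file object `out`, hashing
    the stream as it is written. An unreadable sector is zero-filled rather
    than skipped, so the image keeps the original's geometry, and its number
    is recorded so the report can say exactly which data is missing."""
    digest = hashlib.sha256()
    unreadable: List[int] = []
    for n in range(disk.sector_count):
        try:
            block = disk.read_sector(n)
        except OSError:
            block = b"\x00" * SECTOR
            unreadable.append(n)
        out.write(block)
        digest.update(block)
    return digest.hexdigest(), unreadable


def acquire(disk: SuspectDisk) -> Tuple[bytes, str, List[int]]:
    """Image into memory; returns (image bytes, acquisition hash, unreadable sectors)."""
    buf = io.BytesIO()
    acquisition_hash, unreadable = image_disk(disk, buf)
    return buf.getvalue(), acquisition_hash, unreadable


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the finished image; a mismatch means it was altered or truncated."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def source_hash(disk: SuspectDisk) -> Optional[str]:
    """Independent hash of the original media for comparison with the image.
    Returns None when the media has unreadable sectors: no source hash can
    then be expected to match, and the report must say so instead."""
    digest = hashlib.sha256()
    for n in range(disk.sector_count):
        try:
            digest.update(disk.read_sector(n))
        except OSError:
            return None
    return digest.hexdigest()


def acquisition_record(case_id: str, item_id: str, examiner: str,
                       disk: SuspectDisk, acquisition_hash: str,
                       unreadable: List[int]) -> str:
    """One JSON line for the acquisition log (field names are hypothetical)."""
    return json.dumps({
        "case": case_id,
        "item": item_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sector_size": SECTOR,
        "sectors": disk.sector_count,
        "sha256": acquisition_hash,
        "unreadable_sectors": unreadable,
    })


if __name__ == "__main__":
    # Constructed 8-sector "drive", imaged once clean and once with a failing sector.
    media = b"BOOT" + b"\x00" * 508 + b"memo: meet at the dock at 9" + b"\x00" * 485
    media += b"\xff" * SECTOR * 6
    for label, disk in (("clean", SuspectDisk(media)),
                        ("damaged", SuspectDisk(media, bad_sectors={3}))):
        image, h, bad = acquire(disk)
        print(label, "image verifies:", verify_image(image, h),
              "matches source:", source_hash(disk) == h, "unreadable:", bad)
        print(acquisition_record("2024-0001", "HDD-1", "examiner", disk, h, bad))
```

The zero-fill on read error is the choice that keeps sector offsets in the image identical to the original, which is what later carving and timeline work depend on; the price is that the image hash can no longer equal a hash of the source, so the record of unreadable sectors is part of the evidence, not an afterthought.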
If you're called to the field to take custody and begin processing digital evidence, of course you don't want to overlook data storage locations external to the suspect computer(s). That could include external hard drives, USB thumb drives, flash memory cards, CDs and DVDs, backup tapes, network attached storage devices, smart phones, tablets, etc. Even the memory cards in a digital camera, digital picture frame, GPS unit or other consumer device might contain evidence. It's also important, if you are involved with executing the search warrant, to remember that digital storage devices are easily disguised. Thumb drives, in particular, are made in all sorts of designs to look like toys, pens, even food.
Once you have all the evidence collected and have made bitstream copies of the drives, you will examine those copies rather than the original disks. That way, you won't introduce changes to the originals during your examination. For example, if you examine the original, simply opening files updates their access timestamps, and many operating systems write to a disk the moment they mount it, even if you open nothing at all.
You will use various tools to analyze the contents of the files you've copied. For instance, there are tools such as Evidor that will search for keywords - not just in the regular files but also in the paging file, unallocated space, and slack space (the space between the end of a file's data and the end of the last cluster allocated to it, which can still hold fragments of whatever occupied that cluster before). You can use tools such as Ontrack to recover files and file fragments that have been deleted and to repair files such as Word documents and zipped files.
There are also tools that will sort and organize the contents of a disk to make it easier for you to find what you're looking for (for example, in a child pornography case you might be looking primarily for graphic images and videos). These utilities identify file types by the file header (the signature bytes at the start of the file, such as the JPEG or PDF marker) rather than by file extension, so that even if the criminal has tried to disguise the files by renaming them, you can still find them. Other tools decode the date and time values embedded in files and file system structures, to help you establish accurate timestamps when the criminal has altered the timestamps displayed with the file.
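Two of the techniques just described, header-based type identification and keyword search that covers slack and unallocated space, as an added example that is not from the article or from any product named above. The four-cluster image, its directory entries, the file contents and the signature table are constructed for the illustration, and the toy layout (one cluster per file, a flat directory list standing in for the file system's allocation data) is an assumption, not a real file system.

```python
"""Header-based file identification and raw keyword search over a constructed
disk image. Added example; the four-cluster layout is a toy, not a real file
system, and the directory entries stand in for a file system's allocation data."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

CLUSTER = 4096  # assumed allocation unit size

# Signature bytes at the start of common file types (zip also covers
# docx/xlsx/pptx and jar, which are zip containers).
SIGNATURES: Dict[str, bytes] = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

# What each extension should contain, for the mismatch check.
EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
               "pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip"}


class DirEntry(NamedTuple):
    name: str
    cluster: int  # first (and, in this toy, only) cluster of the file
    size: int     # logical size in bytes; the rest of the cluster is slack


def identify_by_header(data: bytes) -> Optional[str]:
    """Type from signature bytes, ignoring whatever the file is called."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def check_extensions(image: bytes, entries: List[DirEntry]) -> List[Tuple[str, Optional[str], bool]]:
    """(name, header type, mismatch) for each allocated file; a renamed image
    or document shows up as a mismatch between header and extension."""
    results = []
    for e in entries:
        start = e.cluster * CLUSTER
        kind = identify_by_header(image[start:start + e.size])
        ext = e.name.rsplit(".", 1)[-1].lower() if "." in e.name else ""
        results.append((e.name, kind, kind is not None and kind != EXT_TO_KIND.get(ext)))
    return results


def classify_offset(offset: int, entries: List[DirEntry]) -> str:
    """Whether an image offset lies in a file's data, in its slack, or in unallocated space."""
    cluster = offset // CLUSTER
    for e in entries:
        if e.cluster == cluster:
            in_data = offset < e.cluster * CLUSTER + e.size
            return ("file:" if in_data else "slack:") + e.name
    return "unallocated"


def keyword_search(image: bytes, keywords: List[str], entries: List[DirEntry]) -> List[Tuple[int, str, str]]:
    """Case-insensitive search of the whole raw image, not only allocated files.
    Returns (offset, keyword, region) sorted by offset."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            hits.append((m.start(), kw, classify_offset(m.start(), entries)))
    return sorted(hits)


def carve_headers(image: bytes, entries: List[DirEntry]) -> List[Tuple[int, str, str]]:
    """Find known file headers anywhere in the image, which is how deleted files
    in unallocated space are located when no directory entry points to them."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos >= 0:
            hits.append((pos, kind, classify_offset(pos, entries)))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def build_sample_image() -> Tuple[bytes, List[DirEntry]]:
    """Constructed image: cluster 0 is reserved, cluster 1 holds 'vacation.txt'
    (really a JPEG), cluster 2 holds a short 'notes.txt' whose slack still
    contains text from a file that previously used the cluster, and cluster 3
    is unallocated but still contains a deleted PDF."""
    clusters = [bytearray(CLUSTER) for _ in range(4)]
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 200
    clusters[1][:len(jpeg)] = jpeg
    residue = b"...wire the funds to the offshore account on Friday..."
    clusters[2][200:200 + len(residue)] = residue   # left over from an earlier file
    note = b"Groceries: milk, eggs, bread"
    clusters[2][:len(note)] = note                   # the current, allocated file
    deleted_pdf = b"%PDF-1.4\n1 0 obj\n<< /Title (Invoice) >>\nendobj\n"
    clusters[3][:len(deleted_pdf)] = deleted_pdf
    entries = [DirEntry("vacation.txt", 1, len(jpeg)), DirEntry("notes.txt", 2, len(note))]
    return bytes(b"".join(clusters)), entries


if __name__ == "__main__":
    image, entries = build_sample_image()
    for row in check_extensions(image, entries):
        print("extension check:", row)
    for hit in keyword_search(image, ["offshore", "invoice"], entries):
        print("keyword:", hit)
    for hit in carve_headers(image, entries):
        print("header:", hit)
```

Reporting the region along with each hit is the part that matters in court: a keyword found in a file's data, in the slack behind a different file, or in unallocated space supports very different conclusions about when it was written and whether the user could see it.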
Although the majority of the personal computer market consists of Windows machines, you will also encounter suspect computers that run Linux/UNIX or Mac operating systems, so your imaging and analysis tools need to read the file systems those systems use, not just FAT and NTFS. The Coroner's Toolkit is a collection of tools for examining UNIX systems; The Sleuth Kit, which grew out of it, applies the same approach to several file systems.
Documenting and presenting your findings
The job of a computer forensics expert doesn't end when the digital evidence has been obtained and analyzed. You must then document your findings in the form of one or more reports that detail not only what you found, but how you found it. It's important that you be able to articulate the process and procedures you followed, including the hash values recorded at acquisition and re-verified before analysis, so there will be no doubt that the evidence was legally obtained, that its integrity was preserved throughout the process, and that there was no opportunity for it to be tampered with. In police work, there is a well-known axiom: If it's not in the report, it didn't happen. Whether or not you are a sworn officer, this applies to your forensics report, as well.
Finding and documenting the evidence well is half the battle, but in order to obtain a conviction (or acquittal, if you work on the side of the defense), that evidence must be presented in court. In some instances, your written report may be entered into evidence alone, but most of the time someone must testify to its veracity and explain it, in layperson's terms, to the judge and/or jury. That someone is likely to be you, so another skill you must develop is the ability to clearly give an oral presentation of your findings. For more information about testifying in court, see my article, "Testifying as an expert witness in computer crimes cases."
Summary
Forensics is not quite as exciting as it's made to seem on TV; forensics examiners rarely hunt down criminals themselves or put themselves in the line of fire, and forensic evidence doesn't often magically appear at the last moment during a trial to save the day and win the case. However, forensics is an important part of the investigative process and the computer forensics expert often has the satisfaction of having contributed significantly to putting the guilty behind bars - or even better, to exonerating the innocent.
Computer forensics isn't limited to criminal cases, though. It's also an important factor in the outcome of many civil lawsuits, and there are job opportunities for those with computer forensics skills in both the public and private sector. As technology advances and as computers and digital data permeate more areas of our lives - including those involving crimes and civil disputes - this is likely to be a growth field in the future.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.