What is computer forensics? | Definition from TechTarget

[Pelican Press 0]

What is computer forensics? | Definition from TechTarget

What is computer forensics (cyber forensics)?

Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

Computer forensics — which is sometimes referred to as cyber forensics, computer forensic science, or digital forensics — essentially is data recovery with legal compliance guidelines to make the information admissible in legal proceedings.

Digital forensics starts with the collection of information in a way that maintains its integrity. Investigators then analyze the data or system to determine if it was changed, how it was changed and who made the changes.

Real-world case studies of computer forensics

Computer forensics has been used by law enforcement agencies and in ********* and civil law since the 1980s to collect evidence. Some notable cases include:

• Apple trade secret theft. In 2018, a ******** engineer was convicted of downloading Apple’s trade secrets from confidential company databases after investigators reviewed his activity on Apple’s network. The engineer, named Xiaolang Zhang, at Apple’s autonomous car division announced his retirement and said he would be moving back to China to take care of his elderly mother. He told his manager he planned to work at an electronic car manufacturer in China, raising suspicion. According to a Federal Bureau of Investigation (FBI) affidavit, Apple’s security team reviewed Zhang’s activity on the company network and found, in the days prior to his resignation, he downloaded trade secrets from confidential company databases to which he had access. He was indicted by the FBI in 2018.
• Enron. In 2001, computer forensic analysts examined terabytes of data to understand and find evidence of Enron’s complex ****** scheme. The scandal was a significant factor in the passing of the Sarbanes-Oxley Act of 2002, which set new accounting compliance requirements for public companies.
• This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  trade secret theft. Anthony Scott Levandowski, a former executive of both Uber and
  This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  , was charged with 33 counts of trade secret theft in 2019. From 2009 to 2016, Levandowski worked in
  This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  ’s self-driving car program, where he downloaded thousands of files related to the program from a password-protected corporate server. He departed from
  This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  and created Otto, a self-driving truck company, which Uber bought in 2016, according to The New York Times. Levandowski pleaded guilty to one count of trade secrets theft and was sentenced to 18 months in prison and $851,499 in fines and restitution.
  This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  in January 2021.
• Larry Thomas. Thomas shot and ******* Rito Llamas-Juarez in 2016. Thomas was later convicted with the help of hundreds of
  This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  posts he made under the fake name of Slaughtaboi Larro. One of the posts included a picture of him wearing a bracelet that was found at the ****** scene.
• Michael Jackson’s ******. Investigators used metadata and medical documents from Conrad Murray’s iPhone to conclude that Murray, Michael Jackson’s doctor, prescribed lethal amounts of medication to Jackson (who ***** in 2009).
• Mikayla Munn. Munn drowned her newborn baby in the bathtub of her Manchester University dorm room in 2016. Investigators found
  This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  searches on her computer containing the phrase “at home *********,” which were used to convict her.

******* is just one of the many types of ****** computer forensics can aid in combating. Learn how forensic

This is the hidden content, please

• Sign In
• or
• Sign Up

.

Why is computer forensics important?

As computers and other data-collecting devices are used more frequently everywhere, digital evidence — and the forensic process used to collect, preserve and investigate it — has become more important in solving ******* and other legal issues. Computer forensics plays a role in identifying and preserving digital evidence and also helps ensure its integrity when presented in court cases.

The goal of computer forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

The average person never sees much of the information modern devices collect. For instance, the computers in cars continually collect information on when a driver brakes, shifts and changes speed without the driver being aware. However, this information can prove critical in solving a legal matter or a ******, and computer forensics often plays a role in identifying and preserving that information.

Digital evidence isn’t just useful in solving digital-world *******, such as data theft, network breaches and illicit online transactions. It’s also used to solve physical-world *******, such as burglary, ********, hit-and-run accidents and *******.

Of course, its use isn’t always tied to a ******. The forensic process is also used when the goal is data recovery: to gather data from a crashed server, ******* drive, or reformatted operating system (OS), and in situations where a system has unexpectedly stopped working.

Businesses often use a multilayered data management, data governance and network security strategy to keep proprietary information secure. Having data that’s well managed and safe can help streamline the forensic process should that data ever come under investigation.

As the world becomes more reliant on digital technology for the core functions of life, cybercrime is rising. As such, computer forensic specialists no longer have a monopoly on the field. See how the

This is the hidden content, please

• Sign In
• or
• Sign Up

to keep up with increasing rates of cybercrime.

Six steps to building resilient digital asset protection.

Use cases for digital forensics

Digital evidence is useful in ********* investigations, particularly in solving cybercrime and digital-world *******, such as data theft, network breaches and illicit online transactions. It’s also used to solve physical-world *******, such as burglary, ********, hit-and-run accidents, and even *******.

Businesses and governments also use computer forensics to find information related to a system or network compromise, and then use these discoveries to identify and prosecute cyberattackers. In addition, they can use digital forensic experts and processes to facilitate data recovery in the event of a system or network ******** caused by a natural or other disaster.

Digital forensics are also used in civil litigation cases (******, divorce), and to investigate cases of intellectual property theft.

Types of computer forensics

There are various types of computer forensic examinations, including:

• Database forensics. The examination of information contained in databases, both data and related metadata.
• Email forensics. The recovery and analysis of emails and information contained in email platforms, such as schedules and contacts.
• Malware forensics. Sifting through code to identify possible malicious programs like ******* horses or ransomware and analyzing their payload.

Computer forensics can detect evidence of a range of malware types on a system.

• Memory forensics. Collecting information stored in a computer’s RAM and cache.
• Mobile forensics. Examining mobile devices to retrieve and analyze information such as contacts, incoming and outgoing text messages, pictures, and video files.
• Network forensics. Looking for evidence by monitoring network traffic, using tools such as a firewall or intrusion detection system.

How does computer forensics work?

Forensic investigators typically follow standard procedures, which vary depending on the context of the forensic investigation, the device being investigated or the information investigators are looking for. In general, these procedures include the following three steps:

1. Data collection. Forensic examiners search hidden folders and unallocated disk space on a digital device for copies of deleted, encrypted or damaged files, make a digital copy — i.e., forensic image — of the device’s storage media, and then lock the original device in a secure facility. The investigation is conducted on the digital copy. They might also use publicly available information for forensic purposes, such as social media posts or charges logged in a payment application, such as public Venmo charges for purchasing ******** products or services displayed on the Venmo website.

3. Analysis. Investigators analyze digital copies of storage media in a sterile environment to gather the information for a case using various tools including Basis Technology’s Autopsy for hard drive investigations and the Wireshark network protocol analyzer. A mouse jiggler is useful when examining a computer to keep it from falling asleep and losing volatile memory data that is lost when the computer goes to sleep or loses power. Discovered evidence is carefully documented in a findings report and verified with the original device in preparation for legal proceedings.
4. Presentation. The investigators present their findings in a legal proceeding, where it might be used to determine the result. In a data recovery situation, the investigators present what they could recover from a compromised system.

When data is scanned as part of a forensic imaging process, a write blocker is put in place so the data and the drive it’s on can’t be altered. The data is then scanned and formatted for storage and analysis.

Often, multiple tools are used in computer forensic investigations to validate the results they produce. Learn how a researcher at Kaspersky Lab in Asia

This is the hidden content, please

• Sign In
• or
• Sign Up

for remotely collecting malware evidence without compromising system integrity.

Techniques used in computer forensics

Forensic investigators use a myriad of techniques and applications to examine digital copies of compromised devices. They search hidden folders and unallocated disk space for copies of deleted, encrypted or damaged files. Any evidence found on the digital copy is carefully documented in a finding report and verified with the original device in preparation for legal proceedings that involve discovery, depositions or actual litigation.

Computer forensic investigations use a combination of techniques and expert knowledge. Some common techniques include the following:

• Reverse steganography. Steganography is a common tactic used to hide data inside any type of digital file, message or data stream. Computer forensic experts reverse a steganography attempt to hide data inside any type of digital file, message or data stream by analyzing the file’s data
  This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  . If a cybercriminal hides important information inside an image or other digital file, it might look the same before and after to the untrained eye, but the underlying hash or string of data that represents the image will change. So doing this might show if the image has changed, which will show if important information is hidden inside it.
• Stochastic forensics. With stochastic forensics, investigators analyze and reconstruct digital activity without the use of digital artifacts, which are unintended alterations of data that occur from digital processes, such as changes to file attributes during data theft. Artifacts include clues related to a digital ******, such as changes to file attributes during data theft. The technique is frequently used to investigate insider data breaches since insiders often don’t leave behind digital artifacts.
• Cross-drive analysis. This technique correlates and cross-references information on multiple computer drives to clarify similarities and provide context. Events that raise suspicion are compared with information on other drives to look for similarities and provide context. This is also known as anomaly detection. This is also known as anomaly detection.
• Live analysis. A running device is analyzed from within the OS using system tools on the computer. The analysis looks at volatile data, which is often stored in cache or RAM.
• Deleted file recovery. Also known as file carving or data carving, this technique involves searching a computer system and memory for fragments of files that were partially deleted in one place but left traces elsewhere on the machine. The analysis looks at volatile data, which is often stored in cache or RAM. Many tools used to extract volatile data require the computer to be in a forensic lab to maintain the legitimacy of a chain of evidence.

Computer forensics careers and certifications

Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification. The

This is the hidden content, please

• Sign In
• or
• Sign Up

for a computer forensic analyst is $101,612, according to

This is the hidden content, please

• Sign In
• or
• Sign Up

. Some examples of cyber forensic career paths include the following:

• Forensic engineer. These professionals deal with the collection stage of the computer forensic process, gathering data and preparing it for analysis. They help determine how a device *******.
• Forensic accountant. This position deals with ******* involving money laundering and other transactions made to cover up ******** activity.
• Cybersecurity analyst. This position deals with analyzing data once it has been collected and drawing insights that can later be used to improve an organization’s cybersecurity strategy.

A bachelor’s degree — and, sometimes, a master’s degree — in computer science, cybersecurity or a related field are required of computer forensic professionals. There are several certifications available in this field, including the following:

• International Association of Computer Investigative Specialists’ Certified Forensic Computer Examiner. This
  This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  focuses primarily on validating the skills necessary to ensure business follows established computer forensic guidelines.
• EC-Council’s Computer Hacking Forensic Investigator. This
  This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  assesses an applicant’s ability to identify intruders and collect evidence that can be used in court. It covers search and seizure of information systems, working with digital proof and other cyber forensics skills.
• International Society of Forensic Computer Examiners’ (ISFCE) Certified Computer Examiner. This forensic
  This is the hidden content, please

  • Sign In
  • or
  • Sign Up
  program requires training at an authorized boot camp training center, and applicants must sign the ISFCE Code of Ethics and Professional Responsibility.

Learn more about the tools and techniques required in a cloud computing forensics investigation. Also, read about the patchwork of organizations that work together to combat international cybercrime. Explore how digital forensics and incident response combine to detect, investigate and respond to cybersecurity events.

This is the hidden content, please

• Sign In
• or
• Sign Up

#computer #forensics #Definition #TechTarget

This is the hidden content, please

• Sign In
• or
• Sign Up