When the Lieutenant
on a television show--usually at a murder scene--says, “Get
forensics in here!” the viewer knows what to expect. Soon
the scene will be filled with technicians who will dust for fingerprints,
examine blood splatters, and determine bullet trajectories. Whether
or not this representation is accurate, we, the viewers, understand
the goal of such forensic activities.

What then is “Computer Forensics?”
In this article we explain what computer forensics involves and
how it relates to the legal system. We review computer principles
as they impact forensic investigations; describe a proper forensic
investigation; and advise interested parties, such as attorneys
and information technology staff, of what they can do to secure
the best results from a forensic investigation of computer media.

What is Computer

Computer forensics is a collection
of multi-faceted, multi-disciplined specialties that are used to
extract useful information from computer media.

When retained in a current or potential
legal matter, the computer forensic specialist helps determine
if a computer disk contains potential evidence. The specialist
also oversees the extraction of information from the computer
and evaluates the information for its evidentiary value. Throughout
the process, the forensics practitioner provides assurance of
chain of custody. The following examples illustrate the results
of some real-world computer forensic investigations.

Two partners in the
business of developing certain telecommunication services separated.
Within a few months, one of the partners formed a new company and
was marketing a product that was a virtual clone of the partnership
product. A computer forensic specialist compared the two products
and, using statistical techniques, showed that the partnership’s
computer code had indeed been used in the new product and that their
copyright had been infringed upon.

A group of employees of a high-tech
company decided to raid the market share of their employer.
They formed another company, and using their employer's technology,
developed a product that competed directly with that of the employer,
all the while remaining as employees of the company! A computer
forensic analysis revealed that they had copied the employer’s
designs, charts, and specification documents, and showed the trail
of the documents as they moved from one conspirator’s computer
to the next.

Computer forensic analysis is often
useful in matters that, on the surface, seem unrelated to computers.
In one case, an alleged bomber had kept downloaded files that
described the bomb-making techniques he used. In another case,
a bitterly fought divorce and child custody dispute, one party
had scanned questionable pictures of herself into her company
computer and then attempted to delete them.

In all these cases--and many others--computer
forensics techniques were able to retrieve data that ultimately
played a pivotal role in the outcome of the case.