computer forensics Home Page    Information Security and Computer Network Forensics Expert
- English - Français- Deutsch - Español - 日本語 - 繁體中文 -

 Total Solutions for Computer Network Forensic  Request software testing  



Challenges of Computer Forensics and Network Forensics

By Samuel Amoah CCE, CEH, CEI, MCT, NPFAT

President, CFG Computer Forensics Inc.

Brampton. Ontario. Canada

Computer Forensics or Digital Forensics, as popularly called by many, is a science that helps apply criminal laws of a State/Country to crimes committed with a computer and its accessories, or in the process of the crime being committed; a computer might have been used in producing the criminal evidence. This technique involves the seizure of computer and its accessories, to collect digital evidence from the storage media containing data of interest.

This sounds simple right? Not so fast, I will say. The methodology involved in acquiring data from the computer requires due care and documentation, in order to keep the evidence unchanged throughout the course of processing, to the final evidence production stage. These actions are to keep the evidence in its pristine stage, as well as making the whole process followed, reproducible for anyone utilizing the same process arriving at the same conclusion. This is what makes it a science.

Technology is changing very fast, and the way computer users store data is equally changing. Storage media size and types keep changing, network bandwidth and speed have increased to allow easy transfer of data from local computer to different locations, and this poses a challenge to Computer forensic Examiners. Storage media Encryption technologies have also made it difficult for examiners to access data on a local machine which has been powered down, and the suspected user refusing to divulge his decryption key. Under such a situation, it will only take the intervention of the court of law to direct the release of decryption from suspect, or network acquisition of the partitions on the suspect's computer, while he is working on it. Again, this has its own challenges if the system password of the computer is unknown, or the examiner does not have administrator privilege on the target computer. The challenge posed by this problem is minimal when a corporate client machine is the target, as administrators have local administrator right on all client machines on a domain.

Network data acquisition has its draw back, as some tools utilized, install agents on the target machines to enable network connection. The agent installed hence changes the overall MD5 checksum of the drive, and examiner could face a challenge in court if actions taken are not clearly recorded and the changes done to the overall data are not enumerated. An agent on the target machine might be deemed a malware installation, which borders on a crime committed by examiner, hence causing the whole case to be thrown out of court.

There are instances that data on a drive might be corrupted and evidence cannot be obtained. Under such circumstances, an examiner might be compelled to format the drive, and use data recovery tools to recover files on drive. This is where reliance on the registry for events and their time stamps become crucial in trying to pinpoint when an instance occurred, e.g., which USB storage device was attached to the system and when I call this technique destroy and search, as opposed to the popular search and destroy concept used by the military in their combat operations. When this technique is utilized, the "goldmine" to harvest is the unallocated space. The "Simple file Carver tool", by Filesig, does a good job with data carving and every forensic examiner must have one in his arsenal of tools.

In conclusion, one can safely infer that as computer technology evolves, so must digital forensic practices evolve. For instance, the 512 Bytes default sector size for hard drives is changing to 4096 Bytes, which is going to change some of the ways we examine evidence on drives with respect to the definition of slack space and unallocated space. At this point, we are faced with the question of: What happens to the 1024 Bytes size of MFT on NTFS partitions? Are operating systems going to change to adapt to this situation? Are forensic tool vendors going to retool? All I can say for now is; Time will tell.My next article will be on cloud computing and Network Forensics. I will be back.
Samuel Amoah.
Certified Computer Examiner, Network Packet Forensics Examiner, Private Investigator.
Partner of Decision Group
Site Map © Copyright Decision Group