Monday 23 July 2012

Computer Forensics: Evidence Types

Computer forensics is a growing field, and has become a specialist area for many technical professionals working with computing technology. Security threats in the digital world are more numerous than ever before, and the techniques behind them vary widely. For investigations to be carried out, and ultimately for attackers to be held responsible, computer forensic examinations need to be able to recover every type of evidence available.

Email

Email is the vehicle for many malicious activities, such as spreading viruses, phishing attacks and other illegal activity. As well as being accessible via the user's email account, messages are stored on an email server. The email server is owned and operated by the provider of the email account, and access to it will typically have to be arranged through that provider.

In addition to accessing active email messages, it is sometimes possible to retrieve emails that the user has deleted, as a copy may be stored on the server.

Data

There are many different types of computer data that can serve as evidence in an investigation. Computer files such as documents, programs and media items including images, audio and video may all be considered evidence depending on the investigation.

These files may be found stored on personal computers, on machines such as Web servers, and on external storage devices such as flash drives, USB sticks and portable hard drives. The most readily available type of data evidence is that which is still in active use within a functioning operating system.

Archived Data

Data comprising forensic evidence may be stored in archived form. This can be kept within a functioning computer's internal storage, or on an external drive. Archived files can include virtually any type of data, including documents, programs and multimedia items.

The process of archiving data normally involves compressing it and saving it in an archive format, such as ZIP, TAR or RAR. In order to access the data contained within such files, they must be decompressed by a compatible program. Decompression is typically not troublesome if a common format has been used.

Encrypted Data

In addition to being archived and possibly compressed, data evidence may be stored in an encrypted form. This occurs when a user has used a digital security utility. In a common scenario, the user encrypts a file with a digital signature, using a key that prevents the file from being accessed by anyone who is not in possession of the required decryption key.

Digital forensics experts are continually developing ways to access data that has been encrypted using such techniques.

Deleted Data

Data that has been deleted by its user can often still be accessed. When a file is deleted on a standard operating system, it is typically still stored in some form, so that it can be accessed in case of accidental deletion.

This principle is observed across many types of operating system, both on consumer computers and on advanced machines such as Web servers. This means that digital forensic examinations can often locate information that has been deleted from its original location. If data evidence has become corrupted, it may require complex processing to retrieve anything useful.
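As an added example (not part of the original post) that ties the Archived Data and Deleted Data sections together: a small Python carver that scans raw image bytes for the ZIP, TAR and RAR signatures named above, then rebuilds a ZIP whose directory entry is gone but whose bytes still sit in unallocated space. The disk image, file name and contents are constructed here for the demonstration.

```python
import io
import zipfile

# Signatures for the archive formats named in the post: ZIP local-file header,
# RAR 4.x marker block, and the POSIX "ustar" magic at byte 257 of a tar header.
SIGNATURES = {
    "zip": (0, b"PK\x03\x04"),
    "rar": (0, b"Rar!\x1a\x07\x00"),
    "tar": (257, b"ustar"),
}
ZIP_EOCD = b"PK\x05\x06"  # ZIP end-of-central-directory record signature

def identify(blob):
    """Name the archive format of a blob by magic bytes, ignoring any file extension."""
    for name, (offset, magic) in SIGNATURES.items():
        if blob[offset:offset + len(magic)] == magic:
            return name
    return None

def carve(image):
    """Return sorted (offset, format) pairs for every archive header found in raw image bytes."""
    hits = []
    for name, (offset, magic) in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            if pos - offset >= 0:
                hits.append((pos - offset, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def recover_zip(image, start):
    """Rebuild a ZIP carved at `start` and return its members as {name: bytes}."""
    eocd = image.find(ZIP_EOCD, start)
    if eocd == -1:
        return {}
    # EOCD is 22 bytes; the last two hold the length of an optional trailing comment.
    end = eocd + 22 + int.from_bytes(image[eocd + 20:eocd + 22], "little")
    with zipfile.ZipFile(io.BytesIO(image[start:end])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

def build_sample_image():
    """Constructed stand-in for unallocated space: a deleted ZIP and a stray RAR
    marker surrounded by zeroed clusters, with no directory entry pointing at them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "meeting at 10, bring the ledger")
    return b"\x00" * 4096 + buf.getvalue() + b"\x00" * 4096 + SIGNATURES["rar"][1] + b"\x00" * 512

if __name__ == "__main__":
    image = build_sample_image()
    for offset, fmt in carve(image):
        print(f"{fmt} header at offset {offset}")
        if fmt == "zip":
            print(recover_zip(image, offset))
```

Real images carry false positives (signatures inside other files' data) and fragmented files, so a carved hit is a lead to validate, not a recovered file in itself.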
