Beginner’s Guide to Computer Forensics


Computer forensics is the practice of collecting, analyzing, and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.

About this guide

This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not written with a bias toward either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term “computer”; however, the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned, they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons Attribution Non-Commercial 3.0 license.

Uses of computer forensics

There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies were among the earliest and heaviest users of computer forensics and therefore have often been at the forefront of developments in the field. Computers may constitute a ‘scene of a crime’, for example with hacking [1] or denial-of-service attacks [2], or they may hold evidence in the form of emails, internet history, documents, or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents, and other files that may be of interest to investigators but also the ‘metadata’ [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed, and which user carried out these actions.


More recently, commercial organizations have used computer forensics to their benefit in a variety of cases, including:

For evidence to be admissible, it must be reliable and not prejudicial, which means that admissibility should be at the forefront of a computer forensic examiner’s mind at all stages of the process. One set of guidelines that has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer-Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles apply to all computer forensics in whatever legislature. The four main principles from this guide are reproduced below (with references to law enforcement removed):

No action should change data held on a computer or storage media which may subsequently be relied upon in court.

In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to. In short, no changes should be made to the original. However, if access or changes are necessary, the examiner must know what they are doing and record their actions.

Live acquisition

Principle 2 above may raise the question: in what situation would changes to a suspect’s computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) information from a device that is turned off. A write-blocker [4] would be used to make an exact bit-for-bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.
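As an added illustration (not part of the original guide or of the ACPO Guide), the Python code below shows one way to make “demonstrably unchanged” and the audit-trail principle checkable by a third party: it hashes the source before and after copying, hashes the image, and records the result in a hash-chained log. All function names are hypothetical, and a temporary file stands in for the write-blocked medium.

```python
# Added illustration: all names here are hypothetical, not from any forensic tool.
import hashlib, json, os, pathlib, shutil, tempfile, time

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_action(log, examiner, action, **details):
    """Append an audit entry chained to the digest of the previous entry."""
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "examiner": examiner, "action": action, "details": details,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def log_is_intact(log):
    """Recompute the chain; an edited entry or a gap in the chain fails the check."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["entry_hash"] != entry_digest(entry):
            return False
        prev = entry["entry_hash"]
    return True

def acquire(source, image, examiner, log):
    """Copy source to image byte for byte and log hashes taken before and after."""
    before = sha256_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst)
    after, copy = sha256_file(source), sha256_file(image)
    log_action(log, examiner, "acquire", source_before=before, source_after=after, image=copy)
    return before == after == copy

def demo():
    """Constructed sample: a temp file stands in for the write-blocked source medium."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "medium.bin"), os.path.join(d, "image.dd")
        pathlib.Path(src).write_bytes(os.urandom(4096))
        log = []
        ok = (acquire(src, img, "examiner-01", log), log_is_intact(log))
        log[0]["details"]["image"] = "f" * 64  # simulate a later edit to the record
        return ok + (log_is_intact(log),)
```

Calling demo() returns three values: whether the three hashes matched, whether the log verified, and whether it still verifies after one recorded hash is altered.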

However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence may be lost. In both these circumstances, the computer forensic examiner would need to carry out a ‘live acquisition’, which would involve running a small program on the suspect computer to copy (or acquire) the data to the examiner’s hard drive.


By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer that were not present before their actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact, and was able to explain their actions.

Stages of an examination

For the purposes of this article, the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary to be flexible during an examination. For example, during the analysis stage, the examiner may find a new lead that would warrant further computers being examined and would mean a return to the evaluation stage.


Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics, it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer’s built-in auditing and logging systems are all switched on. For examiners, there are many areas where prior organization can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job), and ensuring that the on-site acquisition kit is complete and in working order.


The evaluation stage includes receiving clear instructions, risk analysis, and allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect’s property and how best to deal with it. Commercial organizations also need to be aware of health and safety issues, while their evaluation would also cover reputational and financial risks on accepting a particular project.


The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this stage would include identifying, securing, and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. The ‘bagging and tagging’ audit trail would start here by sealing any materials in unique tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner’s laboratory.


Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, independent, recorded, repeatable, and completed within the time scales available and resources allocated. There are myriad tools available for computer forensics analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do. The most effective way for examiners to be sure of this is to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis (if with tool ‘A’ the examiner finds artifact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results).


This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader will be non-technical, so the terminology should acknowledge this. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.


Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable or the need ‘to get on with the next job’. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time-effective. A review of an examination can be simple, quick, and can begin during any of the above stages. It may include a basic ‘what went wrong, and how can this be improved’ and a ‘what went well, and how can it be incorporated into future examinations’. Feedback from the instructing party should also be sought. Any lessons learned from this stage should be applied to the next examination and fed into the readiness stage.

Issues facing computer forensics

The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal, and administrative.

Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer to which the suspect has had access. It could also reside in the volatile memory of a computer (known as RAM [6]), which is usually lost on computer shut-down; another reason to consider using live acquisition techniques as outlined above.

Increasing storage space – Storage media holds ever greater amounts of data. For the examiner, this means that their analysis computers need sufficient processing power and storage to search and analyze large amounts of data efficiently.

New technologies – Computing is an ever-changing area, with new hardware, software, and operating systems being constantly produced. No single computer forensic examiner can be an expert in all areas, though they may frequently be expected to analyze something they have not dealt with before. To deal with this situation, the examiner should be prepared and able to test and experiment with the behavior of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful, as it is likely that someone else has already encountered the same issue.


Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files’ metadata, and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer to which the suspect has had access. In our experience, it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence they were used to hide.
