Computer Forensics


 

What is Computer Forensics?

Computer forensics is an emerging discipline that focuses on the gathering of evidence (often as part of formal investigations) from computers and computer networks. Such evidence may consist of actual files (e.g. an illegal image) or the traces of a user's activities that are left in the activity logs of operating systems, browsers, databases, web proxies, or network firewalls, etc. The discipline requires a detailed technical knowledge of the relationship between a computer's operating system and the supporting hardware (e.g. hard disks), and between the operating system and system/application programs and the network. Similarly, knowledge of cryptographic and steganographic techniques is needed where data has been encrypted and/or obfuscated to make it inaccessible and/or hidden. Finally, and critically, all evidence gathering must proceed in a manner that ensures that the evidence is admissible in a court of law, and can be documented and presented in an intelligible manner.

To quote Sir Arthur Conan Doyle, author of the famous Sherlock Holmes stories published between 1887 and 1927:

"in solving a problem of this sort, the grand thing is to be able to reason backwards. That is a very useful accomplishment, and a very easy one, but people do not practise it much. In the everyday affairs of life it is more useful to reason forward, and so the other comes to be neglected. There are fifty who can reason synthetically for one who can reason analytically."

 

Computer systems are increasingly complex, and analysing their parts, such as a disk or memory image, may not readily reveal all available information. This calls for a new approach, one that removes the expectation of certainty: attempting to recreate the computer system and its immediate environment by reproducing the collected images in a controlled way and observing its behaviour. This has the potential to provide valuable insight into the dynamic relationship of the investigated system with outside computer networks, as well as into the specific setup and functions of the system itself. The evidence obtained this way is not a physical object, like a hard disk, but resembles more closely a visit to the crime scene. The advantage is that this process can be repeated any number of times without any further damage to the evidence already collected.

We propose to expand the definition of Computer Forensics to include the collection of hardware and software details of the investigated computer system, with the aim of recreating the environment under investigation as closely as possible. It has to be accepted that it is not possible to copy the computing environment completely, nor to recreate it later in a completely faithful way.


Kruse and Heiser note that “Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer data.” [from "Computer Forensics: Incident Response Essentials", see Books And Journals page]. In summary, and paraphrasing McKemmish in his report to the Australian Institute of Criminology, computer forensics encompasses four key elements: the identification of digital evidence, the preservation of digital evidence, the analysis of digital evidence, and the presentation of digital evidence.

Broucek & Turner note in Forensic Computing, Developing a Conceptual Approach for an Emerging Academic Discipline that this is a nascent discipline that draws to varying degrees from a number of other disciplines including computer science and law, and to a lesser extent information systems and the social sciences. Most fundamental of these is computer science, with the key technical areas being: Operating Systems, Systems Programming and Administration, Computer Security (including cryptography and steganography), Networking. Concomitant with the above technical base, there exists an essential requirement to be familiar with computer law, investigative techniques, and how digital evidence must be gathered, documented, and presented.

To clarify a few common misconceptions: first, computer forensics is not the use of computers within forensic science. Such use is made up of all those activities where forensic scientists employ computers to assist them in their work. Such tasks include: the processing and analysis of traditional forensic data, be it physical, chemical, or biological in nature; the use of computers to support forensic databases; and the use of computers to cross-reference different sources of forensic evidence. The proper term to describe them is "forensic computing". These are all worthy tasks but are not the focus of this major. Second, though computer forensics is often related to computer security, it is nonetheless distinct. It is quite possible for criminal activity (in the eyes of the law) to require forensic analysis without there having been any breach of traditional computer security. Finally, it is worth noting that a number of synonyms for computer forensics exist, sometimes used incorrectly; these include "forensic computing", "digital forensics", and even "data recovery" in some circles.

See Online Materials section: "Publications About Computer Forensics, General" for more.

 

300447 Computer Forensics Workshop, University of Western Sydney, Australia

The University of Western Sydney, School of Computing and Mathematics, offers a Bachelor of Computer Science degree. This course provides students with a thorough and in-depth technical understanding of modern networked computer systems - how they work and the principles that govern them. Based on this solid foundation, students have the opportunity to learn the practical skills needed to design, develop and integrate the networked computer systems required by today's large companies and organisations. In addition to normal studies, students in their final year undertake an industrially oriented team project in order to put their knowledge into practice and learn valuable team and project management skills. Graduates of this course are well prepared to enter the IT sector and take on technically challenging roles in a variety of areas including networking and web technologies, application development, systems programming, IT security and computer forensics. The Bachelor of Computer Science degree has been structured to accommodate a Computer Forensics Major. A compulsory unit for this major is 300447 Computer Forensics Workshop, which is also available to practising computing professionals as a non-award unit of study. For more details see the "Computer Forensics Workshop" link at the top of this page.

To contact the Computer Forensics Group send email to: computerforensics@scm.uws.edu.au

Modified: 03rd November, 2008 
School of Computing & Mathematics  
© University of Western Sydney, 2008