1. What is Computer Forensics?
2. What is the objective of this?
3. To what ends?
4. What are the common scenarios?
5. How is a computer forensic investigation approached?
6. Is there anything that should NOT be done during an investigation?
7. I am interested in a career in this field. Where do I start?
8. What about training?
1. What is Computer Forensics?
There are a number of slightly varying definitions around. Generally, however, computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence or information that is magnetically stored or encoded.
2. What is the objective of this?
Usually to provide digital evidence of a specific or general activity.
3. To what ends?
A forensic investigation can be initiated for a variety of reasons. The most high-profile are usually in connection with criminal investigation or civil litigation, but digital forensic techniques can be of value in a wide variety of situations, including, perhaps, simply retracing the steps taken when data has been lost.
4. What are the common scenarios?
Wide and varied! Examples include:
- Employee internet abuse
- Unauthorized disclosure of corporate information and data (accidental and intentional)
- Industrial espionage
- Damage assessment (following an incident)
- Criminal fraud and deception cases
- More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly)
- and countless others!
5. How is a computer forensic investigation approached?
It is a detailed science. Very broadly, however, the main phases are sometimes considered to be:
- secure the subject system (against tampering during the operation);
- take a copy of the hard drive (if applicable);
- identify and recover all files (including those deleted);
- access/copy hidden, protected and temporary files;
- study 'special' areas on the drive (e.g. residue from previously deleted files);
- investigate data/settings from installed applications/programs;
- assess the system as a whole, including its structure;
- consider general factors relating to the user's activity;
- create a detailed report.
Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained.
6. Is there anything that should NOT be done during an investigation?
Definitely. However, these tend to depend on the nature of the computer system being investigated. Typically, though, it is important to avoid changing date/time stamps (of files, for example) or changing the data itself. The same applies to the overwriting of unallocated space (which can happen on reboot, for example). 'Study, don't change' is a useful catch-phrase.
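As an added illustration of the 'study, don't change' rule and the audit-log requirement from the previous two answers (example code written for this page, not a CFIN tool): it hashes an item before and after an examination step, compares modification times, and logs each step with a UTC timestamp so that an accidental change is caught and recorded. The sample image, the AuditLog class and the two study functions are all constructed for the illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Hash a file opened read-only ('rb'); evidence is never opened for writing."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # 1 MiB pieces, any image size
            digest.update(block)
    return digest.hexdigest()

class AuditLog:
    """Append-only, UTC-timestamped record of every action taken on the evidence."""
    def __init__(self):
        self.entries = []
    def record(self, action, detail):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append(f"{stamp} {action}: {detail}")

def read_only_study(path):  # the 'study' step done right: read, change nothing
    with open(path, "rb") as f:
        return len(f.read())

def careless_study(path):  # the mistake the check must catch: opening for writing
    with open(path, "ab") as f:
        return f.write(b"\x00")

def examine(path, log, study=read_only_study):
    """Run `study`, then prove it left the item untouched by comparing hash and mtime
    before and after. atime is not compared: a read may update it on some mounts."""
    before = (sha256_of(path), os.stat(path).st_mtime_ns)
    log.record("hash-before", f"{path} sha256={before[0]}")
    log.record("studied", f"{path} bytes={study(path)}")
    after = (sha256_of(path), os.stat(path).st_mtime_ns)
    log.record("hash-after", f"{path} sha256={after[0]}")
    log.record("verdict", "unchanged" if before == after else "MODIFIED: stop and report")
    return before == after

def demo(study=read_only_study):
    """Examine a constructed sample image (a stand-in, not real evidence)."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".img") as tmp:
        tmp.write(b"constructed sample evidence block\n" * 1000)
    try:
        log = AuditLog()
        return examine(tmp.name, log, study), log.entries
    finally:
        os.remove(tmp.name)
```

Because access time may change on a plain read, the comparison deliberately uses content hash and modification time only; in practice the same check is run against a verified copy of the drive, never the original.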
7. I am interested in a career in this field. Where do I start?
This is a common question, with many answers. Perhaps a good starting point, however, is to complete the membership application form and read the Membership Guide carefully.
8. What about training?
Again, training is one of the requirements for membership in CFIN. We therefore recommend that you enrol in the Digital and Computer Forensics training programme at one of our CFIN Accredited Training Centers.
Furthermore, we are presently building an electronic resource centre here at CFIN dedicated to education and training. In addition, CFIN provides its members with the Computer Forensics Toolkit, which can be used as a training and professional resource.