What is Computer Forensics?
When a security incident occurs on your network, such as an attacker breaking through your network's defenses, an appropriate response is required. Part of that response is applying forensic science to the event.
Forensic science, or forensics, is the application of science to problems that are of interest to the legal profession and deals mainly with the recovery and analysis of evidence. Computer forensics attempts to retrieve information that can be used in pursuit of the attacker or criminal.
Computer forensics is also called digital forensics because it uses techniques to identify, collect, examine, and preserve information or evidence that is magnetically stored or encoded.
When your team responds to a criminal event that requires an examination using computer forensics, there are generally four basic steps that are followed.
- Secure the crime scene
- Collect and preserve evidence
- Establish a chain of custody
- Examine evidence
The first step in reacting to a computer forensics incident is for the first responders to secure the crime scene. The response team should document the physical surroundings of the computer or electronic device that is suspected of containing digital evidence. This includes photographing the area from different angles before anything is touched and labeling cables connected to the computer.
Additionally, the team should interview anyone who had access to the computer and take custody of the entire computer along with the keyboard, external memory devices, and peripherals.
Since digital evidence is easily altered or destroyed, only properly trained computer evidence specialists should process computer evidence in order to ensure that integrity is maintained and the data obtained can withstand scrutiny in a court of law.
The computer forensics team should capture any data that may be lost when the computer is turned off, including:
- RAM contents
- Current network connections
- Logon sessions
- Network configurations
- Open files
After the volatile data is preserved, the team should create a mirror image backup of the hard drive. A mirror image backup, or bit-stream backup, is an evidence-grade backup that is admissible in court and must be done in a controlled manner by a trained professional.
Establishing the chain of custody documents who had access to the evidence and when. Serial numbers should be recorded and the evidence should be kept under strict control at all times.
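One way to record the imaging and chain-of-custody steps above, written as an added example and not taken from the original article: it hashes the mirror image and links each custody record to the previous one, so a later change to the image or to the log is detectable. The use of SHA-256, the field names, the placeholder serial number, and the small sample file standing in for a disk image are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def entry_digest(entry):
    """SHA-256 over every field of a record except its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, image_path, serial, handler, action):
    """Append who handled the evidence, when, and the image hash at that time."""
    entry = {"serial": serial, "handler": handler, "action": action,
             "time_utc": datetime.now(timezone.utc).isoformat(),
             "image_sha256": sha256_file(image_path),
             "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify(log, image_path):
    """Return a list of problems; an empty list means log and image agree."""
    problems, prev = [], "0" * 64
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["entry_hash"] != entry_digest(e):
            problems.append(f"entry {i}: record altered or out of sequence")
        prev = e["entry_hash"]
    if log and sha256_file(image_path) != log[0]["image_sha256"]:
        problems.append("image differs from hash recorded at acquisition")
    return problems

def make_sample_image():
    """Constructed stand-in for a bit-stream image: 4 KiB of sample bytes."""
    with tempfile.NamedTemporaryFile(suffix=".dd", delete=False) as f:
        f.write(b"CONSTRUCTED-SAMPLE".ljust(512, b"\x00") * 8)
    return f.name

if __name__ == "__main__":
    img, log = make_sample_image(), []  # serial below is a placeholder
    add_custody_entry(log, img, "SN-EXAMPLE-001", "first responder", "acquired")
    print("problems:", verify(log, img))
    os.remove(img)
```

Running `verify` before examination confirms that the working copy still matches the hash recorded when the image was acquired.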
Finally, after the mirror image is created and the original system is secured, the mirror image is examined to reveal evidence.
All data should be investigated for clues, including:
- Word processing documents
- Spreadsheets
- Emails
- Caches
- Cookies
- Metadata
- Database entries
Additional sources of hidden clues may come from RAM slack or drive slack. When Windows computers use memory to process data, information that has been created, viewed, modified, downloaded, or copied may still be available.