back to top

We’ve updated our privacy notice and cookie policy. Learn more about cookies, including how to disable them, and find out how we collect your personal data and what we use it for.


Novice's Overview Of Computer System Forensics

Computer system forensics is the practice of gathering, analysing and reporting on digital info in a way that is legally admissible. It can be utilized in the detection and avoidance of criminal activity and in any disagreement where proof is stored digitally. Computer system forensics has comparable examination phases to other forensic disciplines and faces similar problems.

Posted on


Computer system forensics is the practice of gathering, analysing and reporting on digital info in a way that is legally admissible. It can be utilized in the detection and avoidance of criminal activity and in any disagreement where proof is stored digitally. Computer system forensics has comparable examination phases to other forensic disciplines and faces similar problems.

About this guide

This guide talks about computer system forensics from a neutral viewpoint. It is not connected to specific legislation or intended to promote a particular company or item and is not written in bias of either police or industrial computer system forensics. It is focused on a non-technical audience and provides a top-level view of computer forensics. This guide uses the term "computer system", but the principles apply to any device capable of storing digital details. Where methodologies have been discussed they are provided as examples only and do not constitute suggestions or advice. Copying and publishing the whole or part of this post is certified exclusively under the regards to the Creative Commons - Attribution Non-Commercial 3.0 license

Uses of computer forensics

There are couple of locations of criminal activity or conflict where computer system forensics can not be applied. Law enforcement agencies have actually been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may make up a 'scene of a crime', for instance with hacking [1] or rejection of service attacks [2] or they may hold proof through e-mails, internet history, files or other files relevant to criminal activities such as murder, abduct, fraud and drug trafficking. It is not just the content of emails, documents and other files which might be of interest to investigators however likewise the 'meta-data' [3] connected with those files. A computer system forensic assessment might expose when a document initially appeared on a computer, when it was last modified, when it was last conserved or printed and which user carried out these actions.

More recently, industrial organisations have actually utilized computer forensics to their benefit in a range of cases such as;

•Intellectual Property theft

•Industrial espionage

•Employment disagreements

•Scams examinations


•Matrimonial issues

•Personal bankruptcy investigations

•Inappropriate e-mail and internet usage in the work place

•Regulative compliance


For evidence to be admissible it should be reputable and not prejudicial, implying that at all phases of this procedure admissibility need to be at the leading edge of a computer forensic examiner's mind. One set of standards which has been extensively accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Proof or ACPO Guide for brief. Although the ACPO Guide is focused on United Kingdom law enforcement its primary principles are applicable to all computer forensics in whatever legislature. The 4 main concepts from this guide have been replicated below (with references to police removed):.

No action ought to alter information held on a computer system or storage media which might be consequently relied upon in court.

In situations where an individual finds it needed to access original data hung on a computer system or storage media, that person must be skilled to do so and have the ability to give evidence discussing the importance and the implications of their actions.

An audit path or other record of all processes applied to computer-based electronic proof must be produced and preserved. An independent third-party should have the ability to examine those processes and accomplish the very same outcome.

The person in charge of the investigation has overall obligation for making sure that the law and these principles are followed.

In summary, no changes should be made to the original, however if access/changes are essential the examiner needs to know exactly what they are doing and to tape their actions.

Live acquisition

Concept 2 above may raise the question: In what circumstance would modifications to a suspect's computer system by a computer forensic examiner be essential? Traditionally, the computer forensic inspector would make a copy (or acquire) info from a gadget which is turned off. A write-blocker [4] would be utilized to make a specific bit for bit copy [5] of the initial storage medium. The inspector would work then from this copy, leaving the initial demonstrably the same.

Nevertheless, sometimes it is not possible or desirable to change a computer off. It may not be possible to change a computer system off if doing so would result in considerable financial or other loss for the owner. It may not be preferable to change a computer system off if doing so would suggest that potentially important evidence may be lost. In both these situations the computer forensic inspector would need to carry out a 'live acquisition' which would include running a little program on the suspect computer in order to copy (or acquire) the information to the inspector's disk drive.

By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer system which were not present before his actions. Such actions would remain acceptable as long as the examiner tape-recorded their actions, understood their effect and had the ability to discuss their actions.

Phases of an assessment

For the purposes of this post the computer forensic evaluation procedure has been divided into 6 stages. Although they exist in their typical chronological order, it is essential during an examination to be versatile. For example, throughout the analysis stage the inspector may find a new lead which would necessitate additional computer systems being analyzed and would imply a return to the evaluation stage.


Forensic readiness is a crucial and periodically neglected phase in the examination process. In commercial computer system forensics it can consist of educating clients about system preparedness; for instance, forensic examinations will supply stronger evidence if a server or computer's integrated auditing and logging systems are all switched on. For examiners there are numerous areas where prior organisation can help, consisting of training, regular testing and confirmation of software and equipment, familiarity with legislation, handling unexpected concerns (e.g., exactly what to do if child pornography exists throughout a business job) and ensuring that your on-site acquisition kit is complete and in working order.


The examination stage includes the receiving of clear instructions, threat analysis and allotment of functions and resources. Danger analysis for police might include an evaluation on the likelihood of physical danger on going into a suspect's property and how finest to deal with it. Commercial organisations likewise need to be aware of health and wellness concerns, while their examination would likewise cover reputational and financial threats on accepting a specific job.


The main part of the collection stage, acquisition, has actually been presented above. If acquisition is to be carried out on-site instead of in a computer system forensic lab then this phase would include recognizing, securing and recording the scene. Interviews or meetings with personnel who may hold information which could be appropriate to the assessment (which could consist of the end users of the computer system, and the supervisor and person responsible for offering computer services) would normally be performed at this stage. The 'bagging and tagging' audit trail would start here by sealing any materials in special tamper-evident bags. Consideration likewise has to be given to firmly and safely transferring the material to the inspector's laboratory.


Analysis depends upon the specifics of each task. The examiner usually offers feedback to the client throughout analysis and from this discussion the analysis might take a different course or be narrowed to particular locations. Analysis needs to be accurate, comprehensive, unbiased, taped, repeatable and finished within the time-scales readily available and resources assigned. There are myriad tools available for computer system forensics analysis. It is our opinion that the examiner ought to use any tool they feel comfy with as long as they can validate their option. The main requirements of a computer system forensic tool is that it does exactly what it is indicated to do and the only method for inspectors to be sure of this is for them to frequently evaluate and adjust the tools they utilize prior to analysis takes place. Dual-tool confirmation can confirm result integrity throughout analysis (if with tool 'A' the inspector discovers artefact 'X' at area 'Y', then tool 'B' ought to replicate these results.).


This stage normally involves the examiner producing a structured report on their findings, dealing with the points in the initial instructions together with any subsequent guidelines. It would likewise cover any other details which the inspector deems relevant to the examination. The report needs to be composed with completion reader in mind; oftentimes the reader of the report will be non-technical, so the terms should acknowledge this. The examiner needs to likewise be prepared to participate in conferences or telephone conferences to discuss and elaborate on the report.


Together with the preparedness phase, the review stage is often neglected or ignored. This may be due to the perceived costs of doing work that is not billable, or the need 'to get on with the next task'. However, a review phase incorporated into each assessment can assist in saving cash and raise the level of quality by making future assessments more effective and time effective. An evaluation of an evaluation can be simple, quick and can begin during any of the above phases. It may include a basic 'exactly what went wrong and how can this be enhanced' and a 'exactly what went well and how can it be included into future examinations'. Feedback from the instructing party should also be looked for. Any lessons learnt from this phase needs to be applied to the next evaluation and fed into the readiness phase.

This post was created by a member of BuzzFeed Community, where anyone can post awesome lists and creations. Learn more or post your buzz!