How Computer Forensics Analysts Work
How Computer Forensics Analysts Work
Thanks to television shows most of us already have an idea of what forensics is. Although some scenes are not depicted correctly (examining specimens are more exhausting and mentally draining due to the constant demand for paying attention to details, they don’t look as easy as they are in television with swooping camera angles) they have given us an idea on what they do in collecting evidence.
Computer forensics is part of this investigation. Due to the higher incidence of cyber crimes they are now an essential part of the legal process.
We already have an idea on what they do. However a computer forensics job entails a lot of procedures and expertise. Like any other evidence electronic data can also be fragile and damaged. There are certain steps to be followed to ensure that the data will be collected without being tampered.
A day in the work of a computer forensic analyst
The first thing that an analyst will do is to secure the data and the machine. The data can never be analyzed in the same system that it came from so exact copies are made. Usually the data in a hard drive is duplicated to extract the information needed.
The collection process starts when the analyst examines the surroundings of the machine. Other physical evidence such as notes, disks and printouts are also taken. Photographs of the surroundings are also taken. The area is also examined for portable storage devices.
If the computer system is still operating the information will be collected by examining its applications. Computers that are used for illegal communications may not have all of the data stored in the hard drive. Information stored in Random Access Memory will be lost if the computer is shut down so this step is important.
Open source tools are used to analyze on live computers. Analysts can also obtain an image of mapped drives and encrypted containers while they are on. The data from network connections are captured first, then running applications, and lastly from the Random Access Memory.
The computer is then shut off carefully in a way that it will not loose any data. The method used will depend in the computer and the operating system it uses. If proper shut down is made volatile data can be lost. Pulling the plug is not advisable either because it may corrupt the file system and loose important data.
The analyst then inspects for trap and photographs the configuration of the system. A diagram will also be made including serial number and markings.
The analyst then makes an exact duplicate of the hard drive called Imaging. They often use hard drive duplicators or software imaging tools. This is done in sector levels to make bit-stream copies of ever part that is accessible to the user which can store data.
The original hard drive is then installed with a hardware write protection and sent to a secure storage. After making a complete and accurate copy the duplicated data can now be analyzed for evidence. Analysts use algorithm to make sure that the imaging process is verified. Two algorithms are generally used in this process.
The analyst then renders his opinion then documents everything that was done. A report is made that contains all the findings of the analyst and whether or not it has been used in an illegal activity or criminal act.