Basic Computer Forensics and Techniques

This write-up discusses the emerging field of computer forensics in the computing industry, what forensic science is, and the investigation techniques involved.
ScienceStruck Staff
Last Updated: Jul 4, 2018
Computer forensics is the detailed, scientific study and application of computer science for the purpose of gathering digital evidence in cases of cyber crime, or for other research purposes.
From a legal perspective, a government-authorized computer forensic agent can investigate computer systems and networks and, after applying a series of technical steps, arrive at digital evidence.
Digital evidence is like any other evidence, except that it exists in digital form: computer data, disks, printed documents, and so on.
Computer forensic techniques provide a methodical and systematic approach to gathering information from computer systems and networks, information that may be cryptic or hidden and that would otherwise be extremely hard to obtain through routine access to computer resources.
Usually, a computer system or network to which forensic techniques are applied hides or garbles its data through encryption, steganography, or other technical means.
Computer forensics is the process of first analyzing the system, then gathering the important data fragments present on it, and finally interpreting them with the help of particular mechanisms and tools. Here are some basic computer forensic techniques.
For Computer Networks
Packet Sniffing
Sniffing literally means to sense something, and it means much the same here. Data flows through network links; pulling critical data packets off these links is called packet sniffing. This data may contain usernames and passwords, sent and received emails, or any other data that flows through the network.
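The first thing a sniffer does with every captured frame is dissect its headers, and that is where most of the evidential value sits (who talked to whom, on which port, with what flags). The block below is an added example, not code from the original article: a minimal Ethernet/IPv4/TCP dissector run over a frame that the code itself constructs (the addresses, MACs and HTTP request are made up for the example). It also flags unencrypted HTTP, since anything readable on the wire is exactly what a sniffer, legitimate or not, can read.

```python
# Added example: a minimal Ethernet/IPv4/TCP dissector of the kind a packet
# sniffer applies to each captured frame. The frame below is constructed
# in-code so the example runs offline; it is not a real capture.
import struct


def build_sample_frame() -> bytes:
    """Construct one Ethernet frame carrying an IPv4/TCP HTTP request."""
    payload = b"GET /login HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"
    # TCP header (20 bytes): src port, dst port, seq, ack, data offset (5 words),
    # flags PSH|ACK (0x18), window, checksum (left 0), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header (20 bytes): version/IHL 0x45, TOS, total length, ID,
    # flags/fragment (DF), TTL, protocol 6 = TCP, checksum (left 0), src, dst
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
        bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]),
    )
    # Ethernet header: destination MAC, source MAC, EtherType 0x0800 = IPv4
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def dissect_frame(frame: bytes) -> dict:
    """Parse Ethernet, IPv4 and TCP headers and return the fields of interest."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"ethertype": ethertype}
    if ethertype != 0x0800:
        return result  # not IPv4; nothing further is parsed in this example
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    result.update({
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "ttl": ip[8],
        "protocol": ip[9],
    })
    if ip[9] != 6:
        return result  # only TCP is dissected here
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4  # header length in bytes
    result.update({
        "src_port": src_port,
        "dst_port": dst_port,
        "flags": tcp[13],
        "payload": tcp[data_offset:],
    })
    return result


def is_cleartext_http(fields: dict) -> bool:
    """Flag unencrypted HTTP: its content is readable by anyone on the path."""
    payload = fields.get("payload", b"")
    method = payload.split(b" ", 1)[0]
    return fields.get("dst_port") == 80 and method in (
        b"GET", b"POST", b"PUT", b"HEAD", b"DELETE")


if __name__ == "__main__":
    fields = dissect_frame(build_sample_frame())
    print(fields["src"], "->", fields["dst"], "port", fields["dst_port"])
    print("cleartext HTTP:", is_cleartext_http(fields))
```

Checksums are left at zero in the constructed frame and not verified by the dissector; a real capture tool validates them and also has to handle VLAN tags, IP options (the IHL field already accounts for these) and IPv6, none of which this example covers.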
IP Address Tracing
Internet Protocol address tracing means following an IP address back to the real address behind it. It involves a reverse address lookup and a route trace that counts the servers lying between source and destination; these intermediate servers are referred to as hops.
One of the last addresses reached during the trace is the ISP's server. The target IP address is then checked with that ISP, and ownership information can be gathered with its help.
Email Address Tracing
By analyzing email headers, one can determine where an email came from. The headers record the IP address of the sending machine, which can be used for an IP trace, as well as other important details such as the mail server from which the email originated, the date and time, and similar minutiae.
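Both the hop-counting described under IP address tracing and the header analysis described here come together when walking the Received: chain of a message. The following is an added example, not part of the original article: each mail server prepends its own Received: header, so reading the headers bottom-up reproduces the path the message took, one hop per header, and the earliest header carries the IP the message was first accepted from. The message is constructed for the example using RFC 5737 documentation addresses and invented hostnames; the regular expressions are this example's own, not a standard parser.

```python
# Added example: walking the Received: chain of an email to recover the path
# the message took, hop by hop, and the IP it was first accepted from. The
# message below is constructed with documentation (RFC 5737) addresses and
# invented hostnames; it is not a real email.
import re
from email import message_from_string, policy

SAMPLE_EMAIL = """\
Received: from mx2.example.test (mx2.example.test [203.0.113.20])
\tby inbox.example.test with ESMTP id 4a1f2c; Tue, 3 Jul 2018 10:05:12 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx2.example.test with ESMTP; Tue, 3 Jul 2018 10:05:10 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.net with ESMTPA; Tue, 3 Jul 2018 10:05:08 +0000
From: someone@example.net
To: analyst@example.test
Subject: constructed sample
Date: Tue, 3 Jul 2018 10:05:07 +0000

(body omitted)
"""

# IPv4 literal in square brackets, as mail servers record it.
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# "from <host> ... by <host>" clause of a Received: header.
FROM_BY = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def trace_received(raw_message: str) -> list:
    """Return the hops in delivery order (origin first).

    The header at the top of the message is the final hop and the one at the
    bottom is the first, so the list is reversed to read in the direction
    the message actually travelled.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = str(value)
        m = FROM_BY.search(text)
        ips = IPV4.findall(text)
        hops.append({
            "from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "ip": ips[0] if ips else None,
        })
    hops.reverse()
    return hops


def originating_ip(raw_message: str):
    """IP address recorded in the earliest Received: header, i.e. the sender."""
    hops = trace_received(raw_message)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for n, hop in enumerate(trace_received(SAMPLE_EMAIL), 1):
        print(f"hop {n}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("originating IP:", originating_ip(SAMPLE_EMAIL))
```

The number of hops is simply the number of Received: headers. The caveat that matters in practice: only the headers added by servers under your own control (here, `mx2.example.test` and `inbox.example.test`) are trustworthy; everything below the first trusted header was written by the sending side and can be forged, so the "originating IP" is the one recorded by the first server you trust, not necessarily the bottom-most header.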
For Computer Systems
File Structure
For a physical computer system, the file structure is analyzed and a lookout is kept for suspicious files, which may be scattered in every nook and corner of the system. Some of these files may be encrypted, garbled, or hashed with some algorithm.
Such files are then processed and decrypted to gather digital evidence. Generally, this task is accomplished with automated tools and utilities, but manual intervention also plays an important part.
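A file-structure sweep of the kind described above is largely mechanical, which is why it is automated first and reviewed by hand afterwards. The block below is an added example, not the article's own tooling: it walks a directory tree and, for every file, records a SHA-256 hash (so each item of evidence can be identified and its integrity checked later), the byte entropy (values near 8 bits per byte suggest encryption or compression) and whether the file's signature bytes match its extension (a file that claims to be a picture but is not is worth a second look). The sample tree, its file names and contents are constructed by the code in a temporary directory; the signature and extension tables are the example's own short lists.

```python
# Added example: automated sweep of a directory tree for suspicious files.
# The sample tree is built in a temporary directory by the code itself;
# paths and contents are constructed, not taken from a real case.
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

# Signature ("magic") bytes for a few common formats (example's own short list).
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}
EXTENSION_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
                  ".zip": "zip", ".docx": "zip"}
# Formats that are normally compressed, so high entropy is expected for them.
COMPRESSED = {"jpeg", "png", "zip"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is the maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty file."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def identify_magic(head: bytes):
    for signature, kind in MAGIC.items():
        if head.startswith(signature):
            return kind
    return None


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        data = fh.read()
    kind = identify_magic(data[:16])
    ext_kind = EXTENSION_KIND.get(os.path.splitext(path)[1].lower())
    entropy = shannon_entropy(data)
    flags = []
    if ext_kind is not None and kind != ext_kind:
        flags.append("extension-mismatch")   # e.g. a .jpg that is not a JPEG
    if entropy > ENTROPY_THRESHOLD and kind not in COMPRESSED:
        flags.append("high-entropy")         # possibly encrypted or packed
    return {
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(entropy, 3),
        "magic": kind,
        "flags": flags,
    }


def scan_tree(root: str) -> list:
    """Scan every regular file under root, including hidden subdirectories."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            records.append(scan_file(os.path.join(dirpath, name)))
    return records


def run_demo() -> dict:
    """Build a constructed sample tree, scan it and return {basename: flags}."""
    root = tempfile.mkdtemp(prefix="forensic_demo_")
    try:
        os.makedirs(os.path.join(root, "hidden", ".cache"))
        samples = {
            "notes.txt": b"meeting at 10, bring the quarterly figures\n" * 20,
            "photo.jpg": b"this is not a picture at all\n",            # mismatch
            "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 4,
            # every byte value exactly 16 times: entropy is exactly 8.0
            os.path.join("hidden", ".cache", "vault.dat"): bytes(range(256)) * 16,
        }
        for rel, content in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        return {os.path.basename(r["path"]): r["flags"] for r in scan_tree(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, flags in run_demo().items():
        print(f"{name}: {flags or 'ok'}")
```

On a real system the scan runs against a read-only mounted copy of the evidence, never the original disk, and the hash list it produces is the record that lets anyone later confirm the files examined are the ones that were seized.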
Storage Media
Storage media may take the form of fixed or removable disks. These disks might have been erased (formatted), which can make recovering data from them seem almost impossible; however, with advanced utilities and data recovery tools it is possible.
Recovered data is not necessarily in a usable form, so the data fragments that are gathered are pieced together to form solid digital evidence.
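The reason recovery from a formatted disk is possible is that a quick format discards the file system's bookkeeping, not the file contents. Recovery tools then "carve" files out of the raw bytes by their header and trailer signatures alone. The block below is an added example of that technique, not code from the article or any recovery product: the "disk image" is a constructed byte string with one JPEG and one PNG embedded among filler, and the carver locates them with no knowledge of where they were written.

```python
# Added example: signature-based file carving over a raw disk image. The
# image is a constructed byte string, not a real disk; the JPEG and PNG
# objects in it are minimal and made up for the example.
import hashlib

# header signature -> (kind, trailer signature)
SIGNATURES = {
    b"\xff\xd8\xff": ("jpeg", b"\xff\xd9"),
    b"\x89PNG\r\n\x1a\n": ("png", b"IEND\xaeB`\x82"),  # IEND chunk + its fixed CRC
}
MAX_FILE_SIZE = 50 * 1024 * 1024  # give up on a header with no trailer in range


def carve(image: bytes) -> list:
    """Return [{kind, offset, length, sha256, data}] for every carved object."""
    found = []
    pos = 0
    while pos < len(image):
        # Earliest header of any known kind at or after pos.
        hit = None
        for header, (kind, trailer) in SIGNATURES.items():
            idx = image.find(header, pos)
            if idx != -1 and (hit is None or idx < hit[0]):
                hit = (idx, kind, header, trailer)
        if hit is None:
            break
        start, kind, header, trailer = hit
        end = image.find(trailer, start + len(header), start + MAX_FILE_SIZE)
        if end == -1:
            pos = start + 1  # orphan header: skip it and keep scanning
            continue
        end += len(trailer)
        data = image[start:end]
        found.append({"kind": kind, "offset": start, "length": len(data),
                      "sha256": hashlib.sha256(data).hexdigest(), "data": data})
        pos = end
    return found


# --- constructed sample image -------------------------------------------
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + bytes(range(1, 200))    # body bytes, none of them 0xFF
               + b"\xff\xd9")            # end-of-image marker
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + b"\x00\x00\x00\x0dIHDR"
              + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00"  # 1x1 RGB
              + b"\x90wS\xde"                                            # IHDR CRC
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
JPEG_OFFSET = 512


def build_sample_image() -> bytes:
    """A formatted-looking disk: zero filler, a JPEG, slack, a PNG, more filler."""
    return (b"\x00" * JPEG_OFFSET + SAMPLE_JPEG + b"\xff" * 300
            + SAMPLE_PNG + b"\x00" * 256)


if __name__ == "__main__":
    for obj in carve(build_sample_image()):
        print(f"{obj['kind']} at offset {obj['offset']}, {obj['length']} bytes, "
              f"sha256 {obj['sha256'][:16]}...")
```

Carving assumes a file was stored contiguously; a fragmented file comes out corrupted or truncated, which is the "not in proper form" case the text mentions, and why recovered fragments still have to be pieced together afterwards. Hashing each carved object at the moment it is recovered gives the evidence record something stable to refer to.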
Steganography
Steganography is the art of hiding information in images, sounds, or any other file format other than the routine one. Information hidden in an image file is difficult to detect, and this can lead to the material spreading widely through the Internet. Steg-analysis and decryption techniques are applied to get the data back into its original form.
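The simplest place to hide data in an image is the least-significant bit of each sample, where a change of one is invisible to the eye, and checking that bit plane is correspondingly the first thing a steg-analysis pass does. The block below is an added example, not code from the article: it hides a short message in a constructed grey gradient using a 32-bit length prefix (that prefix and the one-bit-per-sample layout are this example's own convention, not a standard), then recovers it from the LSB plane, rejecting covers whose LSBs do not decode to a plausible length.

```python
# Added example: embedding into and recovering from the least-significant-bit
# plane of sample values. The cover is a constructed byte array (a grey
# gradient), and the layout (32-bit big-endian length, then message bytes,
# one bit per sample) is an assumption of this example.


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write a length-prefixed message into the LSBs of the first samples."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit  # each sample changes by at most 1
    return bytes(out)


def lsb_plane(samples: bytes, nbits: int) -> bytes:
    """Collect the LSB of the first nbits samples into nbits // 8 bytes."""
    value = 0
    for i in range(nbits):
        value = (value << 1) | (samples[i] & 1)
    return value.to_bytes(nbits // 8, "big")


def extract_lsb(stego: bytes):
    """Recover the payload, or None if the LSB plane holds no plausible one."""
    if len(stego) < 32:
        return None
    length = int.from_bytes(lsb_plane(stego, 32), "big")
    if length == 0 or 32 + length * 8 > len(stego):
        return None  # implausible length: nothing embedded under this layout
    return lsb_plane(stego[32:], length * 8)


if __name__ == "__main__":
    cover = bytes(range(256)) * 8           # 2048 samples, 256 bytes of capacity
    stego = embed_lsb(cover, b"meet at dawn")
    changed = sum(1 for a, b in zip(cover, stego) if a != b)
    print("samples changed:", changed, "of", len(cover))
    print("recovered:", extract_lsb(stego))
    print("untouched cover decodes to:", extract_lsb(cover))
```

Real steg-analysis is less tidy: a hider chooses their own layout, may encrypt the payload first (so the extracted bits look random, which is why the text pairs steg-analysis with decryption) and may scatter bits across samples using a key, so detection usually rests on statistical tests of the LSB plane rather than on decoding a known format.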
Prints
Prints are printouts taken from a computer printer. Most computer forensic experts forget to concentrate on these printouts. They may have been produced so that, at first glance, their content is not visible to the naked eye.
They would either be too microscopic to read or garbled for deception. So, while evaluating and gathering digital evidence, analyzing printouts becomes a very important aspect that should not be neglected or handled carelessly.
Tools of the Trade
Some of the most common tools of the trade used in computer forensics are:
  • Hex Editors
  • Disassemblers
  • Disk Analyzers
  • Decryptors
  • Packet Sniffers
  • DNS Tools
Computer forensic science is a field that is gaining heavy momentum across the world due to the rise in cyber crime, and it will continue to grow at a tremendous pace in the coming decade.