Written by Phillip Russo – PPB Advisory National Director IT Forensics
The “F” word … we hear the term “forensic” everywhere these days- from television crime programs, such as CSI and in police reports or print media.
It can be applied in a variety of contexts, including:
- fingerprint analysis;
- DNA analysis;
- psychological analysis;
- forensic accounting; and
- IT Forensics.
The purpose of this paper is to explain what we mean by “IT Forensics”, what it involves, its relevance to legal practitioners and investigators and potential issues.
What is IT forensics?
IT Forensics, also known as digital and/or computer forensics, involves well-defined scientific procedures that are used for the collection of data from computers, mobile phones and other electronic mediums that store data.
The discipline includes the discovery, extraction, preservation, analysis and presentation of digital data. To ensure that IT forensic findings are admissible as evidence in court proceedings, specific procedures must be performed in a forensically sound manner to ensure no digital evidence is altered in the process. IT Forensics access digital artefacts that are normally hidden from the standard computer user.
An experienced IT forensics investigator can:
- Recover information from deleted or partially overwritten files;
- Determine modified times and dates of files;
- Identify originating IP addresses contained within emails;
- Identify registry passwords;
- Recover internet search terms;
- Trace USB device connections;
- Resolve printed document information;
- Authenticate network access times and dates against user names; and
- Analyse a variety of other data that may contain important evidence.
Information uncovered during IT forensic analysis, is often not only supplemental or supporting evidence but rather critical and / or exculpatory or inculpatory evidence.
A forensic analyst will need to complete a “live acquisition” and prepared to be challenged in court on the actions taken during the acquisition process, including their method of preservation and any affect on the acquired evidence, as well as any technical or forensic ramifications arising from the analyst’s actions.
The origins of IT forensics
IT Forensics was originally used for law enforcement and military but is now widely used in business environments to address commercial issues including:
- Intellectual property and identity theft;
- Ethical behaviours and business misconduct;
- Various fraudulent activities; and
- Wrongful dismissal;
- Other criminal matters.
The need to be able to forensically collect and correctly analyse computer related evidence has grown tenfold and has seen a dramatic increase in demand for computer forensic experts. At present, there are very few qualified IT Forensic professionals in Australia.
In truth, there is potential for IT Forensics to play a role in any investigation or litigious action that involves digital data.
While this has created a demand for qualified IT Forensic professionals, it has also resulted in people holding themselves out as experts who lack qualifications and experience.
Over the past ten years, IT Forensics has played a significant role in major investigations including:
- The investigation into a fake email implicating the then Prime Minister Kevin Rudd in a second hand car dealership scandal (Australia);
- The fall of Enron Corporation, an American energy company based in Houston, Texas (USA);
- The inquiry into the validation of the Blair Government report into the Iraq weapons of mass destruction (UK).
How should IT Forensics experts be selected?
What criteria should organisations apply when selecting and engaging computer forensics experts? Experience is the most important requirement. The more experienced, with 7 years or more, will often have a law enforcement background having worked in a Police Computer Crime Units or similar. This type of experience is likely to have included courtroom exposure and the evidentiary and witness processes which are important considerations when selecting an advisor. However this is not essential and a strong IT security background will also be favourable… To read more subscribe today!
