If you are one of those people who, like me, enjoy watching crime dramas on television, then you have most likely heard the term “Computer Forensics.” Special Agent Timothy McGee from the show NCIS has a master’s in Computer Forensics from MIT. But what exactly does that entail?
After researching the field, I hope to pass on to you a little of what I have learned, including:
1. What is Computer Forensics?
2. What are the origins of Computer Forensics?
3. What data can be collected using Computer Forensics?
4. What techniques are used to collect this data?
5. What areas of law relate to Computer Forensics?
6. What is the RCFL, and where are the locations?
1. What is Computer Forensics?
Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.1 Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.2 Computer Forensics is normally associated with computer crimes, but it can also be used in civil trials.
2. What are the origins of Computer Forensics?
During the 80’s, when computers were becoming readily accessible to individuals, crimes committed solely with computers began to appear, including hacking. Computer Forensics was developed in order to recover and interpret digital evidence for use in court proceedings. Kruse and Heiser, authors of Computer Forensics, describe the field as being “more of an art than a science”.3
3. What data can be collected using Computer Forensics?
There are two typical types of data that can be collected by Forensic Analysts:
- Persistent data is preserved when the computer is turned off, so it is stored on a local hard drive or other medium.1
- Volatile data is lost when the computer is shut off. It is data stored in memory or that exists in transit and is located in registries, caches, and RAM.1
4. What techniques are used to collect this data?
There are three common techniques used to collect data during investigations: Cross-drive analysis, Live analysis, and Deleted Files.
- Cross-drive analysis: this technique correlates information found on multiple hard drives. The process is still being researched.3
- Live analysis: the examination of computers from within the operating system.3
- Deleted files: the recovery or carving of deleted files. Carving searches the raw media for known file headers and reconstructs the deleted material from the data that follows them, without relying on the file system’s own records.3
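To make the carving technique concrete, here is a small header/footer carver I wrote for this post (it is an added example, not code from the cited authors). It scans a constructed “disk image” byte string, not a real evidence image, for the JPEG and PNG magic numbers, cuts out everything up to the matching trailer, and hashes each carved file so the result can be documented. The function and variable names are my own.

```python
"""Minimal header/footer file carver (added example, not from the cited sources).

The image scanned below is constructed inline and stands in for unallocated
space on a drive; it contains no file system, which is exactly the situation
in which carving is useful: directory entries are gone, the bytes are not.
"""
import hashlib

# Known signatures: type -> (header bytes, footer bytes).
# The JPEG and PNG magic numbers are real; the list is kept short on purpose.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, signatures=SIGNATURES, max_size=10_000_000):
    """Scan a raw image for every known header, then look for the matching
    footer within max_size bytes. Returns a list of (type, offset, data)
    sorted by offset. A header with no footer in range is treated as a
    truncated or overwritten file and skipped, rather than guessed at."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Orphaned header: the body was overwritten, so nothing
                # trustworthy can be reconstructed from it.
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    found.sort(key=lambda item: item[1])
    return found


def report(image: bytes):
    """Summarise carved files as dicts with a SHA-256 so each recovered
    artifact can be recorded and later verified against the same image."""
    return [
        {
            "type": kind,
            "offset": offset,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
        for kind, offset, data in carve(image)
    ]


def build_sample_image() -> bytes:
    """Constructed sample image: filler, a fake JPEG, filler, an orphaned
    JPEG header whose body was overwritten, filler, a fake PNG, filler."""
    filler = b"\x00" * 64 + b"unallocated sector data " * 3
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-bytes" + b"\xff\xd9"
    orphan_header = b"\xff\xd8\xff\xe1"
    fake_png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk-bytes" + b"IEND\xaeB`\x82"
    return filler + fake_jpeg + filler + orphan_header + filler + fake_png + filler


if __name__ == "__main__":
    for entry in report(build_sample_image()):
        print(entry)
```

Two things the example shows that the prose alone does not: the carver never consults a directory or allocation table, so it works on deleted or formatted space; and a header without a trailer is deliberately skipped, because reconstructing a file from a header alone would be guesswork that an examiner could not defend in court. Real carvers also handle fragmented files and formats without a fixed trailer, which this example does not attempt.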
5. What are the areas of law relating to Computer Forensics?
The Fourth Amendment of the Constitution applies to unreasonable search and seizure, while the Fifth Amendment protects against self-incrimination. When these amendments were written, there weren’t problems with computers. Nowadays the principles in the amendments can be applied to Computer Forensics and how it is practiced.
There are three U.S. Statutory laws relating to Computer Forensics. These include the Wiretap Act, Pen Registers and Trap and Trace Devices Statute, and the Stored Wired and Electronic Communication Act.1
6. What is the RCFL, and where are the locations?
(Image: RCFL home page, http://www.rcfl.gov/index.cfm)
RCFL is a forensics laboratory and training center devoted to the examination of digital evidence in support of criminal investigations, including terrorism, child pornography, internet crime, etc. The RCFL combines federal, state, and local law enforcement agencies to seize and collect digital evidence at crime scenes, conduct impartial exams of computer evidence, and testify if needed. There are 16 RCFLs in the United States, each serving a different area of the USA.4
(Image: RCFL locations, http://www.rcfl.gov/DSP_P_locations.cfm)
Hopefully I have been able to give you a little more insight into the world of Computer Forensics! Next time you sit down to enjoy your favorite crime drama (preferably NCIS), you will understand where the investigators are coming from when they refer to Computer Forensics. :)