Computer Forensics

Overview

This paper will discuss the need for computer forensics to be practiced in an effective and

legal way, outline basic technical issues, and point to references for further reading. It

promotes the idea that the competent practice of computer forensics and awareness of

applicable laws is essential for today’s networked organizations.

This subject is important for managers who need to understand how computer forensics

fits as a strategic element in overall organizational computer security. Network

administrators and other computer security staff need to understand issues associated with

computer forensics. Those who work in corporate governance, legal departments, or IT

should find an overview of computer forensics in an organizational context useful.

What is Computer Forensics?

If you manage or administer information systems and networks, you should understand

computer forensics. Forensics is the process of using scientific knowledge for collecting,

analyzing, and presenting evidence to the courts. (The word forensics means “to bring to

the court.” ) Forensics deals primarily with the recovery and analysis of latent evidence.

Latent evidence can take many forms, from fingerprints left on a window to DNA

evidence recovered from blood stains to the files on a hard drive.

Because computer forensics is a new discipline, there is little standardization and

consistency across the courts and industry. As a result, it is not yet recognized as a formal

“scientific” discipline. We define computer forensics as the discipline that combines

elements of law and computer science to collect and analyze data from computer systems,

networks, wireless communications, and storage devices in a way that is admissible as

evidence in a court of law.

Why is Computer Forensics Important?

Adding the ability to practice sound computer forensics will help you ensure the overall

integrity and survivability of your network infrastructure. You can help your organization

if you consider computer forensics as a new basic element in what is known as a

“defense-in-depth”1 approach to network and computer security. For instance,

understanding the legal and technical aspects of computer forensics will help you capture

vital information if your network is compromised and will help you prosecute the case if

the intruder is caught.

What happens if you ignore computer forensics or practice it badly? You risk destroyingvital evidence or having forensic evidence ruled inadmissible in a court of law. Also, youor your organization may run afoul of new laws that mandate regulatory compliance andassign liability if certain types of data are not adequately protected. Recent legislationmakes it possible to hold organizations liable in civil or criminal court if they fail toprotect customer data.2Computer forensics is also important because it can save your organization money. Manymanagers are allocating a greater portion of their information technology budgets forcomputer and network security. International Data Corporation (IDC) reported that themarket for intrusion-detection and vulnerability-assessment software will reach 1.45billion dollars in 2006. In increasing numbers, organizations are deploying networksecurity devices such as intrusiondetection systems (IDS), firewalls, proxies, and thelike, which all report on the security status of networks.From a technical standpoint, the main goal of computer forensics is to identify, collect,preserve, and analyze data in a way that preserves the integrity of the evidence collectedso it can be used effectively in a legal case.Legal Aspects of Computer ForensicsAnyone overseeing network security must be aware of the legal implications of forensicactivity. Security professionals need to consider their policy decisions and technicalactions in the context of existing laws. For instance, you must have authorization beforeyou monitor and collect information related to a computer intrusion. There are also legalramifications to using security monitoring tools.Computer forensics is a relatively new discipline to the courts and many of the existinglaws used to prosecute computer-related crimes, legal precedents, and practices related tocomputer forensics are in a state of flux. New court rulings are issued that affect howcomputer forensics is applied. The best source of information in this area is the UnitedStates Department of Justice’s Cyber Crime web site.4 The site lists recent court casesinvolving computer forensics and computer crime, and it has guides about how tointroduce computer evidence in court and what standards apply. The important point forforensics investigators is that evidence must be collected in a way that is legallyadmissible in a court caseIncreasingly, laws are being passed that require organizations to safeguard the privacy ofpersonal data. It is becoming necessary to prove that your organization is complying withcomputer security best practices. If there is an incident that affects critical data, forinstance, the organization that has added a computer forensics capability to its arsenalwill be able to show that it followed a sound security policy and potentially avoidlawsuits or regulatory audits.

If system administrators possess the technical skills and ability to preserve criticalinformation related to a suspected security incident in a forensically sound manner andare aware of the legal issues related to forensics, they will be a great asset to theirorganization. Should an intrusion lead to a court case, the organization with computerforensics capability will be at a distinct advantage. For a more detailed discussion ofthese and related topics, see the document on which this paper is based, Nolan’sForensics Guide to Incident Response for Technical Staff, and other resources listed below.