Computer forensic investigation is the process of detecting hacking and other related cybercrime attacks and properly extracting evidence to report the crime, as well as conduct audits to prevent future attacks.
Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including (but not limited to) fraud, theft of trade secrets and theft or destruction of intellectual property. Investigators can draw on an array of methods for discovering information that resides in a computer system or recovering deleted, encrypted or damaged file information.
Securing and analyzing electronic evidence is a central theme in an ever-increasing number of conflict situations and criminal cases. Electronic evidence is critical in the following situations:
- Disloyal employees.
- Computer break-ins.
- Possession of pornography.
- Breach of contract.
- Industrial espionage.
- E-mail fraud.
- Disputed dismissals.
- Web page defacements.
- Theft of company documents.
A computer forensics investigator is responsible for recovering data from computers that can be used in the prosecution of a criminal or in gathering evidence of a crime.
But contrary to public perception, a computer forensics investigation might include equipment beyond the normal computer, including cell phones, video recorders, thumb drives, BlackBerries, PDAs and MP3 players.
Computer forensics enables the systematic and careful identification of evidence in computer-related crime and abuse cases. This might range from tracing the tracks of a hacker through a client’s systems to tracing the originator of defamatory e-mails to recovering signs of fraud.
Many computer forensics investigators are law enforcement officers or are employed by police departments. In smaller cities, however, they might be private computer experts whom the local police force uses on an as-needed basis. Computer forensic investigators might be required to testify in court to explain their role in the evidence-gathering process and to detail the evidence-recovery procedure used in that case.
The need for forensics investigators is becoming very important. With the growth in the general digital forensics area, the need for a good solution for investigators is on the rise.
One common trend among law enforcement agencies is that corporations worldwide try not to report any computer abuse to which they might have been subject.
Why? According to a recent CSI/FBI report, this is because most of them are concerned that any such report may lead to a leak, and as a result, they might be susceptible to attack from their competitors in the court of public opinion. They are also concerned that the negative publicity might hurt their stock prices.
What is the Solution?
One possible answer is to hire internal computer-hacking forensics investigators. The fact that a corporation has an internal team that is trained and certified to deal with the art of computer forensics will significantly reduce the risk of employees trying to prey on their internal systems. Another benefit is that internally trained and certified personnel will cost a corporation much less than a typical investigation by a consultant.
A computer forensic investigator might be called in if the information for which the authorities are looking has been hidden on or erased from a computer. Despite being deleted, the investigator can retrieve all or part of the evidence using specialized recovery programs and the computer’s hard drive.
Forensics investigators also can work to crack or decode encryption programs that prevent information stored on the computer from being accessed. This information might be pictures, documents or other sources such as spreadsheets or databases.
Computer forensics investigators also must have good working knowledge of computer construction, as well as hard drive processes and data recovery. They have to have a great deal of patience and should be willing to work for long or odd hours to try to recover information from computers that might have been erased or damaged. Understanding networking, encryption and computer crime is also important to this career.
To prepare a person to be a forensics investigator is no easy task. There are many sides to a good investigator, from analytical skills to technical knowledge.
Potential investigators should study and understand the crimes or incidents they will be investigating. For instance, they ought to have good working knowledge of ethical hacking skills and possess the Certified Ethical Hacker certification, which is just one of many that will aid in creating the most well-rounded investigator.
There are quite a few certifications available, but those who seek to become computer forensics investigators must be able to distinguish between vendor-neutral and vendor-based certifications. Both will help create the best forensic investigator.
EC-Council offers a vendor-neutral computer hacking forensic investigator program that prepares individuals to become forensics investigators. But upon the completion of this certification, candidates should pursue some of the specialized vendor-based certification that will allow them to be adequately certified and trained in products and techniques.
For instance, Paraben Corp. offer multiple tiers of training associated with the seizure, analysis and presentation of data associated with mobile devices. Although this is a vendor-based certification, it still contributes to crucial skills that forensic investigators will need.
Additionally, there are many other vendors that have proprietary software or equipment, including Guidance Software, which both law enforcement agencies and corporations use a great deal.
Before individuals attempt any of these trainings, however, they should possess critical information about networking, ethical hacking and a deep understanding of forensics tools and procedures.
Jay Bavisi is the president of EC-Council. He can be reached at editor (at) certmag (dot) com.