The Application of Computer Forensics



Anonymous

Guest
#1
Everyone seems to think of criminal cases, or perhaps civil litigation when the topic of computer forensics arises. But what other areas is this science regularly used in?

I ask partly from a career perspective, but also from general interest.
 

Anonymous

Guest
#2
How about work issues, such as harassment or constructive dismissal. I'd say there was a fair amount of use of it in the insurance industry too.

And of course our good old friend, data recovery, following a crash or other event or problem.

Countless scenarios really.
 

antiwire

New Member
Aug 30, 2004
3
0
#3
Forensic uses

Computer forensic techniques could also be useful in the event of a security breach. Gathering as much information about an exploit that was used or a setup that was flawed will always help in the search of the intruder(s). The same information can be used to secure the holes and to determine how much damage was done to the system. Very useful in that type of situation. Has anyone been put into this position before? I am very interested in how it was handled.
 
keydet89

Sep 2, 2004
70
6
#4
"Gathering as much information about an exploit that was used or a setup that was flawed will always help in the search of the intruder(s). "
This is true, but remember, many investigations are non-litigious in nature...they are intended to find out what happened and how, not to prosecute someone. This is the approach I take when addressing Windows systems in my book, "Windows Forensics and Incident Recovery".

In a nutshell, data collection is easy...what's hard is analyzing the data, and understanding what it's telling you. Running various tools on a potentially compromised system is simple...anyone can pipe the output to the A:\ drive, a mapped or thumb drive, or to a socket. However, how many people can go through the collected data and either find out what happened, or determine where else they need to look?

I think "forensics" doesn't have to mean "unplug the system and make a bit-level image of the drive", b/c when you do that, you end up losing a great deal of valuable volatile data. For example, let's say you shut down a Windows system that's been running for, say, two weeks. You find files for SubSeven on the system, with last access times of a week ago. The last access times were updated when the program was loaded into memory and executed...but the process could have been shut down a couple of hours later. How do you know that at the time the incident occurred, that program was still active *and* used to commit the compromise?

Just some thoughts...

H. Carvey
 
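The distinction drawn in the post above between an executable's last-access time and whether its process was actually running when the incident occurred, as an added illustration that is not part of the thread. All paths, timestamps and process data below are constructed; the point it shows is that without a volatile process snapshot the timestamps alone cannot place a program in memory at incident time.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real case).
INCIDENT_TIME = datetime(2004, 8, 31, 3, 30)

# Last-access timestamps read from the disk image (path -> timestamp).
# Caveat: NTFS may defer last-access updates, and later Windows versions disable
# them by default, so these are weak evidence on their own.
FILE_ACCESS_TIMES = {
    r"C:\Windows\System32\svchost.exe": datetime(2004, 8, 31, 2, 0),
    r"C:\Temp\server.exe": datetime(2004, 8, 24, 14, 12),  # hypothetical remote-access tool drop
    r"C:\Temp\cleanup.exe": datetime(2004, 8, 31, 9, 5),
    r"C:\Windows\notepad.exe": datetime(2004, 7, 2, 11, 0),
}

# Volatile process listing captured on the live system before shutdown
# (image path -> process start time). Anything absent was not running then.
LIVE_PROCESSES = {
    r"C:\Windows\System32\svchost.exe": datetime(2004, 8, 18, 7, 55),
}


def classify_executables(access_times, live_processes, incident_time,
                         window=timedelta(days=14)):
    """Give each executable a verdict about its state at incident time.

    A last-access time before the incident only proves the file was loaded
    at some point; only a process snapshot can corroborate that it was still
    resident when the incident happened.
    """
    verdicts = {}
    for path, accessed in access_times.items():
        started = live_processes.get(path)
        if accessed > incident_time:
            # Could be a later run, an AV scan, or the responder's own tools.
            verdicts[path] = "accessed after incident: timestamp may reflect later activity"
        elif accessed < incident_time - window:
            verdicts[path] = "no recent execution recorded"
        elif started is not None and started <= incident_time:
            verdicts[path] = "corroborated: running at incident time"
        else:
            verdicts[path] = "loaded before incident; no proof it was still running"
    return verdicts


if __name__ == "__main__":
    for path, verdict in classify_executables(FILE_ACCESS_TIMES, LIVE_PROCESSES, INCIDENT_TIME).items():
        print(f"{path}: {verdict}")
```

Run the same function with an empty process listing (the situation after pulling the plug) and every recently executed file drops to "no proof", which is exactly the ambiguity the post describes.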

Dayu

New Member
Apr 21, 2005
6
0
#6
To clear the truth is the only duty for investigators

Computer Forensics should not be limited to data collection, documentation, etc.
We should pay more attention to the digital forensic analysis of certain cases.
To clear the truth is the only duty for investigators.

Dayu Kao
Taiwan
 

Anonymous

Guest
#7
Computer Forensics is formally defined as:

“The gathering and analysis of digital information in an authentic, accurate and complete form for presentation as evidence in a civil proceeding or a court of law”

Digital Evidence is defined by the Scientific Working Group for Digital Evidence (SWGDE, U.S. DOJ) as:

“Any information of probative value that is either stored or transmitted in binary form”

I think this concisely sums up what CF is and what it can be applied to.
 

keatron

New Member
Sep 10, 2006
18
0
#8
keydet89 said:
"Gathering as much information about an exploit that was used or a setup that was flawed will always help in the search of the intruder(s). "
This is true, but remember, many investigations are non-litigious in nature...they are intended to find out what happened and how, not to prosecute someone. This is the approach I take when addressing Windows systems in my book, "Windows Forensics and Incident Recovery".

In a nutshell, data collection is easy...what's hard is analyzing the data, and understanding what it's telling you. Running various tools on a potentially compromised system is simple...anyone can pipe the output to the A:\ drive, a mapped or thumb drive, or to a socket. However, how many people can go through the collected data and either find out what happened, or determine where else they need to look?

I think "forensics" doesn't have to mean "unplug the system and make a bit-level image of the drive", b/c when you do that, you end up losing a great deal of valuable volatile data. For example, let's say you shut down a Windows system that's been running for, say, two weeks. You find files for SubSeven on the system, with last access times of a week ago. The last access times were updated when the program was loaded into memory and executed...but the process could have been shut down a couple of hours later. How do you know that at the time the incident occurred, that program was still active *and* used to commit the compromise?

Just some thoughts...

H. Carvey
Solid advice and by the way, a good book. I have it in my collection.
 

selil

New Member
Sep 11, 2006
258
0
#10
Forensic science is about finding the truth as in evidentiary proof. In none of the other branches of forensic science do you find so many people willing to muck about building tools that aren’t first based on a science. Computer Forensics is about finding the criminal or civil evidence in a case/situation. To do so the greatest tool an investigator can have is a superlative thinking mind. A finely trained mind can be used anywhere in a business.

The tools of computer forensics can be used for incident response, audit and control, verification and validation, information assurance and security, and much more. Looking for HIPPA or FERPA violations is one example of audit. Perhaps looking for information or hidden channel communications for privacy. K-anonymity is hardly considered by companies, but a substantial risk and computer forensics has many key tools for finding that kind of data leakage.
 
