Has your computer been used in a crime? We'll tell you how to find out.

When someone asks me what I do, I say "computer forensics." I invariably get a quick "that's interesting," accompanied by a hesitant look, followed by "what is that?" Today I'll answer this question by explaining how computer forensics works to preserve, identify, extract, document, and interpret computer data and tell you what to do if you think your computer's been involved in a crime.

Computer misuse tends to fall into two main categories: either a computer is used to commit a crime, or the computer itself is the target of a crime. The steps for searching for clues remain the same in both cases.

Collect the evidence
The hunt for digital clues is often more of an art than a science, but like any discipline, we follow clear and well-defined methodologies and procedures. Most people assume that we just dive into a computer, digging for clues. In reality, the first step is to painstakingly preserve all the digital evidence found at a crime scene. Investigators need to act fast because logs and other electronic data do not last long.

If you think your computer's been used in a crime, don't boot off the original evidence hard drive to "look around." Every time an operating system boots, it writes new data to the hard drive and overwrites old data. You may lose valuable evidence and reduce the value of the drive as legal evidence.

Investigators will have time to examine the evidence later as long as it's collected when it's still available. An important investigation is not the appropriate time to learn how to properly search a hard drive. Let an expert do it.

Collection of the evidence must be carefully performed and well-documented to avoid later accusations of evidence tampering.

Copy the hard drive
Qualified professionals make a forensic image (exact copy) of all the drives on the computer. The copy of the hard drive will include deleted files, hidden data, and areas of the hard drive that "normal" backup software doesn't copy.

Documentation of all aspects of the investigation is essential. Original evidence is collected and safeguarded, tagged and stored securely, before an investigator begins looking for incriminating data using a copy of the original evidence.
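The two ideas in this section, a bit-for-bit image and a documented acquisition, can be shown in a few lines. The following Python is an added example written for this page, not the author's own tooling: it images a constructed in-memory "drive" block by block, hashes the source and the written image independently, records both hashes in a hypothetical chain-of-custody entry (the field names are assumptions), and shows how a later verification catches any write to the image. The `SAMPLE_DRIVE` bytes are constructed sample data.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1024  # read/write block size used while imaging

# Constructed stand-in for a small evidence drive (not real data): a few
# "sectors" of text plus a run of zeros like the free space a real disk has.
SAMPLE_DRIVE = ((b"BOOT-SECTOR " * 43)[:512]
                + b"invoice.txt: amount 1200 " * 20
                + b"\x00" * 1500)


def image_device(src, dst, chunk=CHUNK):
    """Copy src to dst block by block, hashing the source as it is read.
    Then re-read dst from the start and hash it independently, so the image
    hash reflects what was actually written, not what we meant to write.
    Returns (source_sha256, image_sha256) as hex strings."""
    h_src = hashlib.sha256()
    while True:
        block = src.read(chunk)
        if not block:
            break
        h_src.update(block)
        dst.write(block)
    dst.flush()
    dst.seek(0)
    h_img = hashlib.sha256()
    while True:
        block = dst.read(chunk)
        if not block:
            break
        h_img.update(block)
    return h_src.hexdigest(), h_img.hexdigest()


def image_bytes(data):
    """In-memory wrapper: image `data` and return
    (image_bytes, source_sha256, image_sha256)."""
    src, dst = io.BytesIO(data), io.BytesIO()
    src_hash, img_hash = image_device(src, dst)
    return dst.getvalue(), src_hash, img_hash


def verify_image(image, expected_hash):
    """Re-hash an image (for example before each examination session) and
    compare with the hash recorded at acquisition. Any later write shows up
    here, which is why examiners work on a copy and never the original."""
    return hashlib.sha256(image).hexdigest() == expected_hash


def custody_record(case_id, item_tag, examiner, src_hash, img_hash, size):
    """Acquisition entry for the chain-of-custody log. Hypothetical field
    names chosen for this example; real labs use their own forms."""
    return {
        "case_id": case_id,
        "item_tag": item_tag,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": size,
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": src_hash == img_hash,
    }


if __name__ == "__main__":
    image, src_hash, img_hash = image_bytes(SAMPLE_DRIVE)
    record = custody_record("CASE-0001", "ITEM-01 (constructed sample)",
                            "examiner", src_hash, img_hash, len(image))
    print(json.dumps(record, indent=2))
    # One flipped byte and the image no longer matches the recorded hash.
    tampered = bytearray(image)
    tampered[0] ^= 0xFF
    print("original verifies:", verify_image(image, img_hash))
    print("tampered verifies:", verify_image(bytes(tampered), img_hash))
```

On a real acquisition the source would be the block device opened read-only (ideally behind a hardware write blocker) and the destination an image file; the hashing and record-keeping are the same. Hashing the written image separately, rather than reusing the source hash, is what lets the record prove the copy is exact.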

Search for clues
Forensic experts use hardware and software to search for clues on the hard-drive copies. Useful evidence may exist in a lot of different areas, both obvious and obscure. Investigators may comb through:
  • Email
  • Temp files
  • Recycle Bin
  • Recently linked files
  • Files in the print spool area
  • Internet history
  • Registry
  • Unallocated space -- free space on the hard drive
  • File slack -- unused space between the logical end of a file's data and the end of the last cluster allocated to it

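The last two items on that list, unallocated space and file slack, are the least obvious, so here is an added worked example (mine, not the author's, and not taken from any forensic product) of what an examiner recovers from them. It builds a constructed eight-cluster "disk" with a 512-byte cluster size (an assumption for the example), writes a 700-byte file over clusters that previously held a deleted note, leaves another deleted fragment in a free cluster, and then pulls the slack bytes and the unallocated clusters back out and runs a `strings`-style scan over them.

```python
CLUSTER = 512  # assumed allocation unit for the constructed image


def slack_bytes(logical_size, cluster_size=CLUSTER):
    """Bytes between the logical end of a file and the end of its last
    cluster. A file that exactly fills its clusters has no slack."""
    if logical_size <= 0:
        return 0
    return (-logical_size) % cluster_size


def extract_slack(image, start_cluster, logical_size, cluster_size=CLUSTER):
    """Return the slack bytes of a file stored contiguously from start_cluster.
    Whatever occupied those bytes before is still there: the file system only
    tracks the logical size and never clears the tail of the last cluster."""
    end_of_data = start_cluster * cluster_size + logical_size
    length = slack_bytes(logical_size, cluster_size)
    return bytes(image[end_of_data:end_of_data + length])


def unallocated_clusters(allocated, total_clusters):
    """Clusters the allocation table marks as free."""
    return [c for c in range(total_clusters) if c not in allocated]


def carve_unallocated(image, allocated, cluster_size=CLUSTER):
    """Concatenate every free cluster; deleted files live here until reused."""
    total = len(image) // cluster_size
    return b"".join(bytes(image[c * cluster_size:(c + 1) * cluster_size])
                    for c in unallocated_clusters(allocated, total))


def printable_strings(data, min_len=8):
    """Like the `strings` utility: runs of printable ASCII of at least min_len."""
    found, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def build_sample_image():
    """Constructed 8-cluster disk (sample data, not a real image).
    Clusters 2-3 once held a note that was deleted; a 700-byte file was then
    written over the start of the same clusters. Cluster 5 is free but still
    holds a fragment of another deleted file."""
    img = bytearray(8 * CLUSTER)
    old_note = (b"DELETED-NOTE " * 100)[:2 * CLUSTER]
    img[2 * CLUSTER:4 * CLUSTER] = old_note
    img[2 * CLUSTER:2 * CLUSTER + 700] = b"A" * 700          # current file
    img[5 * CLUSTER:6 * CLUSTER] = (b"unallocated fragment " * 30)[:CLUSTER]
    allocated = {0, 1, 2, 3}   # 0-1 metadata, 2-3 the 700-byte file
    return img, allocated


if __name__ == "__main__":
    img, allocated = build_sample_image()
    slack = extract_slack(img, start_cluster=2, logical_size=700)
    print("slack bytes:", len(slack), "->", printable_strings(slack)[:1])
    free = carve_unallocated(img, allocated)
    print("free clusters:", unallocated_clusters(allocated, 8))
    print("strings in unallocated space:", printable_strings(free))
```

The numbers are the point: a 700-byte file on 512-byte clusters leaves 324 bytes of slack, and every one of them still reads "DELETED-NOTE" even though no directory entry refers to that note any more. Real file systems also fragment files and keep allocation state in structures such as a FAT or bitmap, so a production tool walks those structures rather than taking a contiguous start cluster, but the two recovery steps are exactly these.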
Here's a list of resources that can help you learn more about computer forensics and the tools of the trade.

Warren Kruse is a cybercrime expert and author of "Computer Forensics: Incident Response Essentials," available at Amazon.com. Email him at wgkruse@computer-forensic.com.
