Five on Forensics Page 1 - Craig Ball
Five on Forensics
© 2002-2008 Craig Ball All Rights Reserved
comprise only .003% of the total. Magnetic storage is by far the largest medium for storing information and is the most rapidly growing, with shipped hard drive capacity doubling every year.
Single hard drives now hold a gigabyte of data and sell for less than forty cents per gigabyte, a two-thousand-fold price drop in just a few years' time. By way of comparison, if the automobile industry were as efficient, you could buy a new car for less than you paid for your last haircut!
Computer Forensics
Computer forensics is the identification, preservation, extraction, interpretation and presentation of computer-related evidence. It sounds like something anyone who knows his way around a computer might be able to do, and in fact, many who offer their services as computer forensic specialists have no formal forensic training or certification--which is not to say they can't do the job well, but it certainly makes it hard to be confident they can! There are compelling reasons to hire a formally trained and experienced computer forensic specialist. Far more information is retained by a computer than most people realize, and without using the right tools and techniques to preserve, examine and extract data, you run the risk of losing something important, rendering what you do find inadmissible, or even being charged with spoliation of the evidence.
The cardinal rules of computer forensics can be expressed as the five As:
1. Admissibility must guide actions: document everything that is done;
2. Acquire the evidence without altering or damaging the original;
3. Authenticate your copy to be certain it is identical to the source data;
4. Analyze the data while retaining its integrity; and,
5. Anticipate the unexpected.
These cardinal rules are designed to facilitate a forensically sound examination of computer media and enable a forensic examiner to testify in court as to their handling of a particular piece of evidence. A forensically sound examination is conducted under controlled conditions, such that it is fully documented, replicable and verifiable. A forensically sound methodology changes no data on the original evidence, preserving it in pristine condition. The results must be replicable such that any qualified expert who completes an examination of the media employing the same tools and methods will secure the same results.
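The "Authenticate" rule in the list above and the "documented, replicable and verifiable" standard in the paragraph above are usually met by hashing: the same algorithm run over the original and over the copy must produce the same digest, and the digests go into the examination notes so that anyone can repeat the check. The paper names no particular tool, so the following is an added example written for this page, not the author's code; the chunked file hashing, the JSON log record and the examiner name are assumptions, and the "source" and "copies" are constructed in a temporary directory so the script runs offline.

```python
"""Added example: authenticate a forensic copy against its source by hashing both,
and record the check in a form that can be reproduced later. Uses only the
Python standard library. The sample files are constructed, not real evidence."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images need not fit in memory


def hash_bytes(data, algorithm="sha256"):
    """Digest of an in-memory byte string (handy for small checks and tests)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256"):
    """Digest of a file, read in chunks. The file is only opened for reading,
    so the check itself never alters what it measures."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_copy(source, copy, algorithm="sha256"):
    """Hash source and copy with the same algorithm and report whether they match.
    Both digests are returned, not just the verdict, so the record can be re-checked."""
    src_hash = hash_file(source, algorithm)
    copy_hash = hash_file(copy, algorithm)
    return {
        "algorithm": algorithm,
        "source": os.path.abspath(source),
        "copy": os.path.abspath(copy),
        "source_hash": src_hash,
        "copy_hash": copy_hash,
        "match": src_hash == copy_hash,
    }


def log_entry(result, examiner):
    """Timestamped, JSON-serialisable note of the verification for the case file.
    'examiner' is whoever ran the check (an assumed field, not from the paper)."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": "verify_copy",
        "examiner": examiner,
        **result,
    }


def demo():
    """Constructed scenario: one source, a faithful copy and a copy with a single
    flipped bit. Returns (faithful_matches, altered_matches)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "source.bin")
        good = os.path.join(d, "good_copy.bin")
        bad = os.path.join(d, "altered_copy.bin")
        data = os.urandom(3 * CHUNK + 17)  # spans several chunks, not a multiple
        altered = data[:-1] + bytes([data[-1] ^ 0x01])  # flip the last bit
        for path, content in ((src, data), (good, data), (bad, altered)):
            with open(path, "wb") as f:
                f.write(content)
        good_result = verify_copy(src, good)
        bad_result = verify_copy(src, bad)
        for r in (good_result, bad_result):
            print(json.dumps(log_entry(r, examiner="J. Doe (placeholder)"), indent=2))
        return good_result["match"], bad_result["match"]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A one-bit change anywhere in a multi-megabyte image is enough to change the digest, which is why the comparison is all-or-nothing; the retained digests, algorithm name and timestamp are what let a second examiner with the same tools reach the same result.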
After reading this paper, you may know enough of the basics of computer forensics to conduct a rudimentary investigation; but recognize that conducting a computer forensic investigation without the assistance of a qualified expert is a terrible idea. Experiment on an old system if you'd like, but leave real evidence to the experts.
Computer forensics focuses on three categories of data:
Page 9