Sunday, October 19, 2008

Computer Forensics – Different strokes for different folks.

Now that I am back from a little R&R, I thought I would spend a few words talking about the different kinds of computer forensics and their applications, mostly because I see a lot of posts on different forums from folks wanting to get started in the field, and I would like to share some information about what computer forensics is in its three major forms.

Computer forensics can be broadly broken into three areas: Live forensics, post-mortem forensics and e-discovery.

Live forensics, which also goes by the monikers incident response or network forensics, is about responding to a breach of security in an operating network or computer and capturing data for forensic analysis from that environment “live”.

A subset of live forensics is the capturing of data from an operating computer to preserve “volatile” data: data that disappears when the computer is turned off, such as the content of the computer’s memory, the part of the computer that temporarily stores information for use during that computing session. Memory should not be confused with storage.

But in general, live forensics deals with capturing data about a network intrusion or internal security breach.

To properly perform incident response work, aka live forensics, the analyst must have an excellent knowledge of network security, OSI layers, intrusion methods, data leakage, and network operating systems. Your purpose in the majority of these types of cases is finding out where a network is compromised, halting the attack and documenting the method and type of attack for possible legal action.

Incident response is the purview of network security professionals and anyone wishing to get into this field should obtain education and training in the various network security specialties.

Post-mortem computer forensics is performing a data autopsy on a “dead” system. Dead in this case meaning a computer that has been powered down, not that the computer is broken.

In the case of post-mortem computer forensics, the focus is on data recovery and analysis of stored information that resides on the computer hard drives or other types of permanent storage devices.

Post-mortem computer forensics is probably what most people have in mind when thinking about computer forensics. This is the kind of work you see in a lot of criminal and civil cases that involve the recovery of documents, emails and the like, which are used to establish user activity as it relates to a divorce, child pornography or theft case. Post-mortem forensics figured prominently in the Scott Peterson, BTK killer, Neil Entwistle, Julie Amero and Michael Jackson cases, to name just a few.

Recovered e-mail, internet searches, internet maps and other information were produced and used in these cases in some form or another.

E-discovery is another field of computer forensics that involves capturing and analyzing large amounts of data, mostly in large cases involving dozens to hundreds of computers. The focus of e-discovery is the production of relevant documents more than the recovery of deleted or hidden data. In an e-discovery case, there may be thousands of documents that must be tagged, indexed and checked for proper disclosure before the production is allowed to be seen by either side, in order to protect attorney-client privilege.

In many cases, documents that were improperly exposed before being reviewed have nonetheless been entered into evidence.

E-discovery tends to be very expensive and requires specialized software to capture the documents and to then analyze, sort and produce those documents for the parties involved in a manageable form.

One of the current trends is to outsource e-discovery to offshore firms in India to reduce the costs of these types of analyses. That in itself presents some real challenges to litigators and should be approached with caution.

So there you have the three major divisions of computer forensics, each a specialty in its own right, requiring unique tools and skills from the analyst.
