Sunday, October 19, 2008

Computer Forensics – Different strokes for different folks.

Now that I am back from a little R&R, I thought I would spend a few words talking about the different kinds of computer forensics and their applications. Mostly because I see a lot of posts on different forums from folks wanting to get started in the field, and I would like to try and share some information about what computer forensics is in its three major forms.

Computer forensics can be broadly broken into three areas: Live forensics, post-mortem forensics and e-discovery.

Live forensics, which goes by the moniker incident response or network forensics, is about responding to a breach of security in an operating network or computer and capturing data for forensic analysis from that environment “live”.

A subset of live forensics is the capturing of data from an operating computer to preserve “volatile” data: data that disappears when the computer is turned off, such as the content of the computer’s memory, the part of the computer that temporarily stores information for use during that computing session. Memory should not be confused with storage.

But in general live forensics deals with capturing data about a network intrusion or internal security breach.

To properly perform incident response work, aka live forensics, the analyst must have an excellent knowledge of network security, OSI layers, intrusion methods, data leakage, and network operating systems. Your purpose in the majority of these types of cases is finding out where a network is compromised, halting the attack and documenting the method and type of attack for possible legal action.

Incident response is the purview of network security professionals and anyone wishing to get into this field should obtain education and training in the various network security specialties.

Post-mortem computer forensics is performing a data autopsy on a “dead” system. Dead in this case meaning a computer that has been powered down, not that the computer is broken.

In the case of post-mortem computer forensics, the focus is on data recovery and analysis of stored information that resides on the computer hard drives or other types of permanent storage devices.

Post-mortem computer forensics is probably what most people have in mind when thinking about computer forensics. This is the kind of stuff you see in a lot of criminal and civil cases that involve the recovery of documents and emails and such that are used to establish user activity as it relates to a divorce or a child pornography or theft case. Post-mortem forensics figured prominently in the Scott Peterson, BTK killer, Neil Entwistle, Julie Amero and the Michael Jackson cases to name just a few.

Production of recovered e-mail, internet searches, internet maps and other information was used in these cases in some form or another.

E-discovery is another field of computer forensics that involves capturing and analyzing large amounts of data, mostly in large cases involving dozens to hundreds of computers. The focus of e-discovery is the production of relevant documents more than the recovery of deleted or hidden data. In an e-discovery case, there may be thousands of documents that must be tagged, indexed and checked for proper disclosure prior to allowing the production to be seen by either side to protect attorney-client privileges.

In many cases, improperly exposing documents that have not been reviewed has not prevented them from being entered into evidence.

E-discovery tends to be very expensive and requires specialized software to capture the documents and to then analyze, sort and produce those documents for the parties involved in a manageable form.

One of the current trends is to outsource e-discovery to offshore firms in India to reduce the costs of these types of analyses. That in itself presents some real challenges to litigators and should be approached with caution.

So there you have the three major divisions of computer forensics, each a specialty in its own right, requiring unique tools and skills for the analyst.


  1. I accidentally deleted a comment from A Voice of Sanity so I am retyping it here.

    Post-mortem forensics figured prominently in the Scott Peterson ... cases to name just a few.

    How exactly?

  2. And to reply to this comment in particular:

    Here is a link to a case study done on the Scott Peterson case computer forensics by FTK.

  3. Thanks. I looked at this but it's really a puff for the software used. So far all that anyone has ever proven is that Peterson had four sexual encounters with Frey. That was not in doubt by the time the prosecution began and in fact there are reports that one detective, Brocchini, bragged after the trial that he had known about them before he ever went to the home on Covena, putting the lie to his own statements.

    What the 'forensics' in this case did was confuse the jury by implying that there was evidence somewhere of homicide on Peterson's part. None was offered. In fact a recent study of the case and its costs led to the conclusion that $11 million was spent to convict him. This included 20,000 hours of police time and 20,000 hours of prosecutors' time. This is extraordinary, particularly because at the end all the prosecution had was suggestions of bad character. Not a single piece of evidence, valid under the laws of California, was ever offered and yet a conviction was still obtained.

    Some jurors said that while the defense offered a highly paid, razzle-dazzle defense they were not fooled by it. It seems they were fooled by the prosecution which spent over an order of magnitude more and still had nothing.

  4. I read all of the computer forensics testimony last night. Quite frankly, I can see how it would confuse a jury since it apparently confused the expert witnesses providing the testimony.

    I have no way of knowing if the defense had a computer forensics expert on their team, but it did not appear like it from the examination of the experts for the prosecution.

    All in all, I thought the testimony was very poor, along with the organization of the questioning by the attorneys on both sides.

    I can't see how a jury could follow it at all.

  5. Nice article!

    I understand that it is not always easy to clearly categorize an activity so that it belongs to just one area. You mentioned network forensics as being "Live forensics". I would agree with you when it comes to using IDS's etc., but there is also the activity of analyzing captured network traffic (in pcap files) with a network forensic analysis tool (such as the open source tool NetworkMiner or any of the commercial ones).

    I would argue that performing that type of off-line analysis of a pcap file is more of "post-mortem forensics" than "live forensics". Would you agree, or have I misunderstood your categorization?

  6. At the risk of abusing a medical term, I would categorize analysis of captured data from a live system or network more as performing pathology on a biopsy. Analysing part of a live system in the lab, so to speak.

    Where post-mortem forensics is analysis of a complete system, in a dead state. More like a complete autopsy.


I have moderated my comments due to spam.