Beginner’s Guide to Computer Forensics

Computer forensics is the practice of collecting, analyzing and reporting digital information in a legally acceptable manner. It can be used in crime detection and prevention and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar problems.

About this guide

This guide discusses computer forensics from a neutral perspective. It is not linked to any particular legislation, is not intended to promote any particular company or product, and is not written from the standpoint of either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics.

This guide uses the term “computer”, but the concepts apply to any device capable of storing digital information. Where methodologies are mentioned, they are provided as examples only and do not constitute recommendations or advice. Copying and publishing all or part of this article is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license.

Use of computer forensics

There are some areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and as a result are often at the forefront of developments in the field. Computers can become a ‘crime scene’, for example by means of hacking [1] or denial of service attacks [2], or they can store evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnapping, fraud and drug trafficking. It is not only the content of emails, documents and other files that may be of interest to investigators, but also the ‘meta-data’ [3] associated with those files. A computer forensic examination can reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed, and which user carried out these actions.

More recently, commercial organizations have used computer forensics to their benefit in a variety of cases such as:

Intellectual Property Theft
Industrial espionage
Job disputes
Fraud investigation
Marriage problems
Bankruptcy investigation
Inappropriate use of email and internet at work
Compliance with regulations


For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of the process admissibility must be at the forefront of the computer forensic examiner’s mind. One set of guidelines that has been widely accepted to assist in this regard is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or the ACPO Guidelines for short.

While the ACPO Guidelines are aimed at UK law enforcement, their main principles apply to all computer forensics in any jurisdiction. The four main principles of the guidelines are reproduced below (with law enforcement references removed):

1. No action should change data held on a computer or storage media which may subsequently be relied upon in court.

2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In short, no changes should be made to the original; where access or changes are unavoidable, the examiner must know exactly what they did and log their actions.

Direct acquisition

Principle 2 above may raise the question: in what circumstances would changes to a suspect’s computer by a computer forensic examiner be necessary? Traditionally, the examiner makes a copy of (or acquires) information from a device which is turned off. A write-blocker [4] is used to make an exact bit-for-bit copy [5] of the original storage medium. The examiner then works from this copy, leaving the original unchanged.
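As an added illustration of the write-blocked bit-for-bit copy described above, and of the audit trail and independent re-verification required by principle 3, the following Python sketch images a constructed in-memory ‘device’, hashes the source before and after the copy as well as the image itself, and records each step. This is example code, not part of the original guide; the device contents, fragment text and log field names are invented for the example.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample "storage medium" standing in for a real device that is
# attached through a write-blocker and opened read-only (assumption).
FRAGMENT_A = b"report.docx saved by user jdoe"
FRAGMENT_B = b"deleted-file-fragment"
SOURCE_DEVICE = bytearray(4096)                       # 8 sectors of 512 bytes
SOURCE_DEVICE[512:512 + len(FRAGMENT_A)] = FRAGMENT_A
SOURCE_DEVICE[3000:3000 + len(FRAGMENT_B)] = FRAGMENT_B  # "unallocated" area


def sha256_stream(fp, block_size=512):
    """Hash a readable stream sector by sector, as an imaging tool would."""
    h = hashlib.sha256()
    fp.seek(0)
    for chunk in iter(lambda: fp.read(block_size), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(source, block_size=512):
    """Bit-for-bit copy of `source` with hashes and a time-stamped audit trail."""
    audit = []

    def log(step, **detail):
        audit.append({"time": datetime.now(timezone.utc).isoformat(), "step": step, **detail})

    before = sha256_stream(source, block_size)
    log("hash_source_before", sha256=before)
    image, sectors = io.BytesIO(), 0
    source.seek(0)
    for chunk in iter(lambda: source.read(block_size), b""):
        image.write(chunk)          # every sector, including unallocated space
        sectors += 1
    log("copy_complete", sectors=sectors, block_size=block_size)
    image_hash = sha256_stream(image, block_size)
    after = sha256_stream(source, block_size)   # shows the source was not altered
    log("verify", image_sha256=image_hash, source_sha256_after=after)
    return image.getvalue(), before, image_hash, after, audit


def verify_acquisition(before, image_hash, after):
    """Source unchanged (before == after) and image exact (image hash == before)."""
    return before == after == image_hash


def run_demo():
    """Image the constructed device; return (verified, image_bytes, audit_trail)."""
    image, before, image_hash, after, audit = acquire_image(io.BytesIO(bytes(SOURCE_DEVICE)))
    return verify_acquisition(before, image_hash, after), image, audit
```

Anyone given the image and the audit trail can recompute the SHA-256 independently and must obtain the recorded value, which is the check principle 3 asks for.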

However, sometimes it is not possible or desirable to turn off the computer. Shutting down the computer may not be possible if doing so will result in substantial financial or other loss to the owner. It may not be desirable to shut down the computer if it means that potentially valuable evidence may be lost.

In both of these circumstances the computer forensic examiner will need to perform a ‘direct acquisition’ which will involve running a small program on the suspect’s computer to copy (or acquire) data to the examiner’s hard drive.

By running such a program and attaching a destination drive to the suspect’s computer, the examiner will make changes and/or additions to the state of the computer which were not present before their actions. Such actions remain admissible as long as the examiner records what they did, is aware of its impact and is able to explain it.

Stages of an examination

For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, the examiner must remain flexible during an examination. For example, during the analysis stage the examiner may find a new lead which warrants further computers being examined and means a return to the evaluation stage.

Readiness

Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, a forensic examination will provide stronger evidence if a server’s or computer’s built-in auditing and logging systems are all switched on.

For examiners, there are many areas where prior preparation can help, including training, regular testing and verification of software and equipment, understanding of the law, dealing with unexpected issues (for example, what to do if child pornography is present during commercial work) and making sure the on-site acquisition kit is complete and in working order.

Evaluation

The evaluation stage includes receiving clear instructions, risk analysis and the allocation of roles and resources. A risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect’s property and how best to deal with it. Commercial organizations also need to be aware of health and safety issues, while their evaluation will also cover the reputational and financial risks of accepting a particular project.

Collection

The main part of the collection stage, acquisition, was introduced above. If the acquisition is to take place on-site rather than in a computer forensic laboratory, this stage will include identifying, securing and documenting the scene.

Interviews or meetings with personnel who may hold information relevant to the examination (which may include the computer’s end users, and managers and persons responsible for providing computer services) are usually conducted at this stage. The ‘bag and tag’ audit trail starts here, by sealing any material in unique, tamper-evident bags. Consideration should also be given to transporting the material safely and securely to the examining laboratory.

Analysis

The analysis depends on the specifics of each job. The examiner usually provides feedback to the client during the analysis, and from this dialogue the analysis may take a different path or be narrowed to a specific area. The analysis must be accurate, thorough, impartial, recorded, repeatable, and completed within the time scale available and the resources allocated.

There are a myriad of tools available for computer forensic analysis. We argue that examiners should use whatever tool they feel comfortable with as long as they can justify their choice. The main requirement of computer forensics tools is that they do what they are intended to do and the only way for examiners to ensure this is for them to regularly test and calibrate the tools they are using before any analysis is carried out.

Dual-tool verification can confirm the integrity of results during analysis: if with tool ‘A’ the examiner finds artifact ‘X’ at location ‘Y’, then tool ‘B’ should replicate that result.

Presentation

This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It will also cover any other information which the examiner deems relevant to the investigation.

Reports should be written with the end reader in mind; in most cases the reader of the report will be non-technical, so the terminology must acknowledge this. Examiners should also be prepared to participate in telephone meetings or conferences to discuss and elaborate on the report.

Review

Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived cost of doing work that is not billable, or the need ‘to get on with the next job’. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time effective.

A review of an examination can be simple and quick, and can begin during any of the above stages. It may include a basic ‘what went wrong and how can this be improved’ and a ‘what went well and how can it be incorporated into future examinations’. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.

Problems facing computer forensics

The problems facing computer forensic examiners can be broken down into three broad categories: technical, legal and administrative.

Technical issues

Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer which the suspect has had access to. It could also reside in the computer’s volatile memory (known as RAM [6]), which is usually lost when the computer is turned off; another reason to consider using direct acquisition techniques as outlined above.

Increasing storage capacity – Storage media hold ever greater amounts of data, which for examiners means that their analysis computers need sufficient processing power and available storage to search and analyze large amounts of data efficiently.

New technologies – Computing is an ever-changing field, with new hardware, software and operating systems constantly being produced. No single computer forensic examiner can be an expert in all areas, although they are often expected to analyze something they have never done before. To deal with this situation, examiners must be prepared and able to test and experiment with the behavior of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this regard as it is likely that others are experiencing the same problem.

Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, over-writing of data to make it unrecoverable, modification of file meta-data and file obfuscation (disguising files). As with encryption, evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience it is very rare to see anti-forensics tools used correctly and frequently enough to fully obscure either their own presence or the presence of the evidence they were used to hide.

Legal issues

Legal arguments may confuse or distract from a computer examiner’s findings. An example here is the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, including key-logging [7], uploading and downloading of files, and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by the user but were automated by a Trojan without the user’s knowledge; such a Trojan Defence has been used successfully even when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to refute the argument.

Administrative issues

Accepted standards – There are a great many standards and guidelines in computer forensics, but no single one appears to be universally accepted. The reasons for this include standard-setting bodies being tied to particular legislations, standards being aimed either at law enforcement or at commercial forensics but not both, the authors of such standards not being accepted by their peers, and high joining fees dissuading practitioners from participating.

Fitness to practice – In many jurisdictions there are no qualifying bodies to check the competence and integrity of computer forensics professionals. In such cases anyone can present themselves as a computer forensics expert, which can result in a computer forensics examination of dubious quality and a negative view of the profession as a whole.

Resources and further reading

There does not seem to be much material covering computer forensics that is aimed at a non-technical readership.

1. Hacking: modifying a computer in a way which was not originally intended, for the hacker’s benefit.
2. Denial of Service attack: an attempt to prevent legitimate users of a computer system from having access to that system’s information or services.
3. Meta-data: at a basic level, meta-data is data about data. It can be embedded within a file or stored externally in a separate file and may contain information about the file’s author, format, creation date and so on.
4. Write blocker: a hardware device or software application which prevents any data from being modified or added to the storage medium being examined.
5. Bit copy: ‘bit’ is a contraction of the term ‘binary digit’ and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium ‘invisible’ to the user.
6. RAM: Random Access Memory. RAM is a computer’s temporary workspace and is volatile, which means its contents are lost when the computer is powered off.
7. Key-logging: the recording of keyboard input, giving the ability to read a user’s typed passwords, emails and other confidential information.