It's Evident


Cyber Forensics: Part I
by Dr. Susan Zucker, Director of Technology and Distance Education

Background: It wasn’t too long ago that computer data storage was limited to cassette tapes. In the 1970’s, important files were stored on these tapes until 160k floppy disk drives became available, which offered ample space at the time. Only computer “geeks” experienced the joy that having greater storage brought, because only they were using computers then. It was beyond imagination that five megabyte hard disk drives of the early 80’s would eventually evolve into multiple-gigabyte storage; or that floppy diskette storage would eventually exceed two megabytes; let alone the advent of portable flash memory devices. Things sure have changed (Anderson).

Advances in technology leading to greater data storage capacity, the development and popularity of the Internet, and the huge increase in the number of computer users have led to a plethora of cyber crime. To combat this problem, the field of cyber forensics has developed. Cyber forensics focuses not on traditional offline computer forensic technology but on real-time, online evidence such as tracking emails and instant messages as they are sent as well as virtually all other forms of computer related communications (Gallegos). This is quite a feat given the billions of communications that take place around the world at any given time.

Cyber forensics consists of two components – computer forensics and network forensics. Computer forensic science is the discipline of acquiring, preserving, retrieving, analyzing, reconstructing, and presenting data that has been processed electronically and stored on computer media including networks. This discipline relates to investigations by law enforcement agencies for use in a court of law. The methods used must be technologically robust to ensure that all probative information is recovered, that original evidence is unaltered, and that no data were added to or deleted from the original collection. Computer forensic science is an extremely hot topic and is widely used among all industries. It will continue to play a large role in society as computer technology continues to emerge (Gallegos).

Generally, computer forensics investigations are performed after the crime or event occurred, as are investigations in traditional medical forensics. Files that have been lost or deleted by accident may be recovered by a forensic computer expert. Information potentially valuable to criminal or civil cases in a court of law are identified and collected using investigative techniques. Law enforcement employs forensic science experts to (Gallegos):
  • assist pre-search warrant preparations and post-seizure handling of the computer equipment;
  • help support individuals’ claims of sexual harassment, wrongful termination, or age discrimination;
  • aid insurance companies in mitigating costs where possible fraud in accidents, arson and workman’s compensation cases occur;
  • help corporations discover and confirm evidence related to embezzlement, sexual harassment, theft or misappropriation of trade secrets, and other internal/confidential information.
Network forensics, on the other hand, involves gathering digital evidence, which can be transient and not preserved with permanent storage media distributed across large-scale, complex networks. Network forensics is a more technically challenging area of cyber forensics in that it deals primarily with in-depth analysis of computer network intrusion evidence. This is particularly difficult because current commercial intrusion analysis tools are inadequate to deal with today’s networked, distributed environments (Computer Forensics).

During an investigation: In the not too distant past, computer forensics was mostly related to data dumps, where every keystroke that had been logged on a computer in a series of eight digits, all of them zeroes and ones, was printed out. It took cases of paper to print the data, which were then converted into the hexadecimal number system and translated by a computer analyst (Solving Crime with Computer Forensics).

Today, a computer is taken into custody during an investigation to prevent evidence tampering. Files that had been encrypted, hidden, or protected are investigated. Documenting evidence or retrieving files requires the copying of files in specific ways to recover lost or deleted files to prevent modification of the computer system and the original files. Methodical investigation of the hardware and software of a system is often crucial. Critical information systems and infrastructures rely on forensic examinations and postmortem analysis being performed almost continually in a networked, distributed environment. This is essential to continued functioning of critical information systems and infrastructures. Clearly, computer forensics has evolved significantly (Feldman and Giordano).

Computers are used to commit crimes in several ways. They can be used:
  • as a repository or database, to house acquired information or the criminal can create a database to easily run queries or to extract desired information from a large data list;
  • to connect to other networks to steal and store valuable information;
  • to conduct illegal business; e.g. financial, drug, slave, and pornographic business deals (Gallegos).
Evidence and Computers: Criminal prosecutors use computer forensics to find incriminating documents in homicides, financial fraud, drug and embezzlement record keeping, and child pornography. Personal and business records found on computer systems are used as evidence in civil cases involving fraud, discrimination, divorce and harassment.

The importance of the evidence trail may be as important as the evidence itself in cyber forensics. The sensational murder trial of O. J. Simpson exemplifies how the inability to provide a seamless chain of custody and unquestionable evidence can severely damage the prosecution's case (Solving Crime with Computer Forensics).

Criminal evidence must be tracked from collection through disposition. Chain of custody is often crucial to the outcome of a prosecution and must be processed properly and legally. This process involves not only carefully handling evidence, but thoroughly documenting movement from one pair of hands to the next. The investigative process is made more difficult as the numbers of people involved in the case increase. Care and due diligence are important to ensure that date/times are not changed on a file. The computer forensic expert must keep a detailed log of the investigation especially since the person who collects the evidence is sometimes not the forensic specialist, and not all evidence is sent to the lab. Tracking individual cases becomes more complicated when there is an overload of cases (Computer Forensics). Law enforcement increasingly relies on digital imaging systems and computer information management to aid in the apprehension of criminals. Imaging systems are comprised of computers, thermal or laser printers, special software, cameras – standard and digital, and other peripherals. One of the problems in the O.J. trial was that photographs and videos of the crime scene did not corroborate consistently with verbal testimony. Another problem was that each item of physical evidence was handled by at least three people from collection to testing time and inadequate logs were kept (Solving Crime with Computer Forensics).

In the battle against malicious hackers, cyber forensic functions are used to support objectives which include but are not limited to: timely cyber attack containment, perpetrator location and identification, damage mitigation, and recovery initiation in the case of a crippled, yet still functioning, network. However, few, if any, forensic tools are available to assist in preempting the attacks or locating the perpetrators (Feldman and Giordano).

Standard intrusion analysis requires that many sources of data evidence including intrusion detection systems, firewall logs, audit trails, and network management information be examined. Included in cyber forensic investigations are transient and other elements frequently overlooked such as contents and state of memory; registers; basic input/output system; input/output and serial receive buffers; and L2 and front and back side system caches (Feldman and Giordano).

The Department of Defense cyber forensic investigations include evaluation and in-depth examination of data related to both the trans- and post-cyber attack periods. Among the key objectives are rapid discovery of evidence, estimation of potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator. Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally or maliciously hidden, destroyed, or modified in order to elude discovery (Feldman and Giordano).

The Information Directorate, in partnership with the National Institute of Justice and under the auspices of the NLECT (National Law Enforcement and Corrections Technology Center), is designed to test new ideas and prototype tools. A new paradigm, CFX-2000 (Computer Forensics Experiment 2000), was developed as a result of this partnership to transition cyber forensic technology from military R & D laboratories to law enforcement. CFX-2000 examined the possibility of accurately determining the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework. The execution of CFX-2000 required the development of a simulated realistic complex cyber crime scenario exercising conventional, as well as R & D prototype, cyber forensic tools (Feldman and Giordano).

The NLECTC assembled a diverse group of computer crime investigators from the Department of Defense and federal, state, and local law enforcement to participate in the CFX-2000 exercise hosted by the New York State Police’s Forensic Investigative Center. The results of CFX-2000 verified that it is possible to ascertain the intent and identity of cyber criminals. As electronic technology continues its explosive growth, researchers need to continue vigorous R & D of cyber forensic technology in preparation of cyber reconnaissance probes and attacks (Feldman and Giordano).

Conclusion: Cyber crime has been happening for about 50 years – since computers have been used in production. Evidence gathered from computers is subject to the same standards as evidence gathered from any other type of crime scene; it must be authentic, accurate, complete, convincing to juries, and admissible (conforms to common law and legislative rules). This is to ensure that evidence gathered from suspected computer-related crimes is credible. Cyber crime will continue to increase as the number of computer users increases. To combat this trend, local and national law enforcement agencies must maintain and improve techniques used in cyber forensics.


Anderson MR, Security & Law Enforcement Risks, Portable USB Devices Security, Armor Forensics, Located at: Security & Law Enforcement Risks, Portable USB Devices Security (last visited Dec. 26, 2006)

Computer Forensics, Located at: Computer Forensics (last visited Dec. 26, 2006)

Cyber Forensics, AFRL's Information Directorate, Information Grid Division, Defensive Information Warfare Branch, Rome NY, Located at: Cyber Forensics (last visited Dec. 26, 2006)

Feldman J and Giordano JV, TECH CONNECT, Reference document IF-00-16, Located at: TECH CONNECT (last visited Dec. 26, 2006)

Gallegos F, Computer Forensics: An Overview, Volume 6, 2005, Located at: Computer Forensics: An Overview (last visited Dec. 26, 2006)

Hosmer C, Gordon G, Hyde C, Grant T. Cyber Forensics 2000. Proceedings, 1st Annual Study of the State-of-the-Art in Cyber Forensics.

Solving Crime with Computer Forensics – Computer Resources Page, Located at: Solving Crime with Computer Forensics (last visited Dec. 26, 2006)

Yang J, Government Jabs at Cyber Crime, July 22, 2001, Located at: Government Jabs at Cyber Crime (last visited Dec. 26, 2006)