
Let's Talk About Computer Forensics

What Is Computer Forensics?

It is important to note that this is an opinion piece based on study and experience; many security experts hold different views on hacking, IT security and forensics. Much of the theory is written from the perspective of preventing attacks, or at least making them harder, which mainly involves equipment such as firewalls and intrusion detection systems (the HIDS vs. NIDS focus). What we are discussing here is going back after an attack, or a perceived attack, to determine what occurred. Like most forensics, we look at the evidence and determine the most likely scenarios. Essentially, computer forensics is examining technology for evidence. Computer forensics isn't just about computer crimes; in fact it is most often used to collect evidence of other crimes. Everything from harassment to child molestation cases has been proven and substantiated by evidence collected from computers. Law enforcement has become increasingly dependent upon information available via computers and the internet to investigate cases. Computer forensics can also be used by employers after incidents with employees: a disgruntled employee can destroy, steal or share information that should otherwise remain private.

Computer forensics begins with collecting evidence. These days, after a murder or other incident, that starts with gathering the suspect's or victim's social media activity, which can sometimes help build a timeline of events. When an employer investigates an employee, it starts with the employee's e-mail communications and the sites visited while the employee was on the network. On the technology side, this requires systems that back up and store those e-mails for later retrieval. Another way to view employee activity is to check the network logs, which often hold information such as IP addresses and even the websites the employees visited. Much of the basic computer forensic work in companies is left to systems administrators. There were not many tools in the past, but now there are tools such as SANS SIFT, ProDiscover Basic, Volatility and many others. There are also open source tools such as The Sleuth Kit (Linux) and Autopsy (Windows). These programs are mainly meant to examine files, while other programs such as Wireshark are designed to capture network traffic. The computer forensics industry is constantly changing and evolving to keep up with new technologies and with new criminal and hacking capabilities. It is a technology that will remain for many, many years to come.

Image is from DLG Investigators
