Beginner’s Guide to Computer Forensics


Computer forensics is the practice of collecting, analyzing and reporting on digital information in a manner that is legally permissible. It can be used for the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics have comparable stages of investigation with other forensic disciplines and face similar problems.

About this guide

This guide discusses computer forensics from a neutral perspective. It is not linked to specific legislation or is intended to market a particular company or product and is not written in bias by neither law enforcement nor commercial computer forensics. It is aimed at a non-technical audience and provides a high level of computer forensics. This guide uses the term “computer”, but the concepts apply to any device capable of storing digital information. Where methodologies are mentioned, they are given as examples only and do not constitute recommendations or advice. Copying and publishing all or part of this article is licensed exclusively under the terms of the Creative Commons Attribution Non-Commercial 3.0 License

Application of computer forensics

There are few areas of crime or discrepancies where computer forensics cannot be used. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and have therefore often been at the forefront of developments in the field. Computers can constitute a ‘scene of a crime’, for example with hacking [ 1] or attacks on denial of service [2] or they may contain evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnapping, fraud and drug trafficking. Not only the content of emails, documents and other files that may be of interest to investigators, but also ‘metadata’ [3] associated with these files. A forensic examination of the computer may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed, and which user performed these actions.

Recently, commercial organizations have used computer forensics to their advantage in a number of cases, such as;

  • Intellectual property theft
  • Industrial espionage
  • employment Disputes
  • Fraud Investigation
  • forgeries
  • marriage Problems
  • bankruptcy Studies
  • Inappropriate use of email and internet in the workplace
  • Compliance with legislation


For evidence to be admissible, it must be reliable and non-judgmental, which means that the admissibility at every stage of this process must be at the forefront of a computer forensic examiner’s mind. One set of guidelines that has been widely accepted to help with this is the Association of Chief Police Officers Guide to Good Practices for Computer Based Electronic Evidence or ACPO Guide Cards. Although the ACPO Guide is aimed at UK law enforcement, the most important principles apply to all computer forensics regardless of the legislature. The four main principles of this guide are outlined below (with references to law enforcement removed):

  1. No action should alter data contained on a computer or storage media that can subsequently be relied on in court.
  2. In cases where a person finds it necessary to access original data contained on a computer or storage media, that person must be competent to do so and be able to provide evidence explaining the relevance and consequences of their actions.
  3. An audit trail or other record of all processes used for computer-based electronic documentation must be created and maintained. An independent third party must be able to investigate these processes and achieve the same result.
  4. The person responsible for the investigation has the overall responsibility to ensure compliance with the law and these principles.

In the summary, no changes to the original should be made, but if access / changes are necessary, the examiner must know what they are doing and record their actions.

Live acquisition

Principle 2 above may raise the question: In what situation would changing a suspect’s computer by a computer forensic technician be necessary? Traditionally, the forensic computer will make a copy (or acquire) information from a device that is turned off. A notepad[4] would be used to make an exact bit for bit copy [5] of the original storage medium. The examiner then worked from this copy, leaving the original demonstrable unchanged.

However, it is sometimes not possible or desirable to turn off a computer. It may not be possible to turn off a computer if this is done to a significant financial or other loss to the owner. Turning off a computer may not be desirable if it does cause potentially valuable evidence to be lost. In either of these circumstances, the forensic censor computer would have to perform a “live acquisition” which would involve running a small program on the suspected computer to copy (or acquire) the data to the censor’s hard drive.

By running such a program and attaching a destination drive to the suspected computer, the investigator makes changes and / or additions to the computer’s condition that were not present before his actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain their actions.

examination Stages

For the purpose of this article, computer forensic investigation process has been divided into six steps. Although presented in their usual chronological order, it is necessary during a study to be flexible. For example, in the analysis stage, the examiner may find a new lead that would warrant additional computers being examined and would mean a return to the evaluation phase.


Forensic emergency preparedness is an important and occasionally overlooked step in the investigation process. In commercial computer forensics, this may include education of clients about systems readiness; Eg. forensic examinations will provide stronger evidence if a server or computer’s built-in audit and logging systems are all turned on. For examiners, there are many areas where pre-organization can help, including training, regular testing and verification of software and equipment, familiarity with legislation, handling unexpected issues (such as what to do if child pornography is present during a commercial job) and ensure that your on-site procurement kit is complete and in working order.


The evaluation phase includes receiving clear instructions, risk analysis and allocation of roles and resources. Law enforcement risk analysis may include an assessment of the likelihood of physical threat of intrusion into a suspect property and how to best deal with it. Commercial organizations also need to be aware of health and safety issues, while their evaluation also covers the reputation and financial risks of accepting a particular project.


The main part of the collection stage, acquisition, is introduced above. If acquisition is to be performed on site rather than in a computer forensic laboratory, this step will include identifying, securing and documenting the scene. Interviews or meetings with staff that may contain information that may be relevant to the study (which may include end users of the computer and the manager and person responsible for providing computer services) will usually be conducted at this stage. The audit trail ‘bagging and tagging’ would start here by sealing any material in unique sabotage-true bags. Safe and secure transport of the material to the examiner’s laboratory must also be taken into account.


Analysis depends on the details of the individual job. The examiner usually provides feedback to the client during the analysis, and from this dialogue, the analysis may go a different route or be narrowed to specific areas. The analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the available time scales and resources allocated. There are countless tools available for computer forensic analysis. In our opinion, the examiner should use any tool they feel comfortable with as long as they can justify their choice. The most important requirements for a computer forensic tool are that it does what it is intended to do, and the only way for examiners to be sure of this is that they regularly test and calibrate the tools they use before analysis occurs. Duplication confirmation can confirm the result integrity during the analysis (if with tool ‘A’ the examiner finds artifact ‘X’ at site ‘Y’, tool ‘B’ must repeat these results.)


This step usually involves the examiner preparing a structured report on their findings and addressing the points in the introductory instructions along with any subsequent instructions. It will also cover all other information that the examiner considers relevant to the examination. The report should be written with the end reader in mind; in many cases, the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner must also be prepared to attend meetings or telephone conferences to discuss and elaborate on the report.


Along with the emergency phase, the review phase is often overlooked or ignored. This may be due to the perceived cost of performing non-billable work or the need to “move on to the next job”. However, a review phase incorporated into each study can help save money and raise the quality level by making future studies more efficient and time-efficient. A review of a study can be simple, quick and can begin at any of the above stages. It can include a basic ‘what went wrong and how can this be improved’ and a ‘what went well and how can it be integrated into future research’. Feedback from the instructing party should also be sought. Any lessons learned from this step should be used for the next study and brought into the emergency phase.

Problems facing computer forensics

The problems that computer forensic examiners face can be divided into three broad categories: technical, legal, and administrative.

encryption – Encrypted files or hard drives may be impossible for investigators to see without the correct key or password. Examiners must consider that the key or password may be stored elsewhere on the computer or on another computer to which the suspect has had access. It may also reside in the volatile memory of a computer (known as RAM) [6] usually lost by computer connection; another reason to consider using live acquisition techniques as described above.

Increase storage space – Storage media contains ever-increasing amounts of data, which for the examiner means that their analysis computers must have sufficient processing power and available storage space to effectively handle the search and analysis of huge amounts of data.

New technologies – Computing is an ever-changing area where new hardware, software and operating systems are constantly being produced. No forensic examiners can be experts in all areas, although they are often expected to analyze something that they have not addressed before. To deal with this situation, the examiner must be prepared and able to test and experiment with the behavior of new technologies. Networking and sharing knowledge with other computer forensic investigators is also very useful in this regard, since it is likely that someone else has already encountered the same problem.

Anti-Forensics – Anti-crime technology is the process of trying to thwart computer forensic analysis. This may include encryption, overwriting data to make it non-recoverable, changing file metadata, and file disruption (file disguising). As with the encryption above, the evidence that such methods have been used can be stored elsewhere on the computer or on another computer to which the suspect has had access. In our experience, it is very rare to see anti-forensics tools used properly and often enough to completely hide their presence or the presence of the evidence they were used to hide.

Legal issues

Legal arguments can confuse or distract a computer examiner’s results. An example here would be ‘Trojan Defense’. A trojan is a piece of computer code that is disguised as something benign, but which has a hidden and malicious purpose. Trojans have many uses and include key logging [7], uploading and downloading files and installing viruses. A lawyer might argue that actions on a computer were not performed by a user, but were automated by a trojan without the user’s knowledge; such a Trojan Defense has been used successfully even when no trace of a Trojan or other malicious code was found on the suspected computer. In such cases, a competent opposing attorney, provided with evidence from a competent computer forensic analyst, should be able to reject such an argument.

Accepted standards – There are a plethora of standards and guidelines in computer forensic medicine, few of which appear to be universally accepted. This is due to a number of reasons, including standardization bodies that are bound by specific legislation, standards aimed at either law enforcement or commercial forensics, but not on both, the authors of such standards not accepted by their peers, or high affiliation fees discouraged. practitioners from participating.

Fitness to practice – In many jurisdictions, there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases, anyone can present themselves to a computer forensic expert, which can result in computer forensic studies of questionable quality and a negative outlook on the profession as a whole.

Resources and further reading

There does not appear to be a large amount of material covering computer forensics aimed at a non-technical readership. However, the following links are at links at the bottom esta page may prove to be of interest:

Word list

1. Hacking: modifying a computer in a way that was not originally intended to benefit the hacker’s goals.

2. Denial of Service Attempt: An attempt to prevent legitimate users of a computer system from accessing that system’s information or services.

3. Metadata: At the base level, metadata is data about data. It can be integrated into files or stored externally in a separate file and can contain information about the file’s author, format, creation date and so on.

4. Write Block: A hardware device or software application that prevents data from being changed or added to the storage medium being examined.

5. Bit copy: bit is a contraction of the term ‘binary digit’ and is the basic computing device. A bit copy refers to a sequential copy of each bit on a storage medium which includes areas of the medium ‘invisible’ to the user.

6. RAM: Random access memory. RAM is a temporary work area of ​​a computer and is volatile, which means that content is lost when the computer is turned off.

7. Key logging: recording keyboard input that allows a user to enter passwords, e-mails and other confidential information.