As part of her daily morning routine at the office, Sheila opened her inbox and checked her messages. Going through them, she found one familiar message. She had been receiving such explicit messages for a long time, and even though she knew who sent them, there did not seem to be anything she could do about it. The sender was one of the top brass in her company. Talking to a friend about this, she discovered that many more female employees had been receiving these messages from the same man. They filed a complaint with HR, but how was anyone going to prove that he was guilty?
This is where computer forensics comes into the picture. HR called in a forensics company, and an image of the suspect’s workstation was taken. Because his email also needed to be checked, an image of the server was taken as well. Examination of these images showed that the person in question was indeed responsible for harassing several women employees, and he was immediately suspended.
Computer forensics involves the collection and analysis of data from computers, mobile phones, or any other magnetic storage device so that the data can be admitted as evidence in a court of law. This branch of science can be used to uncover a number of cyber crimes, some of which are listed below:
- Inappropriate internet usage
- Illegal data copying
- Identity or credit card thefts
- Harassment
- Pornography
- Industrial espionage
- Unauthorized web page manipulation
- Mobile phone crimes
- Computer hacking, etc.
While working on a suspect’s machine, a copy of the hard drive should be made first, and the forensic examination should be done on the copy. Otherwise there is a chance that valuable evidence may be lost or altered. The copy should preferably be made on new media to prevent contamination of data.
Copying is usually done one bit at a time, producing an exact image of the original. It should also be ensured that the copy is safe from tampering. Forensic testing may be very costly, but when done properly it provides compelling evidence, which makes it cost-effective in the long run. Even so, the legality of the testing itself might be questioned: questions might arise as to how the evidence was gathered, or whether it was legal to access the workstation or storage facility in question. So it is always best to maintain a log of how and when the system was used and to make sure nothing is changed in the files on the system.
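The acquisition procedure described above, as an added example that is not part of the original article: a bit-for-bit copy of a "drive" (here a constructed file of sample bytes standing in for a real device) is written to new media, both source and image are hashed with SHA-256 so that tampering with the copy can later be proven, and every acquisition is appended to a simple custody log recording who made the image and when. The examiner name and file paths are hypothetical.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # copy in fixed-size blocks; a real imager works sector by sector


def sha256_of_file(path):
    """Stream a file through SHA-256 so large images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_and_verify(source, destination, log_path, examiner):
    """Bit-for-bit copy of `source` to `destination`, then hash both sides.

    Returns a dict with both digests and whether they match. Each run is
    appended to `log_path` as one JSON line: who imaged what, when, and the
    resulting hashes, which is the custody log the article recommends keeping.
    """
    # The source is opened read-only; nothing on it is modified during imaging.
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(block)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "destination": destination,
        "source_sha256": sha256_of_file(source),
        "image_sha256": sha256_of_file(destination),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash an image later (before analysis, or in court) to prove it is unchanged."""
    return sha256_of_file(image_path) == expected_sha256


def demo():
    """Run the procedure on a constructed 'drive' and then show a tampered copy failing."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "suspect_drive.dd")
    log_path = os.path.join(workdir, "custody.log")
    with open(source, "wb") as f:  # constructed sample bytes, not a real disk
        f.write(bytes(range(256)) * 1000)
    record = image_and_verify(source, image, log_path, examiner="J. Doe (hypothetical)")
    # Simulate the image being altered after acquisition: verification must now fail.
    with open(image, "r+b") as f:
        f.seek(12345)
        f.write(b"\x00")
    tampered_ok = verify_image(image, record["image_sha256"])
    return record["verified"], tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False): the fresh image verified, the altered one did not
```

The digest recorded at acquisition time is what makes the log useful: anyone can re-run `verify_image` on the copy months later and show that it is still exactly what was taken from the suspect's machine.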
When there is evidence that a system has been hacked, the primary objective should be to contain the attack and restrict the attacker’s access. The next step is to try to locate, and if possible identify, the suspect. After that comes legal action, depending of course on whether the evidence collected is admissible in court. Steps should also be taken for damage control and recovery, and additional security should be put in place to stop further attacks.
However, even as forensic methods become more sophisticated, hackers and other cyber criminals find ever more ingenious ways to cover their tracks. But there are always tracks. Usually, even if the incriminating data has been deleted, there are ways of restoring it; forensic experts search even the empty spaces on a disk for evidence. A few of the methods used by cyber criminals are more secure deletion, storing data on remote devices to which only they have access, and, more recently, something called steganography.
Steganography is somewhat similar to cryptography. While cryptography involves encrypting data, steganography involves hiding data so that nobody except a person who knows where to look can see it. While there are legal uses for steganography, such as digital watermarks, it is increasingly being used for smuggling out information disguised as something simple like an email. Or it could be stored on the system itself, for example hidden in an official-sounding file in the operating system. To counter the adverse effects of steganography, a method called steganalysis has been developed. Steganalysis can discover whether steganography has been used on a particular file; if it has, steganalysis can detect the presence of hidden data. However, it can only destroy the data; it is of no use if you want to know what the hidden message was.
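As an added illustration of what steganalysis does (not code from the article), here is the classic pairs-of-values chi-square test of Westfeld and Pfitzmann for least-significant-bit steganography. Hiding a random-looking payload in the low bits of pixel values pushes the counts of each pair (2k, 2k+1) toward equality; natural data rarely balances them. The "image" below is a constructed list of 8-bit values with a biased LSB, and the "stego" version is produced by randomising every LSB, which is the statistical footprint of a full embedding. The statistic is reported per degree of freedom so that no chi-square table is needed: a value near 1 suggests embedding, a much larger value suggests clean data. The bias and threshold values are assumptions for the sample, not properties of real images.

```python
import random


def pov_chi_square(samples):
    """Pairs-of-values chi-square statistic per degree of freedom.

    For each pair (2k, 2k+1) the expected count of each member is half the
    pair total. Summing the squared deviations over all pairs gives a
    chi-square statistic with (number of non-empty pairs - 1) degrees of
    freedom; dividing by that makes the result comparable across sizes.
    """
    counts = [0] * 256
    for v in samples:
        counts[v] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        n_even, n_odd = counts[2 * k], counts[2 * k + 1]
        total = n_even + n_odd
        if total == 0:
            continue
        expected = total / 2.0
        chi2 += (n_even - expected) ** 2 / expected
        chi2 += (n_odd - expected) ** 2 / expected
        dof += 1
    return chi2 / max(dof - 1, 1)


def looks_embedded(samples, threshold=2.0):
    """Flag data whose pair counts are as balanced as a random payload would make them."""
    return pov_chi_square(samples) < threshold


def make_cover(n, seed=1):
    """Constructed stand-in for 8-bit grayscale pixels: LSB biased toward 0 (assumption)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = rng.randint(0, 255)
        v = (v & ~1) | (0 if rng.random() < 0.7 else 1)
        out.append(v)
    return out


def simulate_full_embedding(samples, seed=2):
    """Replace every LSB with a random bit: the effect of embedding an encrypted payload."""
    rng = random.Random(seed)
    return [(v & ~1) | rng.getrandbits(1) for v in samples]


if __name__ == "__main__":
    cover = make_cover(20000)
    stego = simulate_full_embedding(cover)
    print("cover:", round(pov_chi_square(cover), 1), looks_embedded(cover))
    print("stego:", round(pov_chi_square(stego), 1), looks_embedded(stego))
```

Note that the test says nothing about the content of the hidden data, which matches the article's point that steganalysis detects the presence of a payload rather than recovering the message; it is also blind to payloads that occupy only a small fraction of the file, which is why real tools examine the statistic over successive portions of the data.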
Forensics can also be used on mobile phones to assist criminal investigations. Almost all mobile phones nowadays have GPRS, which can enable the authorities to pinpoint a suspect’s location using his phone. A suspect’s phone can also reveal a lot of vital clues. For example, a number of people were suspected of being involved in a huge scam, but the identity of their boss was still a question mark. The police seized the phones of all the suspects and checked whether there was any particular number that all of these phones dialled often, and in this way they found the leader. In another case, a murderer had sent messages from the victim’s cell phone to make it look as if the victim had sent them. However, after careful analysis of the messages, the police found that they were very different from the ones actually sent by the victim: they discovered different linguistic patterns, and were thus able to establish that the murderer, not the victim, had sent those messages, and to convict him.
Forensic science has come a long way from magnifying glasses and lifting fingerprints. The more sophisticated the crimes, the greater the growth of this science. It can be used effectively to uncover and resolve many more crimes.
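The call-record analysis from the scam case above, as an added example that is not part of the original article: given one dialled-number list per seized phone, find the numbers that every phone called, rank them by how often they were called, and report the per-phone breakdown so an investigator can see whether the contact is genuinely shared or dominated by one handset. The call logs and numbers are constructed for the example; a real export would come from the handset or the carrier.

```python
from collections import Counter

# Constructed call logs: one list of dialled numbers per seized phone (made-up numbers).
CALL_LOGS = {
    "suspect_A": ["555-0101", "555-0199", "555-0101", "555-0150", "555-0199", "555-0199"],
    "suspect_B": ["555-0199", "555-0120", "555-0199", "555-0101", "555-0199"],
    "suspect_C": ["555-0199", "555-0199", "555-0133", "555-0199", "555-0150", "555-0101"],
}


def common_contacts(call_logs, min_calls=1):
    """Numbers dialled at least `min_calls` times by every phone, most-called first.

    Returns a list of (number, total_calls, per_phone_counts). Requiring a
    minimum per phone filters out a number that only one suspect called
    repeatedly while the others dialled it once by chance.
    """
    counters = {owner: Counter(log) for owner, log in call_logs.items()}
    shared = None
    for counts in counters.values():
        dialled_enough = {number for number, c in counts.items() if c >= min_calls}
        shared = dialled_enough if shared is None else shared & dialled_enough
    results = []
    for number in shared or set():
        per_phone = {owner: counts[number] for owner, counts in counters.items()}
        results.append((number, sum(per_phone.values()), per_phone))
    # Sort by total calls descending, then by number for a stable, reproducible order.
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


def likely_leader(call_logs, min_calls=2):
    """The single most-called number shared by all phones, or None if there is none."""
    results = common_contacts(call_logs, min_calls)
    return results[0][0] if results else None


if __name__ == "__main__":
    for number, total, per_phone in common_contacts(CALL_LOGS):
        print(number, total, per_phone)
    print("candidate:", likely_leader(CALL_LOGS))
```

On the sample data, 555-0101 is shared by all three phones but only suspect A calls it more than once, so it drops out once a minimum of two calls per phone is required, leaving 555-0199 as the only candidate.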