What is Forensics?
Forensics is the methodical gathering and analysis of evidence to establish facts for presentation in a legal proceeding.
What is Computer Forensics?
Computer Forensics or IT Forensics is a branch of forensics that involves investigating computers, computer networks, related equipment and data storage media with specialized techniques to discover evidence showing whether they have been used to commit a crime or unauthorized activity.
Who needs or who uses Computer Forensic Services?
Typically a police force, or a specialized branch of a police force, uses computer forensics to investigate cyber crimes or any crime whose evidence may have been stored, transmitted or received on a computer system.
More often, those who engage computer forensic services are companies that have encountered a data security breach in a network, or organizations that want to investigate an employee who may have broken company policy, for example by leaking confidential information through a computer (such as by email), or for something as trivial as playing computer games during working hours.
What is done in a Computer Forensic Investigation?
A computer forensic investigation involves methodical steps such as acquiring computer equipment as evidence artefacts and preserving that evidence so it is not tampered with and does not change throughout the investigation.
The investigation also involves the discovery and analysis of relevant data; all processes and findings are documented meticulously for presentation.
What should you look for in a Computer Forensic Investigator?
A good forensics investigator will have gone through proper training in handling evidence so that it does not deteriorate during the investigation, and will know the necessary documentation steps. The investigator must also have the skill sets needed to succeed in a computer forensics investigation.
These skills cannot be attained overnight. A computer forensic investigator must have years of experience with a variety of computer system environments such as DOS, Windows, UNIX and Mac. Computer crimes and breaches usually occur in unforeseen and unexpected situations and in many cases require the discovery of data that was not meant to be accessed.
Investigator Impartiality
The computer forensic investigator must remain neutral under all circumstances. The investigator cannot work on a case having judged the suspect’s guilt or innocence. This is to ensure that no evidence is left out because of the way the investigator feels about the situation. All evidence must be collected and analyzed.
The investigator must also report any forensic findings that reveal wrongdoing, especially if it breaks the law. This protects the investigator's credibility, especially when presenting a report or testifying in court.
Evidence Control and Documentation
If anything can be singled out as the most important criterion in computer forensics, evidence control and documentation tops the list. It is absolutely critical to note all actions and the chain of custody during an investigation, or the forensic investigation will lose its credibility altogether. What evidence is collected, who is holding it and what is being done to it must be documented meticulously from the point of acquisition.
The chain of custody is a record that lists who has had access to the evidence and when. Each entry must be signed by the investigator and a witness. This is particularly important because if the challenging party argues that the evidence has been tampered with, and there is a lapse or gap in the chain of custody, the investigator will not be able to refute the claim that the evidence might have changed.
The original evidence must never be worked on directly, so that it remains intact. All tools, processes and methodologies used in an investigation must be documented such that, if repeated, they will produce the same results. This too ensures credibility. Times, dates and events are examples of things that need to be documented.
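The custody and integrity checks described above, as an added example that is not part of the original article: every custody event for a disk image records who handled it, who witnessed it, when and why, and the image's SHA-256 is re-checked at each handover against the hash taken at acquisition. The item ids, names and image bytes are constructed for the demonstration.

```python
"""Minimal chain-of-custody log for a disk image (added example, constructed data)."""
import hashlib
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, item_id: str, acquired_by: str, witness: str, image: bytes):
        self.item_id = item_id
        self.reference_hash = sha256_bytes(image)  # hash taken at acquisition
        self.entries = []
        self.record(acquired_by, witness, "acquired and imaged", image)

    def record(self, investigator: str, witness: str, action: str, image: bytes, when=None):
        """Append a custody entry and note whether the image still matches the acquisition hash."""
        when = when or datetime.now(timezone.utc)
        current = sha256_bytes(image)
        entry = {"item": self.item_id, "who": investigator, "witness": witness,
                 "action": action, "when": when.isoformat(), "sha256": current,
                 "intact": current == self.reference_hash}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry was witnessed and every hash matches the reference."""
        return all(e["witness"] and e["intact"] for e in self.entries)


# Constructed sample image; in practice this is the bit-for-bit copy read from the drive.
ORIGINAL_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x11" * 100

# Analysis is done on a working copy, so the original's hash stays unchanged.
log = CustodyLog("HDD-001", "J. Doe", "A. Smith", ORIGINAL_IMAGE)
log.record("J. Doe", "A. Smith", "working copy made; analysis on copy", ORIGINAL_IMAGE)

# A handover after someone wrote to the evidence (one byte changed) is caught at the next check.
TAMPERED_IMAGE = ORIGINAL_IMAGE[:-1] + b"\x12"
tampered_log = CustodyLog("HDD-002", "J. Doe", "A. Smith", ORIGINAL_IMAGE)
tampered_log.record("K. Lee", "A. Smith", "returned to evidence locker", TAMPERED_IMAGE)

if __name__ == "__main__":
    for e in log.entries + tampered_log.entries:
        print(e)
    print("HDD-001 chain intact:", log.verify())
    print("HDD-002 chain intact:", tampered_log.verify())
```

An entry without a witness fails `verify()` just as a hash mismatch does, mirroring the requirement that both the investigator and a witness sign for each transfer.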
Computer Forensics Laboratory
A laboratory to conduct computer forensic investigation must be well equipped to be successful in data extraction, discovery and analysis.
The forensics lab can take the form of a small room or an entire building. It depends on the kind of forensic activity being conducted and the volume of forensic investigations the lab has to cater to.
Some countries, such as the United States, have nationally recognized certifications to ensure the quality of the lab, e.g. the American Society of Crime Laboratory Directors / Laboratory Accreditation Board (ASCLD/LAB). If possible, it is best to get the lab certified.
The security of the forensics laboratory is of extreme importance. It must be secure against physical threats such as intrusion, theft and even natural disasters. There must be some kind of access control to ensure that unauthorized persons do not enter. A log book may be in place to note who is in and out of the lab at any particular time.
It is best that the computer forensics lab does not have any windows; if there are any, they must be sealed. The exact location of evidence artefacts stored in the lab must not be revealed, as an extra precaution against theft. It is also good to avoid or limit false ceilings and floors, so intruders have no space to hide anything, or themselves, in them.
There should be only one entrance/exit to the lab, for obvious reasons. We definitely do not want intruders leaving through another door while we are coming in through one. Access control is also much easier when there is only one entrance.
Good physical locks are necessary for a good forensics lab. It would be nice to have a biometric security system in place, but most importantly the lab must not be easy to break into. Sometimes a combination of lock types can be installed to ensure this.
Closed circuit television (CCTV) to track entries or break-ins has become common in physical security. Together with 24-hour monitored alarm systems that automatically notify the authorities of a breach, it can serve as an added security feature for your computer forensics laboratory.
If possible the lab should also be placed in a building surrounded by a fence or have security guards present.
Forensics labs set up in different kinds of locations have different security needs. A more secure lab will also boost your customers' trust and confidence in your ability to conduct a proper computer forensic investigation.