Summary of Introduction to Computer Forensics
2025, April 09
1. What is Forensic Science?
- Forensic = Legal
- Forensic Science = Scientific method to investigate past events (e.g., crimes) for court use
- Examples:
- Forensic Pathology (injury/disease)
- Forensic Biology (DNA, blood)
- Computer Forensics (focus of this course)
2. What is Computer Forensics?
The science of collecting, preserving, analyzing, and presenting digital evidence from devices like computers, USBs, phones.
Used in:
- Civil cases (ex: copyright)
- Criminal cases (ex: hacking, fraud)
- Corporate cases (ex: email abuse)
3. Why It’s Needed?
- Digital files can be:
- Hidden, deleted, encrypted
- Spread across different devices and platforms
- Criminals keep evolving tricks, so forensic investigators must stay updated.
4. Related Fields
- Network Forensics: Tracks how attackers entered a network.
- Data Recovery: Recovers lost files (different from forensics – just recovery, not legal evidence).
5. Investigation Triad
3 Main Security Teams in Companies:
| Team | Purpose |
|---|---|
| 1. Vulnerability Assessment | Test systems for security holes |
| 2. Network Intrusion Response | Detect attacks and respond |
| 3. Computer Investigations | Analyze evidence after an incident |
6. Challenges in Computer Forensics
- Data may be:
- Encrypted
- Hidden in virtual machines
- Stored in old/unsupported systems
- Requires updated tools and training.
7. Must-Know Terminologies
- Litigation: Legal process in court (civil/criminal)
- Evidence: Proves truth (can be incriminating or exculpatory)
- Affidavit: Written statement for getting court’s permission (like a warrant)
- Case Law: Past legal cases used to guide current ones
- Chain of Custody (CoC): Tracks evidence handling – if broken, evidence is invalid
- Integrity: Evidence must not be altered
- Investigation: A formal process to find the truth
8. Methodology
- Methodology = Step-by-step way to do forensic work.
- Examples:
- DOJ (Dept. of Justice)
- DFRWS
- ADFM
- IDIP
- EDIP
✅ All aim for: Identify → Collect → Analyze → Present
9. Public vs Private Cases
| Type | Who Handles? | Example |
|---|---|---|
| Public | Govt. (Police, Court) | Hacker stealing money from a bank |
| Private | Companies/Organizations | Employee misusing office email for harassment |
10. Public Case Flow
- Complaint – Someone reports wrongdoing
- Investigation – Evidence is collected
- Prosecution – Case goes to court using your report
11. Forensic Investigator’s Role
You are the computer detective:
- Analyze devices (Windows, Mac, Linux, mobiles)
- Prepare reports
- Sometimes, testify in court
- Should have Level 3 expertise in forensics
12. Setting Up a Forensic Workstation (Practical)
- Special PC used only for investigations
- Safe from internet or external tampering
- Tools like: FTK, EnCase, Autopsy, etc.
- (Lab handout will be given – just mention you’ll follow lab guide)
13. Professional Ethics
You must:
- Be unbiased (don’t take sides)
- Be trustworthy (keep things private)
- Be technically skilled (know multiple systems)
- Keep learning (stay updated)
14. Top Certifications (Name 2-3 if asked)
- CHFI (EC-Council)
- GCFE, GCFA (SANS)
- CCE (ISFCE)
- EnCE (EnCase Certified Examiner)
15. Laws & Cybercrime
- Laws keep changing with technology.
- Cyber laws vary by country.
- Example in UAE:
- aecert.ae
- tra.gov.ae
Quick Revision Flash Points:
- Forensics = Legal + Scientific method
- Digital Forensics = Evidence from computers/devices
- Chain of Custody = Unbroken track record
- Exculpatory Evidence = May prove innocence
- Affidavit = Written request for warrant
- Public vs Private: Court vs Company cases
- Investigation Triad = 3 teams (Security, Detection, Investigation)
- Set up a special forensic workstation for analysis
- Be ethical, skilled, and unbiased