Computer forensics is a branch of digital forensic science concerned with investigations that recover, identify and analyse data stored on digital devices (PCs, iPhones, CDs, etc.). The process a computer forensics investigation follows resembles data recovery, but the evidence is handled under guidelines that document an audit trail and preserve the extracted data so that it can be used in a court of law if necessary.
Computer forensic experts are people trained to extract and analyse evidence from digital media. A computer forensics expert should be able to tell what happened, how it happened and who or what was involved; computer forensic experts take part in child pornography investigations, identity fraud cases, malicious hacking incidents, etc. To become a computer forensic expert it is necessary to have a background in computer science; some universities offer certification in computer forensics, and you will also need work experience as a computer forensics analyst or in IT security (e.g. an internship).
How to Perform Computer Forensics and Data Recovery
OSForensics is a collection of computer forensics tools, some of them used by law enforcement, that provides information about a computer's configuration and activities.
After creating a case with OSForensics you will be able to see the computer's recent activity, such as connected USB devices, recently browsed websites or downloaded images. Another option recovers passwords stored in the browser. If a file has been erased by Windows, this forensic tool can recover it as long as it has not been overwritten. A timeline shows a graph giving a good overview of what happened and when, and the results can be exported in CSV or HTML format for further processing, e.g. printing or email.
The OSFMount tool lets you mount all kinds of disk images (.iso, .bin, .nrg, .sdi, .vmd, etc.) and view them without having to burn them to a CD-ROM. The Mismatch File Search tool scans the hard disk for files whose default extension has been changed to disguise them, for example a .jpg file renamed as .txt (which can be reversed): it reads the file header bytes, where the file type is specified, and checks that they correspond to the file extension.
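A minimal version of the header-versus-extension check described above, written as an added Python example (not OSForensics' own code): the signature table is a small constructed subset, and `demo()` builds a throwaway directory with a JPEG renamed to .txt beside files that must not be flagged.

```python
from pathlib import Path
import tempfile

# Leading byte signatures for common file types and the extensions that legitimately
# carry them (a constructed minimal table, not the one OSForensics ships with).
SIGNATURES = [
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}, "jpeg"),
    (b"\x89PNG\r\n\x1a\n", {".png"}, "png"),
    (b"GIF89a", {".gif"}, "gif"),
    (b"%PDF-", {".pdf"}, "pdf"),
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}, "zip"),
    (b"MZ", {".exe", ".dll", ".sys"}, "pe"),
]

def identify(header: bytes):
    """Return (type_name, allowed_extensions) for the first matching signature, else None."""
    for magic, exts, name in SIGNATURES:
        if header.startswith(magic):
            return name, exts
    return None

def check_file(path: Path):
    """Classify one file as 'match', 'mismatch' or 'unknown' and return the detected type."""
    with path.open("rb") as fh:
        header = fh.read(16)  # the longest signature in the table is 8 bytes
    found = identify(header)
    if found is None:
        return "unknown", None  # no signature known; a hex viewer is the next step, not a verdict
    name, exts = found
    return ("match" if path.suffix.lower() in exts else "mismatch"), name

def scan(root: Path):
    """Walk a directory tree; return {relative path: detected type} for mismatched files only."""
    flagged = {}
    for p in root.rglob("*"):
        if p.is_file():
            verdict, name = check_file(p)
            if verdict == "mismatch":
                flagged[str(p.relative_to(root))] = name
    return flagged

def demo():
    """Build a constructed sample tree: one JPEG disguised as .txt plus files that must not be flagged."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG renamed to .txt
    (root / "report.pdf").write_bytes(b"%PDF-1.7\n")                       # extension matches
    (root / "memo.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 8)          # OOXML is a zip container
    (root / "README").write_bytes(b"plain text, no known signature")       # unknown, left alone
    return scan(root)  # -> {'notes.txt': 'jpeg'}
```

A signature hit is a triage signal rather than proof: container formats such as .docx share the zip header, so each flagged file still needs a closer look.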
The Memory Viewer lets you view the processes running in the computer's RAM while the computer is on, which is useful for finding malware in memory if you notice anomalies. Another very useful feature is file indexing: OSForensics can search a hard drive much faster than the built-in Windows search and shows a preview with thumbnails in a pane. Keyword and date filtering are available, as is email message indexing; Microsoft Outlook, Thunderbird, Windows Live Mail, Eudora and many others are supported (.pst, .mbox, .msg, .eml, .dbx), and email message headers, including the sender's IP, can be viewed.
OSForensics can run on a live system, but a real computer expert will avoid doing so until the hard drive has been cloned first: a running operating system changes data while it functions, e.g. timestamps, running malware, logs. The first thing a computer forensic expert does before seizing a compromised system is to pull the machine's plug out of the wall to cut the power, as logging off a computer through the normal shut-down process will modify many logs and processes.
OSForensics free version main features
- Memory viewer and dumper
- Raw disk viewer
- Verify & create hash values
- Disk imaging & drive zeroing
- Install and run from USB stick
- Collect system information, settings, environment
This free forensics software can be copied to a USB device for use on site, making it a good triage tool for quickly determining whether a digital device holds anything of interest that justifies taking it to the lab. OSForensics is a great tool for those wanting to get into the computer forensics field and learn on their own; the free version is missing some features but is still useful.
Typical law enforcement computer forensics software like EnCase is much more complex to use, has no free version and is very expensive for an individual; beginners should start learning with a cut-down version such as this one.
Note: you can download example rainbow tables and hash sets (for password cracking) from the OSForensics website.
Wil
That’s the LAST thing a Forensic Examiner will do: pull the plug. The potential loss of volatile data is too risky to pull the plug without first acquiring a live acquisition of the suspect computer.