Management Chapter 8 Homework Ram Which May Include Information All Running

Management Information Systems, 13TH ED.
MANAGING THE DIGITAL FIRM
Kenneth C. Laudon Jane P. Laudon
Learning Track 3: Computer Forensics
For thirty years, a serial murderer known as the BTK killer (standing for bind, torture, and kill)
remained at large in Wichita, Kansas. The BTK killer first struck in 1971 with the murder of four
members of a Wichita family in their home and committed his last in this early period murder in
What Is Computer Forensics?
Computer forensics is the scientific collection, examination, authentication, preservation, and
analysis of digital data so that the information can be used as evidence in a court of law. Both local and
federal law enforcement agencies use computer forensics to gather evidence for criminal cases or to
obtain more information about a suspect. Large corporations may hire a computer forensics expert
to monitor employee computer activities to make sure employees are not leaking sensitive or
critical company information or using company computer resources in harmful ways.
Computer forensics can be an indispensable tool in divorce cases where one party may be trying to
conceal or secretly transfer wealth, or there is suspicion of infidelity or other conduct that would
Chapter 8: Securing Information Systems
Chapter 8 Learning Track 3 2
to erase data was downloaded and used to remove items from the hard drive shortly before the
computer was turned over to the forensic examiner. The forensic examiner additionally determined
that the financial records that had been provided by the spouse had been generated by a program
version that was not in use at the time the records were purportedly created. As a result, the court
concluded that the records had been modified and imposed a sanction against the spouse that had
provided the records.
Computer forensics requires specialized expertise and tools that go beyond the normal data
collection and preservation techniques employed by end users and information systems departments.
Digital Evidence
Digital evidence consists of any information stored or transmitted in digital form that can be
used in court for either criminal or civil cases. Digital evidence can be found in e-mail, voice mail,
instant messaging, Web browsing histories, digital photographs and video, computer disk drives,
CDs, DVDs, USB storage devices, iPods and MP3 players, smart phones, cell phones, pagers,
photocopiers, fax machines, and Global Positioning System (GPS) tracks.
E-mail is now a primary means of communication and a major source of digital evidence. This
evidence may be found in the body of the e-mail or in an attachment. E-mail data may be stored on
Obtaining Digital Evidence
Like any other piece of evidence used in a legal case, the information obtained by a computer
forensics investigation must follow the standards of admissible evidence in a court of law. Those
presenting electronic evidence must be able to demonstrate the reliability of the computer
equipment, the manner in which the basic data were initially entered, measures taken to ensure the
accuracy of the data as entered, the method of storing the data, precautions taken to prevent its
loss, and the accuracy and reliability of the computer programs used to process the data.
The computer forensics investigator needs to document all work done to a computer and all
information found. An investigator who uses a faulty procedure may invalidate all the digital evidence
collected. To make sure evidence is not lost, destroyed, or compromised, the following guidelines
should be followed:
2. Handle the original evidence as little as possible to avoid changing data.
4. Establish and maintain a chain of custody.
5. Never exceed personal knowledge.
Unless it is completely unavoidable, digital evidence should not be analyzed using the same
machine from which it was collected. Instead, forensic image copies of the contents of computer
storage devices (primarily hard drives) are made.
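The imaging and chain-of-custody guidelines above can be sketched as follows. This is an added example, not part of the original text; the SHA-256 verification step, the hash-linked custody log, and all function, file and handler names are assumptions made for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_and_verify(source, image):
    """Copy source to image byte for byte, hashing the source in the same pass."""
    h = hashlib.sha256()
    # Source is opened read-only; "xb" refuses to overwrite an existing image.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    source_hash = h.hexdigest()
    image_hash = sha256_file(image)  # re-read what actually landed on disk
    return source_hash, image_hash, source_hash == image_hash

def custody_entry(log_path, item, action, handler, digest):
    """Append a custody record; 'prev' hashes the prior line so later edits show."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    rec = {"time": datetime.now(timezone.utc).isoformat(), "item": item,
           "action": action, "handler": handler, "sha256": digest, "prev": prev}
    with open(log_path, "a") as f:
        f.write(json.dumps(rec, sort_keys=True) + "\n")
    return rec

def demo():
    """Constructed sample: random bytes stand in for a seized storage device."""
    d = tempfile.mkdtemp()
    src, img, log = (os.path.join(d, n) for n in ("evidence.bin", "evidence.img", "custody.jsonl"))
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))
    src_hash, img_hash, ok = image_and_verify(src, img)
    first = custody_entry(log, "evidence.bin", "imaged", "examiner-1", src_hash)
    second = custody_entry(log, "evidence.img", "released for analysis", "examiner-1", img_hash)
    return ok, first, second, img, log

if __name__ == "__main__":
    print(demo()[0])
```

Analysis then proceeds on the image, and re-hashing it at any later point shows whether it still matches the value recorded at acquisition.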
If a machine is suspected of being used for illegal communications, such as terrorist traffic,
important information may not be stored on the hard drive. Several Open Source tools are available to
information may help a forensic investigation by showing, for example, whether someone tried to
uninstall a program.
It is possible that the expert trying to analyze a live computer system will make changes to the
contents of the hard drive. During each phase of the analysis, the forensic examiner needs to
identify the information that will be lost when the system powers down, balancing the need to
potentially change data on the hard drive with the evidentiary value of the perishable data.
TABLE 1 Digital Forensic Software Tools
Software tool | Description
EnCase Forensics | Comprehensive tool capable of performing both file imaging and analysis, and analyzing and documenting multiple e-mail formats.
DCFLdd | Open source tool that is often used to create bit-stream image files of
Mailbag Assistant | Tools for searching, organizing, and analyzing e-mail in many different formats.
IsoBuster | Data recovery tool for examining CDs and DVDs. Works with multiple CD and DVD file formats and CD image files. Is capable of viewing and accessing data on CDs and DVDs from both open and closed sessions, thereby displaying data which may not be readily accessible by other
Paraben Device Seizure | Provides deleted data recovery and full data dumps of certain cell phone models
SMART | Software utility that can acquire data from digital devices and clone it to any number of images and devices simultaneously. Able to recover
Careers in Computer Forensics
Computer forensics is a blossoming field, given the increasing amount of public discussion and
legislation aimed at controlling computer crime, identity theft, data leakage, and data protection. The
A computer forensics investigator is responsible for collecting and evaluating data stored or
encrypted on digital media or for recovering data that have been deleted from a computer device.
The investigator is also charged with securing the data and ensuring they are not accidentally
damaged during an investigation. Once the investigation is complete, the computer forensics
investigator will write a detailed report describing the findings of the investigation. Computer forensics
investigators work with law enforcement agencies, large corporations, or consulting firms or they
operate on their own as freelance consultants to businesses that do not need or cannot afford a
full-time computer forensics professional.
The two most common certifications for computer forensics investigators are the Certified
Information Systems Security Professional (CISSP) and the Certified Computer Examiner (CCE).
The CISSP is offered by the International Information Systems Security Certification Consortium,
or ISC. To be certified, individuals must pass a six-hour CISSP examination. Candidates for the
Digital Forensic Degree Programs
Many computer forensics professionals acquire expertise while on the job in law enforcement and
computer security positions, but formal education is becoming more necessary as a requirement
for these positions. There are computer forensics certificate programs for people who already have
some career knowledge. People with no law enforcement or security background can pursue an
associate’s degree, a bachelor’s degree, or a master’s degree program in computer forensics. For
The associate’s degree in computer forensics is a two-year study program that includes courses in
cybercrime, intrusion detection systems, and legal basics, along with courses in technical writing,
algebra, and public speaking.
The bachelor’s degree in computer forensics is a four-year program providing computer forensics
knowledge along with general education. Graduates typically take courses in criminal law, comput-
Master’s degree programs in computer forensics are typically pursued by law enforcement and
computer security professionals who have already earned bachelor’s degrees. These programs
