Computer forensics integrates the fields of computer science and law to investigate crime. For digital evidence to be legally admissible in court, investigators must follow proper legal procedures when recovering and analyzing data from computer systems. Unfortunately, laws written before the era of computer forensics are often outdated and cannot adequately assess the techniques used in a computer system search. The inability of the law to keep pace with technological advancements may ultimately limit the use of computer forensics evidence in court. Privacy advocates are growing especially concerned that computer searches may be a breach of a suspect’s human rights. Furthermore, as methods for encryption and anonymity grow more advanced, technology may be abused by helping criminals hide their actions. Ultimately, the role of technology in computer forensics may not reach its full potential due to legal boundaries and potential malicious intentions.
Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
Evidence from computer forensics investigations is usually subjected to the same guidelines and practices as other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within U.S. and European court systems.
In court, computer forensic evidence is subject to the usual requirements for digital evidence. This requires that information be authentic, reliably obtained, and admissible. Different countries have specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often follow Association of Chief Police Officers guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts [1, 101].
Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics follows a similar process to other forensic disciplines, and faces similar issues.
By running a live acquisition program on the suspect computer and attaching a destination drive to it, the examiner will make changes and/or additions to the state of the computer which were not present before the examiner’s actions. However, the evidence produced would still usually be considered admissible if the examiner was able to show why such actions were considered necessary, that they recorded those actions and that they are able to explain to a court the consequences of those actions [2, 244].
Today’s forensic examiners have become the victims of their own success. Digital storage devices such as hard drives and flash memory are such valuable sources of information that they are now routinely seized in many investigations. As a result, examiners simply do not have the time to analyze all the media that comes across their desks.
We have identified several uses for cross-drive analysis:
- Automatic identification of «hot» drives. With simple statistical techniques it is possible to automatically identify drives in a large collection that are likely to be of interest, and thus should be given higher priority.
- Improving single-drive forensic systems. Data collected during the course of cross-drive analysis can be used to create smarter single-drive forensic tools, for example by developing a «stop list» of information that can be safely ignored by other forensic tools.
- Identification of social network membership. If several drives in a forensic repository are known to have been used by an organization under scrutiny (for example, a terrorist organization), then cross-drive analysis can be used to determine if a newly acquired piece of digital media was used by an organization that had contact with the organization in question.
- Unsupervised social network discovery. Given a collection of forensic images, cross-drive analysis can be used to automatically identify organizations that were not previously known [3, 84].
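The «hot» drive ranking, the «stop list» and drive-to-drive correlation described above, as an added example (not code from the cited paper or the original article). It assumes e-mail addresses as the extracted feature and a stop-list threshold of 75% of drives; the drive contents are constructed sample data.

```python
import re
from collections import Counter
from itertools import combinations

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample data standing in for raw bytes read from four drive images.
DRIVES = {
    "drive_a": b"\x00support@vendor.example\x00alice@corp.example bob@corp.example\xff",
    "drive_b": b"junk support@vendor.example junk carol@shop.example",
    "drive_c": b"BOB@corp.example;support@vendor.example;alice@corp.example;dave@isp.example",
    "drive_d": b"support@vendor.example only",
}

def extract_features(raw):
    """Pull e-mail addresses out of raw bytes and normalise them to lower case."""
    return {m.decode("ascii").lower() for m in EMAIL_RE.findall(raw)}

def build_stop_list(features_by_drive, max_fraction=0.75):
    """Features present on more than max_fraction of drives carry no signal."""
    df = Counter(f for feats in features_by_drive.values() for f in feats)
    limit = max_fraction * len(features_by_drive)
    return {f for f, n in df.items() if n > limit}

def rank_hot_drives(features_by_drive, stop_list):
    """Order drives by how many distinct non-stop-list features they hold."""
    scores = {d: len(f - stop_list) for d, f in features_by_drive.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def correlate_drives(features_by_drive, stop_list):
    """Score each drive pair by shared features, weighting rare ones higher."""
    df = Counter(f for feats in features_by_drive.values() for f in feats)
    pairs = {}
    for a, b in combinations(sorted(features_by_drive), 2):
        shared = (features_by_drive[a] & features_by_drive[b]) - stop_list
        if shared:
            pairs[(a, b)] = sum(1.0 / df[f] for f in shared)
    return pairs

if __name__ == "__main__":
    feats = {name: extract_features(raw) for name, raw in DRIVES.items()}
    stop = build_stop_list(feats)
    print("stop list:", stop)
    print("hot drives:", rank_hot_drives(feats, stop))
    print("correlated pairs:", correlate_drives(feats, stop))
```

The address found on every drive ends up on the stop list, so it neither inflates a drive's score nor links drives that merely share a common vendor contact.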
Ten cool technologies used in forensic science today:
- Laser Ablation Inductively Coupled Plasma Mass Spectrometry (LA-ICP-MS): When broken glass is involved in a crime, putting together even tiny pieces can be key to finding important clues like the direction of bullets, the force of impact or the type of weapon used in a crime. Through its highly sensitive isotopic recognition ability, the LA-ICP-MS machine breaks glass samples of almost any size down to their atomic structure. Then, forensic scientists are able to match even the smallest shard of glass found on clothing to a glass sample from a crime scene. In order to work with this type of equipment in conjunction with forensic investigation, a Bachelor’s Degree in Forensic Science is usually necessary.
- Alternative Light Photography: For a forensic nurse, being able to quickly ascertain how much physical damage a patient has suffered can be the difference between life and death. Although they have many tools at their disposal to help make these calls quickly and accurately, Alternative Light Photography is one of the coolest tools to help see damage even before it is visible on the skin. A camera such as the Omnichrome uses blue light and orange filters to clearly show bruising below the skin’s surface. In order to use this equipment, you would need an MSN in Forensic Nursing.
- High-Speed Ballistics Photography: You might not think of it right away as a tool for forensic scientists, but ballistics specialists often use high-speed cameras in order to understand how bullet holes, gunshot wounds and glass shatters are created. Virtually anyone, from a crime scene investigator to a firearms examiner, can operate a high-speed camera without any additional education or training. Being able to identify and match bullet trajectories, impact marks and exit wounds must be done by someone with at least a Bachelor’s of Science in Forensic Science.
- Video Spectral Comparator 2000: For crime scene investigators and forensic scientists, this is one of the most valuable forensic technologies available anywhere. With this machine, scientists and investigators can look at a piece of paper and see obscured or hidden writing, determine quality of paper and origin and “lift” indented writing. It is sometimes possible to complete these analyses even after a piece of paper has been so damaged by water or fire that it looks unintelligible to the naked eye. In order to run this equipment, at least a Bachelor’s Degree in Forensic Science or a Master’s Degree in Document Analysis is usually required.
- Digital Surveillance For Xbox (XFT Device): Most people don’t consider a gaming system a potential place for hiding illicit data, which is why criminals have come to use them so much. In one of the most ground-breaking forensic technologies for digital forensic specialists, the XFT is being developed to allow authorities visual access to hidden files on the Xbox hard drive. The XFT is also set up to record access sessions to be replayed in real time during court hearings. In order to be able to access and interpret this device, a Bachelor’s Degree in Computer Forensics is necessary.
- 3D Forensic Facial Reconstruction: Although this forensic technology is not considered the most reliable, it is definitely one of the most interesting available to forensic pathologists, forensic anthropologists and forensic scientists. In this technique, 3D facial reconstruction software takes real-life human remains and extrapolates a possible physical appearance. In order to run this type of program, you should have a Bachelor’s Degree in Forensic Science, a Master’s Degree in Forensic Anthropology or a Medical Degree with an emphasis on Forensic Examination and Pathology.
- DNA Sequencer: Most people are familiar with the importance of DNA testing in the forensic science lab. Still, most people don’t know exactly what DNA sequencers are and how they may be used. Most forensic scientists and crime lab technicians use what’s called DNA profiling to identify criminals and victims using trace evidence like hair or skin samples. In cases where those samples are highly degraded, however, they often turn to the more powerful DNA sequencer, which allows them to analyze old bones or teeth to determine the specific ordering of a person’s DNA nucleobases, and generate a “read” or a unique DNA pattern that can help identify that person as a possible suspect or criminal.
- Forensic Carbon-14 Dating: Carbon dating has long been used to identify the age of unknown remains for anthropological and archaeological findings. Since the amount of radiocarbon (which is what Carbon-14 dating calculates) has increased and decreased to distinct levels over the past 50 years, it is now possible to use the same technique to identify forensic remains. The only people in the forensic science field that have ready access to Carbon-14 Dating equipment are forensic scientists, usually with a Master’s Degree in Forensic Anthropology or Forensic Archaeology.
- Magnetic Fingerprinting and Automated Fingerprint Identification (AFIS): With these forensic technologies, crime scene investigators, forensic scientists and police officers can quickly and easily compare a fingerprint at a crime scene with an extensive virtual database. In addition, the incorporation of magnetic fingerprinting dust and no-touch wanding allows investigators to get a perfect impression of fingerprints at a crime scene without contamination. While using AFIS requires only an Associates Degree in Law Enforcement, magnetic fingerprinting usually requires a Bachelor’s Degree in Forensic Science or Crime Scene Investigation.
- Link Analysis Software for Forensic Accountants: When a forensic accountant is trying to track illicit funds through a sea of paperwork, link analysis software is an invaluable tool to help highlight strange financial activity. This software combines observations of unusual digital financial transactions, customer profiling and statistics to generate probabilities of illegal behavior. In order to accurately understand and interpret findings with this forensic technology, a Master’s Degree in Forensic Accounting is necessary [4, 29].
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field.
Computers may constitute a ‘scene of a crime’, for example with hacking or denial of service attacks, or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking.
However, sometimes it is not possible or desirable to switch a computer off. It may not be possible if doing so would, for example, result in considerable financial or other loss for the owner. The examiner may also wish to avoid a situation in which turning a device off causes valuable evidence to be permanently lost. In both these circumstances the computer forensic examiner would need to carry out a «live acquisition», which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner’s hard drive [5, 22].
For computer forensics to progress, the law must keep pace with technological advancements. Clear and consistent legal procedures regarding computer system searches must be developed so that police and investigators can be properly trained. An International Code of Ethics for Cyber Crime and Cyber Terrorism should also be established to develop protocols for «obtaining and preserving evidence, maintaining the chain of custody of that evidence across borders», and «clear up any difference in language issues». Following these measures may be the first steps to resolving the technological and legal limitations afflicting computer forensics. Interpol, the International Criminal Police Organization, has developed a Computer Crime Manual with «training courses» and «a rapid information exchange system» that serves as a foundation for international cooperation. Lastly, the criminal abuse of technology can be limited by equipping the police department with state-of-the-art training and equipment for forensic analysis. Only then is the world safely prepared to face the future of technology. As one author predicts, «the next world war will be fought with bits and bytes, not bullets and bombs».
1. Criminalistics. Textbook / Zhakishev E. G., Isaev A. A., Naimanova G. H. — Almaty: «Zhety zhargy», 2006. — 520 p.
2. Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. By Albert J. Marcella Jr. & Robert S. Greenfield. Paperback / January 2012. — 343 p.
3. Forensic feature extraction and cross-drive analysis. Simson L. Garfinkel, Center for Research on Computation and Society, Harvard University, Cambridge, MA 02139, USA.
4. Segai M. Ya. Modern possibilities of forensic examination in the light of advances in science and technology. — Kiev, 1987. — 129 p.
5. R. McKemmish, What is Forensic Computing? Australian Institute of Criminology Trends and Issues, Number 118, June 2009. — 71 p.