Book Provides Essential Information on Computer Forensics
While computers and the Internet have made organizations and individuals more efficient, they have also made them more vulnerable to fraud, identity theft, and unwanted and unauthorized intrusions. Because of these new risks, organizations and individuals need to understand evidentiary, technical, and legal issues related to digital evidence. Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers by law professor Michael Sheetz provides an introduction to computer forensics in a non-technical manner.
The author, who has 20 years' experience in civilian and military law enforcement in the areas of white collar crime and high-tech investigation, begins with a history and definition of computer forensics in chapter one. According to Sheetz, computer forensics is the study of computers in a manner that is consistent with the rules of evidence and court rules of procedure. The chapter concludes with a history of computer evolution and a description of the hacker community.
In chapter two, the author provides a high-level description of computer processing (i.e., input, storage, processing, and output). A key point mentioned in this chapter is that many electronic devices today, such as cellular phones, MP3 players, iPods, fax machines, printers, USB storage sticks or thumb drives, and digital cameras, are computers with processing units and storage that may hold evidentiary materials.
After describing computer processing, Sheetz discusses the first two steps of the computer forensics process (i.e., preservation and collection of digital evidence) in chapter three. This chapter also discusses the legal concept of admissibility of evidence, a critical step in the computer forensic process, which states that if evidence is not properly preserved, it will not be admitted in court. Hence, the evidence to be presented must be the most reliable and readily available. Although the original source is preferred, steps should be taken to prove that none of the evidence presented in court has changed since it was seized. In addition, the author discusses the impact of power-on, boot-up; power-down, shut-down; and routine operating system function on digital evidence preservation.
Next, Sheetz discusses the aspect of analysis and recreation of digital evidence in chapter four. To this end, the author suggests some computer software tools to aid in the analysis process. Investigators typically use these tools on digital images or copies of the original storage devices, thereby preserving the original evidence.
Chapter five goes into more detail by providing information on the final steps of the computer forensics process (i.e., reporting and rendering the opinion). As Sheetz discusses, report writing is made easier if good documentation of the site is made at first contact by capturing details such as photos of the equipment and setup; making diagrams of component connections and cables; and placing tags on each wire, cable, or connector. Furthermore, the report should contain the following sections: an executive summary or abstract, a table of contents, a body or findings section, a conclusion, supporting documents, and appendices. Finally, the chapter discusses the different steps in the trial process (i.e., dispute or offense, complaint-pleading or indictment, service of process, plead or answer the complaint, pretrial motions filings, depositions and interrogatories, demands for production, and the trial).
These five chapters present the basic information on computer forensics. The next two chapters talk about how computers can be used to cause harm. More specifically, chapter six describes some of the threats to computer systems — from the outside and the inside of the organization — which can range from unauthorized use and theft of proprietary data (i.e., customer data, employee data, or intellectual property) to denial-of-access attacks and intentional destruction of equipment. This discussion is continued in chapter seven, which also talks about how computers can be used to cause harm. For instance, computers can be used to prepare a ransom note in an extortion crime or to create fake cash or cash equivalents. Computers also may contain evidence of other crimes, such as financial records of illegal activities, including the selling of drugs or bookmaking.
Chapter eight then describes how computers can be used for computer forensic examinations. The first essential step is to be sure you have proper authority to conduct the search. The author also introduces computer forensic tools and points out particular areas to examine for evidence, such as file storage areas, which may be overlooked during an investigation.
Finally, the book concludes with some of the concerns relating to the presentation of digital evidence in court. As Sheetz points out, while the computer forensic examiner may be highly technically trained and skilled, he or she must remember that the evidence is presented to a jury of peers who may not understand how a computer works. Sheetz also discusses the legal concept of evidence, by describing the various types of evidence and the legal requirements for each category, and provides information on some of the legal complications related to computer systems and some of the laws that attempt to address these issues.
Each chapter ends with a suggested reading list.
Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers provides a good introduction to the area of computer forensics. If you are not aware of the risks associated with the use of computers, then I would highly recommend you start with this book to get a good overview of the subject.
The editor would like to thank Michael S. Hines, OS/390 systems programmer with Purdue University's IT department, for reviewing this book.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.