Computer Forensics
According to the TechTarget web site, “Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.”
Here at UHCL, we have expanded the term a bit to include any computer investigative process whether we suspect that it involves the commission of a crime or not.
When might forensic technology be used?
Forensic techniques are used when:
- It is suspected that an individual is involved in the commission of a crime
- It is suspected that a computer has been compromised
- A device is lost or stolen and a backup of its hard drive is available. In this case, we copy the backed-up files onto a comparable computer to determine whether the lost or stolen drive contained any information that is protected by law or contract.
What kinds of forensic tools are available?
There are a number of tools that are used in forensic activities including software that can:
- Make “forensic copies” of a computer’s hard drive to ensure that the data being analyzed is in the same state as when the forensic process began.
Important Note: Making a forensic copy of the hard drive works hand in hand with “chain of evidence” procedures to confirm that the data has not been altered in case prosecution is pursued. The standard way to support that claim is to record a cryptographic hash (for example, SHA-256) of the original drive and of the copy at the time the copy is made, so that the two can be shown to match later.
- Recover deleted data (both full and partial files) from a hard drive – even after the recycle bin has been emptied. See the Deleting Data page to learn what makes data recovery tools effective.
- Anti-virus/anti-malware software that can find evidence of known attacks
- Security Information and Event Management (SIEM) software that can analyze patterns in the security logs across multiple technologies to determine if a possible cyberattack is in progress or to reconstruct sequences of events
What are the key steps in performing a forensic analysis?
If a computer is compromised, quick action must be taken to preserve the “state” of the device.
First, the user of the device must immediately:
- Unplug it from the network
- Power the computer down
- Contact the Information Security Office through the OIT Support Center at extension 2828 or supportcenter@uhcl.edu
Next, the Information Security Office will:
- Make one or more forensic copies of the data by:
  - Removing the hard drive from the unit
  - Plugging the hard drive into another device as a secondary drive, so that the evidence drive is never booted from
  - Copying the hard drive’s contents onto a storage device that becomes read-only after the data is transferred
  - Physically securing the forensic copy, e.g., placing it in a sealed package that is signed by the person who made the copy
- Use forensic-analysis and anti-malware software to look for evidence of a compromise on the hard drive
- Investigate attack paths by analyzing computer and network log data
- Bring in the University Police Department immediately if criminal activity is suspected
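The forensic-copy steps above, as an added example that is not UHCL's own tooling or procedure: a POSIX shell script that hashes the evidence, copies it bit-for-bit with dd, hashes the copy, makes the copy read-only, and appends each hash to a chain-of-custody log that can be checked again later. It assumes dd plus sha256sum (or shasum on BSD/macOS) are available; the function names and the custody-log record format are the example's own, and the demo at the bottom uses a constructed file in place of a real evidence drive.

```shell
#!/bin/sh
# Added example, not UHCL's own procedure or tooling. It models the
# "forensic copy" steps above: hash the evidence, copy it bit-for-bit
# with dd, hash the copy, make the copy read-only, and append hash
# records to a chain-of-custody log. On a real case SRC would be the
# evidence drive's block device (e.g. /dev/sdb) attached through a
# write blocker; the demo below uses a constructed file instead.

# Print the SHA-256 of a file (GNU sha256sum, or shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one custody record: UTC time, event, path, hash, operator.
# log_custody EVENT PATH HASH LOG   (record format is this example's own)
log_custody() {
    printf '%s  %s  %s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$1" "$2" "$3" "${USER:-$(id -un)}" >> "$4"
}

# forensic_copy SRC DST LOG: returns 0 only if the copy hashes the same
# as the source. The source is hashed before and after the copy so that
# a read that changed the media (no write blocker, a failing disk) is
# also caught and recorded.
forensic_copy() {
    src="$1"; dst="$2"; log="$3"
    before=$(hash_file "$src")
    log_custody acquire-start "$src" "$before" "$log"
    # Bit-for-bit copy. conv=noerror keeps dd going past unreadable
    # sectors instead of aborting. conv=sync is deliberately not used:
    # padding the final block would change the image's hash.
    dd if="$src" of="$dst" bs=4194304 conv=noerror 2>/dev/null
    after=$(hash_file "$src")
    copy=$(hash_file "$dst")
    chmod 444 "$dst"            # the copy is now read-only
    log_custody acquire-end "$dst" "$copy" "$log"
    if [ "$before" != "$after" ] || [ "$before" != "$copy" ]; then
        log_custody HASH-MISMATCH "$dst" "$copy" "$log"
        return 1
    fi
    return 0
}

# verify_copy DST LOG: later check that the image still matches a hash
# recorded at acquisition. Changing even one byte of the image makes
# this fail, which is what the chain of evidence relies on.
verify_copy() {
    h=$(hash_file "$1")
    grep -F "acquire-end" "$2" | grep -qF "  $h  "
}

# Demo on constructed data standing in for a drive: copy, verify, and
# print the custody log.
work=$(mktemp -d)
yes 'constructed sample sector content' | head -c 3000000 > "$work/evidence.img"
forensic_copy "$work/evidence.img" "$work/evidence-copy.img" "$work/custody.log" \
    && echo "copy verified: $(hash_file "$work/evidence-copy.img")"
verify_copy "$work/evidence-copy.img" "$work/custody.log" \
    && echo "image still matches the custody log"
cat "$work/custody.log"
```

On a real acquisition the source would be attached through a hardware write blocker and the image written to the media that is then sealed; the script's only job is to produce the matching hashes and the log entries that go into the sealed package with it.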