Digital Forensics
Written by Gary C. Kessler, M.S., CISSP   
Friday, 09 February 2007

 

Think you’ve completely erased that e-mail or photo on your computer or cell phone? Think again. Everything a user does on a computer leaves a trace. Evidence of computer activity is stored in many places on the hard drive, some obvious and some very obscure. Information about network access is potentially logged on many computers throughout the local network and global Internet. Cell phones contain information about who you've called and who's called you. Digital tracks are everywhere.

Digital forensics -- a broad term sometimes used synonymously with computer forensics, network forensics, and cyberforensics -- is the acquisition, discovery, collection, analysis, and reporting of evidence found on computers and networks. This field integrates aspects of criminal justice, computer science, and computer forensics techniques.

Forensics has come to the public forefront in the last five years due to a number of events, including 9/11, the ever-increasing number of computer and network security incidents, and the emergence of a cabinet-level Department of Homeland Security and Presidential Plan to Secure Cyberspace. Even absent these events, an increased number of criminals employ computers and networks as the means of committing a crime and/or the storage of information and records about their criminal activity. Furthermore, Internet-based frauds, identity theft, white collar crime, and other cyber-based crimes are on the rise.

Computer forensics is a rapidly growing field for the simple reason that computers and the Internet are the fastest growing technology used for criminal activity. As computers become smaller, lighter, cheaper, and easier to use, they appear at nearly every crime scene that police investigate. Some activities, such as illegal gambling and unauthorized access to computers, have been given new life because of the pervasiveness of computers and the Internet. The cybercrime scene, of course, becomes routers, servers, and packets on the Internet, and it is extremely difficult to take the snapshot of the Internet that is required for a methodical analysis.

Evidence can be found in almost any type of computing device -- although the term computer needs to be viewed broadly. Digital devices include not merely the obvious desktop and laptop computers, but routers, servers, cell phones, cameras, personal digital assistants (PDAs), and more. Furthermore, there are many different types of digital media that must be handled, all with different connection types and different file systems. 

Computers are nearly ubiquitous today. Common digital devices include (clockwise from upper left): desktop computers, enterprise routers, rack-based servers, laptops, PDAs, residential routers, cameras, and cell phones.

Digital forensics examiners need to acquire information from many different types of media, as shown here. Media types include (left-to-right, top row): Swiss Army Knife USB memory stick, USB memory stick watch, compact disc (CD), USB thumb drive; (middle row): ZIP disk, laptop hard drive, desktop internal hard drive, USB memory stick pen; (bottom row): floppy disk, memory expansion card, memory card, and cell phone SIM card.

Traditional forensic science generally involves comparing a known sample with an unknown sample, such as comparing a latent fingerprint or DNA sample from a crime scene with a suspect's fingerprint or DNA. Computer forensics and the investigation of crimes in cyberspace are different; here we examine the evidence surrounding an event to reconstruct what actually happened. In addition, the crime scene is global and constantly changing when computers and networks are involved, a big difference from the traditional crime scene where police would merely throw yellow tape around a room to secure the evidence. Forensic computing is a cross between traditional forensic techniques and traditional investigative techniques.

The computer forensics process follows these basic steps:

  • Preserve the media - Computer forensics analysis is not performed on the original media except under the most extraordinary circumstances because of the potential of accidentally making a change to the original evidence. The copy also needs to be made in such a way that the original information is not altered in any way and that it can be authenticated as containing the same information as the original; this is generally accomplished using a mathematical formula known as a hash function, which can provide a digital fingerprint of a file, directory, or hard drive. This process is known as imaging a drive.
  • Extract evidence - Based upon the guidelines of the investigation and/or a search warrant, the cyber examiner needs to determine what kind of information on the computer is pertinent to the case. Clues as to what to search for will depend upon the type of case; spreadsheets, for example, would be highly relevant to a business fraud case, while images are important for a case of suspected child pornography, and chat and e-mail logs are of use to a case of cyberstalking. Keywords, such as pertinent phrases, slang words, names, locations, etc., must be provided to the computer examiner by the investigator on the case.
  • Analyze computer media - The actual analysis of evidence and/or the root cause of the event is the most time-consuming aspect of the process. It is important to note that the information retrieved from the computer can either be incriminating or exculpatory. In addition, the examiner has to look at the entirety of the medium because information can be hidden anywhere.
  • Document results - The results of a computer forensics exam must be documented thoroughly, particularly if the examination is being performed for legal purposes. Everything must be written down, from the configuration of the computer and BIOS settings to each and every step taken by the forensic examiner and any pertinent evidence that is found. All computer equipment, media, peripherals, or other items seized must be logged and photographs should be taken of external and internal connections, if possible. The handling of the evidence also has to be carefully logged to demonstrate that no tampering occurred.
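The preserve-and-document steps above, as an added Python example that is not part of the original article: the media is streamed block by block into an image while the bytes read are hashed, the finished image is re-hashed and compared against that acquisition hash, and a custody record is produced. The media contents, item identifier, and examiner name are constructed placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK = 512  # stream in sector-sized blocks; the image never has to fit in memory

# Constructed stand-in for a small piece of seized media (not real drive data).
MEDIA = b"BOOT" + b"\x00" * 508 + b"Q3 ledger.xls deleted 2007-01-15" + b"\xff" * 480

def hash_stream(stream, algo="sha256"):
    """Hash a binary stream block by block and return the hex digest."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(BLOCK), b""):
        h.update(block)
    return h.hexdigest()

def image_media(source, image):
    """Copy every byte from the read-only source into the image while hashing
    the bytes as they are read; the returned digest is the acquisition hash."""
    h = hashlib.sha256()
    for block in iter(lambda: source.read(BLOCK), b""):
        h.update(block)
        image.write(block)
    return h.hexdigest()

def verify_image(image, acquisition_hash):
    """Re-hash the finished image from the start; it must equal the acquisition hash."""
    image.seek(0)
    return hash_stream(image) == acquisition_hash

def acquire(media_bytes, item_id, examiner):
    """Image the media, verify the copy, and return it with a custody log entry."""
    source, image = io.BytesIO(media_bytes), io.BytesIO()
    acquisition_hash = image_media(source, image)
    record = {"item": item_id, "examiner": examiner,
              "acquired_utc": datetime.now(timezone.utc).isoformat(),
              "sha256": acquisition_hash,
              "image_verified": verify_image(image, acquisition_hash)}
    return image.getvalue(), record

def detects_tampering(image_bytes, acquisition_hash):
    """Flipping one bit anywhere in the image must make verification fail."""
    altered = bytearray(image_bytes)
    altered[600] ^= 0x01  # byte 600 lies inside the constructed data region
    return not verify_image(io.BytesIO(bytes(altered)), acquisition_hash)

if __name__ == "__main__":
    img, rec = acquire(MEDIA, "ITEM-001 (constructed)", "examiner (placeholder)")
    print(rec, "tamper detected:", detects_tampering(img, rec["sha256"]))
```

The custody record is what the documentation step asks for: which item was imaged, by whom, when, and the digest that lets anyone later re-hash the image and confirm it is unchanged.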

The computer forensics examiner has a variety of tools -- hardware tools to physically connect to the digital media; software tools with which to acquire, search, organize, and report on the information; and network-based tools with which to obtain information about Internet-attached networks, domains, network traffic, e-mail, and more.

The use of forensic analysis tools and investigative techniques is not of relevance just to the law enforcement community and other public sector organizations such as the military, federal government, and intelligence community. Indeed, the private sector represents an area of significant growth. Many private companies, for example, have a digital forensics expert on their information security staff to investigate computer security incidents internal to their network and to perform audit functions in order to ensure compliance with government and industry laws, regulations, and best practices. Computer forensics skills are also used by large law firms, private companies offering third-party forensics analysis in criminal or civil trials, and data recovery services.

In the past, the pioneering work in digital forensics has been done by computer scientists and law enforcement professionals with an interest in computers -- often not working together. Over time, we see that the best computer crime examiners are computer-savvy individuals who understand technology and people who like to solve puzzles and problems. Despite what we see on TV and read in the papers, computer and network forensics requires knowledge of how to conduct an investigation rather than just looking at the computer and expecting the incriminating information to jump out at you; every examination will differ.

Computer forensics examiners must possess an array of skills with which to recreate the activities under investigation. They must certainly be technically knowledgeable, and enjoy troubleshooting and solving puzzles. They must be aware of the legal constraints and organizational policies that guide what they can and cannot do. In an ever-changing field, they must be willing to constantly learn about new technologies and laws. They must be able to communicate the process and results of their analysis in both written and oral form, with particular attention paid to presenting very technical information to often non-technical audiences. Finally, they must also possess and demonstrate a high degree of honesty and integrity.

The industry has not yet established formal requirements for entry into this field. Some educational guidelines include:

  • B.S. degree in computer forensics or information security for those interested in examiner and analyst positions; computer science, computer engineering, electrical engineering, or related fields with courses in computer forensics are recommended for those interested in designing and developing forensics tools
  • Graduate course work related to management is recommended for career advancement

For more information about undergraduate education, see Champlain College's Computer & Digital Forensics Web site at http://digitalforensics.champlain.edu/. For additional general information about cyberforensics, see Gary Kessler's Cybercrime and Cyberforensics-related URLs at http://www.garykessler.net/library/forensicsurl.html.

Gary C. Kessler is an associate professor, Program Director of the Computer & Digital Forensics major, and Director of the Center for Digital Investigation at Champlain College in Burlington, Vermont. Champlain College offered one of the first undergraduate degree programs in digital forensics and cybercrime in the U.S., as well as the first digital forensics program to be offered completely online. Gary is a technical adviser to the Vermont Internet Crimes Against Children (ICAC) and Internet Crimes Task Forces, a member of the High Technology Crime Investigation Association (HTCIA) and High Tech Crime Consortium (HTCC), and on the editorial boards of the Journal of Digital Forensics Practice and the Journal of Digital Forensics, Security, and Law. He can be reached at gary.kessler@champlain.edu.

Last Updated ( Friday, 01 February 2008 )