Computer forensics
== Forensic process ==
{{Main article|Digital forensic process}}
[[File:Portable_forensic_tableau.JPG|thumb|A portable Tableau [[Forensic disk controller|write blocker]] attached to a [[Hard disk drive|hard drive]]]]
Computer forensic investigations typically follow the standard digital forensic process, which consists of four phases: acquisition, examination, analysis, and reporting. Investigations are usually performed on static data (i.e., [[Disk imaging#Hard drive imaging|acquired images]]) rather than on "live" systems, so that the original media are not altered. This differs from early forensic practice, when a lack of specialized tools often forced investigators to work on live data.

=== Computer forensics lab ===
The computer forensics lab is a secure environment where electronic evidence can be preserved, managed, and accessed under controlled conditions, minimizing the risk that it is damaged or altered. It provides forensic examiners with the resources needed to extract meaningful data from the devices they examine.<ref>{{Cite web |title=Chapter 3: Computer Forensic Fundamentals - Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business Executives [Book] |url=https://www.oreilly.com/library/view/investigative-computer-forensics/9781118235225/OEBPS/9781118235225_epub_c03.htm |access-date=2022-03-04 |website=www.oreilly.com |language=en}}</ref>

=== Techniques ===
Various techniques are used in computer forensic investigations, including:
; Cross-drive analysis
: This technique correlates information (such as e-mail addresses or other identifiers) found on multiple [[Hard drive|hard drives]] and can be used to identify [[social networks]] or detect anomalies.<ref>{{Cite journal |last=Garfinkel |first=Simson L. 
|date=2006-09-01 |title=Forensic feature extraction and cross-drive analysis |journal=Digital Investigation |series=The Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS '06) |language=en |volume=3 |pages=71–81 |doi=10.1016/j.diin.2006.06.007 |issn=1742-2876 |doi-access=free}}</ref><ref>{{Cite journal |last1=David |first1=Anne |last2=Morris |first2=Sarah |last3=Appleby-Thomas |first3=Gareth |date=2020-08-20 |title=A Two-Stage Model for Social Network Investigations in Digital Forensics |url=https://dspace.lib.cranfield.ac.uk/bitstream/1826/15732/4/Two-Stage_Model_for_Social_Network_Investigations_in_Digital_Forensics-2020.pdf |journal=Journal of Digital Forensics, Security and Law |volume=15 |issue=2 |doi=10.15394/jdfsl.2020.1667 |issn=1558-7223 |s2cid=221692362 |doi-access=free}}</ref>
; Live analysis
: The examination of a computer from within its running operating system, using forensic or existing [[sysadmin tools]] to extract evidence. This is particularly useful for [[Encrypting File System|encrypting file systems]], where the encryption keys can be retrieved while the volume is still mounted, or for imaging the logical volume (a live acquisition) before the computer is shut down. Live analysis is also beneficial when examining networked systems or cloud-based devices that cannot be accessed physically.<ref>https://espace.curtin.edu.au/bitstream/handle/20.500.11937/93974/Adams%20RB%202023%20Public.pdf?sequence=1&isAllowed=y</ref>
; Deleted files
: A common forensic technique involves recovering deleted files. Most [[Operating system|operating systems]] and [[File system|file systems]] only mark a deleted file's space as free and do not erase the data until it is overwritten, allowing investigators to reconstruct it from the physical [[Disk sector|disk sectors]]. Forensic software can "carve" files by searching unallocated space for known file headers (and footers) and reassembling the data between them.
; [[Stochastic forensics]]
: This method leverages the stochastic properties of a system to investigate activities that leave no traditional digital artifacts; it is often useful in cases of [[data theft]].
; [[Steganography]]
: Steganography involves concealing data within another file, such as hiding illegal content within an image. Investigators can detect it by comparing the hash of a file with the hash of a known original copy, since any embedded data changes the hash value; this requires the original to be available and does not by itself reveal what was hidden.

=== Mobile device forensics ===
; Phone logs
: Phone companies typically retain logs of calls, which can help create timelines and establish where suspects were at the time of a crime.<ref name=":02"/>
; Contacts
: Contact lists are useful in narrowing down suspects based on their connections to the victim.<ref name=":02"/>
; Text messages
: Text messages carry timestamps and often remain on the carrier's servers, sometimes indefinitely, even after being deleted from the device. These records are valuable evidence for reconstructing communication between individuals.<ref name=":02"/>
; Photos
: Photos can provide critical evidence, supporting or disproving alibis by showing the location and time at which they were taken.<ref name=":02"/>
; Audio recordings
: Some victims may have recorded pivotal moments, capturing details such as the attacker's voice, which can provide crucial evidence.<ref name=":02"/>

=== Volatile data ===
Volatile data is data held in memory or in transit that is lost when the computer is powered down. It resides in locations such as CPU registers, caches, and RAM. The investigation of volatile data is referred to as "live forensics". When seizing evidence from a machine that is still running, data held only in [[Random access memory|RAM]] is lost unless it is recovered before the system is shut down. "Live analysis" can be used to capture RAM contents (e.g., with Microsoft's [[COFEE]] tool, WinDD, or [[WindowsSCOPE]]) before the machine is removed.
Tools like CaptureGUARD Gateway allow the acquisition of physical memory from a locked computer.{{Citation needed|reason=Add a source describing which versions of Windows CaptureGUARD can unlock and under which circumstances.|date=December 2020}} RAM contents can sometimes be recovered after power loss, because the electrical charge in memory cells dissipates gradually rather than instantly; the [[cold boot attack]] exploits this property. Lower temperatures slow the decay and increase the chance of recovery, but such techniques are often impractical in field investigations. Tools that extract volatile data often require the computer to be in a forensic lab to maintain the chain of evidence. In some cases a running desktop can be transported as-is, using a [[mouse jiggler]] to keep it from entering sleep mode and an [[uninterruptible power supply]] (UPS) to keep it powered. Page files (swap space) on file systems such as [[NTFS]] and [[ReiserFS]] hold memory pages that were written out to disk during operation and can also be examined to recover data that was in RAM.

=== Analysis tools ===
{{see also|List of digital forensics tools}}
Numerous open-source and commercial tools exist for computer forensics. Common forensic analysis includes manual review of media, Windows registry analysis, password cracking, keyword searches, and the extraction of e-mails and images. Tools such as [[Autopsy (software)|Autopsy]], [[Belkasoft Evidence Center X]], [[Forensic Toolkit]] (FTK), and [[EnCase]] are widely used in digital forensics.
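The "Deleted files" entry under Techniques and the extraction of images mentioned under Analysis tools both rest on file carving. As an added example (not code from the article or from any of the tools it names), the following Python script carves JPEG and PNG files out of a raw image by header/footer signature and validates each PNG candidate chunk by chunk, which is what stops a header left over from a partly overwritten file from being paired with a later file's footer. The sample "image" (zero-filled slack, a truncated PNG, an intact 1x1 PNG and a JFIF-style stand-in that is not a decodable picture), the two-entry signature table and the 16 MiB carve limit are all assumptions made for this example.

```python
"""Header/footer file carving over a raw disk image (added example, not article code)."""
import hashlib
import struct
import zlib
from typing import Callable, List, NamedTuple

MAX_CARVE = 16 * 1024 * 1024  # assumed limit: stop looking for a footer after this many bytes


def validate_png(data: bytes) -> bool:
    """Walk the chunk list checking every CRC; the candidate must end exactly at IEND."""
    off = 8  # skip the 8-byte PNG signature
    while off + 12 <= len(data):
        (length,) = struct.unpack(">I", data[off:off + 4])
        if off + 12 + length > len(data):
            return False
        ctype = data[off + 4:off + 8]
        body = data[off + 8:off + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        if zlib.crc32(ctype + body) != stored_crc:
            return False  # not a real chunk: corrupt data or slack after a truncated file
        if ctype == b"IEND":
            return off + 12 + length == len(data)
        off += 12 + length
    return False


def validate_jpeg(data: bytes) -> bool:
    """Cheap sanity check: the SOI marker must be followed by a marker in the 0xC0-0xFE range."""
    return len(data) > 4 and 0xC0 <= data[3] <= 0xFE


class Signature(NamedTuple):
    kind: str
    header: bytes
    footer: bytes
    validate: Callable[[bytes], bool]


# Two entries are enough to show the approach; real carvers carry much larger tables.
SIGNATURES = [
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", validate_png),
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", validate_jpeg),
]


class Carved(NamedTuple):
    kind: str
    offset: int
    data: bytes

    def sha256(self) -> str:
        """Digest recorded with the offset so the object can be reproduced from the image later."""
        return hashlib.sha256(self.data).hexdigest()


def carve(image: bytes, max_carve: int = MAX_CARVE) -> List[Carved]:
    """Return every validated header/footer pair found in the image, ordered by offset."""
    found = []
    for sig in SIGNATURES:
        pos = image.find(sig.header)
        while pos != -1:
            end = image.find(sig.footer, pos + len(sig.header), pos + max_carve)
            if end != -1:
                candidate = image[pos:end + len(sig.footer)]
                if sig.validate(candidate):
                    found.append(Carved(sig.kind, pos, candidate))
            pos = image.find(sig.header, pos + 1)  # overlapping candidates are allowed
    return sorted(found, key=lambda c: c.offset)


# --- constructed sample image -----------------------------------------------------
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


INTACT_PNG = (b"\x89PNG\r\n\x1a\n"
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))  # 1x1, 8-bit RGB
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + one red pixel
              + _png_chunk(b"IEND", b""))
TRUNCATED_PNG = INTACT_PNG[:33]  # signature + IHDR only: the rest was overwritten
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
SLACK = b"\x00" * 512
IMAGE = SLACK + TRUNCATED_PNG + SLACK + INTACT_PNG + SLACK + FAKE_JPEG + SLACK

if __name__ == "__main__":
    for item in carve(IMAGE):
        print(f"{item.kind}  offset={item.offset}  size={len(item.data)}  sha256={item.sha256()}")
```

Against the sample image the truncated PNG is discarded (its CRC walk fails as soon as it hits slack), while the intact PNG and the JPEG stand-in are carved at their offsets. To use it on a real acquisition, replace IMAGE with the bytes of a write-blocked image (a memory-mapped file for anything large) and log each carved object's offset and SHA-256 so the extraction can be reproduced from the image later.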
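The "Cross-drive analysis" entry under Techniques and the e-mail extraction mentioned under Analysis tools are illustrated by the following added example (not code from the article or from the cited papers). It pulls one feature type, e-mail addresses, out of each drive image with a regular expression, reports the addresses that occur on more than one drive, and counts the features each pair of drives shares, which are the edges of the social network the technique is meant to reveal. Addresses present on nearly every drive (a vendor support address, for instance) are dropped as noise; the 0.8 prevalence cut-off, the minimum of two drives and the four inline drive images are assumptions made for this example.

```python
"""Cross-drive analysis over e-mail addresses (added example, not article code)."""
import re
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Byte-level pattern so it can be run over raw images without decoding them first.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(image: bytes) -> Set[str]:
    """Return the distinct, lower-cased e-mail addresses found anywhere in the image."""
    return {m.group(0).decode("ascii", "replace").lower() for m in EMAIL_RE.finditer(image)}


def cross_drive(drives: Dict[str, bytes], min_drives: int = 2,
                max_prevalence: float = 0.8) -> Dict[str, List[str]]:
    """Map each correlated address to the sorted list of drives it occurs on.

    An address counts only if it is on at least `min_drives` drives and on no more
    than `max_prevalence` of all drives (assumed cut-off: ubiquitous addresses are noise).
    """
    index: Dict[str, Set[str]] = defaultdict(set)
    for name, image in drives.items():
        for email in extract_emails(image):
            index[email].add(name)
    limit = max_prevalence * len(drives)
    return {email: sorted(names) for email, names in index.items()
            if min_drives <= len(names) <= limit}


def drive_links(correlated: Dict[str, List[str]]) -> Dict[Tuple[str, str], int]:
    """Count shared features per drive pair: the edges of the social network."""
    links: Dict[Tuple[str, str], int] = defaultdict(int)
    for names in correlated.values():
        for a, b in combinations(names, 2):
            links[(a, b)] += 1
    return dict(links)


# --- constructed sample images (fragments of mail spools mixed with slack) -----------
_VENDOR = b"support@vendor-example.com"
DRIVES = {
    "drive_A": b"\x00" * 64 + b"From: alice@example.org\r\nTo: Bob@Example.org\r\n" + _VENDOR + b"\x00" * 64,
    "drive_B": b"mailto:bob@example.org\x00\xffcarol@example.org" + b"\x00" * 32 + _VENDOR,
    "drive_C": b"Reply-To: carol@example.org\n" + _VENDOR + b"\n" + b"dave@example.org",
    "drive_D": b"\x00" * 128 + b"eve@example.org " + _VENDOR + b"\x00" * 16,
}

if __name__ == "__main__":
    hits = cross_drive(DRIVES)
    for email, names in sorted(hits.items()):
        print(f"{email:28s} {', '.join(names)}")
    for (a, b), shared in sorted(drive_links(hits).items()):
        print(f"{a} <-> {b}: {shared} shared feature(s)")
```

On the sample drives the vendor address is found on all four and filtered out, leaving bob@example.org linking drive_A to drive_B and carol@example.org linking drive_B to drive_C; addresses seen on a single drive never reach the report. Other feature types (credit card numbers, phone numbers, hostnames) plug in by adding extractors alongside extract_emails, and on real images the per-drive feature sets should be computed once and cached, since the extraction pass is far more expensive than the correlation.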