Forensic Analysis of Computer Hard Drives

History

• The first organized hard drive forensic team started in 1984. The FBI Magnetic Media Program--later, the Computer Analysis and Response Team--shifted the focus on forensic analysis from a mere curiosity to an actual law enforcement function. Today, with increased cyber crime and terrorism, hard drive forensic analysis remains of peak interest to law enforcement agencies worldwide.

Considerations

• Hard drive and computer system forensics requires a number of careful steps to make a successful analysis. Forensic analysts are required to ensure their actions are legal according to all jurisdictions under which they fall. For example, obtaining a search warrant or the proper permission from a system owner is required to avoid prosecution under Federal Computer Crime Law.

  Preserving data and preventing hardware damage to the target system is a top priority for forensic analysts. Forensic tools, both hardware and software, provide fail-safe measures against data corruption and establish a chain of custody for the forensic analysis.

Misconceptions

• Some people view computer forensic analysis as invasive or sneaky. While the purpose of hard drive forensic examinations is to uncover hidden data or to detect illicit behavior, analysts must conduct their searches in a legal and ethical manner. Using the correct hardware and software tools according to established procedure, hard drive forensic analysis leaves the data unchanged and undamaged on the hard disk. Conducting a forensic audit of a system without permission or warrant is illegal and punishable with severe penalties in civil and criminal court.

Procedures and Tools

• Software and hardware forensic tools of the trade are essential to establishing a proper forensic chain of custody and ensuring data integrity. Common tools forensic analysts use include write blockers to prevent data corruption, data copiers that allow analysis of an exact copy of the data (preserving the original), software analysis suites, logging tools and data integrity mangers, and pattern matching programs that look for specific text in the binary data on the hard drive. Other specialized tools include applications to extract images from a drive, to decrypt encrypted files or to audit specific logs, such as Internet log files.

Legal Ramifications

• Forensic examinations are governed by many laws to ensure proper procedures are followed and to ensure privacy for innocent subjects. Common legal pitfalls for forensic examinations include a weak chain of custody (failure to adequately document who has the evidence at a given time), corrupted or mishandled data, bias and a failure to utilize proper tools correctly.

  A forensic analyst, like any good investigator, always must remain neutral, providing accurate and correct reports of the facts and withholding subjective judgment on the case.