It’s All About the Courtroom (F002)

A computer forensics investigator is responsible for solving computer crimes. Their job is to provide evidence and testify in court.

Their goal is to prove that a criminal is guilty or that somebody in a civil lawsuit did something wrong. The end game of an investigation is always to appear in court with solid evidence against the defendant.

The process itself is not complicated, but accuracy is paramount. You must understand a few key concepts:


For a computer forensics investigator, there is a right answer. You must follow a common process, which means that if two people are on the same case, they will end up with the same result every time. They will extract the same data, calculate the same hash values and come to the same conclusion based on the evidence. Here are a few things that happen:

Search Warrants

Most likely, if a person is suspected of doing something, their property won’t just be taken without a search warrant, so a prosecutor must go to the judge to obtain one. The warrant defines parameters and limits on what people can search for, what is in the scope of the investigation and other limits. If an investigator finds something outside of the scope, they may have to acquire a new warrant for a different investigation. For example, if I open documents looking for financial fraud and come across an image of child pornography whose name and extension have been changed, I can’t necessarily do or say anything about it.

Forensic Imaging

After a search warrant is obtained, imaging occurs. Imaging is the process of gathering original evidence. This is usually done by removing the hard drive from a suspect’s computer and using special tools to make a bit-by-bit image of everything on that drive. Many people think this is a copy of the drive, but technically it is duplicating the suspect’s device, so it counts as original data.


A hash is a mathematical algorithm that is run on a file and results in a fingerprint, just like the one we might take when we dip our fingers in ink and put them to paper. Every time a document has the exact same content, it will have the exact same hash. Generally, the hash is completely unique because it is unlikely that two pictures, text files or videos are bit-by-bit copies. However, in cases such as child pornography, the hash of discovered images is run against a database of known hashes, and if it is a match then we know what it is. A hash can be run on a file, folder, entire drive or the entire operating system.

Therefore, if the hash value changes, it is proof the evidence has been changed and the entire case may be thrown out of court.
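The check described above can be shown in a few lines. This is an added example, not code from the original article: it records a hash when an image is acquired, then re-verifies a faithful working copy and a copy with a single flipped bit. SHA-256, the file names and the sample data are assumptions constructed for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a whole-drive image never has to fit in memory


def hash_image(path, algorithm="sha256"):
    """Stream a file through the hash and return its hex digest (the 'fingerprint')."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(path, recorded_digest, algorithm="sha256"):
    """Re-hash the file and compare with the digest recorded at acquisition."""
    return hash_image(path, algorithm) == recorded_digest.strip().lower()


def demo():
    """Constructed sample data: an 'image', a faithful copy, and a copy with one flipped bit."""
    workdir = tempfile.mkdtemp()
    paths = {name: os.path.join(workdir, name + ".img")
             for name in ("evidence", "working_copy", "altered_copy")}  # hypothetical names

    data = bytes(range(256)) * 8192 + b"constructed sample, not real evidence"  # > 2 MiB
    altered = bytearray(data)
    altered[len(altered) // 2] ^= 0x01  # flip a single bit in the middle of the image

    for name, content in (("evidence", data), ("working_copy", data),
                          ("altered_copy", bytes(altered))):
        with open(paths[name], "wb") as handle:
            handle.write(content)

    recorded = hash_image(paths["evidence"])  # value written into the case notes at acquisition
    return {
        "recorded": recorded,
        "working_copy_ok": verify_image(paths["working_copy"], recorded),
        "altered_copy_ok": verify_image(paths["altered_copy"], recorded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The faithful copy verifies and the one-bit change does not, which is why two investigators working from the same image arrive at the same hash value.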