Analysis in computer forensics. The last step is analysis. The detailed review of the data begins when the investigator has finished the initial assessment and has an idea of the information being sought, such as spreadsheets, e-mails, an author, or a date range in which the document was produced. This information can be used to create search terms for the rest of the data.
Analysis In Computer Forensics
The forensic software’s primary task is handling the metadata and any nonstandard files, such as e-mail mailboxes, archive files, backup files, databases, scripts, and files created with software other than the company’s base software package.
Archive files, e-mail files, and registry data must be reviewed by comprehensive forensic software, which can preserve the integrity of the data while allowing the investigator to search and review the contents of an archive or zip file. Simply opening an archive file and reviewing its contents may destroy the file’s integrity or unleash a virus that can destroy other evidence.
Example:
In an initial assessment, the investigator may find that the subject has a spreadsheet in which the relevant information is referred to by initials rather than the full business name. For e-mail, there is no easy way to review the files without the risk of altering the metadata or compromising data integrity.
For example, an e-mail program may have a particular e-mail listed as “unread.” Once an investigator or auditor opens the e-mail for review, this tag will change, and so will any information the program may keep, such as received date, opened date, and reviewed date. Computer forensics programs solve this issue by breaking container files, such as mailboxes and archive files, into smaller components, like individual e-mails and associated attachments, for review and analysis while preserving data integrity.
The metadata contained within the computer file can be as crucial as the time and date stamps of the file captured by the operating system. The metadata of Excel workbooks and Word files can contain important information, such as who reviewed the document and what changes were made.
This information can be useful at trial and for determining who may be responsible for the fraud. Metadata reviews also can lead to new leads or lines of investigation to follow.
Suppose an auditor believes that a suspect might have used a previously mentioned device, such as a thumb drive. In that case, they should mention this to the computer forensics professional. The registry and log files of a Windows-based computer can be reviewed to determine if other devices were connected to the computer.
Final Thoughts
Examiners can respond to the forensic request once they have cycled through these steps a sufficient number of times. They are now in the Forensic Reporting stage. This is the stage at which examiners document their findings so that the requester can understand and apply them to the case. Although forensic reporting is beyond the scope of this article, its significance cannot be overstated. Examiners’ findings are best communicated to the requester through the final report.
Forensic reporting is critical because the forensic process is only as valuable as the information examiners provide to the requester. Following the reporting, the requester conducts case-level analysis, in which he or she interprets the findings in the context of the entire case (possibly in collaboration with examiners).
