In 2015 an Israeli corruption network integrated by police men and top prosecutors like Ruti David was uncovered while dropping and plating fake charges against citizens who paid or refused to pay bribery. When a key policeman, Ronal Fisher, was detained his cell phone was confiscated for further research, Fisher’s phone was encrypted and the Israeli police was unable, for a long time, to unencrypt the content harming the investigation and resulting in the soon release of corrupt officers. Here is where computer forensics come into the game in order to analyze and recover any information compatible with the evidence.
The aim of computer forensics is to reconstruct events in a device in order to collect evidence or traces of it to support or deny a claim before a court. That’s why the main task computer forensic agents do is to recover data, also deleted or encrypted data. The difference between the software used by a computer forensics agent and a regular user recovering lost data is the audit log documenting the procedure and events in a legally acceptable format, in some cases the agents record the whole process in video but the task itself is among the easiest since when we delete information from a hard disk we are not removing the data but marking the sector as free to store new information, until the new information doesn’t reach the disk sector the information can be restored, to avoid this we must wipe our data rather than just removing it.
Computer Forensics is even able to recover unsaved data stored in the RAM memory, that’s why there are tools to work on device images and on live sessions, this second method is known as Live Analysis and is the first step when the device to research is turned on.
More modern methods like Stochastic Forensics allow us to know if data was leaked by identifying timestaps related to an activity like copying a file, something impossible before since instructions like copying don’t leave traces in the system.
Computer forensics are in practice mainly about recovering and decrypting data but also allows to detect compromising elements within a system such as malwares, malicious code or hacking attacks against a device.
When the Argentinian prosecutor Alberto Nisman was murdered hours before being expected to present charges against the ex president, computer forensic agents found remote intrusive connections to his personal computer leading the investigation against his own computer aide.
Kali Linux, the most popular Linux distribution for security tasks comes with the most powerful and popular tools to carry out computer forensics tasks without need for previous knowledge. Since Kali can be launched as live cd/usb it is a great option to explore these tools I will present in the next article.
I hope you found this introduction to computer forensics useful. Keep following LinuxHint for more tutorials and updates on Linux.
