Talk:Computer forensics: Difference between revisions

DrRisk13 (talk | contribs)
No edit summary
DrRisk13 (talk | contribs)
No edit summary
Line 180: Line 180:
What do others think?[[User:Simsong|Simsong]] ([[User talk:Simsong|talk]]) 19:57, 6 September 2008 (UTC)
What do others think?[[User:Simsong|Simsong]] ([[User talk:Simsong|talk]]) 19:57, 6 September 2008 (UTC)


I agree 100%. In fact the article mentions non-computer related digital equipment such as Obvious sources include computers, cell phones, digital cameras, black boxes, and so on.--[[User:DrRisk13|DrRisk13]] ([[User talk:DrRisk13|talk]]) 13:57, 11 October 2008 (UTC)
I agree 100%. In fact the article mentions non-computer related digital equipment such as Obvious sources include computers, cell phones, digital cameras, black boxes, and so on.--[[User:DrRisk13|DrRisk13]] ([[User talk:DrRisk13|talk]]) 13:59, 11 October 2008 (UTC)

Revision as of 13:59, 11 October 2008

WikiProject Law Enforcement (Start-class)
This article is within the scope of WikiProject Law Enforcement. Please Join, Create, and Assess.
This article has been rated as Start-class on Wikipedia's content assessment scale.
This article has not yet received a rating on the importance scale.


Probably shouldn't be merged

Computer forensics is an emerging discipline, but there are colleges that offer computer forensics alone as a major. Therefore, as a unique field of study, I believe that it is worth a whole wikipedia article

68.20.26.58 04:14, 28 August 2007 (UTC)[reply]


Plagiarism alert

[1]

So, who's ripped off who here? The copyright date suggests he's ripped off us.


Chassis to Case

Would anyone care if chassis is changed to case or maybe terminal? I can't say I've ever heard a computer case called a chassis.

worldtravller

I wouldn't call it a terminal - too ambiguous. If chassis is not acceptable, then case would be ok imo, but what's wrong with chassis - it's perfectly clear.

Try BaseUnit or data store 82.33.11.157 20:53, 11 June 2006 (UTC)jago25_98[reply]

Not that it matters much since the current iteration of this article is in question, however, I think using "chassis" is perfectly fine. Thomas Matthews 05:48, 16 August 2006 (UTC)[reply]

To my mind a chassis is what a machine is built on and holds a structure together, like the chassis of a vehicle, and a case is what covers the machine. So to me there is a slight difference. Ron Barker Ron Barker 10:28, 27 May 2007 (UTC)[reply]

Routing and serving hardware of the 'blade' variety have the blades in a chassis. To me the connotations are a bit more structural than the usual 'personal' computer case, so I understand the objection. Style or taste question? 85.178.102.243 00:18, 19 September 2007 (UTC)[reply]

Informative article or guide?

This entry reads more like a how-to guide for the aspiring forensic analyst than an explanatory article about the subject. There's no background, history, examples of where such issues have arisen and been applied, etc.

That was exactly my thought - this is not an encyclopedia article. It is also very PC centric, with no mention of Mac, Linux, servers or printers. The forensics sections of Laser printer and Computer printer should be moved here, expanded and compared to the section in Typewriter. Scanners should also be mentioned. --Gadget850 19:22, 19 October 2005 (UTC)[reply]
Agreed. This needs editing by someone who knows the subject in a way that keeps the content, which is great, but adjusts the tone to make it more encyclopedic. Are the original editors still hanging around the article I wonder? Coyote-37 14:31, 21 October 2005 (UTC)[reply]

It's not encyclopedia material at all, it should be moved to wikibooks. A wikibook howto on computer forensics would be perfect for this material. Night Gyr 09:51, 5 November 2005 (UTC)[reply]

I concur --Gadget850 11:19, 5 November 2005 (UTC)[reply]
It definitely needs work on stuffy wording and removing gratuitous vendor references. E.g. the vendor mention next to the first occurrence of crypto filesystems is completely gratuitous. I would favour extracting a vendor-free overview with 'function' items and moving platform specific addressing of the items to their own sections. Also, it can probably be edited down to half the volume for the same content. 85.178.102.243 00:26, 19 September 2007 (UTC)[reply]

Prevention

How about information about how to make it as difficult as possible for someone to recover such information.

   I would recommend creating a separate article under the title Anti-Forensics, and providing a link.


It would be more applicable for the article to be forensic formatting or data recovery prevention as these are a more technical description. Anti-Forensics sounds a bit made up. —Preceding unsigned comment added by 172.189.101.180 (talk) 17:26, 14 November 2007 (UTC)[reply]

External links

Many seem to confuse WP with a web directory. I checked the external links section, and here's my opinion. These are commercial link and pretty useless in this context (some disguise that fact better than others).

  • www.sectorforensics.co.uk Computer Forensics Investigators
  • www.forensicexams.org is a portal for computer forensic examiners to share information and ideas.
  • www.infosecinstitute.com/courses/computer_forensics_training.html InfoSec Institute Computer Forensics Training Hands on training and certification
  • df.intelysis.com Intelysis Corp. Canada's Leading Digital Forensics Firm
  • www.tkmtechnologies.com TKM Technologies Computer forensics company with news and articles
  • www.data-recovery-reviews.com/computer-forensics-training.htm Computer forensics training What is computer forensics?
  • www.ibasuk.com Ibas UK Computer Forensics Computer forensics company
  • www.securestandard.com/Incident_Handling/Forensics SecureStandard Directory of forensics whitepapers.
  • www.ecodatarecovery.com/forensic.html Forensic Investigation: Who needs forensics?
  • www.forensical.com Computer Forensics Investigations
  • www.securityuniversity.net/classes_anti-hacking_forensics.php Anti-Hacking for Computer Forensics
  • www.krollontrack.com/ Kroll Ontrack (Computer Forensics company)
  • www.t3i.com/services/Information-Forensics/infoforensics.asp T3i (Computer Forensics company)
  • www.silverseal.net/computerForensics.htm SilverSEAL Corporation Computer Forensics Investigations

Here's a bunch that could be useful if the sites were not way too small:

  • www.forensicfocus.com Forensic Focus Computer forensics news, information and community
  • www.computerforensicsworld.com Computer Forensics World Community of computer forensic professionals
  • computer-forensics.safemode.org Computer Forensics Wiki

These could be sort of useful, but neither looks like a must-have:

  • www.bleepingcomputer.com/forums/tutorial24.html Windows Forensics: Have I been Hacked?
  • www.forensics.nl Forensics.nl Forensics Research, Tools and Presentations

So I basically nuked the complete external links section and renamed "Other Sources of Reading" to "External links". Algae 17:18, 20 December 2005 (UTC)[reply]

  • www.forensicswiki.org
  • www.computerlegalexperts.com (Computer Forensics / Computer Expert Witness Services) - Personal note: Computerlegalexperts.com does perform Pro Bono work for the community.

Unreferenced

I've slapped an unreferenced tag in the article because it reads like a DIY manual, and there is only one reference - to an article about breaking hash functions. Please cite your sources. Thanks. -- zzuuzz (talk) 23:01, 4 April 2006 (UTC)[reply]

This is one of the most dreadful articles I have ever read on Wikipedia. It is factually incorrect and misleading.

It would be useful if you could briefly explain which parts are inaccurate/misleading, so that they can be properly checked and removed if necessary.
66.227.95.240 18:52, 8 November 2006 (UTC)[reply]
I'm an expert in this area and will consider cleaning this up.Simsong (talk) 04:36, 6 July 2008 (UTC)[reply]

Software

Moved to discussion. There are COUNTLESS software products for CF. Every vendor that pops along is now adding their product in here. It is getting way out of hand, and wiki is NOT a directory of software.

I have therefore shifted the current ruck of product to this page. If we left it, it would get longer and longer and longer, and eventually consume the article, becoming a random directory of questionable commercial tools.

Shutdown directions

The table recommending different shutdown procedures seems to be made up, there's no references or any of the like. Naturally there are reasons for and against pulling the plug vs. shutting down, but none of them are introduced. However, listening to all the best practices I have heard (i.e. forensics experts live or in web discussions, police instructions) there really is no reason to not pull the plug with any modern file system. This seems like a hobby project of someone. Nice at that, but not too expertly informed and definitely not encyclopedic. --Tmh 16:45, 10 January 2007 (UTC)[reply]

Agreed, the table really stands out as a poor data set in this article. Many of the references in the section are no longer considered accurate or desirable (such as changing data on hard drives should be avoided at all costs). I have committed a major change to that section to attempt to remove most of the "how to" steps and just cover the general facts in an encyclopedic form. Rurik 15:34, 11 January 2007 (UTC)[reply]

Article

Article makes no mention of;

  • MRU lists.
  • Search with a text string.

Some software maybe can export evidence reports to HTML or PDF. Some software maybe can have "skin color" detection, to detect humans in image files on the disks.

No mention of CBIR (Content Based Image Retrieval)

Merge

I just wanted to comment on this idea, as mooted today. I think it is a particularly bad one. The tool list is taking no harm away on its own. Bring in here and the problem of link spamming will multiply. We are fairly clean at present.

If people want to see a chunk of links to software, they can simply hop to that page. Why bring it in here, which is primarily an information page? It makes no sense from a practical viewpoint, as far as I can see.


That is an option but they are two different topics and it would be practical but silly because they are separate subjects and need separate pages.

Anyone actually know the subject?

Is anyone who actually works with computer forensics involved in this article? It reads a lot like someone just guessing. Also a complete lack of references. --Apoc2400 04:58, 19 March 2007 (UTC)[reply]


Yes. I work in computer forensics, and I was responsible for this comment: "This is one of the most dreadful articles I have ever read on Wikipedia. Is is factually incorrect and misleading.". I'm glad that other people appear to agree with me.

After over a year since I did some clean up, I'm going to try and clean this up even more. I removed all of the e-mail sections just now, as they do not fit into the overall focus of computer forensics. There are many areas like email that are, or were, explained in too much depth and should be trimmed heavily back. --edit-- just realized I misspelled the edit a bit, s/now/not Rurik (talk) 15:53, 29 March 2008 (UTC)[reply]
I know a little, (from an amateur interest in file systems and hardware), enough to sift out some chaff today. Still needs work though, much redundancy remains. On focus: the topic is fairly general, (I see it as related to reverse engineering and honorable hacking, of interest and use to most computer experts), but the current article seems biased in favor of its admittedly important law enforcement applications, as though it were an advocacy tract for an emerging professional subclass. It's better we describe what's out there, not professional ideals, hopes, or what "should be". --AC (talk) 06:53, 1 May 2008 (UTC)[reply]
I have a PhD in this area. We also run a wiki devoted to this subject (http://www.forensicswiki.org/). My feeling is that this entry should be edited down and much of the content moved there. Simsong (talk) 04:37, 6 July 2008 (UTC)[reply]

Overwriting deleted files on a hard drive

I have seen a lot of forensic science shows in which investigators were able to recover deleted data from hard drives. Wouldn't a countermeasure be to write a small program to continue appending to a file until all free disk space was used up? A two- or three-line batch file could easily accomplish this with the copy command. What do you think? 71.63.88.166 02:01, 29 October 2007 (UTC)[reply]

There are many such programs. For real-time action on *nix systems, one could link 'rm' to srm, albeit at the cost of some system speed.--AC (talk) 08:53, 7 June 2008 (UTC)[reply]

To prevent recovery it's best to overwrite every single bit of the hard drive at least 8 times, which still doesn't completely guarantee safety. In military cases this is usually done in the 1000s. This can be applied to single files as well but depending on the file system backups can still exist. —Preceding unsigned comment added by 172.189.101.180 (talk) 17:30, 14 November 2007 (UTC)[reply]

That might be the computer forensics equivalent of the Y2K scare. There's little evidence that multiple overwrites are necessary for deletion, or that reading overwritten data is feasible. Daniel Feenberg's Can Intelligence Agencies Read Overwritten Data? A response to Gutmann. provides a skeptical overview. --AC (talk) 08:53, 7 June 2008 (UTC)[reply]
A bigger problem is the spare sectors on the hard drives. They are handled automagically by the disks, when a data sector cannot be rewritten without ECC errors. So even if every - visible - sector is overwritten, there may be untouched spare sectors remaining with original data. --Zyxxel (talk) 20:27, 29 June 2008 (UTC)[reply]
There are two kinds of spare sectors: those that have been used, and those that haven't. "Untouched spare sectors" would be the second kind, and therefore contain no user data, while spares in use would be overwritten. Therefore spare sectors would not be a problem.
Perhaps you meant sectors that went bad and were replaced by spares. Bad sectors would tend to be hard to read, if they're not already unreadable. If it were possible to restore or copy them, (with something like spinrite let's say), they'd be somewhat randomly distributed and it's unclear whether there'd be enough of them to be useful, though in theory any sector might hold some crucial password. On the other hand, if something like 'spinrite' could read and restore those, it follows that a similar method could overwrite them as well; perhaps some util already does that? --AC (talk) 07:10, 4 July 2008 (UTC)[reply]
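Added example, not part of this discussion or of Wikipedia's article: a toy Python model of a block device with a small spare-sector pool and a minimal file system on top of it. It demonstrates the three points traded above from an examiner's perspective: a deleted file's sectors stay carvable until something overwrites them, filling free space (the "append until the disk is full" idea) clears every host-visible sector, and a sector the firmware has already remapped to a spare is never reached by that wipe. The sector sizes, the `ToyDisk`/`ToyFS` classes and the assumption that a retired physical sector can still be read by some out-of-band method (the part AC contests) are all constructed for illustration and do not model any real drive.

```python
"""Toy block device with a spare pool plus a minimal file system (constructed
for illustration only; real drives, file systems and remap logic differ).
"""
SECTOR_SIZE = 16
VISIBLE_SECTORS = 8     # LBAs the host can address
SPARE_SECTORS = 2       # reserved pool the firmware remaps into


class ToyDisk:
    def __init__(self):
        # physical media: visible sectors first, then the spare pool
        self.media = [bytearray(SECTOR_SIZE)
                      for _ in range(VISIBLE_SECTORS + SPARE_SECTORS)]
        self.remap = {}                 # logical LBA -> physical spare index
        self.next_spare = VISIBLE_SECTORS

    def _phys(self, lba):
        return self.remap.get(lba, lba)

    def write(self, lba, data):
        self.media[self._phys(lba)][:] = data.ljust(SECTOR_SIZE, b"\x00")

    def read(self, lba):
        return bytes(self.media[self._phys(lba)])

    def mark_bad_and_remap(self, lba):
        """Simulated firmware action: copy a flaky sector to a spare and route
        all future host I/O there. The old physical sector is no longer
        addressable by LBA. Assumption for this model: it remains readable
        out-of-band, which is exactly what the thread disputes."""
        spare = self.next_spare
        self.next_spare += 1
        self.media[spare][:] = self.media[self._phys(lba)]
        self.remap[lba] = spare


class ToyFS:
    """Directory = name -> list of LBAs; free list = unallocated LBAs."""
    def __init__(self, disk):
        self.disk = disk
        self.dir = {}
        self.free = list(range(VISIBLE_SECTORS))

    def create(self, name, data):
        chunks = [data[i:i + SECTOR_SIZE] for i in range(0, len(data), SECTOR_SIZE)]
        lbas = [self.free.pop(0) for _ in chunks]
        for lba, chunk in zip(lbas, chunks):
            self.disk.write(lba, chunk)
        self.dir[name] = lbas

    def delete(self, name):
        # Ordinary unlink: only the directory entry goes; the sectors return
        # to the free list with their contents untouched.
        self.free.extend(self.dir.pop(name))

    def wipe_free_space(self, pattern=b"\x00"):
        # Same effect as filling the disk with a junk file: every free LBA
        # is overwritten through the normal host path.
        for lba in self.free:
            self.disk.write(lba, pattern * SECTOR_SIZE)


def carve(disk, needle):
    """Examiner's view: scan every host-visible LBA for a byte string."""
    return [lba for lba in range(VISIBLE_SECTORS) if needle in disk.read(lba)]


def raw_media_scan(disk, needle):
    """Scan all physical sectors, spare pool included (a hypothetical
    vendor-level or chip-off read in this model)."""
    return [i for i, s in enumerate(disk.media) if needle in bytes(s)]


def demo():
    """Delete, carve, wipe free space, carve again."""
    disk = ToyDisk()
    fs = ToyFS(disk)
    fs.create("secret.txt", b"PASSWORD=hunter2")   # constructed 16-byte sample
    fs.delete("secret.txt")
    after_delete = carve(disk, b"hunter2")          # still present on LBA 0
    fs.wipe_free_space()
    after_wipe = carve(disk, b"hunter2")            # nothing left to carve
    return after_delete, after_wipe


def demo_remap():
    """Same sequence, but the firmware retires LBA 0 before the delete."""
    disk = ToyDisk()
    fs = ToyFS(disk)
    fs.create("secret.txt", b"PASSWORD=hunter2")
    disk.mark_bad_and_remap(0)
    fs.delete("secret.txt")
    fs.wipe_free_space()
    # host-visible carve finds nothing; the retired physical sector 0 still holds it
    return carve(disk, b"hunter2"), raw_media_scan(disk, b"hunter2")


if __name__ == "__main__":
    print("delete/wipe:", demo())        # ([0], [])
    print("with remap: ", demo_remap())  # ([], [0])
```

The model takes no position on whether a retired sector is actually recoverable; it only makes concrete why a free-space fill run from the host can never touch it. In practice that is the argument for relying on the drive's own sanitize commands or physical destruction rather than host-side overwrites when the requirement is strict.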


Forensic examination is not limited to law enforcement

The big mistake in the current world is that the word "forensic" limits the topic to evidence preservation for law enforcement purposes! There are many examples in the digital world of forensic activities which do not relate to the matter of law enforcement.

Rather, forensic techniques are often used within the digital world to establish why a process failed (or succeeded) so that appropriate changes can be effected. Forensic techniques are also used for data recovery, a process that frequently (more often than not) has nothing to do with "evidence" preservation; rather it is data preservation.

Further, if one examines those sciences which use their knowledge to recover knowledge of the past you will find that their techniques are forensically correct; anthropology being a good example.

Let us first understand the basic term of forensics before we try to describe its inner workings!

Bob (talk) 13:09, 7 June 2008 (UTC)[reply]

I completely agree and that's why stuff is being removed. Simsong (talk) 05:30, 10 July 2008 (UTC)[reply]
While I agree that many people use "forensic techniques" the definition of forensics is "science applied for a legal purpose." I mean, Data recovery professionals use a lot of the same programs/techniques, but it's not really "forensics." I may be splitting hairs here though. I agree that a major re-write is needed though. While the data recovery article needs help too...I think it can help make this one better. Wikiwikikid (talk) 21:14, 18 August 2008 (UTC)[reply]

This page should be renamed Digital Forensics

Currently the page Digital Forensics redirects to this page Computer Forensics. I think that it should go the reverse way. The research community really seems to be standardizing on the "Digital Forensics" term as being more inclusive.

What do others think?Simsong (talk) 19:57, 6 September 2008 (UTC)[reply]

I agree 100%. In fact the article mentions non-computer related digital equipment, such as "Obvious sources include computers, cell phones, digital cameras, black boxes, and so on."--DrRisk13 (talk) 13:59, 11 October 2008 (UTC)[reply]