Hiding in the Cloud: 4 Things You Didn’t Know About Computer Forensics

Crime scenes don’t always exist on the physical plane, here on Earth. Crime scenes don’t need blood spatter and bullet casings. Some of the biggest criminals ever convicted have been proven by evidence collected from deep within the collective memories of multitudes of silicon memory chips, out of sight, out of touch, yet extremely informative.


1. You can find it everywhere, across all kinds of cases.

In July 2013, five Russian hackers were caught after hacking into Visa, J.C. Penney & Co., JetBlue, Nasdaq and other major companies, ultimately stealing $300,000,000 from accounts. Each criminal had a certain expertise: two hacked into networks, one mined the opened networks for data, another built an anonymous web presence for cover, and the last one sold stolen credit cards, passwords and identity numbers and distributed the profits through a network of offshore banks. There were no witnesses.

In 2004, Scott Peterson was convicted of the murder of his wife Laci and their unborn child. The case was strengthened when his internet search history was shown to the jury, including searches for the purchase of a small boat (which he bought), boat launch locations (which he used), and San Francisco Bay tides (which were critical for disposing of a body). Scott claimed he was fishing on Christmas Eve, 2002, when his wife suddenly disappeared. Her body washed up in April.

Computer-stored child pornography, cyber bullying, blackmail, identity theft and an assortment of scams and cons are perpetrated by millions of keystrokes all over the world – every single day.


2. It encompasses a large range of techniques and devices.

Forensic computer analysis is the investigation and acquisition of computer-stored digital media using accepted forensic practices to identify, locate, recover, preserve, analyze and present evidentiary facts (and opinions about all of the discovered material). These digital files include all media such as text files, photographs, video, calendar entries, email and text messages, as well as trends found in media such as browser histories, credit card and banking records, telephone records, GPS data from smartphones, and almost any other computer-stored record.

While computer forensics uses many of the same tools as data recovery to find files when a computer is broken, damaged or corrupted, a forensic examination of a hard drive or other storage device also involves a lot of paperwork: creating logs and validating that what was recovered is an accurate copy of the original. Experts then create an evidence custody log and verify that the recovered data has not been altered by the process. The examination is generally done on an exact duplicate of the storage device in question, so that the original files are not changed, no new time stamps are added to opened files, and the arrangement of data is kept intact.
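The duplicate-and-validate step described above comes down to fingerprinting the original before anything touches it, working only on the copy, and re-checking the fingerprint each time the evidence changes hands. The following is an added example, not code from the original article or from any forensic tool vendor; it hashes a constructed stand-in for a disk image with SHA-256, keeps a simple custody log, and shows that a single flipped bit in the working copy is caught on verification. The image bytes, examiner names and log fields are assumptions for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a raw disk image: sample bytes, not real evidence.
ORIGINAL_IMAGE = b"\x00" * 512 + b"constructed sample evidence image" + b"\xff" * 512


def sha256_hex(data: bytes) -> str:
    """Fingerprint used to tie every custody-log entry to the exact bytes examined."""
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes, examiner: str) -> tuple:
    """Make a bit-for-bit working copy and open a custody log holding both hashes.

    Returns (working_copy, log). The examiner works on the copy only; the
    original's hash is the reference every later verification is checked against.
    """
    working_copy = bytes(original)
    log = [{
        "event": "acquired",
        "examiner": examiner,
        "time": datetime.now(timezone.utc).isoformat(),
        "sha256_original": sha256_hex(original),
        "sha256_copy": sha256_hex(working_copy),
    }]
    return working_copy, log


def verify(working_copy: bytes, log: list, examiner: str) -> bool:
    """Re-hash the working copy, append a verification entry, and report the match.

    A mismatch means the copy no longer reflects the original (tampering, disk
    error, or an examiner accidentally writing to it) and the log records that.
    """
    expected = log[0]["sha256_original"]
    actual = sha256_hex(working_copy)
    matched = actual == expected
    log.append({
        "event": "verified",
        "examiner": examiner,
        "time": datetime.now(timezone.utc).isoformat(),
        "sha256_copy": actual,
        "match": matched,
    })
    return matched


if __name__ == "__main__":
    copy, log = acquire(ORIGINAL_IMAGE, "examiner A")
    print("pristine copy matches original:", verify(copy, log, "examiner B"))

    # Simulate a single flipped bit somewhere in the working copy.
    tampered = bytearray(copy)
    tampered[600] ^= 0x01
    print("copy with one flipped bit matches:", verify(bytes(tampered), log, "examiner B"))

    for entry in log:
        print(entry)
```

Real examinations hash the physical device or image file rather than an in-memory buffer, and usually record two independent hashes (commonly MD5 and SHA-256) so a mismatch in either is enough to flag a problem; the structure of the log is the same.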


3. Computer evidence multiplies — and fast.

Computer files can be spread among servers all over the world. Evidence can be stored on personal computers, backup files, smartphones, and other devices. This means that information created on one computer might be backed up on another, attached to an email, stored in off-site storage servers like the ‘cloud’, or linked to a smartphone or tablet – all of these can be used to verify and validate the original files and provide pieces of the puzzle. The trail showing where the data went is contained on the host computer.

Erasing a file or a hard drive does not completely eliminate digital information. It may not be accessible through conventional methods, but the data making up a message, document, folder or other computer-created file can still be recovered. Erasing or trashing a file only removes the link to it from that computer's file listing, and until that area on the hard drive is overwritten by new data, it can still be read by specialized recovery software.
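To make the point concrete, here is an added example (not code from the original article and not a real filesystem implementation) that models a tiny disk as a directory table plus a zeroed data area. "Deleting" a file removes only its directory entry; the bytes stay put, and a signature-based carver, the technique recovery software uses, finds them again by their file-format headers and trailers. Once the region is overwritten, carving no longer recovers it. The sector size, offsets and the JPEG/PNG-shaped payloads are constructed assumptions for the example.

```python
from __future__ import annotations

SECTOR = 64  # assumed sector size for the toy disk

# Constructed payloads that start and end with real JPEG/PNG markers but are not
# valid images; the carver only needs the markers.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF example payload" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR example payload" + b"IEND\xaeB`\x82"

# (header, trailer) pairs the carver looks for; these are the genuine magic bytes.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def build_disk() -> tuple[bytearray, dict]:
    """Lay two files into a zeroed 512-byte disk and return (disk, directory)."""
    disk = bytearray(8 * SECTOR)
    directory = {}
    for name, blob, sector in (("photo.jpg", FAKE_JPEG, 1), ("logo.png", FAKE_PNG, 4)):
        offset = sector * SECTOR
        disk[offset:offset + len(blob)] = blob
        directory[name] = (offset, len(blob))  # the "access link" to the data
    return disk, directory


def delete(directory: dict, name: str) -> None:
    """Model an ordinary delete: drop the directory entry, leave the data alone."""
    del directory[name]


def overwrite(disk: bytearray, offset: int, length: int) -> None:
    """Model new data landing on the freed region (here: zeros)."""
    disk[offset:offset + length] = b"\x00" * length


def carve(disk: bytes) -> list[tuple[str, int, bytes]]:
    """Recover files by scanning raw bytes for known header/trailer signatures.

    Works without any directory information, which is exactly why carving
    recovers files whose entries were removed. Returns (kind, offset, bytes).
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = disk.find(head, pos)
            if start == -1:
                break
            end_marker = disk.find(tail, start + len(head))
            if end_marker == -1:
                break  # header without trailer: truncated, skip in this simple carver
            end = end_marker + len(tail)
            found.append((kind, start, bytes(disk[start:end])))
            pos = end
    return sorted(found, key=lambda item: item[1])


if __name__ == "__main__":
    disk, directory = build_disk()
    delete(directory, "photo.jpg")
    print("directory after delete:", sorted(directory))
    print("carved after delete:   ", [(k, off) for k, off, _ in carve(disk)])
    overwrite(disk, SECTOR, len(FAKE_JPEG))
    print("carved after overwrite:", [(k, off) for k, off, _ in carve(disk)])
```

Real carvers add size limits, handle formats without a fixed trailer, and deal with fragmented files, but the core loop of scanning for magic bytes independent of any filesystem metadata is the same.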

Some social sites keep records of your data in perpetuity. Closing your account does not let you eliminate your data. Putting information on social sites simply gives up your opportunity to control it.


4. Search warrants for digital evidence: the keys to the kingdom.

When a computer is suspected of containing data of interest to law enforcement, a search warrant will be issued. Generally, these warrants include notice to email servers, search engines, storage companies, banks, social media sites… all of these can provide information beyond your password.

Once a warrant is secured, the search may also include surveillance of a computer without the owner’s knowledge. Files being created by a suspect will also be updated on a mirrored computer drive overseen by investigators. Entry to your devices is quite simple; investigators can access all of your files if you are connected to a WiFi network. Most smartphones are always looking for WiFi networks to log onto, which opens the door to all of the data stored on that phone. And little programs sent to that phone can transfer control of it to the ‘hacker’, even when it goes out of range and attaches to another WiFi network.


Your Turn: What other kinds of digital evidence haven’t we covered in this article? Are you a cyber crime fighter with intriguing information on other cases? Let us know in the comments. We’d love to hear from you.
