Talk:Computer forensics
From Wikipedia, the free encyclopedia
Probably shouldn't be merged
Computer forensics is an emerging discipline, but there are colleges that offer computer forensics alone as a major. Therefore, as a unique field of study, I believe that it is worth a whole Wikipedia article.
68.20.26.58 04:14, 28 August 2007 (UTC)
Plagiarism alert
So, who's ripped off whom here? The copyright date suggests he's ripped off us.
Chassis to Case
Would anyone care if chassis is changed to case or maybe terminal? I can't say I've ever heard a computer case called a chassis.
worldtravller
I wouldn't call it a terminal - too ambiguous. If chassis is not acceptable, then case would be ok imo, but what's wrong with chassis - it's perfectly clear.
Try BaseUnit or data store 82.33.11.157 20:53, 11 June 2006 (UTC)jago25_98
Not that it matters much since the current iteration of this article is in question, however, I think using "chassis" is perfectly fine. Thomas Matthews 05:48, 16 August 2006 (UTC)
To my mind a chassis is what a machine is built on and what holds a structure together, like the chassis of a vehicle, and a case is what covers the machine. So to me there is a slight difference. Ron Barker 10:28, 27 May 2007 (UTC)
Routing and serving hardware of the 'blade' variety have the blades in a chassis. To me the connotations are a bit more structural than the usual 'personal' computer case, so I understand the objection. Style or taste question? 85.178.102.243 00:18, 19 September 2007 (UTC)
Informative article or guide?
This entry reads more like a how-to guide for the aspiring forensic analyst than an explanatory article about the subject. There's no background, history, examples of where such issues have arisen and been applied, etc.
- That was exactly my thought; this is not an encyclopedia article. It is also very PC-centric, with no mention of Mac, Linux, servers or printers. The forensics sections of Laser printer and Computer printer should be moved here, expanded and compared to the section in Typewriter. Scanners should also be mentioned. --Gadget850 19:22, 19 October 2005 (UTC)
- Agreed. This needs editing by someone who knows the subject in a way that keeps the content, which is great, but adjusts the tone to make it more encyclopedic. Are the original editors still hanging around the article I wonder? Coyote-37 14:31, 21 October 2005 (UTC)
It's not encyclopedia material at all, it should be moved to wikibooks. A wikibook howto on computer forensics would be perfect for this material. Night Gyr 09:51, 5 November 2005 (UTC)
- I concur --Gadget850 11:19, 5 November 2005 (UTC)
- It definitely needs work on stuffy wording and removal of gratuitous vendor references. E.g. the vendor mention next to the first occurrence of crypto filesystems is completely gratuitous. I would favour extracting a vendor-free overview with 'function' items and moving platform-specific addressing of the items to their own sections. Also, it can probably be edited down to half the volume for the same content. 85.178.102.243 00:26, 19 September 2007 (UTC)
Prevention
How about information about how to make it as difficult as possible for someone to recover such information?
I would recommend creating a separate article under the title Anti-Forensics, and providing a link.
It would be more applicable for the article to be forensic formatting or data recovery prevention as these are a more technical description. Anti-Forensics sounds a bit made up. —Preceding unsigned comment added by 172.189.101.180 (talk) 17:26, 14 November 2007 (UTC)
External links
Many seem to confuse WP with a web directory. I checked the external links section, and here's my opinion. These are commercial links and pretty useless in this context (some disguise that fact better than others).
- www.sectorforensics.co.uk Computer Forensics Investigators
- www.forensicexams.org is a portal for computer forensic examiners to share information and ideas.
- www.infosecinstitute.com/courses/computer_forensics_training.html InfoSec Institute Computer Forensics Training Hands on training and certification
- df.intelysis.com Intelysis Corp. Canada's Leading Digital Forensics Firm
- www.tkmtechnologies.com TKM Technologies Computer forensics company with news and articles
- www.data-recovery-reviews.com/computer-forensics-training.htm Computer forensics training What is computer forensics?
- www.ibasuk.com Ibas UK Computer Forensics Computer forensics company
- www.securestandard.com/Incident_Handling/Forensics SecureStandard Directory of forensics whitepapers.
- www.ecodatarecovery.com/forensic.html Forensic Investigation: Who needs forensics?
- www.forensical.com Computer Forensics Investigations
- www.securityuniversity.net/classes_anti-hacking_forensics.php Anti-Hacking for Computer Forensics
- www.krollontrack.com/ Kroll Ontrack (Computer Forensics company)
- www.t3i.com/services/Information-Forensics/infoforensics.asp T3i (Computer Forensics company)
- www.silverseal.net/computerForensics.htm SilverSEAL Corporation Computer Forensics Investigations
Here's a bunch that could be useful if the sites were not way too small:
- www.forensicfocus.com Forensic Focus Computer forensics news, information and community
- www.computerforensicsworld.com Computer Forensics World Community of computer forensic professionals
- computer-forensics.safemode.org Computer Forensics Wiki
These could be sort of useful, but neither looks like a must-have:
- www.bleepingcomputer.com/forums/tutorial24.html Windows Forensics: Have I been Hacked?
- www.forensics.nl Forensics.nl Forensics Research, Tools and Presentations
So I basically nuked the complete external links section and renamed "Other Sources of Reading" to "External links". Algae 17:18, 20 December 2005 (UTC)
- www.forensicswiki.org
- www.computerlegalexperts.com (Computer Forensics / Computer Expert Witness Services) - Personal note: Computerlegalexperts.com does perform Pro Bono work for the community.
Unreferenced
I've slapped an unreferenced tag in the article because it reads like a DIY manual, and there is only one reference - to an article about breaking hash functions. Please cite your sources. Thanks. -- zzuuzz (talk) 23:01, 4 April 2006 (UTC)
This is one of the most dreadful articles I have ever read on Wikipedia. It is factually incorrect and misleading.
- It would be useful if you could briefly explain which parts are inaccurate/misleading, so that they can be properly checked and removed if necessary.
- 66.227.95.240 18:52, 8 November 2006 (UTC)
Software
Moved to discussion. There are COUNTLESS software products for CF. Every vendor that pops along is now adding their product in here. It is getting way out of hand, and wiki is NOT a directory of software.
I have therefore shifted the current ruck of products to this page. If we left it, it would get longer and longer and longer, and eventually consume the article, becoming a random directory of questionable commercial tools.
- Encase EnCase Forensic by Guidance Software.
- ILook ILook Investigator by Department of the Treasury.
- The Sleuth Kit Open source disk and file system analysis software.
- Open Source Forensics Reference site with lists of open source analysis tools.
- Forensic Toolkit Forensic Toolkit by Access Data.
- EMail Detective Forensic Software by Hot Pepper Technology.
- Helix Live Linux CD Incident Response & Forensics tools including Autopsy and The Sleuth Kit by E-Fense
- Windows Forensic Toolchest (WFT) Live Incident Response & Forensics tool for Windows by Fool Moon Software
- Webtracer Webtracer, forensic analysis of internet resources, by 4IT.
- X-Ways Forensics commercial software
Shutdown directions
The table recommending different shutdown procedures seems to be made up; there are no references or any of the like. Naturally there are reasons for and against pulling the plug vs. shutting down, but none of them are introduced. However, listening to all the best practices I have heard (i.e. forensics experts live or in web discussions, police instructions), there really is no reason not to pull the plug with any modern file system. This seems like a hobby project of someone. Nice at that, but not too expertly informed and definitely not encyclopedic. --Tmh 16:45, 10 January 2007 (UTC)
Agreed, the table really stands out as a poor data set in this article. Many of the references in the section are no longer considered accurate or desirable (such as changing data on hard drives should be avoided at all costs). I have committed a major change to that section to attempt to remove most of the "how to" steps and just cover the general facts in an encyclopedic form. Rurik 15:34, 11 January 2007 (UTC)
Article
Article makes no mention of:
- MRU lists.
- Search with a text string.
Some software may be able to export evidence reports to HTML or PDF. Some software may have "skin colour" detection, to detect humans in image files on the disks.
No mention of CBIR (Content Based Image Retrieval)
Merge
I just wanted to comment on this idea, as mooted today. I think it is a particularly bad one. The tool list is taking no harm away on its own. Bring in here and the problem of link spamming will multiply. We are fairly clean at present.
If people want to see a chunk of links to software, they can simply hop to that page. Why bring it in here, which is primarily an information page? It makes no sense from a practical viewpoint, as far as I can see.
That is an option, but they are two different topics, and it would be practical but silly because they are separate subjects and need separate pages.
Anyone actually know the subject?
Is anyone who actually works with computer forensics involved in this article? It reads a lot like someone just guessing. Also a complete lack of references. --Apoc2400 04:58, 19 March 2007 (UTC)
Yes. I work in computer forensics, and I was responsible for this comment: "This is one of the most dreadful articles I have ever read on Wikipedia. It is factually incorrect and misleading." I'm glad that other people appear to agree with me.
- After over a year since I did some clean up, I'm going to try and clean this up even more. I removed all of the e-mail sections just now, as they do not fit into the overall focus of computer forensics. There are many areas like email that are, or were, explained in too much depth and should be trimmed heavily back. --edit-- just realized I misspelled the edit a bit, s/now/not Rurik (talk) 15:53, 29 March 2008 (UTC)
- I know a little, (from an amateur interest in file systems and hardware), enough to sift out some chaff today. Still needs work though, much redundancy remains. On focus: the topic is fairly general, (I see it as related to reverse engineering and honorable hacking, of interest and use to most computer experts), but the current article seems biased in favor of its admittedly important law enforcement applications, as though it were an advocacy tract for an emerging professional subclass. It's better we describe what's out there, not professional ideals, hopes, or what "should be". --AC (talk) 06:53, 1 May 2008 (UTC)
Overwriting deleted files on a hard drive
I have seen a lot of forensic science shows in which investigators were able to recover deleted data from hard drives. Wouldn't a countermeasure be to write a small program to continue appending to a file until all free disk space was used up? A two- or three-line batch file could easily accomplish this with the copy command. What do you think? 71.63.88.166 02:01, 29 October 2007 (UTC)
- There are many such programs. For real-time action on *nix systems, one could link 'rm' to srm, albeit at the cost of some system speed.--AC (talk) 08:53, 7 June 2008 (UTC)
To prevent recovery it's best to overwrite every single bit of the hard drive at least 8 times, which still doesn't completely guarantee safety. In military cases this is usually done in the 1000s. This can be applied to single files as well, but depending on the file system, backups can still exist. —Preceding unsigned comment added by 172.189.101.180 (talk) 17:30, 14 November 2007 (UTC)
- That might be the computer forensics equivalent of the Y2K scare. There's little evidence that multiple overwrites are necessary for deletion, or that reading overwritten data is feasible. Daniel Feenberg's Can Intelligence Agencies Read Overwritten Data? A response to Gutmann. provides a skeptical overview. --AC (talk) 08:53, 7 June 2008 (UTC)
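The thread above turns on two points a forensic practitioner would want to see rather than argue about: that an ordinary deletion leaves the file's bytes on disk where a signature carve (the technique behind "recovered deleted data" on those shows) finds them, and that a single overwrite of the unallocated sectors is what removes them from a software-level carve. The following is an added illustration, not part of this talk page or of any tool named in it. It models a disk as an in-memory byte array with a constructed allocation bitmap, stores two constructed stand-ins for JPEG files (real SOI/EOI markers around a labelled payload), "deletes" one by clearing only its bitmap entries, carves the raw bytes, then does one zero-fill pass over unallocated sectors and carves again. It models only software recovery from the raw bytes, which is the level the batch-file and srm suggestions operate at; the hardware-level question the Feenberg reference discusses is outside what it shows.

```python
"""Constructed toy disk image: ordinary deletion leaves bytes in place,
a signature carve recovers them, one overwrite pass removes them."""

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker every JPEG begins with
JPEG_EOI = b"\xff\xd9"       # end-of-image marker that closes a JPEG


def make_image(sectors=64):
    """Constructed blank disk: zero-filled bytes plus an allocation bitmap."""
    return bytearray(sectors * SECTOR), [False] * sectors


def write_file(image, bitmap, start, data):
    """Store data at sector `start` and mark its sectors allocated; returns sector count."""
    n = -(-len(data) // SECTOR)  # ceiling division: sectors needed
    if any(bitmap[start:start + n]):
        raise ValueError("sectors already allocated")
    image[start * SECTOR:start * SECTOR + len(data)] = data
    for s in range(start, start + n):
        bitmap[s] = True
    return n


def delete_file(bitmap, start, n):
    """Ordinary deletion: only the allocation record changes; the bytes remain."""
    for s in range(start, start + n):
        bitmap[s] = False


def carve_jpegs(image):
    """Recover JPEG-like blobs by scanning raw bytes for SOI ... EOI, ignoring the bitmap."""
    found = []
    pos = image.find(JPEG_SOI)
    while pos != -1:
        end = image.find(JPEG_EOI, pos + len(JPEG_SOI))
        if end == -1:
            break
        found.append(bytes(image[pos:end + len(JPEG_EOI)]))
        pos = image.find(JPEG_SOI, end + len(JPEG_EOI))
    return found


def wipe_unallocated(image, bitmap, fill=b"\x00"):
    """One overwrite pass over every unallocated sector; allocated data is untouched."""
    for s, used in enumerate(bitmap):
        if not used:
            image[s * SECTOR:(s + 1) * SECTOR] = fill * SECTOR
    return image


def fake_jpeg(tag):
    """Constructed stand-in for a JPEG: real markers around a labelled ASCII payload."""
    return JPEG_SOI + b"\xe0" + (b"constructed payload " + tag) * 40 + JPEG_EOI


def demo():
    """Write two files, delete one normally, carve, wipe free space, carve again."""
    image, bitmap = make_image()
    photo_a = fake_jpeg(b"A")
    photo_b = fake_jpeg(b"B")
    n_a = write_file(image, bitmap, 4, photo_a)
    write_file(image, bitmap, 20, photo_b)
    delete_file(bitmap, 4, n_a)          # "delete" A the way a file system does
    before = carve_jpegs(image)          # the carve still sees both files
    wipe_unallocated(image, bitmap)      # single pass over unallocated sectors
    after = carve_jpegs(image)           # only the live file B survives
    return {
        "carved_before_wipe": len(before),
        "deleted_recovered": photo_a in before,
        "carved_after_wipe": len(after),
        "live_file_intact": after == [photo_b],
    }


if __name__ == "__main__":
    print(demo())
```

Running it reports two carved files before the wipe (the deleted one included) and one after, with the allocated file byte-for-byte intact. The carve works purely on markers, so it also illustrates why carving yields fragments and false positives on real media: any FF D8 FF run, including a header inside a still-allocated file, starts a candidate.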
Fair use rationale for Image:Xd-memory-card-comparison.jpg
Image:Xd-memory-card-comparison.jpg is being used on this article. I notice the image page specifies that the image is being used under fair use but there is no explanation or rationale as to why its use in this Wikipedia article constitutes fair use. In addition to the boilerplate fair use template, you must also write out on the image description page a specific explanation or rationale for why using this image in each article is consistent with fair use.
Please go to the image description page and edit it to include a fair use rationale. Using one of the templates at Wikipedia:Fair use rationale guideline is an easy way to insure that your image is in compliance with Wikipedia policy, but remember that you must complete the template. Do not simply insert a blank template on an image page.
If there is other fair use media, consider checking that you have specified the fair use rationale on the other images used on this page. Note that any fair use images lacking such an explanation can be deleted one week after being tagged, as described on criteria for speedy deletion. If you have any questions please ask them at the Media copyright questions page. Thank you.
BetacommandBot (talk) 07:59, 15 January 2008 (UTC)
Forensic examination is not limited to law enforcement
The big mistake in the current world is that the word "forensic" limits the topic to evidence preservation for law enforcement purposes! There are many examples in the digital world of forensic activities which do not relate to the matter of law enforcement.
Rather, forensic techniques are often used within the digital world to understand why a process failed (or succeeded) so that appropriate changes can be effected. Forensic techniques are also used for data recovery, a process that frequently (more often than not) has nothing to do with "evidence" preservation; rather it is data preservation.
Further, if one examines those sciences which use their knowledge to recover knowledge of the past, one will find that their techniques are forensically correct; anthropology being a good example.
Let us first understand the basic term of forensics before we try to describe its inner workings!
Bob (talk) 13:09, 7 June 2008 (UTC)