The Fundamentals of Digital Forensics in Computer Reactive Security(Part 1).


kenneth okereaforINTRODUCTION

Computer security is a vast field that touches all aspects of data confidentiality, integrity and availability for suitably controlling access to data. Access control is only one of the ten domains of Information Systems Security categorized by the International Information Systems Security Certification Consortium (ISC) 2 which is responsible for certifying Information Systems Security professionals globally.

Out of the two aspects of security, the proactive comprises of detective, preventative and deterrent measures while the reactive deals with corrective, investigative, recovery and compensatory measures taken to guarantee a certain degree of data assurance. Most of what is studied today in computer security only emphasizes the proactive components. Owing to many factors, investigating root cause analysis and studying computer usages or file structures to determine exploitable trends have never been the norm in most environments.

This paper introduces the reactive part of computer security otherwise called computer forensics. It attempts to serve as an introduction into the vast field of computer forensics. While defining forensic science holistically and introducing such terms as digital evidence, chain of custody, event reconstruction and root cause analysis, attempt has been made to itemize the globally-accepted best practices and standards for performing digital analysis ethically.


Holistically speaking, forensics science (shortened to forensics) is the scientific study and art of investigative techniques used to help in solving crimes by analyzing biological or chemical evidence at a crime scene. It is an interdisciplinary science relating to or dealing with the application of scientific knowledge to legal problems, especially in relation to the detection of crime. Forensic analysis is the process of understanding, recreating, and analyzing events that have previously occurred. Using evidence found at a crime scene the incident can be reconstructed to determine what happened, and possibly find more clues.

To achieve this, forensic specialists come together with their different forms of evidence such as photos, sketches, remnants, blood stains, recorded sound tracks and other useful items gathered from the crime scene to paint a vivid picture which makes it possible to retrace a crime that took place. In typical circumstances, evidence is processed in a crime lab.


Forensics is a huge interdisciplinary field that captures the attention of law enforcement agents, security corporations and intelligence groups around the world. Notably FBI is at the forefront of promoting the application of all branches of forensics.  This is probably because of the growing need to unravel seemingly-insoluble crime cases. As at today, there are more than 94 sub-divisions of Forensic Science known. A few of them include:

  • Genetic forensics is the organized analysis of the (DioxyriboNucleicAcid) DNA, a nucleic acid that contains the genetic instructions (or codes) used in the development and functioning of all known living organisms and some viruses. The main role of genetic forensics is the investigation and scrutiny of the long-term information stored in DNA molecules. The DNA segments that carry these genetic codes are called genes. Genetic forensics therefore involves the analysis and interpretation of the genes.
  • Forensic dactyloscopy is the study of fingerprints as a means of unraveling a high profile crime.
  • Forensic pathology is a field in which the principles of medicine and pathology are applied to determine a cause of death or injury in the context of a legal inquiry. Forensic pathology is usually a follow-up to a coroner’s investigation report.
  • Forensic toxicology is the study of the effect of drugs and poisons on/in the human body. These include analysis of the effects of both ingested and inhaled drugs and poison.
  • Forensic podiatry is an application of the study of foot, footprint or footwear and their traces to analyze scene of crime and to establish personal identity in forensic examinations.
  • Forensic astronomy uses methods from astronomy to determine past celestial constellations for forensic purposes.
  • Forensic Ballistics is the study of projectiles in the usage of gun shots, bombs, fire arms, long range missiles as a means of legally identifying their cause, origin, and impact of attack, damage or death.
  • Forensic metabolism deals with the analysis of the effects of consumed food, alcohol, drinks and inhaled air to unravel the cause of death in homicide and suicide cases.
  • Oracle forensics examines the ways in which a forensic examiner or cyber security incident responder may look for evidence in those places and technologies designed by Oracle Database Management System (DBMS) for disaster recovery purposes, and the various actions the attacker may have taken.
  • Computational forensics concerns the development of algorithms and software to assist forensic examination.
  • Criminalistics is the application of various sciences to answer questions relating to examination and comparison of biological evidence, trace evidence, impression evidence (such as impressions, and tyre tracks), controlled substances, and tool mark examination, and other evidence in criminal investigations.
  • Forensic video analysis is the scientific examination, comparison, and evaluation of video clips, digital animation and other motion pictures in legal matters.


Anything found on a crime scene that has the potential to give a clue to reconstruction is known as evidence. Also know in some quarters as artifact, trace or trail, evidence is anything that can be used to track the cause of crime. In typical murder cases, the splash pattern of blood stain is an evidence, so are hair strands on abandoned wrist watches. In some cases highly sophisticated form of inference is employed to deduce action from perfume fragrances.

When evidence appears in the form of computer data or resides in computer media or electronic repository, it is regarded as digital evidence. As an example a computer-generated bank statement may be regarded as digital evidence in a litigation involving financial crime or falsification of financial record. In this case admissibility of the digital evidence in a law court becomes a matter of local jurisdiction norms.

Similarly, call logs and sms queues in a cell phone or PDA can become digital evidence in matters of telephone threat crimes.


In Forensic studies, a widely-used technique of investigation is the replay of an event; this is also called reconstruction or recreation.

Reconstruction is the process of restoring something to an earlier state. In Forensic practice, reconstruction is an attempt to understand in details how certain events took place or happened, given a crime scene.

Crime scene reconstruction is the use of scientific methods, physical evidence, deductive reasoning, and their interrelationships to gain explicit knowledge of the series of events that surround the commission of a crime.  It is somewhat synonymous to reverse engineering whereby the cause is retrieved by working back through the effect (result).

Reconstruction is a very methodical and principled approach towards objectively understanding a crime using evidences found at a crime scene, hence the incident can be reconstructed to determine what happened, and possibly find more clues.

In the process of reconstructing an event, every item or info that shares any relationship with the subject under investigation is taken as a potential source of evidence. This is why a crime scene is usually cordoned off to prevent a possible damage, loss or interference with evidence.  Cordoning off is usually the first stage of evidence isolation. Specifically in computer forensics, cordoning is achieved through isolation of the digital media being investigated.


Performing forensic examination is a very tedious process that involves adherence to global best practices. These best practices are followed in a specific sequence starting from the gathering of evidence through the point of tendering evidence in court. The entire process during which the object(s) of investigation is/are kept secure without tampering is called chain of custody. In other words, chain of custody is the summation of all the activities and processes that are conducted from inception till the conclusion of a forensic analysis.

It is a process used to maintain and document the chronological history of evidence, and it represents the record of a sample, including its collection, preservation, transportation, transfers, analysis and final disposal as method of keeping track of who has handled a piece of evidence, when, and for what purpose. Chain of evidence is very vital in ensuring that evidence is not damaged or altered in any way while investigation goes on.

Effective chain of custody involves the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, both physical and electronic. This also includes the policies and procedures that govern the collection, handling, storage, transportation, testing, analysis and submission of evidence.

Because evidence can be used in court to convict persons of crimes, it must be handled in a very careful manner to avoid later allegations of tampering or misconduct which can compromise the case of the prosecution toward acquittal or to overturning a guilty verdict upon appeal. The idea behind recording the chain of custody is to establish that the alleged evidence is in fact related to the alleged crime, rather than having, for example, been planted fraudulently to make someone appear guilty.


This is the process of carrying out a thorough review of a disaster, problem, a crime or crisis in order to identify the elements of its cause, study the impacts of its effects on the system, set up measures to mitigate these effects and finally recommend possible solutions to prevent its reoccurrence. Root cause analysis is one of the many goals of forensic examination. Performing a forensic exercise will help to establish a pattern which the adversary might have followed to perpetrate a crime, or to identify the human or systemic error that could have led to a damage, a crash or a failure.

Kenneth Okereafor
Kenneth U.Okereafor. (MSc. Computer Security, BSc. Computer Information Systems, HND Electronic/Telecoms Engineering, IEEE) is a well-experienced Computer Information Systems Security Professional. Chartered through the Computer Professionals (Registration Council) of Nigeria (CPN), he has facilitated numerous computer technology deployments and capacity building initiatives on data security, biometric authentication systems, digital forensics, green computing, access control technologies, cyber terrorism control, application vulnerability analysis, IT risk analysis and mitigation, and System Development Life Cycle (SDLC) management. In addition to being a valedictorian, Kenneth has received national and international awards of IT excellence and enjoys membership of and recognition by, reputable professional bodies and research institutes including: • Institute of Electrical and Electronics Engineers (IEEE) • Nigeria Computer Society (NCS) • Computer Professionals (Registration Council) of Nigeria (CPN) • Global Network for CyberSolutions (GNC) • Information Technology Association of Nigeria (ITAN) • Digital Bridge Institute (DBI) • United Nations Global Alliance for ICT and Development (UN-GAID) • World Information Technology and Services Alliance (WITSA) • International Multilateral Partnership Against Cyber Threats (IMPACT) • Nigeria Institute of Management (NIM) Kenneth may be reached on NITELKEN@YAHOO.COM

    ICT Development in Nigeria: 2010 in Review, 2011 in View

    Previous article

    Africa’s Leading Mobile Event Holds

    Next article


    Leave a reply

    Your email address will not be published. Required fields are marked *