Signature analysis and Computer Forensics

Computer Forensics is a process of using scientific knowledge to collect, analyze and present digital evidence to court or tribunals. Since files are the standard persistent form of data on computers, the collection, analysis and presentation of computer files as digital evidence is of utmost essential in Computer Forensics. However, data can be hidden behind files and can be enough to trick the naked eye. Therefore, a more comprehensive data analyzing method called file signature analysis is needed to support the process of Computer Forensics. This method is articulated in details in this article and discussed. Introduction Computer Forensics is the process of using scientific knowledge to collect, analyse and present data to courts. This process involves the preservation, identification, extraction and documentation of computer evidence stored in the form of magnetically, optically or electronically stored media. Steps in forensic process include: 1. Creating an exact physical copy of the digital media e.g. the computer hard disk. This is often called bitwise image 2. Load image to an empty or formatted hard disk 3. Secure the original media in a sealed container 4. Mark and retrieve data of evidential value 5. Present evidence in a readable form for court or tribunal Step 4 involves the examination of the image and the search for evidence. With millions of files being stored on a computer, there is a need for methods to reduce the search space for the forensic examiners and spot out suspicious files. This is where signature analysis is used as part of the forensic process. A signature analysis is a process where files, their headers and extensions are compared with a known database of file headers and extensions in an attempt to verify all files on the storage media and discover those which may be hidden. In order to fully understand the usefulness of signature analysis, this article gives an introduction to the structure of computer files and how such files can be hidden. Then, a demonstration would be articulated to show how signature analysis can be used to defeat such data hiding techniques. Understanding the structure of a file Since data are stored on computers as files, all of these files must be searched and examined as if they were files in an office for the purpose to gather digital evidence. In order to understand the process of