How does Computer Forensics help me?

If you are hacked and files are added to or taken from your computer, the intruder leaves a trail of evidence behind. Forensic investigators follow that trail and gather evidence for legal proceedings. Signature analysis is a way of determining whether a file's type or extension has been changed in an attempt to hide the file. To discover whether this has happened, an investigator simply compares the hexadecimal code in the header or footer of a file with the file's name (its extension) to verify that they match. Signature analysis is necessary because the file extension can easily be altered, and computer file systems will not disclose the true nature of the file (Craiger, 2006).

One popular and effective tool for comparing file signatures with file names to determine whether a file has been altered is EnCase by Guidance Software. It automatically compares file type extensions against a table of known hexadecimal codes for file types that follow ISO or ITU-T standards. EnCase has proven itself reliable enough for its output to be used in court as official evidence (EnCase helps Scotland Yard combat computer crime, 2003).

An intruder is likely to change the name of a file in order to hide it in plain sight, which allows the attacker to leave malicious files behind for later use. The same trick appears in financial cases: in a money laundering investigation, for example, an Excel, Quicken or Money financial record may have been renamed to hide the evidence of illegal activity, and signature analysis exposes the renamed file because its header still identifies the original format.
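The header-versus-extension comparison described above, as an added Python example (it is not EnCase's code and does not come from the cited sources): a small signature table keyed by extension, a check that classifies a file as match, mismatch or unknown, and a scan over a constructed set of sample files, one of which is a spreadsheet renamed with a picture extension and one a PDF renamed as a text file. The magic bytes in the table are the public ones from the respective file format specifications; the table's coverage and the sample file contents are constructed for the example.

```python
import os

# Constructed signature table: extension -> list of accepted leading byte
# sequences ("magic bytes"). Values are the publicly documented headers:
# "%PDF" for PDF, the 8-byte PNG signature, the JPEG SOI marker, the GIF
# version strings, the OLE2 compound-file header used by legacy Excel/Word
# binaries, and the zip local-file header used by xlsx/docx containers.
SIGNATURES = {
    ".pdf":  [b"%PDF"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".xls":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".xlsx": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],
    ".zip":  [b"PK\x03\x04"],
}


def identify_by_header(data):
    """Return the sorted list of extensions whose magic bytes open `data`."""
    return sorted({ext for ext, magics in SIGNATURES.items()
                   if any(data.startswith(m) for m in magics)})


def check_signature(filename, header):
    """Compare a file's leading bytes with its extension.

    Returns (verdict, candidates) where verdict is one of:
      "match"    - the header is consistent with the extension
      "mismatch" - the header belongs to a known type, but not the one the
                   extension claims (the classic renamed-file case)
      "unknown"  - the header matches nothing in the table; inconclusive,
                   not a clean bill of health
    """
    ext = os.path.splitext(filename)[1].lower()
    candidates = identify_by_header(header)
    if ext in candidates:
        return "match", candidates
    if candidates:
        return "mismatch", candidates
    return "unknown", candidates


# Constructed sample "evidence": names paired with the first bytes an
# investigator would read from each file. "vacation.jpg" is really an
# OLE2 (xls/doc) file; "notes.txt" is really a PDF.
SAMPLE_FILES = {
    "report.pdf":   b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "holiday.png":  b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "vacation.jpg": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00",
    "notes.txt":    b"%PDF-1.4\n",
    "readme.txt":   b"Just plain text\n",
}


def scan(files):
    """Return [(name, candidate_extensions)] for every file whose header
    contradicts its extension, in the order the files were supplied."""
    flagged = []
    for name, header in files.items():
        verdict, candidates = check_signature(name, header)
        if verdict == "mismatch":
            flagged.append((name, candidates))
    return flagged


if __name__ == "__main__":
    for name, header in SAMPLE_FILES.items():
        verdict, candidates = check_signature(name, header)
        print(f"{name:14s} {verdict:9s} header looks like: {candidates or '-'}")
```

Two points the example makes visible. First, several formats share a container header (xlsx, docx and zip all begin with `PK\x03\x04`; xls and doc share the OLE2 header), so a header check can only narrow a file to a family, and a deeper parse is needed to tell members apart. Second, "unknown" means the table had no opinion, so a real investigation pairs the signature check with footer/trailer checks and a far larger signature table than the handful shown here.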

References:

Craiger, J. P. (2006). Computer forensics procedures and methods. In H. Bidgoli (Ed.), Handbook of information security (Vol. 2). New York, NY: John Wiley & Sons.

EnCase helps Scotland Yard combat computer crime. (2003). Computing & Control Engineering, 14(1), 5. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com.ezproxy.umuc.edu/login.aspx?direct=true&db=a9h&AN=9700945&site=eds-live&scope=site
