What is Computer Forensics?

Experts and Investigators talk about Evidence Collection

© Karen Lotter

Feb 24, 2008
Computer Forensic investigators - Jumpdrives, Rajesh Sundaram
Computer Forensics plays an important role in today's electronic world. The real test of its value lies in the integrity of the evidence collection.

When we see crime scenes on television, we often see cops leaving with computers; we sometimes read in the newspapers that police have confiscated computers; and those of us who read crime thrillers know that bugs and listening devices are planted and industrial espionage is committed via electronic and computer equipment.

Well, that build-up was just to introduce the topic of computer forensics, computer investigation or electronic forensics and especially the evidence collection in the investigation process.

Definition of Computer Forensics

A simple definition is that computer forensics “is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and for solving puzzles, which is where the art comes in.” (Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006.)

What is Computer Forensics?

Computer Forensics World answers the question, what is computer forensics?

"There are a number of slightly varying definitions around. However, generally, computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded."

Standards of Admissible Evidence

Computer forensics requires specialized knowledge, expertise and tools that go above and beyond the normal data collection and preservation techniques available.

It is important to understand that, like any other piece of evidence used in a case, the information generated by a computer forensics investigation has to meet the standards of admissible evidence.

When are Computer Forensic Experts Called In?

Some of the reasons that could trigger a computer forensics investigation:

  • Criminal fraud and deception cases
  • Employee internet abuse
  • Unauthorized disclosure of corporate information and data (accidental and intentional)
  • Industrial espionage
  • Damage assessment (following an incident)

Judd Robbins – Computer Forensics Expert Talks about Evidence Collection

Judd Robbins is a computer forensics expert and an expert witness who testifies in court on these matters. Robbins explains what steps a computer forensic specialist would take to identify and attempt to retrieve possible evidence that may exist on a computer system. During an investigation, the computer forensic expert:

  • Protects the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction
  • Discovers all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files
  • Recovers all (or as much as possible) of discovered deleted files
  • Reveals (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system
  • Accesses (if possible and if legally appropriate) the contents of protected or encrypted files
  • Analyzes all possibly relevant data found in special (and typically inaccessible) areas of a disk
  • Prints out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data
  • Provides expert consultation and/or testimony, as required

The Integrity of the Evidence Collection

Computer forensics will play an increasingly large role in our lives as our environment becomes more computerized, but the true test of its results will lie in the integrity of the evidence collection.

Sources:

July 2002 edition of “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations” for the US Department of Justice requirements for computer forensics and electronic evidence processing.

Computer Forensics World


The copyright of the article What is Computer Forensics? in Crime Scene Processing is owned by Karen Lotter. Permission to republish What is Computer Forensics? in print or online must be granted by the author in writing.


Computer forensics requires specialized knowledge., Zach Carter
Judd Robbins, Computer Forensics Expert, computerforensics.net/
   

