Computer forensics is the science of obtaining information from computers and digital media. This information is usually intended to be used as legal evidence. The aim of the computer forensic analyst is twofold. First, he or she must retrieve data from the computer disks and other digital media in question. Then the data must be stored in a manner that is safe and that allows the analyst to affirm that it was found on the original device. A computer forensics specialist must be expert in both the technology of data recovery and the legal aspects of evidence handling.
Computer forensics is a relatively new science. Before the 1980s, there were no personal computers and therefore no computer crimes. Now computers figure in a wide variety of illegal activity, both directly and as an information storage medium.
There are some crimes in which computers are directly involved. One of these is hacking into corporate and government websites. Hackers may try to obtain information such as customers’ credit card or bank account details. They may try to embarrass government agencies and prevent citizens’ access by shutting down websites or posting false information. Another crime is abuse in chat rooms and on social media sites. This may take the form of bullying, encouraging others to attack a person or spreading false information about someone to damage their reputation.
In other crimes, the computer is not used in committing the crime itself. It is used to store information that may be used as evidence of the crime. This might include journals of criminal activity, spreadsheets with financial information or emails.
Another category of computer crime might be considered to be one in which the computer is not absolutely necessary for the crime, but makes it much easier and more likely to be committed. Crimes of this nature might include storing child pornography or attempting to solicit meetings with minors.
Data Recovery Techniques
The main mission of the computer analyst is data recovery. There are several techniques that might be used:
Live Recovery – If the computer is seized while it is still running, or is shut down but operational, live recovery may be used. This may involve searching the hard drive of the computer using the installed operating system or third-party software.
Deleted File Recovery – Many people do not realize that when files are deleted from a computer, they are seldom actually removed from the hard drive. The delete function only removes the file’s location from the computer’s file location list; the file’s contents stay on the drive. In most cases, software is available to recover these files. Even if the hard drive has been erased, the data is often still there.
Steganography – This is an interesting method of hiding data in which the information is mixed into an image. The data may also be intermixed with the coding of a computer file.
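To illustrate the Deleted File Recovery item above, here is an added example (not part of the original article) of signature-based carving: it scans raw image bytes for JPEG start and end markers, so it finds content that no longer has an entry in the file location list, and it hashes each recovered object so the analyst can later affirm it is unchanged. The function names and the sample disk image are constructed for this illustration.

```python
import hashlib

# JPEG start-of-image and end-of-image markers used as carving signatures.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
MAX_CARVE = 10 * 1024 * 1024  # give up on a header if no footer appears within 10 MiB


def carve_jpegs(image: bytes, max_size: int = MAX_CARVE):
    """Return a list of (offset, data, sha256) for JPEG-like runs in a raw image.

    Works on the raw bytes only, so it finds content whose directory
    entry is gone. Fragmented files are not reassembled.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            # Header with no footer in range: truncated or overwritten, skip it.
            pos = start + 1
            continue
        data = image[start:end + len(JPEG_FOOTER)]
        found.append((start, data, hashlib.sha256(data).hexdigest()))
        pos = end + len(JPEG_FOOTER)
    return found


def build_sample_image():
    """Constructed 'disk': two deleted JPEG-like blobs and one truncated header."""
    jpeg_a = JPEG_HEADER + b"\xe0" + b"A" * 100 + JPEG_FOOTER
    jpeg_b = JPEG_HEADER + b"\xe1" + b"B" * 50 + JPEG_FOOTER
    truncated = JPEG_HEADER + b"\xe0" + b"C" * 20  # footer was overwritten
    image = b"\x00" * 512 + jpeg_a + b"\x00" * 300 + jpeg_b + b"\x00" * 200 + truncated
    return image, jpeg_a, jpeg_b


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    print("image sha256:", hashlib.sha256(image).hexdigest())
    for offset, data, digest in carve_jpegs(image):
        print(f"offset={offset} size={len(data)} sha256={digest}")
```

Hashing the whole image before analysis and each carved object afterwards gives a record that ties every recovered file back to the acquired copy of the original device.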
Computer forensics is a fascinating science. Its practitioners must be part computer expert, part evidence handling specialist and part detective.