Computer Forensics - an Explanation
A Backup Article Contributed by Ashley Lister
Computer Forensics - an Explanation
Computer forensics is the use of computer investigation and analysis techniques for determining potential legal evidence.
Who Uses Computer Forensics?
Computer forensic evidence can be used by a wide variety of people. Criminal prosecutors can make good use of computer forensics where incriminating documents have been stored on a PC (or in any electronic format). Civil litigators, insurance companies, corporations, law enforcement officers and even private individuals can call on the services of computer forensics experts if they have a need to prove a point by the use of material that has been stored on a computer of any description.
Why Do They Use Computer Forensics?
Evidence might be sought in a very wide range of computer crime cases or computer misuse cases. These can include fraud, the theft of trade secrets, an infringement of intellectual property as well a whole host of other crimes. Many of these crimes rely heavily on information that has been stored on a computer and it used to be the case that culprits could evade detection and prosecution by simply pressing a delete key and banishing every trace of their wrongdoings.
Computer forensics have changed that situation. Nowadays, in any case where information has been stored on a computer, and there is a chance of it being retrieved so it can benefit the prosecution or defence of an argument or court case, computer forensics could and should be used.
How Do They Use Computer Forensics?
Computer forensics specialists can use a variety of methods to retrieve data that resides on a computer system. They are able to recover deleted files, break encryption codes to access "hidden" data and even employ special utilities to repair "damaged" files.
Initially a computer will be isolated and handled carefully so as not spoil any evidence that might be contained on its system. All files will then be discovered and logged, including the regular system files, existing files, documents and spreadsheets, hidden files, encrypted files and those files that have been deleted yet still remain on the system.
Whenever and wherever it is possible, the encrypted files will be accessed and the deleted files will be retrieved. All of this has to be done within the grounds of what is legally acceptable to the rights of the computer user.
In the final stages of computer forensics an overall analysis is made of the hard drive and this includes those "unused" sectors, clusters and partitions where no information is currently stored. These are studied with meticulous care in case they have previously contained incriminating evidence that has since been deleted. A print out of the computer forensic specialist's finding is made and it is not uncommon for the specialist to appear in court and provide expert testimony.
In a world where it seems that damning evidence could be destroyed in a single strike of the delete key, it is comforting to know that there are experts in the field of computer forensics who are able to retrieve so much.
