The Wayback Machine - https://web.archive.org/all/20041214235655/http://www.digits.com:80/articles/backup--computer-forensics-software.htm

Computer Forensics Software


A Backup Article Contributed by Melissa Larose


Computer forensics software is not the same kind of software application you find on your home or business computer. It has a set of requirements imposed on it by law. For its findings to be accepted as evidence in a court of law, these software programs must treat evidence in a particular manner.

Computer Forensics Deals with Integrity

If you have ever been in court during a trial or even watched Court TV, you will remember that evidence is handled in a particular manner. It is handled this way to ensure the integrity of the evidence. When integrity is not maintained, the evidence can decay, be tampered with, go missing, or become inadmissible and invalid due to damage incurred after the fact.

Computer forensics teams must treat their evidence in a similar manner and for the same reasons. But this is not such an easy task. Think about the inner workings of a computer. Background processes are logged, user logins are logged, deleted files are, to a degree, never really deleted, and unless the hardware is physically damaged everything that happens on a computer is traceable. Well, now this sounds like great news for computer forensics experts. Their job is to locate evidence of computer crimes, and it seems that the computer is just chock full of information.

Now for the sticky part: how do you keep the integrity of that information when the nature of the system is to record?

Computer Forensics Maintains Integrity

The software that computer forensics specialists use was developed to maintain the evidence in its found state. How does it do this? It simply makes copies of the evidence as found. There is no recording of file open and close times, nor is information attached to files that identifies date and user. This software does not open the file as if to change it; it opens the file to make an exact copy. So you can see that this software is very different in its nature when you compare it to a word processing application.

Computer forensics software is there only to examine, sort of like a copy machine that makes a copy but does not change the copy in any way, say the date or the author's name. Everything stays just as it was found.
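The copy-without-changing idea above, as an added Python example that is not from the article or from any forensics product. It assumes SHA-256 hashing as the way to show the copy is exact (the article names no method); the file names and sample data are constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large evidence files never load whole


def sha256_file(path):
    """SHA-256 hex digest of a file, opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source to image byte for byte; return hashes and a verdict.
    Reading can still update access time on some systems, so real acquisitions
    put a write blocker or read-only mount in front of the evidence.
    """
    before = os.stat(source)
    source_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            source_hash.update(block)
            dst.write(block)
    after = os.stat(source)
    untouched = (before.st_size, before.st_mtime_ns) == (after.st_size, after.st_mtime_ns)
    image_hash = sha256_file(image)  # re-read the copy from disk
    return {"source_sha256": source_hash.hexdigest(), "image_sha256": image_hash,
            "verified": untouched and image_hash == source_hash.hexdigest()}


def demo():
    """Acquire constructed sample evidence, then alter the copy to show detection."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "evidence.bin")
        image = os.path.join(tmp, "evidence.img")
        with open(evidence, "wb") as fh:
            fh.write(b"constructed sample evidence\x00" * 4096)
        report = acquire(evidence, image)
        with open(image, "r+b") as fh:  # simulate a later change to the copy
            fh.write(b"X")
        altered = sha256_file(image) != report["source_sha256"]
        return report["verified"], altered


if __name__ == "__main__":
    print(demo())
```

Recording the source hash at acquisition time is what lets anyone later re-hash the working copy and show it still matches what was found.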

Computer Forensics Software Helps Examine

Once a specialist is faced with what can often be volumes of files to search through, he needs tools to assist in the search for, and actual location of, pertinent files. Depending on the nature of the crime, a computer forensics expert will know locations, logs, and file names that are usually associated with the crime. Computer forensics software toolkits provide tools that do not interfere with the files but instead allow the specialist to look into the files without disturbing them.

Some of these tools include full text indexing, advanced search capability for Internet text and image files, the ability to find binary patterns, view hundreds of file types, and the overall ability to auto-recover previously deleted files and partitions. Almost all the software allows audit logs and case findings reports to be generated.
