Defining Computer Forensics


computer forensics

Computer investigation and analysis techniques that involve the identification, preservation, extraction, documentation, and interpretation of computer data to determine potential legal evidence.

The digital age has produced many new professions, but one of the most unusual is computer forensics. Computer forensics deals with the application of law to a science. The New Shorter Oxford English Dictionary defines computer forensics as 'the application of forensic science techniques to computer-based material.' In other words, forensic computing is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is acceptable in a legal proceeding. At times, it is more science than art; other times, it is more art than science.

Although it is similar to other forms of legal forensics, the computer forensics process requires a vast knowledge of computer hardware and software in order to avoid the accidental invalidation or destruction of evidence and to preserve the evidence for later analysis. Computer forensic review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence; therefore, a professional within this field needs to have a detailed understanding of the local, regional, national, and sometimes even international laws affecting the process of evidence collection and retention. This is especially true in cases involving attacks that may be waged from widely distributed systems located in many separate regions.

electronic discovery

The process whereby electronic documents are collected, prepared, reviewed, and distributed in association with legal and government proceedings.

Computer forensics can also be described as the critical analysis of a computer hard disk drive after an intrusion or crime. This is mainly because specialized software tools and procedures are required to analyze the various areas where computer data is stored, after the fact. Often this involves retrieving deleted data from hard drives and servers that have been subpoenaed in court or seized by law enforcement. During the course of forensic work, you will run into a practice that is called electronic discovery. Electronic discovery produces electronic documents for litigation. Items included in electronic discovery include data that is created or stored on a computer, computer network, or other storage media. Examples of such are e-mail, word-processing documents, plaintext files, database files, spreadsheets, digital art or photos, and presentations. Electronic discovery using computer forensics techniques requires in-depth computer knowledge and the ability to logically dissect a computer system or network to locate the desired evidence. It may also require expert witness testimony to explain to the court the exact method or methods by which the evidence was obtained.

Computer forensics has become a popular topic in computer security circles and in the legal community. Even though it is a fascinating field, due to the nature of computers, far more information is available than there is time to analyze, and a key skill is to know when to stop looking. This is a skill that comes with time and experience. For now, let's look at the major concepts behind computer forensics. The main emphasis is on recovery of data. To do that you must:

  • Identify the evidence

  • Determine how to preserve the evidence

  • Extract, process, and interpret the evidence

  • Ensure that the evidence is acceptable in a court of law

All of these concepts are discussed in great detail throughout this book. Because computer-based information is fragile and can be easily planted, rarely is the simple presence of incriminating material the evidence of guilt. So as you can see, electronic information is easy to create and store, yet computer forensics is a science that requires specialized training, experience, and equipment.

Real World Scenario-Tales from the Trenches: Why Computer Forensics Is Important

A computer forensics examiner might be called upon to perform any of a number of different types of computer forensics investigations.

We have all heard of or read about the use of computer forensics by law enforcement agencies to help catch criminals. The criminal might be a thief who was found with evidence of his crime when his home or office computer was searched, or a state employee who was found to have stolen funds from public accounts by manipulating accounting software to hide funds transfers.

Most of us know that computer forensics is used every day in the corporate business world to help protect the assets and reputation of large companies. Forensics examiners are called upon to monitor the activities of employees; assist in locating evidence of industrial espionage; and provide support in defending allegations of misconduct by senior management.

Government agencies hire computer forensics specialists to help protect the data the agencies maintain. Sometimes, it's as simple as making sure IRS employees don't misuse the access they have been granted to view your tax information by periodically reviewing their activities. Many times, it's as serious as helping to defend the United States by protecting the most vital top secret information by working within a counterintelligence group.

Every day, divorce attorneys ask examiners to assist in the examination of personal computers belonging to spouses involved in divorce proceedings. The focus of such investigations usually is to find information about assets that the spouse may be hiding and to which the other spouse is entitled.

More recently, defense attorneys have asked forensic examiners to reexamine computers belonging to criminal defendants. Computer forensics experts have even been asked to reexamine evidence used in a capital murder case that resulted in the defendant receiving a death sentence. Such reexaminations are conducted to refute the findings of the law enforcement investigations.

Although each of these areas seems entirely unique, the computer forensics examiner who learns the basics, obtains appropriate equipment, follows proper procedures, and continues to educate himself or herself will be able to handle each of these investigations and many other types not yet discussed. The need for proper computer forensics investigations is growing every day as new methods, technologies, and reasons for investigations are discovered.




Computer Forensics JumpStart
ISBN: 0470931663
EAN: 2147483647
Year: 2004
Pages: 153
