Computer Forensics is the use of specialized techniques for recovery, authentication and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data or authentication of data by technical analysis.
What is Computer Forensics?
There are a number of slightly varying definitions. In basic terms, computer forensics is the use of analytical and investigative techniques to identify, collect, examine and preserve evidence or information that is stored or encoded in digital form (on magnetic, optical or solid-state media).
What is the objective of this?
The objective is to provide digital evidence of a specific or general activity.
To what ends?
A forensic investigation can be initiated for a variety of reasons. The most high profile are usually criminal investigations or civil litigation, but digital forensic techniques can be of value in a wide variety of situations, including simply retracing the steps taken when data has been lost.
What are the common scenarios?
Scenarios are wide and varied. Examples of these include:
•Employee internet abuse (common, but decreasing)
•Unauthorized disclosure of corporate information and data (accidental and intentional)
•Industrial espionage
•Damage assessment (following an incident)
•Criminal fraud and deception cases
•More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly)
•And countless others!
How is a computer forensic investigation approached?
It's a detailed science. The main phases are usually:
•Secure the subject system (from tampering during the
•Take a copy of the hard drive (if applicable), and record a hash of it so the copy can later be authenticated against the original
•Identify and recover all files (including those deleted)
•Access/copy hidden, protected and temporary files
•Study 'special' areas on the drive (eg: unallocated space holding residue from previously deleted files)
•Investigate data/settings from installed applications/programs
•Assess the system as a whole, including its structure
•Consider general factors relating to the user's activity
•Create a detailed report
Throughout the investigation, a full audit log of your activities should be maintained: who did what to the evidence, when, and with what result.
Is there anything that should NOT be done during an investigation?
Definitely. The specifics depend on the nature of the computer system being investigated, but typically it is important to avoid changing date/time stamps (of files, for example) or changing the data itself. The same applies to the overwriting of unallocated space (which can happen on re-boot, for example, or simply by booting the suspect machine into its own operating system). Work on the copy rather than the original, and re-check the copy's hash after examination to show that nothing was altered. 'Study, don't change' is a useful catch-phrase.
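The acquisition, recovery and 'study, don't change' points above, as an added example that is not from the original page and not US-IL Investigations' own tooling: it hashes a copy of a disk image, carves a deleted JPEG out of unallocated space by file signature (ignoring the file system entirely, which is why it finds files with no directory entry), keeps a timestamped audit log of each action, and re-hashes afterwards to prove the evidence was not modified. The disk image is a constructed in-memory sample, the JPEG carver handles only the start/end markers of that one format, and SHA-256 is an assumed choice of authentication hash.

```python
"""Added example, not from the original page: a minimal read-only
forensic pass over a constructed 'disk image'."""
import datetime
import hashlib

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


def sha256_hex(data: bytes) -> str:
    """Hash used to authenticate the forensic copy (assumed: SHA-256)."""
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    """Append-only list of timestamped actions taken on the evidence."""

    def __init__(self) -> None:
        self.entries: list[str] = []

    def record(self, action: str, detail: str) -> None:
        ts = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.entries.append(f"{ts} {action}: {detail}")


def build_sample_image() -> bytes:
    """Constructed sample image (not real evidence): an allocated text file,
    then a JPEG whose directory entry is gone so only its bytes remain in
    unallocated space, then zero-filled free space."""
    allocated = b"report.txt: quarterly figures\n".ljust(64, b"\x00")
    deleted_jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 24 + JPEG_EOI
    return allocated + deleted_jpeg + b"\x00" * 64


def carve_jpegs(image: bytes) -> list[tuple[int, bytes]]:
    """Signature carving: pair each JPEG start marker with the next end
    marker. Returns (offset, bytes) for every complete file found."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break  # header without footer: truncated remnant, not recoverable here
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def verify_copy(acquisition_hash: str, candidate: bytes) -> bool:
    """Authentication check: does this copy still match the hash taken at
    acquisition time? Any single changed byte fails it."""
    return sha256_hex(candidate) == acquisition_hash


def investigate(image: bytes, log: AuditLog) -> dict:
    """Hash, examine without writing, re-hash, and log every step."""
    acquisition_hash = sha256_hex(image)
    log.record("acquire", f"sha256={acquisition_hash}")
    carved = carve_jpegs(image)
    offsets = [offset for offset, _ in carved]
    log.record("carve", f"{len(carved)} JPEG(s) recovered at offsets {offsets}")
    unchanged = verify_copy(acquisition_hash, image)
    log.record("verify", "image hash unchanged" if unchanged else "IMAGE MODIFIED")
    return {"acquisition_hash": acquisition_hash, "carved": carved, "unchanged": unchanged}


if __name__ == "__main__":
    log = AuditLog()
    img = build_sample_image()
    result = investigate(img, log)
    for offset, blob in result["carved"]:
        print(f"recovered JPEG at offset {offset}, {len(blob)} bytes")
    # A careless examiner who writes into the image breaks the chain of custody:
    tampered = bytearray(img)
    tampered[0] ^= 0xFF
    print("tampered copy verifies:", verify_copy(result["acquisition_hash"], bytes(tampered)))
    print("\n".join(log.entries))
```

Real carving tools recognise many more signatures and handle fragmented files; the point here is that signature carving never consults the file system's directory, which is exactly why it recovers files whose entries were deleted, and that the hash-before/hash-after pair plus the audit log is what lets you later demonstrate that examination did not alter the evidence.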
US-IL Investigations Inc. has an expert computer forensics team. Please call today for a free consultation.