Computer Forensics Defined
Computer forensics is a sub-category of digital forensic science. Computer forensics, in a specific sense, pertains to legal evidence latent in computer systems and digital storage media units. The goal of this field is to examine digital media and files in a sound matter with the aim of recovering, preserving, analyzing, and ultimately identifying facts concerning the underlying legal matter or situation.
The field of computer forensics is most often connected with the investigation of a wide variety of computer crimes. In an investigatory sense, the discipline of computer forensics will incorporate similar techniques and principles found in data recovery. However, the field of computer forensics will attach additional practices and guidelines which are implemented to create a legal audit trial.
The evidence gathered from a computer forensics investigation is typically subjected to the same protocol and practices of other digital evidence. The use of digital evidence, gathered from computer forensics, has been used in a number of high profile cases. As a result of the accuracy and the pertinent details it reveals, the use of computer forensics is quickly becoming a reputable and reliable source within European and American court systems.
The Establishment of Computer Forensics
In the early 1980s, computer systems were more accessible to consumers. As a result of this popularity, networks began to store personal information aligned with banking and identification purposes.
As computers facilitated transactions and consumer activity, they attracted criminals who were interested in committing fraud and tampering with personal information. During this time, the discipline of computer forensics emerged as a method to investigate and recover digital evidence used in court systems. In a more modern sense, computer forensics is used to investigate a wide variety of criminal activity, including fraud, child pornography, cyber stalking, cyber bullying, murder, and rape.
The information recovered from computer forensics is used to elucidate upon the current state of a digital artifact, such as a storage medium, a computer system, or an electronic document. Once the information is obtained, the scope of a forensic investigation can vary from a simple retrieval of information to reconstructing a complex series of events.
Computer Forensics used as Evidence
Evidence obtained through the implementation of computer forensics has been applied to criminal law cases since the early 1980s. In the court of law, information or evidence obtained from computer forensics is subject to the typical requirements for digital evidence, meaning the evidence obtained must be reliably obtained and admissible, as well as authenticated. In addition to these basic guidelines, various countries and jurisdictions have implemented specific guidelines and practices attached to the recovery of computer forensic evidence.
Computer Forensics Process
Computer forensic investigations typically follow the standard digital forensic process, which includes the acquisition of evidence through a computer platform, subsequent analysis and reporting. A number of techniques are used during computer forensics investigations, including cross-drive analysis, live analysis, and the studying of deleted files.
Cross-drive analysis refers to a forensic technique that correlates information present on multiple hard drives. The process can be used for identifying social networks or for performing anomaly detection. Live analysis is the process of examining computers within the operating system using a custom tool to extract the evidence.