The term ‘Forensic Computing’ and its basic principles have been defined by many organisations, including the Australian Institute of Criminology and


Alice Briggs

P05267215

The term ‘Forensic Computing’ and its basic principles have been defined by many organisations, including the Australian Institute of Criminology and the International Organisation on Computer Evidence. Explain what Forensic Computing is and explain its basic principles. How might these change over the next 10 years?

‘The application of computer based technology to the investigation of computer based crime has given rise to the field of forensic computing.’ [7]    

Forensic computing is the forensic and technological analysis of data found on a piece of computer hardware or software. Forensically speaking, the analysis requires the specialist to follow precise standards, just as any police officer or scenes of crime officer would at a murder scene. Any crime scene investigation has to follow several principles: preservation, identification, extraction, documentation and interpretation [1, Kruse]. In forensic computing these five steps must always be followed, but in relation to computer evidence. The first major rule in collecting computer forensic evidence is that if the machine is turned off, it must not be turned on at any point. The officer collecting the evidence is permitted to photograph, sketch and take notes about the computer, such as the model, but is prohibited from turning on the machine, because previous information may be overwritten when the machine starts up [2, lecture]. If the computer is turned on when officers come to seize the equipment, a copy of any running applications must be made to a removable source such as a USB device. The machine must then be turned off in the normal way, without saving anything.

The data within the computer or laptop must be preserved by making a hard copy of all of it, even data that does not appear relevant to the case at first glance; data found to be irrelevant on later analysis will be excluded. To eliminate data files from the case in question, each file must be vigorously analysed using several techniques, such as Encase and steganography. All of the data is examined to discover the origins of the important data, the content of the data and the processing history of that data, for example when a file may have been changed [2, lecture notes]. ‘The actions taken by the forensic examiner after imaging are largely determined by the type of investigations they carry out and the forensic software used.’ [6]
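The preservation step described above, sketched as an added example that is not part of the original essay: it copies a file byte for byte without writing to the original, records when the original was last changed, and checks the working copy against a hash. The SHA-256 check, the function names and the sample file are assumptions of this example; the essay does not name a verification method.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images do not fill memory

def sha256_of(path):
    """Return the SHA-256 hex digest of the file at path."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def acquire(source, dest):
    """Copy source to dest byte for byte and return a record for the case file."""
    info = os.stat(source)  # capture metadata before the file is read
    digest = hashlib.sha256()
    # "rb" never writes to the original; "xb" refuses to overwrite an earlier copy
    with open(source, "rb") as src, open(dest, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    os.chmod(dest, 0o444)  # working copy is read-only from here on
    copy_hash = sha256_of(dest)  # re-read the copy from disk to verify it
    return {
        "source": source,
        "size_bytes": info.st_size,
        "last_modified_utc": datetime.fromtimestamp(info.st_mtime, timezone.utc).isoformat(),
        "source_sha256": digest.hexdigest(),
        "copy_sha256": copy_hash,
        "verified": digest.hexdigest() == copy_hash,
    }

def still_intact(record, dest):
    """True if the working copy still matches the hash recorded at acquisition."""
    return sha256_of(dest) == record["copy_sha256"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as case_dir:
        original = os.path.join(case_dir, "seized_file.bin")  # constructed sample
        with open(original, "wb") as f:
            f.write(b"constructed sample data\n" * 1000)
        working = os.path.join(case_dir, "working_copy.bin")
        record = acquire(original, working)
        print(record)
        print("intact:", still_intact(record, working))
```

Analysis is then carried out on the working copy, and `still_intact` can be re-run before and after each examination session to show the copy has not changed.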


‘Encase is a series of forensic software products produced by Guidance software.’ [8] As a software package, Encase has several features, such as:

  1. data acquisition
  2. the management of a forensic case
  3. the searching and analysis of evidence
  4. it allows documentation of evidence
  5. it produces documentation such as reports for courts [2]

‘Dependent on the software used, the image can then either be examined directly within the forensic software as a ‘virtual drive’ or a ‘clone’ of the original media made for the purposes of the examination.’ [6]

Steganography is also a technique which can ...
