Introduction to Computer Forensics

Gediminas Tamenas

This essay will address how electronic evidence and the techniques of computer forensics work. It will also discuss how computer forensics works in practice, what steps it requires to keep all the data secure, and what tools it requires to recover lost data. This will give the reader a clear idea of what the job of a computer forensics examiner involves and what they do. The main purpose of forensics is to search and analyse a computer system to find evidence about suspects that can be used in court. Computer forensics also involves the preservation, identification, extraction and, most importantly, documentation of the evidence collected, in the form of magnetically, optically or electronically stored data. (Robin Bryant, 2008) Most of the techniques that investigators use at a crime scene have digital counterparts, but there are also some unique aspects to computer investigation. Some say that using computer evidence in court against a criminal is not really a good idea, because it is easy to change computer data, and to check how the data has been used at a crime scene. (John Sammons, 2012)

Forensic technologies are designed to prepare and extract evidence from a seized computer system. The basic method of preserving, detecting and obtaining electronic evidence was described in. This extraction is performed in a manner that satisfies the requirements of the courts. Typically, the data that resides on the fixed drive of a system has been erased or otherwise altered in order to protect incriminating information. First of all, the investigator has to ensure that the system is secure and all the data is safe. This means making sure that unauthorised individuals cannot go near, get hold of or use that particular computer or its storage devices, which are the most important items in the search. Investigators have to find every file on the computer that can be used in court, including encrypted, protected, hidden and deleted but not yet overwritten files. They have to make a copy of every file on the suspect's computer in case it gets lost; this includes all files on the computer's hard drive and on any external drives. (Michael G. Solomon and K Rudolph, 2011) The work is not done yet: the investigator has to try to recover all the data that can be recovered, using special applications that can detect deleted data and restore it, such as SystemWorks Pro 2003 (GHOST 2003 & DiskEdit) (included in the FRED System), Norton Ghost, DriveSpy, Image, PDWipe, PDBlock, PART (included in the FRED System) and AccessData - The Ultimate Toolkit (FTK, PRTK, DNA, etc.). (Bill Nelson, 2007) This method allows the investigator to collect the maximum amount of data against the suspect. If there are any hidden or protected files, there are programs that let the investigator decrypt and see all files that are hidden from other users.
Most computer users who do not have much experience do not know that, if they browse online or download something, some files still remain on the system even after they delete their history or the downloaded files, such as cookies, application data, plug-ins and even passwords. That is why the investigator needs to access and analyse special areas of the computer's memory, because, as mentioned above, some parts are normally inaccessible and hold data that the user may not know about or may have forgotten to delete. The most important step for the investigator is to document every step they make and to provide proof that they collected all the information from the suspect's computer without losing, changing or damaging it. (Marie-Helen Maras, 2012) An investigator can collect a great deal of useful evidence, but if the evidence is not submitted in the proper form that is required, it may not be admissible. All these steps are very important, but if the investigator does not complete the first step, making sure that the computer is secure, the investigator will not be allowed to start the investigation, or the evidence found might not be admissible. (Harlan Carvey, 2012) Some criminals have also found different ways to hide files from the computer forensics team and make it more difficult to find evidence: some use computer programs known as “Anti-Forensics” tools, so detectives have to be aware of such programs and carefully work out how to disable the application before doing any investigation, which then allows access to all the data. (Robert C. Newman, 2007)
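As an added illustration that is not part of the essay, the following Python mirrors the steps described above on constructed sample data: take a bit-for-bit copy of the drive, hash it at acquisition, recover a deleted file that was not yet overwritten by scanning for its signature, and record a chain-of-custody entry showing the image was not altered during analysis. The drive contents, the PNG bytes and the examiner name are constructed assumptions, not real evidence.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data (not real evidence): a PNG whose directory entry was
# deleted but whose bytes were never overwritten on the drive.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"
DELETED_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR<constructed pixels>" + PNG_END

def build_sample_drive() -> bytes:
    """Constructed raw drive contents: live file data, free space, the orphaned PNG."""
    live = b"notes.txt: meeting at 10\x00" * 3
    return live + b"\x00" * 64 + DELETED_PNG + b"\x00" * 32

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(drive: bytes) -> tuple[bytes, str]:
    """Bit-for-bit copy plus acquisition hash; all later analysis runs on the copy."""
    image = bytes(drive)
    return image, sha256_hex(image)

def carve_png(image: bytes) -> list[bytes]:
    """Recover deleted-but-not-overwritten PNGs by scanning for their signature."""
    found, pos = [], 0
    while (start := image.find(PNG_MAGIC, pos)) != -1:
        end = image.find(PNG_END, start)
        if end == -1:
            break  # header without trailer: the file was partly overwritten
        found.append(image[start:end + len(PNG_END)])
        pos = end + len(PNG_END)
    return found

def verify_unchanged(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash after analysis to prove the image was not altered."""
    return sha256_hex(image) == acquisition_hash

def custody_entry(action: str, examiner: str, image_hash: str) -> dict:
    """One documentation record: who did what to which image, and when."""
    return {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
            "action": action, "sha256": image_hash}

if __name__ == "__main__":
    image, h = acquire(build_sample_drive())
    print(json.dumps(custody_entry("acquired image", "examiner-1", h)))
    print(f"recovered {len(carve_png(image))} deleted PNG(s)")
    print("unchanged after analysis:", verify_unchanged(image, h))
```

The same hash comparison is what lets a court check that the copy examined is identical to the drive seized; any single changed byte fails the check.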


Electronic evidence is any object, piece of information or file that can be relevant to the crime being investigated. Different types of evidence exist to establish whether information is good or bad, to prove or disprove a piece of information. There are many types of evidence that can be collected, such as documentary, demonstrative, physical, direct, communicational and hearsay evidence. But before you start collecting any evidence, it is very important to know that there are a few categories of evidence. Without taking this into consideration, you may find that evidence that you spent maybe a few weeks and ...
