The essentials of computer forensics
Computer forensics, a rapidly growing field, is the use of hardware and software tools to recover the contents of a digital device for use as evidence in court.
The discipline essentially is the same from agency to agency. The basic functions include:
- Secure the digital evidence. Seize the personal computers, cell phones, printers, personal digital assistants or other devices, and keep them in secure locations, such as evidence rooms.
- Create an identical replica of the digital information on the original hardware. Once this replica is created, the original evidence is not used again, to guard against claims of tampering.
- Using the replica copy, find and catalog all the files relevant to the investigation under way, including locating all visible files, deleted files and encrypted files.
- Recover the data contained in all files, which includes undeleting files, decrypting encrypted files and cracking passwords on protected files.
- Analyze all the data, looking for information that has bearing on the investigation at hand.
- Create reports and analyses that summarize findings and can be used in court.
- Maintain secure copies of the replica evidence, reports and analyses for a specified period of time, perhaps permanently.
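The replica step above rests on one check: the image is hashed as it is made, then re-read and hashed again, so any later claim that the copy differs from the original can be tested against the recorded digest. The following Python is an added illustration, not code from the article or any forensic tool; it images a constructed in-memory "device" rather than real hardware, does not model a hardware write blocker, and the custody-record field names and the `CONSTRUCTED-001` evidence id are invented for the example.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 4096  # read size; real imaging tools use the device's sector size or larger

def image_source(source, dest, algorithm="sha256"):
    """Copy every byte of `source` to `dest`, hashing as it goes; returns (bytes_copied, hexdigest)."""
    digest = hashlib.new(algorithm)
    copied = 0
    for block in iter(lambda: source.read(CHUNK_SIZE), b""):
        digest.update(block)
        dest.write(block)
        copied += len(block)
    dest.flush()
    return copied, digest.hexdigest()

def verify_image(image, expected_hex, algorithm="sha256"):
    """Re-read the replica from the start and compare its hash to the original's."""
    digest = hashlib.new(algorithm)
    image.seek(0)
    for block in iter(lambda: image.read(CHUNK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest() == expected_hex

def custody_entry(evidence_id, examiner, size, hex_digest, verified, algorithm="sha256"):
    """Chain-of-custody record for the imaging step (field names are illustrative)."""
    return {
        "evidence_id": evidence_id,
        "action": "image_acquired",
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "hash_algorithm": algorithm,
        "hash": hex_digest,
        "verified": verified,
    }

def acquire(source_bytes, evidence_id="CONSTRUCTED-001", examiner="examiner"):
    """Image an in-memory stand-in for a seized device, verify the replica, and log it."""
    source = io.BytesIO(source_bytes)   # stands in for the read-only device handle
    image = io.BytesIO()                # stands in for the image file on examiner storage
    size, digest = image_source(source, image)
    verified = verify_image(image, digest)
    return image, custody_entry(evidence_id, examiner, size, digest, verified)

if __name__ == "__main__":
    # Constructed sample "device": 10,000 bytes, so the final read is a partial block.
    sample = bytes(range(256)) * 39 + b"\x00" * 16
    print(acquire(sample)[1])
```

Once the replica verifies, the original goes back to the evidence room and every later step in the list runs against the image; a single changed byte in the image makes `verify_image` return False.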