What is computer forensics?

Computer forensics is the collection, preservation, analysis, and court presentation of computer-related evidence. Just as individuals leave DNA evidence, fingerprints and other trace evidence, so modern computer programs leave temporary files, cookies, records of sites visited, email received and sent, files downloaded, images processed and user actions. With the majority of documents today being created in electronic form, a complete and thorough investigation must also involve the collection and correct handling of digital evidence.

A forensic investigation might concern improper use of company computers, recovery of lost or deleted data, criminal investigation, computer tampering, or espionage. Tools exist for the collection, preservation, examination and presentation of the activities and file records of personal computers. Properly performed, a forensic analysis of computer data can be worth many times the cost of the investigation.

In a criminal investigation, the evidence collected could be the difference between conviction and acquittal. In the case of intrusion detection in the Windows environment, the ability to discover the trace history of the intruder can be crucial to identifying, locating and apprehending the perpetrator. In espionage cases, analysis can determine the extent to which proprietary or confidential information has been compromised. Many times, the trace data can be recovered and preserved even though it was "deleted" in an attempt to avert detection.

Forensics can be applied to "post-mortem" analysis as well. In the case of a computer "crash", analysis can determine whether the event was the result of innocent user error, a computer virus, hardware failure, or a malicious attack. Recovery of important files can be a big part of the preservation aspect of the investigation.

Analysis tools in the hands of trained and experienced experts can be important in civil litigation or criminal prosecutions. A competent expert who testifies to the methods used and to the documentation of the forensic investigation validates the inclusion of the information at trial.
Copyright © 2001 by WindowMeister.com, All rights reserved.