Computer forensics is simply the application of disciplined investigative techniques in the automated environment and the search, discovery, and analysis of potential evidence. It is the method used to investigate and analyze data maintained on or retrieved from electronic data storage media for the purposes of presentation in a court of law or in a civil or administrative proceeding. Evidence may be sought in a wide range of computer crime or misuse cases. Computer forensics is rapidly becoming a science recognized on a par with other forensic sciences by the legal and law enforcement communities. As this trend continues, it will become even more important to handle and examine computer evidence properly. Not every department or organization has the resources to keep trained computer forensic specialists on staff.
Computer evidence has become a fact of life for essentially all law enforcement agencies and many are just beginning to explore their options in dealing with this new venue. Almost overnight, personal computers have changed the way the world does business. They have also changed the world’s view of evidence because computers are used more and more as tools in the commission of traditional crimes. Evidence relative to embezzlement, theft, extortion and even murder has been discovered on personal computers. This new technology twist in crime patterns has brought computer evidence to the forefront in law enforcement circles.
Forensic science has been defined as “any science used for the purposes of the law… [providing] impartial scientific evidence for use in the courts of law, and in a criminal investigation and trial.”
According to Marcus Ranum, “Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.”
We expand on these definitions to define computer forensics as:
“Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.”
These activities are undertaken in the course of a computer forensic investigation of a perceived or actual attack on computer resources. Evidence might be required for a wide range of computer crimes and misuses.
Multiple methods are used for:
- Discovering data on a computer system.
- Recovering deleted, encrypted, or damaged file information.
- Monitoring live activity.
- Detecting violations of corporate policy.
Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity.