What is Computer Forensics?

A computer or digital investigation is a process to answer questions about digital states and events. For example, a computer or digital investigation would be used to retrace steps taken when an important file has been inadvertently deleted or altered. A computer forensic examination, on the other hand, is a special case of a digital investigation where the procedures and techniques that are used will allow the results to be entered into a court of law.

Computer forensics (also known as digital forensics or cyber forensics) is a technological, systematic discovery, analysis and reconstruction of potential legal evidence or supportive evidence extracted from any element of computer systems, computer networks, computer media and computer peripherals. This evidence is then used in criminal and civil law cases, as well as internal corporate and human resources/employment proceedings.

There are two distinct components in computer forensics:

• Computer forensics, which deals with gathering evidence from computer media seized at the crime scene. This involves imaging storage media, recovering deleted files, searching slack and free space and preserving the collected information for litigation purposes.
• Network forensics (also called security forensics), which is the capture, recording and analysis of network events in order to discover the source of security attacks or other problem incidents.

Certified computer forensics specialists are used for a variety of purposes including but not limited to medical malpractice, family law, contract disputes, intellectual property disputes (including theft of or destruction of intellectual property and theft of or misappropriation of trade secrets and/or other confidential information), embezzlement, fraud (including accident, insurance, arson and workers' compensation fraud), as well as human resources/employment disputes (including allegations of wrongful termination, sexual harassment or discrimination). They also address the legal issues associated with electronic evidence, such as relevant case law, navigation of the discovery process, protection of privilege, and in general, working with federal and local law enforcement agencies, attorneys and other legal professionals.

The computer forensic examination involves the use of specialized techniques for recovery, authentication, preservation and analysis of electronic data - evidence or information which is magnetically stored or encoded - so that it can be presented in a manner that can withstand close scrutiny or a legal challenge. There are three types of data: active, archival and latent.

• Active data is what the operating system lists in its directory tree structure, such as data files, program applications and files used by the operating system. These files are visible to anyone who uses the computer and are the easiest data to obtain.
• Archival data is data that has been backed up and stored typically on storage mediums like backup tapes, CDs, floppies, removable hard drives and various other data devices.
• Latent (ambient) data is the hardest data to obtain. This is the data that requires the specialized assistance of certified computer forensics specialists. An example of latent data is a file that has been deleted or partially overwritten.

Computer forensics specialists investigate such data storage devices as hard drives and portable data devices (including USB drives, external drives, micro drives and other data devices) to identify sources of documentary or other digital evidence, preserve the evidence, analyze the evidence and present the findings.

A forensic examination of digital media goes far beyond normal data recovery techniques through tight controls and thorough documentation. But, it is very easy to lose important electronic evidence because the operating system will save new data on a hard drive by overwriting data that exists on the drive but is no longer needed by the operating system. This is why it's important for you to call us immediately at 619.291.SDCF (7323) if you suspect a security breach or other inappropriate use of your computers. We'll be right there to help in the recovery and litigation processes.