Aviva Directory » Computers & Internet » Systems & Hardware » Data Storage Devices » Computer Forensics

Also known as computer forensic science, computer forensics is a branch of digital forensic science relating to the identification, preservation, recovery, analysis, and presentation of facts about evidence found in computers and digital storage devices.

Forensic science includes techniques to capture data that may be useful in reports that are admissible as evidence in court for several crimes, such as child pornography, copyright violations, espionage, extortion, keylogging, malware attacks, money laundering, piracy theft, spoofing, virus attacks, and many others.

The infamous BTK serial killer killed ten people over a period of about twenty years, beginning with a family of four in 1974. By 2004, the murders were considered a cold case. Then, the killer began a series of communications with the media and police that eventually led to his arrest in 2005. Among the evidence that led to his arrest was a floppy disk that contained a letter from the killer, who did not identify himself. Computer forensic investigators found a deleted Microsoft Word file on the disk that contained metadata indicating that the last person to have edited the file was "Dennis" along with a link to Christ Lutheran Church, where Dennis Rader served as president of the church council.

The scope of forensic analysis might vary from information retrieval to a reconstruction of events, a common technique being the recovery of deleted files. As most operating systems don't fully erase deleted data, investigators are often able to retrieve this data and reconstruct it. More complex techniques might involve the detection of steganography, which is a method of hiding data within a digital image, and cross-drive analysis, which is used to correlate data found on multiple hard drives.

When a computer is still powered up, information stored solely in RAM may be recovered. Once a machine is powered down, RAM data may be lost. However, RAM can be analyzed for prior content after a loss of power because the electrical charge stored in the memory takes time to dissipate, and holding unpowered RAM at low temperatures can help to preserve residual data, improving the chances for recovery. Other techniques can be used to move a live, running computer without powering it down or allowing it to go to sleep accidentally. RAM data may also be saved to disk.

Forensic computer scientists use a variety of open-source and commercial software tools for computer forensics investigation.

Computer forensics certifications include the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional, IACRB Certified Computer Forensics Examiner, Certified Cyber Forensics Professional, and Certified Computer Forensic Examiner, as well as proprietary certifications issued by commercial-based forensic software companies, indicating proficiency with specific software tools.

Topics related to computer forensics are the focus of resources listed in this category.



Recommended Resources

Search for Computer Forensics on Google or Bing