Computer forensics (commonly known as as computer forensic science) is really a branch of digital forensic science, relating to legal evidence present in computer systems and digital storage media. The aim of computer forensics would be to examine digital media forensically in a computer following normal disciplines with the objective of determining, protecting, recuperating, examining and evidencing details and opinions concerning the information.
Even though it is most frequently connected to the analysis of a multitude of computer crime, computer forensics could also be used in civil proceedings. The discipline involves similar techniques and concepts to file recovery, however with additional recommendations and practices designed to produce a legal audit trail.
Evidence from computer forensics research is generally exposed to the same constraints and practices of other digital evidence. It’s been used in many famous cases and it is becoming broadly recognized as reliable discipline within US and European court systems.
In brief it is the analysis of data contained within and produced with personal computers and computing products, typically within the interest of determining what went down, if a particular event happened, the way it happened, and who had been involved.
It is often carried out to follow a causation analysis of a computer which failed, was unsuccessfully used or perhaps is not operating correctly, in order to discover who accounted for the misuse of the laptop or computer systems, or possibly who committed a criminal offense utilizing a computer or against some type of computer system. This being stated, computer forensic techniques and methods are generally employed for performing computing research – again, within the interest of determining what went down, if this “thing” happened, the way it happened, and who had been involved.
Consider a murder situation or perhaps a situation of monetary fraud. Exactly what do the researchers involved in these instances have to determine? What went down, when it had happened, what trigger made it happen, and who had been involved.
Oftentimes, details are collected throughout some type of computer forensics analysis that’s not typically available or viewable to the average computer user, for example erased files and fragments of information that are available in the area allotted for existing files – known by computer forensic professionals as slack space. Special training in particular skills and sophisticated tools are essential to acquire this kind of information or evidence. Think about a situation in which the specific gun that fired a bullet must be recognized. These details couldn’t be readily determined just by any officer in a typical police force, so ballistics professionals with special abilities and tools are called for.
The greater technical definition to explain computer forensics or forensic computing within the vein laptop or computer crime or computer misuse is the following:
The upkeep, identification, extraction, interpretation, and documentation laptop or computer evidence, to incorporate the guidelines of evidence, legal processes, integrity of evidence, factual confirming from the information found, and supplying expert opinion inside a court or any other legal and/or administrative proceeding in regards to what was discovered.
Upkeep
When carrying out some type of computer forensics analysis, we should fit everything in easy to preserve the initial media and data. This typically involves creating a forensic image or forensic copy from the original media, and performing our analysis around the copy versus the initial.
Identification
The most common source of evidence can be found by examining the various data containers found in laptops or computers, for example hard disk drives, floppy disks, and log files. It is clear that some types of computer or hard disk are not possible to produce as evidence, but it is usually possible to produce a container of evidence.
Within the analysis phase, it concentrates on determining the available data that is really relevant to the investigation at hand, typically browsing through GBs of data, performing keyword searches, searching through log files, etc.
Extraction
Any evidence found highly relevant to the problem at hands will have to be copied from original source to a working copy media after which it can typically be saved to a different type of media in addition to being printed out.
Interpretation
This can be a major source of contentious argument. Almost anybody is capable of doing some type of computer forensics “analysis.” A few of the GUI tools available allow it to be very easy. Having the ability to find evidence is a factor, a chance to correctly interpret it’s another issue entirely. Entire libraries of documents could be produced giving examples of when computer forensics experts erred in the interpretation of a forensic analysis . We’ll cite an example.
Professionals for the prosecution in a recent case used a well known GUI tool that included a script for locating Internet internet search engine activity. Once they started the script, they found literally 100s and 100s of “searches” that allegedly had been carried out through the defendant. Therefore, they concluded that as the defendant had deliberately used certain kinds of information associated with these searches – the searches demonstrated intent.
Once the experts for that defense examined exactly the same evidence, they recognized that every single one of these simple “searches” was really a web link and never involved any searching whatsoever. Backlinks were created in the same way that would occur if a hyperlink had been clicked on. The way in which the hyperlinks on the webpage reacted was exactly where the GUI tool honed in on, because they were created much like fragments and Webpages that may be found to point internet search engine activity.
Professionals for that prosecution asserted their automated tool was would only record searches which had really been carried out. A large mistake. Theses experts didn’t have the technical abilities to authenticate their results, so that they relied entirely on the one automated tool.
This can lead to an essential lesson. A result from any tool ought to always be completely checked by someone experienced with the underlying technology to ascertain if what seems to be an offense really is.