What Is Computer Forensics and How Does It Work?
Finding and analyzing evidence helps to answer questions about a crime and build a case that leads to a conviction. Computer forensics is the process of retrieving data from digital devices, such as smartphones, tablets and other computer systems, to use as evidence of illegal activity.
“The dramatic increase in computer-related crime requires prosecutors and law enforcement agents to understand how to obtain electronic evidence stored in computers,” according to the U.S. Department of Justice.
Computer forensics can be incorporated in a variety of investigations, from white-collar crime to murder cases. Digital data can be manipulated in many ways, which is why computer forensics must continually evolve to meet the needs of investigators. As criminals figure out new ways to hide or destroy information, computer forensics investigators work to create innovative ways to recover data. As a result, learning new techniques is an ongoing part of working in computer forensics.
How Does Computer Forensics Work?
Investigative practices used in computer forensics vary based on the specific case. However, the process often begins with a search warrant being issued for a particular computer or digital device. The warrant outlines the parameters of a search, restricting investigators to particular categories of information and data.
The Department of Justice has outlined specific guidelines regarding the seizing and searching of information from computers and other electronic devices for use in criminal probes.
Once a warrant has been issued, securing the evidence and ensuring a clear chain of command are among the first priorities for a computer forensics team. Failure to take these precautions can result in a judge ruling that evidence obtained during the search is inadmissible in a court case.
The length and complexity of an investigation is dictated by the volume of evidence, among other factors. Additionally, if a computer system has been tampered with before being seized an investigator’s work can become more complicated. Similarly, an investigation may take more time if it involves the retrieval of encrypted or password-protected information.
Computer Forensics Investigation Terminology
Like any other profession, computer forensics has its own terminology. Here are some of the terms and phrases commonly used in this field:
- Random-access memory (RAM) – A type of computer storage that allows memory to be accessed at random instead of sequentially
- Encryption – Converting data into an encoded format that prevents it from being read by unauthorized personnel
- Preservation – Copying files and information on a computer system in order to preserve the original data
- Persistent data – Information stored on a computer’s hard drive or other removable storage device; this data should remain after a system has been shut down
- Volatile data – Information stored in memory-based locations such as RAM or a computer’s cache; this data does not remain when a system has been shut down
- Hash numbers – Hash numbers or values are used to verify that original computer data has not been changed and can be authenticated
Anti-forensics pertains to methods and tools that can hamper computer forensics investigations. Hiding, changing or deleting information are common tactics in anti-forensics efforts.
Cyber criminals aren’t the only participants in anti-forensics. Programmers may create these tools so that consumers can maintain the privacy of their data. Regardless of the underlying purpose of anti-forensics, it can lengthen and complicate a computer forensics investigation.