In recent years, shows like CSI and others have made the general public aware of the concept of forensics – the use of science and technology to investigate and establish facts in criminal or civil courts of law (Source: www.dictionary.com). However, based on storytelling time constraints imposed on television shows and movies, certain processes and procedures are often oversimplified, enhanced, and expedited. As licensed private investigators, it is sometimes necessary to explain to clients or potential clients exactly what information can be obtained and how long the process will actually take. This is especially true in computer forensics, the acquisition, preservation, and analysis of information on computers and similar technologies.
Examining the contents of a hard drive or similar device first involves acquiring an image of the device in order to preserve the original data. In layman’s terms, this is essentially a copy of the hard drive that will be used during the analysis by the computer forensics examiner. The analysis is always conducted on the copy, never on the original device. The data is then processed by computer forensics software. Generally, the software first identifies intact files (such as operating system files, documents, pictures, etc.) and then evaluates the remaining file fragments. In some instances, these fragments can be assembled into recovered files, but in some instances, there is not enough information available to create a recovered file. This process often takes several hours depending on the amount of data involved.
After this process is complete, the data can be searched for information relevant to the case. This may include Internet history, email history (both Outlook and web-based), keyword searches, encrypted files, user passwords, and information about when files were created, modified, accessed, or deleted, along with many other kinds of information. As with the previous process, the time required to complete this step depends both on the amount of data being searched and the searches being conducted.
Although the type of information analyzed and produced in each case differs, the basic goal of computer forensics is to use proven software and procedures to gather and analyze data to create reproducible results. As with other scientific examinations, computer forensics requires the use of specialized tools and procedures that are standardized and consistent. Starting with original data, one computer forensics examiner should be able to follow a logical procedure and reproduce the results of another computer forensics examiner.
When selecting a computer forensics examiner, certifications, experience, and references are crucial. A competent computer forensics examiner should have a current certification, license, or degree in computer forensics. In some states, the computer forensics examiner must also be a licensed private investigator. This examiner should have experience with computer forensics or similar work, and if testimony in depositions or court may be required, the examiner should also have experience with the legal process. As with any service provider, references will show the successful completion of similar projects and may also provide information about what to expect from the examination process in general. For this type of work, it is important to select an expert.
Plan. Protect. Prosper.
Protus3 specializes in security system design, security consulting, corporate investigations and other investigative services. Partner with Protus3 and we will examine each situation to identify threats and develop solutions for your best outcome.