Computer Forensics Basics
February 11, 2011 at 11:59 pm | Posted in Article, computer and high technology
Computer Forensics in a Nutshell
Computer forensics is the examination of computers during a criminal investigation. When police look into the files and data on a computer during an investigation, they are using computer forensics. It is obvious that you would want to look at a suspect’s computer if they are involved in a hacking or industrial espionage case where the computer is being actively used to commit the crime, but these are not the only sorts of cases where computer forensics is used. Even in a murder case or a theft, a computer that a suspect used could have information on it that is important to the case. You never know where you might find the information that you need for a case, and so investigators look at everything they can find.
– What Computer Forensics Investigators Look At
There are three basic kinds of data that a computer forensics investigator will look at when examining a computer: saved data, meta data and deleted data.
The first thing that a computer forensics investigator will do before examining this data is to make a copy of the hard drive. Even just looking at a file can sometimes change the data or meta data, and it is important that none of the original information is tampered with when using it in a criminal investigation. Making a copy of the computer’s hard drive allows the investigator to go through all of the data without having to worry that he is tampering with potential evidence.
Saved data is any data that is normally accessible on a hard drive. This includes things like documents, images, internet logs, program files, etc. This is the easiest data to look at, because it takes no special work to access these files. Sometimes files might be hidden within multiple folders or given confusing file names, so the examination will need to be thorough to make sure anything important to the case is found. Files can also sometimes be password protected, which makes it more difficult for an investigator to open and read them. Computer forensics investigators are trained to get around these kinds of blocks.
Meta data is information that accompanies saved data. It is the information that tells you about the saved data, like when a file was created, when it was last modified and when it was last accessed. This tells us when something was made, when the person who created the file was using it and whether he had made any changes to it. This can be useful as it can help put a timeline to the data the investigator is looking at, and match up information for use with the case.
Deleted data is data that has not been saved on the computer or has been deleted from the computer. You can’t access this information just through normal use of the computer. It requires special software or special methods to go into the hard drive and look at it.
When a file is deleted from a computer, it isn’t actually removed from the hard drive. The file is kept in the same place as it always was. What is really happening is that the computer is being told that this file does not exist, and it will act as if it doesn’t. You can’t look at the file if you are just looking through the saved data, because the computer doesn’t see it as saved data. However, if you skip over what the computer thinks about the data, and only look at the raw data, you will be able to see the file still there.
There are some difficulties with this, though. Because the computer doesn’t think that the file is there any more, it has no problem putting new data where the deleted data was. If this happens then the file will be erased and you will no longer be able to look at it. Sometimes the new data doesn’t completely write over the deleted data, though, and an investigator can sometimes still see traces of the deleted data on the hard drive. It is similar to when you tape over an old VHS tape: sometimes the old show or whatever you had taped before will pop up every now and then because the new taping isn’t total. These traces can give the investigator an idea of what the computer user had deleted, and can sometimes give clues as to why it was deleted.
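The raw-data approach described above, as an added example that is not part of the original article: a short Python script that ignores the file system, scans a disk's raw bytes for JPEG signatures, and reports each hit as a complete picture or as a fragment whose end was overwritten. The disk image, the function names and the 1024-byte size limit are constructed for illustration.

```python
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(raw, max_size=1024 * 1024):
    """Find JPEG data in raw bytes without consulting any file system.

    Simplification: real JPEGs can embed thumbnails (a nested header),
    which a production carver must account for.
    """
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        # Stop at the next header or max_size, whichever comes first.
        limit = min(len(raw), start + max_size)
        nxt = raw.find(JPEG_SOI, start + len(JPEG_SOI), limit)
        if nxt != -1:
            limit = nxt
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI), limit)
        complete = end != -1  # no end marker: the tail was overwritten
        stop = end + len(JPEG_EOI) if complete else limit
        found.append({"offset": start, "complete": complete,
                      "data": raw[start:stop]})
        pos = stop
    return found

def build_sample_image():
    """Constructed 4 KiB 'disk': no file table, two deleted pictures."""
    sector = 512
    disk = bytearray(8 * sector)
    intact = JPEG_SOI + b"\xe0" + b"INTACT-PICTURE" * 10 + JPEG_EOI
    old = JPEG_SOI + b"\xe0" + b"OLD-PICTURE" * 40 + JPEG_EOI
    disk[1 * sector:1 * sector + len(intact)] = intact
    disk[4 * sector:4 * sector + len(old)] = old
    # A new file reuses the space and overwrites the tail of the old picture.
    new = b"NEW FILE CONTENT " * 30
    at = 4 * sector + 200
    disk[at:at + len(new)] = new
    return bytes(disk), intact

if __name__ == "__main__":
    image, _ = build_sample_image()
    for hit in carve_jpegs(image, max_size=1024):
        state = "complete" if hit["complete"] else "fragment"
        print(f"offset {hit['offset']:>5}  {len(hit['data']):>5} bytes  {state}")
```

The fragment still holds the start of the old picture followed by the data that replaced its tail, which is the kind of trace the paragraph above describes.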
– Computer Forensics Growing
As computers continue to become more important in America, computer forensics will continue to grow as well. Looking at data can lead to information that would never be found through other methods of investigation, and it proves very useful in a number of different criminal cases.