What is computer forensics? - Part I
Different aspects of computer forensics

At a basic level, computer forensics is the analysis of information contained within and created with computer systems and computing devices, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved. This can be for the purpose of performing a root cause analysis of a computer system that had failed or is not operating properly, or to find out who is responsible for misuse of computer systems, or perhaps who committed a crime using a computer system or against a computer system. This being said, computer forensic techniques and methodologies are commonly used for conducting computing investigations - again, in the interest of figuring out what happened, when it happened, how it happened, and who was involved.
Think about a murder case or a case of financial fraud. What do the investigators involved in these cases need to ascertain? What happened, when it happened, how it happened, and who was involved. In many cases, information is gathered during a computer forensics investigation that is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the space allocated for existing files - known by computer forensic practitioners as slack space. Special skills and tools are needed to obtain this type of information or evidence. Think of a case where the specific firearm that fired a bullet needs to be identified. This information could not be readily ascertained by just any member of law enforcement, so a ballistics professional with special skills and tools is needed.

The more technical definition we use at CyberSecurity Institute to describe computer forensics or forensic computing in the vein of computer crime or computer misuse is as follows: The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found. Let's break this definition down.

Preservation

When performing a computer forensics analysis, we must do everything possible to preserve the original media and data. Typically this involves making a forensic image or forensic copy of the original media, and conducting our analysis on the copy rather than the original.

Identification

In the initial phase, this has to do with identifying the possible containers of computer-related evidence, such as hard drives, floppy disks, and log files, to name a few. Understand that a computer or hard drive itself is not evidence - it is a possible container of evidence. In the analysis phase, this has to do with identifying the information and data that is actually pertinent to the situation at hand: sifting through gigabytes of information, conducting keyword searches, looking through log files, etc.
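The slack space, working-copy and keyword-search ideas above, as an added example that is not part of the original article. The 512-byte cluster size, the tiny constructed image, the file contents and the use of SHA-256 to check that the original is untouched are all assumptions made for illustration.

```python
import hashlib

CLUSTER = 512  # assumed cluster size of the constructed image
OLD = b"payroll record: employee=jdoe salary=90000"  # constructed earlier file
NEW = b"meeting notes: nothing unusual"               # constructed current file

def build_image():
    """Constructed 4-cluster 'disk': NEW reuses the cluster OLD once occupied."""
    img = bytearray(CLUSTER * 4)
    img[CLUSTER:CLUSTER + len(OLD)] = OLD  # old file written to cluster 1
    img[CLUSTER:CLUSTER + len(NEW)] = NEW  # shorter file overwrites only its start
    return bytes(img)

def slack_region(image, start_cluster, n_clusters, logical_size):
    """Return (absolute offset, bytes) between a file's logical and allocated end."""
    allocated = n_clusters * CLUSTER
    if logical_size > allocated:
        raise ValueError("logical size exceeds allocated space")
    start = start_cluster * CLUSTER + logical_size
    return start, image[start:start_cluster * CLUSTER + allocated]

def find_keyword(data, keyword, base=0):
    """Return the absolute offset of every occurrence of keyword in data."""
    hits, i = [], data.find(keyword)
    while i != -1:
        hits.append(base + i)
        i = data.find(keyword, i + 1)
    return hits

def examine(original, keyword):
    """Search a file's slack on a working copy; confirm the original is unchanged."""
    digest_before = hashlib.sha256(original).hexdigest()
    work = bytearray(original)  # analysis happens on the copy only
    offset, slack = slack_region(bytes(work), 1, 1, len(NEW))
    return {
        "slack_offset": offset,
        "slack_len": len(slack),
        "hits": find_keyword(slack, keyword, base=offset),
        "copy_matches": hashlib.sha256(work).hexdigest() == digest_before,
        "original_intact": hashlib.sha256(original).hexdigest() == digest_before,
    }

if __name__ == "__main__":
    image = build_image()
    print(examine(image, b"salary="))
```

The keyword never appears in the file an ordinary user would open; it is found only in the bytes left over between the end of the new file and the end of its cluster.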
Date Added: August 27, 2011 08:33:56 PM
Author: Yousef Naghdi