Forensic computing refers to the use of technology as an investigative method with which to retrieve and substantiate digital data and media. Just as a medical examiner might determine time of death or how the deceased came in contact with poison, computer forensics relates to an examination of stored electronic data and how and when it got there. In fact, the only difference is that the forensic computing investigator is more likely to draw conclusions from dissecting a hard drive rather than a cadaver. In addition, careful handling and preservation of a potential “crime scene,” and the evidence collected from it, is at the core of every investigation.
It might be tempting to think it’s easy to gather information from a computer’s hard drive simply by viewing its contents onscreen, but this is far from the case. It might be even more tempting to believe that deleting a file or an email erases all traces of it, yet this is another incorrect assumption. In fact, forensic computing technicians are trained to locate hidden files where “breadcrumbs” of such files remain indefinitely. For that matter, some types of computer files leave traces behind known as “ghost files” long after they’ve been deleted. Basically, any time electronic data is created, archived, or disseminated, it can usually be traced and recovered.
The obvious roadblock to a computer forensics investigator is getting around user-created passwords that protect files and related information from being accessed. This is usually only a temporary situation, however. Not only does computer forensics training provide insight into cracking usernames and passwords, but it also teaches the investigator how to get clues from encryption keys, random memory, and even from the person who created them.
There are many circumstances in which computer forensic services may be needed, with a great number being related to criminal or civil cases. For example, individuals suspected of possessing or distributing child pornography are often discovered through forensic computing techniques, many times after using online peer-to-peer networking services. In another scenario, an employer may wish to collect evidence from an employee’s computer in preparation for terminating and prosecuting the individual for embezzlement or breach of confidentiality.
Forensic computing often involves protecting digital data and preventing its corruption too. In fact, some technicians train to work in a specialized field of computer forensics, such as database forensics or firewall forensics, to debug applications or detect unauthorized intrusions. In recent years, forensic computing has become particularly important in matters of international security. In fact, highly trained agents routinely observe and track Internet usage and communications that may be related to terrorist traffic.