What Is Digital Forensics?

In the not too distant past, computers were monolithic devices that required a separate, climate-controlled environment and technicians with a specialized skill set to maintain and use them. Only governments and large corporations could own them and pay the professionals who could communicate with them.

Now, computers are a ubiquitous part of life, and calculators and gaming systems have more computing power and data storage capacity than the early, giant computers.

Because computers are so prevalent, the amount of personal, corporate and government data stored on various devices increases with every passing minute. Security measures don’t always keep up with the latest technology, and digital media is often part of crime investigations. The critical nature of much of this data has created the need for a new science called digital forensics or, sometimes, computer forensics.

Digital forensics is a branch of forensic science that includes the recovery, investigation and analysis of data found on digital devices such as computers, smart phones and media storage devices in such a manner that the results will be allowed to be entered as evidence in a court of law. In the private sector, it can be used to discover the nature and extent of an unauthorized network intrusion.

One goal is to preserve evidence in its most original form while performing a structured investigation. The process often includes the seizure, forensic imaging, and analysis of digital media, and the production of a report on the findings. This structured investigation needs to maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it. There also needs to be a clear chain of custody for confidence that the data has not been tampered with or compromised. Data gathering that is done incorrectly can alter or corrupt the data being collected, rendering it useless to the investigation.

The first step is to preserve the crime scene by making a copy of all memory and hard disks. This preserves the state of the device, and allows it to be put back into use. After the data is preserved, the investigation for evidence can commence.
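The copy-then-investigate step and the chain of custody described above can be illustrated with a short added example, which is not part of the original article. It assumes cryptographic hashing (SHA-256) as the integrity check, a technique the article does not name; the file name, examiner names and timestamps are constructed sample values.

```python
import hashlib, json, os, tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a (possibly very large) image without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def _entry_hash(entry):
    # Canonical JSON of every field except the hash itself.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, actor, action, image_path, timestamp):
    """Append a custody record linked to the previous record's hash."""
    entry = {
        "prev": log[-1]["entry_hash"] if log else "0" * 64,
        "actor": actor, "action": action, "timestamp": timestamp,
        "image_sha256": sha256_file(image_path),
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def verify(log, image_path):
    """True only if every record is intact, linked, and matches the image now."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["entry_hash"] != _entry_hash(entry):
            return False
        prev = entry["entry_hash"]
    current = sha256_file(image_path)
    return bool(log) and all(e["image_sha256"] == current for e in log)

def demo():
    """Constructed sample: a small temp file stands in for a disk image."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.img")
        with open(image, "wb") as f:
            f.write(b"constructed sample image data" * 1000)
        log = []
        add_entry(log, "Examiner A", "acquired", image, "2024-01-01T10:00:00Z")
        add_entry(log, "Examiner B", "received for analysis", image, "2024-01-01T14:30:00Z")
        before = verify(log, image)
        with open(image, "r+b") as f:   # simulate a single altered byte
            f.seek(100)
            f.write(b"X")
        return before, verify(log, image)

if __name__ == "__main__":
    print(demo())
```

Because each record carries the hash of the one before it, editing or removing an earlier custody record breaks verification just as a changed byte in the image does.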

A computer forensics expert must show skills and experience by earning at least one of the major certifications in computer forensics. A competent examiner can recover deleted files and analyze Internet data to determine which websites were visited from a certain computer, even when the browser history and cache may have been deleted.

A computer forensics expert is also able to recover communications sent via chat or instant messenger. While performing the analysis, the expert can also recover deleted images and email messages. In the modern world of mobile Internet devices, a competent computer forensics expert will also be able to recover deleted data from mobile phones, including deleted text messages, call logs, emails, and the like.

During digital forensic investigations, specific steps and procedures requiring an added level of technical expertise must be followed to access, preserve, and analyze the data and to eliminate any risk of spoliation. Only trained professionals who also possess IT knowledge should be trusted to handle this process. This ensures that the data can be admitted by a legal team as evidence in a court of law.