DATA FIRST COMPUTER FORENSICS
Computer forensics (IT & Digital Forensics) is the practice in which a certified forensic examiner collects, analyses and reports on digital information found on any device capable of storing data digitally, where such data is required as admissible evidence. Through expert skill and in-depth analysis of the information found, Digital Forensics can determine who did what and when they did it.
Uses for Forensics
Computers and other digital storage devices can hold key evidence that can implicate or exonerate parties involved in legal or criminal cases. Not only do they hold evidence in the form of documents, media, browsing history, emails and images pertaining to crimes committed, but they also hold a multitude of 'metadata' that can reveal when a user carried out certain actions, like creating, modifying, deleting or printing documents, as well as actions performed on all other types of information of interest to investigators.
Commercially or personally, you can use computer forensics for a variety of cases:
- Employment disputes
- Intellectual property cases
- Bankruptcy inquiries
- Inappropriate internet, email or computer usage
- Matrimonial/Divorce investigations
Types of Data
Digital Forensics is a multifaceted discipline that is usually used to obtain proof of criminal activity, breach of contract and illegal activities. This process requires acquiring, and recovering files from, three main categories of data:
- Active: The files and programs you and I can see during general usage. Because this is the most blatant information, it's also the easiest to collect.
- Archival: All stored or backed-up data. These take many forms and can comprise CDs/DVDs, floppies (they're still out there), backup tapes, servers and a multitude of hard drives.
- Latent: Generally, when people think that something is deleted... it really isn't. Through specialized data recovery software and years of experience, a technician has to decipher information that has been partially overwritten or recover deleted files. The acquisition of this data is time-consuming but not impossible, and that's why you need nerds like us to go through the information for you.
Process of Acquiring Data
- Digital Forensic investigations have to be conducted by certified computer forensic examiners who have access to secure labs and licensed equipment, so that the findings are not ruled inadmissible in court and the evidence is not tampered with or destroyed.
- The data and the item itself are kept physically safe, locked in a secure location.
- Examiners don't tamper with the original information or media. A bit-for-bit copy is made that mirrors the original exactly. The original source is never altered.
- All the information is catalogued. This includes all varieties of information (Active, Archival and Latent) as well as recovered and encrypted information and any information that someone attempted to conceal or destroy.
- Encrypted and password-protected files are hacked and cracked to reveal the information within.
- Most data logs are also recoverable and are always included during collection.
- All collected information is evaluated for relevance and interpreted to discover whether the data can be used as possible evidence.
- Although the majority of Digital Forensics work seeks out signs of guilt to prove someone did something (inculpatory evidence), we do get cases where we are asked to find proof of innocence (exculpatory evidence).
- A written report is submitted to the client (or legal counsel) with the unbiased findings and additional comments.
- Testimony can be provided during depositions, trials or any other legal proceeding if a personal account is needed.
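The bit-for-bit copy step above is normally backed by a hash comparison, shown here as an added example that is not Data First's own tooling. The page does not say how a copy is verified, so the use of SHA-256, the function names acquire and sha256_of, and the constructed evidence.bin sample file are all assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file opened read-only, so large media never sits in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image, chunk=1 << 20):
    """Copy source to image block by block; return size and both digests."""
    src_digest = hashlib.sha256()
    copied = 0
    # "rb" never writes to the source; "xb" refuses to overwrite an existing image.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_digest.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    # Hash the image by re-reading it from disk rather than trusting the write path.
    return {"bytes": copied, "source_sha256": src_digest.hexdigest(),
            "image_sha256": sha256_of(image, chunk)}


def demo():
    """Image a constructed sample file, then show that a one-byte change is caught."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.bin")  # constructed sample, not real evidence
    image = os.path.join(workdir, "evidence.img")
    with open(source, "wb") as fh:
        fh.write(b"constructed sample sector " * 4096)
    record = acquire(source, image, chunk=4096)
    copy_matches = record["source_sha256"] == record["image_sha256"]
    with open(image, "r+b") as fh:  # simulate later tampering with the copy
        fh.seek(100)
        fh.write(b"\x00")
    still_matches = sha256_of(image) == record["source_sha256"]
    return record["bytes"], copy_matches, still_matches


if __name__ == "__main__":
    print(demo())
```

On real media a hardware write blocker normally sits between the device and the workstation; opening the source read-only in software is a second safeguard, not a substitute.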