The field of computer forensics has various aspects, and it is not characterized by one particular procedure. In layman's terms, computer forensics is the examination aimed at finding out what happened, how it happened, when it happened, and who was involved.
The investigators responsible for a forensic investigation follow a basic set of procedures: after physically isolating the device to ensure that it cannot be accidentally altered, the investigating team makes a digital copy of the device's storage media. Once the original media has been copied, it is sealed in a safe or other secure facility to preserve its original condition. All investigation is carried out on the digital copy.
What are the common scenarios for this?
There are many scenarios in which computer forensics comes into play. Some of them are:
- Damage Assessment
- Unauthorized disclosure of corporate data and information
- Employee Internet Abuse
- Industrial Espionage
- Criminal fraud and deception cases
- More general criminal cases.
In computer forensics, three types of data are important: latent, archival, and active.
- Active Data is data that we can currently see. This can include files used by operating systems, programs and data files. This type of data is easy to obtain.
- Archival Data is data for which you have already taken a backup and have restored it. Typical examples are CDs, tapes, floppies, or complete drives.
- Latent Data is data that requires specialized tools to access. A basic example is information that has been partially overwritten or completely deleted.
What are the different types of data for which you may require a forensic expert?
- Saved Files – These files are viewable on the computer. Retrieving them is usually a non-intrusive task.
- Deleted Files – As the name suggests, these are the ‘Deleted’ files. They are either located in the ‘Trash’ or require special software or an application to ‘find and restore’ them.
- Temporary Files – These files are created by browsing the internet, by some kinds of backup software, while working on a document, or during the installation of software.
- Meta Data – This data is embedded with the details of the document or file, such as the modification date, the date of creation and the date last accessed. You may also be able to gather some older information, such as the creator of the file and information about those who have accessed the file even once. Recovery is generally a mixed process: it can be an intrusive or a non-intrusive task.
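As an added illustration of the Meta Data item above (example code written for this page, not taken from any forensic tool), the sketch below collects the modified, accessed and created timestamps of files on a working copy without opening them. The function names, record fields and sample file names are assumptions made for the example.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone


def _iso(ts):
    """Epoch seconds -> UTC ISO-8601, so records compare across hosts."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def collect_metadata(root):
    """Return one record per regular file under root, oldest modification first."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Only lstat() is called: contents are never opened and symlinks are not followed.
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            # Creation time exists only on some platforms; Linux st_ctime is inode-change time.
            birth = getattr(st, "st_birthtime", None)
            rows.append((st.st_mtime, {
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "modified": _iso(st.st_mtime),
                "accessed": _iso(st.st_atime),
                "created": _iso(birth) if birth is not None else None,
                "owner_uid": st.st_uid,
            }))
    rows.sort(key=lambda row: (row[0], row[1]["path"]))
    return [record for _mtime, record in rows]


def run_sample():
    """Constructed sample: two files given fixed, known timestamps."""
    with tempfile.TemporaryDirectory() as root:
        for name, mtime in (("report.doc", 1_600_000_000), ("notes.txt", 1_500_000_000)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("sample")
            os.utime(path, (mtime + 60, mtime))  # (accessed, modified)
        return collect_metadata(root)


if __name__ == "__main__":
    for record in run_sample():
        print(record)
```

The "created" field is None on platforms that do not expose a file birth time, which is preferable to reporting the inode-change time as a creation date.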
If you feel that there is a problem, the best thing to do is to act immediately, because computer evidence is elusive and can be easily destroyed. It is better to get some information than to risk the probable consequences. It is wise to seek confidential advice from a Certified Forensic Examiner before settling on a solution. Handling this situation on your own can be very risky and can have many unethical after-effects.