Some Computer Forensics Basics
by Allen Butler
- Computer Forensics in a Nutshell
Computer forensics is the examination of computers during a criminal
investigation. When police look into the files and data on a computer during an
investigation, they are using computer forensics. It is obvious that you would
want to look at a suspect's computer if they are involved in a hacking or
industrial espionage case where the computer is being actively used to commit
the crime, but these are not the only sorts of cases where computer forensics is
used. Even in a murder case or a theft, a computer that the suspect used could
have information on it that is important to the case. You never know where you
might find the information that you need for a case, and so investigators look
at everything they can find.
- What Computer Forensics Investigators Look At
There are three basic kinds of data that a computer forensics investigator will
look at when examining a computer: saved data, meta data and deleted data.
The first thing that a computer forensics investigator will do before examining
this data is to make a copy of the hard drive. Even just looking at a file can
sometimes change the data or meta data, and it is important that none of the
original information is tampered with when using it in a criminal investigation.
Making a copy of the computer's hard drive allows the investigator to go through
all of the data without having to worry that he is tampering with potential
Saved data is any data that is normally accessible on a hard drive. It is all
the data that is saved onto the hard drive. This includes things like documents,
images, internet logs, program files, etc. This is the easiest data to look
at, because no special work is needed to access these files. Sometimes
files might be hidden within multiple folders or given confusing file names, so
the examination will need to be thorough to make sure anything important to the
case is found. Files can also sometimes be password protected, which makes it
more difficult for an investigator to open them to read them. Computer forensics
investigators are trained to get around these kinds of blocks.
Meta data is information that accompanies saved data. It is the information that
tells you about the saved data, like when a file was created, when it was last
modified and when it was last accessed. This tells us when something was made,
when the person who created the file was using it and if he had made any changes
to it. This can be useful as it can help put a timeline to the data the
investigator is looking at, and match up information for use with the case.
Deleted data is data that has not been saved on the computer or has been deleted
from the computer. You can't access this information just through normal use of
the computer. It requires special software or special methods to go into the
hard drive and look at it.
When a file is deleted from a computer, it isn't actually removed from the hard
drive. The file is kept in the same place as it always was. What is really
happening is that the computer is being told that this file does not exist, and
it will act as if it doesn't. You can't look at the file if you are just looking
through the saved data, because the computer doesn't see it as saved data.
However, if you skip over what the computer thinks about the data, and only look
at the raw data, you will be able to see the file still there.
There are some difficulties with this, though. Because the computer doesn't
think that the file is there any more, it has no problem putting new data where
the deleted data was. If this happens then the file will be erased and you will
no longer be able to look at it. Sometimes the new data doesn't completely write
over the deleted data though, and an investigator can sometimes still see traces
of the deleted data on the hard drive. It is similar to taping over an old VHS
tape: sometimes the old show or whatever you had taped before will pop up every
now and then because the new taping isn't total. These traces can give
the investigator an idea of what the computer user had deleted, and can
sometimes give clues as to why it was deleted.
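The idea of skipping what the computer thinks and reading the raw data can be shown with a small added example (not part of the original article). It builds a constructed toy disk image whose file table lists only live files, then scans the raw bytes for JPEG start and end markers; the sector size, file names and table layout are assumptions made for the illustration.

```python
# Added illustration; the image, file names and table layout are constructed.
SECTOR = 64                                  # toy sector size (real disks use 512 or 4096)
HEAD, FOOT = b"\xff\xd8\xff", b"\xff\xd9"    # JPEG start and end markers

def jpeg(body):
    """Constructed stand-in for a JPEG: real markers around filler bytes."""
    return HEAD + b"\xe0" + body + FOOT

def build_image():
    """Constructed 8-sector image plus the file table the computer consults."""
    raw = bytearray(SECTOR * 8)
    table = {}                               # name -> (offset, length), live files only

    def write(name, offset, data, live=True):
        raw[offset:offset + len(data)] = data
        if live:                             # a deleted file keeps its bytes, loses its entry
            table[name] = (offset, len(data))

    write("holiday.jpg", 1 * SECTOR, jpeg(b"A" * 20))
    write("deleted1.jpg", 3 * SECTOR, jpeg(b"B" * 20), live=False)  # deleted, intact
    write("deleted2.jpg", 5 * SECTOR, jpeg(b"C" * 90), live=False)  # deleted, 96 bytes
    write("notes.txt", 6 * SECTOR, b"n" * SECTOR)   # new data reuses sector 6
    return bytes(raw), table

def carve(raw):
    """Scan raw bytes for JPEG headers, ignoring the file table entirely."""
    hits, pos = [], raw.find(HEAD)
    while pos != -1:
        nxt = raw.find(HEAD, pos + len(HEAD))
        end = raw.find(FOOT, pos + len(HEAD))
        complete = end != -1 and (nxt == -1 or end < nxt)
        if complete:
            data = raw[pos:end + len(FOOT)]
        else:   # end marker overwritten: keep the rest of this sector (simplification)
            data = raw[pos:(pos // SECTOR + 1) * SECTOR]
        hits.append((pos, complete, data))
        pos = nxt
    return hits

def recover_deleted(raw, table):
    """Carved items that no live file-table entry accounts for."""
    live_offsets = {offset for offset, _ in table.values()}
    return [hit for hit in carve(raw) if hit[0] not in live_offsets]

if __name__ == "__main__":
    image, file_table = build_image()
    for offset, complete, data in recover_deleted(image, file_table):
        state = "intact" if complete else "partial (tail overwritten)"
        print(f"offset {offset}: {len(data)} bytes, {state}")
```

The first deleted file comes back whole, while the second yields only the fragment that the newer file did not overwrite.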
- Computer Forensics Growing
As computers continue to become more important in America, computer forensics
will continue to grow as well. Looking at data can lead to information that
would never be found through other methods of investigation, and it proves very
useful in a number of different criminal cases.
About the Author - Allen Butler is a freelance writer who specializes in
internet content.