Basics of Computer Forensics

By: James Walsh

We use mobile phones, computers, and PDAs to communicate, learn, plan, and entertain ourselves. While these technological advancements are a boon to society, they also create some difficult situations. Our communications are at times confidential. So, are your business and your business data safe? Examples of cyber crime include industrial espionage, money laundering, unauthorized use of computers through hacking, blackmail, theft of intellectual property and trade secrets, destruction of information, financial fraud, and even sexual harassment.

Cases of cyber and digital crime have given rise to specialized and advanced computer and digital forensics. Computer forensics involves investigating a computer to analyse hidden, deleted, or existing data. Such data can often prove extremely useful as legal evidence in support of the forensic investigation. Computer forensic experts examine the computer as well as data storage devices such as hard drives, USB drives, discs, and tapes. Investigating emails and logs is also an important part of forensic research. The experts seek to identify sources of documentary evidence, such as printouts or computer files, and of digital evidence, such as transaction logs, emails, instant messages, or Internet browser histories.

It is interesting to observe how computer forensic experts investigate the data. They look for all saved files, whether organised in the appropriate directories or hidden in ambiguous ones. Some of these files may be hidden on purpose. There are times when cyber criminals attempt to hack the victim’s computer system in order to gain access to its data. There have been cases of company blackmail in which threatening mail was sent by an employee to his superior. In cases of industrial espionage, confidential files may be accessed illegally. These cases typically involve creating files and subsequently deleting them. However, when a file is deleted from a computer, it still exists. When users delete files using standard methods, the contents of the file remain intact; the operating system merely makes the deleted file invisible to the user. Files are stored on the computer’s hard disk, and the data on the disk is arranged into clusters.

The computer keeps track of each file and its location so that it can find the appropriate clusters. Files are kept in a directory, and this directory contains the location of the file's information block. This information block is an important element in forensic research because it contains time stamps. When a file is deleted, the directory, as well as the information block, shows a deleted marker beside the file. With the advanced software tools available, these deleted files can be accessed and read. Even if these files have been overwritten by other files, they can still be reconstructed. Recovery of deleted files is an integral part of computer forensic research. Forensic experts also look at metadata as part of their analysis. Metadata can provide vital information such as the date when a file was created, when it was modified, and when it was last accessed. Metadata can also tell the forensic expert about the original owner of the file as well as its other users. This can prove especially beneficial if the victimized company or individual wants to track the members involved in a conspiracy.
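The deleted-marker mechanism described above, shown as an added example that is not part of the original article. The article names no file system, so this sketch assumes the FAT directory-entry layout (32-byte entries, first name byte 0xE5 when deleted); the image, file names and contents are constructed, and the cluster size is shrunk to 32 bytes to keep the sample small.

```python
import struct

CLUSTER = 32              # bytes per cluster in this constructed image (real volumes use 512 or more)
DIR_ENTRY = 32            # size of one FAT directory entry
DELETED = 0xE5            # first name byte the file system writes when a file is deleted
LAYOUT = "<8s3sB10xHHHI"  # name, ext, attributes, (skipped), write time, write date, first cluster, size

def fat_datetime(date, time):
    """Decode FAT's packed 16-bit date and time into an ISO-8601 string."""
    return "%04d-%02d-%02dT%02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def make_entry(name, ext, cluster, size, date, time, deleted=False):
    raw = bytearray(struct.pack(LAYOUT, name.ljust(8).encode(), ext.encode(),
                                0x20, time, date, cluster, size))
    if deleted:
        raw[0] = DELETED  # only the marker changes; cluster, size and time stamps stay
    return bytes(raw)

def build_image():
    """Constructed sample: a two-entry directory followed by the data clusters."""
    date = ((2024 - 1980) << 9) | (3 << 5) | 14   # 2024-03-14
    time = (9 << 11) | (30 << 5) | (10 // 2)      # 09:30:10
    live = b"quarterly report draft"
    gone = b"confidential pricing notes, deleted by the user"
    directory = (make_entry("REPORT", "TXT", 2, len(live), date, time)
                 + make_entry("PRICING", "TXT", 3, len(gone), date, time, deleted=True))
    data = live.ljust(CLUSTER, b"\0") + gone.ljust(2 * CLUSTER, b"\0")
    return directory + data, len(directory)

def scan_deleted(image, dir_size):
    """Return (name, modified, content) for every entry carrying the deleted marker."""
    found = []
    for off in range(0, dir_size, DIR_ENTRY):
        name, ext, _attr, time, date, cluster, size = struct.unpack_from(LAYOUT, image, off)
        if name[0] != DELETED:
            continue
        start = dir_size + (cluster - 2) * CLUSTER  # FAT numbers data clusters from 2
        # Assumes the file was stored contiguously and its clusters have not been reused.
        content = image[start:start + size]
        label = "?" + name[1:].decode().strip() + "." + ext.decode()
        found.append((label, fat_datetime(date, time), content))
    return found

if __name__ == "__main__":
    for label, modified, content in scan_deleted(*build_image()):
        print(label, modified, content)
```

The first character of the name is lost to the marker, which is why recovered FAT entries are conventionally shown with a placeholder in that position.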

Mobile telephones often contain evidence that can aid digital forensic research. Criminals increasingly use mobile telephones to carry out illegal activities such as spreading viruses and leaking confidential data. In fact, Samsung banned the use of camera phones on its office premises to prevent cases of industrial espionage. Criminals also use text messages, sent via mobile messaging services, to plan their activities. These text messages can prove very helpful to forensic experts in their investigation. Forensic experts can recover even deleted text messages from mobile phones. However, recovering data from mobile phones is complicated by the fact that different mobile devices require different techniques and procedures. Forensic experts take special precautions in handling evidence relating to mobile phones because the integrity of the evidence needs to be maintained. For this reason, they ensure that the mobile phone does not remain connected to its host network after seizure, so that the evidence is not contaminated.

James Walsh is a freelance writer and copy editor. For more information on computer crime and Computer Forensics see
