Computer forensics facts for kids

Kids Encyclopedia Facts

Forensic science
Part of a series on

Physiological Anthropology Biology Bloodstain pattern analysis Dentistry DNA phenotyping DNA profiling Entomology Epidemiology Limnology Medicine Palynology Pathology Podiatry Toxicology
Social Psychiatry Psychology Psychotherapy Social work
Criminalistics Accounting Body identification Chemistry Colorimetry Election forensics Facial reconstruction Fingerprint analysis Firearm examination Footwear evidence Forensic arts Profiling Gloveprint analysis Palmprint analysis Questioned document examination Vein matching Forensic geophysics Forensic geology
Digital forensics Computer exams Data analysis Database study Malware analysis Mobile devices Network analysis Photography Video analysis Audio analysis
Related disciplines Electrical engineering Engineering Fire investigation Fire accelerant detection Fractography Linguistics Materials engineering Polymer engineering Statistics Traffic collision reconstruction
Related articles Crime scene CSI effect Perry Mason syndrome Pollen calendar Skid mark Trace evidence Use of DNA in forensic entomology
Outline Category
v t e

Media types used for computer forensic analysis: a Fujifilm FinePix digital camera, two flash memory cards, a USB flash drive, a 5GB iPod, a CD-R or DVD recordable, and a Mini CD.

Computer forensics is like being a digital detective! It's a special part of digital forensics that looks for clues found on computers and other digital devices. The main goal is to carefully examine digital information. This helps to find, save, get back, look at, and share facts about digital evidence.

This field is often used to investigate many types of computer crime. But it can also be used in civil cases, which are legal disagreements between people or groups. Computer forensics uses similar methods to data recovery. However, it has extra rules to make sure the evidence can be used in court.

Evidence from computer forensics investigations follows the same rules as other digital evidence. It has been used in many important cases. Courts in the U.S. and Europe accept it as reliable.

What is Computer Forensics?
- Cybersecurity vs. Computer Forensics
How Digital Evidence is Used
The Forensic Process
- Computer Forensics Lab
- Techniques Used
  - Mobile Device Forensics
  - Volatile Data
Jobs in Computer Forensics
- Digital Forensics Analyst
Training and Certifications
See also

What is Computer Forensics?

In the early 1980s, personal computers became more common. This led to them being used more often in crimes, like fraud. At the same time, new "computer crimes" appeared, such as cracking (breaking into software). Computer forensics started as a way to find and investigate digital evidence for court cases.

Since then, computer crime has grown a lot. The FBI reported many internet crimes in 2020. This field also helps in civil cases, like gathering information for Electronic discovery.

Computer forensics uses special skills to understand a digital artifact. This could be a computer system, a storage device like a hard disk or CD-ROM, or an electronic document like an email or a picture. The investigation can be simple, like finding information. Or it can be complex, like figuring out a series of events. Experts say computer forensics involves saving, finding, taking out, documenting, and understanding computer data. It's seen as a mix of art and science, needing both flexibility and deep knowledge.

Cybersecurity vs. Computer Forensics

People often confuse computer forensics with cybersecurity. Cybersecurity is about stopping problems and protecting data before they happen. Computer forensics, however, is more about reacting after something has happened. It involves tracking down and figuring out what went wrong.

Usually, system security involves two teams: cybersecurity and computer forensics. They work together. The cybersecurity team creates systems to protect data. If these systems fail, the computer forensics team steps in. They recover the data and investigate the intrusion or theft. Both areas need a good understanding of computer science.

How Digital Evidence is Used

In court, digital evidence from computer forensics must meet certain rules. It needs to be real, found in a reliable way, and allowed to be used. Different countries have their own rules for finding evidence. In the United Kingdom, examiners often follow guidelines that help make sure evidence is real and complete. These guidelines are widely accepted in British courts.

Computer forensics has been used as evidence in criminal law cases since the mid-1980s. Here are some well-known examples:

BTK Killer: Dennis Rader was found guilty of several killings. Near the end of his crimes, Rader sent letters to the police on a floppy disk. Hidden information within these documents pointed to an author named "Dennis" at "Christ Lutheran Church." This clue helped lead to Rader's arrest.
Joseph Edward Duncan: A spreadsheet found on Duncan's computer showed he had planned his crimes. Prosecutors used this to prove he thought about the crimes beforehand.
Sharon Lopatka: Hundreds of emails on Lopatka's computer helped investigators find her killer, Robert Glass.
Dr. Conrad Murray: Dr. Conrad Murray, the doctor for the late Michael Jackson, was partly found guilty because of digital evidence on his computer. This evidence included medical documents showing dangerous amounts of a medicine called propofol.

The Forensic Process

A portable Tableau write blocker attached to a Hard Drive

Computer forensics investigations usually follow a set process. This includes getting the data, examining it, analyzing it, and then writing a report. Investigations are done on copies of data, not usually on live, running computers. This is different from how things were done in the past. Back then, there weren't as many special tools, so investigators often worked directly on live computers.

Computer Forensics Lab

A computer forensics lab is a safe and protected place. Here, electronic data can be managed, kept safe, and accessed in a controlled way. There is a much lower risk of damaging or changing the evidence in a lab. Computer forensic experts have the right tools to get important data from the devices they are examining.

Techniques Used

Many techniques are used during computer forensics investigations. These include:

Mobile Device Forensics

Phone Logs: Phone companies often keep records of calls. These can help create timelines and show where people were when a crime happened.
Contacts: Contact lists can help narrow down who might be involved. This is because of their connections to the victim or suspect.
Text Messages: Messages have timestamps and often stay on company servers forever, even if deleted from the phone. This makes them important records of communication that can help solve cases.
Photos: Pictures can be very important. They can either support or disprove an alibi by showing a location or scene with a timestamp.
Audio Recordings: Sometimes, victims might record key moments of a situation. This could be the attacker's voice or important details about what happened.

Volatile Data

Volatile data is any information stored in a computer's temporary memory. This data will be lost when the computer is turned off or loses power. Volatile data lives in places like registries, cache, and RAM. Looking into this volatile data is called "live forensics."

When evidence is taken, if the computer is still on, any information only in RAM might be lost when it's turned off. One way to do "live analysis" is to get RAM data before removing the computer. Special tools can help with this.

Even after a computer loses power, RAM can sometimes be analyzed for old content. This is because the electrical charge in memory cells takes time to disappear. This effect is used in something called a cold boot attack. Keeping unpowered RAM very cold (below -60°C) helps keep the data longer. However, it's often hard to do this during an investigation in the field.

Sometimes, law enforcement needs to move a running computer to a forensic lab. They might use a mouse jiggler to keep the computer from going to sleep. An uninterruptible power supply (UPS) can provide power during travel.

One easy way to get data is by saving the RAM data to the computer's main storage. Many file systems, like NTFS, keep a lot of RAM data on the main storage during use. These "page files" can be put back together to see what was in RAM at that time.

Jobs in Computer Forensics

Digital Forensics Analyst

A digital forensics analyst has many important tasks. They are responsible for keeping digital evidence safe. They also organize the evidence they collect. They analyze the evidence in a way that helps with the case. If a company has a cyber breach, they help respond to it. They write reports about what they find. And sometimes, they even testify in court. A digital forensics analyst might also be called a computer forensic analyst, digital forensic examiner, or cyber forensic analyst. All these roles do similar jobs.

Training and Certifications

There are several special trainings and certifications you can get in computer forensics. Some examples include the ISFCE Certified Computer Examiner and the IACRB Certified Computer Forensics Examiner.

One of the top certifications, especially in Europe, is the CCFP - Certified Cyber Forensics Professional.

Other important ones, especially in the USA or Asia-Pacific region, include programs from the International Association of Computer Investigative Specialists and the International Society of Forensic Computer Examiners.

Many companies that make forensic software also offer their own certifications. For example, Guidance Software offers the (EnCE) certification for their tool EnCase.