Computer forensics Investigation


Computer forensics investigation and analysis represent a method for collecting and preserving evidence from a specific computing device in a manner appropriate for court presentation. The objective of computer forensics investigation is to conduct a systematic inquiry, ensuring a documented chain of evidence, with the aim of discerning precisely the events that transpired on a computing device and identifying those accountable for them.

Why is computer forensics important?

Computer forensics plays a critical role in upholding the credibility of digital evidence presented in legal proceedings. With the increasing ubiquity of computers and data-collecting devices in various aspects of life, the significance of digital evidence and the forensic processes involved in its collection, preservation, and investigation has heightened, particularly in the resolution of crimes and legal matters.

The initiation of a computer forensics investigation involves gathering information in a manner that preserves its integrity. Subsequently, investigators analyze the data or system to ascertain whether any alterations occurred, the nature of these changes, and the identity of the individual responsible for them. Notably, computer forensics is not solely confined to criminal investigations; it is also employed in data recovery scenarios. In instances such as a crashed server, failed drive, or reformatted operating system (OS), the forensic process is utilized to retrieve data when a system unexpectedly ceases to function

Types of computer forensics

There are various types of computer forensic examinations. Each deal with a specific aspect of information technology. Some of the main types include the following:

  • Database forensics: The examination of information contained in databases, both data and related metadata.
  • Email forensics: The recovery and analysis of emails and other information contained in email platforms, such as schedules and contacts.
  • Malware forensics: Sifting through code to identify possible malicious programs and analyzing their payload. Such programs may include Trojan horses, ransomware or various viruses.
  • Memory forensics: Collecting information stored in a computer's random-access memory (RAM) and cache.
  • Network forensics: Looking for evidence by monitoring network traffic, using tools such as a firewall or intrusion detection system.
  • Mobile forensics: Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices in such a way that the evidence is preserved in a forensically sound condition
    The growing need for mobile device forensics is driven by:
    • Use of mobile phones to store and transmit personal and corporate information
    • Use of mobile phones in online transactions
How does computer forensics work? Data collection :
  • Electronically stored information must be collected in a way that maintains its integrity. This often involves physically isolating the device under investigation to ensure it cannot be accidentally contaminated or tampered with.
  • Examiners make a digital copy, also called a forensic image, of the device's storage media, and then they lock the original device in a safe facility to maintain its pristine condition. The investigation is conducted on the digital copy
Analysis :
  • Investigators analyse digital copies of storage media in a sterile environment to gather the information for a case.
  • Various tools are used to assist in this process, including Basis Technology's Autopsy for hard drive investigations
Presentation :
  • The forensic investigators present their findings in a legal proceeding, where a court uses them to help determine the result of a lawsuit.
  • In a data recovery situation, forensic investigators present what they were able to recover from a compromised system.