What is digital forensics?
Computer forensics is the analysis of information contained within a computer or other digital device. Some of this information is created by the user; other information is created by the operating system of the device.
Why is computer forensics needed?
Lawsuits and litigation are factors in the current business world and need to be anticipated. Digital evidence is fragile and can easily be destroyed or altered if proper procedures and safeguards are not followed. Recovering data in conjunction with pending litigation or administrative action is very different from the routine use of electronic documents.
Often company IT personnel are asked to recover data. This presents a problem because those personnel may not be qualified in forensic evidence collection and preservation.
An impartial outside forensic examiner precludes the argument that the client contaminated, altered or destroyed evidence to bolster the client’s case, to protect a friend, or for some other personal reason.
What devices hold data?
In today’s society, digital storage devices are everywhere: computers, laptops, thumb drives, cell phones, digital cameras, smart phones and tablets or mobile devices, MP3 players, point of sale registers, vehicle on-board diagnostic systems, and digital video surveillance systems.
So what is the first step?
The first step is a phone consultation to gauge the scope of the request. After legal standing is determined, a needs assessment is conducted to determine the scope of the request. Logistical issues are also addressed as part of this assessment.
What is the process?
The process itself consists of four parts: collection, examination, analysis, and reporting. The examination and analysis depend on the scope of the request and are limited in focus to the specific requests. In all cases, a timely report detailing the findings is provided to the client.
How long does it take?
Typically, a hard drive can be imaged in several hours. An estimate can be provided after consultation regarding the hardware to be imaged. The examination and analysis will normally take several days, depending on the scope of the request.