About Computer Forensics

Computer forensics has evolved as a discipline in response to the role Information Technology plays in how the U.S. and the world operate. Information is created, managed, analyzed, stored, and exchanged on a variety of electronic media. The need to gather evidence that resides on or flows through the media has driven developments in the field of computer forensics.

Essentially, computer forensics is the process of collecting information from and/or about computer systems so that the findings are admissible in a court of law. Gathering usable computer evidence, then, involves more than technology alone. The technology must be applied legally, carefully, and rigorously.

Computer forensics can range from the complex, such as the Enron case, which involves hundreds of hard disk drives, to the relatively simple examination of a single floppy diskette. It is widely used by law enforcement in cases of cybercrime, child pornography, terrorism, and other criminal activities.

The media examined for computer evidence can be virtually anything used to store or transmit information in a digital format, such as hard disk drives, back-up tapes, memory sticks in digital cameras, systems at Internet Service Providers, PDAs, etc. Unless the media is completely destroyed physically, some information can usually be retrieved. Even so, the timely preservation of computer evidence is essential because important digital information may exist only temporarily.

Likewise, the information can be almost anything, including images, voicemail, email, files, databases, temporary Internet files, deleted files, text fragments, etc. In some cases, the information of interest may be a pattern of use, such as whether a wipe program was run only one time. Or it may be other types of metadata automatically recorded by an operating system.

Before data can be searched for evidence, it must first be preserved. In some instances, computer forensics is used to preserve information that may be needed at a later time as computer evidence. For example, data on a company network may be acquired using computer forensic technology without permanently shutting down the network or seizing it unless there is a legal reason for doing so. The company can keep its system and business running while assuring that any evidence available at a point in time has been captured and retained.

This overview is provided as background information on some aspects of the field of computer forensics. For legal advice, consult your attorney. For issues involving law enforcement, consult the appropriate governmental agency.

For more information on our services, contact ACS at 713 664-8200.