menu 1
ACS Home
Computer Forensics
Data Recovery
Technical Consulting
About ACS
Contact ACS



FAQs

What is computer evidence? Computer forensics?
Computer evidence is evidence that happens to be located on computer media, such as a hard disk drive. Essentially, computer forensics is the process of collecting information from and/or about computer systems so that the findings are admissible in a court of law. Activities include preserving and acquiring computer evidence, as well as conducting searches and analyzing information. Gathering usable computer evidence, then, involves more than technology alone. The technology must be applied legally, carefully, and rigorously.

When would computer forensics be needed?
In situations where data believed to be resident, stored, or in transit on computer media may be used in a court of law, computer forensics would be needed.

How is computer evidence used?
High visibility uses of computer forensics are in law enforcement, especially child pornography, hacking, and terrorism. Businesses and individuals use computer evidence in civil cases or when a lawsuit is under consideration. For example, ACS has been retained by corporations to make a forensic copy of media and examine the copy for evidence of disclosure of trade secrets or proprietary company information to competitors or third parties. Individuals are often interested in the same issues, as well as personal ones such as divorce.

What is a forensic copy of computer media?
A forensic copy is a bit-for-bit copy or exact image of computer media such as a hard disk drive.

It's easy to copy a file. Why make a forensic copy?
With a forensic copy, an exact copy, all information is copied whether in a file or not. Also, there are safeguards available in the forensic copy process to assure the accuracy of the copy.

It's also easy to conduct a search. Why use forensic software?
There are many tools available to conduct searches. For the purpose of examining computer evidence, forensic software has a number of advantages. These include thoroughness, accuracy, flexibility, reporting, and speed.
For example, a search can be conducted in any or all areas of a forensic copy of a hard disk drive, including slack space and unallocated space. The search can be for one or more keywords, for file types, etc. Results can be examined and saved. Findings can be incorporated into reports.