Computer forensics

Definition[]

Computer forensics refers to the use of specialized techniques for recovery, authentication and analysis of electronic data when an investigation or litigation involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage.

Overview[]

Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end users or system support personnel, and generally requires strict adherence to chain of custody protocols.

Computer forensics encompasses e-discovery, intrusion detection and incident response, data recovery, and the packaging and presentation of digital evidence to standards admissible in various legal settings.

The foundation of all computer forensic techniques is the concept of a disk image — a bitstream representation of every bit of information originally stored on an instance of physical media.

Process[]

The computer forensics process consists of three phases: acquisition, examination, and presentation. Computer forensic investigators must have software tools that can effectively and efficiently accomplish the following tasks:

Image data (e.g. make a clone of suspect media)
Create comprehensive file listings with file checksums
Compare an existing list of file checksums with the checksums of current files
Identify and recover text located anywhere on the storage media
View text and image files
Assure that recovery methods do not unnecessarily contaminate data evidence or produce artifacts
Identify compressed data and decompress it
Identify files by their contents and file header signatures, not just filenames and file extensions
Identify encrypted files.

Source[]

NIST Special Publication 800-36, at 41.

Computer forensics

Contents

Definition[]

Overview[]

Process[]

Source[]

See also[]

Fan Feed