Computer forensics refers to the use of specialized techniques for recovery, authentication and analysis of electronic data when an investigation or litigation involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage.
Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end users or system support personnel, and generally requires strict adherence to chain of custody protocols.
Computer forensics encompasses e-discovery, intrusion detection and incident response, data recovery, and the packaging and presentation of digital evidence to standards admissible in various legal settings.
The computer forensics process consists of three phases: acquisition, examination, and presentation. Computer forensic investigators must have software tools that can effectively and efficiently accomplish the following tasks:
- Image data (e.g. make a clone of suspect media)
- Create comprehensive file listings with file checksums
- Compare an existing list of file checksums with the checksums of current files
- Identify and recover text located anywhere on the storage media
- View text and image files
- Assure that recovery methods do not unnecessarily contaminate data evidence or produce artifacts
- Identify compressed data and decompress it
- Identify files by their contents and file header signatures, not just filenames and file extensions
- Identify encrypted files.
- NIST Special Publication 800-36, at 41.
See also Edit
- Computer forensics tool
- Computer Forensics Tool Testing
- Digital data forensics
- Electronic Crime Scene Investigation: A Guide for First Responders
- Forensic Association of Computer Technologists
- Forensic computer expert
- Forensic copy
- Forensic Examination of Digital Evidence: A Guide for Law Enforcement
- Forensic specialist