Welcome to Computer Forensics Portal - your online resource for all computer forensics
 

What is Computer Forensics?

In general terms, forensics is the methodical gathering and analysis of evidence to establish facts for presentation in a legal proceeding. Computer forensics, or IT forensics, is a branch under the forensics umbrella. It involves the investigation of computers, computer networks, related equipment and data storage media by means of specialized techniques, in order to discover evidence that may show whether they have been used to commit crime or unauthorized activities.

Who needs or who uses Computer Forensic Services?

Typically, a police force or a specialized branch of a police force makes use of computer forensics to investigate cyber crimes, or any crime for which evidence may have been stored, transmitted or received in a computer system.

More often, the people who engage computer forensic services are companies that have encountered a breach in data security in a network, or organizations that want to investigate an employee who may have broken company policies. Examples include leaking confidential information by means of a computer, for instance through email, or even something as trivial as playing computer games during operating hours.

What is done in a Computer Forensic Investigation?

A computer forensic investigation involves methodical steps such as the acquisition of computer equipment as evidence artefacts and the preservation of that evidence, so that it is not tampered with and does not change throughout the investigation.

The investigation also involves the discovery and analysis of relevant data. All processes and findings are documented meticulously for presentation.

What should you look for in a Computer Forensic Investigator?

A good forensics investigator will have gone through proper training to know how to handle evidence properly, to ensure that evidence does not deteriorate during the investigation, and to be aware of the steps necessary for documentation. The investigator must also have the necessary skill sets to succeed in a computer forensics investigation.

These skills cannot be attained overnight. A computer forensic investigator must have years of experience with a variety of computer system environments such as DOS, Windows, UNIX and Mac. Computer crimes and breaches usually occur in unforeseen and unexpected situations, and in many cases require the discovery of data that was not meant to be accessed.

Investigator Impartiality

The computer forensic investigator must remain neutral under all circumstances. The investigator cannot work on a case having judged the suspect's guilt or innocence. This is to ensure that no evidence is left out because of the way the investigator feels about the situation. All evidence must be collected and analyzed.

The investigator must also report any forensic findings that are a result of wrongdoing, especially if they break the law. This ensures the investigator's credibility, especially when presenting a report or testifying in court.

Evidence Control and Documentation

If anything can be singled out as the most important criterion in computer forensics, evidence control and documentation tops the list. It is absolutely critical to note all actions and the chain of custody during an investigation, or the forensic investigation will lose its credibility altogether. What evidence is collected, who is holding on to it and what is being done to it must be documented meticulously from the point of acquisition.

The chain of custody is a document that lists who has access to the evidence and when. The chain of custody must be signed for by the investigator and a witness. This is particularly important because if the challenging party argues that the evidence has been tampered with and there is a lapse or absence in the chain of custody, the investigator will not be able to refute the claim that the evidence might have changed.

The evidence must never be worked on directly, to ensure that it remains intact. All tools, processes and methodologies used in an investigation must be documented such that, if repeated, they will produce similar results. This is also to ensure credibility. Times, dates and events are examples of things that need to be documented.
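The following added example (not part of the original article) shows one way to keep the chain of custody described above in a form where a changed record, a missing entry or changed evidence can be detected. It assumes SHA-256 hashing of the evidence image and hash-chained log entries, neither of which the article specifies; `CustodyLog`, the case ID, the names and the timestamps are hypothetical, constructed values.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous seal" value used by the first entry
def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def seal(body: dict) -> str:
    return digest(json.dumps(body, sort_keys=True).encode())

class CustodyLog:
    """Chain of custody for one evidence item (hypothetical design)."""
    def __init__(self, evidence_id: str, image: bytes):
        self.evidence_id = evidence_id
        self.acquired = digest(image)  # fixed at the point of acquisition
        self.entries = []

    def record(self, when, action, holder, witness, image: bytes):
        # Names stand in for the investigator's and witness's signatures.
        if not holder or not witness:
            raise ValueError("entry needs both an investigator and a witness")
        prev = self.entries[-1]["seal"] if self.entries else GENESIS
        body = {"evidence": self.evidence_id, "when": when, "action": action,
                "holder": holder, "witness": witness,
                "evidence_hash": digest(image), "prev": prev}
        self.entries.append({**body, "seal": seal(body)})

    def verify(self) -> list:
        """Return the problems found; an empty list means the chain holds."""
        problems, prev = [], GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "seal"}
            if seal(body) != entry["seal"]:
                problems.append(f"entry {i}: record altered after signing")
            if entry["prev"] != prev:
                problems.append(f"entry {i}: break in chain of custody")
            if entry["evidence_hash"] != self.acquired:
                problems.append(f"entry {i}: evidence differs from acquisition")
            prev = entry["seal"]
        return problems

def demo():
    image = b"constructed stand-in for a disk image"
    log = CustodyLog("CASE-0001-HDD1", image)  # constructed case ID
    log.record("2009-03-02T09:15Z", "acquired", "Investigator A", "Witness B", image)
    log.record("2009-03-02T11:40Z", "examined working copy", "Investigator A",
               "Witness C", bytes(image))  # analysis uses a copy, not the original
    clean = log.verify()
    log.entries[1]["holder"] = "Investigator Z"  # simulate an after-the-fact edit
    return clean, log.verify()
```

The log detects edits only while a copy of the latest seal is held outside the log, for example on the signed custody form.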

 

© 2009
Computer Forensics Portal
All Rights Reserved
