Computer forensics is a branch of information technology specialising in the gathering of digital data that can be used in legal proceedings.
Certified forensics investigators identify and extract data to support the objectives of an investigation. They specialise in searching for, preserving, and analysing digital information to find evidence for a trial.
In the not-too-distant-past, thoroughly examining a hard drive was a labour intensive process requiring many hours of manpower and costing thousands of pounds. Today, most jobs cost less than £3,000 and can be done with about 15-20 hours of work.
The forensic process usually follows a process of acquisition, analysis, and then reporting. Because of how operating systems overwrite data when saving new information, the sooner you get a computer to a forensics expert, the better the chance of recovering data before it is permanently lost.
The first step in acquisition may be a warrant to search a suspect’s computer, or a Request for Production of Documents to examine an opponent’s data.
Once you turn the relevant machines over to the forensics technician, he will make an image of the computers. This usually only takes a few hours and can be scheduled so that your business is not disrupted.
The level of analysis required depends on the specifics of the case and the nature of the evidence being collected. But modern tools make this process much quicker and more affordable.
Once a disk image has been made, a computer forensics investigator starts searching for data.
They have tools to discover files on any computer system, including hidden files and files that have not been adequately deleted.They can discover and obtain data from encrypted files, and can even trace and rebuild data fragments thought to be lost.
Data can be classified as active, archival, or latent. Active data encompasses operating system files and all data files in current use.
Archival data refers to any data that is stored or contains system backups. These files may be on external drives or in cloud storage.
Latent data, also known as ambient data, includes data that is no longer in use and may have been partially destroyed, such as fragments of deleted files.
Forensics technicians provide a technical report of the information acquired from the machine and metadata components such as times of access and changes.
They document every step of their procedure to prove that they did not alter or damage evidence in the process of collecting it. This report becomes part of the legal evidence chain.
A computer forensics investigator may also be called upon to testify as an expert witness during the trial.
As soon as you suspect the need for digital evidence collection on a particular computer, stop using the machine and lock it up so that no one can access it. Create as detailed a record as possible of who had access to the machine during the relevant time period.
You should always hire a third party computer forensics expert if you suspect the need to collect digital evidence. Even if you work at a company with its own internal IT department, most IT staff members are not trained in computer forensics procedures or legally admissible evidence gathering techniques.
If you suspect that digital information is relevant to your legal situation, you should immediately schedule a computer forensic examination. This is part of your duty to preserve evidence and can prevent later accusations of evidence tainting.
With the constant use of laptops, tablets, and smartphones, digital data pervades every part of life. This ever-increasing trend is making computer forensics experts a critical part of many legal teams.
Call us on 020 3283 8741 or contact us here to discuss further how we can help you with your personal situation.