Electronic Evidence Retrieval - Computer Forensics - Data Recovery - Expert Witness Testimony

Demystifying Computer Forensics

by Johnette Hassell, Ph.D. and Susan Steen


 

Meta Data

  Some applications, most notably Microsoft Word®, keep information about each document that has been accessed. Since these data, which describe the document, are stored within the document itself, they are called meta data. The meta data can contain the history of the document, including all users who have modified and/or saved it, the directory structure of all machines it was saved on, and names of printers it was printed upon. These data readily yield to forensics investigation techniques. Many theft-of-trade-secret cases have been decided because the meta data showed the original, and all intervening, possessors of protected documents.
 
 

A Proper Forensics Investigation

Evidence retrieved from electronic media requires the same chain-of-custody controls and assurance as other evidence. However, since electronic media are easily altered, special care must be taken to protect the evidence from changes, either deliberate or inadvertent. For example, merely starting a computer running a Windows® system changes more than 160 files. It is imperative that the forensic investigator be able to demonstrate to the court that the electronic evidence was not altered in its acquisition and has not been altered since that time.

 
 
The work of the forensic specialist falls into three broad categories. First, the computer forensics community has developed tools for acquiring copies of disks without altering the contents. It is not sufficient merely to copy data files; the entire disk must be copied bit by bit. This preserves all the hidden and temporary data on the disk.
 
 

Second, computer science has established techniques for identifying and securing computer files. The usual techniques involve applying numeric procedures to the disk to produce a number virtually unique to the disk. Computer forensic professionals use and document these techniques each time they access the disk to demonstrate its authenticity.
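The following Python example is added here and is not code from the original article. It shows the practice described above: a digest of the disk image is computed at acquisition and again at every access, and each result is written to a custody log. SHA-256, the JSON-lines log format, and all file, function and examiner names are assumptions; the article does not name an algorithm or tool.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large image is never held in memory

def image_digest(path):
    """SHA-256 over every byte of the image file, read sequentially."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record_access(log_path, image_path, examiner, purpose):
    """Hash the image, compare with the acquisition hash, append a log entry."""
    entries = []
    if os.path.exists(log_path):
        with open(log_path) as f:
            entries = [json.loads(line) for line in f]
    digest = image_digest(image_path)
    # The first entry in the log is treated as the acquisition baseline.
    baseline = entries[0]["sha256"] if entries else digest
    entry = {
        "utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "purpose": purpose,
        "sha256": digest,
        "matches_acquisition": digest == baseline,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def demo():
    """Constructed sample: a small stand-in image, then a one-byte alteration."""
    d = tempfile.mkdtemp()
    img, log = os.path.join(d, "evidence.img"), os.path.join(d, "custody.jsonl")
    with open(img, "wb") as f:
        f.write(b"\x00" * 4096 + b"deleted-file-remnant" + b"\x00" * 4096)
    first = record_access(log, img, "examiner-A", "acquisition")
    second = record_access(log, img, "examiner-A", "keyword search")
    with open(img, "r+b") as f:  # simulate an inadvertent change to the copy
        f.seek(100)
        f.write(b"\x01")
    third = record_access(log, img, "examiner-B", "review")
    return first, second, third

if __name__ == "__main__":
    for e in demo():
        print(e["purpose"], e["sha256"][:16], e["matches_acquisition"])
```

A single changed byte produces a different digest, so the third log entry records a mismatch against the acquisition value.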

The third task of the computer forensics specialist is to interpret temporary, hidden, and partial files. This interpretation requires in-depth knowledge of how computers and the various applications store and manage data. For example, a computer file usually records the date(s) on which it was created, last modified, and last accessed. It can happen that the “last accessed” date precedes the creation date. The specialist must be able to interpret these inconsistencies to the Court.

 
     
 
 