Computer forensics

Computer forensics is the practice of identifying, extracting and considering evidence from digital media such as computer hard drives. Digital evidence is both fragile and volatile and requires the attention of a certified specialist to ensure that materials of evidentiary value can be effectively isolated and extracted in a scientific manner that will bear the scrutiny of a court of law.

Computer forensics is not to be confused with the more generic term of 'forensic computing', which refers to the analysis and study of all types of digital media and materials - whether they be of a computing or telecommunication nature. Computer forensics, in a strict sense, applies specifically to the evaluation of computers and data storage or data processing devices.

Background

Forensic science is the scientific method of gathering and examining information about the past. The word forensic comes from the Latin forēnsis, meaning "of or before the forum." In modern use, the term forensics in the place of forensic science can be considered correct, as the term forensic is effectively a synonym for legal or related to courts. 1.

Most legal systems apply a form of a legal burden of proof. A legal burden of proof is the imperative on a party in a trial to produce the evidence that will shift the conclusion away from the default position to one's own position. 2

Forensics examinations

Four things are key to all forensics examinations; the:

1. Maintenance of data integrity as well as data authenticity,
2. Prevention of contamination of data,
3. Proper and comprehensive documentation and
4. Implementation of a systematic, scientific methodology

Forensic profession

All professionals involved in a forensics examination have both an ethical and a professional responsibility to:

• Maintain their objectivity.
• Present facts accurately and
• Not withhold any findings as such actions may distort or misrepresent the facts
• Render opinions only on the basis of what can be reasonably demonstrated.

Equivalent or other perspectives on forensic profession:

• Forensic Focus Webinar: Being Your Own Expert Witness

Terminology

Artifact

The term artifact (or artefact) is widely used within computer forensics, though there is no official definition of this term.

The definition closest to the meaning of the word within computer forensics is that of the word artifact within archaeology 3. The term should not be confused with the word artifact used within software development 4.

If archaeology defines an artifact as:

something made or given shape by man, such as a tool or a work of art, esp an object of archaeological interest

The definition of artifact within computer forensics could be:

An object of digital archaeological interest.

Where digital archaeological roughly refers to computer forensics without the forensic (legal) context.

Forensically sound

"When is digital evidence forensically sound?" defines forensically sound as:

The application of a transparent digital forensic process that preserves the original meaning of the data for production in a court of law.

See Also

• Digital evidence
• File Analysis
• Malware analysis
• Memory analysis

External Links

• Wikipedia: Computer forensics
• Wikipedia: Forensic science
• Wikipedia: Legal burden of proof
• Computer Forensics: Digital Forensic Analysis Methodology, from Computer Forensics issue: January 2008 Volume 56 Number 1
• When is digital evidence forensically sound?, by Rodney McKemmish, 2008
• Computer Forensics Part 2: Best Practices, by Information Security and Forensics Society (ISFS), August 2009
• The Alexiou Principle, cepogue, June 27, 2009
• When Computer Forensics Grows Up: Digital Forensics Explained, by Maryville University
• Validation and verification of computer forensic software tools - Searching Function by Yinghua Guo, Jill Slay, Jason Beckett, DFRWS 2009
• Sources of error in digital forensics, by Graeme Horsman, Feburary 2024