What is Computer Forensics?
Computer Forensics is the science of obtaining, preserving, and documenting
evidence from digital electronic storage devices, such as computers, PDAs,
digital cameras, mobile phones, and various memory storage devices. All of
this must be done in a manner designed to preserve the probative value of
the evidence and to assure its admissibility in a legal proceeding.
You can think of it as the science of forensics applied in a digital
environment. But where a traditional forensics specialist might collect
and preserve fingerprints or other physical evidence, the computer
forensics specialist collects and preserves digital evidence.
This collection of digital evidence must be done through carefully
prescribed and recognized procedures so that the probative value of the
digital evidence is preserved and its admissibility in a legal proceeding
is ensured. Just as traditional forensics may involve people with different
specialties, computer forensics involves a multitude of professional
specialties working together to gather, preserve and analyze digital
evidence.
Why do individuals and organizations need to pay attention to computer forensics?
Nowadays, more and more people are using computers and other devices with
computing capability. For example, one can send and receive e-mail
messages from handheld devices (such as mobile phones or PDAs), play
online computer games simultaneously with other players over digital
networks, or manage one's finances over the Internet.
Today, many business and personal transactions are conducted electronically:
- Business professionals regularly negotiate deals by e-mail.
- People store their personal address books and calendars on desktop
computers or PDAs.
- People regularly use the Internet for business and pleasure.
According to a University of California study, 93% of all information
generated during 1999 was generated in digital form, on computers; only
7% of information originated in other media, such as paper [2]. Moreover,
a significant percentage of computer-created documents may never be
printed on paper: many messages and documents are exchanged over the
Internet and read on the computer screen but are never printed out.
Basic Process of Computer Forensics
Identification phase
In this phase, profile detection, system monitoring and audit analysis
are performed.
Preservation phase
This phase involves tasks such as setting up proper case management and
ensuring an acceptable chain of custody. It is crucial, because it ensures
that the data collected is free from contamination.
Collection phase
The relevant data are collected using the approved methods and various
recovery techniques. Following this phase are two crucial phases, namely
the Examination phase and the Analysis phase. In these two phases, tasks
such as evidence tracing, evidence validation, recovery of hidden or
encrypted data, data mining and timeline analysis are performed.
Presentation phase
Tasks related to this phase are documentation and expert testimony.
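As an added illustration of the preservation phase described above (this is example code written for this page, not code from the article or its author), the following Python script hashes an acquired evidence item and keeps a hash-chained chain-of-custody log, so that both a modified evidence item and an after-the-fact edit to the log itself are detected. The case id, item id, custodian names and evidence bytes are constructed for the example.

```python
# Added example (not part of the original article): evidence fingerprinting
# and a hash-chained chain-of-custody record for the preservation phase.
# Case id, item id, custodian names and the evidence bytes are constructed.
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint of an evidence item (image, file, export)."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record whose entries are hash-chained together.

    Every entry stores the hash of the previous entry (the first one stores
    the acquisition hash of the evidence), so editing or removing an earlier
    entry breaks every later link and is caught by verify_log().
    """

    def __init__(self, case_id: str, item_id: str, evidence: bytes, custodian: str):
        self.case_id = case_id
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(evidence)  # taken once, at acquisition
        self.entries: List[Dict] = []
        self.record("acquired", custodian, "bit-for-bit copy taken, write blocker in use")

    def record(self, action: str, custodian: str, note: str = "",
               when: Optional[datetime] = None) -> Dict:
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        body = {
            "case_id": self.case_id,
            "item_id": self.item_id,
            "action": action,
            "custodian": custodian,
            "note": note,
            "time_utc": when.isoformat(),
            "prev_hash": prev,
        }
        # Canonical serialisation so an identical entry always hashes identically.
        body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body

    def verify_evidence(self, data: bytes) -> bool:
        """True only if the item handed back is byte-identical to what was acquired."""
        return sha256_hex(data) == self.acquisition_hash

    def verify_log(self) -> bool:
        """Recompute every link of the chain; False if any entry was altered."""
        prev = self.acquisition_hash
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> Dict[str, bool]:
    """Walk through acquisition, hand-over, and two tampering checks."""
    evidence = b"constructed sample evidence image: not a real disk image"
    log = CustodyLog("CASE-0001", "ITEM-01", evidence, "examiner A")
    log.record("transferred", "examiner B", "handed over for examination")

    # Flip one bit of the first byte: the copy is no longer what was acquired.
    altered = bytes([evidence[0] ^ 0x01]) + evidence[1:]

    results = {
        "evidence_untouched": log.verify_evidence(evidence),   # True
        "evidence_tampered": log.verify_evidence(altered),     # False
        "log_ok_before": log.verify_log(),                     # True
    }
    # Simulate someone rewriting history in the log after the fact.
    log.entries[0]["custodian"] = "someone else"
    results["log_ok_after"] = log.verify_log()                 # False
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly and it prints the four checks; in practice the acquisition hash and each custody entry would be recorded in the case file at the moment they are made, and the evidence hash re-verified every time the item changes hands.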
By Ravindu Meegasmulla
Ravindu has completed a Master's in Digital Forensics and Cybercrime
Analysis at Staffordshire University, United Kingdom. Currently he is
working as an Intern Information Security Engineer at Sri Lanka CERT|CC.