Computer forensics for dummies

  • CERT Admin
  • Thu Jan 22 2015
  • Cyber Guardian Blog


Living and Working in a Recorded World

Ever since the World Wide Web (WWW) dropped into our lives in 1991, rapid growth has taken place in the personal, professional, and criminal use of computers, the Internet, e-mail, wireless tech toys, and social networks. These devices create and capture greater amounts of digital details that are stored in more places than most people realize. You have less chance of destroying detail-trails perfectly than of committing the perfect crime. Like the fingerprint left on the seat adjustment of a car used in a crime, a rogue digital fingerprint always lives on to tell the tale.

What is Computer Forensics?

Computer Forensics is the science of obtaining, preserving, and documenting evidence from digital electronic storage devices, such as computers, PDAs, digital cameras, mobile phones, and various memory storage devices. All must be done in a manner designed to preserve the probative value of the evidence and to assure its admissibility in a legal proceeding. 

You can think of it as the science of forensics applied in a digital environment. But where a traditional forensics specialist might collect and preserve fingerprints or other physical evidence, the computer forensics specialist collects and preserves digital evidence. 

This collection of digital evidence must be done through carefully prescribed and recognized procedures so that the probative value of digital evidence is preserved to ensure its admissibility in a legal proceeding. As traditional forensics may involve people with different specialties, computer forensics similarly involves a multitude of professional specialties working together to gather, preserve and analyze digital evidence.

Why do individuals and organizations need to pay attention to computer forensics?

Nowadays, more and more people are using computers and devices with computing capability. For example, one can send and receive e-mail messages from handheld devices (such as mobile phones or PDAs), play online computer games simultaneously with other players over digital networks, or manage one's finances over the Internet.

Today, many business and personal transactions are conducted electronically:

• Business professionals regularly negotiate deals by e-mail.
• People store their personal address books and calendars on desktop computers or PDAs.
• People regularly use the Internet for business and pleasure.

According to a University of California study, 93% of all information generated during 1999 was generated in digital form, on computers; only 7% of information originated in other media, such as paper. Moreover, a significant percentage of computer-created documents might never be printed on paper. Many messages and documents are exchanged over the Internet and read on the computer screen but never printed out.

Basic Process of Computer Forensics

Identification phase

In this phase, tasks such as profile detection, system monitoring, and audit analysis are performed.

Preservation phase

This phase involves tasks such as setting up proper case management and ensuring an acceptable chain of custody. It is crucial because it ensures that the data collected is free from contamination.

Collection phase

The relevant data are collected using approved methods and various recovery techniques. This phase is followed by two further crucial phases, the Examination phase and the Analysis phase. In these two phases, tasks such as evidence tracing, evidence validation, recovery of hidden or encrypted data, data mining, and timeline reconstruction are performed.

Presentation phase

Tasks related to this phase are documentation and expert testimony.
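The Preservation and Examination phases above, illustrated with an added example that is not part of the original post: a small Python chain-of-custody ledger that fixes the evidence hash at acquisition, logs every handover, and refuses analysis of an image that no longer matches the recorded hash. The handler names, timestamps and image bytes are constructed sample values.

```python
# Added example (not from the original post). Shows how a hash recorded at
# acquisition plus an append-only custody log lets the examiner validate that
# the evidence about to be analysed is uncontaminated. All values are constructed.
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLedger:
    """Append-only log of who handled the evidence, when, and what hash it had.
    Each entry also commits to the previous entry, so a later edit to the log
    itself (not just to the image) is detectable."""
    def __init__(self):
        self.entries = []

    def _entry_hash(self, body: dict) -> str:
        return sha256_hex(repr(sorted(body.items())).encode())

    def record(self, handler: str, action: str, image: bytes, when: datetime) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"handler": handler, "action": action, "time": when.isoformat(),
                 "image_hash": sha256_hex(image), "prev": prev}
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def ledger_intact(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or self._entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def validate_before_examination(self, image: bytes) -> bool:
        """Evidence validation: the image presented for analysis must hash to
        exactly what was recorded at acquisition, and the log must be intact."""
        if not self.entries or not self.ledger_intact():
            return False
        return sha256_hex(image) == self.entries[0]["image_hash"]

def demo():
    acquired = b"constructed-disk-image-bytes"  # stands in for a full disk image
    ledger = CustodyLedger()
    t0 = datetime(2015, 1, 22, 9, 0, tzinfo=timezone.utc)
    ledger.record("first responder", "acquired image", acquired, t0)
    ledger.record("evidence custodian", "sealed and stored", acquired, t0.replace(hour=11))
    tampered = acquired[:-1] + b"X"  # one changed byte, e.g. a read-write mount
    return ledger.validate_before_examination(acquired), ledger.validate_before_examination(tampered)
```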


By Ravindu Meegasmulla

Ravindu has completed a Masters in Digital Forensics and Cybercrime Analysis at Staffordshire University, United Kingdom. He is currently working as an Intern - Information Security Engineer at Sri Lanka CERT|CC.

Last updated: Thu Jan 22 2015