Computer Forensics
Computer forensics is the application of computer investigation and analysis techniques to gather evidence suitable for presentation to a court of law. The goal of computer forensics is to perform a structured investigation, while maintaining the chain of custody for the evidence, in order to ascertain exactly what happened on a computer and who was responsible for it.
Forensic investigators typically follow a standard set of procedures: After physically isolating the computer in question to make sure it cannot be accidentally contaminated, investigators make a digital image of the hard drive. This is done without powering on the computer. Once the original hard drive has been imaged, the original is preserved in a secure storage facility to maintain its pristine condition. All subsequent investigations are performed on the digital image only.
Investigators use a variety of techniques and proprietary forensic software applications to examine the hard drive image, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital image is carefully documented in a "finding report" and verified against the original source data in preparation for legal proceedings that involve discovery, depositions, or actual litigation.
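Verifying an image against the original source data is commonly done by comparing cryptographic hashes of the two. The following is an added example, not part of the original page: it assumes SHA-256, a 4096-byte comparison block, and constructed sample files with hypothetical names, and it reports which blocks of an image differ from the source, including the case of a truncated image.

```python
import hashlib, os, tempfile

BLOCK = 4096  # assumed comparison granularity in bytes (hypothetical choice)

def digest_file(path, block=BLOCK):
    """Return (whole-file SHA-256 hex, list of per-block SHA-256 digests)."""
    whole = hashlib.sha256()
    blocks = []
    with open(path, "rb") as fh:          # read-only: never write to evidence
        while chunk := fh.read(block):
            whole.update(chunk)
            blocks.append(hashlib.sha256(chunk).digest())
    return whole.hexdigest(), blocks

def verify_image(source_path, image_path, block=BLOCK):
    """Compare an image with its source; report byte offsets of differing blocks."""
    src_hash, src_blocks = digest_file(source_path, block)
    img_hash, img_blocks = digest_file(image_path, block)
    bad = [i * block for i, (a, b) in enumerate(zip(src_blocks, img_blocks)) if a != b]
    # A truncated or padded image differs from the first unmatched block onward.
    shorter, longer = sorted((len(src_blocks), len(img_blocks)))
    bad += [i * block for i in range(shorter, longer)]
    return {"source_sha256": src_hash, "image_sha256": img_hash,
            "match": src_hash == img_hash, "mismatched_offsets": bad}

def demo():
    """Constructed sample data: a 5-block 'disk', a good image, a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "source.raw")
        good = os.path.join(tmp, "image_good.dd")
        bad = os.path.join(tmp, "image_bad.dd")
        data = bytes(range(256)) * 80          # 20480 bytes = 5 blocks of 4096
        damaged = bytearray(data)
        damaged[2 * BLOCK + 10] ^= 0xFF        # flip one byte inside block 2
        damaged = bytes(damaged[:-BLOCK])      # and drop the final block
        for path, content in ((disk, data), (good, data), (bad, damaged)):
            with open(path, "wb") as fh:
                fh.write(content)
        return verify_image(disk, good), verify_image(disk, bad)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

The two whole-file digests are the values that would be recorded in the finding report; the per-block offsets show where a failed image diverges from the source.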
Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification.



