Forensic Information
Computer forensics is a branch of forensic science pertaining to evidence
found in computers and digital storage media. It involves the
identification, collection, preservation, analysis, and presentation
of computer related information in a manner that allows it to be
used as evidence in legal processes. Computer or digital evidence
can be useful in any type of legal or administrative proceedings.
These processes are increasingly known as digital forensics,
recognizing that they are broader than the recovery of information
from systems traditionally called computers.
The goal of a computer or digital forensic examiner is to identify
digital artifacts and the circumstances surrounding them, and to
explain the current state of the digital artifacts relevant to a
determination of some legal right or interest. The term digital
artifact can include a computer system, a storage medium (such as a
hard disk, CD-ROM or DVD), a specific
electronic document (e.g. an e-mail message or JPEG/GIF/BMP image
file) or even a sequence of packets moving over a network. The
question can be as straightforward as "what information is here?"
and as complex as "what is the sequence of events that resulted in
the creation or modification of the artifact or access to the
artifact?" This often entails looking at metadata, envelope
information, header information and properties as opposed to the
substantive data.
The field of computer forensics also has sub-disciplines within it
including but not limited to forensics on firewalls, networks,
databases, cell phones and PDAs.
There are many reasons to employ computer forensics. Some major
reasons are:
- In litigation, computer forensics can be used to analyze the
computer systems of defendants and sometimes those of victims and
others (in criminal cases) or of litigant parties (in civil cases)
for evidence of illegal acts and for exculpatory evidence.
- To analyze a computer system after a break-in, for example, to
determine how the attacker gained access, what the attacker did and
who the attacker is.
- To gather evidence against an employee that an organization
suspects is engaged in activities contrary to the interests of the
organization and that they would terminate for misconduct.
More information is retained on computers or other digital data
creation or storage systems than many people realize; this is
especially true as hard drives become larger. Computer
forensics examiners can often find and recover lost or deleted
information, even if it was intentionally deleted and often even
after it has been "overwritten."