Computer Forensics
When one thinks of forensics, it is usually in the form of the old TV show Quincy or, more recently, the doctor on CSI. There is a new area of the field, called computer forensics and cellular phone forensics. Computer forensics and mobile phone forensics are not about processing data; rather, they are about investigating people and their actions in relation to a computer or other electronic data processing or storage device. Finding information about what has happened to data, and using it as evidence to pinpoint fraudulent, dishonest or deceptive behavior in individuals, is therefore a new type of tool in the forensics field.
The forensic investigation of data held on mobile telephones, PDAs, laptops, PCs and other data processing and storage devices provides a valuable resource in litigation and dispute resolution. In many cases this means the recovery of deleted e-mails and 'hidden' data of which the computer user may be, and probably is, completely unaware: for example, information embedded in the computer file or cached to disk about the sequence of access and editing of a document, when it was created and by whom. This delivers new evidence that is often sufficiently compelling to short-circuit the whole matter in question.
There is a prevailing misconception in the minds of many that retrieving deleted data involves no more than restoring what is in the recycle bin or trash can. Analysis through computer forensics and mobile phone forensics requires far more than just copying files and folders from targeted computers or devices. Data from computers needs to be specially imaged to produce an exact copy showing the data stored within.
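An added illustration (not part of the original article) of why a bit-for-bit image matters: in this constructed sample image, a deleted JPEG no longer appears in the file listing, yet its bytes remain in unallocated space and can be recovered by signature. The 512-byte sector layout, the sample contents and the function names are assumptions made for the example.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512                 # assumed sector size for the sample

def build_sample_image() -> bytes:
    """Constructed raw image: one live file plus remnants of a deleted JPEG."""
    deleted_jpeg = JPEG_SOI + b"\xe0" + b"constructed-photo-data" + JPEG_EOI
    sectors = [
        b"DIRECTORY: report.txt".ljust(SECTOR, b"\x00"),  # listing shows one file
        b"quarterly report text".ljust(SECTOR, b"\x00"),  # live file content
        deleted_jpeg.ljust(SECTOR, b"\x00"),              # unallocated, unlisted
        b"\x00" * SECTOR,
    ]
    return b"".join(sectors)

def image_digest(image: bytes) -> str:
    """SHA-256 over the whole image; source and copy must match to be exact."""
    return hashlib.sha256(image).hexdigest()

def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (offset, data) for each header/footer pair found by signature."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header with no footer: the data was truncated or overwritten.
            pos = start + 1
            continue
        found.append((start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", image_digest(img))
    for offset, data in carve_jpegs(img):
        print(f"recovered {len(data)} bytes at offset {offset}")
```

Copying only the files named in the directory sector would have captured the report and missed the JPEG entirely; the digest is what lets an examiner show that the working copy still matches the original.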
Three key points to ALWAYS remember with all electronic data storage devices, including computers and mobile phones:
1. Computer evidence must be secured quickly to reduce the risk that it might be destroyed or overwritten, accidentally or deliberately.
2. If the device to be investigated is discovered powered off, it should not be switched on.
3. If the device to be investigated is discovered powered on, it should not be turned off.
Recovering deleted or partially overwritten data is technically challenging if the resulting evidence is to be relied upon in litigation. Most IT departments have not had the training or investment in appropriate hardware and software to undertake this without compromising the data. There are labs that have the capability of recovering data even though it may have been overwritten or resides on a hard drive that has crashed.
Couple the above with the advent of GPS, its readily available technology, and cell phone triangulation, and the capability exists that allows police forces to determine the whereabouts of an individual at a specific point in time. It has recently been discovered that data residing in a GPS unit can reveal where a person was at an exact time. Cellphones, using triangulation based on the location of their towers, can tell exactly where a cellphone is, provided it is turned on. Not many people realize that when the cellphone is under power, it is constantly transmitting, even though it is not being used.
The computer chips in an automobile provide the police with the ability to determine how fast an auto was traveling at the time of impact and whether the driver applied the brakes.
Truly, the computer affects our lives more and more every day, even to the point of helping to keep the guys in black hats off the street where they can harm the general public.