Computer forensics is a branch of forensic science which deals with the application of investigative analysis techniques on computers in order to retrieve and preserve evidence in a way that is legally admissible. This means that a major aspect of the science of computer forensics lies in the ability of the forensics expert to present findings in a way that is acceptable and usable by a court of law.
The goal of computer forensics is the performance of a structured investigation on a computing device to find out either what happened or who was responsible for what happened, while at the same time maintaining a properly documented chain of evidence in a formal report.
Digital Forensic Incident Response (DFIR) solutions, including computer forensics, are an integral and necessary tool in the fight against cybercrime.
According to the U.S. Department of Justice (the “DoJ”), the term cybercrime refers to any illegal activity for which a computer is used as its primary means of commission, transmission, or storage. The term has rapidly gained acceptance in New Zealand. The list of criminal activities made possible by the widespread use of computers has grown exponentially in recent decades, and includes such acts as dissemination of computer viruses, network intrusion, identity theft, and even cyberbullying, stalking and terrorism.
While computer forensics may have been used traditionally by law enforcement organizations like the police in the fight against crime, there are presently many different areas of its application, as private and commercial organizations have adopted its use for a multitude of purposes.
Computer forensics is therefore the merging of computer-data recovery methods with rules and guidelines from the legal system in order to produce a legally acceptable audit trail.
Computer forensic methods started to be used for collecting digital evidence for courts in the mid-1980s with the emergence and rapid growth in the use of personal computers by individuals and firms. Over the years, as the use of personal computers increased and became even more widespread, cybercrime or computer-related crimes have also increased and become even more diverse.
The uses for computer forensics are varied. They range from helping law enforcement officials in the investigation of child pornography, to investigating fraud, murder, espionage, rape and cyber-stalking.
In the private sector, computer forensics has been used by commercial organizations to investigate a wide range of cases including industrial espionage, fraud, intellectual property theft, forgeries, disputes with employees, regulatory compliance, bankruptcies and the inappropriate use of a computer, the Internet and email in the workplace.
The theft of intellectual property is one of the most prevalent forms of cybercrime in New Zealand.
The discipline of computer forensics is very much concerned with the presentation of legally acceptable evidence, reports and conclusions. Computer forensic investigators must therefore follow certain rules and guidelines in order to preserve the integrity of their work. For example, work is not done on the physical device in question; rather, after the device has been physically isolated, the forensic analyst must make a digital copy of the data.
To ensure that correct, Court-accepted procedures are followed, the professional investigator should be using a suite of tools such as EnCase©, which is used by Law Enforcement authorities in New Zealand and internationally. This is particularly important, as the evidence discovered can, if appropriate, be handed to authorities such as NZ Police in a form with which they are completely familiar.
It is the forensic analyst’s responsibility to avoid any change of data on a device that may be used as evidence in court. The audit trail created by the analyst must also be clearly understandable and a third party should be able to achieve the same results using the same processes.
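An added example (not from the original page or from any forensic product): one way to show that a working copy is unchanged from the original and to keep an audit trail a third party can re-check. The use of SHA-256 hashes, the hash-chained log layout and all file and function names are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib, json, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_step(log, action, path):
    """Append an audit entry that commits to the previous entry (hypothetical layout)."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"seq": len(log) + 1, "action": action,
             "file": os.path.basename(path), "sha256": sha256_file(path), "prev": prev}
    body = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(body).hexdigest()
    log.append(entry)
    return entry

def verify_log(log):
    """Recompute the chain as a third party would; False if any entry was edited."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or digest != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def copy_matches(log):
    """True when every recorded file hash equals the first one (the original)."""
    return all(e["sha256"] == log[0]["sha256"] for e in log)

def demo():
    with tempfile.TemporaryDirectory() as d:
        src, copy = os.path.join(d, "original.img"), os.path.join(d, "working.img")
        for p in (src, copy):                     # constructed sample "evidence"
            with open(p, "wb") as f:
                f.write(b"constructed sample evidence\n" * 1000)
        log = []
        record_step(log, "acquired original", src)
        record_step(log, "created working copy", copy)
        ok_before = copy_matches(log) and verify_log(log)
        with open(copy, "ab") as f:               # simulate an accidental write
            f.write(b"x")
        record_step(log, "re-verified working copy", copy)
        return ok_before, copy_matches(log), verify_log(log)
```

A real log would also carry the examiner's name and a timestamp for each step; they are left out here so the result is deterministic.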
As in many other professions, there are also issues that limit or adversely affect the performance of computer forensics experts. The number one hurdle a forensic analyst faces is encryption mechanisms. Although most encryption can be cracked using very powerful computers, there are still certain encryption keys that are either extremely difficult or nearly impossible to crack. In such cases, the analyst will be unable to proceed with that particular task.
We are a leading practitioner in the field of computer forensics and digital forensic incident response, having successfully conducted hundreds of investigations since 1999.