Computer security has become very important and one of the most important fields is computer forensics. Computer forensics is defined as the acquisition, preservation and analysis of electronically stored information in such a way that it can be used in a court of law. This generally boils down to trying to figure out what happened, when it happened and who did it. Computer forensics has even become popular in fiction but here we are going to discuss activities in the real world.
Computer forensics is very interesting and since new technology is introduced all the time, the methods have to be refined to keep up with the changes. Investigations can be divided into two types. In the first category we have the investigations there computers were used to commit a crime. In the second type of investigations, the computer was the target of the crime.
Forensics investigators follow standard set of procedures to ensure that their findings can be used as evidence in court. Often this includes working on a digital copy of the data while the original is stored in a secure place. All this is done to avoid getting the evidence declared invalid by the court, just because the correct procedures were not followed. Computer forensics can require as much legal skills as technical skills.
Nowadays, there are plenty of tools for computer forensics investigations. There is no need to develop your own tools. This means that the technical skills needed for computer forensics are relatively easy to acquire.
The International Society of Forensic Computer Examiners has a computer forensics certification, the Certified Computer Examiner (CCE) certification. It is not well known outside computer forensics, but it is the only certification and has been around since 2003.
Of course, being able to recover data from crashed hard disks is a useful skill also outside legal courts. Often crashed disks contain important data that has not been copied to other locations. While end users are seldom capable of recovering the data, people with the right tools and skills can in many cases recover most of the data. A lot of clients are prepared to pay generously to get their data back.
Computer forensics experts can also find data that has been deliberately deleted. In most operating systems, then you delete a file, the file handle is removed but the data still remains on disk. The operating system can’t find it, the file handle does not exist anymore but the data has not been overwritten on disk. For most operating systems, recovery tools exist that can restore deleted files, as long as the data has not been overwritten. But if the data on disk has been overwritten such tools can’t recover the data.
But it is actually possible to recover the data even if it has been overwritten. This requires special tools which analyze the magnetic fields on the disc platters. If the data has only been overwritten once, it is relatively easy to recover the file. Therefore, if you want to be sure that the data can’t be recovered you need to overwrite the data blocks several times. Every time a data block is overwritten, the chance of recovering the old data decreases exponentially. By overwriting the data seven times, it will be too difficult and too expensive for most organizations to recover the data.