What is Computer Forensics?

Computer forensics is the examination of computer media for facts that support claims or defenses in litigation. It requires technical expertise and investigative experience. A testifying forensic expert must be able to explain how computers function and how and where data is maintained, stored and transferred. Experts can recreate the order in which documents were created and date file fragments of relevance. Findings are not admissible unless a chain of custody is kept, and they must be authenticated by the expert.

Electronic data contains a wealth of evidence not available in hardcopy documents. Most of it is created as a result of the needs of the computer's hard drives and network system. Even when “erased,” documents are retained because it is faster for the computer to simply retain the document until it is written over. Metadata is maintained as a record-keeping function that enables computers to store data and operate more efficiently. Data is copied into temporary files to make the system faster and more user-friendly. All of these attributes also leave trails and evidence. Computer forensic examiners and experts know where to look for such residual data and know how to interpret it.
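
As an added illustration (not part of the original page), the Python sketch below carves a document that is still present in the data area of a raw image after its directory entry was marked deleted, and records a SHA-256 digest of what was recovered so the item can be authenticated later. The image layout, the file content and the function names are constructed for this example.

```python
import hashlib

# Header/footer byte signatures for the file types this sketch looks for.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (kind, offset, data, sha256) for every header/footer pair in raw bytes.

    The scan ignores the file system entirely, so it also finds content whose
    directory entry has been deleted but whose sectors were not overwritten.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no footer in range: likely partly overwritten.
                start = image.find(header, start + 1)
                continue
            data = image[start:end + len(footer)]
            found.append((kind, start, data, hashlib.sha256(data).hexdigest()))
            start = image.find(header, end + len(footer))
    return sorted(found, key=lambda hit: hit[1])

def build_sample_image() -> bytes:
    """Constructed three-sector 'disk': toy directory, one data sector, free space."""
    doc = b"%PDF-1.4\n(constructed memo text)\n%%EOF"
    # Toy 8.3 directory entry; a first byte of 0xE5 marks it deleted (FAT convention).
    directory = b"\xe5EMO    PDF".ljust(512, b"\x00")
    data_sector = doc.ljust(512, b"\x00")   # content left in place after deletion
    return directory + data_sector + b"\x00" * 512

if __name__ == "__main__":
    image = build_sample_image()
    # Digest of the whole image, recorded before analysis for the custody log.
    print("image sha256:", hashlib.sha256(image).hexdigest())
    for kind, offset, data, digest in carve(image):
        print(f"{kind} at offset {offset}, {len(data)} bytes, sha256 {digest}")
```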