What Happens in a Computer Forensic Investigation

We have always heard of the word "hack". Its mostly used in related to computers and gets blamed for everything bad that happens in futuristic crime action movie. Most of these are not entirely true but network systems do get hacked. Most companies are confident of what their IT department is capable off.

However that does not mean that an employee can not be tempted to do a little snooping of his own. Most of the time offenders are within the company itself. The accessibility of the internet also poses a problem. Anyone can be anything online. This is why fraud, phishing, and identity theft happen. 

The computer is an important part of our lives. Sending letters have been entirely changed through emails. Communications have been dominated by instant messaging and texts. Portable storage devices that were only known to IT professionals are now used by the general public. We already have an idea of what computer forensics is but what does happen in a typical investigation? 

The computer crime scene

First like any other investigation would start, the location is regarded as a crime scene. The computer analyst will take digital photographs and secure documentary evidence. This includes printouts, notes and disks in the scene. If you have hired a computer forensic expert you should leave everything to them. The computer system should left as it is whether it is turned on or off. 

If the computer is turned on the computer analyst will gather all the information that he can from the running applications. It will then be shutdown in a way that the data will not be lost. Doing a standard shutdown or pulling the plug is not an option. Both of these methods may cause the lost or damage of the data in the computer system. 

The computer forensic analyst then documents the configuration of the system. This will include the order of hard drives, modem, LAN, storage subsystems, cable connections, and wireless networking hardware. The analyst will take digital photographs and make a diagram. They will also take portable storage devices within the area that may contain substantial evidence. 

After that the hard drive will be taken to the lab. It's not suitable to examine data in the same hardware. Offenders who engage in cyber crimes are also aware that important data can be retrieved to convict them. Countermeasures, viruses and booby traps may be installed in the system to damage electronic evidence.

Analysts take the hard drive in their lab instead to make an exact duplicate of its contents. This process is called Imaging. Analysts have their own tools to make sure that the data is copied completely and accurately. 

The duplicate will then be verified by an algorithm. The data is then examined and analyzed. The analyst makes a report containing his findings and all that was done during the investigation starting from the acquisition of the data. The evidence that will be found will be presented in court of prosecution takes place.

The analyst will be an expert witness to present his findings. The most important thing about computer forensic experts is that they are trained in handling evidence. Any IT professional can extract data but they will not be able to preserve it.

The legal aspect of the field makes it different and therefore important.