When the company Enron declared bankruptcy in December 2001, hundreds of employees were left jobless while some executives seemed to benefit from the company's collapse. The United States Congress decided to investigate after hearing allegations of corporate misconduct. Much of Congress' investigation relied on computer files as evidence. A specialized detective force began to search through hundreds of Enron employee computers using computer forensics.
The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence for a trial. Many of the techniques detectives use in crime scene investigations have digital counterparts, but there are also some unique aspects to computer investigations.
For example, just opening a computer file changes the file -- the computer records the time and date it was accessed on the file itself. If detectives seize a computer and then start opening files, there's no way to tell for sure that they didn't change anything. Lawyers can contest the validity of the evidence when the case goes to court.
Some people say that using digital information as evidence is a bad idea. If it's easy to change computer data, how can it be used as reliable evidence? Many countries allow computer evidence in trials, but that could change if digital evidence proves untrustworthy in future cases.
Computers are getting more powerful, so the field of computer forensics must constantly evolve. In the early days of computers, it was possible for a single detective to sort through files because storage capacity was so low. Today, with hard drives capable of holding gigabytes and even terabytes of data, that's a daunting task. Detectives must discover new ways to search for evidence without dedicating too many resources to the process.
What are the basics of computer forensics? What can investigators look for, and where do they look? Find out in the next section.