How Computer Forensics Works

Computer Forensics Basics

What's brewing in this lab? Computer forensics.
What's brewing in this lab? Computer forensics.
©iStockphoto/James Steidl

The field of computer forensics is relatively young. In the early days of computing, courts considered evidence from computers to be no different from any other kind of evidence. As computers became more advanced and sophisticated, opinion shifted -- the courts learned that computer evidence was easy to corrupt, destroy or change.

Investigators realized that there was a need to develop specific tools and processes to search computers for evidence without affecting the information itself. Detectives partnered with computer scientists to discuss the appropriate procedures and tools they'd need to use to retrieve evidence from a computer. Gradually, they developed the procedures that now make up the field of computer forensics.

Usually, detectives have to secure a warrant to search a suspect's computer for evidence. The warrant must include where detectives can search and what sort of evidence they can look for. In other words, a detective can't just serve a warrant and look wherever he or she likes for anything suspicious. In addition, the warrant's terms can't be too general. Most judges require detectives to be as specific as possible when requesting a warrant.

For this reason, it's important for detectives to research the suspect as much as possible before requesting a warrant. Consider this example: A detective secures a warrant to search a suspect's laptop computer. The detective arrives at the suspect's home and serves the warrant. While at the suspect's home, the detective sees a desktop PC. The detective can't legally search the PC because it wasn't included in the original warrant.

Every computer investigation is somewhat unique. Some investigations might only require a week to complete, but others could take months. Here are some factors that can impact the length of an investigation:

  • The expertise of the detectives
  • The number of computers being searched
  • The amount of storage detectives must sort through (hard drives, CDs, DVDs and thumb drives)
  • Whether the suspect attempted to hide or delete information
  • The presence of encrypted files or files that are protected by passwords

What are the steps in collecting evidence from a computer? Keep reading to find out.