How Computer Forensics Works

Computer Forensics Tools

No matter how limited a department's budget is, no credible investigator would stoop to wrenching open a computer to find clues.
©iStockphoto/Muharrem Oner

Programmers have created many computer forensics applications. For many police departments, the choice of tools depends on department budgets and available expertise.

Here are a few computer forensics programs and devices that make computer investigations possible:

  • Disk imaging software records the structure and contents of a hard drive. With such software, it's possible not only to copy the information on a drive, but also to preserve the way files are organized and their relationships to one another. A raw, bit-for-bit image also captures unallocated space and the slack at the end of each file, which is where deleted data usually survives.
  • Software or hardware write blockers sit between the evidence drive and the examiner's workstation and allow reads but not writes, so the drive can be copied bit by bit without changing any information on the original. Hardware write blockers require investigators to remove the hard drive from the suspect's computer and connect it through the blocker before making a copy.
  • Hashing tools compare original hard disks to copies. The tool runs the data through a cryptographic hash function such as MD5 or SHA-256, which produces a short fixed-length digest; changing even a single bit of the input produces a different digest. If the digests of the original and the copy match, the copy is a bit-for-bit replica of the original. Investigators record the digest at the time of acquisition and verify it again later to show that the evidence has not been altered since.
  • Investigators use file recovery programs to search for and restore deleted data. Deleting a file usually only marks its space as free; the contents remain on the disk until the operating system reuses that space. These programs locate such data through leftover file system records or by "carving": scanning unallocated space for the signature bytes that begin and end known file types. If part of the space has already been reused, the result is an incomplete file, which is more difficult to analyze.
  • Several programs are designed to preserve the information in a computer's random access memory (RAM). Unlike information on a hard drive, the data in RAM is volatile: it ceases to exist once someone shuts off the computer. Memory can hold running processes, open network connections, encryption keys and passwords that are never written to disk, so it is captured first, while the machine is still running, before anything else is touched.
  • Analysis software sifts through all the information on a hard drive, looking for specific content. Because modern computers hold hundreds of gigabytes or terabytes of data, searching computer files manually is impractical. For example, some analysis programs search and evaluate Internet cookies and browser history, which can tell investigators about the suspect's Internet activities. Other programs let investigators search for keywords, file types or the hashes of known files across the whole image.
  • Decryption and password-cracking software are useful for accessing protected data. In practice these tools guess passwords by dictionary and brute-force attacks or recover keys left behind in memory; properly implemented strong encryption cannot be broken without the key or passphrase, which is one reason the memory capture above matters.
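As an added example (not code from the original article), the following Python script ties together the imaging, hashing and file-recovery steps above on a constructed toy disk: it takes a bit-for-bit image, verifies it with SHA-256, shows that a one-bit change breaks the match, and then carves two deleted PNG files out of unallocated space, one of which has been partly overwritten and so comes back incomplete. The disk layout, allocation bitmap, block size and file contents are all constructed for the example; only the PNG header and IEND trailer bytes are the real PNG signatures.

```python
"""Added example, not from the original article: a toy block device is imaged
bit for bit, the image is verified by SHA-256, and deleted PNG files are carved
back out of unallocated space by signature. All data here is constructed."""
import hashlib
import re

BLOCK_SIZE = 64                           # constructed: tiny blocks keep the demo small
BLOCK_COUNT = 16
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # real 8-byte PNG signature
PNG_END = b"IEND\xaeB`\x82"               # real PNG trailer: IEND chunk type + its CRC


class ToyDisk:
    """Fixed-size blocks plus an allocation bitmap. There is no directory, so a
    'file' is just a run of allocated blocks; deleting clears the bitmap only."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.alloc = [False] * BLOCK_COUNT

    def write_file(self, first_block, data):
        nblocks = -(-len(data) // BLOCK_SIZE)          # ceiling division
        off = first_block * BLOCK_SIZE
        self.raw[off:off + len(data)] = data
        for b in range(first_block, first_block + nblocks):
            self.alloc[b] = True

    def delete_file(self, first_block, nblocks):
        for b in range(first_block, first_block + nblocks):
            self.alloc[b] = False                      # contents stay on disk

    def live_bytes(self):
        """What an ordinary file copy sees: allocated blocks only."""
        return b"".join(bytes(self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                        for b, used in enumerate(self.alloc) if used)


def sha256_hex(data):
    return hashlib.sha256(bytes(data)).hexdigest()


def acquire_image(disk):
    """Bit-for-bit copy of every block, allocated or not. The immutable bytes
    object stands in for the write blocker: analysis cannot modify the image."""
    return bytes(disk.raw)


def verify_image(disk, image):
    """Equal digests on both sides mean the image is a faithful replica."""
    return sha256_hex(disk.raw) == sha256_hex(image)


def tampered_copy(image):
    """Flip one bit; verification of this copy must fail."""
    b = bytearray(image)
    b[0] ^= 0x01
    return bytes(b)


def carve_png(image, max_len=4 * BLOCK_SIZE):
    """Signature carving: find every PNG header in the raw image regardless of
    the allocation bitmap, then take bytes up to the IEND trailer. If no trailer
    appears within max_len bytes the file is reported as incomplete."""
    found = []
    for m in re.finditer(re.escape(PNG_MAGIC), image):
        start = m.start()
        end = image.find(PNG_END, start, start + max_len)
        if end != -1:
            found.append((start, image[start:end + len(PNG_END)], True))
        else:
            found.append((start, image[start:start + max_len], False))
    return found


def build_evidence_disk():
    """Constructed scenario: two PNGs are written and deleted; a new text file
    then reuses one freed block, overwriting the tail of the second PNG."""
    disk = ToyDisk()
    png_a = PNG_MAGIC + b"A" * 80 + PNG_END            # 96 bytes -> blocks 3-4
    png_b = PNG_MAGIC + b"B" * 80 + PNG_END            # 96 bytes -> blocks 8-9
    disk.write_file(3, png_a)
    disk.write_file(8, png_b)
    disk.delete_file(3, 2)
    disk.delete_file(8, 2)
    disk.write_file(9, b"meeting notes, nothing to see here".ljust(BLOCK_SIZE, b"\n"))
    return disk


if __name__ == "__main__":
    disk = build_evidence_disk()
    image = acquire_image(disk)
    print("image verified:", verify_image(disk, image))
    print("verified after 1-bit change:", verify_image(disk, tampered_copy(image)))
    print("PNGs visible through the allocation table:", len(carve_png(disk.live_bytes())))
    for off, data, complete in carve_png(image):
        print(f"carved PNG at offset {off}: {len(data)} bytes,",
              "complete" if complete else "INCOMPLETE (partly overwritten)")
```

Running the script shows that a normal copy of the allocated data contains no PNG at all, while carving the raw image recovers both deleted files, the second without its trailer because its last block was reused. In real casework the same roles are played by a hardware write blocker, an imaging tool that writes a raw dd or E01 image, a recorded `sha256sum`-style digest that is re-checked before analysis, and a carving tool driven by a table of file signatures.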

These tools are only useful as long as investigators follow the right procedures: imaging through a write blocker, recording hashes, and documenting every step so the chain of custody is intact. Otherwise, a good defense lawyer could argue that any evidence gathered in the computer investigation isn't reliable. Of course, a few anti-forensics experts argue that no computer evidence is completely reliable.

Whether courts continue to accept computer evidence as reliable remains to be seen. Anti-forensics experts argue that it's only a matter of time before someone proves in a court of law that manipulating computer data without being detected is both possible and plausible. If that's the case, courts may have a hard time justifying the inclusion of computer evidence in a trial or investigation.
