Forensic Technologies

Computer forensic tools and methodologies are major components of an organization’s disaster recovery preparedness and play a decisive role in overcoming and tackling computer incidents. Due to the growing misuse of computers in criminal activities, there must be a proper set of methodologies to use in an investigation. The evidence acquired from computers is fragile and can be easily erased or altered, and the seized computer can be compromised if not handled using proper methodologies. The methodologies involved in computer forensics may differ depending upon the procedures, resources, and target company.

Forensic tools enable the forensic examiner to recover deleted files, hidden files, and temporary data that the user may not be able to locate.

Techniques commonly used in digital forensics include:

  • Hard-Drive Analysis – Extracting data is one of the main jobs that computer forensics practitioners perform. Since different computers may store data differently, several methods are used to extract data from hard drives. One technique is known as “live analysis.” This method uses system administrator tools to extract information from the hard drive.
  • Another technique, named “deleted files analysis,” is used to extract data from a hard drive even after deletion. This technique takes advantage of the fact that, when files are deleted, most computers do not physically erase the data. Instead, the computer “forgets” the data and allows itself to write over it later. With this knowledge, computer forensics practitioners carefully look for and extract data that might have been deleted because of its fraudulent nature.
  • Volatile Data Analysis – When working in computer forensics, it is crucial to understand all aspects of a computer’s memory. Volatile data analysis is often time-sensitive work, because the data of interest may be stored in the computer’s random access memory (RAM). Since data stored in RAM is destroyed once the computer turns off or processes new information, computer forensics practitioners must be able to extract information from a computer’s RAM quickly.
  • Computer Forensics Tools – Computer forensics practitioners have many tools at their disposal when attempting to extract data from computers. While a variety of tools are available, the National Institute of Standards and Technology is the main organization that promotes the use of and innovation in computer forensics tools. The National Institute of Standards and Technology is a non-regulatory part of the United States Department of Commerce and therefore has no regulatory authority in the field. Typical forensic analysis may involve programs that extract data, conduct keyword searches, and review Windows registries for important information.
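
The “deleted files analysis” item above relies on data blocks surviving after the file system has forgotten them. The following is an added example, not part of the original tutorial: a minimal signature carver that scans a raw image for JPEG start and end markers without consulting the file system, and hashes each recovered item so its integrity can be recorded. It assumes contiguous, non-nested files; the function names and the sample image are constructed for illustration.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"    # start-of-image marker plus first marker byte
JPEG_EOI = b"\xff\xd9"        # end-of-image marker
MAX_CARVE = 10 * 1024 * 1024  # give up on a header if no footer within 10 MiB


def carve_jpegs(image: bytes, max_size: int = MAX_CARVE):
    """Return a list of dicts describing JPEG-like byte runs found in a raw image.

    Signature carving ignores the file system entirely, so it also finds
    content whose directory entry has been removed, as long as the data
    blocks have not been overwritten yet.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header with no footer in range: partially overwritten or fragmented.
            found.append({"offset": start, "complete": False, "data": None, "sha256": None})
            pos = start + len(JPEG_SOI)
            continue
        data = image[start:end + len(JPEG_EOI)]
        found.append({
            "offset": start,
            "complete": True,
            "data": data,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
        pos = end + len(JPEG_EOI)
    return found


def build_sample_image() -> bytes:
    """Constructed sample: 'unallocated' space holding one intact and one truncated file."""
    intact = JPEG_SOI + b"\xe0" + b"deleted-photo-bytes" + JPEG_EOI
    truncated = JPEG_SOI + b"\xe0" + b"overwritten-tail"
    return b"\x00" * 512 + intact + b"\x00" * 100 + truncated + b"\x00" * 64


if __name__ == "__main__":
    for hit in carve_jpegs(build_sample_image()):
        print(hit["offset"], hit["complete"], hit["sha256"])
```

The second hit is reported as incomplete because its tail was overwritten, which is the practical limit of this technique: once the blocks are reused, the content is gone.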
